How Shared Services Works
What Shared Services Does
Shared Services is a component of the “foundation services”. It is the mechanism that provides a common framework for user security and administration. It is the first component that is installed in an installation. Once up and running, all Hyperion products and modules “plug-in” to this base. Shared Services provides a single interface to:
- Define External Authentication providers (ie – corporate LDAP, MSAD, etc)
- Provision Users and Groups
- Life Cycle Management (promotion of artifacts between DEV and PROD)
Products communicate with Shared services though a common API which allows all the products to employ true single sign-on between the products.
Shared Services components
There are 4 major components of what we collectively call Shared Services:
- Shared Services web server. The Web Server for the Shared Services communication and interface. Default URL and port is http://<server>:58080/interop
- Native Directory. A small file-based OpenLDAP directory that comes with Shared Services to store provisioning information
- Relational Repository. A small relational database (ie Oracle, SQL Server, etc) that stores location information
- Corporate External Authentication (optional). Your (already existing) corporate external authentication mechanism.
If you do not have a corporate external authentication provider you can use the provided Native Directory to create users and passwords to provision. However, doing this puts you into the password and account maintenance business. If you do have one, you will want to use it, as that will be taken care of for you. Shared Services will not store passwords of externally authenticated users, it simply forwards on the ID/Password combination to the provider for a thumbs-up or thumbs-down. You can have multiple user directories configured and set a search order for them.
The Native directory holds user IDs and Passwords of Natively authenticated users, provisioning information for all users, and tracks user-group relationships. Again, this is stored in the OpenLDAP repository that comes with Shared Services. The OpenLDAP that comes with HSS is a simple file-based database that is in LDAP format which runs on port 58089. You can actually use an LDAP browser and connect to OpenLDAP and browse around using a base DN of dc=css,dc=hyperion,dc=com.
The relational component is a separate database (or schema in Oracle) that holds registration information about the products in the environment.
The following diagram summarizes the components. Again, the corporate LDAP authenticates the user (are they who they say they are), the relational holds product registration information (can they access this particular product), and the native directory handles authorization (do they have permission to do what they are requesting to do in this product).
Provisioning users and Groups
The User Management console using the URL http://<server>:58080/interop is used to provision users. Provisioning is the process of granting access to users to certain products and services. Here we browse through the users, and provision Henry for the BBB Essbase Application and the Finsrvs FDM application, and the TotPlan Planning Application.
Show all users
Right click on Henry
Provision
The Process of Authentication
Once a product is registered with Shared Services, it receives and stores location of the user directories. So when a user logs into a product, the process is as follows:
- The user enters the ID and Password into the product log-in screen
- The product queries all the configured user directories to verify the credentials. Upon success, the user is authenticated.
- Once authenticated, the product contacts Shared Services to lookup the provisioning information of the user to see if the user has been given the access to the product and service.
- SSO is enabled for this user now for the rest of the products they are provisioned for.
What This Means for our System Administrator Brethren
- Shared Services must be the first to be installed and configured
- Shared Services must be the first to be started (along with OpenLDAP). Note: it can take a while for Shared Services to come up. Make sure you wait a while and check that HSS is all the way up by going to the URL before starting the other services)
- Shared Services is a single point of failure for all Hyperion Products.
- You must be diligent in backing up Shared Services, including
- Shared Services relational database
- OpenLDAP (see the backup/recovery guide ….there is a utility that backs up the OpenLDAP directory)
The I.T. Side 
Good article.
I have a question.
When I cinfigured HSS with the MSAD, everything went well.
I am able to search all the user with their names.
The problem I am facing is.. When the user tries to login with his userid(eg “wgang”) it says invalid username or password. But when he gives his user name (eg “wolf gang”) then he is able to login. I am not sure why userid not working and why user name is working. can u help me please. thank u
When configuring the external authentication in Shared Services, the “ID Attribute” field should be populated with the MSAD attribute used for the user logins. With MSAD, most commonly this is sAMAccoutName, however, it can be set to anything. Change that, restart Shared Services, and that should work.
Hi Eric,
Nice EPM blog. Looking forward to read more.
The HSS User Management Console is obviously not designed by an administrator. Since most applications use hierarchies in their metadata structures, the limitations on displaying and reporting security rights is lacking big time. I know of a couple of companies that have developed their own MS Access tool to maintain the user security rights and updating HSS by upload files (HSS and Application specific).
Oracle should take this seriously and use OBIEE to display group relations and access rights to Security Classes in one combined view – Maybe even like a focused Mindmap as used in Infor PM Financial Consolidation (not the security part).
Even more important is the lack of support for Matrix Organisations when it comes to security – The multi-user-account approach is not compliant to SOX, so Oracle should stand up to their responsibility and make at least HFM fully SOX compliant. Most enterprises uses some sort of matrix organisation so it is a growing problem.
Eric, do you know of any commercial products that are available to help administrators of System 9/11 in regard to user security maintenance?
Hi there,
Nice article, I have configured MSAD as user directory and it works fine, I need to configure SSO, so it can authenticate using the MSAD, can you please thow me some light on this, I have been reading the documents, but still I am not able to understand which way I have to go, should I extend the api to pass the user name and password or can it be done just through configuration.
You advise would be really helpful.
Its a very nice article for the first time in HSS
REALLY ………THIS ARTICLE IS AWESOME…………!
THNKS A LOT………..!
Really very fantastic article on HSS. I got the clear idea. Thank you so much to the author.