User Guide
1. Using a browser, users access the login screen of a web identity management solution (for
example, SiteMinder) or SAP Enterprise Portal. They enter user names and passwords,
which are validated against configured user directories to verify user authenticity. Hyperion
products are also configured to work with these user directories.
When users navigate to a Hyperion product, information about the authenticated user is
passed to the Hyperion product, which accepts the information as valid.
If the user logged on to SAP Portal, an SAP logon ticket is passed to the Hyperion product. The
Security API implemented on the Hyperion product decrypts the SAP logon ticket using a
specified SAP certificate.
If the user logged on to a web identity management solution, a custom HYPLOGIN HTTP
header is passed to the Hyperion product.
2. To verify user credentials, the Hyperion product tries to locate the user in one of the user
directories based on the search order. If a matching user account is found, user information
is returned to the Hyperion product.
3. Using the retrieved user information, the Hyperion product queries Shared Services to obtain
provisioning details for the user.
On receiving user provisioning information from Shared Services, the Hyperion product is
made available to the user. SSO is then enabled for all Hyperion products for which that
user is provisioned.
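The following sketch is an added example, not Hyperion code. It models steps 1 to 3 for the HYPLOGIN header case and shows why the header should be honored only when the request arrives from the web identity management agent, since the product accepts the header's content as valid. The agent network, directory contents, provisioning data, and all function names are constructed assumptions.

```python
import ipaddress

# Assumption: only the web identity management agent on this network may set HYPLOGIN.
TRUSTED_AGENTS = [ipaddress.ip_network("10.0.5.0/28")]  # constructed sample value

# Constructed sample user directories, listed in search order.
SEARCH_ORDER = [
    ("corp_ldap", {"jdoe": {"dn": "uid=jdoe,ou=people,dc=example,dc=com"}}),
    ("native", {"admin": {"dn": "native://admin"}, "jdoe": {"dn": "native://jdoe"}}),
]

# Constructed sample provisioning data, keyed by (directory, login).
PROVISIONING = {("corp_ldap", "jdoe"): ["Planning:Planner", "Reports:Viewer"]}


def header_login(peer_ip, headers):
    """Step 1: return the asserted login, or None if the header cannot be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_AGENTS):
        return None  # a client that reaches the product directly can forge HYPLOGIN
    # HTTP header names are case-insensitive; headers is a list of (name, value) pairs.
    values = [v for k, v in headers if k.lower() == "hyplogin"]
    if len(values) != 1 or not values[0].strip():
        return None  # missing, empty, or duplicated header is ambiguous: reject
    return values[0].strip()


def locate_user(login):
    """Step 2: first directory in the search order that holds the login wins."""
    for name, directory in SEARCH_ORDER:
        if login in directory:
            return name, directory[login]
    return None


def sso(peer_ip, headers):
    login = header_login(peer_ip, headers)
    if login is None:
        return {"status": "rejected", "reason": "untrusted or malformed HYPLOGIN"}
    found = locate_user(login)
    if found is None:
        return {"status": "rejected", "reason": "user not in any directory"}
    directory, _entry = found
    # Step 3: provisioning lookup (assumption: no roles means no access).
    roles = PROVISIONING.get((directory, login), [])
    if not roles:
        return {"status": "rejected", "reason": "user not provisioned"}
    return {"status": "ok", "user": login, "directory": directory, "roles": roles}
```

Because the first match in the search order wins, the sample login jdoe resolves to corp_ldap and the identically named account in the later directory is never consulted.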
Provisioning (Role-Based Authorization)
Hyperion application security determines user access to products using the concept of roles. A
role is a set of permissions that determines user access to product functions.
Each Hyperion product provides several default roles tailored to suit various business needs.
Predefined roles from each Hyperion application registered with Shared Services are available
from User Management Console. These roles are used for provisioning. You may also create
additional roles that aggregate the default roles to suit specific requirements. The process of
About Hyperion Security