User Guide

granting users and groups specific access permissions to Hyperion resources is called

provisioning.

Native Directory and configured user directories are sources for user and group information for

the provisioning (authorization) process. You can browse and provision users and groups from

all configured user directories from User Management Console. Provisioning data is stored in

Native Directory. You can also use application-specific aggregated roles created in Native

Directory in the provisioning process.

This illustration depicts a broad overview of the authorization process:

1. After a user is authenticated, Hyperion product queries the user directories to determine

the user's groups.

2. Hyperion product uses the group and user information to retrieve the user's provisioning

data from Shared Services. The product uses this data to determine resources that a user can

access.

Product-specific provisioning tasks, such as setting product-specific access control, are

completed from each product. This data is combined with provisioning data to determine

the product access for users.

Role-based provisioning of Hyperion products uses these concepts.

Roles

A role is a construct (similar to access control list) that defines the access permissions granted

to users and groups to perform functions on Hyperion resources. It is a combination of resource

or resource types (what users can access; for example, a report) and actions that users can perform

on the resource (for example, view and edit).

Access to Hyperion application resources is restricted; users can access them only after a role

that provides access is assigned to the user or to the group to which the user belongs. Access

restrictions based on roles enable administrators to control and manage application access.

Provisioning (Role-Based Authorization)