Versions Compared

Version Old Version 1 New Version Current
Changes made by

Jeroen de Soeten (Deactivated)

Tomasz Marcula (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

CXO cockpit support SSO mode for Essbase connections but it works for single Essbase server only. In case of multiple essbase servers used in one application, SSO is possible to only the first essbase server. It should be possible to connect to other Essbase servers using the username of the currently logged on user without requirement to know the password of the currently logged on user.

Image Removed

In this scenario Essbase Server 1 is used for authentication and can also be used for SSO but Essbase server 2 is not used for authentication so the SSO mode is not possible. In this case, Impersonation mode can be used.There are 2 ways to apply Essbase security in the CXO Software:

  1. Essbase Authentication plugin with SSO mode enabled
  2. Use User Impersonation (recommended approach)

Essbase Authentication plugin with SSO mode enabled

Image Added

In this scenario, the username and password the end user enters to login to CXO are used to connect to Essbase server. The limitations of this scenario are:

  • Impossible to use any other authentication adapter (SAML, Windows etc)
  • Impossible to connect to more than one Essbase Server

Read more about Essbase Authentication Plugin

Note: The term SSO in the context above means that credentials provided by user in CXO are being used for connecting to essbase as well. It should not be confused with Single Sign On behavior between applications in a browser.

User Impersonation

The user impersonation scenario can be used to overcome the limitations of the Essbase Authentication plugin scenario. 

Image Added

In this case, the connection to Essabase servers is made using the username and password configured in CXO Software on behalf of the the end user logged in to CXO. In this case the Essbase API function "LoginAs" is used to open the connection.

To turn on Essbase impersonation:

  1. Start the Source system manager (if you want to check if the connection is working you need to login with a cxo user, that also exists in Essbase)
  2. Select the Essbase source system
  3. Click Connector Properties
  4. Under SSO Login, check Impersonate User

Image Added


Image Added


Essbase logs in case of impersonation

The way How Essbase logs activities from "EssLoginAs" functionality is managed by Oracle.

Based on tests performed by CXO, Essbase logs the impersonated user, and not the service account when we retrieve data (Mdx queries).
Below is an example from Essbase log when "EssLoginAs" functionality is used. In the use case below the Impersonated username is Julien.


[Mon Jun 14 07:11:10 2021]Local/ASOsamp///2052/Info(1042059)
Connected from [::ffff:172.31.35.177]

[Mon Jun 14 07:11:10 2021]Local/ASOsamp/Sample/Julien@Native Directory/2052/Info(1013091)
Received Command [MdxReport] from user [Julien@Native Directory]

[Mon Jun 14 07:11:10 2021]Local/ASOsamp/Sample/Julien@Native Directory/2052/Info(1260039)
MaxL DML Execution Elapsed Time : [0.031] seconds

[Mon Jun 14 07:11:10 2021]Local/ASOsamp///2280/Info(1042059)
Connected from [::ffff:172.31.35.177]

[Mon Jun 14 07:11:10 2021]Local/ASOsamp/Sample/Julien@Native Directory/2280/Info(1013091)
Received Command [MdxReport] from user [Julien@Native Directory]

[Mon Jun 14 07:11:10 2021]Local/ASOsamp/Sample/Julien@Native Directory/2280/Info(1260039)
MaxL DML Execution Elapsed Time : [0] seconds