
System Administration Guide PDF


System

Administration Guide

Version 2019
2019, July 2019
Copyright © 2019 by MicroStrategy Incorporated. All rights reserved.
Trademark Information
The following are either trademarks or registered trademarks of MicroStrategy Incorporated or its affiliates in the United States and certain other countries:

MicroStrategy, MicroStrategy 2019, MicroStrategy 11, MicroStrategy 10, MicroStrategy 10 Secure Enterprise, MicroStrategy 9,
MicroStrategy 9s, MicroStrategy Analytics, MicroStrategy Analytics Platform, MicroStrategy Desktop, MicroStrategy Library,
MicroStrategy Operations Manager, MicroStrategy Analytics Enterprise, MicroStrategy Evaluation Edition, MicroStrategy
Secure Enterprise, MicroStrategy Web, MicroStrategy Mobile, MicroStrategy Server, MicroStrategy Parallel Relational In-
Memory Engine (MicroStrategy PRIME), MicroStrategy MultiSource, MicroStrategy OLAP Services, MicroStrategy Intelligence
Server, MicroStrategy Intelligence Server Universal, MicroStrategy Distribution Services, MicroStrategy Report Services,
MicroStrategy Transaction Services, MicroStrategy Visual Insight, MicroStrategy Web Reporter, MicroStrategy Web Analyst,
MicroStrategy Office, MicroStrategy Data Mining Services, MicroStrategy Geospatial Services, MicroStrategy Narrowcast
Server, MicroStrategy Health Center, MicroStrategy Analyst, MicroStrategy Developer, MicroStrategy Web Professional,
MicroStrategy Architect, MicroStrategy SDK, MicroStrategy Command Manager, MicroStrategy Enterprise Manager,
MicroStrategy Object Manager, MicroStrategy Integrity Manager, MicroStrategy System Manager, MicroStrategy Analytics App,
MicroStrategy Mobile App, MicroStrategy Tech Support App, MicroStrategy Mobile App Platform, MicroStrategy Cloud,
MicroStrategy R Integration, Dossier, Usher, MicroStrategy Usher, Usher Badge, Usher Security, Usher Security Server, Usher
Mobile, Usher Analytics, Usher Network Manager, Usher Professional, MicroStrategy Identity, MicroStrategy Badge,
MicroStrategy Identity Server, MicroStrategy Identity Analytics, MicroStrategy Identity Manager, MicroStrategy Communicator,
MicroStrategy Services, MicroStrategy Professional Services, MicroStrategy Consulting, MicroStrategy Customer Services,
MicroStrategy Education, MicroStrategy University, MicroStrategy Managed Services, BI QuickStrike, Mobile QuickStrike,
Transaction Services QuickStrike Perennial Education Pass, MicroStrategy Web Based Training (WBT), MicroStrategy World,
Best in Business Intelligence, Pixel Perfect, Global Delivery Center, Direct Connect, Enterprise Grade Security For Every
Business, Build Your Own Business Apps, Code-Free, Welcome to Ideal, Intelligent Enterprise, HyperIntelligence, HyperCard,
HyperVoice, HyperVision, HyperMobile, HyperScreen, Zero-Click Intelligence, Enterprise Semantic Graph, The World’s Most
Comprehensive Analytics Platform, The World’s Most Comprehensive Analytics Platform. Period.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Specifications subject to change without notice. MicroStrategy is not responsible for errors or omissions. MicroStrategy makes no warranties or commitments concerning the availability of future products or versions that may be planned or under development.
CONTENTS
1. Introduction to MicroStrategy System Administration 12

Best Practices for MicroStrategy System Administration 13
Understanding the MicroStrategy Architecture 14
Communicating with Databases 19
Managing Intelligence Server 29
Managing and Monitoring Projects 47
Processing Jobs 59
Using Automated Installation Techniques 83

2. Setting Up User Security 85

The MicroStrategy User Model 86
Controlling Access to Application Functionality 95
Controlling Access to Data 121
Merging Users or Groups 151
Security Checklist Before Deploying the System 156

3. Identifying Users: Authentication 159

Workflow: Changing Authentication Modes 160
Modes of Authentication 161
Implementing Standard Authentication 165
Implementing Anonymous Authentication 169
Implementing LDAP Authentication 171
Enabling Single Sign-On Authentication 212
Enabling Badge Authentication for Web and Mobile 328
How to Enable Seamless Login Between Web, Library, and Workstation 332
Implementing Database Warehouse Authentication 336
Authentication Examples 339

4. Secure Communication in MicroStrategy 343

Configuring SSL for Intelligence Server 344
Configuring Web and Mobile Server Truststore 345
SSL with Client Certificate Verification 349
Configuring Web, Mobile Server, and Web Services to Require SSL Access 352
Configuring Secure Communication for MicroStrategy Web, Mobile Server, and Developer 353
Configuring MicroStrategy Client Applications to Use an HTTPS URL 355
Testing SSL Access 356
Certificate Files: Common Extensions and Conversions 357
Self-Signed Certificates: Creating a Certificate Authority for Development 359

5. Managing Your Licenses 369

Managing and Verifying Your Licenses 370
Auditing and Updating Licenses 375
Updating CPU Affinity 388

6. Managing Your Projects 395

The Project Life Cycle 397
Implementing the Recommended Life Cycle 403
Duplicating a Project 405
Updating Projects with New Objects 413
Copying Objects Between Projects: Object Manager 417
Merging Projects to Synchronize Objects 467
Comparing and Tracking Projects 477
Deleting Unused Schema Objects: Managed Objects 481

7. Monitoring System Usage 486

MicroStrategy System Monitors 487
Monitoring System Activity: Change Journaling 489
Monitoring System Usage: Intelligence Server Statistics 499
Monitoring Quick Search Indices 515
Additional Monitoring Tools 516

8. Tuning Your System for Best Performance 544

Tuning: Overview and Best Practices 546
Designing System Architecture 685
Managing System Resources 691
Managing User Sessions 711
Governing Requests 722
Managing Job Execution 731
Governing Results Delivery 748
Tuning Your System for In-Memory Datasets 755
Designing Reports 757
Configuring Intelligence Server and Projects 760
Tuning Narrowcast Server and Intelligence Server 783

9. Clustering Multiple MicroStrategy Servers 786

Overview of Clustering 787
The Clustered Architecture 790
Prerequisites for Clustering Intelligence Servers 799
Clustering Intelligence Servers 802
Managing Your Clustered System 823
Connecting MicroStrategy Web to a Cluster 850

10. Improving Response Time: Caching 852

Page Caches 854
Result Caches 860
Saving Report Results: History List 897
Element Caches 920
Object Caches 936
Viewing Document Cache Hits 941

11. Managing Intelligent Cubes 943

Managing Intelligent Cubes: Intelligent Cube Monitor 944
Governing Intelligent Cube Memory Usage, Loading, and Storage 954
Supporting Connection Mappings in Intelligent Cubes 969

12. Scheduling Jobs and Administrative Tasks 971

Best Practices for Scheduling Jobs and Administrative Tasks 972
Creating and Managing Schedules 975
Scheduling Administrative Tasks 983
Scheduling Reports and Documents: Subscriptions 988
Configuring and Administering Distribution Services 1008

13. Administering MicroStrategy Web and Mobile 1051

Assigning Privileges for MicroStrategy Web 1052
Using the MicroStrategy Web Administrator Page 1054
Defining Project Defaults 1057
Using Additional Security Features for MicroStrategy Web and Mobile 1059
Integrating Narrowcast Server with MicroStrategy Web products 1069
Enabling Users to Install MicroStrategy Office from Web 1072
FAQs for Configuring and Tuning MicroStrategy Web Products 1074

14. Combining Administrative Tasks with System Manager 1078

Creating a Workflow 1079
Defining Processes 1130
Deploying a Workflow 1238

15. Automating Administrative Tasks with Command Manager 1247

Using Command Manager 1248
Executing a Command Manager Script 1254
Command Manager Script Syntax 1263
Using Command Manager from the Command Line 1265
Using Command Manager with OEM Software 1266

16. Verifying Reports and Documents with Integrity Manager 1267

What is an Integrity Test? 1269
Best Practices for Using Integrity Manager 1274
Creating an Integrity Test 1276
Executing an Integrity Test 1280
Viewing the Results of a Test 1295
List of Tags in the Integrity Test File 1303

1. SQL Generation and Data Processing: VLDB Properties 1321

Supporting Your System Configuration 1323
Accessing and Working with VLDB Properties 1325
Details for All VLDB Properties 1336
Default VLDB Settings for Specific Data Sources 1643

2. Creating a Multilingual Environment: Internationalization 1647

About Internationalization 1650
Best Practices for Implementing Internationalization 1653
Preparing a Project to Support Internationalization 1654
Providing Metadata Internationalization 1658
Providing Data Internationalization 1673
Making Translated Data Available to Users 1684
Achieving the Correct Language Display 1705
Maintaining Your Internationalized Environment 1711

3. List of Privileges 1728

Privileges for Predefined Security Roles 1729
Privileges for Out-Of-The-Box User Groups 1731
List of All Privileges 1749
Privileges by License Type 1751

4. Multi-Tenant Environments: Object Name Personalization 1762

How a Tenant Language Differs from a Standard Language 1764
Granting User Access to Rename Objects and View Tenant Languages 1764
Renaming Metadata Objects 1766
Making Tenant-Specific Data Available to Users 1777
Maintaining Your Multi-Tenant Environment 1796

5. Intelligence Server Statistics Data Dictionary 1799

STG_CT_DEVICE_STATS 1800
STG_CT_EXEC_STATS 1803
STG_CT_MANIP_STATS 1815
STG_IS_CACHE_HIT_STATS 1822
STG_IS_CUBE_REP_STATS 1827
STG_IS_DOC_STEP_STATS 1833
STG_IS_DOCUMENT_STATS 1842
STG_IS_INBOX_ACT_STATS 1850
STG_IS_MESSAGE_STATS 1859
STG_IS_PERF_MON_STATS 1869
STG_IS_PR_ANS_STATS 1872
STG_IS_PROJ_SESS_STATS 1879
STG_IS_REP_COL_STATS 1883
STG_IS_REP_SEC_STATS 1886
STG_IS_REP_SQL_STATS 1890
STG_IS_REP_STEP_STATS 1900
STG_IS_REPORT_STATS 1911
STG_IS_SCHEDULE_STATS 1926
STG_IS_SESSION_STATS 1929
STG_MSI_STATS_PROP 1937

6. Enterprise Manager Data Dictionary 1938

Enterprise Manager Data Warehouse Tables 1939
Relationship Tables 1993
Enterprise Manager Metadata Tables 1994
Enterprise Manager Attributes and Metrics 1996

7. Command Manager Runtime 2617

Statement Reference Guide 2618
Executing a Script with Command Manager Runtime 2618
Syntax Reference Guide 2620

8. MicroStrategy Web Cookies 2622

Session Information 2623
Default User Name 2627
Project Information 2627
Current Language 2628
GUI Settings 2628
Personal Autostyle Information 2629
System Autostyle Information 2629
Connection Information 2630
Available Projects Information 2630
Global User Preferences 2631
Cached Preferences 2631
Preferences 2632

9. Troubleshooting 2642

Methodology for Finding Trouble Spots 2643
Memory Depletion Troubleshooting 2645
Authentication Troubleshooting 2653
Fixing Inconsistencies in the Metadata 2662
Object Dependencies Troubleshooting 2669
Date/Time Functions Troubleshooting 2669
Performance Troubleshooting 2670
Project Performance 2670
Troubleshooting Data Imported from a File 2673
Subscription and Report Results Troubleshooting 2674
Drilled-To Report Returns No Data or Incorrect Data 2674
Internationalization Troubleshooting 2679
Troubleshooting Intelligence Server 2681
Logon Failure 2681
Modifying ODBC Error Messages 2684
Clustered Environments Troubleshooting 2686
Problems in a Clustered Environment 2686
Statistics Logging Troubleshooting 2689


1. INTRODUCTION TO MICROSTRATEGY SYSTEM ADMINISTRATION

This section summarizes the major components in the MicroStrategy system architecture and provides a brief overview of some of the basic concepts you need to understand to administer a MicroStrategy system.

The following are discussed:

Best Practices for MicroStrategy System Administration

MicroStrategy recommends the following best practices to keep your system running smoothly and efficiently:

• Use the project life cycle of development, testing, production to fully test your reports, metrics, and other objects before releasing them to users.

• If you need to delegate administrative responsibilities among several people, create a user group. A user group (or "group" for short) is a collection of users and/or subgroups. Groups provide a convenient way to manage a large number of users and provide them with certain privileges. MicroStrategy comes with a number of predefined groups for various Administration tasks. For more information, see About MicroStrategy User Groups.

• If you have multiple users working on a project with different functionality needs, utilize security roles. A security role is a collection of project-level privileges that are assigned to users. They can be used in any project registered with Intelligence Server and users can have different security roles in each project.

• Once Intelligence Server is up and running, you can adjust its governing settings to better suit your environment. For detailed information about these settings, see Chapter 8, Tuning Your System for Best Performance.

You can use Enterprise Manager to monitor various aspects of Intelligence Server's performance. Enterprise Manager is a MicroStrategy project that uses the Intelligence Server statistics database as its data warehouse. For information, see the Enterprise Manager Guide.

• If you have multiple machines available to run Intelligence Server, you can cluster those machines to improve performance and reliability. See Chapter 9, Clustering Multiple MicroStrategy Servers.

• Create caches for commonly used reports and documents to reduce the database load and improve the system response time. See Chapter 10, Improving Response Time: Caching.

Creating reports based on Intelligent Cubes can also greatly speed up the processing time for reports. Intelligent Cubes are part of the OLAP Services features in Intelligence Server. See Chapter 11, Managing Intelligent Cubes.

• Schedule administrative tasks and reports to run during off-peak hours, so that they do not adversely affect system performance. See Chapter 12, Scheduling Jobs and Administrative Tasks.

You can automate the delivery of reports and documents to users with the Distribution Services add-on to Intelligence Server. See Overview of Distribution Services, page 1008.

Understanding the MicroStrategy Architecture

A MicroStrategy system is built around a three-tier or four-tier structure.

• The first tier consists of two databases: the data warehouse, which contains the information that your users analyze; and the MicroStrategy metadata, which contains information about your MicroStrategy projects. For an introduction to these databases, see Storing Information: the Data Warehouse and Indexing your Data: MicroStrategy Metadata.

• The second tier consists of MicroStrategy Intelligence Server, which executes your reports, dossiers, and documents against the data warehouse. For an introduction to Intelligence Server, see Processing Your Data: Intelligence Server.

If MicroStrategy Developer users connect via a two-tier project source (also called a direct connection), they can access the data warehouse without Intelligence Server. For more information on two-tier project sources, see Tying it All Together: Projects and Project Sources.

• The third tier in this system is MicroStrategy Web or Mobile Server, which delivers the reports to a client. For an introduction to MicroStrategy Web, see Chapter 13, Administering MicroStrategy Web and Mobile.

• The last tier is the MicroStrategy Web client, Library client, Workstation client, Desktop client, or MicroStrategy Mobile app, which provides documents and reports to the users.

In a three-tier system, Developer is the last tier.

Storing Information: the Data Warehouse

The data warehouse is the foundation that your MicroStrategy system is built on. It stores all the information you and your users analyze with the MicroStrategy system. This information is usually placed or loaded in the data warehouse using some sort of extraction, transformation, and loading (ETL) process. Your online transaction processing (OLTP) system is usually the main source of original data used by the ETL process. Projects in one metadata can have different data warehouses and one project can have more than one data warehouse.

As a system administrator, you need to know which relational database management system (RDBMS) manages your data warehouse, how the MicroStrategy system accesses it (which machine it is on and which ODBC driver and Data Source Name it uses to connect to it), and what should happen when the data warehouse is loaded (such as running scripts to invalidate certain caches in Intelligence Server, and so on).

Indexing your Data: MicroStrategy Metadata

MicroStrategy metadata is like a road map or an index to the information that is stored in your data warehouse. The MicroStrategy system uses the metadata to know where in the data warehouse it should look for information. It also stores other types of objects that allow you to access that information. These are discussed below.

The metadata resides in a database, the metadata repository, that is separate from your data warehouse. This can be initially created when you run through the MicroStrategy Configuration Wizard. All the metadata information is stored in database tables defined by MicroStrategy.

For more information about running the MicroStrategy Configuration Wizard, see the Installation and Configuration Guide.

To help explain how the MicroStrategy system uses the metadata to do its work, imagine that a user runs a report with a total of revenue for a certain region in a quarter of the year. The metadata stores information about how the revenue metric is to be calculated, information about which rows and tables in the data warehouse to use for the region, and the most efficient way to retrieve the information.

The physical warehouse schema is a type of conceptual tool that is crucial for you to visualize information's location in the data warehouse. This includes table and column information about where things are actually stored as well as maps, such as lookup and relate tables, that help the system efficiently access that information. Persons who create the schema objects in the MicroStrategy metadata must reference the physical warehouse schema. Therefore, it is not actually stored in a location in the metadata, but it is implicitly present in the definition of the schema objects in the metadata.

The role of the physical warehouse schema is further explained in the Basic Reporting Guide.

In addition to the physical warehouse schema's implicit presence in the metadata, the following types of objects are stored in the metadata:

• Schema objects are objects created, usually by a project designer or architect, based on the logical and physical models. Facts, attributes, and hierarchies are examples of schema objects. These objects are developed in MicroStrategy Architect, which can be accessed from MicroStrategy Developer. The Project Design Guide is devoted to explaining schema objects.

• Application objects are the objects that are necessary to run reports. These objects are generally created by a report designer and can include reports, report templates, filters, metrics, prompts, and so on. These objects are built in Developer or Command Manager. The Basic Reporting Guide and Advanced Reporting Guide are devoted to explaining application objects.

• Configuration objects are administrative and connectivity-related objects. They are managed in Developer (or Command Manager) by an administrator changing the Intelligence Server configuration or project configuration. Examples of configuration objects include users, groups, server definitions and so on.

Processing Your Data: Intelligence Server

Intelligence Server is the second tier in the MicroStrategy system. Intelligence Server must be running for users to get information from the data warehouse using MicroStrategy clients, such as MicroStrategy Web or Developer.

Intelligence Server is the heart of the MicroStrategy system. It executes reports stored in the metadata against the data warehouse and passes the results of the reports to users. For detailed information about Intelligence Server, including how to start and stop it, see Managing Intelligence Server, page 29.

A server definition is an instance of Intelligence Server and its configuration settings. Multiple server definitions can be stored in the metadata, but only one can be run at a time on a machine. If you want multiple machines to point to the same metadata, you should cluster them. For more information about clustering, including instructions on how to cluster Intelligence Servers, see Chapter 9, Clustering Multiple MicroStrategy Servers.

Pointing multiple Intelligence Servers to the same metadata without clustering may cause metadata inconsistencies. This configuration is not supported, and MicroStrategy strongly recommends that users not configure their systems in this way.

Tying it All Together: Projects and Project Sources

A MicroStrategy project is an object in which you define all the schema and application objects, which together provide for a flexible reporting environment. A project's metadata repository is established by the project source in which you construct the project. The project's data warehouse is specified by associating the project with the appropriate database instance. For detailed information about projects, including instructions on how to create a project, see the Project Design Guide.

You can manage your projects using the System Administration Monitor. For details, see Managing and Monitoring Projects, page 47.

A project source is a container stored in Developer that defines how Developer accesses the metadata repository. Think of a project source as a pointer to one or more projects that are stored in a metadata repository.

Two types of project sources can be created, defined by the type of connection they represent:

• Server connection, or three-tier, which specifies the Intelligence Server to connect to.

• Direct connection, or two-tier, which bypasses Intelligence Server and allows Developer to connect directly to the MicroStrategy metadata and data warehouse. Note that this is primarily for project design and testing. Because this type of connection bypasses Intelligence Server, important benefits such as caching and governing, which help protect the system from being overloaded, are not available.

In older systems you may encounter a 6.x Project connection (also two-tier) that connects directly to a MicroStrategy version 6 project in read-only mode.

For more information on project sources, see the Installation and Configuration Guide.

Communicating with Databases

Establishing communication between MicroStrategy and your databases or other data sources is an essential first step in configuring MicroStrategy products for reporting and analyzing data. This section explains how MicroStrategy communicates with various data sources and the steps required to set up this communication.

ODBC (Open Database Connectivity) is a standard database access method. ODBC enables a single application to access database data, regardless of the database management system (DBMS) that stores the data. A DBMS is a collection of programs that enables you to store, modify, and extract information from a database.

MicroStrategy Intelligence Server, when used in a three- or four-tier configuration, is the application that uses ODBC to access a DBMS. ODBC drivers translate MicroStrategy Intelligence Server requests into commands that the DBMS understands. MicroStrategy Intelligence Server connects to several databases (at a minimum, the data warehouse and the metadata repository) to do its work.

Users of MicroStrategy Web can also connect to data sources using database connections. A database connection supports connecting to data sources through the use of DSNs, as well as through DSNless connections, to import and integrate data into MicroStrategy. For steps to create database connections in MicroStrategy Web, see Creating database connections in Web.

This section describes the ODBC standard for connecting to databases and creating data source names (DSNs) for the ODBC drivers that are bundled with the MicroStrategy applications.

The diagram below illustrates the three-tier metadata and data warehouse connectivity used in the MicroStrategy system.

The diagram shown above illustrates projects that connect to only one data source. However, MicroStrategy allows connection to multiple data sources in the following ways:

• With MicroStrategy MultiSource Option, a MicroStrategy project can connect to multiple relational data sources. For information on MultiSource Option, see the Project Design Guide.

• You can integrate MDX cube sources such as SAP BW, Microsoft Analysis Services, and Hyperion Essbase with your MicroStrategy projects. For information on integrating these MDX cubes sources into MicroStrategy, see the MDX Cube Reporting Guide.

This section provides information and instructions on the following tasks:

Connecting to the MicroStrategy Metadata

MicroStrategy users need connectivity to the metadata so that they can access projects, create objects, and execute reports. Intelligence Server connects to the metadata by reading the server metadata connection registry when it starts. However, this connection is only one segment of the connectivity picture.

Consider these questions:

• How does a Developer user access the metadata?

• How does a user connect to Intelligence Server?

• Where is the connection information stored?

The diagram below illustrates three-tier metadata connectivity between the MicroStrategy metadata database (tier one), Intelligence Server (tier two), and Developer (tier three).

In a server (three-tier) environment, Developer metadata connectivity is established through the project source. For steps to create a project source, see the Installation and Configuration Guide.

You can also create and edit a project source using the Project Source Manager in Developer. When you use the Project Source Manager, you must specify the Intelligence Server machine to which to connect. It is through this connection that Developer users retrieve metadata information.

The Developer connection information is stored in the Developer machine registry.

Connecting to the Data Warehouse


Once you establish a connection to the metadata, you must create a connection to the data warehouse. This is generally performed during initial software installation and configuration, but it can also be established with the following procedures in Developer:

• Creating a database instance: A MicroStrategy object created in Developer that represents a connection to the data warehouse. A database instance specifies warehouse connection information such as the data warehouse DSN, Login ID and password, and other data warehouse-specific information. A database instance should have one default database connection with one default database login.

• Creating a database connection: Specifies the DSN and database login used to access the data warehouse. A database instance designates one database connection as the default connection for MicroStrategy users.

• Creating a database login: Specifies the user ID and password used to access the data warehouse. The database login overwrites any login information stored in the DSN.

• User connection mapping: The process of mapping MicroStrategy users to database connections and database logins.

For procedures to connect to the data warehouse, see the Installation and Configuration Guide.

Caching Database Connections


Connecting to and disconnecting from databases incurs a small amount of overhead that may cause a small yet noticeable decrease in performance in high-concurrency systems. With connection caching, Intelligence Server is able to reuse database connections. This minimizes the overhead associated with repeatedly connecting to and disconnecting from databases.

Connections can exist in one of two states:

• Busy: connections that are actively submitting a query to a database

• Cached: connections that are still connected to a database but not actively submitting a query to a database

A cached connection is used for a job if the following criteria are satisfied:

• The connection string for the cached connection matches the connection string that will be used for the job.

• The driver mode (multiprocess versus multithreaded) for the cached connection matches the driver mode that will be used for the job.

Intelligence Server does not cache any connections that have pre- or post-SQL statements associated with them because these options may drastically alter the state of the connection.
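The reuse rules above, modeled as an added Python example (it is not MicroStrategy code). The class and field names, the sample connection strings, and the reading of the time-out and lifetime governors from the Database Connections dialog box as idle time and total age are assumptions, as is the choice to give a job with pre- or post-SQL a fresh connection every time.

```python
"""Illustrative model of connection caching; not MicroStrategy's implementation."""
from dataclasses import dataclass
from itertools import count


@dataclass
class Connection:
    conn_id: int
    conn_string: str
    driver_mode: str              # "multiprocess" or "multithreaded"
    created_at: float
    has_pre_post_sql: bool = False
    idle_since: float = 0.0
    state: str = "busy"           # "busy" or "cached"


class ConnectionCache:
    def __init__(self, idle_timeout, lifetime):
        self.idle_timeout = idle_timeout   # assumed: max seconds a cached connection may sit idle
        self.lifetime = lifetime           # assumed: max seconds since the connection was opened
        self.connections = []
        self._ids = count(1)

    def _expire(self, now):
        """Close cached connections that have exceeded either governor."""
        keep = []
        for c in self.connections:
            if c.state == "cached" and (
                now - c.idle_since > self.idle_timeout
                or now - c.created_at > self.lifetime
            ):
                continue                   # connection is closed and leaves the monitor
            keep.append(c)
        self.connections = keep

    def acquire(self, conn_string, driver_mode, now, pre_post_sql=False):
        """Return (connection, reused). Reuse needs both criteria to match."""
        self._expire(now)
        if not pre_post_sql:               # assumption: such jobs never take a cached connection
            for c in self.connections:
                if (c.state == "cached"
                        and c.conn_string == conn_string
                        and c.driver_mode == driver_mode):
                    c.state = "busy"
                    return c, True
        c = Connection(next(self._ids), conn_string, driver_mode, now, pre_post_sql)
        self.connections.append(c)
        return c, False

    def release(self, conn, now):
        """Cache the connection, unless pre-/post-SQL may have altered its state."""
        if conn.has_pre_post_sql:
            self.connections.remove(conn)  # closed instead of cached
            return
        conn.state = "cached"
        conn.idle_since = now

    def monitor(self, now):
        """Counts as the Database Connection Monitor would show them."""
        self._expire(now)
        busy = sum(c.state == "busy" for c in self.connections)
        return {"busy": busy, "cached": len(self.connections) - busy}


def run_scenario():
    cache = ConnectionCache(idle_timeout=60, lifetime=90)
    report = "DSN=WH_DSN;UID=report_login"     # constructed sample values
    finance = "DSN=WH_DSN;UID=finance_login"
    out = {}

    a, out["a_reused"] = cache.acquire(report, "multiprocess", now=0)
    cache.release(a, now=5)
    b, out["b_reused"] = cache.acquire(report, "multiprocess", now=50)
    out["b_same_conn"] = b is a                # same string, same mode: cache hit
    cache.release(b, now=55)
    c, out["c_reused"] = cache.acquire(report, "multithreaded", now=56)   # mode differs
    cache.release(c, now=57)
    d, out["d_reused"] = cache.acquire(finance, "multiprocess", now=58)   # string differs
    e, out["e_reused"] = cache.acquire(report, "multiprocess", now=59, pre_post_sql=True)
    out["monitor_59"] = cache.monitor(now=59)
    cache.release(e, now=60)                   # pre-/post-SQL: closed, not cached
    cache.release(d, now=61)
    out["monitor_61"] = cache.monitor(now=61)
    out["monitor_100"] = cache.monitor(now=100)  # first connection exceeds lifetime
    out["monitor_125"] = cache.monitor(now=125)  # the rest exceed the idle time-out
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Because the connection string is part of the match, jobs that run under different database logins do not share a cached connection in this model.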

Monitoring Database Instance Connections


A warehouse database connection is initiated any time a user executes an uncached report or browses uncached elements. The Database Connection Monitor enables you to view the number of busy and cached connections to the data warehouse. You can also view the name of the database instance, the user who is using the connection, and the database login being used to connect to the database.

If a database connection is cached, the ODBC connection from Intelligence Server to the data warehouse remains open. However, if the data warehouse connection surpasses the connection time-out or lifetime governors (set in the Database Connections dialog box, on the Advanced tab), the ODBC connection closes, and it no longer displays in the Database Connection Monitor.

To View the Current Database Connections

1. In Developer, log in to a project source. You must log in as a user with the Monitor Database Connections privilege.

2. Expand Administration, then expand System Monitors, and then select Database Connections. The database connection information displays on the right-hand side.

To Delete a Database Connection

In the Database Connection Monitor, right-click the connection and select Disconnect.

Benefiting from Centralized Database Access Control


All database connectivity is handled by Intelligence Server, which provides centralized control of database access. The advantages of centralized control include:

• Connectionless client—All connections to databases in the system are made through Intelligence Server. This means that only the Intelligence Server machine needs to have database connectivity. It also eliminates the need to rely on identically configured connections on client and server computers. This makes it easy to set up, deploy, and manage large systems.

• Connection caching—Connecting to and disconnecting from databases incurs a small amount of overhead that may cause a small, yet noticeable, decrease in performance in high-concurrency systems. With connection caching, Intelligence Server is able to reuse database connections. This minimizes the overhead associated with repeatedly connecting to and disconnecting from databases.

• Workload governing—Because only Intelligence Server connects to databases, it can make sure that no one database becomes overloaded with user requests. This is especially important for the data warehouse.

• User connection mapping—Intelligence Server can map MicroStrategy users and user groups to data warehouse login IDs. This allows multiple users to access the database using a single database login or different database logins.

• Ease of administration/monitoring—Because all database connectivity is handled by Intelligence Server, keeping track of all connections to all databases in the system is easy.

• Prioritized access to databases—You can set access priority by user, project, estimated job cost, or any combination of these.

• Multiprocess execution—The ability to run in multiprocess mode means that if one process fails, such as a lost or hung database access thread, the others are not affected.

• Database optimizations—Using VLDB properties, Intelligence Server is able to take advantage of the unique performance optimizations that different database servers offer.

Updating VLDB Properties for ODBC Connections


VLDB properties allow Intelligence Server to take advantage of the unique optimizations that different databases offer. Depending on the database type, these properties can affect how Intelligence Server handles things like:

• Join options, such as the star join and full outer join

• Metric calculation options, such as when to check for NULLs and zeros

• Pre- and post-SQL statements

• Query optimizations, such as sub-queries and driving tables

• Table types, such as temporary tables or derived tables

For more information about all the VLDB properties, see SQL Generation and Data Processing: VLDB Properties.

Upgrading Your Database Type Properties

Default VLDB properties are set according to the database type specified in the database instance. MicroStrategy periodically updates the default settings as database vendors add new functionality.

When you create the metadata for a MicroStrategy project, the database-specific information is loaded from a file supplied by MicroStrategy (called Database.pds). If you get a new release from MicroStrategy, the metadata is automatically upgraded using the Database.pds file with the metadata update process. The Administrator is the only user who can upgrade the metadata. Do this by clicking Yes when prompted for updating the metadata. This happens when you connect to an existing project after installing a new MicroStrategy release.

The MicroStrategy system cannot detect when you upgrade or change the database used to store the MicroStrategy metadata or your data warehouse. If you upgrade or change the database that is used to store the metadata or data warehouse, you can manually update the database type to apply the default properties for the new database type.

When you update the database type information, this process:

• Loads newly supported database types. For example, properties for the newest database servers that were recently added.

• Loads updated properties for existing database types that are still supported.

• Keeps properties for existing database types that are no longer supported. If there were no updates for an existing database type, but the properties for it have been removed from the Database.pds file, the process does not remove them from your metadata.

In some cases, MicroStrategy no longer updates certain DBMS objects as newer versions are released. These are not normally removed. However, in the case of Oracle 8i R2 and Oracle 8i R3, the DBMS objects were merged into "Oracle 8i R2/R3" for both Standard and Enterprise editions because Oracle 8i R3 is no longer being updated. You may need to select the merged version as part of your database instance if you are using a version of Oracle 8i. This will become apparent if date/time functions stop working, particularly in Enterprise Manager.

For more information about VLDB properties, see SQL Generation and Data Processing: VLDB Properties.

You may need to manually upgrade the database types if you chose not to run the update metadata process after installing a new release.

To Manually Upgrade the Database Type Properties

1. In the Database Instance editor, click the General tab.

2. Select Upgrade.

The Readme lists all DBMSs that are supported or certified for use with MicroStrategy.

Managing Intelligence Server


This section introduces you to basic Intelligence Server operation, including starting and stopping Intelligence Server and running it as a service or as an application.

You can improve your system and database performance by adjusting various Intelligence Server governing settings to fit your system parameters and your reporting needs. For detailed information about these settings, see Chapter 8, Tuning Your System for Best Performance.

What Happens When Intelligence Server Starts?


Once a server definition is defined and selected for Intelligence Server using the Configuration Wizard, the metadata connection information and server definition name are saved in the machine's registry. When Intelligence Server starts, it reads this information to identify the metadata to which it will connect.

When Intelligence Server starts, it does the following:

• Initializes internal processing units

• Reads metadata connection information and server definition name from the machine registry and connects to the specified metadata database

• Loads configuration and schema information for each loaded project

• Loads existing report cache files from automatic backup files into memory for each loaded project (up to the specified maximum RAM setting)

This occurs only if report caching is enabled and the Load caches on startup feature is enabled.

• Loads schedules

• Loads MDX cube schemas

You can set Intelligence Server to load MDX cube schemas when it starts, rather than loading MDX cube schemas upon running an MDX cube report. For more details on this and steps to load MDX cube schemas when Intelligence Server starts, see the Configuring and Connecting Intelligence Server section of the Installation and Configuration Guide.

If a system or power failure occurs, Intelligence Server cannot capture its current state. The next time the server is started, it loads the state information, caches, and History Lists that were saved in the last automatic backup. (The automatic backup frequency is set using the Intelligence Server Configuration Editor.) The server does not re-execute any job that was running until the person requesting the job logs in again.

What Happens When Intelligence Server Stops?


When you initiate an Intelligence Server shutdown, it:

• Writes cache and History List information to backup files

• Cancels currently executing jobs

The user who submitted a canceled job sees a message in the History List indicating that there was an error. The user must resubmit the job.

• Closes database connections

• Logs out connected users from the system

• Removes itself from the cluster (if it was in a cluster)

It does not rejoin the cluster automatically when restarted.

As noted earlier, if a system or power failure occurs, these actions cannot be done. Instead, Intelligence Server recovers its state from the latest automatic backup.

Running Intelligence Server as an Application or a Service

Intelligence Server can be started as a Windows service or as an application. If you run Intelligence Server as a service, you can start and stop it from a remote machine with Developer or by logging into the Intelligence Server machine remotely. In addition, you can configure the service to start automatically when the machine on which it is installed starts. For more information about running Intelligence Server as a service, see Starting and Stopping Intelligence Server as a Service, page 33.

On rare occasions you may need to run Intelligence Server as an application. This includes occasions when you need precise control over when Intelligence Server stops and starts or when you need to change certain advanced tuning settings that are not available when Intelligence Server is running as a service. For more information about running Intelligence Server as an application, see Starting Intelligence Server as an Application, page 40.

Registering and Unregistering Intelligence Server as a UNIX Service

In UNIX, when you configure Intelligence Server you must specify that it starts as an application or a service. If you want to start Intelligence Server as a service, you must register it as a service with the system. In addition, in UNIX, if you want to start Intelligence Server as a service after having started it as an application, you must register it as a service.

To register or unregister Intelligence Server as a service in UNIX, you must be logged in to the Intelligence Server machine with root privileges.

You can register Intelligence Server as a service in two ways:

• From the Configuration Wizard: on the Specify a Port Number page, ensure that the Register Intelligence Server as a Service check box is selected.

• From the command line: in ~/MicroStrategy/bin enter:

mstrctl -s IntelligenceServer rs

If you want to start Intelligence Server as an application after having registered it as a service, you need to unregister it. Unregistering the service can be done only from the command line, in ~/MicroStrategy/bin. The syntax to unregister the service is:

mstrctl -s IntelligenceServer us

Starting and Stopping Intelligence Server as a Service

Once the service is started, it is designed to run constantly, even after the user who started it logs off the system. However, you may need to stop and restart it for these reasons:

• Routine maintenance on the Intelligence Server machine

• Changes to Intelligence Server configuration options that cannot be changed while Intelligence Server is running

• Potential power outages due to storms or planned building maintenance

You can start and stop Intelligence Server manually as a service using any of the following methods:

• MicroStrategy Service Manager is a management application that can run in the background on the Intelligence Server machine. It is often the most convenient way to start and stop Intelligence Server. For instructions, see Service Manager, page 34.

• If you are already using Developer, you may need to start and stop Intelligence Server from within Developer. For instructions, see Developer, page 37.

• You can start and stop Intelligence Server as part of a Command Manager script. For details, see Command Manager, page 38.

• Finally, you can start and stop Intelligence Server from the command line using MicroStrategy Server Control Utility. For instructions, see Command Line, page 38.

• You must have the Configuration access permission for the server definition object. For information about object permissions in MicroStrategy, see Controlling Access to Objects: Permissions, page 95. For a list of the permission groupings for server definition objects, see Controlling Access to Objects: Permissions, page 95.

• To remotely start and stop the Intelligence Server service in Windows, you must be logged in to the remote machine as a Windows user with administrative privileges.

Service Manager

Service Manager is a management tool installed with Intelligence Server that enables you to start and stop Intelligence Server and choose a startup option. Service Manager allows you to start, stop, and manage the following services:

• MicroStrategy Intelligence Server

• MicroStrategy Listener

• MicroStrategy Distribution Manager

• MicroStrategy Execution Engine

• MicroStrategy Enterprise Manager Data Loader

• MicroStrategy Collaboration Service

• MicroStrategy PDF Exporter

For instructions on how to use Service Manager, click Help from within Service Manager.

Service Manager requires that port 8888 be open. If this port is not open, contact your network administrator.

To Open MicroStrategy Service Manager in Windows

1. In the system tray of the Windows task bar, double-click the MicroStrategy Service Manager icon.

2. If the icon is not present in the system tray, then from the Windows Start menu, point to All Programs, then MicroStrategy Tools, then select Service Manager.

To Open MicroStrategy Service Manager in UNIX

In UNIX, Service Manager requires an X-Windows environment.

1. Browse to the folder specified as the home directory during MicroStrategy installation (the default is ~/MicroStrategy), then browse to /bin.

2. Type ./mstrsvcmgr and press Enter.

Using the Listener/Restarter to Start Intelligence Server

You can configure Intelligence Server to start automatically when the Intelligence Server machine starts. You can also configure the Restarter to restart the Intelligence Server service automatically if it fails, but the machine on which it is installed is still running. To do this, you must have the MicroStrategy Listener service running.

To Start a MicroStrategy Service Automatically When the Machine Restarts

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, then select Service Manager.

2. In the Server drop-down list, select the name of the machine on which the service is installed.

3. In the Service drop-down list, select the service.

4. Click Options.

5. Select Automatic as the Startup Type option.

6. Click OK.

You can also set this using the Services option in the Microsoft Windows Control Panel.

To Start Intelligence Server Service Automatically when it Fails Unexpectedly

The MicroStrategy Listener service must be running for the Re-starter feature to work.

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, then select Service Manager.

2. In the Server drop-down list, select the machine on which the Intelligence Server service is installed.

3. In the Service drop-down list, select MicroStrategy Intelligence Server.

4. Click Options.

5. On the Intelligence Server Options tab, select the Enabled check box for the Re-starter Option.

Developer

You can start and stop a local Intelligence Server from Developer. You cannot start or stop a remote Intelligence Server from Developer; you must use one of the other methods to start or stop a remote Intelligence Server.

To Start or Stop Intelligence Server Using Developer

1. In Developer, in the Folder List, right-click the Administration icon.

2. Choose Start Server to start it or Stop Server to stop it.

Command Manager

Command Manager is a script-based tool that enables you to perform various administrative and maintenance tasks with reusable scripts. You can start and stop Intelligence Server using Command Manager.

For the Command Manager syntax for starting and stopping Intelligence Server, see the Command Manager Help (press F1 from within Command Manager). For a more general introduction to MicroStrategy Command Manager, see Chapter 15, Automating Administrative Tasks with Command Manager.

Command Line

You can start and stop Intelligence Server from a command prompt, using the MicroStrategy Server Control Utility. This utility is invoked by the command mstrctl. By default the utility is in C:\Program Files (x86)\Common Files\MicroStrategy\ in Windows, and in ~/MicroStrategy/bin in UNIX.

The syntax to start the service is:

mstrctl -s IntelligenceServer start --service

The syntax to stop the service is:

mstrctl -s IntelligenceServer stop

For detailed instructions on how to use the Server Control Utility, see Managing MicroStrategy Services from the Command Line, page 41.

Windows Services Window

You can start and stop Intelligence Server and choose a startup option using the Windows Services window.

To Start and Stop Intelligence Server Using the Windows Services Window

1. On the Windows Start menu, point to Settings, then choose Control Panel.

2. Double-click Administrative Tools, and then double-click Services.

3. From the Services list, select MicroStrategy Intelligence Server.

4. You can do any of the following:

   • To start the service, click Start.

   • To stop the service, click Stop.

   • To change the startup type, select a startup option from the drop-down list.

      • Automatic means that the service starts when the computer starts.

      • Manual means that you must start the service manually.

      • Disabled means that you cannot start the service until you change the startup type to one of the other types.

5. Click OK.

Starting Intelligence Server as an Application

While the need to do so is rare, you can start Intelligence Server as an application. This may be necessary if you must administer Intelligence Server on the machine on which it is installed, if Developer is not installed on that machine.

Some advanced tuning settings are only available when starting Intelligence Server as a service. If you change these settings, they are applied the next time Intelligence Server is started as a service.

MicroStrategy recommends that you not change these settings unless requested to do so by a MicroStrategy Technical Support associate.

There are some limitations to running Intelligence Server as an application:

• The user who starts Intelligence Server as an application must remain logged on to the machine for Intelligence Server to keep running. When the user logs off, Intelligence Server stops.

• If Intelligence Server is started as an application, you cannot administer it remotely. You can administer it only by logging in to the Intelligence Server machine.

• The application does not automatically restart if it fails.

In UNIX, if Intelligence Server has previously been configured to run as a service, you must unregister it as a service before you can run it as an application. For instructions on unregistering Intelligence Server as a service, see Registering and Unregistering Intelligence Server as a UNIX Service, page 32.

The default path for the Intelligence Server application executable is C:\Program Files (x86)\MicroStrategy\Intelligence Server\MSTRSvr.exe in Windows, and ~/MicroStrategy/bin in UNIX.

Executing this file from the command line displays the following administration menu in Windows, and a similar menu in UNIX.

To use these options, type the corresponding letter on the command line and press Enter. For example, to monitor users, type U and press Enter. The information is displayed.

Managing MicroStrategy Services from the Command Line

MicroStrategy Server Control Utility enables you to create and manage Intelligence Server server instances from the command line. A server instance is an Intelligence Server that is using a particular server definition. For more information about server definitions, see Processing Your Data: Intelligence Server.

Server Control Utility can also be used to start, stop, and restart other MicroStrategy services—such as the Listener, Distribution Manager, Execution Engine, or Enterprise Manager Data Loader services—and to view and set configuration information for those services.

The following table lists the commands that you can perform with the Server Control Utility. The syntax for using the Server Control Utility commands is:

mstrctl -m machinename [-l login] -s servicename command [instancename] [(> | <) filename.xml]

Where:

• machinename is the name of the machine hosting the server instance or service. If this parameter is omitted, the service is assumed to be hosted on the local machine.

• login is the login for the machine hosting the server instance or service, and is required if you are not logged into that machine. You are prompted for a password.

• servicename is the name of the service, such as IntelligenceServer or EMService.

To retrieve a list of services on a machine, use the command mstrctl -m machinename ls.

• command is one of the commands from the list below.

• instancename is the name of a server instance, where required. If a name is not specified, the command uses the default instance name.

• filename is the name of the file to read from or write to.

| If you want to... | Then use this command... |
|---|---|
| Get information about the Server Control Utility | |
| List all commands for the Server Control Utility. This command does not require a machine name, login, or service name. | -h or --help |
| Display the version number of the Server Control Utility. This command does not require a machine name, login, or service name. | -V or --version |
| Get information about the MicroStrategy network | |
| List machines that the Server Control Utility can see and affect. This command does not require a machine name, login, or service name. | lm or list-machines |
| List the MicroStrategy services available on a machine. This command does not require a service name. | ls or list-servers |
| List the ODBC DSNs available on a machine. This command does not require a service name. | lod or list-odbc-dsn |
| Configure a service | |
| Display the configuration information for a service, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to save the configuration properties to. | gsvc instancename [> filename.xml] or get-service-configuration instancename [> filename.xml] |
| Specify the configuration information for a service, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to read the configuration properties from. | ssvc instancename [< filename.xml] or set-service-configuration instancename [< filename.xml] |
| Configure a server | |
| Display the configuration properties of a server, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to save the configuration properties to. | gsc [> filename.xml] or get-server-configuration [> filename.xml] |
| Specify the configuration properties of a server, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to read the configuration properties from. | ssc [< filename.xml] or set-server-configuration [< filename.xml] |
| Configure a server instance | |
| Display the configuration information for a server instance, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to save the configuration properties to. | gsic instancename [> filename.xml] or get-server-instance-configuration instancename [> filename.xml] |
| Specify the configuration information for a server instance, in XML format. For more information, see Using files to store output and provide input, page 27. You can optionally specify a file to read the configuration properties from. | ssic instancename or set-server-instance-configuration instancename [< filename.xml] |
| Manage server instances | |
| Display the default instance for a service. | gdi or get-default-instance |
| Set an instance of a service as the default instance. | sdi instancename or set-default-instance instancename |
| Create a new server instance. | ci instancename or create-instance instancename |
| Create a copy of a server instance. Specify the name for the new instance as newinstancename. | cpi instancename newinstancename or copy-instance instancename newinstancename |
| Delete a server instance. | di instancename or delete-instance instancename |
| Register a server instance as a service. | rs instancename or register-service instancename |
| Unregister a registered server instance as a service. | us instancename or unregister-service instancename |
| Display the license information for a service instance. | gl instancename or get-license instancename |
| Display the status information for a server instance | gs instancename or get-status instancename |
| Start or stop a server instance | |
| Start a server instance as a service. | start --service instancename |
| Start a server instance as an application. For more information, see Running Intelligence Server as an Application or a Service, page 32. | start --interactive instancename |
| Stop a server instance that has been started as a service. | stop instancename |
| Pause a server instance that has been started as a service. | pause instancename |
| Resume a server instance that has been started as a service and paused. | resume instancename |
| Terminate a server instance that has been started as a service. | term instancename or terminate instancename |

Using Files to Store Output and Provide Input

Certain Server Control Utility commands involve XML definitions. The commands to display a server configuration, a service configuration, and a server instance configuration all output an XML definition. The commands to modify a server configuration, a service configuration, and a server instance configuration all require an XML definition as input.

It is difficult and time consuming to type a complete server, service, or server instance configuration from the command line. An easier way to configure them is to output the current configuration to a file, modify the file with a text editor, and then use the file as input to a command to modify the configuration.

Configuring Intelligence Server with XML files requires extensive knowledge of the various parameters and values used to define Intelligence Server configurations. Providing an incorrect XML definition to configure Intelligence Server can cause errors and unexpected functionality.

For example, the following command saves the default server instance configuration to an XML file:

    mstrctl -s IntelligenceServer gsic > filename.xml

The server instance configuration is saved in the file filename.xml, in the current directory.

The following command modifies the default server instance configuration by reading input from an XML file:

    mstrctl -s IntelligenceServer ssic < filename.xml

The XML definition in ServerInstance.xml is used to define the server instance configuration.
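
The export, edit, and re-import round trip described above can be wrapped so that a malformed file never reaches ssic and the previous definition is always kept. This is an added example, not code from the guide or from MicroStrategy: it reuses the two mstrctl command lines shown above, while the function names, the sample XML element names, and the assumption that mstrctl exits non-zero when it rejects input are assumptions of the example.

```python
import difflib
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The two command lines shown in the guide (default server instance).
GET_CMD = ["mstrctl", "-s", "IntelligenceServer", "gsic"]
SET_CMD = ["mstrctl", "-s", "IntelligenceServer", "ssic"]


def well_formed(xml_bytes):
    """Return (ok, reason). Syntax only: a well-formed file can still hold
    wrong parameter values, which this check cannot detect."""
    try:
        ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, ""


def review_diff(current, edited):
    """Unified diff between the live definition and the edited one."""
    a = current.decode("utf-8", "replace").splitlines()
    b = edited.decode("utf-8", "replace").splitlines()
    return list(difflib.unified_diff(a, b, "current", "edited", lineterm=""))


def export_config(path, run=subprocess.run):
    """Same effect as `mstrctl -s IntelligenceServer gsic > path`."""
    out = run(GET_CMD, capture_output=True, check=True).stdout
    Path(path).write_bytes(out)
    return out


def apply_config(edited_path, backup_path, run=subprocess.run, dry_run=False):
    """Validate, back up, diff, then feed the edited file to ssic on stdin.

    Returns a dict with 'applied', 'reason' and 'diff'. Assumption: mstrctl
    exits non-zero when it rejects the input; in that case the backup taken
    a moment earlier is sent back through ssic.
    """
    edited = Path(edited_path).read_bytes()
    ok, reason = well_formed(edited)
    if not ok:
        return {"applied": False, "reason": "malformed XML: " + reason, "diff": []}
    current = export_config(backup_path, run)  # fresh copy of the live config
    diff = review_diff(current, edited)
    if not diff:
        return {"applied": False, "reason": "no change", "diff": []}
    if dry_run:
        return {"applied": False, "reason": "dry run", "diff": diff}
    try:
        run(SET_CMD, input=edited, capture_output=True, check=True)
    except subprocess.CalledProcessError as exc:
        run(SET_CMD, input=current, capture_output=True, check=True)
        return {"applied": False,
                "reason": f"ssic failed ({exc.returncode}); backup restored",
                "diff": diff}
    return {"applied": True, "reason": "ok", "diff": diff}


class StubMstrctl:
    """Constructed stand-in for mstrctl so the demo runs without a server."""

    def __init__(self, live):
        self.live = live

    def __call__(self, cmd, input=None, **_):
        if cmd[-1] == "ssic":
            self.live = input
        return subprocess.CompletedProcess(cmd, 0, stdout=self.live)


def demo():
    # Constructed XML: element names are placeholders, not mstrctl's schema.
    stub = StubMstrctl(b"<configuration><setting>1</setting></configuration>")
    with tempfile.TemporaryDirectory() as tmp:
        edited, backup = Path(tmp, "edited.xml"), Path(tmp, "backup.xml")
        edited.write_bytes(b"<configuration><setting>2</setting></configuration>")
        good = apply_config(edited, backup, run=stub)
        edited.write_bytes(b"<configuration><setting>3</configuration>")
        bad = apply_config(edited, backup, run=stub)  # unclosed <setting>
    return good, bad, stub.live


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py edited.xml backup.xml
        outcome = apply_config(sys.argv[1], sys.argv[2])
    else:
        outcome = demo()[0]
    print(outcome["reason"])
    print("\n".join(outcome["diff"]))
```

Run with `dry_run=True` first to review the diff against the live definition; the well-formedness check catches syntax errors only, so the parameter values still need the review the guide calls for.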

Managing and Monitoring Projects


The System Administration Monitor lists all the projects on an Intelligence Server and all the machines in the cluster that Intelligence Server is using. You can monitor the status of the projects on a project source, and load, unload, idle, and resume projects for the entire project source or for a single node of the cluster. You can also schedule various system maintenance tasks from the Scheduled Maintenance view.

The System Administration group contains the following views:

• Project, which helps you keep track of the status of all the projects contained in the selected project source. For detailed information, see Managing Project Status, Configuration, or Security: Project View, page 48.

• Cluster, which helps you manage how projects are distributed across the servers in a cluster. For detailed information, see Managing Clustered Intelligence Servers: Cluster View, page 50.

• The Scheduled Maintenance monitor, which lists all the scheduled maintenance tasks. For detailed information, see Scheduling Administrative Tasks, page 983.

Managing Project Status, Configuration, or Security: Project View

The Project view helps you keep track of the status of all the projects contained in the selected project source. It also enables access to a number of project maintenance interfaces in one place. This makes it faster and easier to perform maintenance tasks such as purging caches, managing security filters, or loading or unloading projects from Intelligence Server.

To Access the Project View

1. Expand Administration in the project source's folder list.

2. Expand the System Administration group, and then select Project. The projects and their statuses display on the right-hand side.

Using the Project View

The Project view lists all the projects in the project source. If your system is set up as a cluster of servers, the Project Monitor displays all projects in the cluster, including the projects that are not running on the node from which you are accessing the Project Monitor. For details on projects in a clustered environment, see Distributing Projects Across Nodes in a Cluster, page 818.

To view the status of a project, select the List or Details view, and click the + sign next to the project's name. A list of all the servers in the cluster expands below the project's name. The status of the project on each server is shown next to the server's name. If your system is not clustered, there is only one server in this list.

For projects distributed asymmetrically across nodes of a cluster, a primary server is assigned to each project. A project's primary server handles the time-based scheduling for that project. The primary server is displayed in bold, and Primary Server appears after the server name.

From the Project view, you can access a number of administrative and maintenance functions. You can:

• Manage the users and security filters for a project

• View the change journal for a project (for details, see Monitoring System Activity: Change Journaling, page 489)

• Export and print the project's schema or other project documentation

• Load or unload projects from Intelligence Server, or idle or resume projects for maintenance (for details, see Setting the Status of a Project, page 51)

  To load a project on a specific server in a cluster, you use the Cluster Monitor. For details on this procedure, see Managing Clustered Intelligence Servers: Cluster View, page 50.

• Purge report, element, or object caches for projects

These tasks are all available by right-clicking a project in the Project Monitor. For more detailed information about any of these options, see the Help or related sections in this guide.

You can perform an action on multiple projects at the same time. To do this, select several projects (CTRL+click), then right-click and select one of the options.

You can also schedule any of these maintenance functions from the Schedule Administration Tasks dialog box. To access this dialog box, right-click a project in the Project view and select Schedule Administration Tasks. For more information, including detailed instructions on scheduling a task, see Scheduling Administrative Tasks, page 983.

Managing Clustered Intelligence Servers: Cluster View


The Cluster view helps you keep track of the status of your clustered Intelligence Servers. Through the Cluster view, you can view the status of each node, add or remove nodes in the cluster, and view how projects are distributed across the nodes.

To Access the Cluster View

1. Expand Administration in the project source's folder list.

2. Expand the System Administration group, and then select Cluster. The projects and their statuses display on the right-hand side.

3. To see a list of all the projects on a node, click the + sign next to that node. The status of the project on the selected server is shown next to the project's name.

Using the Cluster View

From the Cluster view, you can access a number of administrative and maintenance functions. You can:

• Manage the security policy settings for the project source

• Join or leave a cluster

• Manage the change journaling for projects on a cluster

• Purge the object cache for a server

These tasks are all available by right-clicking a server in the Cluster view.

You can also load or unload projects from a machine, or idle or resume projects on a machine for maintenance (for details, see Setting the Status of a Project, page 51) by right-clicking a project on a server. For more detailed information about any of these options, see Managing your Projects Across Nodes of a Cluster, page 824.

Setting the Status of a Project


Each project in Intelligence Server can operate in one of several modes. Project modes allow for various system administration tasks to occur without interrupting Intelligence Server operation for other projects. The tasks that are allowed to occur depend on the job or jobs that are required for that task.

A project's status can be one of the following:

• Loaded, page 52

• Unloaded, page 52

• Request Idle, page 53

• Execution Idle, page 53

• Warehouse Execution Idle, page 54

• Full Idle, page 55

• Partial Idle, page 55

For instructions on changing a project's status, see Changing the Status of a Project, page 56.

For example scenarios where the different project idle modes can help to support project and data warehouse maintenance tasks, see Project and Data Warehouse Maintenance Example Scenarios, page 58.

Loaded
A project in Loaded mode appears as an available project in Developer and MicroStrategy Web products. In this mode, user requests are accepted and processed as normal.

Unloaded
Unloaded projects are still registered on Intelligence Server, but they do not appear as available projects in Developer or MicroStrategy Web products, even for administrators. Nothing can be done in the project until it is loaded again.

Unloading a project can be helpful when an administrator has changed some project configuration settings that do not affect run-time execution and are to be applied to the project at a later time. The administrator can unload the project, and then reload the project when it is time to apply the project configuration settings.

A project unload request is fully processed only when all executing jobs for the project are complete.

Request Idle
Request Idle mode helps to achieve a graceful shutdown of the project rather than modifying a project from Loaded mode directly to Full Idle mode. In this mode, Intelligence Server:

• Stops accepting new user requests from the clients for the project.

• Completes jobs that are already being processed. If a user requested that results be sent to their History List, the results are available in their History List after the project is resumed.

Setting a project to Request Idle can be helpful to manage server load for projects on different clusters. For example, in a cluster with two nodes named Node1 and Node2, the administrator wants to redirect load temporarily to the project on Node2. The administrator must first set the project on Node1 to Request Idle. This allows existing requests to finish execution for the project on Node1, and then all new load is handled by the project on Node2.

Execution Idle
A project in Execution Idle mode is ideal for Intelligence Server maintenance because this mode restricts users in the project from running any job in Intelligence Server. In this mode, Intelligence Server:

• Stops executing all new and currently executing jobs and, in most cases, places them in the job queue. This includes jobs that require SQL to be submitted to the data warehouse and jobs that are executed in Intelligence Server, such as answering prompts.

  If a project is idled while Intelligence Server is in the process of fetching query results from the data warehouse for a job, that job is canceled instead of being placed in the job queue. When the project is resumed, if the job was sent to the user's History List, an error message is placed in the History List. The user can click the message to resubmit the job request.

• Allows users to continue to request jobs, but execution is not allowed and the jobs are placed in the job queue. Jobs in the job queue are displayed as "Waiting for project" in the Job Monitor. When the project is resumed, Intelligence Server resumes executing the jobs in the job queue.

This mode allows you to perform maintenance tasks for the project. For example, you can still view the different project administration monitors, create reports, create attributes, and so on. However, tasks such as element browsing, exporting, and running reports that are not cached are not allowed.

Warehouse Execution Idle
A project in Warehouse Execution Idle mode is ideal for data warehouse maintenance because this mode restricts users in the project from running any SQL against the data warehouse. In this mode, Intelligence Server:

• Accepts new user requests from clients for the project, but it does not submit any SQL to the data warehouse.

• Stops any new or currently executing jobs that require SQL to be executed against the data warehouse and, in most cases, places them in the job queue. These jobs display as "Waiting for project" in the Job Monitor. When the project is resumed, Intelligence Server resumes executing the jobs in the job queue.

  If a project is idled while Intelligence Server is in the process of fetching query results from the data warehouse for a job, that job is canceled instead of being placed in the job queue. When the project is resumed, if the job was sent to the user's History List, an error message is placed in the History List. The user can click the message to resubmit the job request.

• Completes any jobs that do not require SQL to be executed against the data warehouse.

This mode allows you to perform maintenance tasks on the data warehouse while users continue to access non-database-dependent functionality. For example, users can run cached reports, but they cannot drill if that drilling requires additional SQL to be submitted to the data warehouse. Users can also export reports and documents in the project.

Full Idle
Full Idle is a combination of Request Idle and Execution Idle. In this mode, Intelligence Server does not accept any new user requests and active requests are canceled. When the project is resumed, Intelligence Server does not resubmit the canceled jobs and it places an error message in the user's History List. The user can click the message to resubmit the request.

This mode allows you to stop all Intelligence Server and data warehouse processing for a project. However, the project still remains in Intelligence Server memory.

Partial Idle
Partial Idle is a combination of Request Idle and Warehouse Execution Idle. In this mode, Intelligence Server does not accept any new user requests. Any active requests that require SQL to be submitted to the data warehouse are queued until the project is resumed. All other active requests are completed.

This mode allows you to stop all Intelligence Server and data warehouse processing for a project, while not canceling jobs that do not require any warehouse processing. The project still remains in Intelligence Server memory.

Changing the Status of a Project

To Load or Unload a Project

If the project is running on multiple clustered Intelligence Servers, the project is loaded or unloaded from all nodes. To load or unload the project from specific nodes, use the Cluster view instead of the Project view. For detailed instructions, see Using the Cluster View, page 51.

1. In Developer, log in to the project source containing the project.

2. Under that project source, expand Administration, then expand System Administration, and select Project.

3. Right-click the project, point to Administer Project, and select Load or Unload. The project is loaded or unloaded. If you are using clustered Intelligence Servers, the project is loaded or unloaded for all nodes in the cluster.

To Idle or Resume a Project

If the project is running on multiple clustered Intelligence Servers, the project status changes for all nodes. To idle or resume the project on specific nodes, use the Cluster view instead of the Project view. For detailed instructions, see Using the Cluster View, page 51.

1. In Developer, log in to the project source containing the project.

2. Under that project source, expand Administration, then expand System Administration, and then select Project.

3. Right-click the project, point to Administer Project, and select Idle/Resume.

4. Select the options for the idle mode that you want to set the project to:

   • Request Idle (Request Idle): all executing and queued jobs finish executing, and any newly submitted jobs are rejected.

   • Execution Idle (Execution Idle for All Jobs): all executing, queued, and newly submitted jobs are placed in the queue, to be executed when the project resumes.

   • Warehouse Execution Idle (Execution Idle for Warehouse jobs): all executing, queued, and newly submitted jobs that require SQL to be submitted to the data warehouse are placed in the queue, to be executed when the project resumes. Any jobs that do not require SQL to be executed against the data warehouse are executed.

   • Full Idle (Request Idle and Execution Idle for All jobs): all executing and queued jobs are canceled, and any newly submitted jobs are rejected.

   • Partial Idle (Request Idle and Execution Idle for Warehouse jobs): all executing and queued jobs that do not submit SQL against the data warehouse are canceled, and any newly submitted jobs are rejected. Any currently executing and queued jobs that do not require SQL to be executed against the data warehouse are executed.

   To resume the project from a previously idled state, clear the Request Idle and Execution Idle check boxes.

5. Click OK. The Idle/Resume dialog box closes and the project goes into the selected mode. If you are using clustered Intelligence Servers, the project mode is changed for all nodes in the cluster.

Project and Data Warehouse Maintenance Example Scenarios

In addition to the example scenarios provided with the different project idle modes, the list below describes some other maintenance scenarios that can be achieved using various project idle modes:

• Database maintenance for a data warehouse is scheduled to run at midnight, during which time the data warehouse must not be accessible to users. At 11:00 P.M., the administrator sets the project mode to Request Idle. All currently executing jobs will finish normally. At 11:30 P.M., the administrator sets the project mode to Warehouse Execution Idle, disallowing any execution against the data warehouse while maintenance tasks are performed. After maintenance is complete, the administrator sets the project to Loaded to allow normal execution and functionality to resume for the project.

• Two projects, named Project1 and Project2, use the same data warehouse. Project1 needs dedicated access to the data warehouse for a specific length of time. The administrator first sets Project2 to Request Idle. After existing activity against the data warehouse is complete, Project2 is restricted against executing on the data warehouse. Then, the administrator sets Project2 to Warehouse Execution Idle mode to allow data warehouse-independent activity to execute. Project1 now has dedicated access to the data warehouse until Project2 is reset to Loaded.

• When the administrator schedules a project maintenance activity, the impact on users of the project during this time can be reduced. The administrator can set a project's idle mode to Request Idle, followed by Partial Idle, and finally to Full Idle. This process can reduce user access to a project and data warehouse gradually, rather than changing directly to Full Idle and thus immediately stopping all user activity.

Processing Jobs
Any request submitted to Intelligence Server from any part of the MicroStrategy system is known as a job. Jobs may originate from servers such as the Subscription server or Intelligence Server's internal scheduler, or from client applications such as MicroStrategy Desktop, MicroStrategy Library, MicroStrategy Workstation, MicroStrategy Web, Mobile, Integrity Manager, or another custom-coded application.

The main types of requests include report execution requests, object browsing requests, element browsing requests, document requests, and dossier requests.

The Job Monitor shows you which jobs are currently executing and lets you cancel jobs as necessary. For information about the job monitor, see Monitoring Currently Executing Jobs, page 81.

By default, jobs are processed on a first-in first-out basis. However, your system probably has some jobs that need to be processed before other jobs. You can assign a priority level to each job according to factors such as the type of request, the user or user group requesting the job, the source of the job (such as Developer, Mobile, or MicroStrategy Web), the resource cost of the job, or the project containing the job. Jobs with a higher priority have precedence over jobs with a lower priority, and they are processed first if there is a limit on the resources available. For detailed information on job priority, including instructions on how to prioritize jobs, see Prioritizing Jobs, page 737.

Intelligence Server Job Processing (Common to All Jobs)


Regardless of the type of request, Intelligence Server uses some common functionality to satisfy them. The following is a high-level overview of the processing that takes place.

1. A user makes a request from a client application such as MicroStrategy Web, which sends the request to Intelligence Server.

2. Intelligence Server determines what type of request it is and performs a variety of functions to prepare for processing.

   Depending on the request type, a task list is composed that determines what tasks must be accomplished to complete the job, that is, what components the job has to use within the server that handle things like asking the user to respond to a prompt, retrieving information from the metadata repository, executing SQL against a database, and so on. Each type of request has a different set of tasks in the task list.

3. The components in Intelligence Server perform different tasks in the task list, such as querying the data warehouse, until a final result is achieved.

   Those components are the stops the job makes in what is called a pipeline, a path that the job takes as Intelligence Server works on it.

4. The result is sent back to the client application, which presents the result to the user.

Most of the actual processing that takes place is done in steps 2 and 3 internally in Intelligence Server. Although the user request must be received and the final results must be delivered (steps 1 and 4), those are relatively simple tasks. It is more useful to explain how Intelligence Server works. Therefore, the rest of this section discusses Intelligence Server activity as it processes jobs. This includes:

• Processing Report Execution, page 62

• Processing Object Browsing, page 67

• Processing Element Browsing, page 69

• Processing Report Services Document Execution, page 72

• Processing Dossier Execution, page 75

• Client-Specific Job Processing, page 77

Being familiar with this material should help you to understand and interpret statistics, Enterprise Manager reports, and other log files available in the system. This may help you to know where to look for bottlenecks in the system and how you can tune the system to minimize their effects.

Processing Report Execution

Reports are perhaps the most common requests made of Intelligence Server. All report requests have the following pieces:

• A report instance is a container for all objects and information needed and produced during report execution including templates, filters, prompt answers, generated SQL, report results, and so on.

• A task list is a list of tasks that must be accomplished to complete a job. All jobs have a task list associated with them. Intelligence Server coordinates the report instance being passed from one internal Intelligence Server component to another as a report is executed.

The most prominent Intelligence Server components related to report job processing are listed here.

| Component | Function |
| --- | --- |
| Analytical Engine Server | Performs complex calculations on a result set returned from the data warehouse, such as statistical and financial functions. Also, sorts raw results returned from the Query Engine into a cross-tabbed grid suitable for display to the user. In addition, it performs subtotal calculations on the result set. Depending on the metric definitions, the Analytical Engine will also perform metric calculations that were not or could not be performed using SQL, such as complex functions. |
| Metadata Server | Controls all access to the metadata for the entire project. |
| Object Server | Creates, modifies, saves, loads and deletes objects from metadata. Also maintains a server cache of recently used objects. The Object Server does not manipulate metadata directly. The Metadata Server does all reading/writing from/to the metadata; the Object Server uses the Metadata Server to make any changes to the metadata. |
| Query Engine | Sends the SQL generated by the SQL Engine to the data warehouse for execution. |
| Report Server | Creates and manages all server reporting instance objects. Maintains a cache of executed reports. |
| Resolution Server | Resolves prompts for report requests. Works in conjunction with Object Server and Element Server to retrieve necessary objects and elements for a given request. |
| SQL Engine Server | Generates the SQL needed for the report. |

Below is a typical scenario of a report's execution within Intelligence Server. The diagram shows the report processing steps. An explanation of each step follows the diagram.

1. Intelligence Server receives the request.

2. The Resolution Server checks for prompts. If the report has one or more prompts, the user must answer them. For information about these extra steps, see Processing reports with prompts.

3. The Report Server checks the internal cache, if the caching feature is turned on, to see whether the report results already exist. If the report exists in the cache, Intelligence Server skips directly to the last step and delivers the report to the client. If no valid cache exists for the report, Intelligence Server creates the task list necessary to execute the report. For more information on caching, see Result Caches, page 860.

   Prompts are resolved before the Server checks for caches. Users may be able to retrieve results from cache even if they have personalized the report with their own prompt answers.

4. The Resolution Server obtains the report definition and any other required application objects from the Object Server. The Object Server retrieves these objects from the object cache, if possible, or reads them from the metadata via the Metadata Server. Objects retrieved from metadata are stored in the object cache.

5. The SQL Generation Engine creates the optimized SQL specific to the RDBMS being used in the data warehouse. The SQL is generated according to the definition of the report and associated application objects retrieved in the previous step.

6. The Query Engine runs the SQL against the data warehouse. The report results are returned to Intelligence Server.

7. The Analytical Engine performs additional calculations as necessary. For most reports, this includes cross-tabbing the raw data and calculating subtotals. Some reports may require additional calculations that cannot be performed in the database via SQL.

8. Depending on the analytical complexity of the report, the results might be passed back to the Query Engine for further processing by the database until the final report is ready (in this case, steps 5–7 are repeated).

9. Intelligence Server's Report Server saves or updates the report in the cache, if the caching feature is turned on, and passes the formatted report back to the client, which displays the results to the user.

Processing Reports with Prompts

If the report has prompts, these steps are inserted in the regular
report execution steps presented above (see Processing report
execution):

1. Intelligence Server sends the job to the Resolution Server
   component. The Resolution Server discovers that the report
   definition contains a prompt and tells Intelligence Server to
   prompt the user for the necessary information.

2. Intelligence Server puts the job in a sleep mode and tells the
   Result Sender component to send a message to the client
   application prompting the user for the information.

3. The user completes the prompt, and the client application sends
   the user's prompt selections back to Intelligence Server.

4. Intelligence Server performs the security and governing checks
   and updates the statistics. It then wakes up the sleeping job,
   adds the user's prompt reply to the job's report instance, and
   passes the job to the Resolution Server again.

5. This cycle repeats until all prompts in the report are resolved.

   A sleeping job times out after a certain period or if the connection
   to the client is lost. If the prompt reply comes back after the job
   has timed out, the user sees an error message.

All regular report processing resumes from the point at which
Intelligence Server checks for a report cache, if the caching feature is
turned on.

Processing Personal Intelligent Cube Reports

Personal Intelligent Cube reports are initially processed the same as
a regular report, and the report instance is held in Intelligence
Server's memory. If the user manipulates the report and that
manipulation does not cause the base report's SQL to change, the
Analytical Engine component services the request and sends the
results to the client. No additional processing from the data
warehouse is required.

Reports can also connect to Intelligent Cubes that can be shared by
multiple reports. These Intelligent Cubes also allow the Analytical
Engine to perform additional analysis without requiring any
processing on the data warehouse.

For information on personal Intelligent Cubes and Intelligent Cubes,
see the In-memory Analytics Guide.

Processing Graph Reports

When processing graph reports, Intelligence Server performs the
regular report processing (see Processing report execution).
Depending on the connection, the following happens:

• In a three-tier connection, Intelligence Server sends the report to
  Developer, which creates the graph image.

• In a four-tier connection, Intelligence Server uses the graph
  generation component to create the graph image and sends it to the
  client.

Processing Object Browsing


The definitions for all objects displayed in the folder list, such as
folders, metrics, attributes, and reports, are stored in the metadata.
Whenever you expand or select a folder in Developer or
MicroStrategy Web, Intelligence Server must retrieve the objects from
the metadata before it can display them in the folder list and the
object viewer.

This process is called object browsing and it creates what are called
object requests. It can cause a slight delay that you may notice the
first time you expand or select a folder. The retrieved object
definitions are then placed in Intelligence Server's memory (cache) so
that the information is displayed immediately the next time you
browse the same folder. This is called object caching. For more
information on this, see Object Caches, page 936.

The most prominent Intelligence Server components related to object
browsing are listed here.

Component            Function

Metadata Server      Controls all access to the metadata for the entire
                     project.

Object Server        Creates, modifies, saves, loads and deletes objects
                     from metadata. Also maintains a server cache of
                     recently used objects.

Source Net Server    Receives, de-serializes, and passes metadata object
                     requests to the object server.

The diagram below shows the object request execution steps. An
explanation of each step follows the diagram.

1. Intelligence Server receives the request.

2. The Object Server checks for an object cache that can service
   the request. If an object cache exists, it is returned to the client
   and Intelligence Server skips to the last step in this process. If
   no object cache exists, the request is sent to the Metadata
   Server.

3. The Metadata Server reads the object definition from the
   metadata repository.

4. The requested objects are received by the Object Server, where
   they are deposited into the memory object cache.

5. Intelligence Server returns the objects to the client.

Processing Element Browsing


Attribute elements are typically stored in lookup tables in the data
warehouse. This includes data that is unique to your business
intelligence system, such as Northeast, Northwest, Central, and Asia
in the Region attribute.

For a more thorough discussion of attribute elements, see the section in
the Basic Reporting Guide about the logical data model.

When users request attribute elements from the system, they are said
to be element browsing and create what are called element requests.
More specifically, this happens when users:

• Answer prompts when executing a report

• Browse attribute elements in Developer using the Data Explorer
  (either in the Folder List or the Report Editor)

• Use Developer's Filter Editor, Custom Group Editor, or Security
  Filter Editor

• Use the Design Mode on MicroStrategy Web to edit the report filter

When Intelligence Server receives an element request from the user,
it sends a SQL statement to the data warehouse requesting attribute
elements. When it receives the results from the data warehouse, it
then passes the results back to the user. Also, if the element caching
feature is turned on, it stores the results in memory so that additional
requests are retrieved from memory instead of querying the data
warehouse again. For more information on this, see Element Caches,
page 920.

The most prominent Intelligence Server components related to
element browsing are listed here.

Component            Function

DB Element Server    Transforms element requests into report requests and
                     then sends report requests to the warehouse.

Element Net Server   Receives, de-serializes, and passes element request
                     messages to the Element Server.

Element Server       Creates and stores server element caches in memory.
                     Manages all element requests in the project.

Query Engine         Sends the SQL generated by the SQL Engine to the data
                     warehouse for execution.

Report Server        Creates and manages all server reporting instance
                     objects. Maintains a cache of executed reports.

Resolution Server    Resolves prompts for report requests. Works in
                     conjunction with Object Server and Element Server to
                     retrieve necessary objects and elements for a given
                     request.

SQL Engine Server    Generates the SQL needed for the report.

The diagram below shows the element request execution steps. An
explanation of each step follows the diagram.

1. Intelligence Server receives the request.

2. The Element Server checks for a server element cache that can
   service the request. If a server element cache exists, the element
   cache is returned to the client. Skip to the last step in this
   process.

3. If no server element cache exists, the database Element Server
   receives the request and transforms it into a report request.

   The element request at this point is processed like a report
   request: Intelligence Server creates a report that has only the
   attributes and possibly some filtering criteria, and SQL is
   generated and executed like any other report.

4. The Report Server receives the request and creates a report
   instance.

5. The Resolution Server receives the request and determines what
   elements are needed to satisfy the request, and then passes the
   request to the SQL Engine Server.

6. The SQL Engine Server generates the necessary SQL to satisfy
   the request and passes it to the Query Engine Server.

7. The Query Engine Server sends the SQL to the data warehouse.

8. The elements are returned from the data warehouse to
   Intelligence Server and deposited in the server memory element
   cache by the Element Server.

9. Intelligence Server returns the elements to the client.

Processing Report Services Document Execution


A MicroStrategy Report Services document contains objects
representing data coming from one or more reports. The document
also holds positioning and formatting information. A document is used
to combine data from multiple reports into a single display of
presentation quality. When you create a document, you can specify
the data that appears and can also control the layout, formatting,
grouping, and subtotaling of that data. In addition, you can insert
pictures into the document and draw borders on it. All these
capabilities allow you to create documents that are suitable to present
to management.

Most of the data on a document is from an underlying dataset. A
dataset is a MicroStrategy report that defines the information that
Intelligence Server retrieves from the data warehouse or cache. Other
data that does not originate from the dataset is stored in the
document's definition.

Document execution is slightly different from the execution of a single
report, since documents can contain multiple reports.

The following diagram shows the document processing execution
steps. An explanation of each step follows the diagram.

1. Intelligence Server receives a document execution request and
   creates a document instance in Intelligence Server. This
   instance holds the results of the request.

   A document instance facilitates the processing of the document
   through Intelligence Server, similar to a report instance that is
   used to process reports. It contains the report instances for all
   the dataset reports and therefore has access to all the
   information that may be included in the dataset reports. This
   information includes prompts, formats, and so on.

2. The Document Server inspects all dataset reports and prepares
   for execution. It consolidates all prompts from datasets into a
   single prompt to be answered. All identical prompts are merged
   so that the resulting prompt contains only one copy of each
   prompt question.

3. The Document Server, with the assistance of the Resolution
   Server, asks the user to answer the consolidated prompt. The
   user's answers are stored in the Document Server.

4. The Document Server creates an individual report execution job
   for each dataset report. Each job is processed by Intelligence
   Server, using the report execution flow described in Processing
   Report Execution, page 62. Prompt answers are provided by the
   Document Server to avoid further prompt resolution.

5. After Intelligence Server has completed all the report execution
   jobs, the Analytical Engine receives the corresponding report
   instances to begin the data preparation step. Document elements
   are mapped to the corresponding report instance to construct
   internal data views for each element.

   Document elements include grouping, data fields, Grid/Graphs,
   and so on.

6. The Analytical Engine evaluates each data view and performs
   the calculations that are required to prepare a consolidated
   dataset for the entire document instance. These calculations
   include calculated expressions, derived metrics, and conditional
   formatting. The consolidated dataset determines the number of
   elements for each group and the number of detail sections.

7. The Document Server receives the final document instance to
   finalize the document format:

   • Additional formatting steps are required if the document is
     exported to PDF or Excel format. The export generation takes
     place on the client side in three-tier and on the server side in
     four-tier, although the component in charge is the same in both
     cases.

   • If the document is executed in HTML, the MicroStrategy Web
     client requests an XML representation of the document to
     process it and render the final output.

8. The completed document is returned to the client.

Processing Dossier Execution


A dossier is a container for formatting, displaying, and distributing
multiple reports from a single request. Dossiers are based on an
HTML template, which allows them to contain any combination of text,
images, hyperlinks, tables, grid reports, and graph reports. Any
reports included in a dossier are called the child reports of the
dossier.

Because dossiers are collections of multiple reports, their execution
process is slightly different from single reports. The most notable
differences are shown in the procedure below.

The diagram below shows the dossier processing execution steps. An
explanation of each step follows the diagram.

1. Intelligence Server receives a dossier execution request and
   creates a dossier instance to go through Intelligence Server and
   hold the results.

2. The dossier server consolidates all prompts from child reports
   into a single prompt to be answered. Any identical prompts are
   merged so that the resulting single prompt contains only one
   copy of each prompt question.

3. The Resolution Server asks the user to answer the consolidated
   prompt. (The user only needs to answer a single set of
   questions.)

4. The dossier server splits the dossier request into separate
   individual jobs for the constituent reports. Each report goes
   through the report execution flow as described above.

   Prompts have already been resolved for the child reports.

5. The completed request is returned to the client.

Client-Specific Job Processing


This section explains the job processing steps that certain client
applications perform as they deliver user requests to Intelligence
Server. It also covers how those clients receive results, and how the
results are displayed to the user.

For information about the processing steps performed by Intelligence
Server for all jobs, see Intelligence Server Job Processing (Common
to All Jobs), page 60.

Processing Jobs from MicroStrategy Web Products

This section provides a high-level overview of processing flow for
requests originating in MicroStrategy Web or Web Universal. It also
includes the job process for exporting reports in various formats.

Job Requests from MicroStrategy Web Products

1. The user makes a request from a web browser. The request is
   sent to the web server via HTTP or HTTPS.

2. An ASP.NET page or a servlet receives the request and calls the
   MicroStrategy Web API.

3. The MicroStrategy Web API sends the request to Intelligence
   Server, which processes the job as usual (see Processing
   Report Execution, page 62).

4. Intelligence Server sends the results back to the MicroStrategy
   Web API via XML.

5. MicroStrategy Web converts the XML to HTML within the
   application code:

   • In MicroStrategy Web, the conversion is primarily performed in
     ASP code.

   • In some customizations, the conversion may occur within
     custom XSL classes. By default, the product does not use XSL
     for rendering output, except in document objects.

6. MicroStrategy Web sends the HTML to the client's browser,
   which displays the results.

What Happens When I Export a Report from MicroStrategy Web?

Exporting a report from MicroStrategy Web products lets users save
the report in another format that may provide additional capabilities
for sharing, printing, or further manipulation. This section explains the
additional processing the system must do when exporting a report in
one of several formats. This may help you to understand when certain
parts of the MicroStrategy platform are stressed when exporting.

Exporting a report from MicroStrategy Web products causes
Intelligence Server to retrieve the entire result set (no incremental
fetch) into memory and send it to MicroStrategy Web. This increases
the memory use on the Intelligence Server machine and it increases
network traffic.

For information about governing report size limits for exporting, see
Limiting the Information Displayed at One Time, page 750 and the
following sections.

Export to Comma Separated File (CSV) or Excel with Plain Text

Export to Comma Separated File (CSV) and Export to Excel with Plain
Text are done completely on Intelligence Server. These formats contain
only report data and no formatting information. The only difference
between these two formats is the internal "container" that is used.

The MicroStrategy system performs these steps when exporting to
CSV or to Excel with plain text:

1. The MicroStrategy Web product receives the request for the export
   and passes the request to Intelligence Server. Intelligence
   Server takes the XML containing the report data and parses it for
   separators, headers and metric values.

2. Intelligence Server then outputs the titles of the units in the Row
   axis. All these units end up in the same row of the result text.

3. Intelligence Server then outputs the title and header of one unit
   in the Column axis.

4. Repeat step 3 until all units in the Column axis are completed.

5. Intelligence Server outputs all the headers of the Row axis and
   all metric values one row at a time.

6. The finished result is then passed to be output as a CSV or an
   Excel file, which is then passed to the client browser.

Export to Excel with Formatting

Exporting to Excel with formatting allows for reports to be exported to
an Excel file and contain the same formatting as shown in the browser
window. The report retains all cell coloring, font sizes, styles, and
other formatting aspects.

• To export to Excel with formatting, the client machine must have Excel
  2000 SR-1 or later.

• To export to Excel, users must first set their Export preferences by
  clicking Preferences, then User preferences, then Export, and
  select the Excel version they want to export to.

The MicroStrategy system performs these steps when exporting to
Excel with formatting:

1. The MicroStrategy Web product receives the request for the export
   to Excel and passes the request to Intelligence Server. Intelligence
   Server produces an HTML document by combining the XML
   containing the report data with the XSL containing formatting
   information.

2. Intelligence Server passes the HTML document to MicroStrategy
   Web, which creates an Excel file and sends it to the browser.

3. Users can then choose to view the Excel file or save it
   depending on the client machine operating system's setting for
   viewing Excel files.

Export to PDF

Exporting to PDF uses Intelligence Server's export engine to create a
PDF (Portable Document Format) file. PDF files are viewed with
Adobe's Acrobat reader and provide greater printing functionality than
simply printing the report from the browser.

Processing Jobs from Narrowcast Server

MicroStrategy Narrowcast Server performs the following steps to
deliver reports to users.

For detailed information about Narrowcast Server, see the Narrowcast
Server Getting Started Guide.

Job Requests from MicroStrategy Narrowcast Server

1. A Narrowcast service execution is triggered by a schedule or
   external API call.

2. Narrowcast Server determines the service recipients and
   allocates work to Execution Engine (EE) machines.

3. EE machines determine personalized reports to be created for
   each recipient by using recipient preferences.

4. Narrowcast Server submits one report per user or one multipage
   report for multiple users, depending on service definition.

5. Intelligence Server processes the report job request as usual.
   (See Processing Report Execution, page 62.) It then sends the
   result back to Narrowcast Server.

6. Narrowcast Server creates formatted documents using the
   personalized report data.

7. Narrowcast Server packages documents as appropriate for the
   service's delivery method, such as e-mail, wireless, and so on.

8. Narrowcast Server delivers the information to recipients by the
   chosen delivery method.

Monitoring Currently Executing Jobs


The Job Monitor informs you of what is happening with system tasks.
However, it does not display detailed sub-steps that a job is
performing. You can see jobs that are:

• Executing

• Waiting in the queue

• Waiting for a user to reply to a prompt

• Canceling

• Not completing because of an error

The Job Monitor displays which tasks are running on an Intelligence
Server. When a job has completed it no longer appears in the monitor.
You can view a job's identification number; the user who submitted it;
the job's status; a description of the status and the name of the report,
document, or query; and the project executing it.

To View the Currently Executing Jobs

1. In Developer, log in to a project source. You must log in as a
   user with the Monitor Jobs privilege.

2. Expand Administration, then expand System Monitors, and
   then select Jobs. The job information displays on the right-hand
   side.

3. Because the Job Monitor does not refresh itself, you must
   periodically refresh it to see the latest status of jobs. To do this,
   press F5.

4. To view a job's details including its SQL, double-click it.

5. To view more details for all jobs displayed, right-click in the Job
   Monitor and select View options. Select the additional columns
   to display and click OK.

At times, you may see "Temp client" in the Network Address column.
This may happen when Intelligence Server is under a heavy load and a
user accesses the list of available projects. Intelligence Server creates
a temporary session that submits a job request for the available projects
and then sends the list to the MicroStrategy Web client for display. This
temporary session, which remains open until the request is fulfilled, is
displayed as Temp client.

To Cancel a Job

1. Select the job in the Job Monitor.

2. Press DELETE, and then confirm whether you want to cancel the
   job.

Using Automated Installation Techniques


You can make installing the MicroStrategy system across your
enterprise easier in several ways. They are mentioned here but more
fully explained in the Installation and Configuration Guide.

Using a Response File to Install the Product


The response file installation allows you to automate certain aspects
of the installation by configuring a Windows INI-like response file,
called response.ini. This option is typically implemented by
Original Equipment Manufacturer (OEM) applications that embed
MicroStrategy installations in other products. It can also be
implemented by IT departments that want to have more control over
desktop installations. For more information on how to set up and use
a response file, see the Installation and Configuration Guide.

Using a Response File to Configure the Product


You can also use a response file to automate certain aspects of the
MicroStrategy configuration. This response file supplies parameters
to the Configuration Wizard to set up a metadata repository and
statistics tables, Intelligence Server, and multiple project sources. For
steps on setting up and using a response file for the Configuration
Wizard, see the Installation and Configuration Guide.

Running a Silent Installation


Silent installations do not present any graphical user interface (GUI).
They are typically implemented by IT departments that perform
software distribution and installation across the network, for example,
by using Microsoft's System Management Server software. This
involves configuring a setup.iss file that the MicroStrategy
Installation Wizard uses. For steps on setting up and using a
setup.iss file for a silent MicroStrategy installation, see the
Installation and Configuration Guide.

OEMs may use silent installations; however, it is more common for
OEMs to use a response file installation.

2 SETTING UP USER SECURITY

Security is a concern in any organization. The metadata and data
warehouse may contain sensitive information that should not be
viewed by all users. It is your responsibility as administrator to make
the right data available to the right users.

MicroStrategy has a robust security model that enables you to create
users and groups, and control what data they can see and what
objects they can use. The security model is covered in the following
sections:

• The MicroStrategy User Model, page 86

• Controlling Access to Application Functionality, page 95

• Controlling Access to Data, page 121

• Merging Users or Groups, page 151

Authentication, the process by which the system identifies the user, is
an integral part of any security model. Authenticating users is
addressed in Chapter 3, Identifying Users: Authentication.

The MicroStrategy User Model


This section provides an overview of what users and groups are in the
system and how they can be imported or created.

About MicroStrategy Users

About MicroStrategy User Groups

Privileges

Permissions

Creating, Importing, and Deleting Users and Groups

Monitoring Users' Connections to Projects

About MicroStrategy Users


Like most security architectures, the MicroStrategy security model is
built around the concept of a user. To do anything useful with
MicroStrategy, a user must be authenticated and authorized. The user
can then perform tasks such as creating objects or executing reports
and documents, and can generally take advantage of all the other
features of the MicroStrategy system.

MicroStrategy supports a single sign-on for users in an enterprise
environment that consists of multiple applications, data sources, and
systems. Users can log in to the system once and access all the
resources of the enterprise seamlessly. For more details about
implementing single sign-on in MicroStrategy, see Enabling Single
Sign-On Authentication, page 212.

Users are defined in the MicroStrategy metadata and exist across
projects. You do not have to define users for every project you create
in a single metadata repository.

Each user has a unique profile folder in each project. This profile
folder appears to the user as the "My Personal Objects" folder. By
default other users' profile folders are hidden. They can be viewed by,
in the Developer Preferences dialog box, in the Developer: Browsing
category, selecting the Display Hidden Objects check box.

Administrator is a built-in default user created with a new
MicroStrategy metadata repository. The Administrator user has all
privileges and permissions for all projects and all objects.

One of the first things you should do in your MicroStrategy installation is
to change the password for the Administrator user.

About MicroStrategy User Groups


A user group (or "group" for short) is a collection of users and/or
subgroups. Groups provide a convenient way to manage a large
number of users.

Instead of assigning privileges, such as the ability to create reports,
to hundreds of users individually, you may assign privileges to a
group. Groups may also be assigned permissions to objects, such as
the ability to add reports to a folder.

In addition to having privileges of their own, subgroups always inherit
the privileges from their parent groups.

For a list of the privileges assigned to each group, see the List of
Privileges section.

Do not modify the privileges for an out-of-the-box user group. During
upgrades to newer versions of MicroStrategy, the privileges for the
out-of-the-box user groups are overwritten with the default privileges.
Instead, you should copy the user group you need to modify and make
changes to the copied version.

Th e Ever yo n e Gr o u p
Al l users except for guest users are automati cal l y members of the
Everyone group. The Everyone group i s provi ded to make i t easy for
you to assi gn pri vi l eges, securi ty rol e membershi ps, and permi ssi ons
to al l users.

When a projec t is upgraded from Mic roStrategy v ers ion 7.5.x or earlier
to v ers ion 9.x , the Us e Dev eloper priv ilege is automatic ally granted to
the Ev ery one group. This ens ures that all us ers who were able to
ac c es s Dev eloper in prev ious v ers ions c an c ontinue to do s o.


Authentication-Related Groups
These groups are provided to assist you in managing the different
ways in which users can log into the MicroStrategy system. For
details on the different authentication methods, see Chapter 3,
Identifying Users: Authentication.

• Public/Guest: The Public group provides the capability for
  anonymous logins and is used to manage the access rights of guest
  users. If you choose to allow anonymous authentication, each guest
  user assumes the profile defined by the Public group. For more
  information about anonymous authentication and the Public/Guest
  group, see Implementing Anonymous Authentication, page 169.

• 3rd Party Users: Users who access MicroStrategy projects through
  third-party (OEM) software.

• LDAP Users: The group into which users that are imported from an
  LDAP server are added.

• LDAP Public/Guest: This group is for LDAP anonymous login. It
  behaves like the Public/Guest group, except that it is for LDAP
  anonymous login. When an LDAP anonymous user logs in, it is
  authorized with the privileges and access rights of LDAP
  Public/Guest and Public/Guest.

  For information on integrating LDAP with MicroStrategy, see
  Implementing LDAP Authentication, page 171.

• Warehouse Users: Users who access a project through a
  warehouse connection.

Groups Corresponding to Product Offerings
These groups are built-in groups that correspond to the licenses you
have purchased. Using these groups gives you a convenient way to
assign product-specific privileges.

• Architect: Architects function as project designers and can create
  attributes, facts, hierarchies, projects, and so on.

• Analyst: Analysts have the privileges to execute simple reports,
  answer prompts, drill on reports, format reports, create reports by
  manipulating Report Objects, create derived metrics, modify view
  filter, pivot reports, create page by, and sort using advanced
  options.

• Developer: Developers can design new reports from scratch, and
  create report components such as consolidations, custom groups,
  data marts, documents, drill maps, filters, metrics, prompts, and
  templates.

• Web Reporter: Web Reporters can view scheduled reports and
  interactively slice and dice them. They can also use the printing,
  exporting, and e-mail subscription features.

• Web Analyst: Web Analysts can create new reports with basic
  report functionality, and use ad hoc analysis from Intelligent Cubes
  with interactive, slice and dice OLAP.

• Web Professional: Web Professional users have the maximum
  access to MicroStrategy Web functionality. They can create
  Intelligent Cubes and reports for users, with full reporting, ad hoc,
  and OLAP capabilities with seamless ROLAP analysis.

Administrator Groups
• System Monitors: The System Monitors groups provide an easy
  way to give users basic administrative privileges for all projects in
  the system. Users in the System Monitors groups have access to the
  various monitoring and administrative monitoring tools.

• System Administrators: The System Administrators group is a
  group within the System Monitors group. It provides all the
  capabilities of the System Monitors group plus the ability to modify
  configuration objects such as database instances, and so on.

Privileges
Privileges allow users to access and work with various functionality
within the software. All users created in the MicroStrategy system are
assigned a set of privileges by default.

For detailed information about privileges, including how to assign
privileges to a user or group, see Controlling Access to Functionality:
Privileges, page 109. For a list of all user and group privileges in
MicroStrategy, see the List of Privileges section.

To see which users are using certain privileges, use the License
Manager. See Using License Manager, page 375.

To View a User's Privileges

1. In Developer, log in to a project source. You must log in as a
   user with the Create And Edit Users And Groups privilege.

2. Expand Administration, then User Manager, and then the group
   containing the user.

3. Right-click the user and select Grant access to projects. The
   User Editor opens to the Project Access dialog box. The
   privileges that the user has for each project are listed, as well as
   the source of those privileges (inherent to user, inherited from a
   group, or inherited from a security role).

Permissions
Permissions allow users to interact with various objects in the
MicroStrategy system. All users created in the MicroStrategy system
have certain access rights to certain objects by default.


Permissions differ from privileges in that permissions restrict or allow
actions related to a single object, while privileges restrict or allow
actions across all objects in a project.

For detailed information about permissions, including how to assign
permissions for an object to a user or group, see Controlling Access
to Objects: Permissions, page 95.

To View the Permissions for an Object

1. From within Developer, right-click the object and select
   Properties.

2. Expand the Security category.

Creating, Importing, and Deleting Users and Groups


It is possible to create users individually using the User Manager
interface in Developer, or using Command Manager (for a detailed
explanation of how to use Command Manager, including examples,
see Chapter 15, Automating Administrative Tasks with Command
Manager). You can also import users and groups from a text file, from
a Windows user directory, or from an LDAP directory.

To Create a New User with the User Editor in Developer

1. In Developer, log in to a project source. You must log in as a
   user with the Create And Edit Users And Groups privilege.

2. Expand Administration, then User Manager, and then a group
   that you want the new user to be a member of. If you do not want
   the user to be a member of a group, select Everyone.

3. Go to File > New > User.

4. Specify the user information for each category in the editor.

   The user login ID is limited to 50 characters.

To Delete a User

If a Narrowcast user exists that inherits authentication from the user
that you are deleting, you must also remove the authentication definition
from that Narrowcast user. For instructions, see the MicroStrategy
Narrowcast Server Administration Guide.

1. In Developer, log in to a project source. You must log in as a
   user with the Create And Edit Users And Groups privilege.

2. Expand Administration, then User Manager, and then browse to
   the group containing the user.

3. Select the user and press Delete.

4. Click OK.

5. Click No. The folder and its contents remain on the system and
   ownership is assigned to Administrator. You may later assign
   ownership and access control lists for the folder and its contents
   to other users.

6. Click Yes and the folder and all of its contents are deleted.

Monitoring Users' Connections to Projects


When a user connects to a project, a user connection is established.
You may want to see a list of all users connected to projects within a
project source. The User Connection Monitor displays a list of all
connections and allows you to disconnect a user.


To View the Active User Connections

1. In Developer, log in to a project source. You must log in as a
   user with the Monitor User Connections privilege.

2. Go to Administration > System Monitors > User Connections.
   The user connection information displays on the right-hand side.
   For each user, there is one connection for each project the user
   is logged in to, plus one connection for <Server> indicating
   that the user is logged in to the project source.

   • Scheduler: Connections made by Intelligence Server to
     process scheduled reports or documents appear as
     <Scheduler> in the Network Address column. Scheduler
     sessions cannot be manually disconnected as described above.
     However, these sessions will be removed automatically by
     Intelligence Server when the user session idle time out value is
     reached.

   • Temp client: At times, you may see "Temp client" in the
     Network Address column. This may happen when Intelligence
     Server is under a heavy load and a user accesses the Projects
     or Home page in MicroStrategy Web (the pages that display the
     list of available projects). Intelligence Server creates a
     temporary session that submits a job request for the available
     projects and then sends the list to the MicroStrategy Web client
     for display. This temporary session, which remains open until
     the request is fulfilled, is displayed as "Temp client."

3. To view a connection's details, double-click it.

To Disconnect a User

1. In the User Connection Monitor, select the connection.

2. Press Delete.


If you disconnect users from the project source (the <Configuration>
entry in the User Connection Monitor), they are also disconnected from
any projects they were connected to.

Controlling Access to Application Functionality


Access control governs the resources that an authenticated user can
read, modify, or write. In addition to controlling access to data (see
Controlling Access to Data, page 121), you must also control access
to application functionality, such as the ability to create reports or
which reports are viewable. The MicroStrategy system provides a rich
set of functionality for access control within Intelligence Server:

Controlling Access to Objects: Permissions


Permissions define the degree of control users have over individual
objects in the system. For example, in the case of a report, a user may
have permission to view the report definition and execute the report,
but not to modify the report definition or delete the report.

While privileges are assigned to users (either individually, through
groups, or with security roles), permissions are assigned to objects.
More precisely, each object has an Access Control List (ACL) that
specifies which permissions different sets of users have on that
object.

Intelligence Server includes special privileges called Bypass All Object
Security Access Checks and Bypass Schema Object Security Access
Checks. Users with these privileges are not restricted by access control
permissions and are considered to have full control over all objects and
schema objects, respectively. For information about privileges, see
Controlling Access to Functionality: Privileges, page 109.


To Modify Permissions for an Object in Developer

1. In Developer, right-click the object and select Properties.

   To modify an object's ACL, you must access the Properties dialog
   box directly from Developer. If you access the Properties dialog
   box from within an editor, you can view the object's ACL but cannot
   make any changes.

2. Select the Security category.

3. For the User or Group (click Add to select a new user or group),
   from the Object drop-down list, select the predefined set of
   permissions, or select Custom to define a custom set of
   permissions. If the object is a folder, you can also assign
   permissions to objects contained in that folder using the
   Children drop-down list.

4. Click OK.

To Modify Permissions for an Object in MicroStrategy Web

1. In MicroStrategy Web, right-click an object and select Share.

2. To modify permissions for a user or group, from the Permission
   Level drop-down list for that user or group, select the predefined
   set of permissions, or select Custom to define a custom set of
   permissions.

3. To add new users or groups to the object's access control list
   (ACL):

   • Click Choose Users/Groups.

   • Select the users or groups that you want to add to the object's
     ACL.

   • From the Choose a Permission Level drop-down list, select
     the predefined set of permissions, or select Custom to define a
     custom set of permissions.

   • Click Add.

4. To remove a user or group from the object's ACL, click the X next
   to the user or group's name.

5. When you are finished modifying the object's permissions, click
   OK.

Access Control List (ACL)

The Access Control List (ACL) of an object is a list of users and
groups, and the access permissions that each has for the object.

For example, for the Northeast Region Sales report you can specify
the following permissions:

• The Managers and Executive user groups have View access to the
  report.

• The Developers user group (people who create and modify your
  applications) has Modify access.

• The Administrators user group has Full Control of the report.

• The Everyone user group (any user not in one of the other groups)
  should have no access to the report at all, so you assign the Denied
  All permission grouping.

The default ACL of a newly created object has the following
characteristics:

• The owner (the user who created the object) has Full Control
  permission.

• Permissions for all other users are set according to the Children
  ACL of the parent folder.

  Newly created folders inherit the standard ACLs of the parent folder.
  They do not inherit the Children ACL.

• When creating new schema objects, if the Everyone user group is not
  defined in the ACL of the parent folder, Developer will add the
  Everyone user group to the ACL of the new schema object, and set
  the permissions to Custom. If the Everyone user group has
  permissions already assigned in the parent folder ACL, they will be
  inherited properly.

  For example, if the Children setting of the parent folder's ACL
  includes Full Control permission for the Administrator and View
  permission for the Everyone group, then the newly created object
  inside that folder will have Full Control permission for the owner, Full
  Control for the Administrator, and View permission for Everyone.

• When a user group belongs to another user group, granting
  one group permissions and denying the other any permissions will
  cause both groups to have the Denied All permission.

  For example, group A belongs to group B. If the ACL on Object A for
  group A is assigned Full Control and the ACL on Object A for Group B
  is Deny All, then the resolved ACL on User A is Deny All.

• Modifying the ACL of a shortcut object does not modify the ACL of that
  shortcut's parent object.

• When you move an object to a different folder, the moved object
  retains its original ACLs until you close and reopen the project in
  Developer. Using Save As to move an object to a new folder will
  update the ACLs for all objects except metrics. When editing or
  moving a metric, you should copy the object and place the copy in a
  new folder so the copied object inherits its ACL from the Children
  ACL of the folder into which it is copied.


What Permissions Can be Granted for an Object?

When you edit an object's ACL using the object's Properties dialog
box, you can assign a predefined grouping of permissions or you can
create a custom grouping. The table below lists the predefined
groupings and the specific permissions each one grants.

| Grouping | Description | Permissions granted |
|---|---|---|
| View | Grants permission to access the object for viewing only, and to provide translations for an object's name and description. | Browse, Read, Use, Execute |
| Modify | Grants permission to view and/or modify the object. | Browse, Read, Write, Delete, Use, Execute |
| Full Control | Grants all permissions for the object and also allows to modify the ACL for the object. | Control and all other permissions are granted |
| Denied All | Explicitly denies all permissions for the object. None of the permissions are assigned. | none; all are denied |
| Default | Neither grants nor denies permissions. All permissions are inherited from the groups to which the user or group belongs. | none |
| Custom | Allows the user or group to have a custom combination of permissions that you can define. | custom choice |
| Consume (Only available in MicroStrategy Web) | (Intelligent Cube only) Grants permission to create and execute reports based on this Intelligent Cube. | Browse, Read, Use |
| Add (Only available in MicroStrategy Web) | (Intelligent Cube only) Grants permission to create and execute reports based on this Intelligent Cube, and republish/re-execute the Intelligent Cube to update the data. | Browse, Read, Use, Execute |
| Collaborate (Only available in MicroStrategy Web) | (Intelligent Cube only) Grants permission to create and execute reports based on this Intelligent Cube, republish/re-execute the Intelligent Cube to update the data, and modify the Intelligent Cube. | Browse, Read, Write, Delete, Use, Execute |

The permissions actually assigned to the user or group when you
select a permission grouping are explained in the table below.

| Permission | Definition |
|---|---|
| Browse | View the object in Developer and MicroStrategy Web |
| Read | View the object's definition in the appropriate editor, and view the object's access control list. When applied to a language object, allows users to see the language in the Translation Editor but not edit strings for this language. |
| Write | Modify the object's definition in the appropriate editor and create new objects in the parent object. For example, add a new metric in a report or add a new report to a document. |
| Delete | Delete the object |
| Control | Modify the object's access control list |
| Use | Use the object when creating or modifying other objects. For example, the Use permission on a metric allows a user to create a report containing that metric. For more information, see Permissions and Report/Document Execution, page 106. When applied to a language object, allows users to edit and save translations, and to select the language for display in their Developer or MicroStrategy Web language preferences. This permission is checked at design time, and when executing reports against an Intelligent Cube. A user with Use but not Execute permission for an Intelligent Cube can create and execute reports that use that Intelligent Cube, but cannot publish the Intelligent Cube. |
| Execute | Execute reports or documents that reference the object. To execute a report or document, a user must have Execute access to all objects on the report/document. For more information, see Permissions and Report/Document Execution, page 106. This permission is checked at run time. The user must have Use permission on an Intelligent Cube to execute reports against that Intelligent Cube. |

When you give users only Browse access to a folder, using the Custom
permissions, they can see that folder displayed, but cannot see a list of
objects within the folder. However, if they perform a search, and objects
within that folder match the search criteria, they can see those objects.
To deny a user the ability to see objects within a folder, you must deny
all access directly to the objects in the folder.

For example, grant the Browse permission to a folder, but
assign Denied All for the folder's children objects, then select
the Apply changes in permissions to all children objects
check box. This allows a user to see the folder, but nothing
inside it. Alternatively, if you assign Denied All to the folder
and to its children, the user cannot see the folder or any of its
contents.

Permissions for Server Governing and Configuration

A server object is a configuration-level object in the metadata called
Server Definition. It contains governing settings that apply at the
server level, a list of projects registered on the server, connection
information to the metadata repository, and so on. It is created or
modified when a user goes through the Configuration Wizard. Server
definition objects are not displayed in the interface in the same way
other objects are (reports, metrics, and so on).

As with other objects in the system, you can create an ACL for a
server object that determines what system administration permissions
are assigned to which users. These permissions are different from the
ones for other objects (see table below) and determine what
capabilities a user has for a specific server. For example, you can
configure a user to act as an administrator on one server, but as an
ordinary user on another. To do this, you must modify the ACL for
each server definition object by right-clicking the Administration
icon, selecting Properties, and then selecting the Security tab.

The table below lists the groupings available for server objects, the
permissions each one grants, and the tasks each allows you to
perform on the server.


| Grouping | Permissions Granted | Allows you to... |
|---|---|---|
| Connect | Browse | Connect to the server |
| Monitoring | Browse, Read | View server definition properties; View statistics settings; Use the system monitors |
| Administration | Browse, Read, Use, Execute | Start/stop the server; Apply runtime settings; Update diagnostics at runtime; Cancel jobs; Idle/resume a project; Disconnect user; Schedule reports; Delete schedules; Trigger events; Perform cache administration; Create security filters; Use Security Filter Manager |
| Configuration | Browse, Read, Write, Delete, Control | Change server definition properties; Change statistics settings; Delete server definition; Grant server rights to other users |
| Default | All permissions that are assigned to "Default" | Perform any task on that server. |
| Custom... | custom choice | Perform the tasks your custom selections allow. |


How Permissions are Determined

A user can have permissions for a given object from the following
sources:

• User identity: The user identity is what determines an object's
  owner when an object is created. The user identity also determines
  whether the user has been granted the right to access a given
  object.

• Group membership: A user is granted access to an object if they
  belong to a group with access to the object.

• Special privileges: A user may possess a special privilege that
  causes the normal access checks to be bypassed:

  • Bypass Schema Object Security Access Checks allows the user to
    ignore the access checks for schema objects.

  • Bypass All Object Security Access Checks allows the user to
    ignore the access checks for all objects.

Permission Levels

A user can have permissions directly assigned to an object, and be a
member of one or more groups that have a different permission
grouping assigned to the object. In this case, user-level permissions
override group-level permissions, and permissions that are denied at
the user or group level override permissions that are granted at that
level. The list below indicates what permissions are granted when
permissions from multiple sources conflict.

1. Permissions that are directly denied to the user are always
   denied.

2. Permissions that are directly granted to the user, and not directly
   denied, are always granted.

3. Permissions that are denied by a group, and not directly granted
   to the user, are denied.

4. Permissions that are granted by a group, and not denied by
   another group or directly denied, are granted.

5. Any permissions that are not granted, either directly or by a
   group, are denied.

For example, user Jane does not have any permissions directly
assigned for a report. However, Jane is a member of the Designers
group, which has Full Control permissions for that report, and is also
a member of the Managers group, which has Denied All permissions
for that report. In this case, Jane is denied all permissions for the
report. If Jane is later directly granted View permissions for the report,
she would have View permissions only.
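
The five precedence rules, the Jane example, and the nested-group note from the Access Control List section can be checked against a small model. The Python below is an added example, not MicroStrategy code or a product API; the function names, the sample trustees, and the representation of an ACL as a dictionary are assumptions, and the two Bypass privileges are not modelled.

```python
"""Model of the five precedence rules for conflicting ACL entries.

Added illustration only: none of these names is a MicroStrategy API.
"""
from typing import Dict, Set, Tuple

ALL_PERMISSIONS = frozenset(
    {"Browse", "Read", "Write", "Delete", "Control", "Use", "Execute"}
)

# Predefined groupings as (granted, denied), taken from the groupings table.
GROUPINGS: Dict[str, Tuple[frozenset, frozenset]] = {
    "View": (frozenset({"Browse", "Read", "Use", "Execute"}), frozenset()),
    "Modify": (ALL_PERMISSIONS - {"Control"}, frozenset()),
    "Full Control": (ALL_PERMISSIONS, frozenset()),
    "Denied All": (frozenset(), ALL_PERMISSIONS),
    "Default": (frozenset(), frozenset()),
}


def entry(acl, trustee):
    """Return (granted, denied) for a trustee; absent trustees act as Default."""
    value = acl.get(trustee, "Default")
    if isinstance(value, str):
        return GROUPINGS[value]
    granted, denied = value  # Custom grouping given as a (granted, denied) pair
    return frozenset(granted), frozenset(denied)


def ancestor_groups(name, member_of):
    """Every group `name` belongs to, directly or through parent groups."""
    seen: Set[str] = set()
    stack = list(member_of.get(name, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen


def resolve(user, acl, member_of):
    """Map each permission to (is_granted, number of the rule that decided it)."""
    user_granted, user_denied = entry(acl, user)
    group_granted: Set[str] = set()
    group_denied: Set[str] = set()
    for group in ancestor_groups(user, member_of):
        granted, denied = entry(acl, group)
        group_granted |= granted
        group_denied |= denied

    decided = {}
    for perm in sorted(ALL_PERMISSIONS):
        if perm in user_denied:
            decided[perm] = (False, 1)   # directly denied
        elif perm in user_granted:
            decided[perm] = (True, 2)    # directly granted, not directly denied
        elif perm in group_denied:
            decided[perm] = (False, 3)   # denied by some group
        elif perm in group_granted:
            decided[perm] = (True, 4)    # granted by a group, denied by none
        else:
            decided[perm] = (False, 5)   # never granted
    return decided


def granted_set(decided):
    """Collapse a resolve() result to the set of effective permissions."""
    return {perm for perm, (ok, _rule) in decided.items() if ok}


# Constructed sample data for the Jane example in the text.
MEMBER_OF = {"Jane": ["Designers", "Managers"]}
REPORT_ACL = {"Designers": "Full Control", "Managers": "Denied All"}

# Constructed data for the nested-group note: User A -> Group A -> Group B.
NESTED_MEMBER_OF = {"User A": ["Group A"], "Group A": ["Group B"]}
NESTED_ACL = {"Group A": "Full Control", "Group B": "Denied All"}

if __name__ == "__main__":
    print(sorted(granted_set(resolve("Jane", REPORT_ACL, MEMBER_OF))))
    with_view = dict(REPORT_ACL, Jane="View")
    for perm, (ok, rule) in resolve("Jane", with_view, MEMBER_OF).items():
        print(f"{perm:8} {'granted' if ok else 'denied':8} rule {rule}")
```

The rule number returned with each permission shows why an entry resolved the way it did, which is the question that usually comes up when a group-level Denied All masks a grant made elsewhere.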

Default Permissions for Folders in a New Project

By default, in a new MicroStrategy project, users are only allowed to
save objects within their personal folders. Only administrative users
can save objects within the Public Folder directory in a MicroStrategy
project. Folders in a new project are created with these default ACLs:

• Public Objects folder, Schema Objects folder

  • Administrator: Full Control

  • Everyone: Browse

  • Public/Guest: Browse

  • Inherited ACL

    • Administrator: Default

    • Everyone: View

    • Public/Guest: View

  This means that new users, as part of the Everyone group, are able
  to browse the objects in the Public Objects folder, view their
  definitions and use them in definitions of other objects (for example,
  create a report with a public metric), and execute them (execute
  reports). However, new users cannot delete these objects, or create
  or save new objects to these folders.

• Personal folders

  • Owner: Full Control

  This means that new users can create objects in these folders and
  have full control over those objects.

Permissions and Report/Document Execution

Two permissions relate to report and document execution: the Use
and Execute permissions. These have the following effects:

• The Use permission allows the user to reference or use the object
  when they are modifying another object. This permission is checked
  at object design time, and when executing reports against an
  Intelligent Cube.

• The Execute permission allows the user to execute reports or
  documents that use the object. This permission is checked only at
  report/document execution time.

A user may have four different levels of access to an object using
these two new permissions:

• Both Use and Execute permissions: The user can use the object to
  create new reports, and can execute reports containing the object.

• Execute permission only: The user can execute previously created
  reports containing the object, but cannot create new reports that use
  the object. If the object is an Intelligent Cube, the user cannot
  execute reports against that Intelligent Cube.

• Use permission only: The user can create reports using the object,
  but cannot execute those reports.

  A user with Browse, Read, and Use (but not Execute) permissions for
  an Intelligent Cube can create and execute reports that use that
  Intelligent Cube, but cannot publish the Intelligent Cube.

• Neither Use nor Execute permission: The user cannot create reports
  containing the object, nor can the user execute such reports, even if
  the user has Execute rights on the report.

Interpreting Access Rights During Report/Document Execution

The ability to execute a report or document is determined by whether
the user has Execute permission on the report and Execute
permission on the objects used to define that report. More
specifically, Execute permission is required on all attributes, custom
groups, consolidations, prompts, metrics, facts, filters, templates, and
hierarchies used to define the report or document. Permissions are
not checked on transformations and functions used to define the
report.

If the user does not have access to an attribute, custom group,
consolidation, prompt, fact, filter, template, or hierarchy used to
define a report, the report execution fails.

If the user does not have access to a metric used to define a report,
the report execution continues, but the metric is not displayed in the
report for that user.

This enhancement allows a finer level of access control when
executing reports. The same report can be deployed to many users
who experience different results depending on their respective
permissions on metrics.
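The following added example (not part of the guide and not MicroStrategy code) models the execution rules above so that one report can be evaluated against several users. The report, object names and users are constructed, and "access" is assumed to mean holding Execute permission on the object.

```python
# Added illustration: models the execution rules described above.
# It is not MicroStrategy code; all object names and data are constructed.

# Object types whose Execute permission is checked when a report runs.
CHECKED_TYPES = {
    "attribute", "custom group", "consolidation", "prompt", "metric",
    "fact", "filter", "template", "hierarchy",
}
# Object types on which permissions are not checked.
UNCHECKED_TYPES = {"transformation", "function"}


def evaluate_execution(report, executable):
    """Decide the outcome of one user running one report.

    report     -- {"name": str, "objects": [(type, name), ...]}
    executable -- names of objects on which the user holds Execute
                  (assumption: "access" means Execute permission)
    Returns a dict with keys "runs", "blocked_by" and "hidden_metrics".
    """
    blocked, hidden = [], []
    if report["name"] not in executable:
        blocked.append(("report", report["name"]))
    for obj_type, name in report["objects"]:
        if obj_type in UNCHECKED_TYPES:
            continue                      # never checked
        if obj_type not in CHECKED_TYPES:
            raise ValueError(f"unknown object type: {obj_type!r}")
        if name in executable:
            continue
        if obj_type == "metric":
            hidden.append(name)           # execution continues without it
        else:
            blocked.append((obj_type, name))  # execution fails
    return {
        "runs": not blocked,
        "blocked_by": blocked,
        "hidden_metrics": hidden if not blocked else [],
    }


def deployment_matrix(report, users):
    """Evaluate the same report for several users: {user: outcome}."""
    return {user: evaluate_execution(report, perms)
            for user, perms in users.items()}


# Constructed sample: one report deployed to three users.
REPORT = {
    "name": "Regional Revenue",
    "objects": [
        ("attribute", "Region"),
        ("filter", "Current Year"),
        ("metric", "Revenue"),
        ("metric", "Profit Margin"),
        ("function", "Sum"),
    ],
}
USERS = {
    "exec": {"Regional Revenue", "Region", "Current Year",
             "Revenue", "Profit Margin"},
    "analyst": {"Regional Revenue", "Region", "Current Year", "Revenue"},
    "contractor": {"Regional Revenue", "Current Year",
                   "Revenue", "Profit Margin"},
}

if __name__ == "__main__":
    for user, outcome in deployment_matrix(REPORT, USERS).items():
        print(user, outcome)
```

A review of this kind shows which metrics silently disappear for a given audience before the report is deployed to it.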

ACLs and Personalized Drill Paths in MicroStrategy Web

You can control what attribute drill paths users see on reports. You
can determine whether users can see all drill paths for an attribute, or
only those to which they have access. You determine this access
using the Enable Web personalized drill paths check box in the
Project Configuration Editor, Project Definition: Drilling category. (In
Developer, right-click a project and select Project Configuration.)

With the Enable Web personalized drill paths check box cleared
(and thus, XML caching enabled), the attributes to which all users in
MicroStrategy Web can drill are stored in a report's XML cache. In this
case, users see all attribute drill paths whether they have access to
them or not. When a user selects an attribute drill path, Intelligence
Server then checks whether the user has access to the attribute. If the
user does not have access (for example, because of Access Control
Lists), the drill is not performed and the user sees an error message.

Alternatively, if you select the Enable Web personalized drill paths
check box, at the time the report results are created (not at drill time),
Intelligence Server checks which attributes the user may access and
creates the report XML with only the allowed attributes. This way, the
users only see their available drill paths, and they cannot attempt a
drill action that is not allowed. With this option enabled, you may see
performance degradation on Intelligence Server. This is because it
must create XML for each report/user combination rather than using
XML that was cached.

For more information about XML caching, see Types of Result
Caches, page 864.

Controlling Access to Functionality: Privileges

As discussed earlier in this section, there are different types of users
and groups in the user community. It is your responsibility as a
system administrator to assign privileges to users and groups. They
give you full control over the user experience.

Privileges give users access to specific MicroStrategy functionality.
For example, the Create Metric privilege allows the user to use the
Metric Editor to create a new metric, and the Monitor Caches privilege
allows the user to view cache information in the Cache Monitor.

There is a special privilege called Bypass All Object Security Access
Checks. Users with this privilege can ignore the access control
permissions and are considered to have full control over all objects. For
information about permissions, see Controlling Access to Objects:
Permissions, page 95.

Based on their different privileges, the users and user groups can
perform different types of operations in the MicroStrategy system. If a
user does not have a certain privilege, that user does not have access
to that privilege's functionality. You can see which users are using
certain privileges by using License Manager (see Using License
Manager, page 375).

Most privileges may be granted within a specific project or across all
projects. Certain administrative privileges, such as Configure Group
Membership, do not apply to specific projects and can only be granted
at the project source level.

For a complete list of privileges and what they control in the system,
see the List of Privileges section.

Assigning Privileges to Users and Groups

Privileges can be assigned to users and user groups directly or
through security roles. The difference is that the former grants
functionality across all projects while the latter applies only within a
specified project (see Defining Sets of Privileges: Security Roles,
page 113).

To Assign Privileges to Users or Groups

1. From Developer User Manager, edit the user with the User Editor
   or edit the group with the Group Editor.

2. Expand User Definition or Group Definition, and then select
   Project Access.

3. Select the check boxes to grant privileges to the user or group.

Rather than assigning individual users and groups these privileges, it
may be easier for you to create Security Roles (collections of
privileges) and assign them to users and groups. Then you can
assign additional privileges individually when there are exceptions.
For more information about security roles, see Defining Sets of
Privileges: Security Roles, page 113.

Assigning Privileges to Multiple Users at Once

You can grant, revoke, and replace the existing privileges of users,
user groups, or security roles with the Find and Replace Privileges
dialog box. This dialog box allows you to search for the user, user
group, or security role and change their privileges, depending on the
tasks required for their work.

For example, your organization is upgrading Flash on all users'
machines. Until the time the Flash update is completed, the users will
not be able to export reports to Flash. You can use Find and Replace
Privileges to revoke the Export to Flash privilege assigned to users,
and when the upgrade is complete you can grant the privilege to the
users again.

To access the Find and Replace Privileges dialog box, in Developer,
right-click the User Manager and select Find and Replace
Privileges.

How are Privileges Inherited?

A user's privileges within a given project include the following:

• Privileges assigned directly to the user (see Assigning Privileges to
  Users and Groups, page 110)

• Privileges assigned to any groups of which the user is a member
  (see About MicroStrategy User Groups, page 88)

  Groups also inherit privileges from their parent groups.

• Privileges assigned to any security roles that are assigned to the
  user within the project (see Defining Sets of Privileges: Security
  Roles, page 113)

• Privileges assigned to any security roles that are assigned to a
  group of which the user is a member
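The four sources listed above can be combined into an effective-privilege audit, as in this added example (not part of the guide and not a MicroStrategy API). The users, groups, role names and projects are constructed; the privilege names are ones this guide mentions.

```python
# Added illustration of the inheritance rules listed above. It models users,
# groups and security roles in plain Python; it is not a MicroStrategy API.
from collections import defaultdict


class Directory:
    def __init__(self):
        self.direct = defaultdict(set)       # user or group -> privileges granted directly
        self.parents = defaultdict(set)      # user or group -> groups it is a member of
        self.role_privileges = {}            # security role -> privileges in the role
        self.role_grants = defaultdict(set)  # (user or group, project) -> security roles

    def groups_of(self, principal):
        """Every group the principal belongs to, directly or via parent groups."""
        seen, stack = set(), list(self.parents.get(principal, ()))
        while stack:
            group = stack.pop()
            if group not in seen:      # also guards against membership cycles
                seen.add(group)
                stack.extend(self.parents.get(group, ()))
        return seen

    def effective(self, user, project):
        """Return {privilege: set of sources} for the user within one project."""
        sources = defaultdict(set)
        for principal in {user} | self.groups_of(user):
            how = "direct" if principal == user else f"group {principal}"
            # Privileges granted directly to the user or to one of its groups.
            for privilege in self.direct.get(principal, ()):
                sources[privilege].add(how)
            # Security roles are scoped to the project they were assigned in.
            for role in self.role_grants.get((principal, project), ()):
                for privilege in self.role_privileges[role]:
                    sources[privilege].add(f"role {role} ({how})")
        return dict(sources)


def holders(directory, users, projects, privilege):
    """List (user, project, sorted sources) for everyone holding a privilege."""
    found = []
    for user in sorted(users):
        for project in sorted(projects):
            sources = directory.effective(user, project).get(privilege)
            if sources:
                found.append((user, project, sorted(sources)))
    return found


def sample_directory():
    """Constructed data; privilege names are ones this guide mentions."""
    d = Directory()
    d.parents["alice"] = {"Finance Leads"}
    d.parents["bob"] = {"Finance"}
    d.parents["Finance Leads"] = {"Finance"}          # parent group
    d.direct["alice"] = {"Monitor Caches"}
    d.direct["Finance"] = {"Export to Flash"}
    d.role_privileges["Metric Authors"] = {"Create Metric"}
    d.role_privileges["Emergency Access"] = {
        "Bypass All Object Security Access Checks"}
    d.role_grants[("Finance", "Sales")] = {"Metric Authors"}
    d.role_grants[("Finance Leads", "Development")] = {"Emergency Access"}
    return d


BYPASS = "Bypass All Object Security Access Checks"

if __name__ == "__main__":
    d = sample_directory()
    for row in holders(d, {"alice", "bob"}, {"Sales", "Development"}, BYPASS):
        print(row)
```

Recording the source of each privilege shows which group membership or role assignment has to change to remove it.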

Predefined User Groups and Privileges

MicroStrategy comes with several predefined user groups. For a
complete list and explanation of these groups, see About
MicroStrategy User Groups, page 88. These groups possess the
following privileges:

• Everyone, Public/Guest, 3rd Party Users, LDAP Public/Guest, and
  LDAP Users have no predefined privileges.

• The predefined product-based user groups possess all the
  privileges associated with their corresponding products. For a list of
  these groups, see About MicroStrategy User Groups, page 88.

  International Users is a member of the following product-based
  groups: Analyst, Mobile User, Web Reporter, and Web Analyst. It has
  the privileges associated with these groups.

• System Monitors and its member groups have privileges based on
  their expected roles in the company. To see the privileges assigned
  to each group, right-click the group and select Grant Access to
  Projects.

How Predefined User Groups Inherit Privileges

Several of the predefined user groups form hierarchies, which allow
groups to inherit privileges from any groups at a higher level within
the hierarchy. These hierarchies are as follows:

In the case of the MicroStrategy Web user groups, the Web Analyst
inherits the privileges of the Web Reporter. The Web Professional
inherits the privileges of both the Web Analyst and Web Reporter. The
Web Professional user group has the complete set of MicroStrategy
Web privileges.

• Web Reporter

  • Web Analyst

    • Web Professional

In the case of the MicroStrategy Developer user groups, the
Developer inherits the privileges of the Analyst and therefore has
more privileges than the Analysts.

• Analyst

  • Developer

The various System Monitors user groups inherit the privileges of the
System Monitors user group and therefore have more privileges than
the System Monitors. In addition, each has its own specific set of
privileges that are not shared by the other System Monitors groups.

• System Monitors

  • various System Monitors groups

This group inherits the privileges of the Analyst, Mobile User, Web
Reporter, and Web Analyst groups.

• International Users

Defining Sets of Privileges: Security Roles

A security role is a collection of project-level privileges that are
assigned to users and groups. For example, you might have two types
of users with different functionality needs: the Executive Users who
need to run, sort, and print reports, and the Business Analysts who
need additional capabilities to drill and change subtotal definitions. In
this case, you can create two security roles to suit these two different
types of users.

Security roles exist at the project source level, and can be used in
any project registered with Intelligence Server. A user can have
different security roles in each project. For example, an administrator
for the development project may have a Project Administrator security
role in that project, but the Normal User security role in all other
projects on that server.

A security role is fundamentally different from a user group in the
following ways:

• A group is a collection of users that can be assigned privileges (or
  security roles) all at once, for the project source and all projects in
  it.

• A security role is a collection of privileges in a project. Those
  privileges are assigned as a set to various users or groups, on a
  project-by-project basis.

For information about how privileges are inherited from security roles
and groups, see Controlling Access to Functionality: Privileges, page
109.

Managing Security Roles

The Security Role Manager lists all the security roles available in a
project source. From this manager you can assign or revoke security
roles for users in projects, or create or delete security roles. For
additional methods of managing security roles, see Other Ways of
Managing Security Roles, page 116.

To Assign a Security Role to Users or Groups in a Project

1. In Developer, log in to the project source containing the security
   role.

2. Expand Administration, then Configuration Managers, and
   then select Security Roles.

3. Double-click the security role you want to assign to the user or
   group.

4. Select the Members tab.

5. From the Select a Project drop-down list, select the project for
   which to assign the security role.

6. From the drop-down list of groups, select the group containing a
   user or group you want to assign the security role to. The users
   or groups that are members of that group are shown in the list
   box below the drop-down list.

   • By default, users are not shown in this list box. To view the users
     as well as the groups, select the Show users check box.

   • To assign a top-level group to a security role, from the drop-
     down list select All Groups.

7. Select a desired user or group.

8. Click the > icon. The user or group moves to the Selected
   members list. You can assign multiple users or groups to the
   security role by selecting them and clicking the > icon.

9. When you are finished assigning the security role, click OK.

To Create a Security Role

1. In Developer, log in to the project source you want to create the
   security role in.

2. Expand Administration, go to Configuration Managers >
   Security Roles.

3. From the File menu, point to New, and select Security Role.

4. Enter a name and description for the new security role.

5. Select the Privileges tab.

6. Select the privileges to add to this security role. For an
   explanation of each privilege, see the List of Privileges section.

   To select all privileges in a privilege group, select the group.

7. To assign the role to users, select the Members tab and follow
   the instructions in To Assign a Security Role to Users or Groups
   in a Project, page 114.

8. Click OK.

To Delete a Security Role

1. In Developer, log in to the project source you want to remove the
   security role from.

2. Expand Administration, then Configuration Managers, and
   then select Security Roles.

3. Click the security role that you want to remove.

4. From the File menu select Delete.

5. Click Yes.

Other Ways of Managing Security Roles

You can also assign security roles to a user or group in the User
Editor or Group Editor. From the Project Access category of the
editor, you can specify what security roles that user or group has for
each project.

You can assign roles to multiple users and groups in a project
through the Project Configuration dialog box. The Project Access -
General category displays which users and groups have which
security roles in the project, and allows you to re-assign the security
roles.

You can also use Command Manager to manage security roles.
Command Manager is a script-based administrative tool that helps
you perform complex administrative actions quickly. For specific
syntax for security role management statements in Command
Manager, see Security Role Management in the Command Manager
online help (from Command Manager, press F1, or select the Help
menu). For general information about Command Manager, see
Chapter 15, Automating Administrative Tasks with Command
Manager.

If you are using UNIX, you must use Command Manager to manage your
system's security roles.

Controlling Access to a Project

You can deny user or group access to a specific MicroStrategy project
by using a security role.

To Deny User or Group Access to a Project

1. In Developer, right-click the project you want to deny access
   to. Select Project Configuration.

2. Expand the Project Access category.

3. In the Select a security role drop-down list, select the security
   role that contains the user or group to whom you want to deny
   project access.

4. On the right-hand side of the Project access - General dialog,
   select the user or group to whom you want to deny project access.
   Then click the left arrow to remove that user or group from the
   security role.

5. Using the right arrow, add any users to the security role for whom
   you want to grant project access. To see the users contained in
   each group, highlight the group and check the Show users
   check box.

6. Make sure the user or group whose access you want to deny does
   not appear in the Selected members pane on the right-hand side
   of the dialog. Then click OK.

7. In Developer, under the project source that contains the project
   you are restricting access to, expand Administration, then
   expand User Manager.

8. Click the group that contains the user to whom you want to
   deny project access. Then double-click the user in the
   right-hand side of Developer.

9. Expand User Definition, then select Project Access.

10. In the Security Role Selection row, under the project you want to
    restrict access to, review the Security Role Selection drop-down
    list. Make sure that no security role is associated with this
    project for this user.

11. Click OK.

When the user attempts to log in to the project, they receive the
message "No projects were returned by this project source."

The Role-Based Administration Model

Beginning with version 9.0, the MicroStrategy product suite comes
with a number of predefined security roles for administrators. These
roles make it easy to delegate administrative tasks.

For example, your company security policy may require you to keep
the user security administrator for your projects separate from the
project resource administrator. Rather than specifying the privileges
for each administrator individually, you can assign the Project
Security Administrator role to one administrator, and the Project
Resource Administrator to another. Because users can have different
security roles for each project, you can use the same security role for
different users in different projects to further delegate project
administration duties.

The predefined project administration roles cover every project-level
administrative privilege except for Bypass All Object Security Access
Checks. None of the roles have any privileges in common. For a list
of the privileges included with each predefined security role, see the
List of Privileges section.

The predefined administration security roles are:

• Analyst, who has authoring capabilities.

• Analytics Architect, who can create, publish, and optimize a
  federated data layer as the enterprise's single version of the truth.
  Users can build and maintain schema objects and abstraction
  layers on top of various, changing enterprise assets.

• Application Administrator, who has access to all application-
  specific tasks.

• Application Architect, who creates, shares, and maintains intelligence
  applications for the enterprise.

• Certifier, who can certify objects in addition to having authoring
  capabilities.

• Collaborator, who can view and collaborate on a dossier or
  document they have access to.

• Consumer, who can only view a dossier or document they have
  access to.

• Database Architect, who can optimize query performance and
  utilization based on query type, usage patterns, and application
  design requirements by tuning VLDB settings or configuring schema
  objects.

• Embedded Analytics Architect, who can inject, extend, and
  embed analytics into portals, third-party, mobile, and white-labelled
  applications.

• IntroBI, which is used for the MicroStrategy class "Introduction to
  Enterprise Business Intelligence."

• Mobile Architect, who builds, compiles, deploys, and maintains
  mobile environments and applications. This user can also optimize
  the end user experience when accessing applications via mobile
  devices.

• Northeast Users, which is used for the MicroStrategy class
  "Introduction to Enterprise Business Intelligence."

• Platform Administrator, who configures the Intelligence Server,
  maintains the security layer, monitors system usage, and optimizes
  architecture in order to reduce errors, maximize uptime, and boost
  performance.

• Power Users, which have the largest subset of privileges of any
  security role.

• Project Bulk Administrators, who can perform administrative
  functions on multiple objects with Object Manager (see Copying
  Objects Between Projects: Object Manager, page 417), Command
  Manager (see Chapter 15, Automating Administrative Tasks with
  Command Manager), and the Bulk Repository Translation Tool.

• Project Operations Administrators, who can perform maintenance
  on various aspects of a project.

• Project Operations Monitors, who can view the various
  Intelligence Server monitors but cannot make any changes to the
  monitored systems.

• Project Resource Settings Administrators, who can configure
  project-level settings.

• Project Security Administrators, who create users and manage
  user and object security.

• System Administrator, who sets up, maintains, monitors, and
  continuously supports the infrastructure environment through
  deployment on cloud, Windows, or Linux.

For instructions on how to assign these security roles to users or
groups, see Managing Security Roles, page 114.

Do not modify the privileges for an out-of-the-box security role. During
upgrades to newer versions of MicroStrategy, the privileges for the out-
of-the-box security roles are overwritten with the default privileges.
Instead, you should copy the security role you need to modify and make
changes to the copied version.

Controlling Access to Data

Access control governs the resources that an authenticated user is
able to read, modify, or write. Data is a major resource of interest in
any security scheme that determines what source data a user is
allowed to access. You may be more familiar with the terms
authentication (making sure the user is who they say they are) and
authorization (making sure they can access the data they are entitled
to see, now that the system knows who they are).

The ways by which data access can be controlled are discussed
below:

Controlling Access to the Database: Connection Mappings

Connection mappings allow you to assign a user or group in the
MicroStrategy system to a login ID on the data warehouse RDBMS.
The mappings are typically used to take advantage of one of several
RDBMS data security techniques (security views, split fact tables by
rows, split fact tables by columns) that you may have already created.
For details on these techniques, see Controlling Access to Data at the
Database (RDBMS) Level, page 147.

Why Use Connection Mappings?

Use a connection mapping if you need to differentiate MicroStrategy
users from each other at the data warehouse level or if you need to
direct them to separate data warehouses. This is explained in more
detail below.

First it is important to know that, as a default, all users in a
MicroStrategy project use the same database connection/DSN and
database login when connecting to the database. This means that all
users have the same security level at the data warehouse and
therefore, security views cannot be assigned to a specific
MicroStrategy user. In this default configuration, when the database
administrator (DBA) uses an RDBMS feature to view a list of users
connected to the data warehouse, all MicroStrategy users would
appear with the same name. For example, if forty users are signed on
to the MicroStrategy system and running jobs, the DBA sees a list of
forty users called "MSTR users" (or whatever name is specified in the
default database login). This is shown in the diagram below in which
all jobs running against the data warehouse use the "MSTR users"
database login.

Creating a Connection Mapping

You define connection mappings with the Project Configuration Editor
in Developer. To create a connection mapping, you assign a user or
group either a database connection or database login that is different
from the default. For information on this, see Connecting to the Data
Warehouse, page 23.

To Create a Connection Mapping

1. In Developer, log in to your project. You must log in as a user
   with administrative privileges.

2. Go to Administration > Projects > Project Configuration.

3. Expand the Database Instances category, and then select
   Connection Mapping.

4. Right-click in the grid and select New to create a new connection
   mapping.

5. Double-click the new connection mapping in each column to
   select the database instance, database connection, database
   login, and language.

6. Double-click the new connection mapping in the Users column.
   Click ... (the browse button).

7. Select the desired user or group and click OK. That user or
   group is now associated with the connection mapping.

8. Click OK.

Connection Mapping Example

One case in which you may want to use connection mappings is if you
have existing security views defined in the data warehouse and you
want to allow MicroStrategy users' jobs to execute on the data
warehouse using those specific login IDs. For example,

• The CEO can access all data (warehouse login ID = "CEO")

• All other users have limited access (warehouse login ID = "MSTR
  users")

In this case, you would need to create a user connection mapping
within MicroStrategy for the CEO. To do this:

• Create a new database login definition for the CEO in MicroStrategy
  so it matches their existing login ID on the data warehouse

• Create the new connection mapping in MicroStrategy to specify that
  the CEO user uses the new database login

This is shown in the diagram below in which the CEO connects as
CEO (using the new database login called "CEO") and all other users
use the default database login "MSTR users."

Both the CEO and all the other users use the same project, database
instance, database connection (and DSN), but the database login is
different for the CEO.

If we were to create a connection mapping in the MicroStrategy
Tutorial project according to this example, it would look like the
diagram below.

For information on creating a new database connection, see
Connecting to the Data Warehouse, page 23. For information on
creating a new database login, see Connecting to the Data
Warehouse, page 23.

Connection mappings can also be made for user groups and are not
limited to individual users. Continuing the example above, if you have
a Managers group within the MicroStrategy system that can access
most data in the data warehouse (warehouse login ID = "Managers"),
you could create another database login and then create another
connection mapping to assign it to the Managers user group.

Another case in which you may want to use connection mappings is if
you need to have users connect to two data warehouses using the
same project. In this case, both data warehouses must have the same
structure so that the project works with both. This may be applicable if
you have a data warehouse with domestic data and another with
foreign data and you want users to be directed to one or the other
based on the user group to which they belong when they log in to the
MicroStrategy system.

For example, if you have two user groups such that:

• "US users" connect to the U.S. data warehouse (data warehouse
  login ID "MSTR users")

• "Europe users" connect to the London data warehouse (data
  warehouse login ID "MSTR users")

In this case, you would need to create a user connection mapping
within MicroStrategy for both user groups. To do this, you would:

• Create two database connections in MicroStrategy—one to each
  data warehouse (this assumes that DSNs already exist for each
  data warehouse)

• Create two connection mappings in the MicroStrategy project that
  link the groups to the different data warehouses via the two new
  database connection definitions

This is shown in the diagram below.

The project, database instance, and database login can be the same, but
the connection mapping specifies different database connections (and
therefore, different DSNs) for the two groups.

Linking Database Users and MicroStrategy Users: Passthrough Execution

You can link a MicroStrategy user to an RDBMS login ID using the
User Editor (on the Authentication tab, specify the Warehouse Login
and Password) or using Command Manager. This link is required for
database warehouse authentication (see Implementing Database
Warehouse Authentication, page 336) but works for other
authentication modes as well.

You can configure each project to use either connection mappings
and/or the linked warehouse login ID when users execute reports,
documents, or browse attribute elements. If passthrough execution is
enabled, the project uses the linked warehouse login ID and
password as defined in the User Editor (Authentication tab). If no
warehouse login ID is linked to a user, Intelligence Server uses the
default connection and login ID for the project's database instance.

By default, warehouse passthrough execution is turned off, and the
system uses connection mappings. If no connection mapping is
defined for the user, Intelligence Server uses the default connection
and login ID for the project's database instance.

Why Use Passthrough Execution?

You may want to use passthrough execution for these reasons:

• RDBMS auditing: If you want to be able to track which users are
  accessing the RDBMS system down to the individual database
  query. Mapping multiple users to the same RDBMS account blurs
  the ability to track which users have issued which RDBMS queries.

• Teradata spool space: If you use the Teradata RDBMS, note that it
  has a limit for spool space set per account. If multiple users share
  the same RDBMS account, they are collectively limited by this
  setting.

• RDBMS security views: If you use security views, each user needs
  to log in to the RDBMS with a unique database login ID so that a
  database security view is enforced.
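The login selection described under Passthrough Execution, together with the auditing concern above, can be modelled as follows. This is an added example, not part of the guide and not MicroStrategy code: the users, the DSN name and the linked logins are constructed, and because the guide states no precedence between several applicable mappings, the model flags that case for review.

```python
# Added illustration of how the database login for a job is chosen, following
# the two modes described above. A model only, not MicroStrategy code; every
# user, DSN and the ambiguity handling are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Target:
    connection: str  # database connection (and therefore DSN)
    login: str       # database login seen by the RDBMS


@dataclass
class ProjectConfig:
    default: Target
    passthrough: bool = False                          # off by default
    linked_logins: dict = field(default_factory=dict)  # user -> warehouse login
    mappings: dict = field(default_factory=dict)       # user or group -> Target
    groups: dict = field(default_factory=dict)         # user -> set of groups


def resolve(user, cfg):
    """Return (Target, reason) for jobs the user runs in this project."""
    if cfg.passthrough:
        login = cfg.linked_logins.get(user)
        if login:
            return Target(cfg.default.connection, login), "linked warehouse login"
        return cfg.default, "default (no linked login)"
    principals = [user] + sorted(cfg.groups.get(user, ()))
    hits = {p: cfg.mappings[p] for p in principals if p in cfg.mappings}
    if len(set(hits.values())) > 1:
        # The guide does not state a precedence, so flag it instead of guessing.
        raise LookupError(f"{user}: conflicting mappings via {sorted(hits)}")
    if hits:
        return next(iter(hits.values())), "connection mapping"
    return cfg.default, "default (no connection mapping)"


def shared_logins(users, cfg):
    """Group users by the Target the RDBMS sees; keep Targets used by >1 user."""
    by_target = defaultdict(list)
    for user in sorted(users):
        target, _ = resolve(user, cfg)
        by_target[target].append(user)
    return {t: us for t, us in by_target.items() if len(us) > 1}


USERS = ["ceo", "ann", "bob", "carol", "dave"]  # constructed users


def sample_config(passthrough=False):
    """The CEO / Managers / "MSTR users" example, with constructed members."""
    return ProjectConfig(
        default=Target("WH_DSN", "MSTR users"),
        passthrough=passthrough,
        linked_logins={u: f"wh_{u}" for u in USERS if u != "dave"},
        mappings={"ceo": Target("WH_DSN", "CEO"),
                  "Managers": Target("WH_DSN", "Managers")},
        groups={"ann": {"Managers"}, "bob": {"Managers"}},
    )


if __name__ == "__main__":
    for mode in (False, True):
        print("passthrough =", mode, shared_logins(USERS, sample_config(mode)))
```

Any entry returned by `shared_logins` is a database account whose queries cannot be attributed to a single MicroStrategy user from the RDBMS side.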

En ab lin g Lin ked War eh o u se Lo gin s


You can confi gure l i nked w arehouse l ogi ns w i th the Proj ect
C onfi gurati on Edi tor i n D evel oper. To create a connecti on mappi ng,
you assi gn a user or group ei ther a database connecti on or database
l ogi n that i s di fferent from the defaul t. For i nformati on on thi s, see
C onnecti ng to the D ata Warehouse, page 23.


To Enable Linked Warehouse Logins

1. In Developer, log into your project. You must log in as a user
   with administrative privileges.

2. From the Administration menu, point to Projects, and select
   Project Configuration.

3. Expand the Database Instances category, expand
   Authentication, and then select Warehouse.

4. Select the Use warehouse pass-through credentials check
   box.

5. To use warehouse credentials for all database instances, select
   the For all database instances option.

6. To use warehouse credentials for specific database instances,
   select the For selected database instances option. Then select
   those database instances from the list below.

7. Click OK.

Restricting Access to Data: Security Filters


Security filters enable you to control what warehouse data users can
see when that data is accessed through MicroStrategy. A security
filter can be assigned to a user or group to narrow the result set when
they execute reports or browse elements. The security filter applies to
all reports and documents, and all attribute element requests,
submitted by a user.

For example, two regional managers can have two different security
filters assigned to them for their regions: one has a security filter
assigned to them that only shows the data from the Northeast region,
and the other has a security filter that only shows data from the
Southwest region. If these two regional managers run the same
report, they may see different report results.

Security filters serve a similar function to database-level techniques
such as database views and row level security. For information about
controlling data security at the data warehouse level, see Controlling
Access to Data at the Database (RDBMS) Level, page 147.

For more information about security filters, see the following:

• Security Filter Example, page 130

• How Security Filters Work, page 131

• Creating and Applying a Security Filter, page 132

• Security Filters and Metric Levels, page 134

• Using a Single Security Filter for Multiple Users: System Prompts,
  page 144

• Merging Security Filters, page 140

Security Filter Example

A user in the MicroStrategy Tutorial project has a security filter
defined as Subcategory=TV. When this user browses the Product
hierarchy beginning with the Category attribute, they only see the
Electronics category. Within the Electronics category, they see only
the TV subcategory. Within the TV subcategory, they see all Items
within that subcategory.

When this user executes a simple report with Category, Subcategory,
and Item in the rows, and Revenue in the columns, only the Items
from the TV Subcategory are returned, as shown in the example
below.

If this user executes another report with Category in the rows and
Revenue in the columns, only the Revenue from the TV Subcategory
is returned, as shown in the example below. The user cannot see any
data from attribute elements that are outside the security filter.

How Security Filters Work
Security filters are the same as regular filters except that they can
contain only attribute qualifications, custom expressions, and joint
element lists. Relationship filters and metric qualifications are not
allowed in a security filter. A security filter can include as many
expressions as you need, joined together by logical operators. For
more information on creating filters, see the Filters section in the
Basic Reporting Guide.

A security filter comes into play when a user is executing reports and
browsing elements. The qualification defined by the security filter is
used in the WHERE clause for any report that is related to the security
filter's attribute. By default, this is also true for element browsing:
when a user browses through a hierarchy to answer a prompt, they
only see the attribute elements that the security filter allows them to
see. For instructions on how to disable security filters for element
browsing, see To Disable Security Filters for Element Browsing, page
134.

Security filters are used as part of the cache key for report caching
and element caching. This means that users with different security
filters cannot access the same cached results, preserving data
security. For more information about caching, see Chapter 10,
Improving Response Time: Caching.

Each user or group can be directly assigned only one security filter
for a project. Users and groups can be assigned different security
filters for different projects. In cases where a user inherits one or
more security filters from any groups that they belong to, the security
filters may need to be merged. For information about how security
filters are merged, see Merging Security Filters, page 140.

Creating and Applying a Security Filter

You create and apply security filters in the Security Filter Manager.
Make sure you inform your users of any security filters assigned to
them or their group. If you do not inform them of their security filters,
they may not know that the data they see in their reports has been
filtered, which may cause misinterpretation of report results.

To create security filters, you must have the following privileges:

• Create Application Objects (under the Common Privileges privilege
  group)

• Use Report Filter Editor (under the Developer privilege group)

• Use Security Filter Manager (under the Administration privilege group)


To Create and Apply a Security Filter for a User or Group

1. In Developer, from the Administration menu, go to Projects >
   Security Filter Manager.

2. From the Choose a project drop-down list, select the project
   that you want to create a security filter for.

3. Select the Security Filters tab.

4. Select one:

   • To create a new security filter, click New. The Security Filter
     Editor opens.

   • OR, to convert an existing filter into a security filter, click
     Import. Browse to the filter you want to convert and click
     Open. Specify a name and location for the new security filter
     and click Save.

5. In the left side of the Security Filter Manager, in the Security
   Filters tab, browse to the security filter that you want to apply,
   and select that security filter.

6. In the right side of the Security Filter Manager, select Security
   Filters.

7. Browse to the user or group that you want to apply the security
   filter to, and select that user or group.

8. Click > to apply the selected security filter to the selected user or
   group.

9. Click OK.


To Disable Security Filters for Element Browsing

1. In Developer, log into a project. You must log in with a user
   account that has administrative privileges.

2. From the Administration menu, point to Projects, and then
   select Project Configuration.

3. Expand the Project Definition category, and then select
   Advanced.

4. Under Attribute element browsing, clear the Apply security
   filters to element browsing check box.

5. Click OK.

6. Restart Intelligence Server for your changes to take effect.

Security Filters and Metric Levels

In certain situations involving level metrics, users may be able to see
a limited amount of data from outside their security filter. Specifically,
if a metric is defined with absolute filtering on a level above that used
in the security filter's expression, the filter expression is raised to the
metric's level. For information about metric levels and filtering in
metrics, see the Metrics section in the Advanced Reporting Guide.

For example, consider a metric called Category Revenue that is
defined to return the revenue across all items in each category. Its
level expression is Target=Category, Filtering=Absolute. When a user
with a security filter Subcategory=TV executes a report with the
Category Revenue metric, the Category Revenue metric displays the
total revenue for the category. The user's security filter is effectively
changed to show the entire Category in which TV is a Subcategory.

This behavior can be modified by using the top range attribute and
bottom range attribute properties.

• A top range attribute specifies the highest level of detail in a given
  hierarchy that the security filter allows the user to view. If a top
  range attribute is specified, the security filter expression is not
  raised to any level above the top range.

• A bottom range attribute specifies the lowest level of detail in a
  given hierarchy that the security filter allows the user to view. If this
  is not specified, the security filter can view every level lower than
  the specified top range attribute, as long as it is within the
  qualification defined by the filter expression.

The top and bottom range attributes can be set to the same level.

For instructions on how to assign range attributes to security filters,
see Assigning a Top or Bottom Range Attribute to a Security Filter,
page 138.

The examples below use a report with Category, Subcategory, and
Item on the rows, and three metrics in the columns:

• Revenue

• Subcategory Revenue, which is defined with absolute filtering to
  the Subcategory level

• Category Revenue, which is defined with absolute filtering to the
  Category level

The user executing this report has a security filter that restricts the
Subcategory to the TV element.

No Top or Bottom Range Attribute

If no top or bottom range attribute is specified, then at the level of the
security filter (Subcategory) and below, the user cannot see data
outside their security filter. Above the level of the security filter, the
user can see data outside the security filter if it is in a metric with
absolute filtering for that level. Even in this case, the user sees only
data for the Category in which their security filter is defined.

In the example report below, the user's security filter does not specify
a top or bottom range attribute. Item-level detail is displayed for only
the items within the TV category. The Subcategory Revenue is
displayed for all items within the TV subcategory. The Category
Revenue is displayed for all items in the Category, including items
that are not part of the TV subcategory. However, only the Electronics
category is displayed. This illustrates how the security filter
Subcategory=TV is raised to the category level such that
Category=Electronics is the filter used with Category Revenue.

Top Range Attribute: Subcategory

If a top range attribute is specified, then the user cannot see any data
outside of their security filter. This is true even at levels above the
top level, regardless of whether metrics with absolute filtering are
used.

In the example report below, the user's security filter specifies a top
range attribute of Subcategory. Here, the Category Revenue is
displayed for only the items within the TV subcategory. The security
filter Subcategory=TV is not raised to the Category level, because
Category is above the specified top level of Subcategory.

Bottom Range Attribute: Subcategory

If a bottom range attribute is specified, the user cannot see data
aggregated at a lower level than the bottom level.

In the example report below, the user's security filter specifies a
bottom range attribute of Subcategory. Item-level detail is not
displayed, because Item is a level below the bottom level of
Subcategory. Instead, data for the entire Subcategory is shown for
each item. Data at the Subcategory level is essentially the lowest
level of granularity the user is allowed to see.
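The three cases above (no range attribute, top range, bottom range) can be reproduced with a small model. This is an added example, not MicroStrategy code or part of the guide; the sample rows, revenue figures and function names are constructed, and the model covers only the single Product hierarchy used in the examples.

```python
# Added illustration: a simplified model of the behaviour described above,
# not MicroStrategy code. Sample rows and revenue figures are constructed.

LEVELS = ["Category", "Subcategory", "Item"]  # highest level first

# (Category, Subcategory, Item, revenue)
ROWS = [
    ("Electronics", "TV", "TV A", 100),
    ("Electronics", "TV", "TV B", 200),
    ("Electronics", "Audio", "Speaker", 50),
    ("Movies", "Drama", "Film", 70),
]

# Metric name -> level it aggregates at. Revenue uses the report level (Item);
# the other two are defined with absolute filtering at the named level.
METRICS = {
    "Revenue": "Item",
    "Subcategory Revenue": "Subcategory",
    "Category Revenue": "Category",
}


def depth(attribute):
    """Position of an attribute in the hierarchy (0 = highest level)."""
    return LEVELS.index(attribute)


def run_report(filter_attr, filter_elem, top=None, bottom=None):
    """Return {item: {metric: value}} for a user whose security filter is
    filter_attr = filter_elem, with optional top/bottom range attributes."""
    allowed = [r for r in ROWS if r[depth(filter_attr)] == filter_elem]
    report = {}
    for row in allowed:
        values = {}
        for name, level in METRICS.items():
            # Bottom range: nothing is aggregated below the bottom level.
            if bottom is not None and depth(level) > depth(bottom):
                level = bottom
            d = depth(level)
            # The filter is raised only for levels above the filter's own
            # attribute, and never to a level above the top range attribute.
            above_filter = d < depth(filter_attr)
            blocked_by_top = top is not None and d < depth(top)
            pool = ROWS if above_filter and not blocked_by_top else allowed
            # Aggregate over rows that share this row's path down to `level`.
            values[name] = sum(r[3] for r in pool if r[: d + 1] == row[: d + 1])
        report[row[2]] = values
    return report


if __name__ == "__main__":
    for label, kwargs in [
        ("no range", {}),
        ("top=Subcategory", {"top": "Subcategory"}),
        ("bottom=Subcategory", {"bottom": "Subcategory"}),
    ]:
        print(label, run_report("Subcategory", "TV", **kwargs))
```

With no range attribute, Category Revenue includes the constructed Audio row, which is outside the user's Subcategory=TV filter; setting the top range to Subcategory removes it.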


Assigning a Top or Bottom Range Attribute to a Security Filter

You assign top and bottom range attributes to security filters in the
Security Filter Manager. You can assign range attributes to a security
filter for all users, or to the security filters per user.

You can assign the same attribute to a security filter as a top and
bottom range attribute. A security filter can have multiple top or
bottom range attributes as long as they are from different hierarchies.
You cannot assign multiple attributes from the same hierarchy to
either a top or bottom range. However, you can assign attributes from
the same hierarchy if one is a top range attribute and one is a bottom
range attribute. For example, you can assign Quarter (from the Time
hierarchy) and Subcategory (from the Products hierarchy) as top
range attributes, and Month (from the Time hierarchy) and
Subcategory as bottom range attributes.

To modify security filters, you must have the Use Security Filter Manager
privilege.


To Assign a Top or Bottom Range Attribute to a Security Filter

1. In Developer, from the Administration menu, point to Projects
   and then select Security Filter Manager.

2. From the Choose a project drop-down list, select the project
   that you want to modify security filters for.

3. Select the Attributes tab.

4. Browse to the attribute that you want to set as a top or bottom
   range attribute, and select that attribute.

5. To apply a top or bottom range attribute to a security filter for all
   users:

   • In the right side of the Security Filter Manager, select Security
     Filters.

   • Browse to the security filter that you want to apply the range
     attribute to.

   • Expand that security filter, and select either the Top range
     attributes or Bottom range attributes folder.

   • Click > to apply the selected attribute to the selected security
     filter.

6. To apply a top or bottom range attribute to a security filter for a
   single user or group:

   • In the right side of the Security Filter Manager, select
     Groups/Users.

   • Browse to the user or group that you want to apply the range
     attribute to.

   • Expand that user or group and select the security filter that you
     want to apply the range attribute to.

   • Expand that security filter, and select either the Top range
     attributes or Bottom range attributes folder.

   • Click > to apply the selected attribute to the selected security
     filter for the selected user or group.

7. Click OK.

Merging Security Filters

A user can be assigned a security filter directly, and can inherit a
security filter from any groups that they belong to. Because of this,
multiple security filters may need to be merged when executing
reports or browsing elements.

MicroStrategy supports the following methods of merging security
filters:

• Merging Related Security Filters with OR and Unrelated Security
  Filters with AND, page 141 (This is the default method for merging
  security filters)

• Merging All Security Filters with AND, page 142

For the examples in these sections, consider a project with the
following user groups and associated security filters:

Group         Security Filter           Hierarchy
Electronics   Category = Electronics    Product
Drama         Subcategory = Drama       Product
Movies        Category = Movies         Product
Northeast     Region = Northeast        Geography

You control how security filters are merged at the project level. You
can change the merge settings in the Project Configuration Editor for
the selected project, in the Security Filter category. After making any
changes to the security filter settings, you must restart Intelligence
Server for those changes to take effect.

Changing how security filters are merged does not automatically
invalidate any result caches created for users who have multiple
security filters. MicroStrategy recommends that you invalidate all result
caches in a project after changing how security filters are merged for
that project. For instructions on how to invalidate all result caches in a
project, see Managing Result Caches, page 878.

Merging Related Security Filters with OR and Unrelated Security Filters with AND

By default, security filters are merged with an OR if they are related,
and with an AND if they are not related. That is, if two security filters
are related, the user can see all data available from either security
filter. However, if the security filters are not related, the user can see
only the data available in both security filters.

Two security filters are considered related if the attributes that they
derive from belong in the same hierarchy, such as Country and
Region, or Year and Month. In the example security filters given
above, the Electronics, TV, and Movies security filters are all related,
and the Northeast security filter is not related to any of the others.

Using this merge method, a user who is a member of both the
Electronics and Drama groups can see data from the Electronics
category and the Drama subcategory, as shown below:

A user who is a member of both the Movies and Drama groups can
see data from all subcategories in the Movies category, not just the
Drama subcategory. A user who is a member of both the Electronics
and Drama categories can see data from both categories.

If a user who is a member of the Movies and Northeast groups
executes a report with Region, Category, and Subcategory in the
rows, only data from the Movies category in the Northeast region is
shown, as seen below:

Data for the Movies category from outside the Northeast region is not
available to this user, nor is data for the Northeast region for other
categories.

Merging All Security Filters with AND

You can also configure Intelligence Server to always merge security
filters with an AND, regardless of whether they are related.

As in the first method, a user who is a member of both the Movies and
Northeast groups would see only information about the Movies
category in the Northeast region.

A user who is a member of both the Movies and Drama groups would
see only data from the Drama subcategory of Movies, as shown
below:

Data for the other subcategories of Drama is not available to this
user.

This setting may cause problems if a user is a member of two
mutually exclusive groups. For example, a user who is a member of
both the Movies and Electronics groups cannot see any data from the
Product hierarchy, because that hierarchy does not contain any data
that belongs to both the Movies and Electronics categories.
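The two merge methods can be compared side by side with a small model built on the group table above. This is an added example, not MicroStrategy code or part of the guide; the warehouse rows and the function and option names (visible_rows, "or_related", "and_all") are constructed for illustration.

```python
# Added illustration: a simplified model of the two merge methods,
# not MicroStrategy code. The sample warehouse rows are constructed.

# (Region, Category, Subcategory)
ROWS = [
    ("Northeast", "Electronics", "TV"),
    ("Northeast", "Movies", "Drama"),
    ("Northeast", "Movies", "Comedy"),
    ("Southwest", "Electronics", "TV"),
    ("Southwest", "Movies", "Drama"),
    ("Southwest", "Movies", "Comedy"),
]
COLUMNS = {"Region": 0, "Category": 1, "Subcategory": 2}

# Group -> (attribute, element, hierarchy), taken from the table above.
GROUP_FILTERS = {
    "Electronics": ("Category", "Electronics", "Product"),
    "Drama": ("Subcategory", "Drama", "Product"),
    "Movies": ("Category", "Movies", "Product"),
    "Northeast": ("Region", "Northeast", "Geography"),
}


def matches(row, security_filter):
    """True if the row satisfies a single attribute = element filter."""
    attribute, element, _hierarchy = security_filter
    return row[COLUMNS[attribute]] == element


def visible_rows(groups, merge="or_related"):
    """Rows a member of `groups` can see under the chosen merge method.

    merge="or_related": OR filters from the same hierarchy, AND across
                        hierarchies (the default method).
    merge="and_all":    AND every inherited filter.
    """
    filters = [GROUP_FILTERS[g] for g in groups]
    if merge == "and_all":
        return [r for r in ROWS if all(matches(r, f) for f in filters)]
    if merge != "or_related":
        raise ValueError(f"unknown merge method: {merge}")
    # Filters are related when their attributes share a hierarchy.
    by_hierarchy = {}
    for f in filters:
        by_hierarchy.setdefault(f[2], []).append(f)
    return [
        r for r in ROWS
        if all(any(matches(r, f) for f in related)
               for related in by_hierarchy.values())
    ]


if __name__ == "__main__":
    for groups in (["Electronics", "Drama"], ["Movies", "Drama"],
                   ["Movies", "Northeast"], ["Movies", "Electronics"]):
        for merge in ("or_related", "and_all"):
            print(groups, merge, visible_rows(groups, merge))
```

Running it for a user's actual group memberships before switching the project setting shows which users would lose all data under the AND-only method, as in the Movies and Electronics case.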

To configure how security filters are merged, you must have the Configure
Project Basic privilege.

To Configure how Intelligence Server Merges Multiple Security Filters for a User or Group

1. In Developer, log into a project. You must log in as a user with
   administrative privileges.

2. From the Administration menu, point to Projects, and then
   select Project Configuration.

3. Expand the Security Filter category, and then select General.

4. Under Security Filter Merge Options, select one of the options:

   • Union (OR) Security Filters on related attributes, intersect
     (AND) Security Filters on unrelated attributes (see Merging
     Related Security Filters with OR and Unrelated Security Filters
     with AND, page 141)

   • Intersect (AND) all Security Filters (see Merging All Security
     Filters with AND, page 142)

5. Click OK.

6. Restart Intelligence Server for your changes to take effect.

Using a Single Security Filter for Multiple Users: System Prompts

A system prompt is a special type of prompt that does not require an
answer from the user. Instead, it is answered automatically by
Intelligence Server. System prompts are in the Public
Objects/Prompts/System Prompts folder in Developer.

• Like other prompt objects, answers to system prompts are used to
  match caches. Therefore, users do not share caches for reports that
  contain different answers to system prompts.

• The system prompts Token 1, Token 2, Token 3, and Token 4 are
  provided to support using an XQuery source to authenticate users for
  a MicroStrategy project. For steps to report on and authenticate using
  XQuery sources, see the Advanced Reporting Guide.

The User Login prompt is a system prompt that is automatically
answered with the login name of the user who executes the object
containing the prompt. It can provide flexibility when implementing
security mechanisms in MicroStrategy. You can use this prompt to
insert the user's login name into any security filter, or any other object
that can use a prompt.

If you are using LDAP authentication in your MicroStrategy system,
you can import LDAP attributes into your system as system prompts.
You can then use these system prompts in security filters, in the same
way that you use the User Login system prompt, as described above.
For instructions on how to import LDAP attributes as system prompts,
see Managing LDAP Authentication, page 202.

For examples of how to use system prompts in security filters, see:

• Simplifying the Security Filter Definition Process, page 145

• Implementing a Report-Level Security Filter, page 146

• Using Database Tables That Contain Security Information, page
  146

To Create a Security Filter Using a System Prompt

1. In Developer, from the Administration menu, point to Projects
   and then select Security Filter Manager.

2. From the Choose a project drop-down list, select the project
   that you want to create a security filter for.

3. Select the Security Filters tab.

4. Click New.

5. Double-click on the text Double-click here to add a
   qualification.

6. Select Add an advanced qualification and click OK.

7. From the Option drop-down list, select Custom Expression.

8. Type your custom expression in the Custom Expression area.
   You can drag and drop a system prompt or other object to
   include it in the custom expression. For detailed instructions on
   creating custom expressions in filters, see the Filters section of
   the Advanced Reporting Guide.

9. When you have finished typing your custom expression, click
   Validate to make sure that its syntax is correct.

10. Click Save and close. Type a name for the security filter and
    click Save.

Simplifying the Security Filter Definition Process

You can use a system prompt to apply a single security filter to all
users in a group. For example, you can create a security filter using
the formula User@ID=?[User Login] that displays information
only for the element of the User attribute that matches the user's
login.

For a more complex example, you can restrict Managers so that they
can only view data on the employees that they supervise. Add the
User Login prompt to a security filter in the form Manager=?[User
Login]. Then assign the security filter to the Managers group. When
a manager named John Smith executes a report, the security filter
generates SQL for the condition Manager='John Smith' and only
John Smith's employees' data is returned.

Implementing a Report-Level Security Filter

You can also use the User Login system prompt to implement security
filter functionality at the report level, by defining a report filter with a
system prompt. For example, you can define a report filter with the
User Login prompt in the form Manager=?[User Login]. Any
reports that use this filter return data only to those users who are
listed as Managers in the system.

Using Database Tables That Contain Security Information

If your organization maintains security information in database tables,
you can use a system prompt to build MicroStrategy security
mechanisms using the database security tables. For example, you can
restrict the data returned based on a user's login by creating a report
filter that accesses columns in your security tables and includes the
User Login system prompt. You can also restrict data access based
on two or more unrelated attributes by using logical views (database
views) and the User Login system prompt in a security filter.
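The following added example, which is not from the guide or from MicroStrategy, shows the security-table pattern at the SQL level using Python's sqlite3 module: a login-to-bank mapping table is joined to a fact table, and the login (the value a User Login prompt would supply) is passed as a bound parameter. The table and column names, the logins and the mapping rows are hypothetical; the fact rows reuse the Member Bank sample data from the guide's section on splitting fact tables by rows.

```python
# Added illustration: security-table filtering with the login as a bound
# parameter. Table names, logins and mappings are hypothetical.
import sqlite3

FACT_ROWS = [
    # customer_id, address, member_bank, transaction_amount, current_balance
    (123456, "12 Elm St.", "1st National", 400.80, 40450.00),
    (945940, "888 Oak St.", "Eastern Credit", 150.00, 60010.70),
    (908974, "45 Crest Dr.", "People's Bank", 3000.00, 100009.00),
    (886580, "907 Grove Rd.", "1st National", 76.35, 10333.45),
    (562055, "1 Ocean Blvd.", "Eastern Credit", 888.50, 1000.00),
]

# Constructed security table: which login may see which bank's customers.
SECURITY_ROWS = [
    ("jsmith", "1st National"),
    ("alee", "Eastern Credit"),
    ("alee", "People's Bank"),
]

# The login is the only per-user input; everything else is shared by all users.
FILTERED_QUERY = """
SELECT f.customer_id, f.member_bank, f.current_balance
FROM fact_account AS f
JOIN user_bank_security AS s ON s.member_bank = f.member_bank
WHERE s.login = ?
ORDER BY f.customer_id
"""


def build_db():
    """Create an in-memory database with the fact and security tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE fact_account (
            customer_id INTEGER PRIMARY KEY,
            customer_address TEXT,
            member_bank TEXT,
            transaction_amount REAL,
            current_balance REAL
        );
        CREATE TABLE user_bank_security (
            login TEXT NOT NULL,
            member_bank TEXT NOT NULL,
            PRIMARY KEY (login, member_bank)
        );
    """)
    con.executemany("INSERT INTO fact_account VALUES (?, ?, ?, ?, ?)", FACT_ROWS)
    con.executemany("INSERT INTO user_bank_security VALUES (?, ?)", SECURITY_ROWS)
    return con


def rows_for_login(con, login):
    """Rows visible to `login`. A login with no security rows sees nothing,
    so an unmapped or malformed login fails closed."""
    return con.execute(FILTERED_QUERY, (login,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for user in ("jsmith", "alee", "unknown"):
        print(user, rows_for_login(db, user))
```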


Controlling Access to Data at the Database (RDBMS) Level
Database servers have their own security architectures that provide
authentication, access control, and auditing. As mentioned above,
you may choose to use these RDBMS techniques to manage access
to data, or you may choose to use mechanisms in the MicroStrategy
application layer to manage access to data, or you may use a
combination of the two. They are not mutually exclusive. One
advantage of using the database-level security mechanisms to secure
data is that all applications accessing the database benefit from those
security measures. If only MicroStrategy mechanisms are used, then
only those users accessing the MicroStrategy application benefit from
those security measures. If other applications access the database
without going through the MicroStrategy system, the security
mechanisms are not in place.

Security Views
Most databases provide a way to restrict access to data. For example,
a user may be able to access only certain tables, or they may be
restricted to certain rows and columns within a table. The subset of
data available to a user is called the user's security view.

Security views are often used when splitting fact tables by columns
and splitting fact tables by rows (discussed below) cannot be used.
The rules that determine which rows each user is allowed to see
typically vary so much that users cannot be separated into a
manageable number of groups. In the extreme, each user is allowed
to see a different set of rows.

Note that restrictions on tables, or rows and columns within tables,
may not be directly evident to a user. However, they do affect the
values displayed in a report. You need to inform users as to which
data they can access so that they do not inadvertently run a report
that yields misleading final results. For example, if a user has access
to only half of the sales information in the data warehouse but runs a
summary report on all sales, the summary reflects only half of the
sales. Reports do not indicate the database security view used to
generate the report.

Consult your database vendor's product documentation to learn how
to create security views for your database.

Splitting Fact Tables by Rows

You can split fact tables by rows to separate a logical data set into
multiple physical tables based on values in the rows (this is also
known as table partitioning). The resultant tables are physically
distinct tables in the data warehouse, and security administration is
simple because permissions are granted to entire tables rather than to
rows and columns.

If the data to be secured can be separated by rows, then this may be a
useful technique. For example, suppose a fact table contains the key
Customer ID, Address, Member Bank and two fact columns, as shown
below:

Customer ID   Customer Address   Member Bank      Transaction Amount ($)   Current Balance ($)
123456        12 Elm St.         1st National     400.80                   40,450.00
945940        888 Oak St.        Eastern Credit   150.00                   60,010.70
908974        45 Crest Dr.       People's Bank    3,000.00                 100,009.00
886580        907 Grove Rd.      1st National     76.35                    10,333.45
562055        1 Ocean Blvd.      Eastern Credit   888.50                   1,000.00

You can split the table into separate tables (based on the value in
Member Bank), one for each bank: 1st National, Eastern Credit, and
so on. In this example, the table for 1st National bank would look like
this:

Customer ID   Customer Address   Member Bank      Transaction Amount ($)   Current Balance ($)
123456        12 Elm St.         1st National     400.80                   40,450.00
886580        907 Grove Rd.      1st National     76.35                    10,333.45

The table for Eastern Credit would look like this:

Customer ID   Customer Address   Member Bank      Transaction Amount ($)   Current Balance ($)
945940        888 Oak St.        Eastern Credit   150.00                   60,010.70
562055        1 Ocean Blvd.      Eastern Credit   888.50                   1,000.00

This makes it simple to grant permissions by table to managers or
account executives who should only be looking at customers for a
certain bank.

In most RDBMSs, split fact tables by rows are invisible to system
users. Although there are many physical tables, the system "sees"
one logical fact table.

Support for Split fact tables by rows for security reasons should not
be confused with the support that Intelligence Server provides for split
fact tables by rows for performance benefits. For more information
about partitioning, see the Advanced Reporting Guide.

Splitting Fact Tables by Columns

You can split fact tables by columns to separate a logical data set into multiple physical tables by columns. If the data to be secured can be separated by columns, then this may be a useful technique.

Each new table has the same primary key, but contains only a subset of the fact columns in the original fact table. Splitting fact tables by columns allows fact columns to be grouped based on user community. This makes security administration simple because permissions are granted to entire tables rather than to columns. For example, suppose a fact table contains the key labeled Customer ID and fact columns as follows:

| Customer ID | Customer Address | Member Bank | Transaction Amount ($) | Current Balance ($) |

You can split the table into two tables, one for the marketing department and one for the finance department. The marketing fact table would contain everything except the financial fact columns as follows:

| Customer ID | Customer Address | Member Bank |

The second table used by the financial department would contain only the financial fact columns but not the marketing-related information as follows:

| Customer ID | Transaction Amount ($) | Current Balance ($) |

Merging Users or Groups

Within a given project source, you may need to combine multiple users into one user definition or combine a user group into another user group. For example, if UserA is taking over the duties of UserB, you may want to combine the users by merging UserB's properties into UserA. The MicroStrategy User Merge Wizard merges multiple users or groups and their profiles into a single user or group, with a single profile.

Topics covered in this section include:

How Users and Groups are Merged

The User Merge Wizard combines users and their related objects, from a single project source. These objects include profile folders, group memberships, user privileges, security roles, and security filters, among others. Information from the user or group that is being merged is copied to the destination user or group. Then the user or group that is being merged is removed from the metadata and only the destination user or group remains.

For example, you want to merge UserB into UserA. In this case UserA is referred to as the destination user. In the wizard, this is shown in the image below:

When you open the User Merge Wizard and select a project source, the wizard locks that project configuration. Other users cannot change any configuration objects until you close the wizard. For more information about locking and unlocking projects, see Locking Projects, page 416.

You can also merge users in batches if you have a large number of users to merge. Merging in batches can significantly speed up the merge process. Batch-merging is an option in the User Merge Wizard. Click Help for details on setting this option.

The User Merge Wizard automatically merges the following properties: privileges, group memberships, profile folders, and object ownership (access control lists). You may optionally choose to merge properties such as a user's or group's security roles, security filters, and database connection maps. Details about how the wizard merges each of these properties are discussed below.

Merging User Privileges

The User Merge Wizard automatically merges all of a user's or group's privileges. To continue with the example above, before the users are merged, each user has a distinct set of global user privileges. After the merge, all privileges that had been assigned to UserB are combined with those of the destination user, UserA. This combination is performed as a union. That is, privileges are not removed from either user.

For example, if UserA has the Web user privilege and UserB has the Web user and Web Administration privileges, after the merge, UserA has both Web user and Web Administration privileges.

Merging User Group Memberships

The User Merge Wizard automatically merges all of a user's or group's group memberships. Before the merge, each user has a distinct set of group memberships. After the merge, all group memberships that were assigned to UserB are combined with those of the destination user, UserA. This combination is performed as a union. That is, group memberships are not removed for either user.

Merging User Profile Folders

The User Merge Wizard automatically merges all of a user's or group's profile folders. Before the merge, UserA and UserB have separate and distinct user profile folders. After UserB is merged into UserA, only UserA exists; their profile contains the profile folder information from both UserA and UserB.

Merging Object Ownership and Access Control Lists

The User Merge Wizard automatically merges all of a user's or group's object ownerships and access control lists (ACLs). Before the merge, the user to be merged, UserB, owns the user objects in their profile folder and also has full control over the objects in the access control list. After the merge, ownership and access to the merged user's objects are granted to the destination user, UserA. The merged user is removed from the object's ACL. Any other users that existed in the ACL remain in the ACL. For example, before the merge, UserB owns an object that a third user, UserC, has access to. After the merge, UserA owns the object, and UserC still has access to it.

Merging Project Security Roles

The User Merge Wizard does not automatically merge a user's or group's security roles. To merge them, you must select the Security Roles check box on the Merge Options page in the wizard. Before the merge, both users have unique security roles for a given project. After the merge, the destination user profile is changed based on the following rules:

• If neither user has a security role for a project, the destination user does not have a security role on that project.

• If the destination user has no security role for a project, the user inherits the role from the user to be merged.

• If the destination user and the user to be merged have different security roles, then the existing security role of the destination user is kept.

• If you are merging multiple users into a single destination user and each of the users to be merged has a security role, then the destination user takes the security role of the first user to be merged. If the destination user also has a security role, the existing security role of the destination user is kept.

Merging Project Security Filters

The User Merge Wizard does not automatically merge a user's or group's security filters. To merge them, you must select the Security Filters check box on the Merge Options page in the wizard. When merging security filters, the wizard follows the same rules as for security roles, described above.

Merging Database Connection Mapping

The User Merge Wizard does not automatically merge a user's or group's database connection maps. To merge them, you must select the Connection Mapping check box on the Merge Options page in the wizard. When merging database connection mappings, the wizard follows the same rules as for security roles and security filters, described above.
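The merge rules above can be checked on paper before running the wizard. The following Python model is an added example, not MicroStrategy code: it predicts the destination account's privileges, group memberships and per-project security roles after a merge and reports what the destination gains, so the privilege increase can be reviewed first. The `Account` class, the `preview_merge` function, and the group, project and role names are hypothetical; only the Web user and Web Administration privileges come from the guide.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """Simplified stand-in for a user or group in the metadata (hypothetical model)."""
    name: str
    privileges: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    security_roles: dict = field(default_factory=dict)  # project name -> role name


def preview_merge(destination, sources, merge_security_roles=False):
    """Predict the destination account after `sources` are merged into it, in order.

    Nothing is modified; the function returns the predicted state plus the
    privileges, groups and roles the destination would gain.
    """
    privileges = set(destination.privileges)
    groups = set(destination.groups)
    roles = dict(destination.security_roles)

    for src in sources:
        # Privileges and group memberships are always merged, as a union.
        privileges |= src.privileges
        groups |= src.groups
        # Security roles are merged only when the Security Roles option is selected.
        if merge_security_roles:
            for project, role in src.security_roles.items():
                # An existing destination role is kept; otherwise the role of the
                # first merged user that has one for the project is taken.
                roles.setdefault(project, role)

    return {
        "privileges": privileges,
        "groups": groups,
        "security_roles": roles,
        "gained_privileges": privileges - destination.privileges,
        "gained_groups": groups - destination.groups,
        "gained_roles": {p: r for p, r in roles.items()
                         if p not in destination.security_roles},
        "removed_accounts": [s.name for s in sources],
    }


# Constructed sample accounts; group, project and role names are made up.
user_a = Account("UserA", {"Web user"}, {"Finance"}, {"Project1": "Analyst"})
user_b = Account("UserB", {"Web user", "Web Administration"}, {"Support"},
                 {"Project1": "Power User", "Project2": "Viewer"})
user_c = Account("UserC", set(), {"Support"}, {"Project2": "Architect"})

if __name__ == "__main__":
    result = preview_merge(user_a, [user_b, user_c], merge_security_roles=True)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because the first merged user's role is the one inherited, reversing the order of `user_b` and `user_c` changes the role predicted for Project2.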

Running the User Merge Wizard

The following high-level procedure provides an overview of what the User Merge Wizard does. For an explanation of the information required at any given page in the wizard, click Help, or press F1.

To Merge Users or Groups

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select User Merge Wizard.

2. Specify the project source containing the users/groups you want to merge.

3. Select whether you want to merge optional user properties such as security roles, security filters, and database connection maps. For a description of how the User Merge Wizard merges these optional properties, see each individual property's section in How Users and Groups are Merged, page 151.

4. Specify whether you want to have the wizard select the users/groups to merge automatically (you can verify and correct the merge candidates), or if you want to manually select them.

5. In the User Merge Candidates page, select the destination users or groups and click > to move them to the right-hand side.

6. Select the users or groups to be merged and click > to move them to the right-hand side.

7. Click Finish.

Security Checklist Before Deploying the System

Use the checklist below to make sure you have implemented the appropriate security services or features for your system before it is deployed. All the security implementations listed below are described in detail in preceding sections.

Ensure that the Administrator password has been changed. When you install Intelligence Server, the Administrator account comes with a blank password that must be changed.

Set up access controls for the database (see Controlling Access to Data, page 121). Depending on your security requirements you may need to:

• Set up security views to restrict access to specific tables, rows, or columns in the database

• Split tables in the database to control user access to data by separating a logical data set into multiple physical tables, which require separate permissions for access

• Implement connection mapping to control individual access to the database

• Configure passthrough execution to control individual access to the database from each project, and to track which users are accessing the RDBMS

• Assign security filters to users or groups to control access to specific data (these operate similarly to security views but at the application level)

Understand the MicroStrategy user model (see The MicroStrategy User Model, page 86). Use this model to:

• Select and implement a system authentication mode to identify users

• Set up security roles for users and groups to assign basic privileges and permissions

• Understand ACLs (access control lists), which allow users access permissions to individual objects

• Check and, if necessary, modify privileges and permissions for anonymous authentication for guest users. (By default, anonymous access is disabled at both the server and the project levels.) Do not assign delete privileges to the guest user account.

Assign privileges and permissions to control user access to application functionality. You may need to:

• Assign the Denied All permission to a special user or group so that, even if permission is granted at another level, permission is still denied

• Make sure guest users (anonymous authentication) have access to the Log folder in C:\Program Files (x86)\Common Files\MicroStrategy. This ensures that any application errors that occur while a guest user is logged in can be written to the log files.

Use your web application server security features to:

• Implement file-level security requirements

• Create security roles for the application server

• Make use of standard Internet security technologies such as firewalls, digital certificates, and encryption.

• If you are working with sensitive or confidential data, enable the setting to encrypt all communication between MicroStrategy Web server and Intelligence Server.

There may be a noticeable performance degradation because the system must encrypt and decrypt all network traffic.

• Enable encryption for MicroStrategy Web products. By default most encryption technologies are not used unless you enable them.

Locate the physical machine hosting the MicroStrategy Web application in a physically secure location.

Restrict access to files stored on the machine hosting the MicroStrategy Web application by implementing standard file-level security offered by your operating system. Specifically, apply this type of security to protect access to the MicroStrategy administrator pages, to prevent someone from typing specific URLs into a browser to access these pages. (The default location of the Admin page file is C:\Program Files (x86)\MicroStrategy\Web ASPx\asp\Admin.aspx.) Be sure to restrict access to:

• The asp directory

• Admin.aspx

3 IDENTIFYING USERS: AUTHENTICATION

Authentication is the process by which the system identifies the user. In most cases, a user provides a login ID and password which the system compares to a list of authorized logins and passwords. If they match, the user is able to access certain aspects of the system, according to the access rights and application privileges associated with the user.

Workflow: Changing Authentication Modes

The following is a list of high-level tasks that you perform when you change the default authentication mode in your MicroStrategy installation.

• Choose an authentication mode, and set up the infrastructure necessary to support it. For example, if you want to use LDAP Authentication, you must set up your LDAP directory and server. For the modes of authentication available, see Modes of Authentication, page 161.

• Import your user database into the MicroStrategy metadata, or link your users' accounts in your user database with their accounts in MicroStrategy. For example, you can import users in your LDAP directory into the MicroStrategy metadata, and ensure that their LDAP credentials are linked to the corresponding MicroStrategy users. Depending on the authentication mode you choose, the following options are available:

  • If your organization's users do not exist in the MicroStrategy metadata:

    • You can import their accounts from an LDAP directory, or from a text file. For the steps to import users, refer to the System Administration Help in Developer.

    • You can configure Intelligence Server to automatically import users into the metadata when they log in.

  • If your organization's users already exist in the MicroStrategy metadata:

    • You can use a Command Manager script to edit the user information in the metadata, and link the users' MicroStrategy accounts to their accounts in your user directory.

• Enable your chosen authentication mode for MicroStrategy applications at the following levels:

  • Your web server, for example, IIS or Apache.

  • Your application server, for example, IIS or WebSphere.

  • In Web Administrator, on the Default Server Properties page.

  • In Mobile Administrator, on the Default Server Properties page.

  • For all project sources that the above applications connect to.

The specific steps to implement an authentication mode depend on the mode you choose, and are described in the sections that follow.

Modes of Authentication

Several authentication modes are supported in the MicroStrategy environment. The main difference between the modes is the authentication authority used by each mode. The authentication authority is the system that verifies and accepts the login/password credentials provided by the user.

The available authentication modes for MicroStrategy Platform Products are:

• Standard: Intelligence Server is the authentication authority. This is the default authentication mode. For more information, see Implementing Standard Authentication, page 165.

• Anonymous: Users log in as "Guest" and do not need to provide a password. This authentication mode may be required to enable other authentication modes, such as database warehouse. For more information, see Implementing Anonymous Authentication, page 169.

• Database warehouse: The data warehouse database is the authentication authority. For more information, see Implementing Database Warehouse Authentication, page 336.

• LDAP (lightweight directory access protocol): An LDAP server is the authentication authority. For more information, see Implementing LDAP Authentication, page 171, and Setting up LDAP Authentication in MicroStrategy Web, Library, and Mobile.

• Single sign-on: Single sign-on encompasses several different third-party authentication methods, including:

  • SAML authentication: A two-way authentication setup between your MicroStrategy server and a SAML Identity Provider. For more information, see Enabling Single Sign-On with SAML Authentication.

  • Integrated authentication: A domain controller using Kerberos authentication is the authentication authority. For more information, see Enabling integrated authentication.

  • Trusted authentication: A third-party single sign-on tool, such as IBM® Tivoli® Access Manager, CA SiteMinder®, or Oracle® Access Manager, is the authentication authority. For more information, see Enable Single Sign-On to Library with Trusted Authentication.

    Trusted authentication mode cannot be used in combination with any other login mode.

  • Windows authentication: Windows is the authentication authority. For more information, see Implementing Windows NT Authentication, page 296.

• Usher Security: Users log in to Web and Mobile using Usher Security. Usher enables users to electronically validate their identity using the Usher app and mobile badge on their smartphone, instead of entering a password. For steps, see Enabling Badge Authentication for Web and Mobile, page 328.

For examples of situations where you might want to implement specific authentication modes, and the steps to do so, see Authentication Examples, page 339.

Configuring the Authentication Mode for a Project Source

You can configure a project source to use a specific authentication mode using the Project Source Manager. By default, project sources use standard authentication (see Implementing Standard Authentication, page 165).

To Configure the Authentication Mode for a Project Source

1. In Developer, from the Tools menu, select Project Source Manager.

2. Select the appropriate project source and click Modify.

3. On the Advanced tab, select the appropriate option for the default authentication mode that you want to use.

4. Click OK twice.

5. If the project source is accessed via MicroStrategy Web or MicroStrategy Office, there are additional steps that must be followed to configure the authentication mode, as follows:

   • To set the authentication mode in MicroStrategy Web, use the MicroStrategy Web Administrator's Default Server Properties page.

   • To set the authentication mode in MicroStrategy Office, use the projectsources.xml file. For detailed instructions, see the MicroStrategy for Office Online Help.

Importing Users from Different Authentication Systems

You can import users from multiple different authentication systems, such as from a database warehouse and from an LDAP Server, into a single MicroStrategy metadata.

Each user that is imported into MicroStrategy from a single authentication mechanism is created as a separate user object in the MicroStrategy metadata. For example, if User A is imported from your LDAP Server into MicroStrategy, the User A object is created in the MicroStrategy metadata. If User A is also imported from your NT system, a separate User A object (we can call it User A-NT) is created in the metadata. Every time a user is imported into the MicroStrategy metadata, a separate user object is created.

As an alternative, you can import User A from a single authentication system (LDAP, for example), and then link the User A object that is created to the same user in your NT system, and to the same user in your database warehouse, and so on. Using linking, you can "connect" or map multiple authentication systems to a single user object in the MicroStrategy metadata.

Sharing User Accounts Between Users

MicroStrategy does not recommend sharing user accounts.

You may decide to map several users to the same MicroStrategy user account. These users would essentially share a common login to the system. Consider doing this only if you have users who do not need to create their own individual objects, and if you do not need to monitor and identify each individual user uniquely.

Implementing Standard Authentication

Standard authentication is the default authentication mode and the simplest to set up. Each user has a unique login and password and can be identified in the MicroStrategy application uniquely.

By default, all users connect to the data warehouse using one RDBMS login ID, although you can change this using Connection Mapping. For more information, see Connecting to the Data Warehouse, page 23. In addition, standard authentication is the only authentication mode that allows a user or system administrator to change or expire MicroStrategy passwords.

When using standard authentication, Intelligence Server is the authentication authority. Intelligence Server verifies and accepts the login and password provided by the user. This information is stored in the metadata repository.

When a project source is configured to use standard authentication, users must enter a valid login ID and password combination before they can access the project source.

Password Policy

A valid password is a password that conforms to any specifications you may have set. You can define the following characteristics of passwords:

• Whether a user must change their password when they first log into MicroStrategy

• How often the password expires

• The number of past passwords that the system remembers, so that users cannot use the same password

• Whether a user can include their login and/or name in the password

• Whether or not rotating characters from last password are allowed in new passwords

• Minimum number of character changes

• Rules for password complexity, including:

  • The minimum number of characters that the password must contain

  • The minimum number of upper-case characters that the password must contain

  • The minimum number of lower-case characters that the password must contain

  • The minimum number of numeric characters, that is, numbers from 0 to 9, that the password must contain

  • The minimum number of special characters, that is, symbols, that the password must contain

The expiration settings are made in the User Editor and can be set for each individual user. The complexity and remembered password settings are made in the Security Policy Settings dialog box, and affect all users.

Steps to Implement Standard Authentication

The procedure below gives the high-level steps for configuring your Intelligence Server for standard authentication.

High-Level Steps to Configure Standard Authentication

1. In Developer, open the Project Source Manager and click Modify.

2. On the Advanced tab, select Use login ID and password entered by the user (standard authentication). This is the default setting.

3. In MicroStrategy Web, log in as an administrator. On the Preferences page, select Project Defaults, select Security, and then enable Standard (user name & password) as the login mode.

4. In Developer, create a database instance for the data warehouse and assign it a default database login. This is the RDBMS account that will be used to execute reports from all users.

Password Hashing for Standard Authentication

Beginning with MicroStrategy 10.11, a new hashing algorithm that provides much stronger security will be implemented. Associated with this new algorithm is a new field in Developer that allows the Administrator to select the number of iterations that a password is hashed. This provides even greater security on top of the algorithm by iteratively hashing the hash a configurable number of times. The previous option to select a hashing algorithm has been removed.

The new hashing algorithm was implemented in the product to conform with current industry security best practices by following the guidance of NIST Special Publication 800-63B for the protection of memorized secrets. The following is an overview of the algorithm used for password hashing:

• A 512-bit random value is generated for the password. This value is stored in the Metadata as it is required when verifying the password.

• A password-based key derivation function (i.e., PBKDF2) is executed which accepts three relevant parameters:

  • The previously generated random value (i.e., the salt).

  • A hashing function (in this case SHA-512).

  • The number of iterations to perform the PBKDF2 algorithm (set by the administrator as described below).

The PBKDF2 algorithm combines the user's password and the random salt and then performs its operations by applying the specified hashing function (SHA-512) for the number of iterations specified. The result is then stored in the Metadata as the hash of the password.

For reference, the OpenSSL PKCS5_PBKDF2_HMAC function is used to perform the PBKDF2/SHA-512 hashing.

For new installations with new metadata beginning with 10.11, the new algorithm and hashing process is automatically applied.

For existing deployments that are upgrading to 10.11, there are similarly no additional actions that need to be taken by the Administrator beyond optionally changing the default number of hash iterations. However, there are two important caveats associated with upgrading to 10.11:

• If upgrading Intelligence Server and metadata, pre-10.11 installations of COM API clients must also be upgraded as they are not compatible.

• Once the upgrade is undertaken, it is not possible to revert to an earlier version of metadata.

Once an installation has been upgraded to 10.11, the process of converting user password hashes from the old algorithm to the new algorithm will occur automatically, transparent to both users and Administrators. There is no need to ask users to enter new passwords. After the upgrade is performed, each user's password hash will be automatically updated on the next login.
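The scheme described above, and the reason the conversion can only happen at the next login, can be shown with Python's standard library. This is an added example, not MicroStrategy's implementation: the record layout, the function names and the iteration count are assumptions, and the "legacy" scheme is a stand-in (one unsalted SHA-256) because the guide does not name the old algorithm.

```python
import hashlib
import hmac
import os

SALT_BYTES = 64              # 512-bit random salt, as the guide describes
DEFAULT_ITERATIONS = 10_000  # constructed value; the guide does not state the default
NEW_SCHEME = "pbkdf2-sha512"


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a stored-password record using PBKDF2 with HMAC-SHA-512."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    # The salt and iteration count are stored with the hash: both are needed to verify.
    return {"scheme": NEW_SCHEME, "salt": salt, "iterations": iterations, "hash": digest}


def legacy_record(password):
    """Stand-in for a pre-upgrade record (hypothetical scheme, for illustration only)."""
    return {"scheme": "legacy", "hash": hashlib.sha256(password.encode("utf-8")).digest()}


def verify(password, record):
    """Recompute the hash from the stored parameters and compare in constant time."""
    if record["scheme"] == NEW_SCHEME:
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), record["salt"], record["iterations"]
        )
    elif record["scheme"] == "legacy":
        candidate = hashlib.sha256(password.encode("utf-8")).digest()
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(store, user, password):
    """Authenticate and, on success, convert an old-scheme record to the new scheme.

    The conversion needs the plaintext password, which exists only during a
    successful login; that is why records are updated at the next login rather
    than in bulk at upgrade time.
    """
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if record["scheme"] != NEW_SCHEME:
        store[user] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample store with one pre-upgrade record.
    store = {"alice": legacy_record("correct horse")}
    print(login(store, "alice", "wrong guess"), store["alice"]["scheme"])
    print(login(store, "alice", "correct horse"), store["alice"]["scheme"])
```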

Changing the Default Number of Iterations

1. Open Developer and right-click on a project source and select Configure Intelligence Server.

   If you are running MicroStrategy Developer on Windows for the first time, run it as an administrator.

   Right-click the program icon and select Run as Administrator.

   This is necessary in order to properly set the Windows registry keys. For more information, see KB43491.

2. Open Server Definition > Security.

3. Set the number of hash iterations in the Encryption Level section.

Implementing Anonymous Authentication

When using anonymous authentication, users log in as guests and do not need to provide a password. Each guest user assumes the profile defined by the Public group.

This dynamically created guest user is not the same as the "Guest" user which is visible in the User Manager.

Guest users inherit security settings, including privileges and permissions, project access, security filter, and connection map information, from the Public/Guest group; they are not part of the Everyone group.

By default, guest users have no privileges; you must assign this group any privileges that you want the guest users to have. Privileges that are grayed out in the User Editor are not available by default to a guest user. Other than the unavailable privileges, you can determine what the guest user can and cannot do by modifying the privileges of the Public/Guest user group and by granting or denying it access to objects. For more information, see Controlling Access to Functionality: Privileges, page 109 and Controlling Access to Objects: Permissions, page 95.

All objects created by guest users must be saved to public folders and are available to all guest users. Guest users may use the History List, but their messages in the History List are not saved and are purged when the guest users log out.

To Enable Anonymous Access to a Project Source

By default, anonymous access is disabled at both the server and the project levels.

1. In Developer, log into the project source with a user that has administrative privileges.

2. From the Folder List, select Administration.

3. From the File menu, select Properties.

4. In the Security tab, click Add.

5. Select the Public/Guest group.

6. In the Access Permission list, select Connect.

7. Click OK.

8. Follow the procedure in Configuring the Authentication Mode for a Project Source, page 163 and select Anonymous authentication. When users log into this project source, they are now automatically logged in as guest users and not prompted for a login or password.

Implementing LDAP Authentication


Lightweight Directory Access Protocol (LDAP) is an open standard
Internet protocol running over TCP/IP that is designed to maintain and
work with large user directory services. It provides a standard way for
applications to request and manage user and group directory
information. LDAP performs simple Select operations against large
directories, in which the goal is to retrieve a collection of attributes
with simple qualifications, for example, Select all the employees'
phone numbers in the support division.

An LDAP authentication system consists of two components: an LDAP
server and an LDAP directory. An LDAP server is a program that
implements the LDAP protocol and controls access to an LDAP
directory of user and group accounts. An LDAP directory is the
storage location and structure of user and group accounts on an
LDAP server. Before information from an LDAP directory can be
searched and retrieved, a connection to the LDAP server must be
established.

If you use an LDAP directory to centrally manage users in your
environment, you can implement LDAP authentication in
MicroStrategy. Group membership can be maintained in the LDAP
directory without having to also be defined in Intelligence Server.
LDAP authentication identifies users in an LDAP directory which
MicroStrategy can connect to through an LDAP server. Supported
LDAP servers include Novell Directory Services, Microsoft Directory
Services, OpenLDAP for Linux, and Sun ONE 5.1/iPlanet. For the
latest set of certified and supported LDAP servers, refer to the
Readme.

The high-level steps to implement LDAP authentication are as
follows:

1. Review the LDAP information flow, described in LDAP
Information Flow, page 172.

2. Depending on your requirements, collect information and make
decisions regarding the information in Checklist: Information
Required for Connecting Your LDAP Server to MicroStrategy,
page 174.

3. Run the LDAP Connectivity Wizard to connect your LDAP server
to MicroStrategy, as described in Setting up LDAP
Authentication in MicroStrategy Web, Library, and Mobile, page
198.

4. To make changes in your LDAP configuration, use the
procedures described in Managing LDAP Authentication, page
202.

You can also set up MicroStrategy Office to use LDAP authentication.
For information, see the MicroStrategy for Office Online Help.

LDAP Information Flow


The following scenario presents a high-level overview of the general
flow of information between Intelligence Server and an LDAP server
when an LDAP user logs in to Developer or MicroStrategy Web.

LDAP User Login Information Flow

1. When an LDAP user logs in to MicroStrategy Web or Developer,
Intelligence Server connects to the LDAP server using the
credentials for the LDAP administrative user, called an
authentication user.

2. The authentication user is bound to LDAP using a Distinguished
Name (DN) and password set up in the user's configuration.

3. The authentication user searches the LDAP directory for the user
who is logging in via Developer or MicroStrategy Web, based on
the DN of the user logging in.

4. If this search successfully locates the user who is logging in, the
user's LDAP group information is retrieved.

5. Intelligence Server then searches the MicroStrategy metadata to
determine whether the DN of the user logging in is linked to an
existing MicroStrategy user or not.

6. If a linked user is not found in the metadata, Intelligence Server
refers to the import and synchronization options that are
configured. If importing is enabled, Intelligence Server updates
the metadata with the user and group information it accessed in
the LDAP directory.

7. The user who is logging in is given access to MicroStrategy, with
appropriate privileges and permissions.

LDAP Anonymous Login Information Flow

When an LDAP anonymous user (empty password) logs in to
MicroStrategy Web or Developer, Intelligence Server checks whether
the LDAP anonymous bind to the LDAP server is successful. When this
succeeds, Intelligence Server authorizes the LDAP anonymous
login using the LDAP Users and Everyone groups. The privileges and
permissions of the LDAP Users and Everyone groups are applied.

Checklist: Information Required for Connecting Your LDAP Server to MicroStrategy

You can connect your LDAP server from your Intelligence Server
using the LDAP Connectivity Wizard. Before beginning the process,
ensure that you have the following information:

• The connection details for your LDAP server. The information
  required is as follows:

  • The machine name or IP address of the LDAP server.

  • The network port that the LDAP server uses.

  • Whether the LDAP server is accessed using clear text, or over an
    encrypted SSL connection. If you are using an SSL connection,
    you need to do the following before you begin to set up LDAP:

    • Obtain a valid certificate from your LDAP server and save it on
      the machine where Intelligence Server is installed.

    • Follow the procedure recommended by your operating system to
      install the certificate.

  • The user name and password of an LDAP user who can search
    the LDAP directory. This user is called the authentication user,
    and is used by the Intelligence Server to connect to the LDAP
    server. Typically, this user has administrative privileges for your
    LDAP server.

• Details of your LDAP SDK. The LDAP SDK is a set of connectivity
  file libraries (DLLs) that MicroStrategy uses to communicate with
  the LDAP server. For information on the requirements for your
  LDAP SDK, and for steps to set up the SDK, see Setting up LDAP
  SDK connectivity.

• Your LDAP search settings, which allow Intelligence Server to
  effectively search through your LDAP directory to authenticate
  and import users. For information on defining LDAP search
  settings, see Defining LDAP Search Filters to Verify and Import
  Users and Groups at Login, page 182.

Additionally, depending on your organization's requirements, it is
recommended that you make decisions and gather information about
the following:

• Determine whether you want to use connection pooling with your
  LDAP server. With connection pooling, you can reuse an open
  connection to the LDAP server for subsequent operations. The
  connection to the LDAP server remains open even when the
  connection is not processing any operations (also known as
  pooling). This setting can improve performance by removing the
  processing time required to open and close a connection to the
  LDAP server for each operation.

  For background information on connection pooling, see Determining
  Whether to Use Connection Pooling, page 187.

• Determine the method that Intelligence Server uses to authenticate
  users in the LDAP server. The possible options are described
  below:

  • Binding: If you choose this method, the Intelligence Server
    attempts to log in to the LDAP server with the user's credentials.

  • Password comparison: If you choose this method, the Intelligence
    Server verifies the user's user name and password with the LDAP
    server, without attempting to log in to the LDAP server.

  For a comparison of the two methods of authentication, see
  Determining Whether to Use Authentication Binding or Password
  Comparison, page 189.

• Determine whether you need to use database passthrough
  execution. In MicroStrategy, a single user name and password
  combination is frequently used to connect to and execute jobs
  against a database. However, you can choose to pass to the
  database a user's LDAP user name and password used to log in to
  MicroStrategy. The database is then accessed and jobs are
  executed using the LDAP user name and password. This allows
  each user logged in to MicroStrategy to execute jobs against the
  database using their unique user name and password which can be
  given a different set of privileges than other users.

  For additional information on database passthrough execution, see
  Determining Whether to Enable Database Passthrough Execution
  with LDAP, page 189.

• Determine whether you want to import LDAP user and group
  information into the MicroStrategy metadata. A MicroStrategy group
  is created for each LDAP group. The following options are
  available:

  • Import users and groups into MicroStrategy: If you choose this
    option, a MicroStrategy user is created for each user in your
    LDAP directory. Users can then be assigned additional privileges
    and permissions in MicroStrategy.

  • Link users and groups to MicroStrategy, without importing them: If
    you choose this option, a link is created between MicroStrategy
    users and users in your LDAP directory, without creating new
    LDAP users in your metadata. If you have an LDAP directory with
    a large number of users, this option avoids filling your metadata
    with new users.

  For information on the benefits and considerations for importing
  LDAP user and group information into MicroStrategy, see
  Determining Whether to Import LDAP Users into MicroStrategy,
  page 190.

• Determine whether you want to automatically synchronize user and
  group information with the LDAP server. This ensures that if there
  are changes in the group membership for the users you have
  imported into MicroStrategy, or users who are linked to existing
  MicroStrategy accounts, the changes in the LDAP directory are
  applied in MicroStrategy when users log in, or on a schedule that
  you determine.

  For the benefits and considerations of synchronizing user and group
  information, see Determining Whether to Automatically Synchronize
  LDAP User and Group Information, page 195.

• If you choose to import LDAP user and group information into the
  MicroStrategy metadata, determine the following:

  • Determine whether you want to import LDAP user and group
    information into the MicroStrategy metadata when users log in,
    and whether the information is synchronized every time users log
    in.

  • Determine whether you want to import LDAP user and group
    information into the MicroStrategy metadata in batches, and
    whether you want the information to be synchronized according to
    a schedule.

• If you want to import LDAP user and group information in batches,
  you must provide search filters to import the users and the groups.
  For example, if your organization has 1,000 users in the LDAP
  directory, of whom 150 need to use MicroStrategy, you must
  provide a search filter that imports the 150 users into the
  MicroStrategy metadata. For information on defining search filters,
  see Defining LDAP Search Filters to Verify and Import Users and
  Groups at Login, page 182.

• If your LDAP organizational structure includes groups contained
  within groups, determine how many recursive groups to import
  when you import a user or group into MicroStrategy.

  To understand how this setting affects the way the users and groups
  are imported into MicroStrategy, see the following diagram:

  If you choose to import two nested groups when MicroStrategy imports
  LDAP groups, the groups associated with each user are imported, up
  to two levels above the user. In this case, for User 1, the groups
  Domestic and Marketing would be imported. For User 3, Developers
  and Employees would be imported.

• If you use a single sign-on (SSO) authentication system, such as
  Windows authentication or integrated authentication, determine
  whether you want to import the LDAP user and group information for
  users of your single sign-on system.

• Determine whether the following additional information is imported:

  • The users' email addresses. If you have a license for
    MicroStrategy Distribution Services, then when you import LDAP
    users, you can import these email addresses as contacts
    associated with those users.

  • The Trusted Authenticated Request User ID for a 3rd party user.
    When a 3rd party user logs in, this Trusted Authenticated Request
    User ID will be used to find the linked MicroStrategy user.

  • Additional LDAP attributes to import. For example, your LDAP
    directory may include an attribute called accountExpires,
    which contains information about when the users' accounts
    expire. The attributes in your LDAP directory depend on the LDAP
    server that you use, and your LDAP configuration.

    You can create security filters based on the LDAP attributes that
    you import. For example, you import the LDAP attribute
    countryName, create a security filter based on that LDAP
    attribute, and then you assign that security filter to all LDAP
    users. Now, when a user from Brazil views a report that breaks
    down sales revenue by country, they only see the sales data for
    Brazil.

    For information on setting up security filters based on LDAP
    attributes, see Managing LDAP Authentication, page 202.
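
The recursive group import setting in the checklist above (two levels giving Domestic and Marketing for User 1) can be modelled as a level-limited walk up the membership graph. This is an added example, not MicroStrategy code: the hierarchy is constructed because the guide's diagram is not reproduced on this page, and the Departments and Staff groups and the circular nesting are assumptions.

```python
from collections import deque

# Constructed membership data: each key is a user or group, each value lists
# the groups it is a direct member of. Only the User 1 and User 3 chains come
# from the guide's text; "Departments", "Staff" and the cycle are assumptions.
MEMBER_OF = {
    "User 1": ["Domestic"],
    "Domestic": ["Marketing"],
    "Marketing": ["Departments"],
    "User 3": ["Developers"],
    "Developers": ["Employees"],
    "Employees": ["Staff"],
    "Staff": ["Employees"],  # circular nesting, which some directories allow
}


def groups_to_import(member, levels, member_of=MEMBER_OF):
    """Return the groups reached within `levels` steps above `member`.

    levels=None means no limit. Groups are returned nearest first, and each
    group appears once even if the directory contains circular nesting.
    """
    imported = []
    seen = {member}
    queue = deque([(member, 0)])
    while queue:
        name, depth = queue.popleft()
        if levels is not None and depth >= levels:
            continue  # do not look above the configured number of levels
        for group in member_of.get(name, []):
            if group in seen:
                continue  # already handled, or a cycle back to a lower group
            seen.add(group)
            imported.append(group)
            queue.append((group, depth + 1))
    return imported


def groups_beyond_limit(member, levels, member_of=MEMBER_OF):
    """Groups the member belongs to indirectly that the limit leaves out."""
    within = set(groups_to_import(member, levels, member_of))
    everything = groups_to_import(member, None, member_of)
    return [group for group in everything if group not in within]


if __name__ == "__main__":
    for user in ("User 1", "User 3"):
        print(user, "imports", groups_to_import(user, 2),
              "and leaves out", groups_beyond_limit(user, 2))
```

Running the second function against an export of your own directory shows which indirect memberships a given level setting would not bring into the metadata.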

Once you have collected the above information, you can use the
LDAP Connectivity Wizard to set up your LDAP connection. The steps
are described in Setting up LDAP Authentication in MicroStrategy
Web, Library, and Mobile, page 198.

Setting Up LDAP SDK Connectivity

From the perspective of your LDAP server, Intelligence Server is an
LDAP client that uses clear text or encrypted SSL to connect to your
LDAP server through the LDAP SDK.

The LDAP SDK is a set of connectivity file libraries (DLLs) that
MicroStrategy uses to communicate with the LDAP server. For the
latest set of certified and supported LDAP SDK files, refer to the
Readme.

Intelligence Server requires that the version of the LDAP SDK you are
using supports the following:

• LDAP v. 3

• SSL connections

• 64-bit architecture on Linux platforms

For LDAP to work properly with Intelligence Server, the 64-bit LDAP
libraries must be used.

The following image shows how behavior of the various elements in
an LDAP configuration affects other elements in the configuration.

1. The behavior between Intelligence Server and the LDAP SDK
varies slightly depending on the LDAP SDK used. The Readme
provides an overview of these behaviors.

2. The behavior between the LDAP SDK and the LDAP server is
identical, no matter which LDAP SDK is used.

MicroStrategy recommends that you use the LDAP SDK vendor that
corresponds to the operating system vendor on which Intelligence
Server is running in your environment. Specific recommendations are
listed in the Readme, with the latest set of certified and supported
LDAP SDKs, references to MicroStrategy Tech Notes with
version-specific details, and SDK download location information.

High-Level Steps to Install the LDAP SDK DLLs

1. Download the LDAP SDK DLLs onto the machine where
Intelligence Server is installed.

2. Install the LDAP SDK.

3. Register the location of the LDAP SDK files as follows:

• Windows environment: Add the path of the LDAP SDK libraries
  as a system environment variable so that Intelligence Server
  can locate them.

• Linux environment: Modify the LDAP.sh file located in the env
  folder of your MicroStrategy installation to point to the location
  of the LDAP SDK libraries. The detailed procedure is
  described in the procedure To Add the LDAP SDK Path to the
  Environment Variable in UNIX, page 181 below.

4. Restart Intelligence Server.

To Add the LDAP SDK Path to the Environment Variable in UNIX

This procedure assumes you have installed an LDAP SDK. For
high-level steps to install an LDAP SDK, see High-Level Steps to Install
the LDAP SDK DLLs, page 180.

1. In a Linux console window, browse to HOME_PATH where
HOME_PATH is the specified home directory during installation.
Browse to the folder /env in this path.

2. Add Write privileges to the LDAP.sh file by typing the
command chmod u+w LDAP.sh and then pressing Enter.

3. Open the LDAP.sh file in a text editor and add the library path to
the MSTR_LDAP_LIBRARY_PATH environment variable. For
example: MSTR_LDAP_LIBRARY_PATH='/path/LDAP/library'

It is recommended that you store all libraries in the same path. If
you have several paths, you can add all paths to the
MSTR_LDAP_LIBRARY_PATH environment variable and separate them
by a colon (:). For example:
MSTR_LDAP_LIBRARY_PATH='/path/LDAP/library:/path/LDAP/library2'

4. Remove Write privileges from the LDAP.sh file by typing the
command chmod a-w LDAP.sh and then pressing Enter.

5. Restart Intelligence Server for your changes to take effect.

Defining LDAP Search Filters to Verify and Import Users and Groups at Login

You must provide Intelligence Server with some specific parameters
so it can search effectively through your LDAP directory for user
information.

When users attempt to log in to MicroStrategy, the Intelligence Server
authenticates users by searching the LDAP directory for the user's
Distinguished Name, which is a unique way to identify users within
the LDAP directory structure.

To search effectively, Intelligence Server must know where to start its
search. When setting up LDAP authentication, it is recommended that
you indicate a search root Distinguished Name to establish the
directory location from which Intelligence Server starts all user and
group searches. If this search root is not set, Intelligence Server
searches the entire LDAP directory.

Additionally, you can specify search filters, which help narrow down
the users and groups to search.

The following sections describe the search settings that you can
configure:

• Highest Level to Start an LDAP Search: Search Root, page 183
  provides examples of these parameters as well as additional details
  of each parameter and some LDAP server-specific notes.

• Finding Users: User Search Filters, page 184 provides an overview
  of LDAP user search filters.

• Finding Groups: Group Search Filters, page 185 provides an
  overview of LDAP group search filters.

Highest Level to Start an LDAP Search: Search Root

The following diagram and table present several examples of
possible search roots based on how users might be organized within
a company and within an LDAP directory. The diagram shows a
typical company's departmental structure. The table describes several
user import scenarios based on the diagram.

The following table, based on the diagram above, provides common
search scenarios for users to be imported into MicroStrategy. The
search root is the root to be defined in MicroStrategy for the LDAP
directory.

Scenario | Search Root

Include all users and groups from Operations | Operations

Include all users and groups from Operations, Consultants, and Sales | Sales

Include all users and groups from Operations, Consultants, and Technology | Departments (with an exclusion clause in the User/Group search filter to exclude users who belong to Marketing and Administration)

Include all users and groups from Technology and Operations but not Consultants. | Departments (with an exclusion clause in the User/Group search filter to exclude users who belong to Consultants.)

For some LDAP vendors, the search root cannot be the LDAP tree's
root. For example, both Microsoft Active Directory and Sun ONE
require a search to begin from the domain controller RDN (dc). The
image below shows an example of this type of RDN, where "dc=sales,
dc=microstrategy, dc=com":

Finding Users: User Search Filters

User search filters allow MicroStrategy to efficiently search an LDAP
directory to authenticate or import a user at login.

Once Intelligence Server locates the user in the LDAP directory, the
search returns the user's Distinguished Name, and the password
entered at user login is verified against the LDAP directory.
Intelligence Server uses the authentication user to access, search in,
and retrieve the information from the LDAP directory.

Using the user's Distinguished Name, Intelligence Server searches
for the LDAP groups that the user is a member of. You must enter the
group search filter parameters separately from the user search filter
parameters (see Finding Groups: Group Search Filters, page 185).

User search filters are generally in the form
(&(objectclass=LDAP_USER_OBJECT_CLASS)(LDAP_LOGIN_ATTR=#LDAP_LOGIN#))
where:

• LDAP_USER_OBJECT_CLASS indicates the object class of the
  LDAP users. For example, you can enter
  (&(objectclass=person)(cn=#LDAP_LOGIN#)).

• LDAP_LOGIN_ATTR indicates which LDAP attribute to use to store
  LDAP logins. For example, you can enter
  (&(objectclass=person)(cn=#LDAP_LOGIN#)).

• #LDAP_LOGIN# can be used in this filter to represent the LDAP
  user login.

Depending on your LDAP server vendor and your LDAP tree structure,
you may need to try different attributes within the search filter syntax
above. For example, (&(objectclass=person)(uniqueID=#LDAP_LOGIN#)),
where uniqueID is the LDAP attribute name your company uses for
authentication.

Finding Groups: Group Search Filters

Group search filters allow MicroStrategy to efficiently search an LDAP
directory for the groups to which a user belongs. These filters can be
configured in the Intelligence Server Configuration Editor, under the
LDAP subject.

The group search filter is generally in one of the following forms (or
the following forms may be combined, using a pipe | symbol to
separate the forms):

• (&(objectclass=LDAP_GROUP_OBJECT_CLASS)(LDAP_MEMBER_LOGIN_ATTR=#LDAP_LOGIN#))

• (&(objectclass=LDAP_GROUP_OBJECT_CLASS)(LDAP_MEMBER_DN_ATTR=#LDAP_DN#))

• (&(objectclass=LDAP_GROUP_OBJECT_CLASS)(gidNumber=#LDAP_GIDNUMBER#))

The group search filter forms listed above have the following
placeholders:

• LDAP_GROUP_OBJECT_CLASS indicates the object class of the
  LDAP groups. For example, you can enter
  (&(objectclass=groupOfNames)(member=#LDAP_DN#)).

• LDAP_MEMBER_[LOGIN or DN]_ATTR indicates which LDAP
  attribute of an LDAP group is used to store LDAP logins/DNs of the
  LDAP users. For example, you can enter
  (&(objectclass=groupOfNames)(member=#LDAP_DN#)).

• #LDAP_DN# can be used in this filter to represent the distinguished
  name of an LDAP user.

• #LDAP_LOGIN# can be used in this filter to represent an LDAP
  user's login.

• #LDAP_GIDNUMBER# can be used in this filter to represent the
  UNIX or Linux group ID number; this corresponds to the LDAP
  attribute gidNumber.

You can implement specific search patterns by adding additional
criteria. For example, you may have 20 different groups of users, of
which only five groups will be accessing and working in
MicroStrategy. You can add additional criteria to the group search
filter to import only those five groups.
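
To test user and group filter templates like the ones above before entering them, the placeholder substitution can be modelled offline. This is an added example, not MicroStrategy code: it assumes substituted values are escaped as RFC 4515 requires for filter values, uses posixGroup as an assumed object class for the gidNumber form, and all sample logins and DNs are constructed.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The three placeholders named in the guide.
_PLACEHOLDER = re.compile(r"#(LDAP_(?:LOGIN|DN|GIDNUMBER))#")


def escape_filter_value(value):
    """Escape a value so it is treated as data, never as filter syntax."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def is_well_formed(ldap_filter):
    """Structural check: one outer pair of parentheses, all pairs balanced."""
    depth = 0
    last = len(ldap_filter) - 1
    for index, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and index != last):
                return False  # stray ")" or text after the outer filter
    return depth == 0 and ldap_filter.startswith("(")


def expand_filter(template, values):
    """Replace each placeholder with its escaped value and check the result."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for #%s#" % name)
        return escape_filter_value(str(values[name]))

    expanded = _PLACEHOLDER.sub(substitute, template)
    if not is_well_formed(expanded):
        raise ValueError("filter template is not well formed: %r" % template)
    return expanded


def any_of(*filters):
    """Combine complete filters with the LDAP OR operator: (|(a)(b))."""
    return "(|" + "".join(filters) + ")"


# Templates in the forms shown in the guide.
USER_FILTER = "(&(objectclass=person)(cn=#LDAP_LOGIN#))"
GROUP_BY_DN = "(&(objectclass=groupOfNames)(member=#LDAP_DN#))"
GROUP_BY_GID = "(&(objectclass=posixGroup)(gidNumber=#LDAP_GIDNUMBER#))"

# Constructed sample values; the DN deliberately contains parentheses.
SAMPLE = {
    "LDAP_LOGIN": "j.smith",
    "LDAP_DN": "cn=J Smith (Ops),ou=Operations,dc=sales,dc=microstrategy,dc=com",
    "LDAP_GIDNUMBER": 5001,
}

if __name__ == "__main__":
    print(expand_filter(USER_FILTER, SAMPLE))
    print(any_of(expand_filter(GROUP_BY_DN, SAMPLE),
                 expand_filter(GROUP_BY_GID, SAMPLE)))
```

A value that still contains a raw parenthesis after substitution changes the structure of the filter, which is what the well-formedness check is there to catch in a template.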

Determining Whether to Use Connection Pooling

With connection pooling, you can reuse an open connection to the
LDAP server for subsequent operations. The connection to the LDAP
server remains open even when the connection is not processing any
operations (also known as pooling). This setting can improve
performance by removing the processing time required to open and
close a connection to the LDAP server for each operation.

If you do not use connection pooling, the connection to an LDAP
server is closed after each request. If requests are sent to the LDAP
server infrequently, this can help reduce the use of network
resources.

Connection Pooling with Clustered LDAP Servers

You may have multiple LDAP servers which work together as a cluster
of LDAP servers.

If connection pooling is disabled, when a request to open an LDAP
connection is made, the LDAP server with the lightest load at the time
of the request is accessed. The operation against the LDAP directory
can then be completed, and in an environment without connection
pooling, the connection to the LDAP server is closed. When the next
request to open an LDAP connection is made, the LDAP server with
the least amount of load is determined again and chosen.

If you enable connection pooling for a clustered LDAP environment,
the behavior is different than described above. On the first request to
open an LDAP connection, the LDAP server with the least amount of
load at the time of the request is accessed. However, the connection
to the LDAP server is not closed because connection pooling is
enabled. Therefore, instead of determining the LDAP server with the
least amount of load during the next request to open an LDAP
connection, the currently open connection is reused.

The diagrams shown below illustrate how subsequent connections to
a clustered LDAP server environment are handled, depending on
whether connection pooling is enabled or disabled.

Determining Whether to Use Authentication Binding or Password Comparison

When MicroStrategy attempts to authenticate an LDAP user logging in
to MicroStrategy, you can choose to perform an LDAP bind to
authenticate the user or simply authenticate on user name and
password.

By implementing authentication binding, MicroStrategy authenticates
the user by logging in to the LDAP server with the user's credentials,
and assessing the following user restrictions:

• Whether the LDAP password is incorrect, has been locked out, or
  has expired

• Whether the LDAP user account has been disabled, or has been
  identified as an intruder and is locked out

If MicroStrategy can verify that none of these restrictions are in effect
for this user account, MicroStrategy performs an LDAP bind, and
successfully authenticates the user logging in. This is the default
behavior for users and groups that have been imported into
MicroStrategy.

You can choose to have MicroStrategy verify only the accuracy of the
user's password with which the user logged in, and not check for
additional restrictions on the password or user account. To support
password comparison authentication, your LDAP server must also be
configured to allow password comparison only.

Determining Whether to Enable Database Passthrough Execution with LDAP

In MicroStrategy, a single user name and password combination is
frequently used to connect to and execute jobs against a database.
However, you can choose to pass a user's LDAP user name and
password used to log in to MicroStrategy to the database. The
database is then accessed and jobs are executed using the LDAP
user name and password. This allows each user logged in to
MicroStrategy to execute jobs against the database using their unique
user name and password, which can be given a different set of
privileges than other users.

Database passthrough execution is selected for each user
individually. For general information on selecting user authentication,
see About MicroStrategy Users, page 87.

If a user's password is changed during a session in MicroStrategy,
scheduled tasks may fail to run when using database passthrough
execution.

Consider the following scenario.

A user with user login UserA and password PassA logs in to MicroStrategy
at 9:00 A.M. and creates a new report. The user schedules the report to run
at 3:00 P.M. later that day. Since there is no report cache, the report will be
executed against the database. At noon, an administrator changes UserA's
password to PassB. UserA does not log back into MicroStrategy, and at
3:00 P.M. the scheduled report is run with the credentials UserA and
PassA, which are passed to the database. Since these credentials are now
invalid, the scheduled report execution fails.

To prevent this problem, schedule password changes for a time when
users are unlikely to run scheduled reports. In the case of users using
database passthrough execution who regularly run scheduled reports,
inform them to reschedule all reports if their passwords have been
changed.

Determining Whether to Import LDAP Users into MicroStrategy

To connect your LDAP users and groups to users and groups in
MicroStrategy, you can either import the LDAP users and groups into
the MicroStrategy metadata or you can create a link between users
and groups in the LDAP directory and in MicroStrategy. Importing a
user creates a new user in MicroStrategy based on an existing user in
the LDAP directory. Linking a user connects an LDAP user's
information to an existing user in MicroStrategy. You can also allow
LDAP users to log in to the MicroStrategy system anonymously,
without an associated MicroStrategy user. The benefits and
considerations of each method are described in the table below.

Connection Type: Import users and groups
  Benefits:
  - Users and groups are created in the metadata.
  - Users and groups can be assigned additional privileges and
    permissions in MicroStrategy.
  - Users have their own inboxes and personal folders in
    MicroStrategy.
  Considerations:
  - In environments that have many LDAP users, importing can quickly
    fill the metadata with these users and their related information.
  - Users and groups may not have the correct permissions and
    privileges when they are initially imported into MicroStrategy.

Connection Type: Link users and groups without importing
  Benefits:
  - For environments that have many LDAP users, linking avoids filling
    the metadata with users and their related information.
  - You can use Command Manager to automate the linking process
    using scripts.
  Considerations:
  - Users to be linked to must already exist in the MicroStrategy
    metadata.

Connection Type: Allow anonymous or guest users
  Benefits:
  - Users can log in immediately without having to create a new
    MicroStrategy user.
  Considerations:
  - Privileges are limited to those for the Public/Guest group and
    LDAP Public group.
  - Users' personal folders and Inboxes are deleted from the system
    after they log out.

The options for importing users into MicroStrategy are described in
detail in the following sections:

- Importing LDAP Users and Groups into MicroStrategy, page 192

- Linking Users and Groups Without Importing, page 193

- Allowing Anonymous/Guest Users with LDAP Authentication, page 194

You can modify your import settings at any time, for example, if you
choose not to import users initially, but want to import them at some
point in the future. The steps to modify your LDAP settings are
described in Managing LDAP Authentication, page 202.

Importing LDAP Users and Groups into MicroStrategy

You can choose to import LDAP users and groups at login, in a batch
process, or a combination of the two. Imported users are automatically
members of MicroStrategy's LDAP Users group, and are assigned the
access control list (ACL) and privileges of that group. To assign
different ACLs or privileges to a user, you can move the user to
another MicroStrategy user group.

When an LDAP user is imported into MicroStrategy, you can also
choose to import that user's LDAP groups. If a user belongs to more
than one group, all the user's groups are imported and created in the
metadata. Imported LDAP groups are created within MicroStrategy's
LDAP Users folder and in MicroStrategy's User Manager.

LDAP users and LDAP groups are all created within the MicroStrategy
LDAP Users group at the same level. While the LDAP relationship
between a user and any associated groups exists in the MicroStrategy
metadata, the relationship is not visually represented in Developer.
For example, looking in the LDAP Users folder in MicroStrategy
immediately after an import or synchronization, you might see the
following list of imported LDAP users and groups:

If you want a user's groups to be shown in MicroStrategy, you must
manually move them into the appropriate groups.

The relationship between an imported LDAP user or group and the
MicroStrategy user or group is maintained by a link in the
MicroStrategy metadata, which is in the form of a Distinguished
Name. A Distinguished Name (DN) is the unique identifier of an entry
(in this case a user or group) in the LDAP directory.

The MicroStrategy user's Distinguished Name is different from the DN
assigned for the authentication user. The authentication user's DN is the
DN of the MicroStrategy account that is used to connect to the LDAP
server and search the LDAP directory. The authentication user can be
anyone who has search privileges in the LDAP server, and is generally
the LDAP administrator.

Removing a user from the LDAP directory does not affect the user's
presence in the MicroStrategy metadata. Deleted LDAP users are not
automatically deleted from the MicroStrategy metadata during
synchronization. You can revoke a user's privileges in MicroStrategy,
or remove the user manually.
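
Because deleted LDAP users stay in the metadata, stale accounts have to be found by comparing linked DNs against the directory. The script below is an added example, not MicroStrategy code: it assumes a hypothetical user export with login and ldap_dn fields and a list of DNs returned by your own LDAP search, and all sample values are constructed.

```python
"""Flag MicroStrategy users whose linked LDAP DN is no longer in the directory.

Added example, not MicroStrategy code. The export layout (login, ldap_dn)
and every sample value below are constructed for illustration.
"""


def split_unescaped(text, sep):
    """Split text on sep, keeping backslash-escaped separators inside a part."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Build a comparison key for a DN.

    Assumption: the naming attributes (cn, ou, dc, ...) use case-insensitive
    matching, so attribute types and values are lower-cased and runs of
    spaces are collapsed. Multi-valued RDNs ("+") are compared as written.
    """
    rdns = []
    for rdn in split_unescaped(dn.strip(), ","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(rdns)


def audit_ldap_links(mstr_users, ldap_dns):
    """Return {login: finding} for users whose linked DN is absent from LDAP.

    status "missing": no directory entry shares the user's leaf RDN.
    status "moved_or_renamed": the leaf RDN exists under a different parent,
    so the link may be stale rather than the person gone.
    """
    directory = {normalize_dn(dn) for dn in ldap_dns}
    by_leaf = {}
    for key in directory:
        by_leaf.setdefault(split_unescaped(key, ",")[0], []).append(key)

    findings = {}
    for user in mstr_users:
        if not user.get("ldap_dn"):
            continue  # standard account with no LDAP link
        key = normalize_dn(user["ldap_dn"])
        if key in directory:
            continue
        candidates = sorted(by_leaf.get(split_unescaped(key, ",")[0], []))
        findings[user["login"]] = {
            "status": "moved_or_renamed" if candidates else "missing",
            "candidates": candidates,
        }
    return findings


# Constructed sample: users as exported from the metadata (hypothetical layout).
MSTR_USERS = [
    {"login": "jdoe", "ldap_dn": "CN=Joseph Doe,OU=Marketing,DC=example,DC=com"},
    {"login": "asmith", "ldap_dn": "cn=Smith\\, Anna, ou=Sales, dc=example, dc=com"},
    {"login": "bleft", "ldap_dn": "CN=Bob Left,OU=Sales,DC=example,DC=com"},
    {"login": "cnguyen", "ldap_dn": "CN=Chi Nguyen,OU=Sales,DC=example,DC=com"},
    {"login": "Administrator", "ldap_dn": None},
]

# Constructed sample: DNs currently present in the LDAP directory.
LDAP_DNS = [
    "cn=joseph doe,ou=marketing,dc=example,dc=com",
    "CN=Smith\\, Anna,OU=Sales,DC=example,DC=com",
    "CN=Chi Nguyen,OU=Marketing,DC=example,DC=com",
]

if __name__ == "__main__":
    for login, finding in sorted(audit_ldap_links(MSTR_USERS, LDAP_DNS).items()):
        print(login, finding["status"], finding["candidates"])
```

The script only reports; revoking privileges or removing the flagged users is still done manually in MicroStrategy.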

You cannot export users or groups from MicroStrategy to an LDAP
directory.

Linking Users and Groups Without Importing

A link is a connection between an LDAP user or group and a
MicroStrategy user or group which allows an LDAP user to log in to
MicroStrategy. Unlike an imported LDAP user, a linked LDAP user is
not created in the MicroStrategy metadata.

An LDAP group can only be linked to a MicroStrategy group, and an
LDAP user can only be linked to a MicroStrategy user. It is not
possible to link a group to a user without giving the user membership
in the group.

When an LDAP user or group is linked to an existing MicroStrategy
user or group, no new user or group is created within the
MicroStrategy metadata as with importing. Instead, a link is
established between an existing MicroStrategy user or group and an
LDAP user or group, which allows the LDAP user to log in to
MicroStrategy.

The link between an LDAP user or group and the MicroStrategy user
or group is maintained in the MicroStrategy metadata in the form of a
shared Distinguished Name.

The user's or group's LDAP privileges are not linked with the
MicroStrategy user. In MicroStrategy, a linked LDAP user or group
receives the privileges of the MicroStrategy user or group to which it
is linked.

LDAP groups cannot be linked to MicroStrategy user groups. For
example, you cannot link an LDAP group to MicroStrategy's Everyone
group. However, it is possible to link an LDAP user to a MicroStrategy
user that has membership in a MicroStrategy group.

Allowing Anonymous/Guest Users with LDAP Authentication

An LDAP anonymous login is an LDAP login with an empty login
and/or empty password. A successful LDAP anonymous login is
authorized with the privileges and access rights of LDAP Public and
Public/Guest groups. The LDAP server must be configured to allow
anonymous or guest authentication requests from MicroStrategy.

Because guest users are not present in the metadata, there are certain
actions these users cannot perform in MicroStrategy, even if the
associated privileges and permissions are explicitly assigned.
Examples include most administrative actions.

When the user is logged in as an anonymous/guest user:

- The user does not have a History List, because the user is not
  physically present in the metadata.

- The user cannot create objects and cannot schedule reports.

- The User Connection monitor records the LDAP user's user name.

- Intelligence Server statistics record the session information under
  the user name LDAP USER.

Determining Whether to Automatically Synchronize LDAP User and Group Information

In any company's security model, steps must be taken to account for a
changing group of employees. Adding new users and removing ones
that are no longer with the company is straightforward. Accounting for
changes in a user's name or group membership can prove more
complicated. To ease this process, MicroStrategy supports user
name/login and group synchronization with the information contained
within an LDAP directory.

If you choose to have MicroStrategy automatically synchronize LDAP
users and groups, any LDAP group changes that have occurred within
the LDAP server will be applied within MicroStrategy the next time an
LDAP user logs in to MicroStrategy. This keeps the LDAP directory
and the MicroStrategy metadata in synchronization.

By synchronizing users and groups between your LDAP server and
MicroStrategy, you can update the imported LDAP users and groups
in the MicroStrategy metadata with the following modifications:

- User synchronization: User details such as user name in
  MicroStrategy are updated with the latest definitions in the LDAP
  directory.

- Group synchronization: Group details such as group name in
  MicroStrategy are updated with the latest definitions in the LDAP
  directory.

When synchronizing LDAP users and groups in MicroStrategy, you
should be aware of the following circumstances:

- If an LDAP user or group has been given new membership to a
  group that has not been imported or linked to a group in
  MicroStrategy and import options are turned off, the group cannot
  be imported into MicroStrategy and thus cannot apply its
  permissions in MicroStrategy.

  For example, User1 is a member of Group1 in the LDAP directory,
  and both have been imported into MicroStrategy. Then, in the LDAP
  directory, User1 is removed from Group1 and given membership to
  Group2. However, Group2 is not imported or linked to a
  MicroStrategy group. Upon synchronization, in MicroStrategy, User1
  is removed from Group1, and is recognized as a member of Group2.
  However, any permissions for Group2 are not applied for the user
  until Group2 is imported or linked to a MicroStrategy group. In the
  interim, User1 is given the privileges and permissions of the LDAP
  Users group.

- When users and groups are deleted from the LDAP directory, the
  corresponding MicroStrategy users and groups that have been
  imported from the LDAP directory remain in the MicroStrategy
  metadata. You can revoke users' and groups' privileges in
  MicroStrategy and remove the users and groups manually.

- Regardless of your synchronization settings, if a user's password is
  modified in the LDAP directory, a user must log in to MicroStrategy
  with the new password. LDAP passwords are not stored in the
  MicroStrategy metadata. MicroStrategy uses the credentials
  provided by the user to search for and validate the user in the LDAP
  directory.

Consider a user named Joe Doe who belongs to a particular group,
Sales, when he is imported into MicroStrategy. Later, he is moved to a
different group, Marketing, in the LDAP directory. The LDAP user Joe
Doe and LDAP groups Sales and Marketing have been imported into
MicroStrategy. Finally, the user name for Joe Doe is changed to
Joseph Doe, and the group name for Marketing is changed to
MarketingLDAP.

The images below show a sample LDAP directory with user Joe Doe
being moved within the LDAP directory from Sales to Marketing.

The following table describes what happens with users and groups in
MicroStrategy if users, groups, or both users and groups are
synchronized.

Sync Users?  Sync Groups?  User Name After Synchronization  Group Name After Synchronization
No           No            Joe Doe                          Marketing
No           Yes           Joe Doe                          MarketingLDAP
Yes          No            Joseph Doe                       Marketing
Yes          Yes           Joseph Doe                       MarketingLDAP

Setting up LDAP Authentication in MicroStrategy Web, Library, and Mobile

When you have collected the connection information for your LDAP
server and your LDAP SDK, you can use the LDAP Connectivity
Wizard to set up your LDAP connection. The LDAP Connectivity
Wizard helps step you through the initial setup of using your LDAP
server to authenticate users and groups in MicroStrategy. The steps
to set up your LDAP connection are the same for MicroStrategy Web,
MicroStrategy Library, and MicroStrategy Mobile. For more
information on setting up LDAP with your MicroStrategy, see the
System Administration Guide.

- You have collected the information for your LDAP server, and made
  decisions regarding the LDAP authentication methods you want to use,
  as described in Checklist: Information Required for Connecting Your
  LDAP Server to MicroStrategy, page 174, in the System
  Administration Guide.

- If you want Intelligence Server to access your LDAP server over a secure
  SSL connection, you must do the following:

  1. Obtain a valid certificate from your LDAP server and save it on the
     machine where Intelligence Server is installed. The steps to obtain
     the certificate depend on your LDAP vendor, and the operating
     system that your LDAP server runs on. For specific steps, refer to
     the documentation for your LDAP vendor.

  2. Follow the procedure recommended by your operating system to
     install the certificate.

To Set up LDAP Authentication in MicroStrategy

Connecting Your LDAP Server Using the LDAP Connectivity Wizard

1. In Developer, log in to a project source, as a user with
   administrative privileges.

2. From the Administration menu, select Server, and click LDAP
   Connectivity Wizard.

3. On the Welcome page, click Next.

4. Type the following information:

   - Host: The machine name or IP address of the LDAP server.

   - Port: The network port that the LDAP server uses. For clear
     text connections, the default value is 389. If you want
     Intelligence Server to access your LDAP over an encrypted
     SSL connection, the default value is 636.

5. If you want Intelligence Server to access your LDAP over an
   encrypted SSL connection, select SSL (encrypted). The Server
   Certificate file field is enabled.

6. In the Server Certificate file field, depending on your LDAP
   server vendor, point to the SSL certificate in the following ways:

   - Microsoft Active Directory: No information is required.

   - Sun ONE/iPlanet: Provide the path to the certificate. Do not
     include the file name.

   - Novell: Provide the path to the certificate, including the file
     name.

   - IBM: Use Java GSKit 7 to import the certificate, and provide
     the key database name with full path, starting with the home
     directory.

   - Open LDAP: Provide the path to the directory that contains the
     CA certificate file cacert.pem, the server certificate file
     servercrt.pem, and the server certificate key file
     serverkey.pem.

7. Click Next.

8. Enter the details of your LDAP SDK, and click Next.

9. Step through the LDAP Connectivity Wizard to enter the
   remaining information, such as the LDAP search filters to use to
   find users, whether to import users into MicroStrategy, and so on.

10. When you have entered all the information, click Finish to exit
    the LDAP Connectivity Wizard. You are prompted to test the
    LDAP connection. It is recommended that you test the connection
    to catch any errors with the connection parameters you have
    provided.

Enabling LDAP Authentication for Your Project Source

1. In the Folder List, right-click the project source, and select
   Modify Project Source.

2. On the Advanced tab, go to Use LDAP Authentication.

3. Click OK.

Enabling LDAP Authentication for MicroStrategy Web

1. From the Windows Start menu go to All Programs >
   MicroStrategy Tools > Web Administrator.

2. Select Intelligence Server > Default Properties.

3. In the Login area, for LDAP Authentication, select the Enabled
   check box.

4. Select the Default option to set LDAP as the default
   authentication mode.

   If your environment includes multiple Intelligence Servers
   connected to one MicroStrategy Web server, users are
   authenticated to all the Intelligence Servers using their LDAP
   credentials, and then shown a list of projects they can access.
   However, if one or more of the Intelligence Servers does not use
   LDAP authentication, the projects for those servers may not be
   displayed. To avoid this scenario, in the Project list drop-down
   menu, ensure that Show all the projects connected to the
   Web Server before the user logs in is selected.

5. Click Save.

Enabling LDAP Authentication for MicroStrategy Library

1. Launch the Library Admin page by entering the following URL in
   your web browser

   http://<FQDN>:<port>/MicroStrategyLibrary/admin

   where <FQDN> is the Fully Qualified Domain Name of the
   machine hosting your MicroStrategy Library application and
   <port> is the assigned port number.

2. On the Library Web Server tab, select LDAP from the list of
   available Authentication Modes.

3. Click Save.

4. Restart your Web Server to apply the change.

Managing LDAP Authentication


While working with MicroStrategy and implementing LDAP
authentication, you may want to improve performance or troubleshoot
your LDAP implementation. The sections below cover steps that can
help your LDAP authentication and MicroStrategy systems work as a
cohesive unit.

- If your LDAP server information changes, or to edit your LDAP
  authentication settings in general, see Modifying Your LDAP
  Authentication Settings, page 203.

- If you want to modify the settings for importing users into
  MicroStrategy, for example, if you initially chose not to import users,
  and now want to import users and groups, see Importing LDAP
  Users and Groups into MicroStrategy, page 204.

- If you choose to synchronize users and groups in batches, and want
  to select a synchronization schedule, see Selecting Schedules for
  Importing and Synchronizing Users, page 208.

- If you are using single sign-on (SSO) authentication systems, such
  as Windows NT authentication or trusted authentication, you can
  link users' SSO credentials to their LDAP user names, as described
  in Using LDAP with Single Sign-On Authentication Systems, page
  209.

- Depending on the way your LDAP directory is configured, you can
  import additional LDAP attributes for users, for example, a
  countryCode attribute, indicating the user's location. These
  additional LDAP attributes can be used to create security filters for
  users, such as displaying data that is relevant to the user's country.
  For information on creating these security filters, see Using LDAP
  Attributes in Security Filters, page 210.

Modifying Your LDAP Authentication Settings

Depending on changes in your organization's policies, you may need
to modify the LDAP authentication settings in MicroStrategy. To
modify your LDAP authentication settings, you can use the
Intelligence Server Configuration Editor. The steps to access the
LDAP settings in the Intelligence Server Configuration Editor are
described below.

To Access LDAP Authentication Settings in the Intelligence Server Configuration Editor

1. In Developer, log in to a project source as a user with
   administrative privileges.

2. From the Administration menu, select Server, and click
   Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category. The LDAP settings are displayed.
   You can modify the following:

   - Your LDAP server settings, such as the machine name, port,
     and so on.

   - Your LDAP SDK information, such as the location of the LDAP
     SDK DLL files.

   - The LDAP search filters that Intelligence Server uses to find
     and authenticate users.

   - If you are importing and synchronizing users or groups in
     batches, the synchronization schedules.

   - If you are importing users and groups, the import settings.

Importing LDAP Users and Groups into MicroStrategy

You can choose to import LDAP users and groups at login, in a batch
process, or a combination of the two, described as follows:

- Importing users and groups at login: When an LDAP user logs in to
  MicroStrategy for the first time, that user is imported into
  MicroStrategy and a physical MicroStrategy user is created in the
  MicroStrategy metadata. Any groups associated with that user that
  are not already in MicroStrategy are also imported and created in
  the metadata.

- Importing users and groups in batches: The list of users and groups
  are returned from user and group searches on your LDAP directory.
  MicroStrategy users and groups are created in the MicroStrategy
  metadata for all imported LDAP users and groups.

This section covers the following:

- For information on setting up user and group import options, see
  Importing Users and Groups into MicroStrategy, page 204.

- Once you have set up user and group import options, you can import
  additional LDAP information, such as users' email addresses, or
  specific LDAP attributes. For steps, see Importing Users' Email
  Addresses, page 207.

- For information on assigning security settings after users are
  imported, see User Privileges and Security Settings after Import,
  page 208.

Importing Users and Groups into MicroStrategy

You can choose to import users and their associated groups when a
user logs in to MicroStrategy for the first time.

- Ensure that you have reviewed the information and made decisions
  regarding your organization's policy on importing and synchronizing user
  information, described in the following sections:

  - Checklist: Information Required for Connecting Your LDAP
    Server to MicroStrategy, page 174

- If you want to import users and groups in batches, you must define the
  LDAP search filters to return lists of users and groups to import into
  MicroStrategy. For information on defining search filters, see Checklist:
  Information Required for Connecting Your LDAP Server to
  MicroStrategy, page 174.

To Import Users and/or Groups into MicroStrategy

1. In Developer, log in to a project source as a user with
   administrative privileges.

2. From the Administration menu, select Server > Configure
   MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand Import, and then select
   Import/Synchronize.

4. If you want to import user and group information when users log
   in, in the Import/Synchronize at Login area, do the following:

   - To import users at login, select Import Users.

   - To allow MicroStrategy's user information to automatically
     synchronize with the LDAP user information, select
     Synchronize MicroStrategy User Login/User Name with
     LDAP.

   - To import groups at login, select Import Groups.

   - To allow MicroStrategy's group information to automatically
     synchronize with the LDAP group information, select
     Synchronize MicroStrategy Group Name with LDAP.

5. If you want to import user and group information in batches, in
   the Import/Synchronize in Batch area, do the following:

   - To import users in batches, select Import Users. You must
     also enter a user search filter in the Enter search filter for
     importing list of users field to return a list of users to import.

   - To synchronize MicroStrategy's user information with the LDAP
     user information, select Synchronize MicroStrategy User
     Login/User Name with LDAP.

   - To import groups in batches, select Import Groups. You must
     also enter a group search filter in the Enter search filter for
     importing list of groups field to return a list of users to import.

   - To synchronize MicroStrategy's group information with the
     LDAP group information, select Synchronize MicroStrategy
     Group Name with LDAP.

6. To modify the way that LDAP user and group information is
   imported, for example, to import group names as the LDAP
   distinguished name, under the LDAP category, under Import,
   click User/Group.

7. Click OK.

Once a user or group is created in MicroStrategy, the users are given
their own inboxes and personal folders. Additionally, you can do the
following:

- Import users' email addresses. For steps, see Importing Users'
  Email Addresses, page 207.

- Assign privileges and security settings that control what a user can
  access in MicroStrategy. For information on assigning security
  settings after users are imported, see User Privileges and Security
  Settings after Import, page 208.

- Import additional LDAP attributes, which can then be used in
  security filters for users. For steps, see Using LDAP Attributes in
  Security Filters, page 210.

Importing Users' Email Addresses

Depending on your requirements, you can import additional
information, such as users' email addresses, from your LDAP
directory. For example, if you have a license for MicroStrategy
Distribution Services, then when you import LDAP users, either in a
batch or at login, you can import these email addresses as contacts
associated with those users. For information about Distribution
Services, see Overview of Distribution Services, page 1008.

MicroStrategy 9 imports the primary email address for each LDAP
user.

To Import Users' Email Addresses from LDAP

1. In Developer, log in to a project source as a user with
   administrative privileges.

2. From the Administration menu, select Server, and then select
   Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand Import, and select
   Options.

4. Select Import Email Address.

5. Select whether to use the default LDAP email address attribute
   of mail, or to use a different attribute. If you want to use a
   different attribute, specify it in the text field.

6. From the Device drop-down list, select the email device that the
   email addresses are to be associated with.

7. Click OK.

User Privileges and Security Settings after Import

Imported users receive the privileges of the MicroStrategy LDAP
Users group. You can add additional privileges to specific users in
the LDAP Users group using the standard MicroStrategy process in
the User Editor. You can also adjust privileges for the LDAP Users
group as a whole. Group privileges can be modified using the
MicroStrategy Group Editor.

The privileges and security settings assigned to LDAP users imported
in MicroStrategy depend on the users' associated MicroStrategy
group privileges and security permissions. To see the default
privileges assigned to a user or group, in the folder list, expand your
project source, expand Administration, and then expand User
Manager. Right-click the group (or select the group and right-click the
user) and select Edit. The Project Access tab displays all privileges
for each project in the project source.

The process of synchronizing users and groups can modify which
groups a user belongs to, and thus modify the user's privileges and
security settings.

Selecting Schedules for Importing and Synchronizing Users

If you choose to synchronize users and groups in batches, you can
select a schedule that dictates when LDAP users and groups are
synchronized in MicroStrategy. For information on creating and using
schedules, see Creating and Managing Schedules, page 975. To
select a synchronization schedule for LDAP, follow the steps below.

To Select a Schedule for Importing and Synchronizing Users

1. In Developer, log in to a project source as a user with
   administrative privileges.

2. From the Administration menu, select Server, and then select
   Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then click Schedules. The available
   schedules are displayed. By default, all the checkboxes for all
   the schedules are cleared.

4. Select the schedules to use as LDAP user and group
   synchronization schedules.

5. To synchronize your MicroStrategy users and groups with the
   latest LDAP users and groups immediately, select Run
   schedules on save.

6. Click OK.

Using LDAP with Single Sign-On Authentication Systems

If you are using single sign-on (SSO) authentication systems, such as
Windows NT authentication or trusted authentication, you can link
users' SSO credentials to their LDAP user names, and import the
LDAP user and group information into MicroStrategy. For information
about configuring a single sign-on system, see Enabling Single Sign-On
Authentication, page 212.

Depending on the SSO authentication system you are using, refer to
one of the following sections for steps:

- If you are using Windows NT authentication, see Implementing
  Windows NT Authentication, page 296.

- If you are using integrated or trusted authentication, see Linking
  integrated authentication users to LDAP users.

Using LDAP Attributes in Security Filters

You may want to integrate LDAP attributes into your MicroStrategy security model. For example, you want users to only see sales data about their country. You import the LDAP attribute countryName, create a security filter based on that LDAP attribute, and then you assign that security filter to all LDAP users. Now, when a user from Brazil views a report that breaks down sales revenue by country, they only see the sales data for Brazil.

LDAP attributes are imported into MicroStrategy as system prompts. A system prompt is a special type of prompt that is answered automatically by Intelligence Server. The LDAP attribute system prompts are answered with the related LDAP attribute value for the user who executes the object containing the system prompt. You import LDAP attributes into MicroStrategy from the Intelligence Server Configuration Editor.

Once you have created system prompts based on your LDAP attributes, you can use those system prompts in security filters to restrict the data that your users can see based on their LDAP attributes. For information about using system prompts in security filters, including instructions, see Restricting Access to Data: Security Filters, page 129. For general information about security filters, see Restricting Access to Data: Security Filters, page 129.

To Import an LDAP Attribute into a Project

1. In Developer, log in to a project source.

2. From the Administration menu, point to Server and then select Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand the Import category, and then select Attributes.

4. From the Select LDAP Attributes drop-down list, select the LDAP attribute to import.

5. From the Data Type drop-down list, select the data type of that attribute.

6. Click Add.

7. Click OK.

Controlling Project Access with LDAP Attributes

By default, an LDAP user can log in to a project source even if the LDAP attributes that are used in system prompts are not defined for that user. To increase the security of the system, you can prevent LDAP users from logging in to a project source unless all LDAP attributes that are used in system prompts are defined for that user.

When you select this option, you prevent all LDAP users from logging in to the project source if they do not have all the required LDAP attributes. This affects all users using LDAP authentication, and also any users using Windows, Trusted, or Integrated authentication if those authentication systems have been configured to use LDAP. For example, if you are using Trusted authentication with a SiteMinder single sign-on system, and SiteMinder is configured to use an LDAP directory, this option prevents SiteMinder users from logging in if they do not have all the required LDAP attributes.

• This setting prevents users from logging in to all projects in a project source.

• If your system uses multiple LDAP servers, make sure that all LDAP attributes used by Intelligence Server are defined on all LDAP servers. If a required LDAP attribute is defined on LDAP server A and not on LDAP server B, and the User login fails if LDAP attribute value is not read from the LDAP server checkbox is selected, users from LDAP server B will not be able to log in to MicroStrategy.

To Only Allow Users with All Required LDAP Attributes to Log In to the System

1. In Developer, log in to a project source.

2. From the Administration menu, point to Server and then select Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand the Import category, and then select Attributes.

4. Select the User logon fails if LDAP attribute value is not read from the LDAP server checkbox.

5. Click OK.

Troubleshooting
There may be situations where you can encounter problems or errors while trying to integrate MicroStrategy with your LDAP directory. For troubleshooting information and procedures, see Troubleshooting LDAP Authentication, page 2655.

Enabling Single Sign-On Authentication

Enabling authentication to multiple applications using a single login is known as single sign-on authentication. The topics below explain the different types of authentication that can be used to enable single sign-on in MicroStrategy.

Enabling Single Sign-On with SAML Authentication

SAML is a two-way setup between your MicroStrategy application and your Identity Provider (IdP). SAML support allows MicroStrategy to work with a wide variety of SAML identity providers for authentication.

To configure a MicroStrategy application for SAML authentication, you will need to create SAML configuration files for your application, register the application with your IdP, establish trust to MicroStrategy Intelligence Server, and link SAML users to MicroStrategy users.

See the appropriate section for your MicroStrategy application.

Enabling SAML Authentication for MicroStrategy Library

You can configure MicroStrategy Library to use SAML authentication for single sign-on. You will need to generate SAML configuration files for your Library application, establish a trust relationship between the Library server and MicroStrategy Intelligence Server, register the application with your SAML Identity Provider (IdP), and link SAML users to MicroStrategy users.

• A SAML Identity Provider

• MicroStrategy Library is deployed

• A running MicroStrategy Intelligence Server

It is recommended to configure HTTPS for the web application server running MicroStrategy Library.


Generating SAML Configuration Files

The following steps will generate the application metadata (SPMetadata.xml) and application SAML configuration files (MstrSamlConfig.xml) needed for SAML configuration.

To access the configuration page, you need admin privileges.

1. Open a browser and access the SAML configuration page by the following URL:

   http://<FQDN>:<port>/<MicroStrategyLibrary>/saml/config/open

   where <FQDN> is the Fully Qualified Domain Name of the machine hosting your MicroStrategy Library application and <port> is the assigned port number.

2. Fill in the following:

   • General:

     • Entity ID: This is the unique identifier of the application to be recognized by the IdP.

       Some IdPs may require Entity ID to be the application URL. SAML standards state it can be any string as long as a unique match can be found among the IdP's registered entity IDs. Follow the requirements for your specific IdP.

     • Entity base URL: This is the URL the IdP will use to send and receive SAML requests and responses. The field will be automatically generated when you load the configuration page, but it should always be double checked. It should be the application URL end users would use to access the application.

       If the application is set up behind a reverse proxy or load balancer, the auto-populated URL here may not be correct. Ensure you are using the front-end URL.

       • Do not use "localhost" for the Entity base URL.

       • Once configured, remember to always use this URL to access MicroStrategy Web. Visiting through any alternative host name causes SAML authentication to fail.

     • Behind the proxy: Using a reverse proxy or load balancer can alter the HTTP headers of the messages sent to the application server. These HTTP headers are checked against the destination specified in the SAML response to make sure it is sent to the correct destination. A mismatch between the two values can cause the message delivery to fail. To prevent this, select Yes if MicroStrategy Library runs behind a reverse proxy or load balancer. The base URL field is set to the front-end URL. Select No if you are not using a reverse proxy or load balancer.

     • Logout mode: Select Global to log out users from other applications controlled by SSO. This is the preferred option. Make sure that SSO supports global logout before choosing this option. Otherwise, select Local to prevent users from being logged out from all other applications controlled by SSO.

   • Encryption:

     • Signature algorithm: The default is to use the industry standard "SHA256 with RSA" encryption algorithm. Set this value in accordance with the requirements of your specific IdP.

     • Generate Encryption Key: Set to No by default. Setting to Yes will generate an encryption key and store it in the MicroStrategy Library metadata XML file.

       If setting Generate Encryption Key to Yes: SAML authentication will not work unless you have the proper Java encryption strength policy and correct setup on the IdP side.

   • Assertion Attribute mapping:

     These options control how user attributes received from the SAML responses are processed. If the SAML attribute names are configurable on the IdP side, you may leave all options as default. If your IdP sends over SAML attributes in fixed names, the values must be changed on the application side to match.

     You can also change attribute names in MstrSamlConfig.xml even after the configuration is done.

     • Display Name Attribute: User display name attribute.

     • Email Attribute: User email address attribute.

     • Distinguished Name Attribute: User distinguished name attribute.

     • Group Attribute: User group attribute.

   • Group format:

     • Simple: The default option takes a user's group information as plain group names. When using this option, make sure values sent over by the IdP in the "Groups" attribute are group names and nothing else.

     • DistinguishedName: DistinguishedName means that values sent over in the "Groups" attribute are the LDAP DistinguishedName of the user's groups. The option is only used to utilize LDAP integration or when the IdP only sends group information as DistinguishedNames.

   • Admin Groups: Comma-separated list of MicroStrategy Web Administrator user groups.

     The Admin Groups field has no effect on MicroStrategy Library setup. This field can be left empty.

3. Click Generate config.

4. The configuration files are generated in the WEB-INF/classes/auth/SAML folder.

Registering Your SAML Identity Provider with MicroStrategy Library

MicroStrategy Library needs a metadata file from the IdP to identify which service you are using.

To register your SAML IdP:

1. Download the metadata file and save it as IDPMetadata.xml.

   This file name is case sensitive and must be saved exactly as shown above.

2. Place the file in the WEB-INF/classes/auth/SAML folder with the MicroStrategy Library configuration files you generated previously.

Registering MicroStrategy Library with Your SAML Badge Provider

MicroStrategy Library needs to be registered to the IdP to enable SAML authentication. The registration methods provided below should apply to most IdPs. Exact configuration details may differ depending on your IdP. Consult your Badge provider's documentation for specific instructions.

Register by Uploading SPMetadata.xml

Many IdPs provide a convenient way to register an application by uploading a metadata file.

Use the SPMetadata.xml file generated previously and follow the IdP's instructions to register the MicroStrategy Library application.

Manual Registration

If uploading a metadata file is not supported by your IdP, manual configuration is necessary.

The SPMetadata.xml file contains all of the information needed for manual configuration.

• The entityID= parameter is the same EntityID you provided in the SAML config page.

• AssertionConsumerService Location= this URL is located near the end of the file.

  Be aware that there are multiple URLs in this file. The AssertionConsumerService Location will contain the binding statement HTTP-POST at the end.

• If the signing certificate is required:

  1. Copy the text between the <ds:X509Certificate> and </ds:X509Certificate> tags.

  2. Paste the contents into a text editor.

  3. Save the file as file_name.cer and upload to the IdP.


SAML Assertion Attributes Configuration

MicroStrategy Library uses information about users from the SAML Response to create Intelligence Server sessions. These settings determine how SAML users are mapped or imported to MicroStrategy.

The user properties that MicroStrategy uses for mapping are:

Required Attributes:

• Name ID - Maps to Trusted Authenticated Request User ID of the MicroStrategy user as defined in MicroStrategy Developer.

Optional Attributes:

• DisplayName - Used to populate or link to a MicroStrategy user's Full name

• Email - User email

• DistinguishedName - Used to extract additional user information from the LDAP server

• Groups - List of groups the user belongs to

Attribute names are case sensitive. Make sure any SAML attribute name configured here is an exact match to the application configuration.

In the case where the IdP does not allow customization of SAML attribute names and provides fixed names instead, you may modify the corresponding attribute names in the MstrSamlConfig.xml generated previously.

For more information on mapping users between a SAML IdP and MicroStrategy, see Mapping SAML Users to MicroStrategy.


Enabling SAML Authentication Mode

To use SAML authentication, it needs to be enabled on MicroStrategy Library as a login mode.

To Enable SAML Authentication Mode

1. Launch the Library Admin page by entering the following URL in your web browser:

   http://<FQDN>:<port>/MicroStrategyLibrary/admin

   where <FQDN> is the Fully Qualified Domain Name of the machine hosting your MicroStrategy Library application, and <port> is the assigned port number.

2. On the Library Web Server tab, select SAML from the list of available Authentication Modes.

   If you use MicroStrategy Identity Server as your SAML identity provider, select MicroStrategy Identity Server.

3. Click Create Trusted Relationship to establish trusted communication between Library Web Server and Intelligence Server.

   Ensure the Intelligence Server information is entered correctly before establishing this trusted relationship.

4. Click Save.

5. Restart your Web Server to apply the changes.


Single Sign-On with SAML Authentication for JSP Web and Mobile

You can configure MicroStrategy Web and MicroStrategy Mobile to work with SAML-compliant single sign-on (SSO).

Though the following prerequisites and procedures refer to MicroStrategy Web, the same information applies to MicroStrategy Mobile, except where noted.

Before you begin configuring MicroStrategy Web to support single sign-on, make sure you have done the following:

• Deployed a SAML-enabled identity provider (IdP) infrastructure.

• Verified that MicroStrategy Web is run on a JSP server.

• Deployed MicroStrategy Web on this web application server. Deploy the MicroStrategy Web WAR file on the web application server in accordance with your web application server documentation.

The following procedures describe how to configure and integrate SAML support for MicroStrategy Web to implement single sign-on.

• How to Configure the Intelligence Server Connection

• How to Generate Configuration Files

• How to Register MicroStrategy Web with Your Identity Provider

• How to Modify the web.xml File

• How to Configure Logging

• How to Disable SAML Support for MicroStrategy Web


Configuring SAML Support for MicroStrategy Web

How to Configure the Intelligence Server Connection

To use SAML authentication, you need to configure the trusted relationship between the web server and the Intelligence Server. This is done through the Administrator Page. Open the admin page for your web application. Then, connect to the Intelligence Server you want to use.

• Establish trust between the server and Intelligence Server:

  1. Open the Server properties editor.

  2. Next to Trust relationship between MicroStrategy Web Server and MicroStrategy Intelligence Server, click Setup.

  3. Enter the Intelligence Server administrator credentials.

  4. Click Create Trust relationship.

• Server Default Properties screen:

  In MicroStrategy Web, the Default properties screen is used for configuring the default login mode, but the default properties do not apply to SAML. When SAML authentication is configured in web.xml, this screen displays SAML settings regardless of the default property values and all the login fields on the page are disabled. SAML is chosen unconditionally for trusted mode.

See the Mapping SAML Users to MicroStrategy section to complete SAML integration with MicroStrategy Web and Mobile.

How to Generate Configuration Files

MicroStrategy SAML support relies on several configuration files. MicroStrategy provides a web page that automatically generates the necessary files based on the provided information.

1. To launch the page that generates the configuration files, open a browser and enter the following URL:

   <web application_path>/saml/config/open

   To access the page, you will be prompted for the application server's admin credentials.

   If you deployed MicroStrategy Web under the name MicroStrategyWeb, and you are launching the configuration page from the machine where you deployed MicroStrategy Web, then the URL is:

   http://<FQDN>:<port>/MicroStrategyWeb/saml/config/open

   If you deployed MicroStrategy Mobile under the name MicroStrategyMobile, and you are launching the configuration page from the machine where you deployed MicroStrategy Mobile, then the URL is:

   http://<FQDN>:<port>/MicroStrategyMobile/saml/config/open

2. Fill in the following:

   • General

     • Entity ID: This is the unique identifier of the web application to be recognized by the IdP.

       Some IdPs may require Entity ID to be the web application URL. SAML standards state it can be any string as long as a unique match can be found among the IdP's registered entity IDs. Follow the requirements for your specific IdP.

     • Entity base URL: This is the URL the IdP will use to send and receive SAML requests and responses. The field will be automatically generated when you load the configuration page, but it should always be double checked. It should be the web application URL end users would use to access the web application.

       If the web application is set up behind a reverse proxy or load balancer, the auto-populated URL here may not be correct. See below for more information.

       • Do not use "localhost" for the Entity base URL.

       • Once configured, remember to always use this URL to access MicroStrategy Web. Visiting through any alternative host name causes SAML authentication to fail.

     • Behind the proxy: Using a reverse proxy or load balancer can alter the HTTP headers of the messages sent to the application server. These HTTP headers are checked against the destination specified in the SAML response to make sure it is sent to the correct destination. A mismatch between the two values can cause the message delivery to fail. To prevent this, select Yes if MicroStrategy Library runs behind a reverse proxy or load balancer. The base URL field is set to the front-end URL. Select No if you are not using a reverse proxy or load balancer.

   • Encryption

     • Signature algorithm: The default is to use the industry standard "SHA256 with RSA" encryption algorithm. Set this value in accordance with the requirements of your specific IdP.

     • Generate Encryption Key: Set to No by default. Setting to Yes will generate an encryption key and store it in the MicroStrategy Library metadata XML file.

       If setting Generate Encryption Key to Yes: SAML authentication will not work unless you have the proper Java encryption strength policy and correct setup on the IdP side.


   • Assertion Attribute mapping

     These options control how user attributes received from the SAML responses are processed. If the SAML attribute names are configurable on the IdP side, you may leave all options as default. If your IdP sends over SAML attributes in fixed names, the values must be changed on the web application side to match.

     You can also change attribute names in MstrSamlConfig.xml even after the configuration is done.

     • Display Name Attribute: User display name attribute

     • Email Attribute: User email address attribute

     • Distinguished Name Attribute: User distinguished name attribute

     • Group Attribute: User group attribute

   • Group format

     • Simple: The default option takes a user's group information as plain group names. When using this option, make sure values sent over by the IdP in the "Groups" attribute are group names and nothing else.

     • DistinguishedName: DistinguishedName means that values sent over in the "Groups" attribute are the LDAP DistinguishedName of the user's groups. The option is only used to utilize LDAP integration or when the IdP only sends group information as DistinguishedNames.

   • Admin Groups: Comma-separated list of MicroStrategy Web Administrator user groups.

     Make sure to add MicroStrategy Web Administrator user groups (for example admin). Otherwise, the web administrator page will not be accessible after the web.xml file has been modified and the web server restarted. If that happens, you need to recover the original web.xml, restart the web server, regenerate the configuration files, and re-register MicroStrategy Web with your Identity Provider.

3. Click the Generate config button.

   Three configuration files are generated in the WEB-INF/classes/resources/SAML folder of the MicroStrategy Web installation directory:

   • MstrSamlConfig.xml - Contains run-time SAML support configuration parameters

   • SPMetadata.xml - Contains metadata describing your web application to SSO

   • SamlKeystore.jks - Contains necessary cryptographic material

   Do not rename any of the generated files.
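A simplified model of the destination check described under "Behind the proxy" in both configuration pages above, showing why a back-end request URL fails the comparison and why an alternative host name does too. This is an added example, not MicroStrategy code; the host names, the request dictionary and the function names are constructed for illustration, and it assumes the proxy does not rewrite the path.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample values (not from a real deployment).
ENTITY_BASE_URL = "https://bi.example.com/MicroStrategy"
DESTINATION = "https://bi.example.com/MicroStrategy/saml/SSO"  # from the SAML response
PATH = "/MicroStrategy/saml/SSO"
# What the application server sees when a proxy terminates TLS and forwards internally.
PROXIED_REQUEST = {"scheme": "http", "host": "app01.internal:8080", "path": PATH}
# What it sees when users reach it directly at the configured URL.
DIRECT_REQUEST = {"scheme": "https", "host": "bi.example.com:443", "path": PATH}
# Same server, reached through a different host name than the Entity base URL.
ALIAS_REQUEST = {"scheme": "https", "host": "bi-alias.example.com", "path": PATH}


def normalize(url):
    """Reduce a URL to (scheme, host, port, path) so equivalent spellings compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port, parts.path)


def receiver_url(request, behind_proxy, entity_base_url):
    """URL the application believes the SAML response was delivered to.

    With behind_proxy=True (the "Yes" setting), scheme, host and port come from
    the configured Entity base URL instead of the incoming request headers.
    """
    if behind_proxy:
        base = urlsplit(entity_base_url)
        return f"{base.scheme}://{base.netloc}{request['path']}"
    return f"{request['scheme']}://{request['host']}{request['path']}"


def destination_ok(destination, request, behind_proxy, entity_base_url):
    """True when the response's Destination matches where it was received."""
    received = receiver_url(request, behind_proxy, entity_base_url)
    return normalize(destination) == normalize(received)


if __name__ == "__main__":
    cases = [
        ("proxied, setting No", PROXIED_REQUEST, False),
        ("proxied, setting Yes", PROXIED_REQUEST, True),
        ("direct, setting No", DIRECT_REQUEST, False),
        ("alias host, setting No", ALIAS_REQUEST, False),
    ]
    for label, request, behind_proxy in cases:
        ok = destination_ok(DESTINATION, request, behind_proxy, ENTITY_BASE_URL)
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```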

How to Register MicroStrategy Web with Your Identity Provider

To register MicroStrategy Web with your IdP, you need to do the following:

• Register MicroStrategy Web with your IdP using the SPMetadata.xml file you generated in the previous step.

• Configure the SAML Assertion attributes

Each SAML-compliant IdP has a different way to perform these steps. The sections below provide a general overview of the process.


1. Register the web application with SSO:

   Use the SPMetadata.xml file you generated in the previous step to register the MicroStrategy Web application with the IdP.

   If uploading a metadata file is not supported by your IdP, manual configuration is necessary.

   The SPMetadata.xml file contains all of the information needed for manual configuration.

   • The entityID= parameter is the same Entity ID you provided in the SAML config page.

   • AssertionConsumerService Location= this URL is located near the end of the file.

     Be aware that there are multiple URLs in this file. The AssertionConsumerService Location will contain the binding statement HTTP-POST at the end.

   • If the signing certificate is required:

     1. Copy the text between the <ds:X509Certificate> and </ds:X509Certificate> tags.

     2. Paste the contents into a text editor.

     3. Save the file as file_name.cer and upload to the IdP.

2. Configure SAML Assertion attributes:

   MicroStrategy Web uses information about users from the SAML Response to create Intelligence Server sessions. These settings determine how SAML users are mapped or imported to MicroStrategy.

   The user properties that MicroStrategy uses for mapping are:

   Required attributes

   • Name ID: Maps to Trusted Authenticated Request User ID of the MicroStrategy user as defined in MicroStrategy Developer.

   Optional attributes

   • DisplayName: Used to populate or link to a MicroStrategy user's Full name

   • EMail: User email

   • DistinguishedName: Used to extract additional user information from the LDAP server

   • Groups: List of groups the user belongs to

   Attribute names are case sensitive. Make sure any SAML attribute name configured here is an exact match to the web application configuration.

   In the case where the IdP does not allow customization of SAML attribute names and provides fixed names instead, you may modify the corresponding attribute names in the MstrSamlConfig.xml generated previously.

   For more information on mapping users between a SAML IdP and MicroStrategy, see Mapping SAML Users to MicroStrategy.

   When configuring assertion attributes, make sure you set up users who belong to a group (for example admin) with the same group name as defined when generating configuration files in MicroStrategy Web (step 2 in How to Generate Configuration Files). Otherwise, no user will be able to access the web administrator page after the web.xml file has been modified and the web server restarted. Use Groups as the SAML Attribute Name.


3. Download the IdP metadata:

   Consult the SSO documentation for instructions on how to export or download the IdP metadata. The IdP metadata file must be named IDPMetadata.xml and placed in the WEB-INF/classes/resources/SAML folder. Ensure that the EntityID value in the IDPMetadata.xml file is different from the EntityID value in the SPMetadata.xml file to avoid web application errors.

   MicroStrategy does not automatically update the IDPMetadata.xml file. If for any reason the metadata changes on the IdP side, you will need to download and replace IDPMetadata.xml manually.
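The manual-registration values described for both MicroStrategy Library and MicroStrategy Web (entityID, the HTTP-POST AssertionConsumerService Location, the signing certificate) and the two checks this page calls out (no "localhost" base URL, distinct entity IDs in SPMetadata.xml and IDPMetadata.xml) can be read out of the files with a short script. This is an added example, not MicroStrategy code: the embedded metadata, host names and certificate bytes are constructed, and writing the certificate in PEM form and treating loopback addresses like "localhost" are additions to the page's steps.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder bytes, not a real certificate.
_FAKE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate" * 4).decode()

# Constructed stand-in for SPMetadata.xml; real files come from the config page.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="mstr-web-example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://bi.example.com/MicroStrategy/saml/SingleLogout"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bi.example.com/MicroStrategy/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for IDPMetadata.xml (only entityID is needed here).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata"/>"""


def read_sp_metadata(xml_text):
    """Return entityID, the HTTP-POST ACS URL and the signing certificate as PEM."""
    root = ET.fromstring(xml_text)
    # The file holds several URLs; only the HTTP-POST consumer service is wanted.
    acs = [e.get("Location")
           for e in root.iterfind(".//md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    cert_pem = None
    for key in root.iterfind(".//md:KeyDescriptor", NS):
        if key.get("use") not in (None, "signing"):
            continue  # skip encryption-only keys
        node = key.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            b64 = "".join(node.text.split())
            base64.b64decode(b64, validate=True)  # rejects a damaged copy
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            cert_pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                        + "\n-----END CERTIFICATE-----\n")
            break
    return {"entity_id": root.get("entityID"), "acs_url": acs[0],
            "signing_cert_pem": cert_pem}


def preflight(sp_xml, idp_xml):
    """Return the problems found; an empty list means none of the checks failed."""
    sp = read_sp_metadata(sp_xml)
    idp_entity_id = ET.fromstring(idp_xml).get("entityID")
    problems = []
    host = (urlsplit(sp["acs_url"]).hostname or "").lower()
    # The page names "localhost"; loopback addresses are included as an assumption.
    if host in ("localhost", "127.0.0.1", "::1"):
        problems.append("Entity base URL uses localhost")
    if sp["entity_id"] == idp_entity_id:
        problems.append("SPMetadata.xml and IDPMetadata.xml share the same entityID")
    if sp["signing_cert_pem"] is None:
        problems.append("no signing certificate found in SPMetadata.xml")
    return problems


if __name__ == "__main__":
    info = read_sp_metadata(SP_METADATA)
    print("entityID:", info["entity_id"])
    print("ACS (HTTP-POST):", info["acs_url"])
    print("problems:", preflight(SP_METADATA, IDP_METADATA) or "none")
```

To check a deployment, pass the contents of the generated SPMetadata.xml and the downloaded IDPMetadata.xml instead of the embedded samples.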

How to Modify the web.xml File

To enable SAML in a web application, you need to modify the web.xml file located in the WEB-INF folder of the MicroStrategy Web installation directory.

1. Stop the MicroStrategy Web application server.

2. Delete or uncomment the first and the last line of the web.xml fragment below to enable SAML Authentication mode.

<!-- Uncomment fragment below to enable SAML Authentication mode

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:resources/SAML/SpringSAMLConfig.xml</param-value>
</context-param>

<context-param>
    <param-name>contextInitializerClasses</param-name>
    <param-value>com.microstrategy.auth.saml.config.ConfigApplicationContextInitializer</param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/servlet/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/saml/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
-->

3. Save the web.xml file.

If you're not using SSO to connect to the WebAdmin page:

1. Stop the MicroStrategy Web application server.

2. Delete or uncomment the first and the last line of the web.xml fragment below to enable SAML Authentication mode.

<!-- Uncomment fragment below to enable SAML Authentication mode

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:resources/SAML/SpringSAMLConfig.xml</param-value>
</context-param>

<context-param>
    <param-name>contextInitializerClasses</param-name>
    <param-value>com.microstrategy.auth.saml.config.ConfigApplicationContextInitializer</param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/servlet/mstrWeb/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/servlet/mstrWeb/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
-->

3. Save the web.xml file.
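Before restarting the server it is worth confirming that the edit took effect and which URL patterns the Spring Security filter now covers. The Python check below is an added example, not MicroStrategy code; its sample files are constructed from the first fragment above, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "springSecurityFilterChain"
FILTER_CLASS = "org.springframework.web.filter.DelegatingFilterProxy"
LISTENER_CLASS = "org.springframework.web.context.ContextLoaderListener"
EXPECTED_PARAMS = {
    "contextConfigLocation": "classpath:resources/SAML/SpringSAMLConfig.xml",
    "contextInitializerClasses":
        "com.microstrategy.auth.saml.config.ConfigApplicationContextInitializer",
}

# The fragment from the guide, used only to build constructed sample files.
FRAGMENT = """
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>classpath:resources/SAML/SpringSAMLConfig.xml</param-value>
</context-param>
<context-param>
  <param-name>contextInitializerClasses</param-name>
  <param-value>com.microstrategy.auth.saml.config.ConfigApplicationContextInitializer</param-value>
</context-param>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/servlet/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/saml/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
"""


def sample_web_xml(first_marker=True, last_marker=True):
    """Constructed web.xml; drop a marker to simulate the edit in step 2."""
    head = "<!-- Uncomment fragment below to enable SAML Authentication mode\n"
    return ("<web-app>\n" + (head if first_marker else "") + FRAGMENT
            + ("-->\n" if last_marker else "") + "</web-app>\n")


def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" if web.xml declares one


def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(text):
    """Return (enabled, filter url-patterns, problems) for the SAML fragment."""
    try:
        root = ET.fromstring(text)  # the default parser discards comments
    except ET.ParseError as exc:
        # Typical cause: the opening comment line was kept, the closing one deleted.
        return False, [], ["web.xml is not well-formed: %s" % exc]
    params, filters, listeners, patterns = {}, {}, set(), []
    for elem in root:
        kind = local(elem.tag)
        if kind == "context-param":
            params[child_text(elem, "param-name")] = child_text(elem, "param-value")
        elif kind == "filter":
            filters[child_text(elem, "filter-name")] = child_text(elem, "filter-class")
        elif kind == "filter-mapping" and child_text(elem, "filter-name") == FILTER_NAME:
            patterns.append(child_text(elem, "url-pattern"))
        elif kind == "listener":
            listeners.add(child_text(elem, "listener-class"))
    problems = []
    for name, value in EXPECTED_PARAMS.items():
        if params.get(name) != value:
            problems.append("context-param %s missing or changed" % name)
    if filters.get(FILTER_NAME) != FILTER_CLASS:
        problems.append("filter %s is not declared" % FILTER_NAME)
    if not patterns:
        problems.append("no filter-mapping for %s" % FILTER_NAME)
    if LISTENER_CLASS not in listeners:
        problems.append("ContextLoaderListener is not registered")
    stray = [root.text or ""] + [e.tail or "" for e in root]
    if any(s.strip() for s in stray):
        problems.append("stray text under <web-app>, e.g. a leftover --> marker")
    return not problems, patterns, problems
```

Run `audit_web_xml(open(path).read())` against the deployed WEB-INF/web.xml; the returned URL patterns show exactly which paths require a SAML session.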

How to Configure Logging

1. Locate the log4j.properties file in the WEB-INF/classes folder.

2. Modify the log4j.appender.SAMLAppender.File property to point to the
folder where you want the SAML logs stored.

It is not recommended to leave the file as is, since the relative file
path is very unreliable and can end up anywhere, and it almost always
cannot be found in the web application folder. Use full file paths here
to fully control the log location.

In a Windows environment, the file path needs to be in Java format,
which means you either need to change each backslash ("\") to a slash
("/"), or you need to escape the backslash with another one ("\\").
There is also a way to shorten the path by referring to the Tomcat base
folder as a variable, for example:

${catalina.home}/webapps/MicroStrategy/WEB-INF/log/SAML/SAML.log

For troubleshooting purposes it is recommended to first change the
level of log4j.logger.PROTOCOL_MESSAGE to DEBUG and leave everything
else default. This will generate a clean log with all SAML messages
along with any error or exception.

3. Restart the web application server to apply all changes.

If you have a problem accessing MicroStrategy Web administrator page,
close and reopen your web browser to clear old browser cache.

How to Disable SAML Support for MicroStrategy Web

1. Replace the web.xml file of the web application with the original
file that you saved.

2. Open Web Administrator:

   a. Change log-in mode to the desired mode.

   b. Remove the trust relationship between the web server and
   Intelligence Server.

Enabling Single Sign-On with SAML Authentication for ASP Web and Mobile

You can configure MicroStrategy ASP Web and Mobile to support SAML using
Shibboleth Service Provider for IIS.

Shibboleth Service Provider Setup

Shibboleth Service Provider Configuration

Identity Provider Configuration

MicroStrategy Integration

Role-based authentication to secure Admin pages in ASP Web:

In MicroStrategy 9.0 and above, ACL-based protection is supported for
Admin pages (asp/Admin.aspx and asp/TaskAdmin.aspx). By default, only
administrators have access to Admin pages.

Additionally, in MicroStrategy 11.0 a new feature to protect Admin pages
was introduced using Windows IIS URL Authorization. By default, the URL
Authorization feature is not installed by the Windows OS. IIS URL
Authorization is supported by IIS 7.0 and above. You can find
instructions to install IIS URL Authorization here.

The authorization rule has been added to Web.config out of the box. Once
you install the IIS URL Authorization module, you will automatically get
protection for Admin pages.

Compared to the ACL based protection, IIS URL authorization has a
centralized configuration in Web.config.

Shibboleth Service Provider Setup

1. Install the latest version of Shibboleth Service Provider.

2. Follow the installation instructions from Shibboleth for your version
of IIS.

Configuring the New Plugin

This is best done from the command line. You will also need admin
privileges.

Configuring the IIS7 DLL

From the C:\Windows\System32\InetSrv directory, run the following lines:

appcmd install module /name:ShibNative32 /image:"c:\opt\shibboleth-sp\lib\shibboleth\iis7_shib.dll" /precondition:bitness32
appcmd install module /name:ShibNative /image:"c:\opt\shibboleth-sp\lib64\shibboleth\iis7_shib.dll" /precondition:bitness64

Verifying the installation

Open one of the following URLs.

• If IIS is set up for HTTPS:

In the following sections, we assume the IIS is set up for HTTPS. If
your IIS is not set up for HTTPS, please use HTTP in the URI when you
perform configuration.

https://localhost/Shibboleth.sso/Status

• If IIS is set up for HTTP:

http://localhost/Shibboleth.sso/Status

This must be run as localhost, and should return XML containing
information about Shibboleth.

Shibboleth Service Provider Configuration

To configure the Shibboleth Service Provider, use the following
instructions in conjunction with the Shibboleth documentation.

1. Configure %SHIBBOLETH_INSTALL_DIR%\etc\shibboleth\shibboleth2.xml

• Set useHeaders to true in <ISAPI>

<ISAPI normalizeRequest="true" safeHeaderNames="true" useHeaders="true">

• Replace site name with a fully qualified site name:

shibboleth2.xml – site

<Site id="1" name="sp.example.org"/>

with

<Site id="1" name="FULLY_QUALIFIED_SERVICE_PROVIDER_HOST_NAME"/>

• Replace host name with fully qualified name, and paths:

shibboleth2.xml – host

<Host name="sp.example.org">
  <Path name="secure"
        authType="shibboleth"
        requireSession="true"/>
</Host>

with

<Host name="FULLY_QUALIFIED_SERVICE_PROVIDER_HOST_NAME">
  <Path name="MicroStrategy"
        authType="shibboleth"
        requireSession="true"/>
  <Path name="MicroStrategyMobile"
        authType="shibboleth"
        requireSession="true"/>
</Host>

• Replace entityID value with a suitable entity name for your new
service provider:

Make note of this value, as it will be required by the Identity
Provider.

shibboleth2.xml - entityID

<ApplicationDefaults
    entityID="https://sp.example.org/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

with

<ApplicationDefaults
    entityID="https://FULLY_QUALIFIED_SERVICE_PROVIDER_HOST_NAME/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id"
    cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">

• Set SSO entityID with your SAML Identity Provider: This may be
obtained from the Identity Provider metadata by replacing:

shibboleth2.xml - Identity Provider

<SSO entityID="https://idp.example.org/idp/shibboleth"
     discoveryProtocol="SAMLDS"
     discoveryURL="https://ds.example.org/DS/WAYF">
  SAML2 SAML1
</SSO>

with the following:

<SSO entityID="YOUR_SSO_SAML_ENTITY_ID">
  SAML2 SAML1
</SSO>

Values for discoveryProtocol and discoveryURL are only required with
Shibboleth Identity Provider.

• Obtain Identity Provider metadata:

  • URL option (recommended): If IdP exposes a metadata endpoint, this is
  the preferred solution, otherwise see File option below. Add the
  following declaration below the commented out <MetadataProvider>
  section:

  shibboleth2.xml - Identity Provider metadata

  <MetadataProvider
      type="XML"
      url="https://adfs.example.org/federationmetadata/2007-06/federationmetadata.xml"/>

  • File option: Copy it to the file
  %SHIBBOLETH_INSTALL_DIR%\etc\shibboleth\partner-metadata.xml.
  Uncomment the following declaration in shibboleth2.xml:

  shibboleth2.xml - Identity Provider metadata

  <MetadataProvider
      type="XML"
      file="partner-metadata.xml"/>

2. Configure %SHIBBOLETH_INSTALL_DIR%\etc\shibboleth\attribute-map.xml
to extract several fields from the SAML assertion, which MicroStrategy
will associate with an Intelligence Server user.

• Add the <Attribute> mappings under <Attributes> root. Shibboleth will
look for this assertion attribute and map it to the HTTP header SBUSER
for the MicroStrategy application to consume. Here is a configuration
for ADFS where we read the windows account name claim. This must be
consistent with the Identity Provider claim mapping that will be
configured later.

attribute-map.xml user mapping - ADFS

<Attribute
    name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
    id="SBUSER"/>

Here is a sample configuration for Keycloak, where you read the
"urn:oid:0.9.2342.19200300.100.1.1" or UID claim:

attribute-map.xml user mapping

<Attribute
    name="urn:oid:0.9.2342.19200300.100.1.1"
    id="SBUSER"
    nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>

It is also recommended to comment out the unused <Attribute>
declarations in attribute-map.xml.

3. Restart the following services:

• Shibboleth 2 Daemon: May be done with Windows services, or Windows
Command Prompt:

net stop shibd_default
net start shibd_default

• World Wide Web Publishing Service: May be done with Windows services,
or Windows Command Prompt:

net stop w3svc
net start w3svc

4. Verify XML is returned from https://localhost/Shibboleth.sso/Status
again. Also, ensure the Application entityID and MetadataProvider source
values have been correctly configured in previous steps.
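The edits in steps 1 and 2 can be checked mechanically before the Identity Provider is involved. The Python sketch below is an added example, not part of the Shibboleth or MicroStrategy tooling: it flags leftover example.org placeholders, a missing useHeaders setting, unprotected MicroStrategy paths and a missing metadata source in shibboleth2.xml, and lists what attribute-map.xml maps to SBUSER. The sample files are constructed and minimal, and the host bi.corp.test and the ADFS entity ID are hypothetical.

```python
import xml.etree.ElementTree as ET

REQUIRED_PATHS = ("MicroStrategy", "MicroStrategyMobile")
# (element, attribute) pairs that carry example.org values before editing.
PLACEHOLDER_ATTRS = (("Site", "name"), ("Host", "name"),
                     ("ApplicationDefaults", "entityID"),
                     ("SSO", "entityID"), ("MetadataProvider", "url"))


def find_all(root, name):
    """All elements with this local name, ignoring the XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_shibboleth2(text):
    """Return a list of findings for shibboleth2.xml; empty means consistent."""
    root = ET.fromstring(text)
    findings = []
    isapi = find_all(root, "ISAPI")
    if not isapi or isapi[0].get("useHeaders") != "true":
        findings.append("ISAPI useHeaders is not set to true")
    for elem_name, attr in PLACEHOLDER_ATTRS:
        for elem in find_all(root, elem_name):
            if "example.org" in elem.get(attr, ""):
                findings.append("%s %s still uses an example.org placeholder"
                                % (elem_name, attr))
    paths = {p.get("name"): p for p in find_all(root, "Path")}
    for name in REQUIRED_PATHS:
        path = paths.get(name)
        if (path is None or path.get("authType") != "shibboleth"
                or path.get("requireSession") != "true"):
            findings.append("Path %s does not require a Shibboleth session" % name)
    providers = find_all(root, "MetadataProvider")
    if not any(p.get("url") or p.get("file") for p in providers):
        findings.append("no active MetadataProvider (url or file)")
    return findings


def check_attribute_map(text, header_id="SBUSER"):
    """Return (claims mapped to header_id, ids of other active mappings)."""
    attrs = find_all(ET.fromstring(text), "Attribute")
    mapped = [a.get("name") for a in attrs if a.get("id") == header_id]
    others = sorted(a.get("id", "") for a in attrs if a.get("id") != header_id)
    return mapped, others


def sample_shibboleth2(host, idp, paths, use_headers, provider=""):
    """Build a constructed, minimal shibboleth2.xml for the checks above."""
    path_xml = "".join(
        '<Path name="%s" authType="shibboleth" requireSession="true"/>' % p
        for p in paths)
    return ('<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">'
            '<InProcess><ISAPI normalizeRequest="true" safeHeaderNames="true"%s>'
            '<Site id="1" name="%s"/></ISAPI></InProcess>'
            '<RequestMapper type="Native"><RequestMap><Host name="%s">%s</Host>'
            '</RequestMap></RequestMapper>'
            '<ApplicationDefaults entityID="https://%s/shibboleth">'
            '<Sessions><SSO entityID="%s">SAML2 SAML1</SSO></Sessions>%s'
            '</ApplicationDefaults></SPConfig>'
            % (' useHeaders="true"' if use_headers else "", host, host,
               path_xml, host, idp, provider))


# Constructed from the "before" snippets quoted in this guide.
UNEDITED = sample_shibboleth2("sp.example.org",
                              "https://idp.example.org/idp/shibboleth",
                              ["secure"], False)
# Constructed "after" file for a hypothetical host and ADFS entity ID.
CONFIGURED = sample_shibboleth2(
    "bi.corp.test", "http://adfs.corp.test/adfs/services/trust",
    REQUIRED_PATHS, True,
    '<MetadataProvider type="XML" file="partner-metadata.xml"/>')
# Constructed attribute-map.xml with one mapping that should be commented out.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" id="SBUSER"/>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <!-- <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/> -->
</Attributes>"""
```

An empty list from `check_shibboleth2` and exactly one claim mapped to SBUSER, with no other active mappings, is the state the steps above describe.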

Identity Provider Configuration

It is necessary to (1) add the Service Provider configured above as a
new client in the SAML Identity Provider (for example, ADFS), and (2)
ensure that the user login/UID is also included in the SAML Assertion.
Some guidance is provided below for several Identity Providers - refer
to their documentation for adding new clients/relying parties for
details.

ADFS

1. Run the Microsoft Windows Server Manager.

2. Under Tools run ADFS Management.

3. Expand to the following: ADFS > Trust Relationships > Relying Party
Trusts.

4. Click Add Relying Party Trust to launch the wizard.

5. When you reach the "Select Data Source" option, you need the
Shibboleth Service Provider metadata. Enter:

https://YOUR_MICROSTRATEGY_WEB_URL/Shibboleth.sso/Metadata

If the HTTP URL metadata does not work, you may have to manually
download and upload the metadata file.

6. For "Display name", it is recommended you use
YOUR_MICROSTRATEGY_WEB_URL.

7. When finished, you may be prompted to edit claim rules. If not, you
can right-click your new client and select Edit claim rules.

8. Click Add Rule under the tab Issuance Claim Rules. The Add Transform
Rule Claim Wizard appears.

9. If your ADFS is backed by LDAP, select Send LDAP Attributes as
Claims. Otherwise, refer to ADFS documentation.

10. Set the following fields to values consistent with the Shibboleth
attribute-map.xml configuration from above.

• Claim rule name: user

• Attribute store: Active Directory

• Mapping: LDAP Attribute=SAM-Account-Name, Outgoing Claim
Type=Windows account name

Keycloak

The Identity Provider will need to ensure the user identity field is
also included in the SAML assertion generated when a user is
authenticated. The exact field depends upon the Identity Provider. The
user identity will be associated with the SAML parameter name of
urn:oid:0.9.2342.19200300.100.1.1. This parameter must be consistent
with the parameter with the same name in the Shibboleth Service Provider
attribute-map.xml declaration.

MicroStrategy Integration

Integration with MicroStrategy ASP Web

1. Set up the Trust relationship between MicroStrategy Web and
Intelligence Server:

   1. Open the admin page at
   https://localhost/MicroStrategy/asp/Admin.aspx

   2. Go to Intelligence Servers > Servers

   3. For each Intelligence Server, go to Properties > Modify

   4. Click on "Trust relationship between Web Server and MicroStrategy
   Intelligence Server".

   5. Enter credentials. When successfully set up, there should be a
   check mark next to the trust.

2. Navigate to Intelligence Servers > Default properties > Login.

3. Enable Trusted Authentication Request log-in mode.

4. Under Trusted Authentication Provider select Custom SSO.

5. Configure
C:\Program Files (x86)\MicroStrategy\Web ASPx\WEB-INF\classes\resources\custom_security.properties
parameter LoginParam with same value associated with the user mapped
from the SAML assertion.

MicroStrategy User Mapping

Ensure Intelligence Server users are mapped to your SAML users as
identified by the UID. Access User Manager, either with MicroStrategy
Developer or the Intelligence Server Administration Portal in
MicroStrategy Web.

MicroStrategy Developer

To map users using MicroStrategy Developer, open: User Manager > Edit
User Properties > Authentication > Metadata > Trusted Authentication
Request > User ID.

Intelligence Server Administration Portal on MicroStrategy Web

To map users through the Web Administration Portal, go to: MicroStrategy
Web > Intelligence Server Administration Portal > User Manager > Edit
User Properties > Authentication > Trusted Authentication Login.

Integrating SAML Support with Badge

This procedure provides specific details about integrating MicroStrategy
Web or Library with Badge.

1. Download the IdP metadata:

   1. Open Identity Manager.

   2. Click the Logical Gateways tab.

   3. Click Download your network's Badge IdP metadata.

2. Upload the SP metadata to the MicroStrategy Identity Server:

   1. Click the large SAML button.

   2. Enable the Upload Pre-configured Metadata option.

   3. Click Upload Metadata.

3. Configure assertion attributes by selecting the LDAP attributes and
mapping them to SAML Assertion attributes.

Select LDAP attributes:

   1. Open the Users and Badges tab and click Configure in the User
   Management section.

   2. On the Active Directory Synchronization page, set the Badge user
   attributes by mapping the values in the Badge field column to the
   Active Directory Attribute to be used. You may add custom Badge
   fields with any given name.

Map LDAP attributes to SAML Assertion attributes:

   1. On the Logical Gateways tab, click the Edit link in the Web
   Application login section.

   2. In the Configure SAML Settings dialog, click Configure on SAML
   Attribute Consuming Service.

   3. Map the SAML Attribute Name to the User Field that contains the
   appropriate Active Directory Attribute configured in the previous
   step.

   4. Click Save.

4. Check group format setting by finding the <groupFormat> tag in the
MstrSamlConfig.xml file.

If your Identity network is configured with Active Directory or LDAP,
the group information should be sent as DistinguishedNames.

Integrating SAML Support with ADFS

This procedure provides specific details about integrating MicroStrategy
Web with ADFS. All steps below are performed in ADFS Management Console.
Additionally, the following steps assume that SAML is already enabled in
the ADFS server. For more information, see the ADFS documentation.

1. Download the IDP metadata:

   1. In the ADFS console, open the Endpoints window.

   2. Find the Federation Metadata entry point.

   3. In any browser, enter the URL using the format <ADFS Server base
   URL>/<Metadata entry point> to download the metadata file in the
   browser's Downloads folder.

   4. Copy the metadata file into your application's
   WEB-INF/classes/resources/SAML folder.

   5. Rename the copied metadata file to IDPMetadata.xml.

2. Register with ADFS server:

   • Copy the SPMetadata.xml file somewhere on ADFS server machine.

   • In the Console tree, right-click Relying Party Trusts, and then
   choose Add Relying Party Trust…

   • In Select Data Source pane choose Import data about the relying
   party from a file and then browse to the metadata file.

   • Configure the rest of the options according to your company policy.

3. Set the proper secure hash algorithm:

MicroStrategy has added support for sha-256 signing algorithms and there
will be no need to change the default setting on ADFS. Follow the
instructions below if you need to change the setting on ADFS:

   1. Open the Properties window for the relying party trust (your
   registered application).

   2. Click the Advanced tab.

   3. Choose the SHA-1 algorithm.

   4. Click Apply.

4. Add Claim Rules for your registered relying party trust:

   1. Right click on your registered application and choose "Edit Claim
   Rules".

   Consult ADFS guides for instructions on how to add and configure
   claim rules. You may include all attributes in one rule or you may
   create different rules for different attributes. "Name ID" and
   "Groups" are the only attributes required by MicroStrategy.

   2. Add the claim rules and conclude the setup on ADFS.

   "Outgoing Claim Type" in the rule editor (also shown as the "Issued
   Claims" in the list of rules) corresponds to the SAML assertion
   attribute names, and they have to match the attribute names that were
   previously configured in the "assertion attribute mapping" of
   MicroStrategy SAML configuration in addition to the "Name ID" which
   is not part of the attribute mapping setting but a must for SAML to
   function.

Examples of rule creation and list of created rules shown below:

Integrating SAML Support with Azure AD

Create an Application

1. Log in to the Azure management console using your directory
credentials.

2. Select the Azure Active Directory for the SAML app integration.

3. Choose App registrations from the menu.

4. Select New application registration at the top.

5. Under NAME, enter the name for the application.

6. Under Type, select Web app and/or Web API.

7. Under Sign-on URL, enter a location for the AssertionConsumerService
tag retrieved from the SPMetadata.xml of the SAML setup in MicroStrategy
Web or Mobile.

8. Click Create.

Configure the Application

1. Select Settings.

2. Select Properties.

3. Under APP ID URI, enter the SP Entity ID, retrieved from
SPMetadata.xml.

URI format is required. If the SP Entity ID in SPMetadata.xml is not in
URI format, update the entityID field. For example:

http(s)://FQDN/MicroStrategy

4. Select Required permissions.

   • On the APPLICATION PERMISSIONS drop-down, enable Read Directory
   Data.

   • On the DELEGATED PERMISSIONS drop-down, enable:

      • Sign in and read user profile

      • Read all users' basic profiles

      • Read all users' full profiles

      • Read all groups

5. Click Save.

6. Click Manifest.

7. Find the groupMembershipClaims entry and change it from Null to All.

"groupMembershipClaims": "All"

8. Click Save.

9. Click App registrations in the left menu.

10. Click Endpoints at the top.

11. Copy the Federation Metadata Document URL by clicking the icon next
to the URL.

12. Save the URL as the IDPMetadata.xml file in the
MicroStrategy/WEB-INF/classes/resources/SAML folder.

Assertion Attributes

1. Go to your AD Endpoints and view the Federation Metadata document to
obtain the URIs for the required attributes.

<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
  <auth:DisplayName>Given Name</auth:DisplayName>
  <auth:Description>First name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
  <auth:DisplayName>Surname</auth:DisplayName>
  <auth:Description>Last name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    Uri="http://schemas.microsoft.com/identity/claims/displayname">
  <auth:DisplayName>Display Name</auth:DisplayName>
  <auth:Description>Display name of the user.</auth:Description>
</auth:ClaimType>

2. Copy these values and paste them between the <userInfo> tags in the
MstrSamlConfig.xml file located in the WEB-INF/classes/resources/SAML
folder.

<userInfo>
  <groupAttributeName>http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</groupAttributeName>
  <groupFormat>Simple</groupFormat>
  <dnAttributeName>DistinguishedName</dnAttributeName>
  <displayNameAttributeName>http://schemas.microsoft.com/identity/claims/displayname</displayNameAttributeName>
  <emailAttributeName>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</emailAttributeName>
  <adminGroups>2109318c-dee4-4658-8ca0-51623d97c611</adminGroups>
</userInfo>

Azure AD only sends the IDs. In the case of the admin permissions, the
ID needs to be copied.

  <adminGroups>36198b4e-7193-4378-xxx4-715e65edb580</adminGroups>
</userInfo>

Troubleshooting

After the Changes, the Web Deployment Fails to Start

Once the web.xml file has been changed to include the SAML support, it
refers to the MD and configuration files in the resources/SAML folder.
If Web deployment fails to start, it is possible the generated files
from the resources/SAML/stage folder were not copied over. Copy the
required files to the SAML folder and restart the application.

Azure Returns a Login Failure and Assertion is in Place

This results from bad IDPMetadata. Ensure the correct metadata from the
application is copied to the SAML folder.

Azure Returns the error: Application with identifier “xxx” was not found
in the directory “xxx”

The App ID URI does not match the entityID set in the SP Metadata.
Review the URIs and correct the names accordingly. Changes can be made
in the SPMetadata.xml, MstrSamlConfig.xml files, and in Azure. Restart
the application after you finalize the corrections.

Integrating SAML Support with Okta

This procedure provides instructions about integrating MicroStrategy Web
with Okta. For more information, see the Okta documentation.

Create an Application

1. Log in as an Okta administrator and go to the Admin page.

2. Go to Applications and click Add Application.

3. Select SAML 2.0.

4. Click Create.

Configure the Application

1. Enter your app name.

2. Click Next.

3. Complete SAML Settings.

   • Single Sign on URL: Also referred to as "Assertion Consumer Service
   URL", it is the MicroStrategy application address that sends and
   receives SAML messages. If SAML setup is already finished on
   MicroStrategy side, it is the URL within the
   md:AssertionConsumerService tag at the bottom of the SPMetadata.xml
   file.

   The URL usually takes the below form:

   http(s)://<host server>/<MSTR application name>/saml/SSO

   • Audience URI (SP Entity ID): It corresponds to the entityID value
   at the top of the SPMetadata.xml file, which is also the first input
   field on the MicroStrategy SAML configuration page. It is a unique
   identifier of the MicroStrategy application.

   • ATTRIBUTE STATEMENTS (OPTIONAL): This is to configure what SAML
   attributes will be sent to MicroStrategy. If the default attribute
   names were used at MicroStrategy SAML configuration, the names are:
   EMail, DistinguishedName, and DisplayName. The MicroStrategy-side
   attribute names can be found in the MstrSamlConfig.xml file. For
   example:

   <dnAttributeName>DistinguishedName</dnAttributeName>
   <displayNameAttributeName>DisplayName</displayNameAttributeName>
   <emailAttributeName>EMail</emailAttributeName>

   It is not required to configure all three attributes.

   • GROUP ATTRIBUTE STATEMENTS (OPTIONAL): This is used to grant access
   to the MicroStrategy Web or Mobile Administrator page and manage user
   privilege inheritance. If the default attribute name was used at
   MicroStrategy SAML configuration, the name is "Groups". The
   MicroStrategy-side attribute name can be found in the
   MstrSamlConfig.xml file. For example:

   <groupAttributeName>Groups</groupAttributeName>

   Use the filter to select the groups that are sent over. To send over
   all the groups, select Regex and enter .* into the field.

   You can leave the other fields as default or configure them as
   needed.

Finish SAML Setup

1. On the Okta admin page, go to Applications and open the application.

2. Go to Assignments.

3. Click Assign to assign the application to users or groups.

4. Go to Sign On.

5. Click Identity Provider metadata.

6. Save the XML file as IDPMetadata.xml, and place it in the
MicroStrategy\WEB-INF\classes\resources\SAML folder.

Mapping SAML Users to MicroStrategy

MicroStrategy Intelligence Server uses the SAML assertion attributes
configured in the IdP for authentication. This information is passed
from SAML response to map the logged in user to MicroStrategy users and
groups stored in the metadata.

User Mapping

Three pieces of information sent over in the SAML response can be used
to map to a MicroStrategy user:

• Name ID: MicroStrategy will look for a match of the Name ID to the
User ID of Trusted Authenticated Request setting.

This field can be set in Developer by opening User Editor >
Authentication > Metadata. You can also set this field in Web
Administrator by opening Intelligence Server Administration Portal >
User Manager. The Trusted Authentication Login field is found in the
Authentication tab when editing a user.

• DistinguishedName: MicroStrategy will look for a match in user's
Distinguished name of LDAP Authentication setting.

This setting can be found in Developer by opening User Editor >
Authentication > Metadata.

• DisplayName: MicroStrategy will look for a match in user's Full name
field.

This setting can be found in Developer by opening User Editor > General.

MicroStrategy will check for matches in the exact order they are
presented.

When a match is found in the metadata, MicroStrategy will log the user
in as the corresponding MicroStrategy user with all of the correct
permissions and privileges granted.

If no match is found, it means the SAML user does not yet exist in
MicroStrategy, and will be denied access. You can choose to have SAML
users imported to MicroStrategy if no match is found, see Importing and
Syncing SAML Users.

Group Mapping

The way MicroStrategy will map user groups is determined by the entries
made in the Group Attribute and Group Format fields when the SAML
configuration files were generated for your application. Groups are
mapped between an identity provider and MicroStrategy in one of two
ways:

• Simple group names: Group Attribute must contain a list of
MicroStrategy User Groups and Group Format must be set to Simple in
MicroStrategy SAML configuration. The Group Attribute values will be
used to map MicroStrategy group's Full name.

This setting can be found in Developer by opening Group Editor > Group
Definition > General.

• DistinguishedNames: If MicroStrategy is configured for LDAP
integration DistinguishedNames can be used for group mapping. Group
Attribute must contain a list of LDAP DistinguishedNames and the Group
Format must be set to DistinguishedName in MicroStrategy SAML
configuration.

This setting can be found in Developer by opening Group Editor >
Authentication > Metadata.

Importing and Syncing SAML Users

New users and their associated groups can be dynamically imported
into MicroStrategy during application log in. You can also configure
Intelligence Server to sync user information for existing MicroStrategy
users each time they log in to an application. The following settings
are accessed from the Intelligence Server Configuration > Web
Single Sign-on > Configuration window in Developer.

• Allow user to log on if Web Single Sign-on - MicroStrategy user
link not found: Controls access to an application when a
MicroStrategy user is not found when checking a SAML response. If
unchecked, MicroStrategy will deny access to the user. If checked,
the user obtains privileges and access rights of a 3rd Party user
and Everyone group.

Import user and Sync user will not be available unless this setting is
checked as On.

• Import user at logon: Allows MicroStrategy to import a user into
the metadata if no matching user is found. The imported user will
populate all the fields that are used to check user mapping with the
corresponding SAML attribute information.

All users imported this way will be placed into the "3rd party users"
group in MicroStrategy, and will not be physically added to any
MicroStrategy groups that match its group membership information.

After configuration is done, the imported user will see a privilege-
related error when they try to access the project. A MicroStrategy
administrator has to add the project access privilege for the
imported user in 3rd Party Users group.

• Synch user at logon: Allows MicroStrategy to update the fields
used for mapping users with the current information provided by the
SAML response.

This option will also update all of a user's group information and import
groups into "3rd party users" if matching groups are not found. This
may result in unwanted extra groups being created and stored in the
metadata.

Enable Integrated Authentication


Integrated authentication enables a Windows user to log in once to
their Windows machine. The user does not need to log in again
separately to Developer or MicroStrategy Web. This type of
authentication uses Kerberos delegation to validate a user's
credentials. Kerberos delegation occurs when a service needs to
provide the Kerberos user's credentials to access another service. For
example, in MicroStrategy when doing integrated authentication in
Web, the web server needs to "delegate" the user's credentials to
Intelligence Server so that the user can log in seamlessly. In addition
to authenticating users to Developer and MicroStrategy Web,
integrated authentication also passes user credentials down to the
database server. This allows each user's credentials to be used to
return data from the database.

MicroStrategy also supports an Active Directory configuration that
makes use of Kerberos Constrained Delegation to improve overall
security associated with service communications. Kerberos
Constrained Delegation is a new way to delegate Kerberos user's
credentials with improved security. Implementing Kerberos
Constrained Delegation involves specifying the services that are
allowed in terms of Intelligence Server Kerberos Delegation, in
essence creating a "white list" of allowed services.

For single sign-on with integrated authentication to work, users must
have user names and passwords that are printable, US-ASCII
characters. This limitation is expected behavior in Kerberos. This
limitation is important to keep in mind when creating a multilingual
environment in MicroStrategy.

Active Directory Account Configuration

To configure your Active Directory account you will need to set up a
service account to associate with Intelligence Server as well as
create a Service Principal Name (SPN) and enable delegation for
your Intelligence Server.

Service Account Setup

For the Active Directory user account that you will associate with the
SPN:

1. Go to User Properties > Account.

2. In the Account options section, clear the check box next to
Account is sensitive and cannot be delegated.

The Do not require Kerberos preauthentication option is
unchecked by default and should be kept that way for MicroStrategy
service accounts used for Kerberos Constrained Delegation.

Create the Intelligence Server Service Principal Name (SPN)

Once the user has been created, a Service Principal Name for the
Intelligence Server must be attached to the user using the setspn
command.

1. Execute the setspn.exe -L <your_service_account>
command to ensure no other SPN is associated with your service
account.

C:\Windows\system32>

C:\Windows\system32>setspn.exe -L mstrsvr_acct

Registered ServicePrincipalNames for CN=MicroStrategy Server Account,CN=Users,DC=vmnet-esx-mstr,DC=net:

2. Add the SPN using the setspn.exe -A <your_service_account>
command.

MicroStrategy software expects that the service name will be
MSTRSVRSvc, and that the Intelligence Server port number will be
added to the end of the hostname. The SPN should be formatted as:
MSTRSVRSvc/<hostname>:<port>@<realm>. The realm
does not need to be specified in the setspn command. It will
automatically use the default realm of the Active Directory
machine.

C:\Windows\system32>

C:\Windows\system32>setspn -A MSTRSVRSvc/exampleserver.example.com:34952 your_service_account

Registering ServicePrincipalNames for CN=your_service_account,CN=Users,DC=example,DC=com

MSTRSVRSvc/exampleserver.example.com:34952

Updated object

If you encounter any errors, contact your Active Directory
administrator before continuing.

Enabling Unconstrained Delegation for the Intelligence Server Service

If single sign-on authentication to a warehouse database is required,
an additional configuration step must be performed on the Active
Directory machine. Kerberos delegation will be required for the
Intelligence Server to authenticate the end user to the database
server.

1. After creating the SPN, open the associated service user
account.

2. On the Delegation tab select Trust this user for delegation to
any service (Kerberos only).

3. Click Apply, then OK.

Enabling Constrained Delegation for the Intelligence Server Service

1. After creating the SPN, open the associated service user
account.

2. On the Delegation tab select Trust this user for delegation to
specified services only.

3. Click Add.

4. Provide the service account for the destination services, then
select a registered service from the list.

5. Repeat steps 3 and 4 until each service requiring delegated
access has been added.

ASP versions of servers hosted on IIS will use extra protocols
to make Kerberos Constrained Delegation work, and the Use any
authentication protocol option needs to be enabled for their
service accounts.

6. Click Apply, then OK.

Enabling Constrained Delegation for Intelligence Server to a Data Source

For Intelligence Server to delegate to a data source:

• Select the Use any authentication protocol option.

• Add the Intelligence Server to the list of services that accept
delegated credentials.

• Add the data source services to the list of services that accept
delegated credentials.

If the data source is an MDX provider, instead of allowing delegation
to database services:

• Add the MDX provider service.

• On the service account of MDX provider allow delegation to the
database services.
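
The Delegation tab and Account options choices described above are stored on the service account as userAccountControl bits and in the msDS-AllowedToDelegateTo attribute, so they can be audited from an exported account record. The following is an added example, not part of the guide or of MicroStrategy's tooling; the account records, the MSSQLSvc and HTTP SPNs and the function names are constructed for illustration.

```python
# userAccountControl bits behind the Active Directory check boxes the guide names.
NOT_DELEGATED = 0x00100000                   # Account is sensitive and cannot be delegated
TRUSTED_FOR_DELEGATION = 0x00080000          # Trust this user for delegation to any service
DONT_REQ_PREAUTH = 0x00400000                # Do not require Kerberos preauthentication
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # Use any authentication protocol


def delegation_mode(uac, allowed_spns):
    """Name the Delegation tab setting implied by the account's attributes."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_spns:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, any authentication protocol"
        return "constrained, Kerberos only"
    return "none"


def audit_service_account(record, expected_spns):
    """Compare one service account record with the services it should reach.

    record: dict with sAMAccountName, userAccountControl and, optionally,
    msDS-AllowedToDelegateTo (the constrained delegation list).
    expected_spns: the SPNs this account is meant to delegate to.
    """
    uac = int(record["userAccountControl"])
    allowed = list(record.get("msDS-AllowedToDelegateTo") or [])
    mode = delegation_mode(uac, allowed)
    findings = []
    if uac & NOT_DELEGATED:
        findings.append("'Account is sensitive and cannot be delegated' is set; "
                        "the guide clears it")
    if uac & DONT_REQ_PREAUTH:
        findings.append("'Do not require Kerberos preauthentication' is set; "
                        "the guide keeps it unchecked")
    if mode == "unconstrained":
        findings.append("trusted for delegation to any service; constrained "
                        "delegation would limit this to the expected list")
    elif mode.startswith("constrained"):
        # SPN comparison is done case-insensitively.
        have = {spn.casefold() for spn in allowed}
        want = {spn.casefold() for spn in expected_spns}
        for spn in sorted(have - want):
            findings.append(f"delegation allowed to unexpected service {spn}")
        for spn in sorted(want - have):
            findings.append(f"expected service {spn} is not in the delegation list")
    return {"account": record["sAMAccountName"], "mode": mode, "findings": findings}


# Constructed sample data: 0x200 is NORMAL_ACCOUNT, 0x10000 is DONT_EXPIRE_PASSWORD.
EXPECTED_SPNS = ["MSSQLSvc/db01.example.com:1433"]
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "mstrsvr_acct",
     "userAccountControl": 0x200 | 0x10000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "mstrweb_acct",
     "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.com:1433",
                                  "HTTP/extra.example.com"]},
    {"sAMAccountName": "mstrold_acct",
     "userAccountControl": 0x200 | NOT_DELEGATED | DONT_REQ_PREAUTH},
]

if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        result = audit_service_account(account, EXPECTED_SPNS)
        print(result["account"], "->", result["mode"])
        for finding in result["findings"]:
            print("   ", finding)
```
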

Intelligence Server Configuration for Integrated Authentication

Configuring Intelligence Server on Windows

Users with Intelligence Server deployed on a Windows platform
do not need to perform any additional configuration. Authentication is
passed between libraries so a Kerberos configuration file and keytab
are not needed. If Intelligence Server is running on a domain account,
the account needs to be an administrator or be enabled to act as part
of the operating system.

Continue to Developer Configuration for Integrated Authentication to
complete setup.

Configuring Intelligence Server on Linux for Integrated Authentication

The configurations listed below are required to configure Intelligence
Server with your Windows domain controller and Kerberos security.

Kerberos only supports US-ASCII characters. Do not use any special
characters when installing or configuring Kerberos.

You have performed the steps described in Active Directory Account
Configuration.

Install Kerberos 5

You must have Kerberos 5 installed on your Linux machine that hosts
Intelligence Server. Your Linux operating system may come with
Kerberos 5 installed. If Kerberos 5 is not installed on your Linux
machine, refer to the Kerberos documentation for steps to install it.

Ensure that the Environment Variables are Set

Once you have installed Kerberos 5, you must ensure that the
following environment variables have been created:

The variables must be set when the Intelligence Server starts in order to
take effect.

Variable         Description                                          Default                 Required/Optional
${KRB5_HOME}     Location of all Kerberos configuration files         /etc/krb5               Optional
${KRB5_CONFIG}   Location of the default Kerberos configuration file  /etc/krb5/krb5.conf     Required
${KRB5CCNAME}    Location of the Kerberos credential cache            /etc/krb5/krb5_ccache   Optional
${KRB5_KTNAME}   Location of the Kerberos keytab file                 /etc/krb5/krb5.keytab   Required

For Kerberos Constrained Delegation: The environment variable
${KRB5_CLIENT_KTNAME} needs to be set to point to the keytab file
used by Intelligence Server.

Configure the krb5.keytab File for the Intelligence Server

You must create and configure the krb5.keytab file. The steps to
configure this file on your Linux machine are provided in the
procedure below.

The procedure below requires a few variables to be entered for various
commands. This includes information you can gather before you begin the
procedure. The required variables in the following procedure are described
below:

• ISMachineName: The name of the Intelligence Server machine.

• ISPort: The port number for Intelligence Server.

• KeyVersionNumber: The key version number, retrieved as part of
this procedure.

• EncryptionType: The encryption type used.

We recommend that you use rc4-hmac as the encryption type.
Other encryption types may cause compatibility issues with the
Windows Active Directory.

• DOMAIN_REALM: The domain realm for your Intelligence Server, which
must be entered in uppercase.

To Create a krb5.keytab File

1. Log in to your Linux machine.

2. Retrieve the key version number for your Intelligence Server
service principal name, using the following command:

kvno MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM

The key version number is displayed on the command line.

3. In the command line, type the following commands:

ktutil
addent -password -p MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM -k KeyVersionNumber -e EncryptionType
wkt /etc/krb5/krb5.keytab
exit

4. To verify the keytab file, type the following command:

kinit -k -t /etc/krb5/krb5.keytab MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM

The command should run without prompting you for a username
and password.

Configure the krb5.conf File for the Intelligence Server

You must create and configure a file named krb5.conf. This file is
stored in the /etc/krb5/ directory by default.

If you create a krb5.conf file in a directory other than the default, you
must update the KRB5_CONFIG environment variable with the new
location. Refer to your Kerberos documentation for steps to modify the
KRB5_CONFIG environment variable.

The contents of the krb5.conf should be as shown below:

[libdefaults]
    default_realm = DOMAIN_REALM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    forwardable = true
    no_addresses = true

[realms]
    DOMAIN_REALM = {
        kdc = DC_Address:88
        admin_server = DC_Admin_Address:749
    }

[domain_realm]
    .domain.com = DOMAIN_REALM
    domain.com = DOMAIN_REALM
    .subdomain.domain.com = DOMAIN_REALM
    subdomain.domain.com = DOMAIN_REALM

The variables in the syntax above are described below:

• DOMAIN_REALM: The domain realm used for authentication
purposes. A domain realm is commonly of the form EXAMPLE.COM,
and must be entered in uppercase.

• domain.com and subdomain.domain.com: Use this for all
domains and subdomains whose users must be authenticated using
the default Kerberos realm.

• DC_Address: The host name or IP address of the Windows
machine that hosts your Active Directory domain controller. This
can be the same address as DC_Admin_Address.

• DC_Admin_Address: The host name or IP address of the Windows
machine that hosts your Active Directory domain controller
administration server. This can be the same address as
DC_Address.
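
A filled-in krb5.conf and the Intelligence Server SPN can be checked against the template and the MSTRSVRSvc/<hostname>:<port>@<realm> format before Intelligence Server is started. The following is an added example, not part of the guide or of MicroStrategy's tooling; the function names, the dc01.example.com host and the sample files are constructed for illustration, and the parser handles only the krb5.conf subset shown above.

```python
import re

# Tokens from the guide's template; one left in a deployed file means the
# template was copied without being filled in.
PLACEHOLDERS = {"DOMAIN_REALM", "DC_Address", "DC_Admin_Address", "Keytab_Path"}
SPN_RE = re.compile(r"^MSTRSVRSvc/([A-Za-z0-9.-]+):(\d{1,5})@(\S+)$")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the guide into {section: {key: [values]}}.

    A "REALM = { ... }" block under [realms] becomes a nested dict.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return conf


def check_krb5_conf(text):
    """Return findings for a krb5.conf; an empty list means it matches the template."""
    findings = []
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [""])[0]
    if not realm or realm in PLACEHOLDERS:
        findings.append("libdefaults: default_realm is missing or still a placeholder")
    elif realm != realm.upper():
        findings.append(f"libdefaults: default_realm {realm!r} must be uppercase")
    for key in ("forwardable", "no_addresses"):
        if lib.get(key, [""])[0].lower() != "true":
            findings.append(f"libdefaults: {key} must be true")
    keytab = lib.get("default_keytab_name", [""])[0]
    if not keytab or keytab in PLACEHOLDERS:
        findings.append("libdefaults: default_keytab_name is missing or a placeholder")
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or not entry.get("kdc"):
        findings.append(f"realms: no kdc defined for realm {realm!r}")
    else:
        for key in ("kdc", "admin_server"):
            for value in entry.get(key, []):
                if value.split(":")[0] in PLACEHOLDERS:
                    findings.append(f"realms: {key} is still the placeholder {value!r}")
    for domain, targets in conf.get("domain_realm", {}).items():
        if isinstance(targets, list) and targets[-1] != realm:
            findings.append(f"domain_realm: {domain} maps to {targets[-1]!r}, not {realm!r}")
    return findings


def check_spn(spn, default_realm):
    """Check an Intelligence Server SPN against MSTRSVRSvc/<hostname>:<port>@<realm>."""
    match = SPN_RE.match(spn)
    if not match:
        return [f"{spn!r} is not of the form MSTRSVRSvc/<hostname>:<port>@<realm>"]
    _host, port, realm = match.groups()
    findings = []
    if not 0 < int(port) < 65536:
        findings.append(f"port {port} is out of range")
    if realm != realm.upper():
        findings.append(f"realm {realm!r} must be uppercase")
    elif realm != default_realm:
        findings.append(f"realm {realm!r} differs from default_realm {default_realm!r}")
    return findings


# Constructed sample input: the guide's template filled in for EXAMPLE.COM.
GOOD_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    forwardable = true
    no_addresses = true
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com:88
        admin_server = dc01.example.com:749
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""
# Constructed variant: lowercase realm, forwardable off, KDC placeholder left in.
BAD_CONF = (GOOD_CONF.replace("EXAMPLE.COM", "example.com")
            .replace("forwardable = true", "forwardable = false")
            .replace("dc01.example.com:88", "DC_Address:88"))

if __name__ == "__main__":
    for finding in check_krb5_conf(BAD_CONF):
        print(finding)
```
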

Developer Configuration for Integrated Authentication

To enable integrated authentication in a Windows MicroStrategy
environment you will need to configure your MicroStrategy users and
the Project sources.

Configure the Project Source

1. In Developer, right-click your Project Source.

2. Click Modify Project Source.

3. On the Connection tab, under Server Name, type the server
name exactly as it appears in the Service Principal Name
created in Active Directory Account Configuration with the format
MSTRSVRSvc/<hostname>:<port>@<realm>.

4. On the Advanced tab, select Use Integrated Authentication.

Mapping Users to Active Directory

1. In Project Source open Administration > User Manager.

2. Right-click a user and select Edit > Authentication >
Metadata.

3. Enter the Active Directory user log in under Trusted
Authentication Request User ID.

4. Click OK.

Linking Integrated Authentication Users to LDAP Users

When users log in to MicroStrategy using their integrated
authentication credentials, their LDAP group memberships can be
imported and synchronized.

By default, users' integrated authentication information is stored in
the userPrincipalName LDAP attribute. If your system stores
integrated authentication information in a different LDAP attribute,
you can specify the attribute when you configure the import.

To Import LDAP User and Group Information for Integrated
Authentication Users

1. In Developer, log in to a project source. You must log in as a
user with administrative privileges.

2. From the Administration menu, select Server, and then select
Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand Import, and then select
Options.

4. Select the Synchronize user/group information with LDAP
during Windows authentication and import Windows link
during Batch Import check box.

5. Select the Batch import Integrated Authentication/Trusted
Authentication unique ID check box.

6. By default, users' integrated authentication IDs are stored in the
userPrincipalName LDAP attribute. If your system stores
integrated authentication information in a different LDAP
attribute, click Other, and type the LDAP attribute that contains
users' IDs.

7. Click OK.

Configure MicroStrategy Application Servers for Integrated
Authentication

Configuration of your MicroStrategy application servers is similar to
the process for allowing Intelligence Server to use integrated
authentication. You will need to create a user and associated Service
Principal Name (SPN) in Active Directory for each application server
service. You will then need to perform platform-specific configuration
steps on each of the servers. See the appropriate section for your
application server deployments:

• Enabling Integrated Authentication for the Library Server J2EE-
Compliant Application Servers

• Enabling Integrated Authentication for IIS

Enabling Integrated Authentication for the Library Server J2EE-
Compliant Application Servers

If you use a J2EE-compliant application server to deploy
MicroStrategy Web, MicroStrategy Library, MicroStrategy Mobile
Server, or to deploy MicroStrategy Web Services to support
MicroStrategy Office, you can support integrated authentication. If you
are configuring integrated authentication on your MicroStrategy
Library server you do not need to perform the steps regarding
generation and configuration of .jaas files.

Create a Service Principal Name for Your Library Application Server

You must create a Service Principal Name (SPN) for your J2EE
application server, and map it to the domain user that the application
server runs as. The SPN identifies your application server as a
service that uses Kerberos. For instructions on creating an SPN, see
Active Directory Account Configuration.

The SPN should be in the following format:

HTTP/ASMachineName

The format is described below:

• HTTP: This is the service class for the application server.

• ASMachineName: This is the fully qualified host name of the server
where the application server is running. It is of the form
machine-name.example.com. Integrated authentication will only function
when accessing the application server using the ASMachineName
used to register the SPN. If the fully qualified host name was
registered as SPN, then using the machine name or IP address will
not work. Should the application server be accessible through
FQDN and machine name, additional SPNs will need to be
registered to the AD service account.

In your Active Directory, configure the application server's domain
user to be trusted for delegation, and map the user to this SPN. For
example, if you register the SPN to the Active Directory user
j2ee-http, enable the Account is trusted for delegation option for the
user. Also, enable the Trust this computer for delegation to any
service (Kerberos only) option for the machine where your
application server is hosted.

Configure the krb5.keytab File for the Application Server

You must create and configure a krb5.keytab file for the
application server. In UNIX, you must use the ktutil utility to create
this file. In Windows, you must use the ktpass utility to create the
keytab file.

The procedure below requires a few variables to be entered for various
commands. This includes information you can gather before you begin the
procedure. The required variables in the following procedure are described
below:

• ASMachineName: The name of the machine that the
Library application server is installed on.

• KeyVersionNumber: The key version number, retrieved as part
of this procedure.

• DOMAIN_REALM: The domain realm for the Library application
server. It is of the form EXAMPLE.COM, and must be entered in
uppercase.

• EncryptionType: The encryption type used.

It is recommended that you use rc4-hmac as the encryption type.
Other encryption types may cause compatibility issues with the
Windows Active Directory.

• Keytab_Path: For J2EE application servers under Windows,
this specifies the location of the krb5.keytab file. It is of the
form C:\temp\example.keytab.

• ASUser and ASUserPassword: The user account for which the
SPN was registered, for example j2ee-http, and its password.

To create a krb5.keytab file in Linux

If your application server and Intelligence Server are hosted on the
same machine, it is required that you use separate keytab and
configuration files for each. For example, if you are using
krb5.keytab and krb5.conf for the Intelligence Server, use
krb5-http.keytab and krb5-http.conf for the application
server.

1. Log in to your Linux machine.

2. Retrieve the key version number for your application server
service principal name, using the commands shown below:

kinit ASUser
kvno ASUser

The variables are described in the prerequisites above.

The key version number is displayed on the command line.

3. In the command line, type the following commands:

If your application server is installed on the same machine as the
Intelligence Server, replace krb5.keytab below with a different
file name than the one used for the Intelligence Server, such as
krb5-http.keytab.

ktutil
addent -password -p ASUser@DOMAIN_REALM -k KeyVersionNumber -e EncryptionType
wkt /etc/krb5/krb5.keytab
exit

4. To verify the keytab file, type the following command:

kinit -k -t /etc/krb5/krb5.keytab ASUser@DOMAIN_REALM

The command should run without prompting you for a password.

To create a krb5.keytab file in Windows

1. Log in to your Windows machine.

2. From a command prompt, type the following command:

ktpass ^
-out Keytab_Path ^
-princ ASUser@DOMAIN_REALM ^
-pass ASUserPassword ^
-crypto RC4-HMAC-NT ^
-pType KRB5_NT_PRINCIPAL

Configure the krb5.conf File for the Library Application Server

You must create and configure a file named krb5.conf.

For Linux only: If your Library application server and Intelligence Server
are hosted on the same machine, it is required that you use a separate
configuration file. For example, if you created krb5.conf for the
Intelligence Server, use krb5-http.conf for the application server.

If you have created a different keytab file in Enabling Integrated
Authentication for the Library Server J2EE-Compliant Application
Servers, replace krb5.keytab below with your own
keytab file.

The contents of the krb5.conf should be as shown below:

[libdefaults]
    default_realm = DOMAIN_REALM
    default_keytab_name = Keytab_Path
    forwardable = true
    no_addresses = true

[realms]
    DOMAIN_REALM = {
        kdc = DC_Address:88
        admin_server = DC_Admin_Address:749
    }

[domain_realm]
    .domain.com = DOMAIN_REALM
    domain.com = DOMAIN_REALM
    .subdomain.domain.com = DOMAIN_REALM
    subdomain.domain.com = DOMAIN_REALM

The variables in the syntax above are described below:

• DOMAIN_REALM: The domain realm used for authentication
purposes. A domain realm is commonly of the form EXAMPLE.COM,
and must be entered in uppercase.

• Keytab_Path: The location of your krb5.keytab file. In Linux, it
is of the form /etc/krb5/krb5.keytab. In Windows, it is of the
form C:\temp\krb5.keytab.

• domain.com and subdomain.domain.com: Use these for all
domains and subdomains where users must be authenticated using
the default Kerberos realm.

• DC_Address: The host name or IP address of the Windows
machine that hosts your Active Directory domain controller. This
can be the same address as DC_Admin_Address.

• DC_Admin_Address: The host name or IP address of the Windows
machine that hosts your Active Directory domain controller
administration server. This can be the same address as
DC_Address.

Configure the jaas.conf File for the Application Server

You must configure the Java Authentication and Authorization Service
(JAAS) configuration file for your application server.

This step is not required for MicroStrategy Library Server.

Depending on the version of the Java Development Kit (JDK) used by
your application server, the format of the jaas.conf file varies
slightly. Refer to your JDK documentation for the appropriate format.
Sample jaas.conf files for the Sun and IBM JDKs follow. The following
variables are entered in the .accept section of the jaas.conf file:

• ASMachineName: The name of the machine that the application
server is installed on.

• DOMAIN_REALM: The domain realm used for authentication
purposes. It is of the form EXAMPLE.COM, and must be entered in
uppercase.

Sample jaas.conf for Sun JDK 1.7 and above

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="ASUser@DOMAIN_REALM"
    useKeyTab=true
    doNotPrompt=true
    storeKey=true
    debug=true;
};

Sample jaas.conf for IBM JDK

com.ibm.security.jgss.initiate {
    com.ibm.security.auth.module.Krb5LoginModule required
    useDefaultKeytab=true
    principal="ASUser@DOMAIN_REALM"
    credsType=both
    debug=true
    storeKey=true;
};

Save the jaas.conf file to the same location as your krb5.conf
file.

Configure the JVM Startup Parameters

This step is not required for MicroStrategy Library Server.

For your J2EE-compliant application server, you must set the
appropriate JVM startup parameters. The variables used are
described below:

• JAAS_Path: The path to the jaas.conf file. In Linux, it is of the
form /etc/krb5/jaas.conf. In Windows, it is of the form
C:\temp\jaas.conf.

• KRB5_Path: The path to the krb5.conf file. In Linux, it is of the form
/etc/krb5/krb5.conf. In Windows, it is of the form
C:\temp\krb5.conf.

You must modify the JVM startup parameters listed below:

-Djava.security.auth.login.config=JAAS_Path
-Djava.security.krb5.conf=KRB5_Path
-Djavax.security.auth.useSubjectCredsOnly=false

Enable the SPNEGO Mechanism

This step is not required for MicroStrategy Library Server.

As part of a MicroStrategy Web or Mobile Server JSP deployment, you
must modify the web.xml file for MicroStrategy Web or Mobile, to
enable the Simple and Protected GSSAPI Negotiation Mechanism
(SPNEGO). This is accomplished by removing the comments around
the following information in the web.xml file:

For MicroStrategy Web:

<filter>
    <display-name>SpnegoFilter</display-name>
    <filter-name>SpnegoFilter</filter-name>
    <filter-class>com.microstrategy.web.filter.SpnegoFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SpnegoFilter</filter-name>
    <servlet-name>mstrWeb</servlet-name>
</filter-mapping>

For MicroStrategy Mobile Server:

<filter>
    <display-name>SpnegoFilter</display-name>
    <filter-name>SpnegoFilter</filter-name>
    <filter-class>com.microstrategy.mobile.filter.SpnegoFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SpnegoFilter</filter-name>
    <servlet-name>mstrMobileAdmin</servlet-name>
</filter-mapping>

Enabling Integrated Authentication for the Library Server

1. Launch the Library Admin page by entering the following URL in
your web browser

http://<FQDN>:<port>/MicroStrategyLibrary/admin

where <FQDN> is the Fully Qualified Domain Name of the
machine hosting your MicroStrategy Library application and
<port> is the assigned port number.

2. On the Library Web Server tab, select Integrated from the list of
available Authentication Modes.

3. Click Save.

4. Restart your Web Server to apply the change.

Restart your application server for all the above settings to take
effect.

Enabling Integrated Authentication for IIS

Integrated authentication in MicroStrategy requires communication
between your Kerberos security system, IIS, and your database.

You must configure IIS to enable integrated authentication to the
MicroStrategy virtual directory to support integrated authentication to
MicroStrategy Web, or MicroStrategy Web Services to support
MicroStrategy Office.

If you are using Microsoft Analysis Services, to support report
subscriptions, you must use connection mapping to pass users'
credentials to Analysis Services. For steps to enable connection
mapping, see Connection Maps: Standard Authentication,
Connection Maps, and Partitioned Fact Tables.

Enable Integrated Authentication to the MicroStrategy Virtual
Directory

1. On the MicroStrategy Web server machine, access the IIS
Internet Service Manager.

2. Browse to and right-click the MicroStrategy virtual folder and
select Properties.

3. Select the Directory Security tab, and then under Anonymous
access and authentication control, click Edit.

4. Clear the Enable anonymous access check box.

5. Select the Integrated Windows authentication check box.

6. Click OK.

7. If you want to enable integrated authentication for MicroStrategy
Mobile, repeat the above procedure for the MicroStrategyMobile
virtual folder.

8. If you want to enable integrated authentication for MicroStrategy
Web Services, repeat the above procedure for the
MicroStrategyWS virtual folder.

9. Restart IIS for the changes to take effect.

Configuring Web/Mobile Server for Constrained Delegation

Currently ASP Web can only delegate users from the same domain.

Using Kerberos constrained delegation requires the following
additional configuration to your Web/Mobile Server:

• ASP impersonation needs to be disabled

• Kerberos mode in sys_default.xml needs to be set to
  DELEGATION

• ASP application pool (if running on system account):
  AppPool Identity doesn't work. Use Local System

• For IIS version 7 and older: If ASP runs on domain account, the
  account needs to be an administrator or be enabled to act as part of
  the operating system.

Creating a Service Principal Name for IIS

It is recommended that you create a Service Principal Name (SPN) for
IIS, and map it to the domain user that the application server runs as.
The SPN identifies your application server as a service that uses
Kerberos. For instructions on creating an SPN, refer to the Kerberos
documentation.

The SPN should be in the following format:

HTTP/ASMachineName

The format is described below:

• HTTP: This is the service class for the application server.

• ASMachineName: This is the fully qualified host name of the server
  where the application server is running. It is of the form
  machine-name.example.com.

Enabling Session Keys for Kerberos Security

To enable single sign-on authentication to MicroStrategy Web from a
Microsoft Windows machine, you must modify a Windows registry
setting on the machine hosting IIS.

Modification of the allowtgtsessionkey registry setting is
required by Microsoft to work with Kerberos security. For information
on the implications of modifying the registry setting and steps to
modify the registry setting, see the following Microsoft documentation:

The documentation below is produced by a third-party vendor and thus
is subject to change. MicroStrategy makes no guarantee on the
availability or accuracy of third-party documentation.

• For Microsoft Windows 2003, click here.

Configuring the krb5.ini File

If your Intelligence Server is hosted on a Windows machine, you must
configure the krb5.ini file. This file is included with an installation
of MicroStrategy Web, and can be found in the following directory:

C:\Program Files (x86)\Common Files\MicroStrategy\

The path listed above assumes you have installed MicroStrategy in
the C:\Program Files (x86) directory.

Kerberos only supports US-ASCII characters. Do not use any special
characters when installing or configuring Kerberos.

Once you locate the krb5.ini file, open it in a text editor. The
content within the file is shown below:

[libdefaults]
default_realm = <DOMAIN NAME>
default_keytab_name = <path to keytab file>
forwardable = true
no_addresses = true

[realms]
<REALM_NAME> = {
kdc = <IP address of KDC>:88
admin_server = <IP address of KDC admin>:749
}

[domain_realm]
.domain.com = <DOMAIN NAME>
domain.com = <DOMAIN NAME>
.subdomain.domain.com = <DOMAIN NAME>
subdomain.domain.com = <DOMAIN NAME>

You must configure the krb5.ini file to support your environment by
replacing the entries enclosed in < >, which are described below:

• <DOMAIN NAME> and <REALM_NAME>: The domain realm used for
  authentication purposes. A domain realm is commonly of the form
  EXAMPLE.COM, and must be entered in uppercase.

• <IP address of KDC>: The IP address or host name of the
  Windows machine that hosts your Active Directory domain
  controller. This can be the same address as <IP address of
  KDC admin>.

• <IP address of KDC admin>: The host name or IP address of
  the Windows machine that hosts your Active Directory domain
  controller administration server. This can be the same address as
  <IP address of KDC>.

• domain.com and subdomain.domain.com: Use this for all
  domains and subdomains whose users must be authenticated using
  the default Kerberos realm.
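A small lint pass over krb5.ini that enforces the rules stated above (placeholders replaced, realm names in uppercase, US-ASCII only), as an added example rather than MicroStrategy code. Going slightly beyond the text, it also checks that default_realm and every [domain_realm] target have a [realms] entry with a kdc. The function names, the 192.0.2.10 address and the keytab path are constructed for illustration, and the parser handles only the syntax used in the template.

```python
import re


def parse_krb5(text):
    """Parse the subset of krb5.ini syntax used by the guide's template:
    [section] headers, key = value lines, and REALM = { ... } blocks."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return sections


def lint_krb5(text):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    if not text.isascii():
        problems.append("file contains non-US-ASCII characters")
    if re.search(r"<[^>\n]+>", text):
        problems.append("template placeholder in < > was not replaced")

    cfg = parse_krb5(text)
    realms = cfg.get("realms", {})
    domain_realm = cfg.get("domain_realm", {})
    default = cfg.get("libdefaults", {}).get("default_realm")

    # Every realm name that the file defines or points at.
    referenced = set(realms)
    referenced |= {v for v in domain_realm.values() if isinstance(v, str)}
    if default:
        referenced.add(default)
    else:
        problems.append("[libdefaults] has no default_realm")

    for name in sorted(referenced):
        if name != name.upper():
            problems.append(f"realm {name} is not uppercase")
        entry = realms.get(name)
        if entry is None:
            problems.append(f"realm {name} has no [realms] entry")
        elif not (isinstance(entry, dict) and entry.get("kdc")):
            problems.append(f"realm {name} has no kdc")
    return problems


# Constructed sample: the template filled in with illustrative values.
GOOD = r"""[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = C:\keys\mstr.keytab
forwardable = true
no_addresses = true

[realms]
EXAMPLE.COM = {
kdc = 192.0.2.10:88
admin_server = 192.0.2.10:749
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

# Constructed sample: lowercase default realm and a non-ASCII keytab path.
BAD = (GOOD.replace("default_realm = EXAMPLE.COM", "default_realm = example.com")
       .replace("keys", "cl\u00e9s"))

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, lint_krb5(text) or "OK")
```
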

Integrated Authentication Login for MicroStrategy
Library Applications

Enabling integrated authentication login mode for MicroStrategy Web

For MicroStrategy Web users to be able to use their Windows
credentials to log in to MicroStrategy Web, you must enable
integrated authentication as an available login mode. The procedure
below describes the required steps for this configuration.

To Enable Integrated Authentication Login Mode for MicroStrategy Web

1. From the Windows Start menu, go to All Programs >
   MicroStrategy Tools > Web Administrator.

2. On the left, select Default Properties.

3. In the Login area, for Integrated Authentication, select the
   Enabled check box.

   If you want integrated authentication to be the default login mode
   for MicroStrategy Web, for Integrated Authentication, select
   the Default option.

4. Click Save.

Enabling Integrated Authentication Login Mode for MicroStrategy
Library

1. On the machine where the MicroStrategy Library application is
   installed, open the configOverride.properties file.

   • Windows: C:\Program Files (x86)\Common Files\MicroStrategy\Tomcat\apache-tomcat-8.0.30\webapps\MicroStrategyLibrary\WEB-INF\classes\config

   • Linux: <tomcat_directory>/webapps/MicroStrategyLibrary/WEB-INF/classes/config

2. Add the following entries to configOverride.properties:

   • auth.kerberos.config=: set to file path of krb5.conf file

   • auth.kerberos.keytab=: set to file path of file.keytab
     file

   • auth.kerberos.principal=: set to Service Principal
     Name (SPN) of the Library Web Server

   • auth.kerberos.debug=false

   • auth.kerberos.isInitiator=true

Enabling Integrated Authentication Login Mode for MicroStrategy
Mobile

To allow your MicroStrategy Mobile users to use their Windows
credentials to log into MicroStrategy, you create a Mobile
configuration, and select Integrated Authentication as the
authentication method. For steps to create a Mobile configuration for
your organization, see the MicroStrategy Mobile Administration
Guide.

Configure Web Browser for Integrated Authentication

Integrated Authentication with Kerberos requires that the browser
being used to access MicroStrategy WebLibrary be configured to
retrieve the currently logged in user from the client machine. The
steps for enabling this functionality are different for the three certified
browsers for MicroStrategy.

Kerberos should already be configured on the MicroStrategy Library server,
MicroStrategy Web server, and the MicroStrategy Intelligence server.

Microsoft Internet Explorer

1. From the Internet Explorer Settings menu choose Internet
   Options > Advanced.

2. Check the Enable Integrated Windows Authentication setting.

3. Go to Security tab > Trusted sites > Sites and add
   MicroStrategy Web.

4. Click Close.

5. Click Custom level... and ensure that Anonymous logon is not
   selected. Any of the other options are acceptable.

6. Restart your computer.

Google Chrome

Chrome reads a key, AuthNegotiateDelegateWhitelist, which
configures Chrome to allow certain sites to allow delegation and use
Kerberos. The key can be implemented as a policy in a Group Policy
Object or added manually in the registry on the client machine where
Chrome is installed. To learn more about the policy, see Google
Documentation.

To add the key manually to the registry:

1. Close any open instances of Chrome.

2. Create a key with the path:

   Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

3. Add a new 'String' value named
   AuthNegotiateDelegateWhitelist.

4. Populate this 'String' with the host of the MicroStrategy Web site,
   like shown below:

Mozilla Firefox

Firefox has two flags, network.negotiate-auth.trusted-uris
and network.negotiate-auth.delegation-uris, which
configure it to trust certain sites to allow delegation and use
Kerberos.

1. Navigate to about:config in the browser.

2. Find the two flags in the list of configuration settings.

3. Double-click on each flag and enter the host of the MicroStrategy
   Web site, as shown below:

Linking Integrated Authentication Users to LDAP Users

When users log in to MicroStrategy Library using their integrated
authentication credentials, their LDAP group memberships can be
imported and synchronized.

By default, users' integrated authentication information is stored in
the userPrincipalName LDAP attribute. If your system stores
integrated authentication information in a different LDAP attribute,
you can specify the attribute when you configure the import.

• The LDAP server has been configured, as described in Setting up LDAP
  Authentication in MicroStrategy Web, Library, and Mobile, page
  198.

• You have configured the settings for importing users from your LDAP
  directory, as described in Managing LDAP Authentication, page 202.

To Import LDAP User and Group Information for Integrated
Authentication Users

1. In Developer, log in to a project source. You must log in as a
   user with administrative privileges.

2. From the Administration menu, go to Server > Configure
   MicroStrategy Intelligence Server.

3. Go to LDAP > Import > Options. The Import Options are
   displayed.

4. Select the Synchronize user/group information with LDAP
   during Windows authentication and import Windows link
   during Batch Import check box.

5. Select the Batch import Integrated Authentication/Trusted
   Authentication unique ID check box. The Use Default LDAP
   Attribute option is enabled.

6. By default, users' integrated authentication IDs are stored in the
   userPrincipalName LDAP attribute. If your system stores
   integrated authentication information in a different LDAP
   attribute, click Other, and type the LDAP attribute that contains
   users' IDs.

7. Click OK.

Enabling Integrated Authentication to Data Sources

Through the use of integrated authentication, you can allow each
user's credentials to be passed to your database server. You must
enable this option at the project level.

If your reports or documents use subscriptions, using integrated
authentication for your data sources prevents the subscriptions from
running.

Your database server must be configured to allow integrated authentication
for all MicroStrategy users that use it as a data warehouse. Refer to your
third-party database server documentation for instructions on enabling this
support.

To Enable Integrated Authentication to Data Sources

1. In Developer, log in to the project whose data sources you want
   to configure.

2. In the Administration menu, select Projects, then choose
   Project Configuration.

3. Expand the Database instances category.

4. Expand Authentication, and select Warehouse.

5. Enable the For selected database instances radio button.

6. From the Metadata authentication type drop-down list, choose
   Kerberos.

7. In the Database Instance pane, enable the check boxes for all
   the database instances for which you want to use integrated
   authentication, as shown below.

   If you are connecting to a Microsoft SQL Server, Teradata, or TM1
   data source, use this setting only if your Intelligence Server is
   running on Windows.

8. Click OK.

Enabling Integrated Authentication for the MicroStrategy
Hadoop Gateway

The MicroStrategy Hadoop Gateway is a data processing engine that
you install in your Hadoop® environment. The Hadoop Gateway lets
you analyze unstructured data in Hadoop, and provides high-speed
parallel data transfer between the Hadoop Distributed File System
(HDFS) and your MicroStrategy Intelligence Server.

To enable integrated authentication for your Hadoop cluster, refer to
your third-party documentation.

For specific steps to enable integrated authentication for your Hadoop
cluster, refer to the documentation for your Hadoop cluster
distribution.

Enable Single Sign-On to Library with Trusted
Authentication

You can enable Single Sign-on (SSO) authentication for
MicroStrategy Library using a third-party authentication provider such
as IBM Tivoli Access Manager, CA SiteMinder, Oracle Access
Manager, or PingFederate®.

Trusted authentication mode cannot be used in combination with any
other log in mode.

Enable Trusted Authentication Mode

1. Launch the Library Admin page by entering the following URL in
   your web browser:

   http://<FQDN>:<port>/MicroStrategyLibrary/admin

   where <FQDN> is the Fully Qualified Domain Name of the
   machine hosting your MicroStrategy Library application and
   <port> is the assigned port number.

2. On the Library Web Server tab, select Trusted from the list of
   available Authentication Modes.

3. Select your authentication provider from the Provider drop-down
   menu.

4. Click the Create Trusted Relationship button to establish
   trusted communication between Library Web Server and
   Intelligence Server.

   Ensure the Intelligence Server information is entered correctly
   before establishing this trusted relationship.

5. Click Save.

6. Restart your Web Server to apply the changes.

Enable A Custom Authentication Provider

1. Edit Library/WEB-INF/classes/auth/trusted/custom_security.properties
   in a text editor.

2. Fill in LoginParam and DistinguishedName based on your
   setup with the authentication provider.

   • LoginParam is the name of the header variable that your
     provider will use for authentication.

   • DistinguishedName is the name of the header variable that
     will supply the Distinguished Name of the user for LDAP
     synchronization.

3. Restart MicroStrategy Library to apply the changes.

Implementing Windows NT Authentication

If you use Windows 2003 as your network operating system and your
users are already defined in a Windows 2003 directory, then you can
enable Windows authentication in MicroStrategy to allow users
access without having to enter their login information.

The Apple Safari web browser does not support Windows authentication
with MicroStrategy Web.

Use the procedures in the rest of this section to enable single sign-on
with Windows authentication in MicroStrategy Web. For high-level
steps to configure these settings, see Steps to Enable Single Sign-On
to MicroStrategy Web Using Windows Authentication, page 298.

To use Windows authentication you must create users in the
MicroStrategy environment and then link them to Windows users.
Linking enables Intelligence Server to map a Windows user to a
MicroStrategy user. See Linking a Windows Domain User to a
MicroStrategy User, page 302.

You can also create MicroStrategy users from existing Windows by
importing either user definitions or group definitions.

To use Windows authentication with MicroStrategy Web, you must be
running MicroStrategy Web or Web Universal under Microsoft IIS.
Non-IIS web servers do not support Windows authentication. See
Enabling integrated authentication for IIS.

If the Windows domain account information is linked to a
MicroStrategy user definition, a MicroStrategy Web user can be
logged in automatically through MicroStrategy Web. When a user
accesses MicroStrategy Web, IIS detects the Windows user and sends
the login information to Intelligence Server. If the Windows user is
linked to a MicroStrategy user, Intelligence Server starts a session for
that user. For information on setting up MicroStrategy Web to allow
single sign-on using Windows authentication, see Enabling Windows
Authentication Login for MicroStrategy Web, page 305.

Enabling Windows Authentication in MicroStrategy Web to
Allow Single Sign-On

Single sign-on authentication allows users to type their login
credentials once, and have access to multiple software applications
securely, because the system can apply that single authentication
request to all the applications that the user needs access to. It is
possible to use Windows authentication to enable single sign-on for
MicroStrategy Web.

There are several configurations that you must make to enable
Windows authentication in MicroStrategy Web. To properly configure
MicroStrategy Web, Microsoft Internet Information Services (IIS), and
the link between Microsoft and MicroStrategy users, follow the
procedure Steps to Enable Single Sign-On to MicroStrategy Web
Using Windows Authentication, page 298.

Steps to use Windows authentication with Microsoft Sharepoint and
MicroStrategy Web are in the MicroStrategy Developer Library
(MSDL). The MicroStrategy SDK and MSDL contain information on
customizing MicroStrategy Web.

Before continuing with the procedures described in the rest of this section,
you must first set up a Windows domain that contains a domain name for
each user that you want to allow single sign-on access to MicroStrategy
Web with Windows authentication.

In addition, you must be connected to the MicroStrategy Web machine
without a proxy. Windows authentication does not work over a proxy
connection. For more information, including some possible work-arounds,
see Microsoft's IIS documentation.

Steps to Enable Single Sign-On to MicroStrategy Web Using
Windows Authentication

1. Enable integrated Windows authentication for Microsoft IIS. See
   Enabling Windows Authentication for Microsoft IIS, page 299.

2. If you are using MicroStrategy Web Universal on a J2EE-based
   application server such as Apache Tomcat, enable the
   MicroStrategy ISAPI filter in IIS, to support Windows
   authentication. For steps, see Enabling Windows Authentication
   for J2EE-Based Application Servers, page 300.

3. Create a link between a Windows domain user and a
   MicroStrategy Web user for each person that will be accessing
   MicroStrategy Web with Windows authentication. See Linking a
   Windows Domain User to a MicroStrategy User, page 302.

4. Define a project source to use Windows authentication. See
   Defining a Project Source to Use Windows Authentication, page
   304.

5. Enable Windows authentication in MicroStrategy Web. See
   Enabling Windows Authentication Login for MicroStrategy Web,
   page 305.

6. Configure each MicroStrategy Web user's browser for single
   sign-on. See Configuring a Browser for Single Sign-On to
   MicroStrategy Web, page 306.

Enabling Windows Authentication for Microsoft IIS

Microsoft Internet Information Services is an Internet server that is
integral to Windows authentication. You must configure IIS to enable
Windows authentication in the MicroStrategy virtual directory to
support integrated authentication to MicroStrategy Web.

The steps to perform this configuration are provided in the procedure
below, which may vary depending on your version of IIS. The
following links can help you find information on how to enable
integrated authentication for your version of IIS:

• IIS 7: See http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx
  for information on enabling Windows authentication for IIS 7.

  If you are using IIS 7 on Windows Server 2008, ensure the following:

  • The MicroStrategyWebPool application pool is started, and the
    Managed Pipeline is set to Integrated.

  • ASP.NET Impersonation is enabled. For information on enabling
    ASP.NET Impersonation in IIS 7, see
    http://technet.microsoft.com/en-us/library/cc730708(WS.10).aspx.

• IIS 6: See http://technet.microsoft.com/en-us/library/cc780160(WS.10).aspx
  for information on enabling Windows authentication for IIS 6.

• IIS 5: See http://support.microsoft.com/kb/215383 for information on
  enabling Windows authentication for IIS 5.

The third-party products discussed below are manufactured by vendors
independent of MicroStrategy, and the information provided is subject to
change. Refer to the appropriate third-party vendor documentation for
updated IIS support information.

To Enable Windows Authentication in Microsoft IIS

1. On the MicroStrategy Web server machine, access the IIS
   Internet Service Manager.

2. Navigate to and right-click the MicroStrategy virtual folder, and
   select Properties.

3. Select the Directory Security tab, and then under Anonymous
   access and authentication control, click Edit.

4. Clear the Anonymous access check box.

5. Select the Integrated Windows authentication check box.

6. Click OK.

7. Restart IIS for the changes to take effect.

Enabling Windows Authentication for J2EE-Based Application Servers

If you use a J2EE-compliant application server other than IIS to
deploy MicroStrategy Web, you must configure IIS to share users'
Windows authentication credentials with your application server. To
allow IIS to share users' Windows authentication credentials with your
applications server, you must add the MicroStrategy ISAPI filter to IIS,
as described in the steps below.

The third-party products discussed below are manufactured by vendors
independent of MicroStrategy, and the information provided is subject to
change. Refer to the appropriate third-party vendor documentation for
the latest information.

In your MicroStrategy installation folder, locate the MBWBAUTH.dll file. By
default, the file is located in C:\Program Files (x86)\Common
Files\MicroStrategy.

Depending on the version of IIS you are using, refer to one of the following
procedures to enable the MicroStrategy ISAPI filter:

• To Enable the MicroStrategy ISAPI Filter in IIS 6, page 301

• To Enable the MicroStrategy ISAPI Filter in IIS 7, page 302

To Enable the MicroStrategy ISAPI Filter in IIS 6

1. In IIS, right-click the default web site, and select Properties.

2. Click the ISAPI Filters tab. A list of ISAPI filters for your IIS
   installation is shown.

3. Click Add.

4. Browse to the location of the MBWBAUTH.dll file. By default, the
   file is located in C:\Program Files (x86)\Common
   Files\MicroStrategy.

5. Select MBWBAUTH.dll and click OK. The MBWBAUTH ISAPI filter
   is added to the list of ISAPI filters.

6. Restart your IIS server.

To Enable the MicroStrategy ISAPI Filter in IIS 7

1. In IIS, select the default web site. The Default Web Site Home
   page is shown.

2. In the Default Web Site Home page, double-click ISAPI Filters.
   A list of ISAPI filters for your IIS installation is shown.

3. In the Actions pane, click Add.

4. In the Filter name field, type a name for the filter. For example,
   MicroStrategy ISAPI Filter.

5. Next to the Executable field, click Browse (...).

6. Browse to the location of the MBWBAUTH.dll file. By default, the
   file is located in C:\Program Files (x86)\Common
   Files\MicroStrategy.

7. Select MBWBAUTH.dll and click OK.

8. Click OK.

9. Restart your IIS server.

Linking a Windows Domain User to a MicroStrategy User

Once IIS has been configured to allow integrated Windows
authentication, a link must be created between a user's MicroStrategy
user name and the user's Windows domain user name. The required
steps are detailed below.

To Link a Windows Domain User to a MicroStrategy User

1. In Developer, log in to a project source using an account with
   administrative privileges.

2. From the Folder List, expand a project source, then expand
   Administration, and then expand User Manager.

3. Navigate to the MicroStrategy user you want to link a Windows
   user to. Right-click the MicroStrategy user and select Edit.

4. Expand Authentication, then select Metadata.

5. Under Windows Authentication, in the Link Windows user
   area, provide the Windows user name for the user you want to
   link the MicroStrategy user to. There are two ways to do this:

   • Click Browse to select the user from the list of Windows users
     displayed.

   • Click Search to search for a specific Windows user by
     providing the Windows login to search for and, optionally, the
     Windows domain to search. Then click OK to run the search.

6. Click OK.

Linking a Windows Login to an LDAP User

When using LDAP with MicroStrategy, you can reduce the number of
times a user needs to enter the same login and password by linking
their Windows system login with their LDAP login used in
MicroStrategy.

By creating a link between a Windows system login, an LDAP user,
and a MicroStrategy user, a single login into the machine
authenticates the user for the machine as well as in MicroStrategy.

For example, a user logs in to their Windows machine with a linked
LDAP login and password and is authenticated. The user then opens
Developer and connects to a project source using Windows
authentication. Rather than having to enter their login and password
to log in to MicroStrategy, the user's login and password
authenticated when logging in to their machine is used to
authenticate the user. During this process, the user account and any
relevant user groups are imported and synchronized for the user.

The LDAP Server is configured as the Microsoft Active Directory Server
domain controller, which stores the Windows system login information.

To Link a Windows Login with LDAP and MicroStrategy

1. In Developer, log in to a project source. You must log in as a
   user with administrative privileges.

2. From the Administration menu, select Server, and then select
   Configure MicroStrategy Intelligence Server.

3. Expand the LDAP category, then expand Import, and then select
   Options.

4. Select the Synchronize user/group information with LDAP
   during Windows authentication and import Windows link
   during Batch Import check box.

5. Click OK.

Defining a Project Source to Use Windows Authentication

For MicroStrategy Web users to gain access to a project in a specific
project source using Windows authentication, the project source must
first be configured to have Windows authentication enabled. The steps
for enabling this configuration are detailed below.

To Define a Project Source to Use Windows Authentication

1. In Developer, log in to a project source using an account with
   administrative privileges.

2. Right-click the project source and select Modify Project Source.

3. On the Advanced tab, select the Use network login id
   (Windows authentication) option.

4. Click OK.

Enabling Windows Authentication Login for MicroStrategy Web

There are two ways to enable access to MicroStrategy Web using Windows authentication. Access can be enabled for the MicroStrategy Web application as a whole, or it can be enabled for individual projects at the project level.

For steps to enable Windows authentication for all of MicroStrategy Web, see To Enable Windows Authentication Login for MicroStrategy Web, page 305.

For steps to enable Windows authentication for a project, see To Enable Windows Authentication Login for a Project, page 306.

To Enable Windows Authentication Login for MicroStrategy Web

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Web Administrator.

2. On the left, under Intelligence Server, select Default Properties.

3. In the Login area, for Windows Authentication, select the Enabled check box.

If you want Windows authentication to be the default login mode for MicroStrategy Web, for Windows Authentication, select the Default option.

4. Click Save.

To Enable Windows Authentication Login for a Project

1. Log in to a MicroStrategy Web project as a user with administrative privileges.

2. At the upper left of the page, click the MicroStrategy icon, and select Preferences.

3. On the left, select Project Defaults, then Security.

4. In the Login modes area, for Windows Authentication, select the Enabled check box.

If you want Windows authentication to be the default login mode for this project in MicroStrategy Web, also select the Default option.

5. Next to Apply, choose whether to apply these settings to all projects, or just to the one you are currently logged into.

6. Click Apply.

Configuring a Browser for Single Sign-On to MicroStrategy Web

If a MicroStrategy Web user plans to use single sign-on to log in to MicroStrategy Web, each user's browser must be configured to enable integrated authentication. The process to enable integrated authentication is different depending on the browser they use:

• For Internet Explorer, you must enable integrated authentication for the browser, as well as add the MicroStrategy Web server URL as a trusted site. Depending on your security policy, integrated authentication may be enabled by default for Internet Explorer.

• For Firefox, you must add the MicroStrategy Web server URL as a trusted site. The URL must be listed in the about:config page, in the settings network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.

Enabling Single Sign-on to Web, Mobile, and Office with Third-Party Authentication

You can enable single sign-on (SSO) authentication for the following MicroStrategy applications using a third-party tool such as IBM Tivoli Access Manager, CA SiteMinder, Oracle Access Manager, or PingFederate®:

• MicroStrategy Web

• MicroStrategy Mobile

• MicroStrategy Web Services, to support MicroStrategy Office (IBM Tivoli Access Manager and CA SiteMinder only)

This information applies to MicroStrategy Office, the add-in for Microsoft Office applications which is no longer actively developed.

It was substituted with a new add-in, MicroStrategy for Office, which supports Office 365 applications. The initial version does not yet have all the functionalities of the previous add-in.

For more information, see the MicroStrategy for Office page in the 2019 Update 1 Readme and the MicroStrategy for Office Online Help.

Once a user is authenticated in the third-party system, the user's permissions are retrieved from a user directory, such as LDAP, and access is granted to the MicroStrategy application.

In this security model, there are several layers. For example, when a user logs in to Tivoli, Tivoli determines whether the user's credentials are valid. If the user logs in with valid credentials to Tivoli, the user directory (such as LDAP) determines whether that valid user can connect to MicroStrategy. The user's MicroStrategy privileges are stored within the MicroStrategy Access Control List (ACL). What a user can and cannot do within the MicroStrategy application is stored on Intelligence Server in the metadata within these ACLs. For more information about privileges and ACLs in MicroStrategy, see Chapter 2, Setting Up User Security.

For MicroStrategy to be able to get a user's privileges from the metadata, Intelligence Server must be configured to be a trusted machine in MicroStrategy Web, Mobile, and Office. This allows the information to be passed between the two machines.

The following diagram illustrates the architecture of a security system that uses third-party authentication.

MicroStrategy enables this type of access by passing tokens between MicroStrategy, the user directory, and the third-party authentication provider. Properly configuring these levels of communication is critical to implementing SSO authentication.

The distinguished name of the user passed from the third-party provider is URL-decoded by default within MicroStrategy Web, Mobile, or Web Services before it is passed to the Intelligence Server.

Single sign-on authentication performs the step of allowing a user access to MicroStrategy products. You also must configure MicroStrategy users to define privileges and permissions that control what a user can perform and access within the products.

Setting Up Third-Party SSO Authentication in MicroStrategy Products

The following high-level steps are required to set up third-party SSO authentication in MicroStrategy Web, Mobile, or Web Services, and each is detailed below:

• Creating Users and Links in Third-Party Authentication Systems, page 309

• Enabling Single Sign-On Authentication to MicroStrategy Web, Mobile, or Office, page 310

• Importing and Linking Third-Party Authentication Users in MicroStrategy, page 323

• To Log in to MicroStrategy Web Using Tivoli Single Sign-On, page 327

Creating Users and Links in Third-Party Authentication Systems

Before MicroStrategy can be configured to accept Tivoli, SiteMinder, PingFederate or Oracle Access Manager authentication, certain preliminary settings must be established. This ensures that a link exists between the authentication provider and MicroStrategy products, and that the link is functioning as required.

You must complete all of the following steps to ensure proper configuration of your authentication provider and MicroStrategy products.

Creating a User in Your Third-Party Authentication System

You can enable SSO authentication in MicroStrategy by associating a MicroStrategy user to a user in Tivoli, SiteMinder, PingFederate or Oracle Access Manager. To test this association, you must create a user in your authentication system to confirm that access has been properly configured in MicroStrategy products.

For steps to create a new user, refer to your authentication provider's documentation.

Creating a Link to MicroStrategy Applications in Your Third-Party Authentication System

You link Tivoli to MicroStrategy applications using junctions, SiteMinder using Web Agents, and Oracle Access Manager using Webgates. These links redirect users from the respective provider to MicroStrategy, and are required to enable SSO authentication. You must create one link each, as applicable, for MicroStrategy Web, MicroStrategy Mobile, and MicroStrategy Web Services to support MicroStrategy Office.

Oracle Access Manager authentication is only available for MicroStrategy Web.

For steps to create a junction (in Tivoli), a Web Agent (in SiteMinder), or a Webgate (Oracle Access Manager), refer to the product's documentation.

Enabling Single Sign-On Authentication to MicroStrategy Web, Mobile, or Office

Once the initial third-party authentication setup is complete, you must enable trusted authentication in MicroStrategy Web, Mobile or Office, and establish trust between the MicroStrategy product and Intelligence Server. This allows the authentication token to be passed from one system to the other.

Note that for MicroStrategy Web Services to support MicroStrategy Office, you must establish trust between Office and the Intelligence server, and enable trusted authentication in the configuration files for Web Services.

This section explains the following required steps to enable SSO authentication in MicroStrategy Web, Mobile, or Web Services:

• Enabling Trusted Authentication in MicroStrategy Web, page 311

• Enabling Trusted Authentication in MicroStrategy Mobile, page 313

• Establishing Trust Between MicroStrategy Web or Mobile and Intelligence Server, page 314

• Establishing Trust Between MicroStrategy Web Services and Intelligence Server, to Support MicroStrategy Office, page 318

• Enabling Trusted Authentication in MicroStrategy Web Services to Support MicroStrategy Office, page 320

If you use Internet Information Services (IIS) as your web server for MicroStrategy Web or Web Services, you must enable anonymous authentication to the MicroStrategy virtual directories to support SSO authentication to MicroStrategy Web, Mobile, or Office. This is discussed in Enabling Anonymous Authentication for Internet Information Services, page 322.

Enabling Trusted Authentication in MicroStrategy Web

To enable users to log in to MicroStrategy Web using SSO authentication, you must enable trusted authentication as an available authentication mode in MicroStrategy Web.

To Enable Trusted Authentication in MicroStrategy Web

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Web Administrator.

2. On the left side of the page, click Default Properties.

3. Scroll down to the Login area and, under Login mode, select the Enabled check box next to Trusted Authentication Request. Also select the Default option next to Trusted Authentication Request, as shown below:

4. From the Trusted Authentication Providers drop-down list, select IBM Tivoli Access Manager, CA SiteMinder, PingFederate, or Oracle Access Manager.

To use a custom authentication provider, select Custom SSO. For information about adding custom authentication providers, refer to your MicroStrategy SDK documentation.

5. Click Save.

Using Certificate Authentication with SiteMinder

CA SiteMinder can be configured to use either certificate authentication or basic authentication. MicroStrategy Web's siteminder_security.properties file indicates that the first SiteMinder header variable to be used is SM_UNIVERSALID. This variable provides information for certificate authentication. If this variable is empty, then the information in the variable SM_USER is used for basic authentication. For information about configuring your SiteMinder system to use certificate authentication, see the SiteMinder documentation.

Enabling Trusted Authentication in MicroStrategy Mobile

To enable users to log in to MicroStrategy Mobile using SSO authentication, you must enable trusted authentication as an available authentication mode in MicroStrategy Mobile. For instructions on configuring mobile devices to use trusted authentication, refer to the Administering MicroStrategy Mobile section in the MicroStrategy Mobile Administration Guide.

To Enable Trusted Authentication in MicroStrategy Mobile

1. From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Mobile Administrator.

2. On the left side of the page, click Default Properties.

3. From the Trusted Authentication Providers drop-down list, select IBM Tivoli Access Manager, CA SiteMinder, PingFederate, or Oracle Access Manager.

To use a custom authentication provider, select Custom SSO. For information about adding custom authentication providers, refer to your MicroStrategy SDK documentation.

4. Click Save.

To create a mobile configuration to send to users' mobile devices, refer to the Administering MicroStrategy Mobile section in the MicroStrategy Mobile Administration Guide.

Establishing Trust Between MicroStrategy Web or Mobile and Intelligence Server

To enable the authentication token to pass from your third-party authentication provider to MicroStrategy Web or Mobile, and then to Intelligence Server, a trust relationship must be established between MicroStrategy Web or Mobile and Intelligence Server. The steps to establish trust are described below.

If you need to delete an established trust relationship, see To Delete a Trust Relationship, page 317.

If you are using multiple Intelligence Server machines in a cluster, you must first set up the cluster, as described in Chapter 9, Clustering Multiple MicroStrategy Servers, and then establish trust between Web or Mobile Server and the cluster.

To establish trust between MicroStrategy Web or Mobile and Intelligence Server, you must have the following privileges:

• Bypass all object security access checks

• Configure security settings

• Enable Intelligence Server administration from Web

• Web administration

For information on assigning privileges to users, see Chapter , Controlling Access to Functionality: Privileges.

To Establish Trust Between MicroStrategy Web or Mobile and Intelligence Server

1. Open MicroStrategy Web Administrator or MicroStrategy Mobile Administrator, as applicable:

• From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Web Administrator.

• From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Mobile Administrator.

2. On the left, click Servers.

3. Confirm that MicroStrategy Web or Mobile Server is currently connected to an Intelligence Server. If an Intelligence Server is not connected, in the Unconnected Servers table, under Action, click Connect for the appropriate Intelligence Server.

4. In the Connected Servers table, under Properties, click the Modify icon.

5. Next to Trust relationship between Web/Mobile Server and MicroStrategy Intelligence Server, as applicable, click Setup.

6. Type a User name and Password in the appropriate fields. The user must have administrative privileges for MicroStrategy Web or Mobile, as applicable.

7. From the options provided, select the authentication mode used to authenticate the administrative user.

8. In the Web Server Application or Mobile Server Application field, type a unique name for the trust relationship.

For example, you can use the URLs for the applications using Tivoli, as follows:

MicroStrategy Web:
https://MachineName/JunctionName/MicroStrategy/asp

MicroStrategy Mobile:
https://MachineName/JunctionName/MicroStrategyMobile/asp

9. Click Create Trust Relationship.

10. Click Save.

To Verify the Trust Relationship

1. From the Windows Start menu, point to All Programs, then MicroStrategy Products, and then select Developer.

2. Log in to a project source as a user with administrative privileges.

3. From the Administration menu, point to Server, and then select Configure MicroStrategy Intelligence Server.

4. On the left, expand the Web Single Sign-on category, and verify that the trusted relationship is listed in the Trusted Web Application Registration list.

5. Click OK.

To Delete a Trust Relationship

1. Open MicroStrategy Web Administrator or MicroStrategy Mobile Administrator, as applicable:

• From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Web Administrator.

• From the Windows Start menu, point to All Programs, then MicroStrategy Tools, and then select Mobile Administrator.

2. On the left, click Servers.

3. Confirm that MicroStrategy Mobile is currently connected to an Intelligence Server. If an Intelligence Server is not connected, in the Unconnected Servers table, under Action, click Connect for the appropriate Intelligence Server.

4. In the Connected Servers table, under Properties, click the Modify icon.

5. Next to Trust relationship between MicroStrategy Web/Mobile Server and MicroStrategy Intelligence Server, as applicable, click Delete.

6. Provide your login information in the appropriate fields.

7. Click Delete trust relationship.

8. Click Save.

Establishing Trust Between MicroStrategy Web Services and Intelligence Server, to Support MicroStrategy Office

To establish trust between MicroStrategy Office and Intelligence Server, you must use MicroStrategy Office to connect to the project source you want to use trusted authentication for, and then establish the trust relationship between Office and the Intelligence Server. Once you have completed this step, you must edit the projectsources.xml file for Web Services to enable trusted authentication for the project source. Both procedures are described below.

To Establish Trust Between MicroStrategy Web Services and Intelligence Server

1. On a machine where MicroStrategy Office is installed, open a Microsoft Office product, such as Excel.

2. In the Microsoft Office ribbon, under the MicroStrategy Office tab, click MicroStrategy Office. MicroStrategy Office starts, with a list of project sources you can connect to.

3. From the list of project sources on the left, select the project source you want to enable trusted authentication for.

4. In the right pane, enter the login ID and password for a user with administrative privileges, and click Get Projects. A list of projects is displayed.

5. Select any project, and click OK.

6. In the MicroStrategy Office toolbar, click Options.

7. Under the General category, select Server.

8. Next to Trust relationship between Web Services and Intelligence Server, click Create.

To Use the Third-Party Authentication URL for Web Services

1. In the Web Services URL field, enter the URL for the Tivoli Junction or SiteMinder Web Agent, as applicable, that you created for MicroStrategy Web Services.

2. Click OK.

Enabling Trusted Authentication in MicroStrategy Web Services to Support MicroStrategy Office

To allow users to log in to MicroStrategy Office using single sign-on (SSO), you must do the following:

• Edit the web.config file for Web Services or MWSConfig.properties file for J2EE application servers, to choose a trusted authentication provider.

• Edit the projectsources.xml file for MicroStrategy Web Services and configure the project source to use a third-party security plug-in. For additional information on the settings in the projectsources.xml file, refer to the Installing and Administering MicroStrategy Office section in the MicroStrategy for Office Online Help.

You need administrative access to the machine where MicroStrategy Web Services is installed.

To Enable Trusted Authentication in MicroStrategy Office

To Choose a Trusted Authentication Provider

1. Depending on your Web Services environment, on the machine where MicroStrategy Web Services is installed, do one of the following:

• If you are using IIS as your application server, open the web.config file in a text editor, such as Notepad. By default, the file is located in C:\Program Files (x86)\MicroStrategy\Web Services.

• If you are using Web Services in a J2EE-compliant application server, open the MWSConfig.properties file in a text editor, such as Notepad. By default, the file is located in the folder where your application server deploys Web Services.

2. Depending on your Web Services environment, do the following:

3. In the web.config file, locate the following line:

<add key="TRUSTEDAUTHPROVIDER" value="1" />

4. In the MWSConfig.properties file, locate the following line:

TRUSTEDAUTHPROVIDER=1

5. Change value or TRUSTEDAUTHPROVIDER, as applicable, to one of the following, as applicable:

• To use Tivoli as the authentication provider, type 1.

• To use SiteMinder as the authentication provider, type 2.

• To use a custom authentication provider, type 3.

If you are using a custom authentication provider, you must make additional modifications to the custom_security.properties file, which is located by default in C:\Program Files (x86)\MicroStrategy\Web Services\resources. For information on these modifications, refer to the MicroStrategy Developer Library (MSDL).

To Configure Web Services to Use Trusted Authentication

1. On the machine where MicroStrategy Web Services is installed, open the projectsources.xml file in a text editor, such as Notepad. By default, the file is located in C:\Program Files (x86)\MicroStrategy\Web Services.

2. In the projectsources.xml file, locate the <ProjectSource> tag describing the project source you want to enable SSO for.

3. In the <ProjectSource> tag, replace the content of the <AuthMode> tag with MWSSimpleSecurityPlugin. The contents of the new <ProjectSource> tag should appear similar to the following:

<ProjectSource>
  <ProjectSourceName>Name</ProjectSourceName>
  <ServerName>Name</ServerName>
  <AuthMode>MWSSimpleSecurityPlugIn</AuthMode>
  <PortNumber>0</PortNumber>
</ProjectSource>

4. Save projectsources.xml.
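The following is an added example, not MicroStrategy code: a Python check that reads the three files edited in the two procedures above and compares them with the SSO design you intended. The sample file contents, the project source names, the <ProjectSources> root element, the <appSettings> wrapper and the non-trusted AuthMode placeholder are constructed assumptions; only the TRUSTEDAUTHPROVIDER codes and the MWSSimpleSecurityPlugIn value come from this guide.

```python
"""Audit MicroStrategy Web Services trusted-authentication settings (added example)."""
import xml.etree.ElementTree as ET

# Provider codes exactly as the guide lists them for TRUSTEDAUTHPROVIDER.
PROVIDERS = {"1": "Tivoli", "2": "SiteMinder", "3": "Custom"}
# AuthMode value as it appears in the guide's <ProjectSource> listing.
TRUSTED_AUTH_MODE = "MWSSimpleSecurityPlugIn"


def provider_from_web_config(text):
    """Return the TRUSTEDAUTHPROVIDER value from web.config text, or None."""
    for add in ET.fromstring(text).iter("add"):
        if add.get("key") == "TRUSTEDAUTHPROVIDER":
            return (add.get("value") or "").strip()
    return None


def provider_from_properties(text):
    """Return the TRUSTEDAUTHPROVIDER value from MWSConfig.properties text, or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comments
        key, sep, val = line.partition("=")
        if sep and key.strip() == "TRUSTEDAUTHPROVIDER":
            value = val.strip()  # a later assignment overrides an earlier one
    return value


def project_source_modes(text):
    """Map each ProjectSourceName to its AuthMode from projectsources.xml text."""
    modes = {}
    for ps in ET.fromstring(text).iter("ProjectSource"):
        name = (ps.findtext("ProjectSourceName") or "").strip()
        modes[name] = (ps.findtext("AuthMode") or "").strip()
    return modes


def audit(provider_value, modes, expected_provider, expected_sso_sources):
    """Return a list of differences between deployed settings and the plan."""
    findings = []
    if provider_value not in PROVIDERS:
        findings.append(f"provider: value {provider_value!r} is not 1, 2 or 3")
    elif provider_value != expected_provider:
        wanted = PROVIDERS.get(expected_provider, expected_provider)
        findings.append(
            f"provider: set to {PROVIDERS[provider_value]}, expected {wanted}")
    for name, mode in sorted(modes.items()):
        trusted = mode.lower() == TRUSTED_AUTH_MODE.lower()
        if trusted and mode != TRUSTED_AUTH_MODE:
            findings.append(
                f"{name}: AuthMode {mode!r} differs in case from {TRUSTED_AUTH_MODE!r}")
        if trusted and name not in expected_sso_sources:
            findings.append(f"{name}: trusted authentication enabled but not planned")
        if not trusted and name in expected_sso_sources:
            findings.append(f"{name}: planned for SSO but AuthMode is {mode!r}")
    for name in sorted(set(expected_sso_sources) - set(modes)):
        findings.append(f"{name}: planned for SSO but missing from projectsources.xml")
    return findings


# Constructed sample inputs (not taken from a real installation).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="TRUSTEDAUTHPROVIDER" value="2" />
  </appSettings>
</configuration>"""

SAMPLE_PROPERTIES = "# constructed sample\nTRUSTEDAUTHPROVIDER=1\n"

SAMPLE_PROJECT_SOURCES = """<ProjectSources>
  <ProjectSource>
    <ProjectSourceName>Finance</ProjectSourceName>
    <ServerName>iserver01</ServerName>
    <AuthMode>MWSSimpleSecurityPlugIn</AuthMode>
    <PortNumber>0</PortNumber>
  </ProjectSource>
  <ProjectSource>
    <ProjectSourceName>Sandbox</ProjectSourceName>
    <ServerName>iserver02</ServerName>
    <AuthMode>MWSSimpleSecurityPlugin</AuthMode>
    <PortNumber>0</PortNumber>
  </ProjectSource>
  <ProjectSource>
    <ProjectSourceName>HR</ProjectSourceName>
    <ServerName>iserver01</ServerName>
    <AuthMode>OTHER_MODE_PLACEHOLDER</AuthMode>
    <PortNumber>0</PortNumber>
  </ProjectSource>
</ProjectSources>"""

if __name__ == "__main__":
    deployed = project_source_modes(SAMPLE_PROJECT_SOURCES)
    plan = {"Finance", "HR"}  # project sources meant to use SSO
    for line in audit(provider_from_web_config(SAMPLE_WEB_CONFIG), deployed, "1", plan):
        print(line)
```

The case comparison is there because the procedure text and the sample listing in this guide spell the AuthMode value with different capitalization; the check reports any value that differs from the listing so you can confirm which spelling your installation accepts.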

Enabling Anonymous Authentication for Internet Information Services

If you use Internet Information Services (IIS) as your web server, you must enable anonymous authentication to the MicroStrategy virtual directory to support SSO authentication to MicroStrategy Web, Web Services or Mobile.

The steps to perform this configuration, which may vary depending on your version of IIS, are provided below. Click here to find more information about using anonymous authentication with IIS.

• IIS 7

• IIS 8

• IIS 10

You cannot use Windows authentication to authenticate users in MicroStrategy Web or Mobile if you enable anonymous authentication to the MicroStrategy virtual directory in IIS. The steps below should only be used as part of an SSO authentication solution with Tivoli.

To Configure IIS to Enable Anonymous Authentication to the MicroStrategy Web, Web Services, and Mobile Virtual Directories

1. On the MicroStrategy Web server machine, access the IIS Internet Service Manager.

2. Browse to and right-click the MicroStrategy virtual folder and select Properties.

3. On the Directory Security tab, under Anonymous access and authentication control, click Edit.

4. Select the Allow anonymous access check box.

5. Click OK.

6. Click OK.

7. To enable anonymous authentication to MicroStrategy Web Services, repeat the above procedure for the MicroStrategyWS virtual directory.

8. To enable anonymous authentication to MicroStrategy Mobile, repeat the above procedure for the MicroStrategyMobile virtual directory on the Mobile Server machine.

9. Restart IIS for the changes to take effect.

Importing and Linking Third-Party Authentication Users in MicroStrategy

For third-party authentication users to access MicroStrategy applications, the users must be granted MicroStrategy privileges. Whether the LDAP DN is sent in the request to Intelligence Server is configured when the Tivoli junction or SiteMinder Web Agent is created. For details about creating a junction or Web Agent, refer to your Tivoli or SiteMinder documentation.

A Tivoli or SiteMinder user can be:

• Imported as a new MicroStrategy user upon logging in to MicroStrategy Web, which assigns the user privileges that are defined for the MicroStrategy user. For steps to perform this configuration, see Importing Tivoli Users as MicroStrategy Users, page 324.

• Allowed guest access to MicroStrategy Web. The Tivoli user inherits the privileges of the Public/Guest group in MicroStrategy. Guest access to MicroStrategy Web is not necessary for imported or linked Tivoli users. For steps to perform this configuration, see Enabling Guest Access to MicroStrategy Web or Mobile for Tivoli Users, page 326.

A Tivoli or SiteMinder user can also be associated with an existing MicroStrategy user, using the MicroStrategy User Editor. Associating Tivoli users rather than enabling Tivoli users to be imported when they log in to MicroStrategy Web enables you to assign MicroStrategy privileges and other security settings for the user prior to their initial login. For steps to perform this configuration, see Linking Tivoli Users to Existing MicroStrategy Users, page 325.

If a Tivoli or SiteMinder user has already been imported into MicroStrategy, and a MicroStrategy user has been associated with the Tivoli or SiteMinder user, the MicroStrategy metadata is synchronized with the information from the user directory, such as the LDAP server. The way this synchronization takes place depends upon several factors.

Importing Tivoli Users as MicroStrategy Users

When MicroStrategy is configured to import a Tivoli user, the Tivoli user is imported as a MicroStrategy user the first time that the user logs in to MicroStrategy Web after the configuration is completed. A Tivoli user is imported into MicroStrategy only if the Tivoli user has not already been imported as or associated with a MicroStrategy user.

When a Tivoli user is imported into MicroStrategy:

• The Tivoli user name is imported as the trusted authentication request user ID for the new MicroStrategy user.

• The MicroStrategy user is added to the Everyone group by default. If no privileges are defined through a user directory such as LDAP, then the imported user inherits the privileges associated with the MicroStrategy Everyone group.

• Security privileges are not imported from Tivoli; these must be defined in MicroStrategy by an administrator.

To Import Tivoli Users as MicroStrategy Users

1. From the Windows Start menu, point to All Programs, then MicroStrategy Products, and then select Developer.

2. Log in to a project source as a user with administrative privileges.

3. From the Administration menu, point to Server, and then Configure MicroStrategy Intelligence Server.

4. On the left, expand the Web Single Sign-on category.

5. On the right, select the Import user at login check box.

6. Click OK.

Linking Tivoli Users to Existing MicroStrategy Users

As an alternative to importing users, you can link (or associate) Tivoli users to existing MicroStrategy users to retain the existing privileges and configurations defined for the MicroStrategy users. Linking Tivoli users rather than enabling Tivoli users to be imported when they log in to MicroStrategy Web enables you to assign privileges and other security settings for the user prior to their initial login.

To Link Tivoli Users to Existing MicroStrategy Users

1. From the Windows Start menu, point to All Programs, then MicroStrategy Products, and then select Developer.

2. Log in to a project source as a user with administrative privileges.

3. In the folder list on the left, expand Administration, and then expand User Manager.

4. Browse to the MicroStrategy user to link to a Tivoli user.

5. Right-click the user and select Edit.

6. Expand Authentication, then select Metadata.

7. Under Trusted Authentication Request, in the User ID field, type the Tivoli user name to link to the MicroStrategy user.

The name you type in the User ID field should be the same as the one that the user employs when providing their Tivoli login credentials.

8. Click OK.

Enabling Guest Access to MicroStrategy Web or Mobile for Tivoli Users

If you choose to not i mport or l i nk Ti vol i users to a Mi croStrategy


user, you can enabl e guest access to Mi croStrategy Web for the Ti vol i
users. Guest users i nheri t thei r pri vi l eges from the Mi croStrategy
Publ i c/Guest group.


Logging in to MicroStrategy Web Using Tivoli Single Sign-On

Once all of the preliminary steps have been completed and tested, users may begin to sign in to MicroStrategy using their Tivoli credentials. Sign-on steps are provided in the procedure below.

To Log in to MicroStrategy Web Using Tivoli Single Sign-On

1. Open a web browser.

2. Type the following URL in the address field:

https://MachineName/JunctionName/MicroStrategyWebURL

Where the variables in italics are as follows:

• MachineName is the name of the machine running Tivoli.

• JunctionName is the name of the junction created in Tivoli.

• MicroStrategyWebURL is the URL to access MicroStrategy Web. For example, MicroStrategy/asp.

3. Type your Tivoli user name and password.

4. Connect to a MicroStrategy project.

5. Click Trusted Authentication.

You are logged in to the MicroStrategy project with your Tivoli user credentials.

If you are prompted to display both secure and non-secure items on the web page, you can configure your web browser to hide this warning message. Refer to your web browser documentation regarding this configuration.


Enabling Badge Authentication for Web and Mobile

If you use an LDAP directory to centrally manage users in your environment, you can add them to your Identity network, and allow them to log into MicroStrategy Web or Mobile by using their badges from MicroStrategy Badge.

The users in your LDAP directory can log into MicroStrategy Web by:

• Scanning a QR code using the Badge app on their smart phones, if Badge is configured as the primary authentication method.

• Supplementing their user name and password with a numerical Badge Code that is provided via the Badge app on their smart phones, if Badge is configured as the second factor of authentication.

The high-level steps to enable Badge authentication for Web and Mobile are as follows:

1. Set up an Identity network. Your network is the group of users in your organization who can use the Badge app on their smart phone to validate their identity to log into MicroStrategy. For steps, see the Identity Help.

2. Add your LDAP directory to your Identity network. For steps to add your LDAP directory to Identity, see the Identity Help.

3. If you are importing users from LDAP, connect LDAP by leveraging the connection between LDAP and your MicroStrategy Identity Server. Alternatively, you can manually connect your LDAP directory to MicroS