OBIEE SSO enabling and role based reporting
Hi,
I have already installed SOA 10.1.3.1.0 and OBIEE 10.1.3.4.0 on Windows. I understand that I need to install the 10.1.4 infrastructure to enable SSO in OBIEE. Can you please tell me what the 10.1.4 infrastructure is? Is it equivalent to Oracle Identity Management Infrastructure and Oracle Identity Federation 10.1.4? I have been trying to download it from OTN since last night, but the page is always inaccessible. Where can I download the 10.1.4 infrastructure other than from OTN?
I have another question regarding role based reporting with SSO. We want users to see different reports based on their roles once they log in. What options do we have to implement this? From my understanding, we need to maintain a user-role mapping table in our database, create groups in OBIEE and map the user roles to the groups in OBIEE. Is that right? Are there other options? Is there an existing product we can use to implement this?
Thanks,
Meng
Have a look at page 137 onwards: http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf
Similar Messages
-
We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
We are trying to use our portal as a kind of web VPN. We also want to use strong access control. Are there any ideas other than using SSL VPNs?
-thanks
1. You can configure your portal on HTTPS (SSL). That keeps it on a secure SSL layer.
2. Have SSO to distinguish between authenticated_users (logged-in users like your employees, partners, etc.) and un-authenticated_users (guests).
3. Use Groups to translate roles for your users, i.e. make Groups for your users based on what you called roles in your message.
4. Assign the access privileges available in the portal for pages and portal objects to these Groups according to your needs.
I don't think a VPN will be needed when you have an extranet portal (as you hinted at Internet access for guests).
You can have darn strong access control using this mechanism.
Hope that helps!
AMN -
Privileges and Roles Based Views
Hello,
I have been configuring Role-Based Views with Windows RADIUS authentication on our 2960s and 3750s and it is working great. I have 2 users, one with a Role-Based View called "priv3" and the other for admins logging in as the "root" view. I have one Windows Active Directory group for "priv3" users and another for admins using "root".
Now I have to configure this on our 2955 switches and, to my horror, they don't seem to support Role-Based Views!! If you know whether they can, then all this would be solved; I'm using the latest IOS, c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Role-Based Views to privilege levels and use RADIUS without affecting the other switches, as I've never used privilege levels?
I hope someone can help with the config.
Below is the config I use on the 2960s and 3750s and also what I use on the RADIUS servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
DBelt
-
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3 PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4 PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
NEXTVAL
1
-
AAA and Role based access (NPS)
Hi
I authenticate all my Cisco switches and routers with AAA + NPS + AD.
A server runs the NPS service with the Cisco attribute shell:priv-lvl=15 or 5, depending on the AD group.
But I'd like to configure role-based access with IOS views.
When I issue the enable view command, I get
Password:
I tried with my AD password and with the configured enable password, and always get
% Authentication failed
My line vty config:
line vty 0 4
authorization exec VTY-AAA
login authentication VTY-AAA
transport input ssh
Have you gone through the parser view configuration example listed below? Please check here.
View authentication is performed by an external authentication server via the new attribute "cli-view-name", so you need to use the cisco-av-pair cli-view-name=xxxx.
AAA authentication associates only one view name with a particular user; that is, only one view name can be configured for a user in an authentication server.
If you still have any issues, run debug parser view and share the output; I'll try to help.
~BR
Jatin Katyal
**Do rate helpful posts** -
Difference between ID and Role based Administration - Firefighter 5.3
In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
1. Firefighter Role based Administration
2. Firefighter ID based Administration
Can someone explain what is the difference between the two?
I have read the documentation, but it does not have a clear description of the
differences between the two.
Please help.
Thanks
Hi Prakash,
Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitoring, they differ as follows:
1. Firefighter Role based Administration
You identify a particular role as a firefighter role and give it to the user.
2. Firefighter ID based Administration
You create a separate user altogether and give the normal dialog user access to this user's authorizations.
For the implications that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of mock testing of both. Also, there are a lot of posts related to this on the forum already, which you can refer to for a more detailed idea on this topic. Ultimately, it depends on the organization which methodology they follow, according to what suits them and the features each has. But generally what is preferred is Number 2.
Regards,
Hersh. -
OBIEE Cache clear and refresh of reports from DAC
Hi All,
I have an existing process where the OBIEE cache clear and Dashboard report refresh happen from DAC.
But the issue is that the two do not happen in parallel: both tasks are kept in a single text file and called from a batch file from DAC. Below is the code:
nqcmd -d AnalyticsWeb -u Administrator -p SADMIN -s D:\OracleBI\server\Bin\PurgeAllCache.txt
So I want to make them run in parallel so that the cache clear and the refresh of reports happen at the same time. In order to achieve this, do I need to create separate batch files, or can I manage it by changing the above command?
Please suggest.
Can you share the code in the file PurgeAllCache.txt?
There might be some issue with the code; make sure you use ';' after each statement.
Or else use 2 files and 2 commands to execute them.
Pls mark if helps -
Sales hierarchy, role based reports and Data access, Best practice and sol
Dear all,
Currently working on a solution for Sales. There is a geography and sales position hierarchy,
e.g. (USA, EU, ASIA) --> EU head --> UK head --> Northern UK head --> London head --> East London --> Postal codes in East London.
So altogether 7 roles and 7 positions; all these users can see data at their level and below.
Also the summary report / prompts / subject area columns for each of these users must be at their corresponding level and just 1 level below,
e.g. the EU head by default must see column EU and country UK, the UK head will see the report only for UK and the Northern UK region, and so on.
After lots of thinking I am planning to take the approach of creating 6 sets of similar dashboards / different prompts / different global filters / reports.
Data level access is not an issue at all; I am easily able to manage it.
Requesting experts to guide me: is there any other better approach to take for objects in the catalog?
many thanks in advance.
Regards,
Yogen
Dear Srini,
Data level security is not an issue for me at all. I have already implemented it and so far not a single bug has been caught in testing.
It's about object level security, and that too for 6 different types of user demanding different reports, i.e. the columns and detailed drill-downs are different.
Again, these 6 types of users can be read-only users or power users (who can do ad hoc analysis), maybe BICONSUMER and BIAUTHOR.
So I need help regarding that, as we have to take a decision soon.
thanks,
Yogen -
Hi All,
I have created three roles A,B,C and some reports.
How can I restrict report links as
Role A- Analyze, Edit, Refresh, Print, Export, Add to Briefing Book, Copy
Role B- Analyze, Refresh, Export, Add to Briefing Book
Role C- Analyze, Refresh
Help me as soon as possible.
Thanks in advance.
Haree
Hi,
Create three different sections for these reports in dashboard edit. Now
provide access to section 1 for Role A,
provide access to section 2 for Role B,
provide access to section 3 for Role C.
Provide the respective privileges as per your requirement in Administration > Manage Privileges and also in the properties of the report in the dashboard section.
So each Role C user can only see section 3 in the dashboard and will only have access to Analyze and Refresh.
Got it?
Thanks
Jay. -
NxOS and Role Based Authorization
Guys,
Basic setup - using the default user admin I log in with no problems; commands such as show mod and config changes, no problem: role =
network-admin
I create a user account with the same role as the admin user and I cannot issue the same commands - permission denied?
Stumped - any ideas what's missing here?
Thanks
Out of desperation, I tried combinations of shorter usernames, similar to the admin username.
The result - for whatever reason it seems (I cannot confirm as such) that if you use usernames in excess of 8 characters for local authentication you cannot get full network-admin role privileges,
even though when you do a show user-account, it displays your full username and the correct role.
It seems almost as if the authentication element works, but the role categorisation seems to fail for whatever reason (what I would call authorisation).
Feels like a bug to me; anyway, putting it on TACACS tomorrow, hopefully with different results.
I am running 4.2(1)SV1(4) on a Nexus 1000V. I hope this saves you some time.
Apologies if this is a known issue or "feature" - but I was not aware of it. -
XWS-Security, JAAS and role-based authorization
What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, which connects to a web application B implementing Web Services and XWSS.
A passes along the UsernameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every web service? What are my other alternatives besides JAAS?
Thanks in advance.
Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?
-
OIM 11.1.1.5 provisioning role based objectclasses and attributes
TL;DR: you can't provision some attributes in our LDAP directory without the objectclass, and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user already having been created.
Some background:
I have configured our OIM 11.1.1.5 instance and LDAP connector to provision ODSEE. At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them. In ODSEE, sets of attributes are allowed through objectclasses for each 'Role', i.e. Student, Employee, Guest, etc. objectclasses. I have all of the roles identified in OIM and can map them to an objectclass in LDAP.
My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations?
Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
Should I create a child form containing the objectclasses and try to provision them?
Can/should I create a child form for each set of attributes by role? Common attributes in the LDAP_USR form and role based attributes in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc. Would prepop and the rest of the main form functions work the same?
Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
Any help will be greatly appreciated, and thank you in advance.
It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
There may be a smarter and more out of the box way to do it but this will work.
Martin -
Making users available for OpenSSO realm group and role assignment?? Help.
Here is the situation. We have 3 OpenSSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal and OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
Here is the behavior that manifests.
In the 2 'broken' realms, when we create users and assign them to the appropriate OpenSSO realm, they appear to be provisioned correctly in IDM as well as in the realm (we have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users cannot be unassigned, nor can any others. Note: our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
The third realm, OpenSSO-Admin, works fine and we can add and manage users in the groups and roles within the realm.
We have ruled out the workflow as a source, as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'broken' realms, the users do not appear in the list of available users to be assigned to the groups or roles. Yet in the 'good' realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
I have tried reconciling and get no different results.
The question is: we have isolated that the issue seems to be in the generation / management of the left-hand "Available Users" list. How and where is this generated, and how can we check/fix or regenerate this list?
Thanks.
Joe
I should clarify. We are using Sun IDM 8.1.
-
HI Experts,
I have come across a few questions about role-based visibility for OBIEE reports and dashboards. Can anyone please let me know what exactly this is and, if possible, provide some pointers?
Thanks in Advance.
VR
Have a look at page 137 onwards: http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf
-
Unable to make OBIEE components SSO enabled
Hi,
I have installed OBIEE 10.1.3.4 in a Windows environment.
I tried to SSO-enable all the components that come within the OC4J of the cluster (ascontrol, BI Office, ...).
From the OC4J instance admin security provider section, I checked all these applications to use SSO and JAZN (file based user repository).
This way only the Application Server (ascontrol) got SSO enabled, not the other components in the OC4J. Am I missing something?
Thanks
Saikrishna
Thank you very much for the reply.
After doing a little research I found out that somehow I need to use SSPI to get the user credentials.
I have no idea how I can use SSPI in Java. Please let me know if you know about any third party DLL that does this. Do I need to use JNI to use SSPI in Java code?
Thanks. -
We are running through a scenario where user1 is assigned to role1 and runs a report, and after a couple of minutes user1 is assigned to role2 and runs the same report. In the 2nd run I see an error in the saw log: even though there is a presentation server cache entry that was generated by user1 in the previous run, it is not shared with the same user if his roles have changed. Is this expected behaviour? By the way, we don't have any row level security, just object level.
[2014-01-20T08:11:54.000-07:00] [OBIPS] [ERROR:31] [] [saw.views.dashboard] [ecid: 2f571434fbbd5490:72a3494e:14398c832ad:-8000-0000000000daa36e,0:1] [tid: 1545778944] Invalid request ID (ml75inai8rfs23tn9ih04bh236). The request you are attempting to access has either expired or is from a previous logon.[[
File:reportquerycache.cpp
Line:68
Location:
saw.views.dashboard
saw.httpserver.processrequest
saw.rpc.server.responder
saw.rpc.server
saw.rpc.server.handleConnection
saw.rpc.server.dispatch
saw.threadpool.socketrpcserver
saw.threads
SessionID: hjhbcvfak396tc89uuu550g8bgv75v2rshv2oeq
Thanks for your help
Srix
The variable DISABLE_CACHE_HIT is used to enable or disable Oracle BI Server result cache hits and not the presentation server cache, so the behavior seems to be correct. You can manage the presentation server cache settings in the instanceconfig.xml file. Refer to the documentation below to understand the parameters you can configure: http://docs.oracle.com/cd/E21764_01/bi.1111/e10541/querycaching.htm#i1218900
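The OBIPS entry quoted in this thread is in Oracle Diagnostic Logging (ODL) text format: bracketed header fields, the message, then a multi-line [[ ... ]] detail block. As an added example (not part of the original thread and not Oracle's code), the Python below parses such records and filters for the expired-request error by module and message; SAMPLE_LOG is constructed from the thread's entry (with its closing "]]" restored) plus one made-up NOTIFICATION record.

```python
"""Parse OBIPS ODL log records and flag the "Invalid request ID" errors.
Added example, not Oracle's code; SAMPLE_LOG is constructed from the thread's entry."""
import re
from typing import Dict, List

# One ODL record: bracketed header fields, a free-text message and an optional
# "[[ ... ]]" supplemental block that may span several lines.
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<component>[^\]]*)\]\s+"
    r"\[(?P<level>[A-Z]+)(?::(?P<level_num>\d+))?\]\s+\[[^\]]*\]\s+"
    r"\[(?P<module>[^\]]*)\]\s+(?P<attrs>(?:\[[^\]]*\]\s*)*)"
    r"(?P<message>.*?)(?:\[\[(?P<detail>.*)\]\])?\s*$", re.DOTALL)
ATTR_RE = re.compile(r"\[([^:\]]+):\s*([^\]]*)\]")      # [ecid: ...] [tid: ...]
SPLIT_RE = re.compile(r"(?=^\[\d{4}-\d{2}-\d{2}T)", re.MULTILINE)  # record start
REQUEST_ID_RE = re.compile(r"Invalid request ID \(([^)]+)\)")


def parse_detail(detail: str) -> Dict[str, object]:
    """Pull File/Line/SessionID and the call-stack frames listed under Location:."""
    out: Dict[str, object] = {"location": []}
    in_location = False
    for raw in detail.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if sep and key == "Location":
            in_location = True
        elif sep and key in ("File", "Line", "SessionID"):
            in_location = False
            out[key.lower()] = int(value) if key == "Line" else value.strip()
        elif line and in_location:
            out["location"].append(line)          # one stack frame per line
    return out


def parse_odl(text: str) -> List[Dict[str, object]]:
    """Split a log into records and parse each one into a flat dict."""
    records = []
    for chunk in SPLIT_RE.split(text):
        m = RECORD_RE.match(chunk.strip())
        if not m:
            continue                              # empty leading fragment
        rec: Dict[str, object] = m.groupdict()
        rec["level_num"] = int(rec["level_num"]) if rec["level_num"] else None
        rec["attrs"] = dict(ATTR_RE.findall(rec["attrs"]))
        rec["message"] = rec["message"].strip()
        rid = REQUEST_ID_RE.search(rec["message"])
        rec["request_id"] = rid.group(1) if rid else None
        detail = rec.pop("detail")
        if detail:
            rec.update(parse_detail(detail))
        records.append(rec)
    return records


def expired_request_errors(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The thread's symptom: ERROR from saw.views.dashboard citing a request ID that
    is no longer valid for the session (cached request not reused after role change)."""
    return [r for r in records if r["level"] == "ERROR"
            and r["module"] == "saw.views.dashboard" and r["request_id"]]


# Constructed sample: one made-up NOTIFICATION record, then the thread's ERROR record.
SAMPLE_LOG = """\
[2014-01-20T08:11:50.000-07:00] [OBIPS] [NOTIFICATION:1] [] [saw.sawserver] [ecid: constructed-ecid-0001,0] [tid: 1545778944] Constructed filler record: presentation services started.
[2014-01-20T08:11:54.000-07:00] [OBIPS] [ERROR:31] [] [saw.views.dashboard] [ecid: 2f571434fbbd5490:72a3494e:14398c832ad:-8000-0000000000daa36e,0:1] [tid: 1545778944] Invalid request ID (ml75inai8rfs23tn9ih04bh236). The request you are attempting to access has either expired or is from a previous logon.[[
File:reportquerycache.cpp
Line:68
Location:
    saw.views.dashboard
    saw.httpserver.processrequest
    saw.rpc.server.responder
    saw.rpc.server
    saw.rpc.server.handleConnection
    saw.rpc.server.dispatch
    saw.threadpool.socketrpcserver
    saw.threads
SessionID: hjhbcvfak396tc89uuu550g8bgv75v2rshv2oeq
]]
"""
```

Running `expired_request_errors(parse_odl(SAMPLE_LOG))` returns only the ERROR record, with its ecid, request ID, source file/line, call stack and session ID available as dict fields for correlation with the role change in the access logs.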