OBIEE SSO enabling and role based reporting

Similar Messages

• Portal and role based access

  We have a requirement to provide role based access to our portal. Employees require full portal access, partners require access to specific applications and resources, while guests should be provided access only to the Internet. People suggested SSL VPN from vendors like Array Networks, Juniper, Portwise etc.
  We are trying to kind of use our portal as a web VPN. Also we wanted to use strong access control.... Are there any ideas other than using SSL VPN's.
  -thanks

  1. You can configure your portal on HTTPS (SSL). That keeps it on secure SSL layer.
  2. Have SSO to distinguish between authenticated_users (logged in users like your employees, partners, etc) and un-authenticated_users (Guest).
  3. Use Groups for translating roles for your users. i.e., Make Groups for your users based on what you called as roles in your message.
  4. Assign access privileges available in portals for pages and portal objects according to your needs to these Groups.
  I dont think VPN will be needed when you are having an extranet-portal (as you hinted internet for guests).
  You can have a darn strong access control using this mechanism.
  hope that helps!
  AMN

• Privileges and Roles Based Views

  Hello,
  I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
  Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
  How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
  I hope someone can help with the config:
  Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
  Priv3 radius user settings
  cisco av-pair cli-view-name=priv3
  Priv 15 or root user settings
  cisco av-pair shell:priv-lvl=15
  cisco av-pair shell:cli-view-name=root
  Config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 3750
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  logging console informational
  logging monitor informational
  enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
  username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
  username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication enable default line
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  system mtu routing 1500
  udld aggressive
  no ip domain-lookup
  ip domain-name CB-DI
  login on-failure log
  login on-success log
  crypto pki trustpoint TP-self-signed-3817403392
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3817403392
  revocation-check none
  rsakeypair TP-self-signed-3817403392
  crypto pki certificate chain TP-self-signed-3817403392
  certificate self-signed 01
    removed
    quit
  archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
  spanning-tree mode rapid-pvst
  spanning-tree extend system-id
  spanning-tree vlan 10 priority 8192
  vlan internal allocation policy ascending
  ip ssh version 2
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/24
  interface Vlan1
  description ***Default VLAN not to be used***
  no ip address
  no ip route-cache
  no ip mroute-cache
  shutdown
  interface Vlan10
  description ****
  ip address 10.10.150.11 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  ip default-gateway 10.10.150.1
  ip classless
  no ip http server
  ip http secure-server
  logging trap notifications
  logging facility local4
  logging source-interface Vlan10
  logging 10.10.21.8
  logging 172.23.1.3
  access-list 23 permit 10.10.1.65
  snmp-server community transm1t! RO
  snmp-server trap-source Vlan10
  radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
  radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  exec-timeout 60 0
  logging synchronous
  line vty 0 4
  access-class 23 in
  exec-timeout 60 0
  logging synchronous
  transport input ssh
  line vty 5 14
  access-class 23 in
  no exec
  transport input ssh
  parser view priv3
  secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
  ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
  commands interface include shutdown
  commands interface include no shutdown
  commands interface include no
  commands configure include interface
  commands exec include configure terminal
  commands exec include configure
  commands exec include show ip interface brief
  commands exec include show ip interface
  commands exec include show ip
  commands exec include show arp
  commands exec include show privilege
  commands exec include show interfaces status
  commands exec include show interfaces Vlan10 status
  commands exec include show interfaces Vlan1 status
  commands exec include show interfaces GigabitEthernet2/0/12 status
  commands exec include show interfaces GigabitEthernet2/0/11 status
  commands exec include show interfaces GigabitEthernet2/0/10 status
  commands exec include show interfaces GigabitEthernet2/0/9 status
  commands exec include show interfaces GigabitEthernet2/0/8 status
  commands exec include show interfaces GigabitEthernet2/0/7 status
  commands exec include show interfaces GigabitEthernet2/0/6 status
  commands exec include show interfaces GigabitEthernet2/0/5 status
  commands exec include show interfaces GigabitEthernet2/0/4 status
  commands exec include show interfaces GigabitEthernet2/0/3 status
  commands exec include show interfaces GigabitEthernet2/0/2 status
  commands exec include show interfaces GigabitEthernet2/0/1 status
  commands exec include show interfaces GigabitEthernet1/0/12 status
  commands exec include show interfaces GigabitEthernet1/0/11 status
  commands exec include show interfaces GigabitEthernet1/0/10 status
  commands exec include show interfaces GigabitEthernet1/0/9 status
  commands exec include show interfaces GigabitEthernet1/0/8 status
  commands exec include show interfaces GigabitEthernet1/0/7 status
  commands exec include show interfaces GigabitEthernet1/0/6 status
  commands exec include show interfaces GigabitEthernet1/0/5 status
  commands exec include show interfaces GigabitEthernet1/0/4 status
  commands exec include show interfaces GigabitEthernet1/0/3 status
  commands exec include show interfaces GigabitEthernet1/0/2 status
  commands exec include show interfaces GigabitEthernet1/0/1 status
  commands exec include show interfaces Null0 status
  commands exec include show interfaces
  commands exec include show configuration
  commands exec include show
  commands configure include interface GigabitEthernet1/0/1
  commands configure include interface GigabitEthernet1/0/2
  commands configure include interface GigabitEthernet1/0/3
  commands configure include interface GigabitEthernet1/0/4
  commands configure include interface GigabitEthernet1/0/5
  commands configure include interface GigabitEthernet1/0/6
  commands configure include interface GigabitEthernet1/0/7
  commands configure include interface GigabitEthernet1/0/8
  commands configure include interface GigabitEthernet1/0/9
  commands configure include interface GigabitEthernet1/0/10
  commands configure include interface GigabitEthernet1/0/11
  commands configure include interface GigabitEthernet1/0/12
  commands configure include interface GigabitEthernet2/0/1
  commands configure include interface GigabitEthernet2/0/2
  commands configure include interface GigabitEthernet2/0/3
  commands configure include interface GigabitEthernet2/0/4
  commands configure include interface GigabitEthernet2/0/5
  commands configure include interface GigabitEthernet2/0/6
  commands configure include interface GigabitEthernet2/0/7
  commands configure include interface GigabitEthernet2/0/8
  commands configure include interface GigabitEthernet2/0/9
  commands configure include interface GigabitEthernet2/0/10
  commands configure include interface GigabitEthernet2/0/11
  commands configure include interface GigabitEthernet2/0/12
  ntp logging
  ntp clock-period 36028961
  ntp server 10.10.1.33
  ntp server 10.10.1.34
  end
  Thanks!!!!

  DBelt --
  Hopefully this example suffices.
  Setup
  SQL> CREATE USER test IDENTIFIED BY test;
  User created.
  SQL> GRANT CREATE SESSION TO test;
  Grant succeeded.
  SQL> GRANT CREATE PROCEDURE TO test;
  Grant succeeded.
  SQL> CREATE ROLE test_role;
  Role created.
  SQL> GRANT CREATE SEQUENCE TO test_role;
  Grant succeeded.
  SQL> GRANT test_role TO test;
  logged on as Test
  SQL> CREATE OR REPLACE PACKAGE definer_rights_test
    2  AS
    3          PROCEDURE test_sequence;
    4  END definer_rights_test;
    5  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END definer_rights_test;
    9  /
  Package body created.
  SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
    2  AUTHID CURRENT_USER
    3  AS
    4          PROCEDURE test_sequence;
    5  END invoker_rights_test;
    6  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END invoker_rights_test;
    9  /
  Package body created.
  SQL> EXEC definer_rights_test.test_sequence;
  BEGIN definer_rights_test.test_sequence; END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
  ORA-06512: at line 1
  SQL> EXEC invoker_rights_test.test_sequence;
  PL/SQL procedure successfully completed.
  SQL> SELECT test_seq.NEXTVAL from dual;
               NEXTVAL
                     1

• AAA and Role based access (NPS)

  Hi
  I authenticate all my cisco switches and routers with AAA + NPS + AD
  A server runs NPS service with cisco attribute shell:priv-lvl=15 or 5, depending of AD group.
  But I'd like configure role based with IOS view.
  When I issue the enable view command,  I get
  Password:
  I tried with my AD password, enable configurated password, and always gets
  % Authentication failed
  Mi line vty config
  line vty 0 4
  authorization exec VTY-AAA
  login authentication VTY-AAA
  transport input ssh

  Have you gone through the below listed parser view configuration example. Please check here
  View authentication is performed by an external authentication server via the new attribute "cli-view-name" so you need to use cisco-av-pair as cli-view-name=xxxx
  AAA authentication associates only one view name to a particular user; that is, only one view name can be configured for a user in an authentication server.
  In case you still have any issues, run debug parser view and share the output, I'll try to help.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Difference between ID and Role based Administration - Firefighter 5.3

  In GRC AC 5.3 Firefighter, security guide, there are two sections for role design,
  1. Firefighter Role based Administration
  2. Firefighter ID based Administration
  Can someone explain what is the difference between the two?
  I have read the documentation, but it does not have a clear description of the
  differences between the two.
  Please help.
  Thanks

  HI Prakash,
  Though both of them eventually achieve the same function, that is giving access rights to the user for a certain period under monitring these differ based on the following:
  1. Firefighter Role based Administration
  You identlfy a particular role as a firefighter role and give it to the user.
  2. Firefighter ID based Administration
  You create a separate user altogether and give the normal dialog user, the access to this user's authorization.
  For the implication that both of these have and the differences or comparisons between using 1 & 2, I would suggest you do a bit of Mock testing for both of these. Also, there are a lot of posts related to this on the forum already, which you can refer to, for getting a more detailed idea on this topic. Unlimately, it depends on organization to organization which methodology they folow as per what suits them, according to features which both have. But generally what is preferred is Number 2.
  Regards,
  Hersh.

• OBIEE Cache clear and refresh of reports from DAC

  Hi All,
  I have an existing process where OBIEE cache clear and Dashboard report refresh is happened from DAC.
  But the issue is both do not happen parallely, the both tasks are kept in single text file and they are called from a batch file from DAC. Below is the code
  nqcmd -d AnalyticsWeb -u Administrator -p SADMIN -s D:\OracleBI\server\Bin\PurgeAllCache.txt
  So I want to make them run parellely so that Cache clear and refresh of reports happen parellely. In order to achieve do I need to create seperate batch files or can I manage by changing the above code.
  Please Suggest.

  Can you share the code in the file PurgeAllCache.txt
  There might be some issue with code, make sure you use ';' for each statement.
  or else use 2 files and 2 commands to execute them.
  Pls mark if helps

• Sales hierarchy . role based reports and Data access, Best practice and sol

  Dear all,
  Currently working on a solution for Sales. There a geography and sales position hierarchy.
  e.g. (USA,EU,ASIA) --> EU head -->UK head -->Northern UK head -->London head -->East london--> Postal codes in east london.
  so altogether 7 roles and 7 positions, all these users can see data at it's level and below.
  Also the summary report/ Prompts/ subject area columns for each of these users must be at their corresponding level and just 1 level below.
  e.g. EU head by default must see column EU and country UK, UK head will see report only for UK and Northern UK region and so on.
  After lots of thinking i am planing to take approach of creating 6 sets of similar dashboard/ different prompts/ different global filters/ reports.
  Data level access is not at all issue i am easily able to manage.
  Request experts to guide is there is any other better approach to take for objects in catalog.?
  many thanks in advance.
  Regards,
  Yogen

  Dear Srini,
  Data level Security is not at all issue for me. Have already implement it and so far not a single bug in testing is caught.
  It's about object level security and that too for 6 different types of user demanding different reports i.e. columns and detailed drill downs are different.
  Again these 6 types of users can be read only users or power users (who can do ad hoc analysis) may be BICONSUMER and BIAUTHOR.
  so need help regarding that...as we have to take decision soon.
  thanks,
  Yogen

• Role based Report Links

  Hi All,
  I have created three roles A,B,C and some reports.
  How can I restrict report links as
  Role A- Analyze, Edit, Refresh, Print, Export, Add to Briefing Book, Copy
  Role B- Analyze, Refresh, Export, Add to Briefing Book
  Role C- Analyze, Refresh
  Help me as soon as possible.
  Thanks in advance.
  Haree

  Hi,
  create three different sections for these reports in dashboard edit. now
  provide access to section 1 for Role A
  provide access to section 2 for Role B
  provide access to section 3 for Role C
  provide respective previlleges as per your req in admin manage previlleges and also in properties of report in dashboard section.
  so each Role C user can only see section 3 in dashboard and he will have only access to Analyze, Refresh
  got it?
  Thanks
  Jay.

• NxOS and Role Based Authorization

  Guys,
  Basic setup - using default default user admin I login and no problems - commands such as show mod and config changes, no problem: role =
  network-admin
  I create a user account with the same role as the admin user and I cannot issue the same commands - permission denied?
  Stumped - any ideas what's missing here?
  Thanks

  Out of desperation, I tried combinations of shorter usernames, similar to the admin username
  The result - for whatever reason it seems (I cannot confirm as such) if you use usernames for authentication locally in excess of 8 characters you cannot get full network-admin role privilidges
  even though when you do a show user-account, it displays your full username and the correct role.
  It seems almost as if the authenticaion element works, but the the role categorisation seems to fail for whatever reason (what I would call authorisation).
  Feels like a bug to me, anyway putting it on tacacs tomorrow hopefully with different results
  I am running 4.2(1)SV1(4) on an nexus 1000v.  I hope this saves you some time.
  Apologies if this is a known issue or "feature" - but I was not aware of it. 

• XWS-Security, JAAS and role-based authorization

  What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
  A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
  Thanks in advance.

  Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

• OIM 11.1.1.5 provisioning role based objectclasses and attributes

  TL;DR You can't provision some attributes in our LDAP directory without the objectclass and I can't figure out the best way to inject the dynamic objectclasses into the create user process without the user being created already.
  Some background:
  I have configured our oim 11.1.1.5 instance and LDAP connector to provision ODSEE.  At another's recommendation, I put all possible LDAP attributes in a single form regardless of which objectclass was needed for them.  In ODSEE, sets of attributes are allowed through objectclasses for each 'Role'.  ie. Student, Employee, Guest, etc objectclasses.  I have all of the roles identified in OIM and can map them to an objectclass in LDAP
  My question is, how can I provision role based objectclasses along with the common ones that are configured in the lookup so that when the associated attributes are provisioned, I don't get objectclass violations? 
  Can I append objectclasses to the list stored in the Configuration lookup in ldapUserObjectClass?
  Should I create a child form containing the objectclasses and try to provision them?
  Can/should I create a child form for each set of attributes by role?  Common attribs in the LDAP_USR form and role based attribs in UD_LDAP_STU, UD_LDAP_EMP, UD_LDAP_GST, etc.  Would prepop and the rest of the main form functions work the same?
  Anything else I'm not thinking of? I am still a novice with some of these topics and may be way off base.
  Any help will be greatly appreciated and thank you in advance

  It is definitely doable if you use a custom LDAP connection implementation and just add objectclass update calls as needed as precursor tasks for the Update tasks.
  Here is a small LDAP demo tool that you can adapt to do the update: http://iamreflections.blogspot.com/2010/08/manage-ad-with-jndi-demo-tool.html
  There may be a smarter and more out of the box way to do it but this will work.
  Martin

• Making users available for OpenSSO realm group and role assignment?? Help.

  Here is the situation. We have 3 Open SSO realms set up. One we have called OpenSSO-Admin, a second called OpenSSO-Provider and a third OpenSSO-Internal. We are having issues provisioning and managing the OpenSSO-Internal OpenSSO-Provider realms, but OpenSSO-Admin seems to be fine.
  Here is the behavior that is manifest.
  In the 2 'broken' realms, when we create users and assign them to the appropriate Open SSO realm, they appear to be provisioned correctly in IDM as well as the realm (We have validated user creation in LDAP and everything about the user appears to be fine). When we view the groups and roles in the specific resources, we are presented with a list of users that are in Brackets and appear to be provisioned. The brackets indicate that the users are not found as available users. The bracketed users can not be unassigned, nor can any others. note, our bracketed users in the list of assigned users are created from a workflow which assigns them directly to the appropriate group and role based on their business role.
  The third realm, OpenSSO-Admin works fine and we can add, and manage users in the groups and roles within the realm.
  We have ruled out the workflow as a source as the problem persists when we use the tool to manage users. We can create a user from scratch and add them to the realms. In the 'Broken' relms, the users do not appear in thelist of available users to be assigned to the groups or roles. Yet in the 'good realm, everything appears fine. We can move users from one realm to another and the problem persists in the broken realms, but when a user is added to the 'good' realm, everything is fine.
  I have tried reconciling and get no different results.
  Question is, We have isolated that the issue seems to be in the generation / management of the left hand "Available Users" list. How and where is this generated from and how can we check/fix or regenerate this list?
  Thanks.
  Joe

  I should clarify. We are using Sun IDM 8.1

• OBIEE Role-based visibility

  HI Experts,
  I have come across few questions about the Role-based visibility for OBIEE reports and Dashboards. Can anyone please let me what exactly is this and if possible provide some pointers.
  Thanks in Advance.
  VR

  have a look on page 137 and further http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b31770.pdf

• Unable to make OBIEE components SSO enabled

  Hi,
  I have installed OBIEE 10.1.3.4 in windows env.
  I tried to SSO enble all the components that comes within OC4J of cluster (ascontrol, bi office..).
  From the OC4J instance admin security provider section, I checked all these applications to use SSO and JAZN (file based user repository).
  This way only Appliaction server (ascontrol) got SSO enabled not the other components in the oc4j. Am I missing something?
  Thanks
  Saikrishna

  Thank you very much for reply.
  After doing little research I found out that somehow I need to use SSPI to get the user credentials.
  I have no idea how can I use SSPI in java. Please let me know if you know about any third party DLL that do this. Do I need to use JNI to use SSPI in java code?
  Thanks.

• How does presentation server cache shared by users and roles in OBIEE 11.1.1.6.7

  We are running through a scenario where user1 is assigned to role1 and run a report and after couple minutes user1 is assigned to role2 and run the same report, in 2nd run i see an error in saw log, even though there is presentation server cache that was generated by user1 is previous run it s not shared to the same user if his roles is chnaged, Is this expected behaviour ? by the way we dont have any row level security jut object level
  [2014-01-20T08:11:54.000-07:00] [OBIPS] [ERROR:31] [] [saw.views.dashboard] [ecid: 2f571434fbbd5490:72a3494e:14398c832ad:-8000-0000000000daa36e,0:1] [tid: 1545778944] Invalid request ID (ml75inai8rfs23tn9ih04bh236).  The request you are attempting to access has either expired or is from a previous logon.[[
  File:reportquerycache.cpp
  Line:68
  Location:
  saw.views.dashboard
  saw.httpserver.processrequest
  saw.rpc.server.responder
          saw.rpc.server
  saw.rpc.server.handleConnection
  saw.rpc.server.dispatch
  saw.threadpool.socketrpcserver
          saw.threads
  SessionID: hjhbcvfak396tc89uuu550g8bgv75v2rshv2oeq
  Thanks for your help
  Srix

  The variable DISABLE_CACHE_HIT is used to enable or disable Oracle BI Server result cache hits and not the presentation server cache. So the behavior seems to be correct. You can manage the presentation server cache settings in hte instanceconfig.xml file. Refer to the documentation below to understand the parameters you can configure: ( http://docs.oracle.com/cd/E21764_01/bi.1111/e10541/querycaching.htm#i1218900 )