Authorization in OBIEE

We have configured OBIEE with an LDAP server for authentication. Can somebody tell us how we can authorize a user with respect to a particular group?
Do I need to create similar groups in the repository and web catalog?
(We don't want to import all the users and groups from LDAP. Is there any other way of doing this?)
Thanks

I got a comparable problem.
With LDAP I can log in, but I can't provide the user with the right role or any role at all. I tried to make a table in the database where I could select the role with the :USER (username) but it doesn't work. Also, when I look in "my account" I only see the group "authenticated users".
Steps so far:
- Initblock user with ldap (variable = user, ldap variable = sAMAAccountName)
- Initblock Roles with query
select role_name
from obiee_roles
where user_name = ':USER'
variable target (variable = GROUP)
Execution precedence is FIRST initblock USER.
I must have forgotten something. Maybe someone can help me?
Thanks!

Similar Messages

  • Regarding Authorization in OBIEE

    Hello Experts,
    I am having trouble rather confusion with Authorization in OBIEE. We have configured Authorization using external table and it is working fine.
    Scenario is:
    We have hierarchy like Senior Managers-> Horizontal Head->ORG Head-> Team Leads
    I created their respective groups for each of them in RPD and in Presentations services.
    Senior Manager Group (SR_Manager) has NO restrictions, all other 3 groups(Horz_Group, ORGH_Group, TL_Groups) have data level security they can view data for Process_ID aligned under them. This we are maintaining in external table.
    My doubt comes in when a Senior Manager is member of other groups as well.
    Let say ABC is Senior Manager as well as Horizontal Head and as a Horizontal Head his access is restricted to 5 Process_IDs.
    My Doubt is shouldn’t ABC see all the data as he part of Senior Manager Group, Senior Manager Membership should supersede all other membership? As per documentation OBIEE should apply LEAST RESTRICTIVE PERMISSIONS?
    Kindly suggest if my doubt is valid.
    Thanks
    Ankita

    Hi Amith,
    Thanks for your reply.
    I would like to confirm from what you replied. You asked to change the scenario for our senior most group.
    For our scenario, Sr_Manager group has no restrictions. Hence, all data should be viewable to members of this group. We have now kept all members belonging to Sr_Manager group to this group only and no other group membership has been provided. This works fine and is giving expected results.
    I would like to bring this to notice that, this problem was not coming initially when all the groups had been created. Any member from Sr_Manager, belonging to other lower groups could view all data as per his least restrictive group membership. But, I am not sure why this is failing now.
    Could you pls suggest any cause of this problem?
    Regards
    Ankita

  • LDAP Authorization for OBIEE 10.1.3

    Hello,
    We have setup LDAP authentication (ADSI LDAP) using OBIEE standalone.
    I'm trying to figure out the best way to manage Authorization - user to group assignment in OBIEE.
    Options:
    1. Using external table
    Challenge: The client doesn't have other application that manages user to group assignment. If I am using external table authorization, how will they manage changes to user to group or add new user to group? This will require IT admin to modify table directly in production. They would like to have business super user to handle new user to group assignment.
    2. Import user to LDAP
    This unfortunately doesn't work with ADSI LDAP. I got error message: This function is not supported for all LDAP type..
    3. I read something about using database DBMS_LDAP package. Basically: Define user to group assignment in LDAP. Define a db function to get db to group assignment. Call this db function in OBIEE.
    I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
    4. I thought about using Microsoft Excel to maintain user to group assignment and use the excel connection pool in Authorization init block. However, the OBIEE server is configured in AIX environment, and there is no excel driver for UNIX that's available...
    Has anyone seen this scenario before? Any suggestions will be greatly appreciated..

    When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups, a user is part of.
    In general, one could follow these articles to achieve AD Authentication:
    http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/
    http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/
    To sum it up: Read User-information from AD. Knowing a user's login-name then, one could query an external table, which consists of user and group information. Everything is setup within initializationBlocks, which could be created in the administration tool.
    Problem: As you already said, the problem is, that this external user--group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
    In our case, there's an admin who knows what sql is and how to work with it.
    Another solution could be, to prepare a xml-file, containing user and group information and add it to your repository. The tables could then be queried, too. Although, xml files can become quite unhandy, if a lot of information is held within it, they can be edited via external tools or at least with a standard text editor.

  • How does one access custom function in OBIEE RPD for Session Init Block SQL

    Hello:
    We are using SSO for authentication and authorization for OBIEE, using Init Blocks in the RPD and httpHeader as the source of variables in the Instanceconfig.xml file. (As long as the user is member of one group, the results are fine. However, as soon as the user is assigned to multiple groups, group values become URI-encoded.)
    To solve the problem of URI-encoding, we have deployed a function to the DB (ora 10gr2).
    The problem I am running into is that when I call the function from an Init Block (Security), OBIEE Presentation Services (OPS) acts as though the function does not exist or is not called.
    Initialization String: select group_OBIEE(WEBGROUPS) from dual
    ("group_OBIEE" is the function that was deployed.)
    Testing: Successfully tested the function in PL/SQL as well as using the Test button in RPD.
    Reason for the function: The function decodes the extra characters using a substr function. SSO uses Shibboleth for Authentication and Authorization.
    For example, for our group name, we expect to obtain the following value:
    edw:hrdir;edw:findir (2 groups separated by a semi-colon)
    However, we are obtaining the following: (Determined via the narrative view in Answers: @{biServer.variables['NQ_SESSION.GROUP']} )
    URI-ENCODED<edw%3ahrdir%3bedw%3bfindir>
    Please note: There are no such problems when we are passing only a single group value (i.e. edw:hrdir). So, in cases when we pass only for Group for the user, we are able to authenticate and authorize w/o a problem.
    Any suggestion on how to call the function or a better way to approach this problem?
    Thanks in advance for your help.

    You don't need a function to assign the groups in your Init Block. In fact you should not use it. You need to use a standard select and define the Init Block as Row-Wise. This means the BI Server knows the Init Block will return more than one row. Your select statement should look like this:
    SELECT 'GROUP', YOUR_GROUP_NAME FROM YOUR_GROUP_USERS_TABLE WHERE YOUR_USER_ID_COLUMN = ':USER'

  • OBIEE 11.1.1.6.2 Row Wise Init for Roles variable

    Gurus,
    Why is the NQ_SESSION.ROLES ( Row Wise Initialized ) behaving differently when compared to other Row Wise initialized session variables.
    I am using EBS Authentication and Authorization for OBIEE, so my authorization query is
    SELECT DISTINCT 'ROLES', RESPONSIBILITY_KEY
    FROM FND_USER,FND_USER_RESP_GROUPS, FND_RESPONSIBILITY_VL
    WHERE FND_USER.user_id=FND_USER_RESP_GROUPS.user_id
    AND FND_USER_RESP_GROUPS.RESPONSIBILITY_ID = FND_RESPONSIBILITY_VL.RESPONSIBILITY_ID
    AND FND_USER_RESP_GROUPS.RESPONSIBILITY_APPLICATION_ID = FND_RESPONSIBILITY_VL.APPLICATION_ID
    AND FND_USER_RESP_GROUPS.START_DATE < SYSDATE
    AND (CASE WHEN FND_USER_RESP_GROUPS.END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(FND_USER_RESP_GROUPS.end_Date) END) >= SYSDATE
    AND FND_USER.user_name = 'VALUEOF(NQ_SESSION.USER)';
    Now I plan to use these Roles( EBS Responsibility name) which I have populated in a DB table against some Cost Center and below is the how I view the data in DB.
    ID | PROFIT_CENTER | RESPONSIBILITY
    0 | 0 |0
    1 | 100 |BI_Fin_Role
    2 | 200 |BI_P2P_Role
    3 | 300 |BI_Inv_Role
    Then my Profit Centers Initialization Block is now
    SELECT DISTINCT 'PROFIT_CENTER', PROFIT_CENTER FROM WC_OBIEE_PC_SECURITY WHERE RESPONSIBILITY IN (VALUELISTOF(NQ_SESSION.ROLES))
    So User1 has BI_Fin_Role and PC_Security Role so does the User2 has BI_Inv_Role and PC_Security now when User1 logs in they should see only 100 Profit center data and User2 should see only 300.
    I have created data filter for that application role (PC_Security) and limiting with "Dim.Profit Center"."Profit Center" = VALUEOF(NQ_SESSION."PROFIT_CENTER")
    However first problem I encounter is there is no value definition for PROFIT_CENTER, snap that means the VALUELISTOF(NQ_SESSION.ROLES) value is not being passed or recognized by whenever BI Server sends that query to DB.
    This is confirmed by my query log which says:
    [2013-04-29T12:49:06.000+00:00] [OracleBIServerComponent] [TRACE:5] [USER-39] [] [ecid: 11d1def534ea1be0:48033065:13e4213bbd0:-8000-0000000000008dc8] [tid: 47796940] [requestid: fffe0313] [sessionid: fffe0000] [username: ] -------------------- An initialization block named 'PC_Security', on behalf of a Session Variable, issued the following SQL query: [[
    SELECT DISTINCT 'PROFIT_CENTER', PROFIT_CENTER FROM WC_OBIEE_PC_SECURITY WHERE RESPONSIBILITY IN (VALUELISTOF(NQ_SESSION.ROLES))
    Returned 0 rows. Query status: Successful Completion
    So I try to issue the SQL to BI Server thru Issue SQL Directly:
    SELECT "Profit Center"."Profit Center" FROM "SLA Details" WHERE "Profit Center"."Profit Center" = VALUEOF(NQ_SESSION.ROLES)
    and the query log gives me the below log which blew my mind as it's being delimited by ';'
    select distinct T1260626.ACCOUNT_SEG3_CODE as c1
    from
    W_GL_ACCOUNT_D T1260626 /* Dim_W_GL_ACCOUNT_D */
    where ( T1260626.ACCOUNT_SEG3_CODE = 'BIAuthor;BIConsumer;PC_Security;BI_Fin_Role;AuthenticatedUser' )
    I have other Row Wise Init blocks for HR_ORG which when fired and used in reports give me strings ('1000','2000',...) which is what I was expecting to see in the filter and query here.
    Am I doing something wrong here can someone please point me to right direction please.
    Any help is much appreciated.
    Thanks,
    VidyaS
    Edited by: VidyaS on Apr 29, 2013 2:47 PM

    This is because the ROLES variable in OBIEE 11g is designed to retrieve the LDAP or DB groups etc. in the form of a semicolon-delimited string; this is not the case with other Row Wise init blocks.
    Refer to : OBI 11g - LDAP and semicolon-delimited string for Groups [ID 1274964.1]
    HTH,
    SVS
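
The mismatch in this thread, reproduced as an added example (not code from any poster or from Oracle): Python's sqlite3 stands in for the Oracle database, the table rows are a constructed copy of the poster's WC_OBIEE_PC_SECURITY data, and the ROLES string is the one shown in the query log. The function names are hypothetical and nothing here calls an OBIEE API.

```python
import sqlite3

# Constructed copy of the WC_OBIEE_PC_SECURITY rows listed in the post.
ROWS = [(0, "0", "0"), (1, "100", "BI_Fin_Role"),
        (2, "200", "BI_P2P_Role"), (3, "300", "BI_Inv_Role")]

# The single string the query log shows for NQ_SESSION.ROLES.
SESSION_ROLES = "BIAuthor;BIConsumer;PC_Security;BI_Fin_Role;AuthenticatedUser"


def open_db():
    """Build an in-memory stand-in for the security mapping table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE WC_OBIEE_PC_SECURITY "
               "(ID INTEGER, PROFIT_CENTER TEXT, RESPONSIBILITY TEXT)")
    db.executemany("INSERT INTO WC_OBIEE_PC_SECURITY VALUES (?, ?, ?)", ROWS)
    return db


def split_roles(raw):
    """Split the semicolon-delimited ROLES string into distinct role names."""
    seen, roles = set(), []
    for part in raw.split(";"):
        name = part.strip()
        if name and name not in seen:
            seen.add(name)
            roles.append(name)
    return roles


def profit_centers_whole_string(db, raw):
    """Compare RESPONSIBILITY with the whole string, as in the logged query."""
    cur = db.execute("SELECT DISTINCT PROFIT_CENTER FROM WC_OBIEE_PC_SECURITY "
                     "WHERE RESPONSIBILITY = ?", (raw,))
    return sorted(row[0] for row in cur)


def profit_centers_per_role(db, raw):
    """Match each role separately; bound parameters keep role names as data."""
    roles = split_roles(raw)
    if not roles:
        return []  # fail closed: no roles means no profit centers
    marks = ",".join("?" * len(roles))
    cur = db.execute("SELECT DISTINCT PROFIT_CENTER FROM WC_OBIEE_PC_SECURITY "
                     f"WHERE RESPONSIBILITY IN ({marks})", roles)
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = open_db()
    print("whole string:", profit_centers_whole_string(db, SESSION_ROLES))
    print("per role:    ", profit_centers_per_role(db, SESSION_ROLES))
```

The whole-string comparison matches no mapping row, which is the same outcome as the "Returned 0 rows" in the poster's log, while the per-role lookup resolves BI_Fin_Role to profit center 100.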

  • Database authorization

    Hi,
    we set authentication on database users (oracle).
    I am interested in authorization in OBIEE. How to set the groups in repository to manage user's rights. Does it have something to do with roles in the database? Do we have to create completely new groups in database and then create same groups in repository?
    Regards,
    Neza

    Neza,
    It's all in the documentation. BI RPD authentication has nothing to do with DB authentication and is independent from Answers Catalog authentication. I suggest you read the chapter about security and then ask if anything isn't clear

  • Log in info

    Hi,
    I've a doubt, When we logging to Analytics, where the user information will store. i just want to see the user information and privileges
    Thanks in Advance
    Mallik

    Hi mallik,
    "When we logging to Analytics, where the user information will store"
    Depends on what authentication you're using, like LDAP, External table and so on. First verify which you guys are using.
    For example if it is LDAP then these links will help you understand about it
    Authorization in OBIEE
    http://gerardnico.com/wiki/dat/obiee/ldap
    UPDATED POST
    Check this http://oraclebispace.blogspot.com/2008/12/authentication-in-obiee.html
    OBIEE login
    hope helps you.
    Cheers,
    KK
    Edited by: Kranthi.K on Apr 20, 2011 1:54 AM

  • OBIEE  SSO  with authorization

    Hi Gurus,
    1)I have instance configured the SSO with windows Active Directory and OBIEE.
    2)I also have another instance ( without SSO configured) with external table authentication( user name and password verification) and authorization( groups , which populate the session variables for data filtering) .
    Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory
    and external table groups.
    The reason being , my groups are custom groups in external table, i do not want to maintain users in repository.
    can you please give me pointers if the scenario is possible . Thanks in Advance
    Thanks and Regards
    Satya

    "Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory and external table groups."
    I don't know what your issue is. Just do SSO with AD and then load the groups in the GROUP init block via SQL. What is your actual issue?
    "In order to filter the data in reports you need to have the same group structure in Web Cat i guess ( correct me if i am wrong)."
    Yes, although you don't need to use the same group names. In fact I prefer to have completely separate group names, some for RPD security, some for Web Catalog security. As long as the groups exist in the proper location (RPD or Web Catalog) and they get assigned in the GROUP init block then OBIEE will be happy; they don't need to exist in both places.
    "2) Will not SSO populate the Remote_User variable rather than the USER variable by default."
    No, you have to tell OBIEE where to put the REMOTE_USER value. You can simply do SELECT ':USER' FROM DUAL or if you have your users defined in a table you can also authenticate that the user exists in this table SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER' which adds another layer of authentication to your SSO solution.

  • OBIEE Authorization  (LDAP)

    Hi
    Obiee Experts
    i have query in obiee ?????
    i did Authentication for AIX ( Unix server 6.1). How to config Authorization for LDAP .
    could you please share step by step
    ( we have 250 groups in ldap server how to maping with obiee level . we can apply object level and at same time data level security also )

    Did you have to change the function in anyway - apart from the bits to customise for your own AD server, user & pw to use?

  • How to Authorize external table users in OBIEE 11g

    Hi All,
    I have created Session System Variables and i am Using External table Data level Authentication and successfully external table Authentication is working.
    My question is i want to Authorize this External table users in presentation services.e.g. I want to assign some dashboards or Reports to users.
    In 10g when u login with the external table users automatically users will be created in Answers and used to assign this to webcat group.
    In 11g how to achieve this???
    Reply ASAP...
    Thanks and Regards
    Kiran Kumar
    07795980891.

    Hi Kiran,
    Check this link.
    http://www.rittmanmead.com/2010/11/oracle-bi-11g-active-directory-security-using-init-blocks-variables-10g-style/

  • Authorization issue in OBIEE 11.1.1.5.0

    Experts,
    We are facing a strange problem in our OBIEE 11g environment. User role is not properly getting refreshed. For example, yesterday one user didn't have any role assigned and today we assigned a role (which has answers and dashboards access) to the user but the user still sees the Access Denied page for answers and dashboards. This issue is happening for many users and for some users it is automatically gone after a few days. Users and groups are maintained in OVD. I removed the OVD cache settings in em. Any pointers greatly appreciated.

    Try these
    1. Edit the NQSConfig.INI file to reset the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES to NO and restart the Oracle BI Servers.
    2. Remove, set to none, or comment out the line (see UpgradeAndExit in the following example) added to the instanceconfig.xml file (that instructs Oracle BI Presentation Server to refresh GUIDs on restart).
    <ps:Catalog xmlns:ps="oracle.bi.presentation.services/config/v1.1">
    <ps:UpgradeAndExit>false</ps:UpgradeAndExit>
    <ps:UpdateAccountGUIDs>none</ps:UpdateAccountGUIDs>
    </ps:Catalog>
    Restart the Presentation Server for the instanceconfig.xml file that was updated.

  • OBIEE Group authorization

    Hi,
    We are using the LDAP security for Authenticating the users.. but when I try to Authorize the Users to see a Particular dashboard it is failing. I have created a table in DB with Logon and the group details and created a session variable by using the below sql. But When I try to test this Initialization block the Test Button is not highlighting in the rpd .
    SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
    Please suggest me whether I am doing the correct approach to give access to dashboard.

    Yes... The three steps you have mentioned is the standard way of doing an authentication using LDAP and Authorization using external database.
    When ever a new user is added, you just have to add that user name and group name in the external db table.
    No need to give permissions to that particular user in Presentation Catalog as you might have already given permission to the group to which this user belongs.
    While logging in you have to give the correct username as it is configured in your LDAP server. For entering the new user in DB it need not be case sensitive as the Init block query takes care.
    SELECT 'GROUP', R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(':USER')
    Regards,
    Bhavik

  • OBIEE 11g Security Structure

    Ok, having an issue with security and will give an overview of security setup and the issue.
    First, security structure. We are using a Web SSO, so users go to this SSL website, enter their LAN ID and password to login which redirects to Answers. The authentication and authorization are done by initialization blocks which were set up in 10g and upgraded to 11g, so the idea is to hold the security structure. There is a database table that has user id and roles. So when a user connects, it looks in the table based on the blocks and allows them to see what they are suppose to. This security is all setup and tested working. Next the idea was to integrate BI Publisher using that security. By default it uses Fusion Middleware, but based on our security I need to set it to use Oracle BI Server. Now when I do this, I can get people to login and then link over to publisher no issues. If I build a report in publisher and embed it in a dashboard page, when a user click that page, including the "weblogic" user, it loads with error: oracle.xdo.XDOException: Unable to create saw session. please verify the server connection. Now, if I go back and change the security structure back to Fusion Middleware and log in as weblogic user, the report loads with no errors, but end users can no longer access BI Publisher.
    So the question is, if I integrate security with BI Publisher using Oracle BI Server as the selection, is there something I may be missing in order to view BI Publisher embedded content in Answers/Dashboards?

    J.A.M wrote:
    "So the question is, if I integrate security with BI Publisher using Oracle BI Server as the selection, is there something I may be missing in order to view BI Publisher embedded content in Answers/Dashboards?"
    Yes, there are additional steps that are required. Please check the instructions below:
    1) Every user must be a part of the BIConsumer role.
    2) Steps to allow data sources to the BIConsumer in BI Publisher:
    -- Administration->Roles and Permissions->Add Data Sources:BIConsumer-> Your Datasource Name
    3) Add BIConsumer role to all the XMLPRoles in EM and add all your custom/ootb roles that are being used to the BIConsumer role.
    4) In BI Publisher –
    To access OBIEE catalog through BI Publisher
    Administration -> Server Configuration -> Catalog -> Oracle BI EE Catalog -> Test Connection -> Upload to BI Presentation Catalog
    5) In OBIEE -- Make sure the data model and report's permissions are set appropriately in the catalog.
    Hope this helps.
    Thanks,
    -Amith.

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a users group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could login once and see Dashboard A, switch my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based, my belief is that it is populated when the Admin Server/Managed Servers are brought up pulling from the applicable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

    Q1. how deploy external database security(users, groups) to OBIEE 11g.
    we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
    OBIEE 11g is integrated with WebLogic Fusion Middleware (Console, EM). That console has a feature to enable multiple LDAP authentication.
    While configuring AD via the WebLogic console we need to give the users and group info.
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • OBIEE Re Login on print selection

    Hi,
    We have OBIEE 10.1.3.4.1 configured for SSO and are using client side authorization option and passing the username in the URL. When we try to print a report using print html; a popup window opens up but instead of showing the HTML report it gets redirected to the obiee login page. This is because the new popup window is not passing the nquser in the URL. When we manually add the nquser to the popup window URL than it works fine and we do not have to login again. Has anyone faced this issue before and implemented possible solutions? Is there a way to avoid this popup and display the print results in the main obiee page? Thanks!
    ~Narenda

    Passing the username in the URL is not SSO nor does it login the user to OBIEE properly. I suggest that you implement a proper SSO solution via the REMOTE_USER server method, a cookie or an HTTP header.
