External Table User-ID authorization?

Similar Messages

• How to Authorize external table users in OBIEE 11g

  Hi All,
  I have created Session System Variables and i am Using External table Data level Authentication and successfully external table Authentication is working.
  My question is i want to Authorize this Extrenal table users in presentation services.e.g. I want to assign some dashboards or Reports to users.
  In 10g when u login with the external table users automatically users will be created in Answers and used to assign this to webcat group.
  In 11g how to achieve this???
  Reply ASAP...
  Thanks and Regards
  Kiran Kumar
  07795980891.

  Hi Kiran,
  Check this link.
  http://www.rittmanmead.com/2010/11/oracle-bi-11g-active-directory-security-using-init-blocks-variables-10g-style/

• Issue in External Table Authentication and Authorization in OBIEE11G

  Hello Gurus,
  Can anyone help me how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server not like in 10g style(Through INIT Blocks).
  I've followed the (Doc ID 1338007.1) document. But when i'm restart the Managed servers and Admin servers after configuring the SQLAuthenticator all my services are showing down.
  I already raised the SR (SR 3-6286054151) on this issue. But still i didn't get any reply from them.
  Can anyone help me out on this issue or can anyone me send the document for "how to configure External Table Authentication and Authorization in OBIEE11g" . It's really appreciate for your quick response.
  my mail ID [email protected]
  Thanks,
  Syam.
  Edited by: 942658 on Oct 13, 2012 10:55 AM

  Hi John,
  Thanks for your quick response.
  We configured "ReadOnlySQL Provider" by following the Oracle's white paper(Doc ID 1338007.1) Please find the below steps what we configured in weblogic console.
  1. Created the Data Source
  2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
  3. Defined the connection Properties .
  4. Selected targets as Admin server and bi_server.
  Then Activate changes
  5. Created new provider by using ReadOnlySQL Authenticator
  6. In the provider specific tab we given the SQL statements and saved it.
  7. Restarted the Admin and Managed servers.
  After restarted the services when we open the Enterprise Manager page all the services are showed as Undefined - means red.
  Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
  For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator ?
  If we configure BISQLAuthenticator we just import Groups from database to Console application. Then how can it Authenticated to the User ?
  Please let me know your ideas on this.
  Thanks,
  Syam

• Subject area security validating users and groups from external table

  Hi all.
  I don't have practice to put question here, but there is one problem, that seems don't work correctly in OBIEE.
  I'm trying to put users in groups within external table and this works fine.
  I put security on the subject area level like this:
  SA1 -> GroupA allow, Everyone not allow
  SA2 -> GroupB allow, Everyone not allow
  External table:
  User----------Group
  A---------GroupA;GroupB
  B---------GroupB
  Users A, B and GroupA, GroupB exists in the RPD, but I didn't put users inside them, I want this from table.
  From the init block, external table I'm taking users and join them in the group. Same name users and groups are also in the presentation service.
  When i connect with user A i don't see any subject area, when go to My Account i see in Group Membership/GroupA and GroupB, so it's readed from the external table.
  Why in this case the subject area permission is not working?
  It works if I explicitly put users in groups, in the RPD.
  I have read this blog entry http://kpipartners.blogspot.com/2009/07/groups-webgroups-and-delivers.html and it is said that this works, but I'm interested how.
  What should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?
  This doesn't work or something is missing:
  Re: Security on Subject Areas
  Regards
  Goran
  http://108obiee.blogspot.com

  What should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?Yes, you should remove Everyone and add the relevant groups to each Subject Area. You don't need to set privileges in the RPD, in fact that's probably why it doesn't work for you. Leave your RPD Presentation Catalog as "Everyone" = Read as you will controlling access from the Presentation Services and it should work.

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• External Table Authorization Best practices

  Hi,
  I am working on OBIEE External table Authorization. I am able to successfully implement for one Project (catalog). The field for Authorization table (AuthTable) are
  Windows_ID     Employeeid     Name     EmpEMail     GroupName     Process_ID     Process_Name     Portal_Path
  Here as per requirement a user should see data for a few process. So, I put a column for Process_ID and subsequently I created a INIT block in repository where query are like
  Select 'PROCESS_ID',AuthTable. Process_id
  From AuthTable
  WHERE upper(AuthTable.AD_ID) = upper(':USER')
  Then for User Groups I applied FILTERs for all the tables E.G for every Logical Table I applied Filter
  Dim_Process."Process ID" = VALUEOF(NQ_SESSION."PROCESS_ID")
  I checked data and every thing is correct. But My question is:
  We have many projects/catalog for which Filter Criteria will be different so shall we insert a new column for each criteria in SAME AuthTable or there is any other and better way to maintain it. Because if we maintain one table for all the projects/catalog it will be very messy I would prefer to keep different tables for different projects/catalog as there data marts are different.
  But Problem is for all other session variables we may use different INIT BLOCKS and hence different tables BUT for PORTALPATH there should be only one INIT BLOCK so only for PORTALPATH sake we need to keep every thing in same table ?
  Tell me if I am wrong some where in my understanding or there is a better way to do it.
  Regards
  Saurabh

  Hi,
  Pls refer to this link. Kumar explained it very clearly
  http://obieeblog.wordpress.com/category/obiee/obiee-security/
  Pls award points, if helpful
  Regards,
  Sarat Nallapati

• Help with external table authorization

  Hi Every One,
  I am using OBIEE 11.1.1.6.
  I have setup MSAD authentication through rpd and every user is able to login to analytics.
  And there is an external table in the database where I have all the user and their groups( all users in MSAD are in this table)
  I have created session variable called GROUP to have these usergroups for authorization.
  I have created the groups in the front end with exact names that are in the external table.
  But I cant set up the Required privilages
  every user is seeing all the reports and subject areas.
  Do I need to create the application roles with exact names as groups names in rpd?
  Do i need to create groups in weblogic console?
  Please help me in this regard.

  Hi,
  I have created the groups in the front end with exact names that are in the external table.
  Do I need to create the application roles with exact names as groups names in rpd?No need to create any groups or application roles in rpd.
  Test Authorization init block properly.
  Create application roles under console, which are nothing but groups in your external table. Apply security to dashboards accordingly.
  Regards,
  Srikanth

• 11g hybrid authentication / authorization: WLS plus external table

  I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
  I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
  The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
  Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
  Here's my authentication init block code:
  select bi_user
  from bi_auth_ldap
  where bi_user = ':USER'
  and bi_user_pwd = ':PASSWORD'
  Here's the authorization init block code:
  select roles, bi_user_name, to_number(loglevel,0), channel_tbl
  from bi_auth_ldap
  where bi_user = ':USER'
  (returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
  It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
  Thanks!

  It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
  Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
  Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
  Sweeeeeeet.........
  Billionaire Acres, here I come!

• External table authorization

  I have done external table authentication by creating user related details in db, but i'm unable to view user specific data (row level data security) ie external table authoriztion. I have not used user groups..It is showing details pertaining to all users
  Looking forward for your valuable suggestion....

  Hi,
  Pls refer to this link. Kumar explained it very clearly
  http://obieeblog.wordpress.com/category/obiee/obiee-security/
  Pls award points, if helpful
  Regards,
  Sarat Nallapati

• Importing Users from external table in obiee 11g

  Hi Every one,
  Do any one help me giving suggestions that how we can import users from external table.
  I am using obiee 11.1.1.6.
  In that external table Which i am using there are 56K users.
  They are able to login to obiee analytics.
  But for setting object level security I need to make diffrent groups with these users to assign the dashbords and required objects in front end.
  But how can we get all these users into BI server or presentation server to make them into groups.
  Thanks in advance.
  Edited by: 861096 on Mar 13, 2012 8:44 AM

  Hi,
  or if your lowest level is the same like
  Day->month->year->Total
  Day->businessMonth->businessyear->Total
  Then yes, it is.
  Create the first, then you start to create the second by adding your top(business year) level on the same level as the one you have (year) both under your total.
  Then when you would add your second base level, there is a special option for it, something like use other hierarchy level/shared level (sorry can't recall and does not have a connection right now) then you select your existing day level under your businessmonth level.
  Hope this helps,
  Regards,
  D

• External tables with user defined fuction help

  Can any one help me
  I have problem with using user defined function while creating the External table.
  The user defined function Just takes an input empno and returns one number.
  CREATE TABLE EMPXT_1(empno NUMBER(4)
  ORGANIZATION EXTERNAL
  TYPE ORACLE_LOADER
  DEFAULT DIRECTORY TEST_DIR
  ACCESS PARAMETERS(
  RECORDS FIXED 4
  STRING SIZES ARE IN BYTES
  NOBADFILE
  NODISCARDFILE
  LOGFILE '211205.KNU.LOG'
  FIELDS
  NOTRIM
  (empno POSITION(1) integer external(4) p_1(:empno)
  LOCATION
  ('empxt_1.dat')
  REJECT LIMIT UNLIMITED
  NOPARALLEL
  content of expxt_1.dat
  7849
  SELECT * from EMPXT_1;
  ERROR at line 1:
  ORA-29913: error in executing ODCIEXTTABLEOPEN callout
  ORA-29400: data cartridge error
  KUP-00554: error encountered while parsing access parameters
  KUP-01005: syntax error: found "double-quoted-string": expecting one of:
  "comma, defaultif, nullif, optionally, ), terminated"
  KUP-01007: at line 8 column 49
  ORA-06512: at "SYS.ORACLE_LOADER", line 14
  ORA-06512: at line 1

  hi,
  may be u have do these
  for ORA-29913 error
  1. you have to grant read and write to a directory.
  for other errors do check this document
  http://www.lc.leidenuniv.nl/awcourse/oracle/server.920/a96525/kupus.htm
  hope this may help u
  Trinath Somanchi

• How to provide Admin access to users that are in external table

  Hello All,
  I have configured external table authentication in OBIEE 11.1.1.5.0, i am able to login, i have some couple of users, i want to provide for some users as ADMIN Privileges
  . Also how to identify these users in application roles, when i am trying to add in the application roles, i am not able to find these users.
  Thanks,
  Sreekanth

  Try
  DBA_STMT_AUDIT_OPTS
  DBA_PRIV_AUDIT_OPTS
  DBA_OBJ_AUDIT_OPTS
  SYS@etest> audit role;
  Audit succeeded.
  SYS@etest> SELECT * FROM DBA_STMT_AUDIT_OPTS;
  USER_NAME                      PROXY_NAME
  AUDIT_OPTION                             SUCCESS    FAILURE
  ROLE                                     BY ACCESS  BY ACCESS

• Using users from an external table in the BI Publisher add-in for Word

  After installing the BI Publisher add-in in Word, I find that I can connect to BI Publisher (http://hostname:9704/xmlpserver) only using IDs that are defined within WLS. I'm using an Oracle database table and external authentication to get my users logged in to the Answers environment, and they use the BI Publisher features of Analytics as well. But if I try to connect from the add-in to xmlpserver as one of those externally authenticated users, it fails.
  Do I have to create new users in WebLogic Security for those folks who need to build BIP templates in Word? If not, how can I get the add-in to recognize and use the external table authentication?
  I'm in 11.1.1.6.2 BP1, but I've noticed the problem for a long time, possibly back to 10g.

  As you probably noticed, your formulas won't import into Project Siena - only the data.
  I've created a sample application for you to demonstrate how you create formulas in Project Siena.
  Here's the link to the project:
  https://onedrive.live.com/redir?resid=D64FC13017F614FD!47783&authkey=!AN3UxGDTP1vNbbU&ithint=folder%2cjpg
  In this example, I'm doing the heavy lifting on the Calculate button.
  Here's what I did to create the project.
  I added two input text boxes for height and weight
  I added a calculate button.
  I added a label to display the result.  In the Default Text I added
  BMI which is a context variable.  I could have called it BMIResult - it's up to you.
  Here's the formula for OnSelect of the Calculate button:
  UpdateContext({BMI: Round((Value(txtWeight!Text) / Value(txtHeight!Text * txtHeight!Text)), 2)*703})
  Note: If you haven't done so already, click 'Express View' in the lower right hand corner to see the properties.
  UpdateContext is a formula that is used to change results - in this case the variable, BMI.
  I used the Round function so it displays 2 digits for the decimal.
  I used the Value formula to convert the input boxes to numbers.
  This should get you started in the right direction - let me know if you need further explanation.
  One more thing to add - when creating a context variable, you will see a yellow exclamation mark until you have a formula that references it.
  Thor

• Can BIP be logged in using BIEE user from external tables?

  I've setup the BIEE Session Initialization Blocks using data from external table in database.
  And now Oracle BI Interactive Dashboards can be logged in using user "sysadmin" which stored in external table.
  And user "sysadmin" has its group information of "XMLP_ADMIN" from external table
  But BIP can't with error like follows:
  PS: xmlp-server-config.xml
  <property name="COMPRESS_REPORT_DATA" value="false"/>
  <property name="BI_SERVER_SECURITY_URL" value="jdbc:oraclebi://10.100.100.69:9703/"/>
  <property name="SAW_SESSION_TIMEOUT" value="90"/>
  <property name="BI_SERVER_SECURITY_DRIVER" value="oracle.bi.jdbc.AnaJdbcDriver"/>
  <property name="SAW_PORT" value="9704"/>
  <property name="SAW_PROTOCOL" value="http"/>
  <property name="COMPRESS_REPORT_OUTPUT" value="false"/>
  <property name="SAW_URL_SUFFIX" value="analytics/saw.dll"/>
  <property name="SECURITY_MODEL" value="BI_SERVER"/>
  2009-06-28 17:32:50.484 NOTIFICATION connect to NQSSECONDARYCCS=;PORT=;SSLKEYSTO
  REPASSWORD=***;PRIMARYCCS=;USER=sysadmin;PRIMARYCCSPORT=;TRUSTANYSERVER=;LOGFILE
  PATH=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3\;SECONDARYCCSPORT=;TRUSTSTOREPASSWORD=
  ***;LOGLEVEL=;SSL=;HOST=10.100.100.69;CATALOG=;PASSWORD=***;
  2009-06-28 17:32:50.703 NOTIFICATION connect to NQSSECONDARYCCS=;PORT=;SSLKEYSTO
  REPASSWORD=***;PRIMARYCCS=;USER=Administrator;IMPERSONATE=sysadmin;PRIMARYCCSPOR
  T=;TRUSTANYSERVER=;LOGFILEPATH=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3\;SECONDARYCC
  SPORT=;TRUSTSTOREPASSWORD=***;LOGLEVEL=;SSL=;HOST=10.100.100.69;CATALOG=;PASSWOR
  D=***;
  2009-06-28 17:32:50.921 WARNING java.io.IOException: [nQSError: 43001] validate user sysadmin from St
  ar failed:invalid user/password
  It's wired that a user can login to Oracle BI Interactive Dashboards but can't to BIP while they use the same authentication.

  That should work..
  If you are able to login in BIEE with the external user,
  and configured BI security model as BIEE, then you should be able to login.
  May be, restart the services and try. this is not going to change any, but just in case, you have modified any setting for which the restart may be required.,.

• External table authentication not updating user group changes

  Hello
  I have a question..
  In OBIEE, i am using external table authentication. I have user and user group tables where users and groups are stores.. Every Time I create a new user and assign them to a group, these records get inserted immediately to these tables with the correct user and group ID that matches with each other.. Then in my initialization block I have the query that fetches the user name and psswd as well as groups names..
  All these are working at the initial user creation. For example, when I create user A and assign it to group A, the DB table has all of the records inserted correctly. When I log in to OBIEE using User A login, I see it is assigned to Group B.
  The problem comes when I change the user A from Group B to Group C. When I did that, although the DB table gets updated correctly, OBIEE session seems to still be the previous one. As a result, when I log in the second time, I see the user A is still assigned to Group B instead of Group C.. This seems to be cached..
  I double check these user tables in OBIEE, none of them are cache enabled.. The connection pool setting of the isolation level is set as default..
  When I reinstall OBIEE all over again and re-log in the first time, this User is now assigned to Group C..
  So seems to be that it is caching issue.
  How should I go about solving this issue
  Appreciate in advance

  Make sure you check the box for 'Required for authentication' and also 'Use caching' should not check.
  Edited by: Srini VEERAVALLI on May 15, 2013 9:05 PM