External Table User-ID authorization?
Hi All,
http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
In this blog, the procedure in connection pool, as data Source Name as Whatever.World, and the Shared Logon as, username. What should actually go in there, or does it really matter?
Thank you.
Hi ssk1974,
What should actually go in there, or does it really matter?Yes you need to give the credentials as per your database,there in that blog he gave an example saying give out your username and password.
In your case give your stage or development database name,user name and password your using for RPD and presentation server.
So you can move ahead with the blog steps....Hope it helps you.
By,
KK
Similar Messages
-
How to Authorize external table users in OBIEE 11g
Hi All,
I have created Session System Variables and i am Using External table Data level Authentication and successfully external table Authentication is working.
My question is i want to Authorize this Extrenal table users in presentation services.e.g. I want to assign some dashboards or Reports to users.
In 10g when u login with the external table users automatically users will be created in Answers and used to assign this to webcat group.
In 11g how to achieve this???
Reply ASAP...
Thanks and Regards
Kiran Kumar
07795980891.Hi Kiran,
Check this link.
http://www.rittmanmead.com/2010/11/oracle-bi-11g-active-directory-security-using-init-blocks-variables-10g-style/ -
Issue in External Table Authentication and Authorization in OBIEE11G
Hello Gurus,
Can anyone help me how to configure External Table Authentication and Authorization in OBIEE11g through weblogic server not like in 10g style(Through INIT Blocks).
I've followed the (Doc ID 1338007.1) document. But when i'm restart the Managed servers and Admin servers after configuring the SQLAuthenticator all my services are showing down.
I already raised the SR (SR 3-6286054151) on this issue. But still i didn't get any reply from them.
Can anyone help me out on this issue or can anyone me send the document for "how to configure External Table Authentication and Authorization in OBIEE11g" . It's really appreciate for your quick response.
my mail ID [email protected]
Thanks,
Syam.
Edited by: 942658 on Oct 13, 2012 10:55 AMHi John,
Thanks for your quick response.
We configured "ReadOnlySQL Provider" by following the Oracle's white paper(Doc ID 1338007.1) Please find the below steps what we configured in weblogic console.
1. Created the Data Source
2. In the data source specified the Database driver--> *Oracle's Driver Thin for service connections: Versions:9.0.1 and later.
3. Defined the connection Properties .
4. Selected targets as Admin server and bi_server.
Then Activate changes
5. Created new provider by using ReadOnlySQL Authenticator
6. In the provider specific tab we given the SQL statements and saved it.
7. Restarted the Admin and Managed servers.
After restarted the services when we open the Enterprise Manager page all the services are showed as Undefined - means red.
Apart from that we followed your suggested link http://askjohnobiee.blogspot.com/2012/09/how-to-oid-authentication-with-groups.html
For External table authentication do we need to configure BISQLAuthenticator or ReadOnlySQLAuthenticator ?
If we configure BISQLAuthenticator we just import Groups from database to Console application. Then how can it Authenticated to the User ?
Please let me know your ideas on this.
Thanks,
Syam -
Subject area security validating users and groups from external table
Hi all.
I don't have practice to put question here, but there is one problem, that seems don't work correctly in OBIEE.
I'm trying to put users in groups within external table and this works fine.
I put security on the subject area level like this:
SA1 -> GroupA allow, Everyone not allow
SA2 -> GroupB allow, Everyone not allow
External table:
User----------Group
A---------GroupA;GroupB
B---------GroupB
Users A, B and GroupA, GroupB exists in the RPD, but I didn't put users inside them, I want this from table.
From the init block, external table I'm taking users and join them in the group. Same name users and groups are also in the presentation service.
When i connect with user A i don't see any subject area, when go to My Account i see in Group Membership/GroupA and GroupB, so it's readed from the external table.
Why in this case the subject area permission is not working?
It works if I explicitly put users in groups, in the RPD.
I have read this blog entry http://kpipartners.blogspot.com/2009/07/groups-webgroups-and-delivers.html and it is said that this works, but I'm interested how.
What should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?
This doesn't work or something is missing:
Re: Security on Subject Areas
Regards
Goran
http://108obiee.blogspot.comWhat should we have in the presentation part, administration, Manage Privileges -> Access within Oracle BI Answers option for those two subject area?Yes, you should remove Everyone and add the relevant groups to each Subject Area. You don't need to set privileges in the RPD, in fact that's probably why it doesn't work for you. Leave your RPD Presentation Catalog as "Everyone" = Read as you will controlling access from the Presentation Services and it should work.
-
How to implement row level security using external tables
Hi All Gurus/ Masters,
I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
I can use a filter condition in my user level so that he can access his data only.
But when i have 4 tables in external tables
users
groups
usergroups
webgrups
Then in which table I need to give the filter conditions..
Pl let me know this ...You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
Hope this helps -
External Table Authorization Best practices
Hi,
I am working on OBIEE External table Authorization. I am able to successfully implement for one Project (catalog). The field for Authorization table (AuthTable) are
Windows_ID Employeeid Name EmpEMail GroupName Process_ID Process_Name Portal_Path
Here as per requirement a user should see data for a few process. So, I put a column for Process_ID and subsequently I created a INIT block in repository where query are like
Select 'PROCESS_ID',AuthTable. Process_id
From AuthTable
WHERE upper(AuthTable.AD_ID) = upper(':USER')
Then for User Groups I applied FILTERs for all the tables E.G for every Logical Table I applied Filter
Dim_Process."Process ID" = VALUEOF(NQ_SESSION."PROCESS_ID")
I checked data and every thing is correct. But My question is:
We have many projects/catalog for which Filter Criteria will be different so shall we insert a new column for each criteria in SAME AuthTable or there is any other and better way to maintain it. Because if we maintain one table for all the projects/catalog it will be very messy I would prefer to keep different tables for different projects/catalog as there data marts are different.
But Problem is for all other session variables we may use different INIT BLOCKS and hence different tables BUT for PORTALPATH there should be only one INIT BLOCK so only for PORTALPATH sake we need to keep every thing in same table ?
Tell me if I am wrong some where in my understanding or there is a better way to do it.
Regards
SaurabhHi,
Pls refer to this link. Kumar explained it very clearly
http://obieeblog.wordpress.com/category/obiee/obiee-security/
Pls award points, if helpful
Regards,
Sarat Nallapati -
Help with external table authorization
Hi Every One,
I am using OBIEE 11.1.1.6.
I have setup MSAD authentication through rpd and every user is able to login to analytics.
And there is an external table in the database where I have all the user and their groups( all users in MSAD are in this table)
I have created session variable called GROUP to have these usergroups for authorization.
I have created the groups in the front end with exact names that are in the external table.
But I cant set up the Required privilages
every user is seeing all the reports and subject areas.
Do I need to create the application roles with exact names as groups names in rpd?
Do i need to create groups in weblogic console?
Please help me in this regard.Hi,
I have created the groups in the front end with exact names that are in the external table.
Do I need to create the application roles with exact names as groups names in rpd?No need to create any groups or application roles in rpd.
Test Authorization init block properly.
Create application roles under console, which are nothing but groups in your external table. Apply security to dashboards accordingly.
Regards,
Srikanth -
11g hybrid authentication / authorization: WLS plus external table
I've implemented external table authentication / authorization in 11g. Now I'd like to add a twist.
I have an external table containing users B, C, and D. That external table contains all of the columns I need for authentication (including a clear text password) and for authorization (roles, log level, a dynamic table name, and so forth). I have authentication in one initialization block, authorization in another. Everything works fine. I can log in as B, C, or D and see exactly what I'm supposed to see, based on the ROLES.
The clear text passwords are generally not a problem, because this is a training instance and almost all of the passwords are the same. However, I want to add a user whose password should not be held in clear text. For that reason, I'd like to add that user into WLS. I've done that, and I'm able to log in to OBIEE. After confirming that I could log in to OBIEE with user A from the WLS, I added User A to the external table, left its password field blank, and filled in the other columns (roles, loglevel, etc...) that I need to assign into session variables.
Here's the problem: the authorization init block properly assigns ALL session variables for users B, C, and D. It assigns all session varaibles EXCEPT the ROLES variable for user A. I've confirmed this by creating an Answers analysis that shows me the values of the session variables. The ROLES session variable for user A shows "authenticated-role;BIConsumer;AuthenticatedUser". For all other users (those who are authenticated using the clear text passwords in the external table) the ROLES variable is populated correctly, based on the values in the ROLES column in the external table. In short, the authorization init block is properly assigning the ROLES session variable only for those users that were authenticated using the authentication init block, but is assigning all other session variables correctly for all users, even the one in WLS.
Here's my authentication init block code:
select bi_user
from bi_auth_ldap
where bi_user = ':USER'
and bi_user_pwd = ':PASSWORD'
Here's the authorization init block code:
select roles, bi_user_name, to_number(loglevel,0), channel_tbl
from bi_auth_ldap
where bi_user = ':USER'
(returned results are assigned into ROLES, DISPLAYNAME, LOGLEVEL, and CHANNEL_TBL session variables, respectively)
It feels like the ROLES session variable is populated in conjuction with the user logging on and being authenticated via WLS, and that the initialization block isn't able to overwrite that variable. Can an OBIEE developer confirm that for us, please? Once set in WLS, is it not possible to overwrite the ROLES session variable with SQL from an initialization block? If it IS possible, can you post some code that will accomplish it?
Thanks!It occurs to me that Oracle's support model is a fantastic way to make money. Let's see, I wonder if I could become a billionaire doing this:
Create some software. Sell that software. Then, charge customers several thousand MORE dollars, year after year, plus about $60 per bug, so that they have the right to report MY bugs to me. Yeah, that's the ticket - people PAYING for the right to report bugs to me. Oh, and if more than one person reports the same bug, I get to keep ALL of the money from ALL of them.
Let's summarize, make sure I haven't missed something: You buy my software, you PAY ME additionally to report MY bugs to me, I don't necessarily have to fix the bugs (but I keep your money whether I fix it or not), and I can collect multiple times from different people who report the same bug.
Sweeeeeeet.........
Billionaire Acres, here I come! -
I have done external table authentication by creating user related details in db, but i'm unable to view user specific data (row level data security) ie external table authoriztion. I have not used user groups..It is showing details pertaining to all users
Looking forward for your valuable suggestion....Hi,
Pls refer to this link. Kumar explained it very clearly
http://obieeblog.wordpress.com/category/obiee/obiee-security/
Pls award points, if helpful
Regards,
Sarat Nallapati -
Importing Users from external table in obiee 11g
Hi Every one,
Do any one help me giving suggestions that how we can import users from external table.
I am using obiee 11.1.1.6.
In that external table Which i am using there are 56K users.
They are able to login to obiee analytics.
But for setting object level security I need to make diffrent groups with these users to assign the dashbords and required objects in front end.
But how can we get all these users into BI server or presentation server to make them into groups.
Thanks in advance.
Edited by: 861096 on Mar 13, 2012 8:44 AMHi,
or if your lowest level is the same like
Day->month->year->Total
Day->businessMonth->businessyear->Total
Then yes, it is.
Create the first, then you start to create the second by adding your top(business year) level on the same level as the one you have (year) both under your total.
Then when you would add your second base level, there is a special option for it, something like use other hierarchy level/shared level (sorry can't recall and does not have a connection right now) then you select your existing day level under your businessmonth level.
Hope this helps,
Regards,
D -
External tables with user defined fuction help
Can any one help me
I have problem with using user defined function while creating the External table.
The user defined function Just takes an input empno and returns one number.
CREATE TABLE EMPXT_1(empno NUMBER(4)
ORGANIZATION EXTERNAL
TYPE ORACLE_LOADER
DEFAULT DIRECTORY TEST_DIR
ACCESS PARAMETERS(
RECORDS FIXED 4
STRING SIZES ARE IN BYTES
NOBADFILE
NODISCARDFILE
LOGFILE '211205.KNU.LOG'
FIELDS
NOTRIM
(empno POSITION(1) integer external(4) p_1(:empno)
LOCATION
('empxt_1.dat')
REJECT LIMIT UNLIMITED
NOPARALLEL
content of expxt_1.dat
7849
SELECT * from EMPXT_1;
ERROR at line 1:
ORA-29913: error in executing ODCIEXTTABLEOPEN callout
ORA-29400: data cartridge error
KUP-00554: error encountered while parsing access parameters
KUP-01005: syntax error: found "double-quoted-string": expecting one of:
"comma, defaultif, nullif, optionally, ), terminated"
KUP-01007: at line 8 column 49
ORA-06512: at "SYS.ORACLE_LOADER", line 14
ORA-06512: at line 1hi,
may be u have do these
for ORA-29913 error
1. you have to grant read and write to a directory.
for other errors do check this document
http://www.lc.leidenuniv.nl/awcourse/oracle/server.920/a96525/kupus.htm
hope this may help u
Trinath Somanchi -
How to provide Admin access to users that are in external table
Hello All,
I have configured external table authentication in OBIEE 11.1.1.5.0, i am able to login, i have some couple of users, i want to provide for some users as ADMIN Privileges
. Also how to identify these users in application roles, when i am trying to add in the application roles, i am not able to find these users.
Thanks,
SreekanthTry
DBA_STMT_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_OBJ_AUDIT_OPTS
SYS@etest> audit role;
Audit succeeded.
SYS@etest> SELECT * FROM DBA_STMT_AUDIT_OPTS;
USER_NAME PROXY_NAME
AUDIT_OPTION SUCCESS FAILURE
ROLE BY ACCESS BY ACCESS -
Using users from an external table in the BI Publisher add-in for Word
After installing the BI Publisher add-in in Word, I find that I can connect to BI Publisher (http://hostname:9704/xmlpserver) only using IDs that are defined within WLS. I'm using an Oracle database table and external authentication to get my users logged in to the Answers environment, and they use the BI Publisher features of Analytics as well. But if I try to connect from the add-in to xmlpserver as one of those externally authenticated users, it fails.
Do I have to create new users in WebLogic Security for those folks who need to build BIP templates in Word? If not, how can I get the add-in to recognize and use the external table authentication?
I'm in 11.1.1.6.2 BP1, but I've noticed the problem for a long time, possibly back to 10g.As you probably noticed, your formulas won't import into Project Siena - only the data.
I've created a sample application for you to demonstrate how you create formulas in Project Siena.
Here's the link to the project:
https://onedrive.live.com/redir?resid=D64FC13017F614FD!47783&authkey=!AN3UxGDTP1vNbbU&ithint=folder%2cjpg
In this example, I'm doing the heavy lifting on the Calculate button.
Here's what I did to create the project.
I added two input text boxes for height and weight
I added a calculate button.
I added a label to display the result. In the Default Text I added
BMI which is a context variable. I could have called it BMIResult - it's up to you.
Here's the formula for OnSelect of the Calculate button:
UpdateContext({BMI: Round((Value(txtWeight!Text) / Value(txtHeight!Text * txtHeight!Text)), 2)*703})
Note: If you haven't done so already, click 'Express View' in the lower right hand corner to see the properties.
UpdateContext is a formula that is used to change results - in this case the variable, BMI.
I used the Round function so it displays 2 digits for the decimal.
I used the Value formula to convert the input boxes to numbers.
This should get you started in the right direction - let me know if you need further explanation.
One more thing to add - when creating a context variable, you will see a yellow exclamation mark until you have a formula that references it.
Thor -
Can BIP be logged in using BIEE user from external tables?
I've setup the BIEE Session Initialization Blocks using data from external table in database.
And now Oracle BI Interactive Dashboards can be logged in using user "sysadmin" which stored in external table.
And user "sysadmin" has its group information of "XMLP_ADMIN" from external table
But BIP can't with error like follows:
PS: xmlp-server-config.xml
<property name="COMPRESS_REPORT_DATA" value="false"/>
<property name="BI_SERVER_SECURITY_URL" value="jdbc:oraclebi://10.100.100.69:9703/"/>
<property name="SAW_SESSION_TIMEOUT" value="90"/>
<property name="BI_SERVER_SECURITY_DRIVER" value="oracle.bi.jdbc.AnaJdbcDriver"/>
<property name="SAW_PORT" value="9704"/>
<property name="SAW_PROTOCOL" value="http"/>
<property name="COMPRESS_REPORT_OUTPUT" value="false"/>
<property name="SAW_URL_SUFFIX" value="analytics/saw.dll"/>
<property name="SECURITY_MODEL" value="BI_SERVER"/>
2009-06-28 17:32:50.484 NOTIFICATION connect to NQSSECONDARYCCS=;PORT=;SSLKEYSTO
REPASSWORD=***;PRIMARYCCS=;USER=sysadmin;PRIMARYCCSPORT=;TRUSTANYSERVER=;LOGFILE
PATH=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3\;SECONDARYCCSPORT=;TRUSTSTOREPASSWORD=
***;LOGLEVEL=;SSL=;HOST=10.100.100.69;CATALOG=;PASSWORD=***;
2009-06-28 17:32:50.703 NOTIFICATION connect to NQSSECONDARYCCS=;PORT=;SSLKEYSTO
REPASSWORD=***;PRIMARYCCS=;USER=Administrator;IMPERSONATE=sysadmin;PRIMARYCCSPOR
T=;TRUSTANYSERVER=;LOGFILEPATH=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3\;SECONDARYCC
SPORT=;TRUSTSTOREPASSWORD=***;LOGLEVEL=;SSL=;HOST=10.100.100.69;CATALOG=;PASSWOR
D=***;
2009-06-28 17:32:50.921 WARNING java.io.IOException: [nQSError: 43001] validate user sysadmin from St
ar failed:invalid user/password
It's wired that a user can login to Oracle BI Interactive Dashboards but can't to BIP while they use the same authentication.That should work..
If you are able to login in BIEE with the external user,
and configured BI security model as BIEE, then you should be able to login.
May be, restart the services and try. this is not going to change any, but just in case, you have modified any setting for which the restart may be required.,. -
External table authentication not updating user group changes
Hello
I have a question..
In OBIEE, i am using external table authentication. I have user and user group tables where users and groups are stores.. Every Time I create a new user and assign them to a group, these records get inserted immediately to these tables with the correct user and group ID that matches with each other.. Then in my initialization block I have the query that fetches the user name and psswd as well as groups names..
All these are working at the initial user creation. For example, when I create user A and assign it to group A, the DB table has all of the records inserted correctly. When I log in to OBIEE using User A login, I see it is assigned to Group B.
The problem comes when I change the user A from Group B to Group C. When I did that, although the DB table gets updated correctly, OBIEE session seems to still be the previous one. As a result, when I log in the second time, I see the user A is still assigned to Group B instead of Group C.. This seems to be cached..
I double check these user tables in OBIEE, none of them are cache enabled.. The connection pool setting of the isolation level is set as default..
When I reinstall OBIEE all over again and re-log in the first time, this User is now assigned to Group C..
So seems to be that it is caching issue.
How should I go about solving this issue
Appreciate in advanceMake sure you check the box for 'Required for authentication' and also 'Use caching' should not check.
Edited by: Srini VEERAVALLI on May 15, 2013 9:05 PM
Maybe you are looking for
-
Safe to delete file from Time Machine hard drive?
Is it safe to delete a file from an external hard drive that's being used for Time Machine backups? The file is not a backup -- it's a .dmg from the manufacturer of the hard drive. Other than that one file, I don't use the drive for anything other th
-
Taking user input in a PL/SQL block
Can someone tell me if it is possible to to take user input from within a PL/SQL loop? I mean I want that for each iteration in the loop, the program first take user input, and then based on that input, it perform specific operations. Then it repeats
-
Connecting new ipod to computer already programed w/ ipod shuffle
Help, I'm dumb. I was given an ipod shuffle a while back. Installed it, loved it, bought a bigger, better one, but can't use it yet. Can't get my itunes program on computer to recognize that I have a new ipod. How can I make computer w/ ipod shuffle
-
Dear Experts, I'm running a BI query to extract data then used VBA code to import external data from another Excel file. After storing the external data in a variable, I'm having trouble getting back to my original worksheet using VBA command Window
-
Email Vendor Remittance Advice
Hi, We have a requirement of emailing vendor remittance, I have activate the BTE 2040 and it is working fine for me. Now my question is I need your help in two areas 1) Changing the file name, currently it is generating payment advice note dated XXXX