LDAP Authorization for OBIEE 10.1.3

Hello,
We have set up LDAP authentication (ADSI LDAP) using OBIEE standalone.
I'm trying to figure out the best way to manage authorization (user-to-group assignment) in OBIEE.
Options:
1. Using external table
Challenge: The client doesn't have another application that manages user-to-group assignment. If I use external table authorization, how will they manage changes to user-to-group assignments or add a new user to a group? This would require an IT admin to modify the table directly in production. They would like a business super user to handle new user-to-group assignments.
2. Import user to LDAP
Unfortunately this doesn't work with ADSI LDAP. I got the error message: "This function is not supported for all LDAP type."
3. I read something about using database DBMS_LDAP package. Basically: Define user to group assignment in LDAP. Define a db function to get db to group assignment. Call this db function in OBIEE.
I am not sure if this DBMS_LDAP package will work with DB2. Any comments will be helpful.
4. I thought about using Microsoft Excel to maintain the user-to-group assignment and using an Excel connection pool in the authorization init block. However, the OBIEE server runs on AIX, and there is no Excel driver available for UNIX.
Has anyone seen this scenario before? Any suggestions will be greatly appreciated.

When we were asked to combine OBIEE 10g with Active Directory, we chose external table authorization to get information on the groups a user is part of.
In general, one could follow these articles to achieve AD Authentication:
[http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/|http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/]
[http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/|http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/]
To sum it up: read the user information from AD. Knowing a user's login name, one can then query an external table which holds user and group information. Everything is set up within initialization blocks, which can be created in the Administration Tool.
Problem: As you already said, the problem is that this external user-group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
In our case, there's an admin who knows what SQL is and how to work with it.
Another solution could be to prepare an XML file containing user and group information and add it to your repository. The tables could then be queried, too. Although XML files can become quite unwieldy if a lot of information is held in them, they can be edited via external tools or at least with a standard text editor.
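As an added example (not code from the original thread or from OBIEE), the external-table authorization described in the reply above, modelled with an in-memory SQLite table standing in for the client's user/group table. The table name, its columns, the ALLOWED_GROUPS policy and the sample users are assumptions for the demo; the group names are the ones used elsewhere in this thread. A row-wise initialization block in OBIEE runs a query along the lines of `SELECT 'GROUP', group_name FROM user_groups WHERE user_name = ':USER'` and assigns every returned row to the GROUP session variable; the lookup below does the same with a bound parameter rather than text substitution, and adds the guarded maintenance path the original poster wants for a business super user.

```python
# Added example (not code from the original thread): external-table
# authorization for OBIEE session variables, modelled with SQLite.
# The table, its columns, ALLOWED_GROUPS and the sample users are
# assumptions for this demo.
import sqlite3

# Constructed sample memberships: who belongs to which RPD/Presentation group.
SAMPLE_MEMBERSHIPS = [
    ("jdoe",   "SR_Manager"),
    ("asmith", "Horz_Group"),
    ("asmith", "TL_Groups"),
]

# Only groups that actually exist in the RPD may be assigned (assumed policy).
ALLOWED_GROUPS = {"SR_Manager", "Horz_Group", "ORGH_Group", "TL_Groups"}


def build_auth_db() -> sqlite3.Connection:
    """Create the external authorization table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    # COLLATE NOCASE: AD logins are case-insensitive, so 'ASmith' and
    # 'asmith' must hit the same rows or the user silently gets no groups.
    conn.execute(
        """CREATE TABLE user_groups (
               user_name  TEXT NOT NULL COLLATE NOCASE,
               group_name TEXT NOT NULL,
               PRIMARY KEY (user_name, group_name))"""
    )
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", SAMPLE_MEMBERSHIPS)
    conn.commit()
    return conn


def groups_for_user(conn: sqlite3.Connection, user_name: str) -> list:
    """Row-wise init block equivalent: one row per group the user belongs to."""
    rows = conn.execute(
        "SELECT group_name FROM user_groups WHERE user_name = ? ORDER BY group_name",
        (user_name,),
    ).fetchall()
    return [group for (group,) in rows]


def assign_group(conn: sqlite3.Connection, actor_groups, user_name: str,
                 group_name: str) -> bool:
    """Maintenance path for the business super user the poster asks for:
    only an SR_Manager member may assign, and only to a known RPD group."""
    if "SR_Manager" not in actor_groups:
        return False
    if group_name not in ALLOWED_GROUPS:
        return False
    conn.execute("INSERT OR IGNORE INTO user_groups VALUES (?, ?)",
                 (user_name, group_name))
    conn.commit()
    return True


if __name__ == "__main__":
    db = build_auth_db()
    print("asmith ->", groups_for_user(db, "ASmith"))
    print("assign by non-admin:", assign_group(db, ["Horz_Group"], "newuser", "TL_Groups"))
    print("assign by SR_Manager:", assign_group(db, ["SR_Manager"], "newuser", "TL_Groups"))
    print("newuser ->", groups_for_user(db, "newuser"))
```

Two practical checks follow from this. The real init block substitutes `:USER` textually, so the user_name column must hold exactly what the authentication block returns (the sAMAccountName) and should compare case-insensitively; a user who authenticates but matches no rows gets nothing but "authenticated users", which is the symptom described in the "Authorization in OBIEE" thread further down. And because the substitution is textual, a login name containing a single quote breaks the query, which is one more reason to keep the table's contents under the control of a small, known set of maintainers.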

Similar Messages

  • LDAP authorization for VPN

I am having problems getting the LDAP authorization to work. None of the instructions I find seem to coincide with my version of ASDM 5.0(7) and ASA 7.0(7).
So if anyone has the right instructions for these versions, can you send me a link?
I get as far as testing it and it fails. When I test, it asks for a user name but never a password, so I am not sure what I am doing wrong.
    Any help appreciated.

    Post your AAA & VPN profile config from the device please?

  • Using OWSM for SAML verification and LDAP authorization

I can verify SAML tokens by using EM security (verifying SAML tokens), but when I use OWSM I get this error at the proxy (by adding the step "SAML - Verify WSS 1.0 Token" to the policy of a server agent):
Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
Also I need to LDAP-authorize the subject of the SAML token after verification. Is it enough to put the LDAP authorize step after SAML verification?
Won't I need an EXTRACT CREDENTIAL step?
    Regards
    Farbod


  • Authorization in OBIEE

We have configured OBIEE with an LDAP server for authentication. Can somebody tell us how we can authorize the user with respect to a particular group?
Do I need to create similar groups in the repository and web catalog?
(We don't want to import all the users and groups from LDAP; is there any other way of doing this?)
    Thanks

I have a comparable problem.
With LDAP I can log in, but I can't provide the user with the right role or any role at all. I tried to make a table in the database where I could select the role with the :USER (username), but it doesn't work. Also, when I look in "My Account" I only see the group "authenticated users".
    Steps so far:
    - Initblock user with ldap (variable = user, ldap variable = sAMAAccountName)
    - Initblock Roles with query
    select role_name
    from obiee_roles
    where user_name = ':USER'
variable target (variable = GROUP)
Execution precedence is FIRST initblock USER.
I must have forgotten something. Maybe someone can help me?
    Thanks!

  • Regarding Authorization in OBIEE

    Hello Experts,
I am having trouble, or rather confusion, with authorization in OBIEE. We have configured authorization using an external table and it is working fine.
    Scenario is:
    We have hierarchy like Senior Managers-> Horizontal Head->ORG Head-> Team Leads
I created their respective groups for each of them in the RPD and in Presentation Services.
    Senior Manager Group (SR_Manager) has NO restrictions, all other 3 groups(Horz_Group, ORGH_Group, TL_Groups) have data level security they can view data for Process_ID aligned under them. This we are maintaining in external table.
    My doubt comes in when a Senior Manager is member of other groups as well.
    Let say ABC is Senior Manager as well as Horizontal Head and as a Horizontal Head his access is restricted to 5 Process_IDs.
My doubt is: shouldn't ABC see all the data, as he is part of the Senior Manager group? Senior Manager membership should supersede all other memberships. As per the documentation, OBIEE should apply LEAST RESTRICTIVE PERMISSIONS?
    Kindly suggest if my doubt is valid.
    Thanks
    Ankita

    Hi Amith,
    Thanks for your reply.
    I would like to confirm from what you replied. You asked to change the scenario for our senior most group.
    For our scenario, Sr_Manager group has no restrictions. Hence, all data should be viewable to members of this group. We have now kept all members belonging to Sr_Manager group to this group only and no other group membership has been provided. This works fine and is giving expected results.
I would like to bring to your notice that this problem did not occur initially, when all the groups had been created. Any member of Sr_Manager who also belonged to other, lower groups could view all data as per his least restrictive group membership. But I am not sure why this is failing now.
    Could you pls suggest any cause of this problem?
    Regards
    Ankita

  • Problem with LDAP authentication for users in a group

I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection so that all users can authenticate just fine; however, when I set up the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
    [6707]  memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
    [6707]          mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]          mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
    [6707]  msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me in the right direction and show me what I'm doing wrong. Thank you.
    ldap attribute-map AuthUsers
      map-name  memberOf IETF-Radius-Class
      map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
    aaa-server LDAP protocol ldap
    aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
     ldap-base-dn DC=COMPANY,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
     server-type microsoft
     ldap-attribute-map AuthUsers
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
     webvpn
      anyconnect ask none default anyconnect
    group-policy GroupPolicy_COMPANY_SSL_VPN internal
    group-policy GroupPolicy_COMPANY_SSL_VPN attributes
     wins-server none
     dns-server value 10.10.100.102
     vpn-tunnel-protocol ikev1 ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT-TUNNEL
     default-domain value net.COMPANY.com
     webvpn
      anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
    tunnel-group COMPANY_SSL_VPN type remote-access
    tunnel-group COMPANY_SSL_VPN general-attributes
     address-pool COMPANY-SSL-VPN-POOL
     authentication-server-group LDAP
     authorization-server-group LDAP
     authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
     default-group-policy NOACCESS
     authorization-required
    tunnel-group COMPANY_SSL_VPN webvpn-attributes
     group-alias COMPANY_SSL_VPN enable
    tunnel-group COMPANY_SSL_VPN ipsec-attributes
     ikev1 pre-shared-key *****

    I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.
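As an added example (not part of the original post, and not a model of ASA internals), how the posted config turns a user's memberOf values into a group-policy, and how the symptom the poster hit arises. The attribute map, the policy names and the vpn-simultaneous-logins values are taken from the posted config; the LDAP entries are constructed, and the inheritance rule (an attribute missing from the mapped policy is taken from the tunnel-group's default policy) is the poster's own explanation, used here as the model's assumption.

```python
# Added example, not part of the original post: memberOf -> group-policy
# mapping as configured above, with the inheritance rule the poster
# describes as an assumption of this model.

# ldap attribute-map AuthUsers: memberOf DN -> group-policy name.
ATTRIBUTE_MAP = {
    "memberOf": {
        "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com":
            "GroupPolicy_COMPANY_SSL_VPN",
    }
}

# tunnel-group ... default-group-policy NOACCESS
DEFAULT_GROUP_POLICY = "NOACCESS"

# Group policies as posted: the VPN policy never sets vpn-simultaneous-logins.
POSTED_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_COMPANY_SSL_VPN": {"dns-server": "10.10.100.102"},
}

# The fix from the follow-up: set the attribute explicitly on the VPN policy.
FIXED_POLICIES = {
    "NOACCESS": {"vpn-simultaneous-logins": 0},
    "GroupPolicy_COMPANY_SSL_VPN": {"dns-server": "10.10.100.102",
                                    "vpn-simultaneous-logins": 15},
}


def mapped_policy(ldap_entry: dict) -> str:
    """First memberOf value with a map-value entry wins; otherwise the
    tunnel-group default (deny by default via NOACCESS).  Exact string
    match on the DN is an assumption of this model."""
    for dn in ldap_entry.get("memberOf", []):
        policy = ATTRIBUTE_MAP["memberOf"].get(dn)
        if policy is not None:
            return policy
    return DEFAULT_GROUP_POLICY


def effective_attribute(policies: dict, policy: str, attr: str):
    """Explicit value on the policy, else the value from the default policy
    (the poster's explanation, assumed here)."""
    if attr in policies[policy]:
        return policies[policy][attr]
    return policies[DEFAULT_GROUP_POLICY].get(attr)


def login_allowed(ldap_entry: dict, policies: dict) -> bool:
    """A session can be built only if the mapped policy is not the deny
    policy and it resolves to a positive simultaneous-login limit."""
    policy = mapped_policy(ldap_entry)
    if policy == DEFAULT_GROUP_POLICY:
        return False
    limit = effective_attribute(policies, policy, "vpn-simultaneous-logins") or 0
    return limit > 0


if __name__ == "__main__":
    # Constructed directory entries.
    vpn_user = {"sAMAccountName": "alice",
                "memberOf": ["CN=Domain Users,CN=Users,DC=COMPANY,DC=com",
                             "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com"]}
    other = {"sAMAccountName": "bob",
             "memberOf": ["CN=Domain Users,CN=Users,DC=COMPANY,DC=com"]}
    for name, policies in (("posted", POSTED_POLICIES), ("fixed", FIXED_POLICIES)):
        print(name, "alice:", login_allowed(vpn_user, policies),
              "bob:", login_allowed(other, policies))
```

The shape of the posted config is the right one: NOACCESS as the tunnel-group default means anyone the attribute map does not recognise gets a policy that cannot build a session. The lesson from the follow-up is that every attribute an allowed session depends on must then be set explicitly on the permitted policy, so that nothing the deny policy contributes can reach it.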

  • LDAP realm for authentication and ACL in Database

    We are thinking of using LDAP realm for authentication and we want to use ACL from a Database. But the documentation says: "WebLogic Server defers to the LDAP realm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file"
Can we use the LDAP realm for authentication and manage our ACLs from a database, or do we have to use the weblogic.properties file? Does the WebLogic security API help in the above scenario? Thanks, Ram

    Unfortunately, there is no easy way to do this in wls 6.0.
    The only way to handle it is to write your own custom realm
    that uses ldap for users and groups and a database for acls -
    probably not a viable alternative.
    -Tom
    "kevin doherty" <[email protected]> wrote:
    > Jeffrey Hirsch <[email protected]> wrote:
    > > You should be able to use the DelegatedRealm interface to utilize the authentication methods from LDAP and the authorization methods from RDBMSRealm...
    > I'm trying to do this too, but we are using WL6 and I see that the DelegatedRealm interface has been deprecated in this version. I'd greatly appreciate more information on doing this in WL6.
    > Thanks!
    > -kd

  • Issues when configure LDAP server in OBIEE

    Hi,
I have a big issue. I configured an LDAP server for authentication of users, and everything looks fine, but my problem is that when I log in to Interactive Dashboards I get in without any problem, but some parameters, filters and functions are NOT working, for example:
- In a parameter I have this condition for the default value: SELECT YEAR(Tiempo.Dia) FROM Finanzas WHERE Tiempo.dia = CURRENT_DATE, and it returns a null value, but if I change it to SELECT YEAR(Tiempo.Dia) FROM Finanzas WHERE Tiempo.dia = CURRENT_DATE-1, it returns "2010".
I have similar behaviour in other parameters, and in some filters and functions.
Everything happens in the Development instance, where I configured the LDAP server.
In the Production instance none of this happens, but I have not configured the LDAP server there yet.
What does anyone think is happening here? Does this happen because I configured the LDAP server? What do you think causes this behaviour in my parameters, filters and functions?
Do you think it is better practice to clone the Production instance to the Development instance? If so, how can I clone an instance, only for OBIEE?
    Regards,
    Arnulfo
    Edited by: ArnulfoPA on 25-may-2010 15:35

The date returned by CURRENT_DATE is determined by the system on which the Oracle BI Server is running. So, does CURRENT_DATE return the same value on the prod and dev instances in your case?

  • LDAP Authorization Example

    Hello;
    Does anyone have a good example of an LDAP authorization script? The examples on the Cisco website don't provide enough detail. This version of LDAP is Windows 2003 Active Directory.
    Thank You

    Refer this document to Configuring an LDAP Server for VPN Concentrator User Authorization
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/ldapapp.htm#1533072

  • SSO for OBIEE and WebLogic 10.3

    Hey, and thanks in advance for any replies.
    I'm struggling trying to get the single sign on integration working for OBIEE (10.1.3.4.1) and Oracle WebLogic 10.3. I've got the active directory hooks enabled, but there doesn't seem to be any passthrough from the browser to weblogic to the application on the back end (using NTLM and Internet Explorer).
    Any tips on getting this running?
    Thanks,
    Eric

There are no "passthroughs from the browser to weblogic" for SSO. I think you are confusing SSO with external authentication. By "got the active directory hooks" I presume you mean you configured LDAP in your RPD, right? But that's just for external authentication. How are you trying to do SSO? What portal are you trying to integrate OBIEE with?

  • Problem with Authorization for Planning folder

Hi, I am having a problem with providing authorization for a planning folder.
I am getting the following error when I test it with a test user:
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    we are not pulling the data from any other server, all the data is on the sif any one has faced the same issue let me know.
    Regards,
    Abraham

    Calling Thru Trans code: BPS0 in ECC 6
    getting this error:
    Error while calling up RFC
    Message No. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "An error occurred during the receipt of a complex parameter."
    after i check in bw trans code:st22
    Following this error message:
    Category                   Internal Kernel Error
    Runtime Errors         PARAMETER_CONVERSION_ERROR
    Application Component  BC-MID-RFC
    Short text
        An error occurred during the receipt of a complex parameter.
    What happened?
        During a remote function call, an error occurred while converting
        a complex parameter.
    What can you do?
        Note which actions and input led to the error.
        For further help in handling the problem, contact your SAP administrator
        You can use the ABAP dump analysis transaction ST22 to view and manage
        termination messages, in particular for long term reference.
    Error analysis
        An error occurred during the conversion of a complex parameter.

  • Problem with Authorization for BW BPS planning Folder

Hi, I am having a problem with providing authorization for a planning folder.
I am getting the following error when I test it with a test user:
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    if any one has faced the same issue let me know.
    Regards,
    Abraham

Hi,
I checked it out; we don't have that cube in our system.
    Regards,
    Abraham

  • Authorization for opening & Closing posting periods - OB52

    Hi,
    Is there any way to set authorization for opening & closing of posting periods in OB52?
    My scenario:
    I have 2 company codes - A & B assigned to 2 different posting period variant - say PPA & PPB.
    The user belonging to CoCd A should not be able to open/close posting period of CoCd B and vice versa.
    Is this possible through any authorization settings?
    Request your help on this.
    Regards,
    Sridevi

    Hi Sridevi
    Please go through the following:
    You can assign authorization groups for permitted posting periods. This means that, for example, some posting periods can only be opened for particular users within monthly or annual closing. You can only assign the authorization group at document header level and it only affects period 1. The authorization object is called F_BKPF_BUP (Accounting document: Authorizations for posting periods). Read the corresponding chapter on "User maintenance" in the "Assigning authorizations" topic.
    "User maintenance"
    Due to the modular authorization concept of the system, you can define authorization profiles which are tailored to the workplace of your employees. You can, for example, assign authorization to a workplace in the Accounts Receivable, Accounts Payable or General Ledger Accounting areas.
    By assigning authorizations you define which business-related objects your employees are allowed to process and which editing functions are allowed.
    In the following activities for authorization management, you must carry out the following for employees who are to work with the system:
    Assign authorizations
    The authorizations are assigned by specifying permitted values for the pre-defined objects.
    Define profiles
    In the SAP system, authorizations are grouped together in workplace profiles. Therefore one or more profiles must be allocated to the individual employee in the master record.
    I hope this helps.
    Regards
    Kavitha

  • Authorizations for materials and material groups

    Hello experts,
Is it possible to limit the authorization to make purchase requisitions for some materials or material groups depending on the user?
I heard that it is possible to update some materials using the authorization M_MATE_MAT and including them in the material master, material group and user. But does this also work for the creation of purchasing documents (PR, PO, RFQ, ...)? Do I have to include this authorization for all the materials? If they do not have it, I understand that it works for everyone.
    Thanks in advance for your help
    Best regards,

    Hi Madii,
actually authorization works at the object level, i.e. if you have provided the authorization for the user to make a PR with a certain material group, then even if you don't define that group in the PO role, the user will still get the authorization from the PR role.
Why do you want to allow the user to make the PR for a certain material group for which he should not be making the PO?
Or let a different body take care of the other material group.
    Hope it helps.
    Regards,
    Yawar Khan

  • Authorization for certain warehouse in stock transfer

    I'm trying to create an authorization for stock transfer when To Warehouse equals a certain value. Is there a way to do it?

Hi,
> How could I do it with an approval procedure?
You can create approval stages and a template by using a query.
> Is it with a query?
Yes.
> Will it be similar to a formatted search?
Yes.
Try this query for row level with only one item:
Select Distinct 'True' FROM OWTR T0 inner join WTR1 T1 on T0.docentry = T1.docentry
Where $[$23.5.0] = 'ExScrap'
Note: Replace ExScrap with your warehouse name.
    Thanks & Regards,
    Nagarajan
