OBIEE Group Authentication Maintenance

Similar Messages

• Groups Authenticated users & Everyone difference

  Hi Everyone,
  There are builtin groups Authenticated users & Everyone.  when i check for some iviews, folders, their permissions are set to Everyone with enduser as checked and for some objects, the permissions are given as Authenticated users group with enduser as checked. 
  What is the difference between these two.  All the ESS/MSS objects has given the permission as Authenticated users group with Enduser checked. 
  anyone clarify this doubt.
  Regards,
  EP.

  Hi,
  There are two kinds of Properties for an Portal Content Object,
  1. Administrator Permission- create/modify/read/ permissions etc privilatges on the object. These are Design Time Permissions
  2. EndUser- When a user is assigned a end User Permission, he can view the content at runtime i.e. If the iView is assigned to the User (via iView assigned to a role, and role has an entry point and assigned to the user) and he has only the end user Permission, then he can login and view the runtime content only. A kind of end user privilage.
  Now,
  1. Authenticated Users: the Users who have entered their logon info/ used a certificate to Login to the Portal/ to say users who have authenticated themselves to Portal  are the Authenticated Users. The User Group is named so.
  2. Everyone- All the Users- Authenticated or not fall in this group. Sometimes Content can be accessed directly with a URL without any Logon.
  Based on who can access the End user Content, the End User permission is provided in Permission settings, i.e.in the ACL of that Object.
  Hope this answers your question. Reward points for Helpful answers.
  Thanks,
  Vamshi

• What to enter in Group Authentication ?

  Hi People,
  I am connecting to the server however, i am entering the host as what i know. What do i need to enter in group authentication?? 

  What vpn client are you  using? Is this the Cisco ipsec vpn client
  Thanks
  John

• Dynamic Group containing maintenance mode devices

  Hi,
  I am using a scheduled script to put a large number of items in maintenance mode for periods of time where we do not which to receive alerts or cause DA state changes. For these objects, the time is overnight or weekends.
  The script adds all objects in a dynamic group into maintenance mode. This includes both windows and network devices.
  My issue is that when an engineer manually puts an item into maintenance mode for genuine maintenance purposes, it may be overridden. 
  So my idea is to have another dynamic group containing all objects in maintenance mode, and make it an exclusion in the original group. Is this possible or is there a better way?
  FYI The script I am using for the bulk maintenance mode is based from here:
  http://www.systemcentercentral.com/opsmgr-2012-group-maintenance-mode-via-powershell-the-way-it-should-be/

  Hi,
  We can use below command to get all members in a group:
  $Groups = Get-MonitoringObjectGroup  
  $Group = $Groups | where {$_.DisplayName -eq "Group Name"}   
  $Members = $Group.GetRelatedMonitoringObjects()   
  And with below command we could get all members that in maintenance mode:
  $Members | where{$_.inmaintenancemode -eq $true}
  With set-SCOMMaintenanceMode command we can update active maintenance mode entries.
  http://technet.microsoft.com/en-us/library/hh920197(v=sc.20).aspx
  Regards, Yan Li

• Planner group vs maintenance work centre?

  hi
  in IDES server generally planner group and maintenance work centre are same.can they be different if so then please
  explain with example.
  regards
  sanjay

  Hi,
  Work Center - represents a unit that is capable of performing work. It can be a group of person, equipment and special resources used to MANAGE the work order and/or PERFORM work order operations during maintenance execution. It can be used to model a resource availability within the organisation. There are 2 types, Main Work Center (responsible for overall managemetn of the work) and Operational Work Center (executes the operation activities).
  Planner Group - represents a person or group of persons responsible for the PLANNING and PROCESSING of several maintenance Work Orders.
  Cheers,
  Joey

• Support for Cisco VPN "mutual group authentication"

  Hi,
  Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
  Thanks,
  John

  I would like to know the answer to this as well.
  Thanks,
  Josh

• OBIEE 11g authentication

  Hi,
  Can OBIEE 11.1.1.7 support authentication of EBS and LDAP together, like:
  1. Users automatically logging into OBIEE from EBS
  2. Users logging from OBIEE login screen as standalone with LDAP authentication
  I understand the responsibilities/groups need to be common among EBS and LDAP, but how to achieve this both authentications.
  Thanks,
  Ven

  Hi Deva,
  Thanks for your reply.
  I've heard from some people that there's a bug in OBIEE 11.1.1.5 that prevents integration of OBIEE 11 security with EBS 11.
  I'm trying to find anyone who actually succeeded to get the thing done.
  I used the DeliverBI document as well as the official guide.
  Is there any way to "debug" my settings? How can I know - what's wrong?
  Thanks,
  Alex

• OBIEE Groups - RPD Groups, Catalog Groups, LDAP Groups

  Greeting Experts
  I am trying to get a clear understanding of how these different groups play out in the OBIEE world.  Ideally I am looking to get clarity around what the boundaries are for these groups (what they control and don't). Really appreciate if someone could enlighten me
  Thank you very much.

  will LDAP Group security takes precedence over Catalog Group security
  Yes
  when it comes to LDAP security, can it be extended to control Authorizations besides, just User Authentication ?
  Basically LDAP groups are associated with the users and those groups are again associated to Application Roles so Authorization and authentication can be done using Application role rather than a group
  But if you have catalog groups (default 10g security model) you can still assign application roles for those catalog group and enable the object level security (Goto Administrator ---> Manage Catalog Groups ---> select any default 10g group there you can search and add applicatoin roles)
  thanks,
  Saichand

• OBIEE Group By on 2 facts and concatenated columns from different dimensions

  Hi
  I have a different kind of problem involving 2 fact tables with different dimensional attributes.
  Fact 1 has Dim Attributes ( Cust,Facility )
  Measure - Gross Amount
  Fact2 has Dim attributes (Cust,Facility and Risk Group )
  Measure : Exposure Amount
  Since we have 2 facts with different dimensions,
  to exclude the 'Risk Group' dimension column from the group by for the Fact1,
  we set the 'Gross Amount' measure to total level (Risk Group Dimension ) in contents tab.
  So the values from both the fact tables appears in the same report correctly.
  But in the same report we have another requirement where the rating column from the customer dimension has to be concatenated with the ratings column in the facility dimension.
  We have to concatenate customer.rating with the facility.rating and display it in the report.
  when we just pull the individual columns from the dimensions into the report it works fine.
  But when we try to concatenate the 2 columns and show it in the report,
  the concatenated column does not appear in the select or the group by in the SQL Fact2.( Generated by OBIEE )
  The other fact1 has the concatenated column in the select as well as the group by clause ( Generated by OBIEE )
  As a result the report shows the concatenated values only for the results from the Fact1. But the results from Fact2 does not have the concatenated column values.
  The report should look like the below:
  Custor.Name,     Customer.Id,     Facility.Name,     Facility.Id,     Customer.Rating/Facility.Rating,     Risk Group,     Gross Amount,     Exposure Amount
  ===========    =========      ===========     =========   ========================      =========     ===========     ===============
  JPMC                123                    GROSS               123               08/10                                                  LNL                    45,000               25,000
  CLAIRE               456                    NET                    456               07/10                                                  RNK                    50,000               30,000
  Thanks,
  Chandra

  As suggested you really want to move your none-aggregated fact attributes to a logical dimension (using the same physical table as the logical fact). Map this in the BMM layer as a snowflake, Place a hierarchy on this dimension with (at minimum) Total -> Detail levels, then on the other fact table you want to include in the report, set the content level on your other fact measures to the 'Total' level for your new logical Dim and it will allow them to be present in the same report.

• OBIEE Group authorization

  Hi,
  We are using the LDAP security for Authenticating the users.. but when I try to Authorize the Users to see a Particular dashboard it is failing. I have created a table in DB with Logon and the group details and created a session variable by using the below sql. But When I try to test this Initialization block the Test Button is not highlighting in the rpd .
  SELECT ‘GROUP’, R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(‘:USER’)
  Please suggest me whether I am doing the correct approach to give access to dashboard.

  Yes... The three steps you have mentioned is the standard way of doing an authentication using LDAP and Authorization using external database.
  When ever a new user is added, you just have to add that user name and group name in the external db table.
  No need to give permissions to that particular user in Presentation Catalog as you might have already given permission to the group to whcih this user belongs.
  While logging in you have to give the correct username as it is configured in your LDAP server. For entering the new user in DB it need not be case sensitive as the Init block query takes care.
  SELECT ‘GROUP’, R.GROUP_NAME FROM WC_USER_AUTH R WHERE UPPER(R.LOGON)=UPPER(‘:USER’)
  Regards,
  Bhavik

• AAA:How to separate the group authentication on Switches through Radius/Tac

  Hi,
  Currently my ACS is being integrated with AD and all the users can access my IOS devices (configured AAA). I only need one group in my AD to access my IOS devices and another group to use VPN access or any other authentications.
  Can anyone tell me how to restrick all other groups in AD to access my network devices except one group in AD which I only want to allow access to my network devices.

  I wanted to do the same thing with the Active Directory where I only wanted on group called "network admin" to have access to my switches. I have 3 ACSs appliances and 100 switches. This is my setup.
  On the ACS Create a "Network Device Group" under NETWORK CONFIGURATION. I called this group "TACACS+ Switches".Once the group is created add all your AAA clients which are your switches.
  (you can accomplish that by first going under INTERFACE CONFIGURATION-click on "Network Device Groups" this will enable the ACS to allow you to create "Network Device Groups" also check the "Group-Level Access Restrictions")
  Then click on GROUP SETUP. edit the 0:default group and disabled that group.Then select a agroup available from the group list and rename the group "Network Admin" and map that group against the AD group named "Network Admin".
  Once that group is correctly mapped.Go back to GROUP SETUP and edit the "Network Admin" group.Within the group you will see an option called "Netwrok Access Restriction (NAR)"
  Click the option DEFINE IP-BASED ACCESS RESTRICTIONS. From The AAA Client drop down menu select the "NDG:TACS+ SWITCHES" for the port enter "*" (asterick) for the address you can specified the the network in whic the switches are residing in my case I used "10.*.*.*" the wild cards will allow any network on the 10. network. then click "enter"
  This is a high level overview on how I did my setup. Remember to properly define your AAA statement under your Cisco IOS switches.
  I hope this help!!

• Please help: WebLogic + BI + SQL Group Authenticator

  Hi all, i have big problem with solution on my company project. I please somebody help me.
  This is my problem:
  I have bifoundation_domain :
  WebLogic Server Version: 10.3.5.0
  EM 11g
  Oracle Business Intelligence 11.1.1.7.0
  with this structure:
  bifoundation_domain
  |- AdminServer
  |- bi_cluster
    |- bi_server1
  So and i need use Weblogic embedded LDAP (DefaultAuthenticator in realms security providers) and i need loading GROUPS from DATABASE. I read and tried a lot of articles, blogs, manuals but
  within positive result.
  My procedure is:
  In WLS console :
  - create jdbc datasource with name "bip_apps_DS"
  - create BI SQL Group provider (with name BIGroupLoader) with this settings
  <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:bisql-group-providerType">
    <sec:name>BIGroupLoader</sec:name>
    <sec:control-flag>OPTIONAL</sec:control-flag>
    <ext:data-source-jndi-name>bip_apps_DS</ext:data-source-jndi-name>
    <ext:sql-list-member-groups>SELECT ROLE_NAME FROM V_SYS_AUTH_ROLES WHERE LOGIN_NAME = ?</ext:sql-list-member-groups>
    <ext:sql-list-groups>SELECT NAME FROM UA_ROLES WHERE NAME LIKE ?</ext:sql-list-groups>
    <ext:sql-group-exists>SELECT NAME FROM UA_ROLES WHERE NAME = ?</ext:sql-group-exists>
    <ext:sql-is-member>SELECT LOGIN_NAME FROM V_SYS_AUTH_ROLES WHERE ROLE_NAME = ? AND LOGIN_NAME = ?</ext:sql-is-member>
    <ext:sql-get-group-description>SELECT DESCRIPTION FROM UA_ROLES WHERE NAME = ?</ext:sql-get-group-description>
  </sec:authentication-provider>
  (my DB schema is correct)
  and i move him on first place in providers list.
  So after these steps in WLS console i see in security realm->groups my groups from DB. Everything is OK.
  Now i need use GROUPS from my database in EM in the context of create BI users roles (maping BI application roles on GROUPS (enterprise roles)).
  So i created a database adapter for the Virtualized Identity Store
  this is it:
  <?xml version = '1.0' encoding = 'UTF-8'?>
  <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">
    <dataBase id="directoryType" version="0">
    <root>%ROOT%</root>
    <active>true</active>
    <serverType>directoryType</serverType>
    <routing>
    <critical>true</critical>
    <priority>50</priority>
    <inclusionFilter/>
    <exclusionFilter/>
    <plugin/>
    <retrieve/>
    <store/>
    <visible>Yes</visible>
    <levels>-1</levels>
    <bind>true</bind>
    <bind-adapters/>
    <views/>
    <dnpattern/>
    </routing>
    <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">
    <plugins>
    <plugin>
    <name>VirtualAttribute</name>
    <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class>
    <initParams>
    <param name="ReplaceAttribute" value="uniqueMember={cn=%uniquemember%,ou=people,ou=myrealm,dc=bifoundation_domain}"/>
    </initParams>
    </plugin>
    </plugins>
    <default>
    <plugin name="VirtualAttribute"/>
    </default>
    <add/>
    <bind/>
    <delete/>
    <get/>
    <modify/>
    <rename/>
    </pluginChains>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <url>%URL%</url>
    <user>%USER%</user>
    <password>%PASSWORD%</password>
    <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>
    <includeInheritedObjectClasses>true</includeInheritedObjectClasses>
    <maxConnections>10</maxConnections>
    <mapping>
    <joins/>
    <objectClass name="groupofuniquenames" rdn="cn">
    <attribute ldap="cn" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
    <attribute ldap="description" table="V_SYS_AUTH_ROLES" field="ROLE_NAME" type=""/>
    <attribute ldap="uniquemember" table="V_SYS_AUTH_ROLES" field="LOGIN_NAME" type=""/>
    </objectClass>
    </mapping>
    <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>
    <connectionWaitTimeout>10</connectionWaitTimeout>
    <oracleNetConnectTimeout>0</oracleNetConnectTimeout>
    <validateConnection>false</validateConnection>
    </dataBase>
  </adapters>
  and run command to register:
  ./libovdadapterconfig.sh -adapterName BIGroupLoader -adapterTemplate bi_sql_groups_adapter_template.xml
  -host localhost -port 7001 -userName weblogic -domainPath /OFM/BI/user_projects/domains/bifoundation_domain
  -dataStore DB -root ou=people,ou=myrealm,dc=bifoundation_domain -contextName default -dataSourceJNDIName bip_apps_DS
  Adapter is creatted successfully within errors!
  I restarted managed server(bi_server1) and AdminServer, all bi commponets etc. BUT WITHOUT RESULT. I still dont see GROUPS in Enterprise manager in
  BI->coreapplication->security->application roles
  I tried set in security setting of webLogic domain in EM virtualize=true.
  This procedure is described on all sites but not funkcionaly for me. Do you know somebody where is mistake? Etc. need i installing OVD server? I dont know. Please helm me. after 10 days i really hopeless :( ..so sorry for my english

  If you are still looking for sol? send me email  [email protected]

• Secondary group authentication

  We have an Open Directory server populated with a couple hundred users and a few dozen groups. Users have primary groups assigned as well as secondary groups. Using WGM's Inspector, I can see the primary group ID number but do not see any of the secondary group IDs.
  We are using the Authen::Simple::LDAP perl module to authenticate users against open directory as they browse protected web pages. This module's filter command allows us to specify uid or gid numbers. The authentication works when we specify the users' primary group but I don't see any part of the user's record listing the secondary groups.
  Is it necessary to specify a new directory attribute, something like "secondary group membership" that would list multiple group IDs? Since use of secondary groups works fine for AFP shares, I don't understand why this would be necessary. If it is necessary, what documentation do you suggest to understand the newly assigned Attributes and Values?
  Thank you!

  Hi Mohammad,
  Does the Cisco VPN Client support double authentication?
  A. No. Double authentication is not supported on the Cisco VPN Client.
  You may find further information about the Cisco VPN client here.
  As you said the Only client that supports double authentication is the Cisco AnyConnect Secure Mobility Client.
  Please proceed to rate and mark as correct this Post!
  Let me know if there are further questions on this!
  David Castro,

• OBIEE 11G authentication integration with EBS 11 - is it possible?

  Hi experts,
  My OBIEE 11.1.1.5 is installed on Linux 64 bit machine.
  I've thoroughly performed all the action listed in the guide, but I'm getting the famous 'You are not logged in' message.
  Has anybody succeeded to enable security integration between OBIEE 11 and EBS 11?
  Thanks in advance,
  Alex

  Hi Deva,
  Thanks for your reply.
  I've heard from some people that there's a bug in OBIEE 11.1.1.5 that prevents integration of OBIEE 11 security with EBS 11.
  I'm trying to find anyone who actually succeeded to get the thing done.
  I used the DeliverBI document as well as the official guide.
  Is there any way to "debug" my settings? How can I know - what's wrong?
  Thanks,
  Alex

• OBIEE Group By

  I have two columns Tracking Name and Tracking Group. Now i need to display
  Column A Column B Column C Column D
  ABC Original Root Error
  Now , column B = case when Tracking Group = ' Original' then Tracking Name else '' end .Similarly column C = case when Tracking Group = ' Root then Tracking Name else '' end and column D = case when Tracking Group = 'Error' then Tracking Name else '' end.
  Now in my report i am getting
  ABC Original
  Rooot
  Error
  How to solve this

  Hu Saichand,
  Yes i am applying count on the INSTANCE_ID column in the fact column.
  I am joining with JOB_ID.
  The SQL is not passing the GROUP BY when i see in the Advance Tab see below:
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 14026] Unable to navigate requested expression: COUNT OF JOBS RAN:[DAggr(FACT_S_NQ_INSTANCE.COUNT OF JOBS RAN by [ FACT_S_NQ_INSTANCE.JOB_ID] SB FACT_S_NQ_INSTANCE)]. Please fix the metadata consistency warnings. (HY000)
  SQL Issued: SELECT FACT_S_NQ_INSTANCE."COUNT OF JOBS RAN" saw_0, FACT_S_NQ_INSTANCE.JOB_ID saw_1 FROM "POC SCH Final" ORDER BY saw_1
  There must be something which will pass the GROUP BY clause on the JOB_ID, i thought setting the content level will do the trick but there is change in the error mesaage with or without the content tab setting.
  Rgds,
  Amit
  Edited by: amitsharma73 on Sep 22, 2010 10:27 PM