OBIEE11g - Creating Application roles in Batch

Hi,
Has anyone created Application roles in batch, i.e. using some scripts? We need to add around 400+ Application roles and add some membership among them.
If someone can share an existing script that we can use, please do.
Regards,
Krish
Edited by: Krish on Dec 6, 2011 10:41 AM

Hi Krish,
I haven't done it myself (yet), but you should have a look at WebLogic Scripting (WLST) and the following command: createAppRole
Good Luck,
Daan Bakboord
http://obibb.wordpress.com
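
One way to script the batch approach suggested above, as an added example that is not from the thread: a Python generator that validates a role list and emits WLST `createAppRole` and `grantAppRole` calls. The `obi` stripe is the one named elsewhere on this page; the role names, the CSV layout, the naming policy and all helper names are assumptions.

```python
import csv
import io
import re

APP_STRIPE = "obi"  # OBIEE application stripe, as named on this page
# Principal class used when the member of a role is itself an application role.
APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"
# Assumed naming policy; it also keeps quotes and newlines out of the generated code.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,127}$")

# Constructed sample input: one role per row, optionally a role it is a member of.
SAMPLE_CSV = """role,member_of
SalesViewer,AllViewers
SalesAuthor,SalesViewer
AllViewers,
"""


def load_roles(text):
    """Parse the CSV into (roles, grants); grants are (parent, member) pairs."""
    roles, grants = [], []
    for row in csv.DictReader(io.StringIO(text)):
        role = (row.get("role") or "").strip()
        parent = (row.get("member_of") or "").strip()
        for name in (role, parent) if parent else (role,):
            if not NAME_RE.match(name):
                raise ValueError("rejected role name: %r" % name)
        if role not in roles:
            roles.append(role)
        if parent:
            grants.append((parent, role))
    return roles, grants


def validate(roles, grants, existing=()):
    """Reject grants to unknown roles and membership cycles before anything is run."""
    known = set(roles) | set(existing)  # 'existing' = roles already in the policy store
    parents = {}
    for parent, member in grants:
        if parent not in known:
            raise ValueError("membership refers to undefined role: %r" % parent)
        parents.setdefault(member, set()).add(parent)
    done = set()

    def visit(node, trail):
        # Depth-first walk from a member up through the roles it belongs to.
        if node in done:
            return
        if node in trail:
            loop = trail[trail.index(node):] + [node]
            raise ValueError("membership cycle: " + " -> ".join(loop))
        for parent in sorted(parents.get(node, ())):
            visit(parent, trail + [node])
        done.add(node)

    for role in roles:
        visit(role, [])


def emit_wlst(roles, grants, stripe=APP_STRIPE):
    """Return WLST (Jython) source with one call per role and per membership."""
    lines = ["# Generated. Run from a WLST session already connected to the Admin Server."]
    for role in roles:
        lines.append("createAppRole(appStripe=%r, appRoleName=%r)" % (stripe, role))
    for parent, member in grants:
        lines.append(
            "grantAppRole(appStripe=%r, appRoleName=%r, principalClass=%r, principalName=%r)"
            % (stripe, parent, APP_ROLE_CLASS, member))
    return "\n".join(lines) + "\n"


def build_script(text, existing=()):
    """Validate the role list and return the WLST script, or raise ValueError."""
    roles, grants = load_roles(text)
    validate(roles, grants, existing)
    return emit_wlst(roles, grants)


def lint(text, existing=()):
    """Return the validation error for a role list, or None if it is clean."""
    try:
        build_script(text, existing)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_script(SAMPLE_CSV))
```

The generated file holds no credentials; review it and keep it with the change record so the 400+ role grants can be audited later.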

Similar Messages

  • Can't create Application Role in Obiee 11g Enterprise Manager

    Hi All,
    I was working on the OBIEE 11g Enterprise Manager. I created some groups in the WebLogic console. Now I want to create application roles in Enterprise Manager for those groups. I am surprised that the "*Create*" button is inactive on the application role page of Enterprise Manager. The only active ones I can see are "*Create Like*", "*Edit*" and "*Delete*".
    Please advise whether I need any additional configuration for this. Urgent!!
    Thank you in advance,
    BK.

    Click on Create Like button
    Then click cancel on the Create Like dialog box
    Go back to the Create button, it now works
    But if you log out and log back in, the Create button is disabled again
    so you may have to repeat the above process of accessing the 'Create Like' button first to enable the Create button
    < Bug:13983399> CREATE BUTTON IS DISABLED IN FUSION MIDDLEWARE CONTROL IN OBIEE 11.1.1.6.0 ENV
    Please mark helpful or correct if answered.
    Thanks,
    - A.Y

  • Re How to create applications roles

    hi all
    can anyone guide me about application roles: how to create them in the database and how to assign them?
    thanks in advance
    sarah
    Edited by: SarahSarahSarah on Sep 4, 2009 4:54 AM

    hi all
    i created the application roles like this
    SQL> connect sys/sara as sysdba;
    Connected.
    SQL> create role applicationrole;
    Role created.
    SQL> connect sarah/sara@orcl
    Connected.
    SQL> grant select,insert on ins1 to applicationrole;
    Grant succeeded.
    Please guide me: am I doing this right or wrong? And how do I now assign this role?
    sarah

  • Applications Roles in FMW (Enterprise Manager) OBIEE11g

    Hi,
    Please specify how to migrate newly created Application roles from Test to production in Enterprise Manager (FMW).
    Regards
    Rahul

    Good question. In the documentation it's with the hand.
    See: http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10540/lifecycle.htm
    Application Role (Policy Store) Migration
    There are several options for migrating application roles between development, test, and production systems.
    For simplicity, this document assumes you will re-key a small number of application role names by hand.
    Links to additional content on migrating application roles for larger-scale batch cases are provided later in this appendix.
    And of course, no appendix ...
    Cheers
    Nico

  • Migrate Application Role from uat to prod in 11.1.1.6.10

    Hi All,
    We have to migrate the UAT Application Roles to the Prod instance. I followed the Rittman Mead policy store migration. The servers are on Linux.
    http://www.rittmanmead.com/2011/04/oracle-bi-ee-11g-migrating-security-policy-store-part-2/
    But at the migrateSecurityStore step, I am facing an issue with the WLST script, which throws the error below.
    I am getting the error below:
    wls:/offline> migrateSecurityStore(type="appPolicies",srcApp="obi",configFile="/usr/app/MW/SecurityMigration/jps-config-policy.xml",src="sourceFileStore",dst="targetFileStore",overWrite="false")
    Oct 17, 2013 11:41:27 AM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
    SEVERE: org.xml.sax.SAXParseException: The XML declaration must end with "?>".
    Command FAILED, Reason: The XML declaration must end with "?>".
    Traceback (innermost last):
      File "<console>", line 1, in ?
      File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 955, in migrateSecurityStore
      File "/usr/app/MW/oracle_common/common/wlst/jpsWlstCmd.py", line 927, in migrateSecurityStoreImpl
            at oracle.security.jps.internal.tools.utility.source.JpsInitializerSource.getSources(JpsInitializerSource.java:155)
            at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtilty.java:62)
            at oracle.security.jps.internal.tools.utility.JpsUtilMigrationPolicyImpl.migrateAppPolicyData(JpsUtilMigrationPolicyImpl.java:151)
            at oracle.security.jps.tools.utility.JpsUtilMigrationTool.executeCommand(JpsUtilMigrationTool.java:231)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
    oracle.security.jps.JpsException: oracle.security.jps.JpsException: The XML declaration must end with "?>".
    This is the config.xml file:
    <?xml version='1.0' encoding='utf-8'? standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
       <property name="oracle.security.jps.jaas.mode" value="Off"/>
       <propertySets>
    <propertySet name="sam1.trusted.issuers.1">
    <property name="name" value="www.oracle.com" />
    </propertySet>
    </propertySets>
       <serviceProviders>
          <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
             <description>XML-based PolicyStore Provider</description>
          </serviceProvider>
       </serviceProviders>
       <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/uat/system-jazn-data.xml">           
      <description>File Based Policy Store Service Instance</description>       
      </serviceInstance>
      <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="/usr/app/MW/SecurityMigration/prod/system-jazn-data.xml">           
    <description>File Based Policy Store Service Instance</description>       
    </serviceInstance>
       </serviceInstances>
        <jpsContexts default="default">       
    <!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context -->       
    <jpsContext name="sourceFileStore">           
    <serviceInstanceRef ref="srcpolicystore.xml"/>       
    </jpsContext> <jpsContext name="targetFileStore">           
    <serviceInstanceRef ref="policystore.xml"/>     
    </jpsContext>   
    </jpsContexts>
    </jpsConfig>
    Please let me know if I need to provide further inputs. Appreciate your help.

    make sure you are running the wlst.sh from this path /MWHOME/Oracle_BI1/common/bin/wlst.sh
    you can take a look at this too Migrating Security Policies from Development to Standalone WLS 11g
    http://ssssupport.blogspot.com/2013/02/obiee-11g-application-role-migration.html
    Obiee11g: Migrating application role from DEV to Prod server in obiee11g
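
A pre-flight check for the jps-config file used by `migrateSecurityStore`, as an added example that is not part of the thread. The posted declaration has a stray `?` after `encoding='utf-8'`, which matches the reported error, and the posted file also closes `</serviceInstances>` without opening it; the shortened config, its placeholder paths and the function names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd}"

# The declaration as posted (stray '?' after the encoding) and its well-formed form.
DECL_POSTED = "<?xml version='1.0' encoding='utf-8'? standalone='yes'?>"
DECL_FIXED = "<?xml version='1.0' encoding='utf-8' standalone='yes'?>"

# Constructed, shortened config laid out like the posted file; paths are placeholders.
# {open_instances} marks where the posted file lacks its <serviceInstances> opening tag.
BODY = """
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider"
        class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider"/>
  </serviceProviders>
  {open_instances}
    <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider"
        location="/path/to/uat/system-jazn-data.xml"/>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider"
        location="/path/to/prod/system-jazn-data.xml"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="sourceFileStore"><serviceInstanceRef ref="srcpolicystore.xml"/></jpsContext>
    <jpsContext name="targetFileStore"><serviceInstanceRef ref="policystore.xml"/></jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def make_config(decl, with_opener):
    """Assemble the sample config with or without the two defects seen in the post."""
    opener = "<serviceInstances>" if with_opener else ""
    return decl + BODY.format(open_instances=opener)


def preflight(xml_text, src, dst):
    """Return problems that would stop a file-to-file migration; [] means none found."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # The parser stops at the first error, so fix it and run the check again.
        return ["not well-formed XML: %s" % exc]
    providers = {p.get("name") for p in root.iter(NS + "serviceProvider")}
    instances = {i.get("name"): i for i in root.iter(NS + "serviceInstance")}
    contexts = {c.get("name"): [r.get("ref") for r in c.iter(NS + "serviceInstanceRef")]
                for c in root.iter(NS + "jpsContext")}
    problems, locations = [], {}
    for label, ctx in (("src", src), ("dst", dst)):
        if ctx not in contexts:
            problems.append("%s context %r is not defined" % (label, ctx))
            continue
        for ref in contexts[ctx]:
            inst = instances.get(ref)
            if inst is None:
                problems.append("context %r references missing serviceInstance %r" % (ctx, ref))
            elif inst.get("provider") not in providers:
                problems.append("serviceInstance %r uses undefined provider %r"
                                % (ref, inst.get("provider")))
            elif not inst.get("location"):
                # File-based stores, as in the post, need a location attribute.
                problems.append("serviceInstance %r has no location" % ref)
            else:
                locations[label] = inst.get("location")
    if len(locations) == 2 and locations["src"] == locations["dst"]:
        problems.append("src and dst point at the same policy store file")
    return problems


if __name__ == "__main__":
    for decl, opener in ((DECL_POSTED, False), (DECL_FIXED, False), (DECL_FIXED, True)):
        print(preflight(make_config(decl, opener), "sourceFileStore", "targetFileStore"))
```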

  • Application role

    I create application roles and assign them to an enterprise role at jazn-data.xml in jdeveloper.
    However, after deployment I cannot find these application roles. But I can find the enterprise role.

    Thanks for your reply. I can see application roles in EM.
    I have 2 adf applications. Application A has application role A and B. Application B has application role C and D.
    How do I set the security in JDeveloper, the WebLogic admin console or EM so that:
    users in application role A and B can only login to Application A.
    users in application role C and D can only login to Application B.
    I deploy the sample application of 048. XML Menu Model site menus protected with ADF Security and JAAS of Oracle ADF Code Corner. However, in the EM, I cannot see application roles.

  • Migrate one application role between two systems (keeping guid)

    Hi
    I know there are ways to migrate the whole policy-store from one environment to another. On the other hand there is a tool to create application roles via command line.
    I have only a set of application roles which I want to move to another environment. The guid should stay identical so that the application roles get automatically applied on the copied catalog.
    Does anybody know if that is also possible? I need to keep the guid but don't want to migrate the whole policy store.
    Thank you

    user12068228 wrote:
    Hi
    I know there are ways to migrate the whole policy-store from one environment to another. On the other hand there is a tool to create application roles via command line.

    Yes, you can create application roles via WLST. Below are the commands:
    connect("Enter Weblogic's Username Here","Enter Password Here","Hostname:PortNumber")
    createAppRole("Enter Applicationstripe Here","Enter Role Name here")
    P.S: The Application stripe name is obi for the OBIEE set of roles.

    I have only a set of application roles which I want to move to another environment. The guid should stay identical so that the application roles get automatically applied on the copied catalog.

    If I am not wrong, although the GUIDs can be different after the migration of the application roles between environments, the permissions still stay the same, and I believe the GUIDs are system dependent and might be different across two instances. Correct me if I am wrong here.

    Does anybody know if that is also possible? I need to keep the guid but don't want to migrate the whole policy store.
    Thank you

  • Creating a Role view in a workflow

    I'm trying to create a role view in my workflow with the following code but it gives me an error: com.waveset.util.InternalError: Unable to locate ViewHandler for 'role'.
    <Action application='com.waveset.session.WorkflowServices'>
                <Argument name='op' value='createView'/>
                <Argument name='type' value='Role'/>
                <Return from='view' to='view'/>
              </Action>
    Has anyone created a role from a workflow, Java or SPML?

    nvm figured it out.
    <Action id='0' application='com.waveset.session.WorkflowServices'>
              <Argument name='op' value='createView'/>
              <Argument name='type' value='Role'/>
              <Argument name='viewId' value='Role'/>
              <Argument name='Form' value='Empty Form'/>
              <Argument name='authorized' value='true'/>
              <Return from='view' to='role'/>
            </Action>       

  • Is it possible to create a role with PERM_READER_EXTENSIONS_WEB_APPLICATIONS without Service Invoke?

    I need to restrict user access to Workspace processes.  Using the adminui, service management, I gave my test group INVOKE_PERM permissions to this service.  This works well.  The users of the test group can only see this process.  However, for these users the SOAP calls do not work.  I am using a reader extended form and I am getting the error below.  If I add the Reader Extension Web Application role, the SOAP calls work, but the users of the test group can see all other processes.  I created a role and gave it PERM_READER_EXTENSIONS_WEB_APPLICATIONS, Service Read, INVOKE_PERM and other combinations.  This role only works if I add Service Invoke, and this gives users access to all processes.  How can I get a role to provide the Reader Extension without using Service Invoke?
    An error has occurred. See error log for more details.
    User TORRES, ALEJANDRO G does not have the Service Invoke Permission on Service ReaderExtensionsService.

    I found the answer to my question.  I had to give INVOKE permission to all the services used by the process.

  • OBIEE 11g issue - same user assigned to the multiple application role

    Hi All,
    We are facing an issue when assigning a user to multiple application roles and applying the data-level filter on different columns of the same table.
    For example, we have a table Department with three columns Department No, Department name, Department location.
    Application Role A1 and A2 are created.
    Data Level security Applied on the application role A1: Department Name='Finance'
    Data Level Security Applied on the application role A2: Department location='US'
    The user "User1" is created in LDAP and is assigned to both the Application roles A1 and A2.
    When logged in with "User1", none of the filters of Role A1 or A2 is applied in the report. If this user is assigned to only one role, either A1 or A2, then the filter is applied. It seems the filter will not be applied if a user belongs to multiple roles with data filter applied on the same table across these roles.
    Please reply if anyone has faced similar issue.

    Hi All,
    Regarding the above issue, to update: our analysis found that if the user is assigned to multiple groups with the data filter applied on the same column of the table, the filters get an *"OR"* join.
    We had a requirement to get an "AND" in the query condition. Please let us know if anyone has faced this issue and how it was resolved.
    Regards,
    Jyotshna

  • Qualifications not shown in all e-rec application / role

    Hi,
    we have created qualifications and they are shown/ accessible in some e-rec application roles, but not all.
    So, I don't think the problem is to activate any feature.
    The roles where qualifications are not shown are: Employee (Internal) and Internal Recruiter.
    Does anyone have experience with the same type of issue, or have any documentation available?
    Thank you!
    Kind regards,
    Hilde Bakkemyr

    The "New entry" button is also missing from Qualifications, but not from "work experience", "education" etc. Can this be a web service issue? If so, does anyone know what transaction and settings must be made?
    regards,
    hilde

  • LDAP user to application role mapping

    Hi All,
    OBIEE 11.1.1.5
    I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
    Can someone guide me on how to make sure that when a user logs in to OBIEE, the role is automatically fetched from the table and mapped to the application role created?
    Or, in simple words,
    How can I assign an external LDAP user to be mapped to an application role? One by one? Or via the table as mentioned above?
    Can anyone help? None of the documents gives me this simple picture.
    It was easy in 10g. Is it rocket science in 11g, so that my company may lose hope of going ahead with 11g?

    Hi,
    1. Create a block to initialize the USER variable with the user name from LDAP
    2. Create a block to initialize the GROUP variable with the role name from the external table
    3. In the initialization block for the GROUP variable, add precedence with the USER init block to make sure that the USER variable has a value
    4. If one user can have several roles, you should check the row-wise initialization option
    Hope it's helpful

  • Modify Script to Create User Role on Single Database.

    Hi All,
    Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
    Can anyone help me to modify the script? 
    --===================================================================================
    -- Description
    -- Database Type: MSSQL
    -- This script creates a role called 'gdmmonitor' for ALL databases.
    -- It grants some system catalogs to this role to allow Classification and Assessment on the database.
    -- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
    -- before running this script
    --  you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
    --  This sqlguard login doesn't need to be added to any database or given
    --  any privilege.  The script will take care of that.
    --  Note:
    --   If you wish to use a different login name (instead of 'sqlguard') you need to change
    --   the value of the variable '@Guardium_user' in the script below; 
    --   (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
    -- after running this script
    -- Nothing to do, the script already creates the db user
    -- User/Password to use
    -- User: sqlguard (or any other name, if changed)
    -- Pass: user defined
    -- Role: gdmmonitor
    --===================================================================================
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Creating role: "gdmmonitor" at the server level.'
    PRINT '>>>==================================================================>>>'
    -- Change to the master database
    USE master
    -- *** If a different login name is desired, define it here. ***
    DECLARE @Guardium_user AS varchar(50)
    set @Guardium_user = 'sqlguard'
    DECLARE @dbName AS varchar(256)
    DECLARE @memberName AS varchar(256)
    DECLARE @dbVer AS nvarchar(128)
    SET     @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
    SET     @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
    IF (@dbVer = '8') SET @dbVer = '2000'
    ELSE IF (@dbVer = '9')  SET @dbVer = '2005'
    ELSE IF (@dbVer = '10')  SET @dbVer = '2008'
    ELSE IF (@dbVer = '11')  SET @dbVer = '2012'
    ELSE SET @dbVer = '''Unsupported Version'''
    IF (@dbVer != '2000')
    BEGIN
      -- This privilege is required to perform a specific MSSQL test.
      -- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key) 
      -- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop 
      -- Purpose: To display provider property, not changing anything.
      PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
      EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
    END
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if they exist
    CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the role gdmmonitor on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.spt_values     TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysconfigures  TO gdmmonitor
    GRANT SELECT ON dbo.sysdatabases   TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syslogins      TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    -- Grant execute privileges to the role for MSSql Common
    PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
    GRANT EXECUTE ON sp_helpdbfixedrole    TO gdmmonitor
    GRANT EXECUTE ON sp_helprotect         TO gdmmonitor
    GRANT EXECUTE ON sp_helprolemember     TO gdmmonitor
    GRANT EXECUTE ON sp_helpsrvrolemember  TO gdmmonitor
    GRANT EXECUTE ON sp_tables             TO gdmmonitor
    GRANT EXECUTE ON sp_validatelogins     TO gdmmonitor
    GRANT EXECUTE ON sp_server_info       TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects           TO gdmmonitor
      GRANT SELECT ON sys.database_permissions  TO gdmmonitor
      GRANT SELECT ON sys.database_principals   TO gdmmonitor
      GRANT SELECT ON sys.sql_logins            TO gdmmonitor
      GRANT SELECT ON sys.sysfiles              TO gdmmonitor
      GRANT SELECT ON sys.database_role_members TO gdmmonitor 
      GRANT SELECT ON sys.server_role_members   TO gdmmonitor 
      GRANT SELECT ON sys.configurations        TO gdmmonitor
      GRANT SELECT ON sys.master_key_passwords  TO gdmmonitor
      GRANT SELECT ON sys.server_principals     TO gdmmonitor
      GRANT SELECT ON sys.server_permissions    TO gdmmonitor
      GRANT SELECT ON sys.credentials           TO gdmmonitor
      --This is called by master.dbo.sp_MSset_oledb_prop.  
      --By default it should have already been granted to public.
      GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
      GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR 
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- END of role creation on database
    PRINT '==> END of role creation on: ' + @dbName
    PRINT ''
    -- Change to the msdb database
    USE msdb
    set @memberName = ''
    SELECT  @dbName = DB_NAME()
    PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
    -- find any members of the role if it exists
    TRUNCATE TABLE #rolemember
    INSERT INTO #rolemember
    SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
    WHERE usr.uid = mbr.memberuid
    AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    --  Drop the Role Members If they exist
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
       BEGIN
        PRINT '==> Dropping member: ''' + @memberName + ''''
        exec('EXEC sp_droprolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
        FETCH DropCursor INTO @memberName
       END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the role if it exists
    IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
    BEGIN
      PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
      exec sp_droprole 'gdmmonitor'
    END
    -- Create the role
    PRINT '==> Creating the gdmmonitor role on: ' + @dbName
    exec sp_addrole 'gdmmonitor'
    -- Grant select privileges to the role for MSSql Common
    PRINT '==> Granting common SELECT privileges on: ' + @dbName
    GRANT SELECT ON dbo.sysobjects     TO gdmmonitor
    GRANT SELECT ON dbo.sysusers       TO gdmmonitor
    GRANT SELECT ON dbo.sysprotects    TO gdmmonitor
    GRANT SELECT ON dbo.sysmembers     TO gdmmonitor
    GRANT SELECT ON dbo.sysfiles       TO gdmmonitor
    GRANT SELECT ON dbo.syspermissions TO gdmmonitor
    GRANT SELECT ON dbo.backupset   TO gdmmonitor
    -- Check if the version is 2005 or greater
    IF (@dbVer != '2000')
    BEGIN
      -- Grant select privileges to the role for MSSql 2005 and above
      PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
      GRANT SELECT ON sys.all_objects TO gdmmonitor
      GRANT SELECT ON sys.database_permissions TO gdmmonitor
      GRANT SELECT ON sys.database_principals TO gdmmonitor
      GRANT SELECT ON sys.sysfiles TO gdmmonitor
      -- Grant execute privileges to the role for MSSql 2005 or above
      PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
      GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
      GRANT SELECT ON sys.database_role_members  TO gdmmonitor
    END
    IF (@dbVer > '2000' and @dbVer < '2012') 
    --This sp is not available in SQL 2012
    BEGIN
      GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
    END
    -- Re-add the dropped members
    IF EXISTS (SELECT 1 FROM #rolemember)
    BEGIN
      PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
      DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
      OPEN DropCursor
      FETCH DropCursor INTO @memberName
      WHILE @@Fetch_Status = 0
        BEGIN
         PRINT '==> Re-adding member: ''' + @memberName + ''''
         exec('EXEC sp_addrolemember ''gdmmonitor'', ''' + @memberName + ''' ;')
         FETCH DropCursor INTO @memberName
        END
      CLOSE DropCursor
      DEALLOCATE DropCursor
    END
    -- drop the temporary table
    DROP TABLE #rolemember
    -- END of role creation on database
    PRINT '==> END of gdmmonitor role creation on: ' + @dbName
    -- Role creation complete
    PRINT '<<<==================================================================<<<'
    PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
    PRINT '<<<==================================================================<<<'
    PRINT ''
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Starting application database role creation'
    PRINT '>>>==================================================================>>>'
    use master
    DECLARE @databaseName AS varchar(80)
    DECLARE @executeString AS varchar(7950)
    DECLARE @dbcounter as int   
    set @dbcounter = 0
    DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
    and not (status & 1024 > 1)
    --read only
    and not (status & 4096 > 1)
    --single user
    and not (status & 512 > 1)
    --offline
    and not (status & 32 > 1)
    --loading
    and not (status & 64 > 1)
    --pre recovery
    and not (status & 128 > 1)
    --recovering
    and not (status & 256 > 1)
    --not recovered
    and not (status & 32768 > 1)
    --emergency mode
    OPEN DatabaseCursor
    FETCH DatabaseCursor INTO @databaseName
    WHILE @@Fetch_Status = 0
    BEGIN
    set @dbcounter = @dbcounter + 1     
    set @databaseName = '"' + @databaseName + '"'  
    set @executeString = ''
    set @executeString = 'use ' + @databaseName + ' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
             'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
             'PRINT ''>>>==================================================================>>>'' ' +
           '/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
           'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
           '/*find any members of the role if it exists*/ ' +
             'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
             'INSERT INTO #rolemember ' +
             'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
             'WHERE usr.uid = mbr.memberuid ' +
             'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             '/*Drop the Role Members If they exist*/ ' +
             'IF EXISTS (SELECT * FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                 'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'exec(''EXEC sp_droprolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                 'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/*drop the role if it exists*/ ' +
             'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
             'BEGIN ' +
               'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
               'exec sp_droprole ''gdmmonitor'' ' +
             'END ' +
             '/* Create the role */ ' +
             'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
             'exec sp_addrole ''gdmmonitor'' ' +
             '/* Grant select privileges to the role for MSSql Common */ ' +
             'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
             'GRANT SELECT ON dbo.sysmembers     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysobjects     TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysprotects    TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysusers       TO gdmmonitor ' +
             'GRANT SELECT ON dbo.sysfiles       TO gdmmonitor ' +
                   'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
             '/* Check if the version is 2005 or greater */ ' +
             'IF (' + @dbVer + ' != ''2000'') ' +
             'BEGIN ' +
               '/* Grant select privileges to the role for MSSql 2005 and above */ ' +
               'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
               'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
               'GRANT SELECT ON sys.all_objects          TO gdmmonitor ' +
               'GRANT SELECT ON sys.database_principals  TO gdmmonitor ' +
               'GRANT SELECT ON sys.sysfiles      TO gdmmonitor ' +          
               'GRANT SELECT ON sys.database_role_members  TO gdmmonitor ' +           
             'END ' +
             '/* Re-add the dropped members */ ' +
             'IF EXISTS (SELECT 1 FROM #rolemember) ' +
             'BEGIN ' +
               'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
               'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
               'OPEN DropCursor ' +
               'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
               'WHILE @@Fetch_Status = 0 ' +
                 'BEGIN ' +
                   'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                   'exec(''EXEC sp_addrolemember ''''gdmmonitor'''', '''''' + @memberName' + cast(@dbcounter as varchar(5))  + ' + '''''';'') ' +
                   'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
                 'END ' +
               'CLOSE DropCursor ' +
               'DEALLOCATE DropCursor ' +
             'END ' +
             '/* drop the temporary table */ ' +
             'DROP TABLE #rolemember ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
             'PRINT ''<<<==================================================================<<<'' ' +
             'PRINT '' ''' +
             'PRINT '' '''
    execute (@executeString)
    FETCH DatabaseCursor INTO @databaseName
    END
    CLOSE DatabaseCursor
    DEALLOCATE DatabaseCursor
    --  Adding user to all the databases
    --  and grant gdmmonitor role, only if login exists.
    PRINT '>>>==================================================================>>>'
    PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
    PRINT '>>> on all databases.'
    PRINT '>>>==================================================================>>>'
    USE master
    /* Check whether the @Guardium_user login exists; if not, do nothing. */
    IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
    BEGIN
      PRINT ''
      PRINT '************************************************************************'
      PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
      PRINT '***        Please add the login and re-run this script.'
      PRINT '************************************************************************'
      PRINT ''
    END
    ELSE
    BEGIN
      DECLARE @counter AS smallint
      set @counter = 0
      --  This loop runs 4 times just to make sure that the @Guardium_user gets added to all dbs.
      --  99% of the time, this is totally unnecessary.  But in some rare cases on SQL 2005
      --  the loop skips some databases when it tries to add the @Guardium_user.
      --  After two to three executions, the user is added in all the dbs.
      --  Might be a SQL Server bug.
      WHILE @counter <= 3
      BEGIN
      set @counter = @counter + 1
        set @databaseName = ''
        set @executeString = ''
        DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
        where not (status & 1024 > 1)   -- read only
        and not (status & 4096 > 1)     -- single user
        and not (status & 512 > 1)      -- offline
        and not (status & 32 > 1)       -- loading
        and not (status & 64 > 1)       -- pre recovery
        and not (status & 128 > 1)      -- recovering
        and not (status & 256 > 1)      -- not recovered
        and not (status & 32768 > 1)    -- emergency mode
        OPEN DatabaseCursor
        FETCH DatabaseCursor INTO @databaseName
        WHILE @@Fetch_Status = 0
        BEGIN
        set @databaseName = '"' + @databaseName + '"' 
        set @executeString = ''
        set @executeString = 'use ' + @databaseName + ' ' +
                 '/*Check if the login already has access to this database */ ' +
                 'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                  '/*Check if login already have gdmmonitor role*/ ' +
                  'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
                'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
                'AND usr.name = ''' + @Guardium_user + ''') ' +
                  'BEGIN ' +
                  'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
                  'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                  'PRINT '' ''' +
                  'END ' +
                 'END ' +
                 'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
                 'BEGIN ' +
                 'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
                 'execute sp_adduser [' + @Guardium_user + '] ' +
                 'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database '  + @databaseName + ''' ' +
                 'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
                 'PRINT '' ''' +
                 'END '
        execute (@executeString)
        FETCH DatabaseCursor INTO @databaseName
        END
        CLOSE DatabaseCursor
        DEALLOCATE DatabaseCursor
      END   -- end while
      -- Required for Version 2005 or greater.
      IF (@dbVer != '2000')
      BEGIN
        -- Grant system privileges to the @guardium_user.  This is a requirement for >= SQL 2005
        -- or else some system catalogs will filter our result from assessment test.
        -- This will show up in sys.server_permissions view.
        PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
        execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
        execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
      END
      PRINT '<<<==================================================================<<<'
      PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
      PRINT '<<< on all databases.'
      PRINT '<<<==================================================================<<<'
      PRINT ''
    END
    GO
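The loop above splices the database name and `@Guardium_user` into each batch with hand-written `"..."` and `[...]` delimiters. An added example (not part of the posted script) of the same per-database step using `QUOTENAME` and a parameterized `sp_executesql` call, so that a name containing `]`, `"` or `'` is always treated as one identifier or value. The login name `sqlguard` is a placeholder, and the example assumes the login and the `gdmmonitor` role already exist.

```sql
-- Added example, not part of the posted script.
-- Assumptions: 'sqlguard' is a placeholder login that already exists, and the
-- gdmmonitor role was created in every database by the earlier part of the script.
DECLARE @Guardium_user sysname, @databaseName sysname, @sql nvarchar(4000)
SET @Guardium_user = N'sqlguard'

-- Same status filter as the posted script, written as one bit mask:
-- loading, pre recovery, recovering, not recovered, offline,
-- read only, single user, emergency mode.
DECLARE DatabaseCursor CURSOR LOCAL FAST_FORWARD FOR
  SELECT name FROM sysdatabases
  WHERE status & (32 | 64 | 128 | 256 | 512 | 1024 | 4096 | 32768) = 0

OPEN DatabaseCursor
FETCH NEXT FROM DatabaseCursor INTO @databaseName
WHILE @@FETCH_STATUS = 0
BEGIN
  -- QUOTENAME wraps the name in [ ] and doubles any ] inside it, so the
  -- USE target is always parsed as a single identifier.
  SET @sql = N'USE ' + QUOTENAME(@databaseName) + N'; ' +
    N'IF NOT EXISTS (SELECT 1 FROM sysusers WHERE name = @u AND islogin = 1) ' +
    N'  EXEC sp_adduser @u; ' +
    N'IF NOT EXISTS (SELECT 1 FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
    N'               WHERE usr.uid = mbr.memberuid ' +
    N'               AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = N''gdmmonitor'') ' +
    N'               AND usr.name = @u) ' +
    N'  EXEC sp_addrolemember N''gdmmonitor'', @u;'

  -- The login name is passed as a parameter; it is never concatenated
  -- into the batch text.
  EXEC sp_executesql @sql, N'@u sysname', @u = @Guardium_user

  FETCH NEXT FROM DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
```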

    Thanks a lot Sir... it worked.
    Can you also help me in troubleshooting the issue below?
    This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
    The SA account with the highest privileges is being used for script execution. The errors received are as follows:
    >>>==================================================================>>>
    >>> Creating role: "gdmmonitor" at the server level.
    >>>==================================================================>>>
    ==> Granting MSSSQL 2005 and above setupadmin server role
    ==> Starting MSSql 2005 role creation on database: master
    (0 row(s) affected)
    ==> Dropping the gdmmonitor role members on: master
    ==> Creating the role gdmmonitor on: master
    Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
    The procedure 'sys.sp_addrole' cannot be executed within a transaction.
    ==> Granting common SELECT privileges on: master
    Msg 15151, Level 16, State 1, Line 117
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 118
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 119
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 120
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 121
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 122
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 123
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 124
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 125
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 126
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    ==> Granting common EXECUTE privileges on: master
    Msg 15151, Level 16, State 1, Line 130
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 131
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 132
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 133
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 134
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 135
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
    Msg 15151, Level 16, State 1, Line 136
    Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
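Msg 15002 in the output above means `sp_addrole` was called while the session had an open transaction; the Msg 15151 errors that follow are a consequence, because the role was never created. An added diagnostic (not part of the original post or script) for locating that transaction on the failing SQL Server 2005 instance. That implicit transactions are the source is an assumption to confirm, not something the thread establishes.

```sql
-- Added diagnostic, not part of the posted script.
-- Run it over the same connection and client settings used for the script.

-- 1. Transactions currently open in this session. sp_addrole needs 0.
SELECT @@TRANCOUNT AS open_transactions

-- 2. Is IMPLICIT_TRANSACTIONS on for this session? (bit value 2 of @@OPTIONS)
SELECT CASE WHEN @@OPTIONS & 2 = 2 THEN 'ON' ELSE 'OFF' END
       AS implicit_transactions_session

-- 3. Is it set as the server-wide default for new connections?
--    ('user options' uses the same bit values as @@OPTIONS.)
SELECT CASE WHEN CAST(value_in_use AS int) & 2 = 2 THEN 'ON' ELSE 'OFF' END
       AS implicit_transactions_server_default
FROM sys.configurations
WHERE name = 'user options'

-- 4. Report what has to be cleared before the role script is re-run.
IF @@TRANCOUNT > 0
  PRINT '*** A transaction is open: COMMIT or ROLLBACK it before re-running.'
IF @@OPTIONS & 2 = 2
  PRINT '*** Run SET IMPLICIT_TRANSACTIONS OFF in this session before re-running.'
IF @@TRANCOUNT = 0 AND @@OPTIONS & 2 = 0
  PRINT '==> Session is clean; check the client tool for an explicit BEGIN TRAN wrapper.'
```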

  • Webcenter Application Roles not getting imported in UCM on Migration

    Hi All,
    I migrated the webcenter resources (Service Data, Customizations and security policies) and UCM content (Using configuration utility, Archiver and Folder Archive components). After migration I am able to see the application roles in the destination webcenter spaces instance by navigating to Webcenter Spaces -> Security -> Application Roles, but I am not able to see the corresponding accounts created in the UCM for that particular user.
    For example: I have an application role: s1a472022_f8bb_48e1_a519_15841780df72#-#Moderator in Webcenter Spaces for user ABC
    In UCM I am not able to see the account AUTHEN/s1a472022f8bb48e1a51915841780df72 for the user ABC.
    I verified in the source UCM instance and I am able to see the accounts in that instance.
    Please help me out. Let me know if extra details are required.
    Thanks,
    Sachin

    Hi Srinath,
    Yes, I have migrated data from UCM1 to UCM2 using insert script. But, I think there should be some other way also. There may be some options to check while creating export archive. We can migrate UCM schema tables also while migrating the content but I was not able to find USEREXTENDEDATTRIBUTES table. There are some other options like export additional user config, I need to check those options also.
    Thanks,
    Sachin

  • OBIEE 11g Custom Application Roles

    Hello Experts,
    I would need to create our Custom BI Consumer, Author Application Roles. The steps I have followed are:
    1) Created an Application Role "Revenue Data Access Role" for Data Level Security and added the users into it
    2) Selected the existing BI Consumer Role & Created Like "Revenue Dashboard Consumer Access Role" and added "Revenue Data Access Role" into it.
    3) Selected the existing BI Consumer Application Policies & Created like "Revenue Dashboard Consumer Access Role"
    After restarting OBIEE, I could see that data-level security is working fine, but the users don't have Consumer-level access at the dashboard level. Am I missing anything here? Please advise.

    John,
    We can do it at the repository level, right? Manage -> Security -> Application Role... double-click the application role there and you can set it, right? Correct me if I am wrong.
    Thanks,
    SN.
    Edited by: 926238 on Sep 1, 2012 5:57 PM
