ODI security

Similar Messages

• Deletion Key - Deleting Hosts on ODI Security Manager

  Hi,
  im heaving some trouble using ODI Security Manager. To delete manually inserted Hosts, is required a "Deletion Key" (after a generation of a unblock file with the connection info).
  Problem: how (or where) do i get (or generate) this Deletion Key???
  some guides say to look for oracle technical support. Where i can find this technical support (link, fone, fax, e-mail)??
  this means that everytime i need a deletion key, i have to send it to oracle??
  i need to understand how this process works.
  thanks for the help.

  Well,
  If there a possibility to add new hosts, there must be a way to delete them.
  In fact this should be a simple thing to do.
  how this simple task become such a complex process?!
  but the main reason, is that i'm in project where the client has a lot of demands, and i need to be prepared to any requests. (especially a simple task like this)
  thanks for the attention.

• Demystify ODI Security -- Documentation is very weak on this topic.

  I see 3,000 hits to one thread on ODI Security but I haven't gotten that "Ah-ha!" moment where I now understand ODI security. The SNPS_USERS.PDF (ODI User's Guide) is very light on the security section.
  I'm trying to do something I hope is very simple: Create a new user that can execute the scenarios I choose and only for certain contexts. I've been able to create a new user. I've also been able to apply a profile to the new user. But when I try to grant specific SCENARIOS I get this error:
  *"This user already have generic privilege on this object type. You do not need to set instance privileges."*
  Does anyone have any good examples on how to setup ODI security?
  -Chris Rothermel
  Edited by: Chris Rothermel on Apr 12, 2010 2:40 PM

  Chris,
  I agree that ODI security is poorly documented and seems more like witchcraft.
  Having said that, see this Re: Security
  This may give you insight into how Generic and Non Generic privileges work
  Create a brand new user.
  For your case, do the following:
  1. Create a duplicate of CONNECT profile and name it CONNECT_WITHOUT_CONTEXT.
  2. Expand it and goto Context-> Dbl-click View.
  3. Uncheck the "Generic Privilege" checkbox.
  4. Grant CONNECT_WITHOUT_CONTEXT to the user.
  5. Drag-drop the Contexts that you want the user to access from Topology Manager onto the user.
  Now user will only be able to see the contexts that you explicitly grant him.
  6. Also, for your case use NG Designer instead of regular Designer profile.
  7. The Execute Method in the Scenario object underneath this profile has been unchecked for "Generic Privilege"
  8. Login to Operator and drag-drop the scenarios on the user.
  HTH

• Explanation about objects in ODI security manager

  Hi,,
  I'm looking for the document which gives the clear explanation about the objects/profiles which are in security manager of ODI.
  I want to understand first to assign those to the users.
  Any info is appreciated.
  Thanks
  K

  Yes that could be done but only for certain Objects as an example Text objects can be overriden by Induvidul apolicies. Refer URL
  http://cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00805ac23c.html#wp1199068

• Odi security user creation

  Hi,
  can any one please share any links about.i want create a user for development work repository only not topology.
  please suggest which privileges need to give for new user.
  Thanks....
  Surya

  Hi Bhabani,
  Thanks for your reply.
  I need to create a user which is to connect only development work repository(don't having the topology editing privi). for this i given designer and ngdesinger profile acess to user,
  but still that user getting the topology editing also.could please share any links/blogs for creating,assinging profiles to users.
  Regards,
  Surya

• Needed urgent help for user creation in security manager in ODI 11g

  Hi Gurus,
  I have an urgent requirement in ODI security manager and i am completely helpless. We need specific steps for the user creation with sufficient priviledges. The detailed requirements are:
  1. There is a group of users under the framework team and these users should be able to edit the Knowledge modules only. All other objects (e.g. projects, interface, procedures or development related objects) should only be in read only mode for them.
  2. There is a group of users under the development team. The priviledges of these users should be mutually exclusive to that of the framework team users. i.e. the development team should be able to edit or delete all development related objects (e.g. projects, interface, proc etc.) but the knowledge modules should only be in read only mode for them.
  Now I will explain what i have tried out:
  I am working on ODI 11.1.1.5.
  I have created a user with NG DESIGNER and CONNECT profile. Dragged and dropped all the projects on the user and selected all methods in all repositories (check sign). However when i connect with that user i cannot open the KMs (as far as development team is concerned its fine) but i can also not open interfaces as well as procedures (which is not acceptable from development point of view).
  Also when i tried creating a user from the framework team point of view i could not see any option related to KMs (To give edit priviledge).
  Please help me out guys. I have also searched oracle documentation and believe me the security manager section is not very good. If you guys can help me out with specific steps it would be great (I have tried the hints given in oracle documentation and they dont work, the ODI security manager behaves strangely :-(
  Thanks in advance,
  SB

  Similar requirement here guys. Any pointers. I was able to achieve this by restricting development user from supervisor access. In that case the development user can not edit the interfaces. Any known defefct?

• Profiles in ODI

  Hello there, I am new to ODI and I had a couple of questions about the profiles.
  I would like to know what profile(s) i need to assign in order to allow a developer to work in a given repository/project without being able to change a data model.
  I need them to be able to view, edit, delete interfaces, packages, variables, Copy and modify....not modify the original.
  Any help you be great.
  Thank you,
  IT Intern

  Ok, but I do not completely understand what every
  method does. Basically I want the Devs to not be able
  to change any metadata and just to be able to work on
  their own projects, or projects which I allow them
  too.As far I as have been able to determine there is no documentation of what each method does. Generally they correspond to the right-click options, but there are often other methods required to perform a specific action.
  The best way I have determined to build a custom security profile is to go through the tedious work of granting a profile a few methods at a time, then logging into the Designer application to test the privilege. You will then inevitably get an some obscure error and need to guess at what method the profile is missing.
  We are in the process of setting up our ODI environment and I recently spent a few weeks(!) of time developing custom security profiles. We had a similar goal of creating a role that gave developers read-only access to models and non-generic project access (= access only to projects they created or had been granted). We also had another major requirement to restrict users from making changes to the production work repository.
  We did successfully create profiles to meet the goals of that role -- as well as several other roles we required -- but discovered a significant security issue. Any user could log into Security Manager and drag-n-drop any instance (project, model, work repository, etc.) that they could see from Designer onto any other user that had a non-generic type profile and grant that user access to the instance. This was true, even though we hadn't granted them the appropriate Security Manager methods that control this "drag-n-drop" functionality. The consequence is that we couldn't really create a secure environment that utilized any non-generic privileges. (Our assessment is that ODI security is still pretty buggy; Oracle should invest some time in unit testing their ODI security model.)
  We decided to change direction: We have an open development environment where every developer has full (generic) access to all projects in the development work repository (still have read-only access to models). To meet our secure production requirement, we also ended up creating the production environment as a separate master repository with separate authorized users.

• Setup ODI for multi user

  I am looking for best practice for setting up ODI to be use for multiple users.
  I would like to have several users to be able to work on the same package.
  Can they use the same work repository? How do I use version control?
  Thanks,
  Charles

  Hi,
  I'm at a project with more the 25 ODI developers, 4 ODI Topology "man', 3 Odi Security "man", more then 50 Metadata Profile and 12 Operator Profile.
  The Work Repository is the same for all (development context) and the organization is at Project level. It's means each group of Developer that works at a specific department has his own project and have rights only at this Project.
  That is my 5° big ODI environment implementation and until now was the best way that I find to work..
  Good luck!

• Profile for ODI

  are the profile defined in the ODI security manager the default one or you can define your own parameters.
  can some one send me some link or some document which can show me how to define profile and user authorization.
  Thanks to you all .

  Hi,
  Yes u can have your OWN profiles with defined objects in security manager.
  Rather than the standard "oracledi_user" document there is no document as such which talk about this.
  Thanks,
  G

• 'connect without context' profile takes away data/view data rights in model

  Demystify ODI Security -- Documentation is very weak on this topic.
  Non-generic profiles-This concept works perfectly well for projects/folders/packages.
  But as soon as I bring in the new profile: CONNECT_WITHOUT_CONTEXT, the user loses the ability to query data from within ODI.
  (‘data’, ‘view data’ options in the model/datastore section).
  I have tried NG versus generic profiles of metadata admin-but somehow the data/view data option errors out:
  Cannot display table’s data.
  But if I use the regular CONNECT, the options come back.

  That is because the CONTEXT links the Logical and the Physical. All Model objects are related to a logical schema. Each logical is related to a physical schema via the context. If you have no context, then you break the link, therefore ODI does not know 'where to look' for the data and will error.
  Cheers
  Bos

• Are there any ways to increase security in ODI

  Hi,
  Are there any other ways to increase security in ODI. I have heard about External password storage, External authentication and SSO from over here: http://docs.oracle.com/cd/E17904_01/integrate.1111/e12643/whatsnew.htm#CHDEAIAB
  apart from these are there any methods?

  I do not fully understand the meaning of "Top" in the phrase "Top In App Purchase". In Settings there is an option to invoke restrictions. One restriction option is to prohibit In-App Purchases.

• How to do Setup and Security implementation in ODI

  HI Friends,
  I have few question regarding ODI installations.I am using
  Oracle DB version is Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
  ODI is ODI 11.1.1.5 version.
  While installing can we go for
  One Master repository for Dev and UAT, mainly because we have one physical server for UAT connecting to UAT DB and Dev DB. And a separate Master repository for Production?
  We have 2 groups of users .One is developer and One is tester.
  Tester donot have a permission to use or check the development codes.They have only the Run permission in operator.
  How to do this security implementation in ODI while installing.
  Plz confirm me on this.
  Thanks,
  Lony

  The way I did it is,
  Created an Execution Mode work repository for the QA purpose and thus only Scenarios & Load Plans were deployed on this QA repo. This had its own Master Repo as well.
  For dev the Dev mode work repo is created where all the interfaces, packages, procedures can be developed or modified as and when required.
  Thus, the testers have access only to the QA environment.
  Otherwise you can assign roles to the users after the installation in the security tab. Give the operator, connect role to the testers.

• Security & privileges in ODI

  Hi All,
  I want to know, how can I provide selective rights to ODI users. Suppose We have 4 developers in ODI, only one user is supposed to create TOPOLOGY,only one user is supposed to stop the executing process from operator.
  Thanks in advance :)

  You have create non generic profiles and grant privilege as your requirement. refer this
  http://docs.oracle.com/cd/E17904_01/integrate.1111/e12643/security.htm
  Thanks.

• Re: Generating Security files for BIAPPS ODI in linux

  Hi,
        DId you have to make any additional setting after have installed ODI ? I mean, I've installed OBIEE, ODI (just with Java EE components and Bi Apps).
        When I've ran configApps.sh I have got the following error at Configuring ODI step :
  configure_odi: Problem invoking WLST - Traceback (innermost last):
  configure_odi:   File "/u01/app/oracle/OBIEE/Oracle_BI1/bifoundation/install/configure_odi.py", line 261, in ?
  configure_odi:   File "/u01/app/oracle/OBIEE/Oracle_BI1/bifoundation/install/configure_odi.py", line 206, in _configureOdiDwIntegration
  configure_odi:  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  configure_odi:  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  configure_odi:  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  configure_odi:  at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
  configure_odi:
  configure_odi: java.lang.Exception: java.lang.Exception: DW_FILE data server update failed with return code: 1
  configure_odi:
  java.lang.Exception: java.lang.Exception: WLST Script task failed with status 1
          at oracle.as.install.biapps.biappsconfig.standard.ODIConfigTask.doExecute(ODIConfigTask.java:65)
          at oracle.as.install.bi.biconfig.standard.AbstractProvisioningTask.execute(AbstractProvisioningTask.java:70)
          at oracle.as.install.bi.biconfig.standard.StandardProvisionTaskList.execute(StandardProvisionTaskList.java:66)
          at oracle.as.install.bi.biconfig.BIConfigMain.doExecute(BIConfigMain.java:113)
          at oracle.as.install.engine.modules.configuration.client.ConfigAction.execute(ConfigAction.java:375)
          at oracle.as.install.engine.modules.configuration.action.TaskPerformer.run(TaskPerformer.java:88)
          at oracle.as.install.engine.modules.configuration.action.TaskPerformer.startConfigAction(TaskPerformer.java:105)
          at oracle.as.install.engine.modules.configuration.action.ActionRequest.perform(ActionRequest.java:15)
          at oracle.as.install.engine.modules.configuration.action.RequestQueue.perform(RequestQueue.java:96)
          at oracle.as.install.engine.modules.configuration.standard.StandardConfigActionManager.start(StandardConfigActionManager.java:186)
          at oracle.as.install.engine.modules.configuration.boot.ConfigurationExtension.kickstart(ConfigurationExtension.java:81)
          at oracle.as.install.engine.modules.configuration.ConfigurationModule.run(ConfigurationModule.java:86)
          at java.lang.Thread.run(Thread.java:662)
  Caused by: java.lang.Exception: WLST Script task failed with status 1
          at oracle.as.install.bi.biconfig.standard.WLSTScriptTask.doExecute(WLSTScriptTask.java:119)
          at oracle.as.install.biapps.biappsconfig.standard.ODIConfigTask.doExecute(ODIConfigTask.java:62)
          ... 12 more
        Does it related to create some credientials to ODI into WLST ?
  thanks

  Hi ,
  I was using a  wlst.sh from wrong location .( /u01/app/oracle/Middleware/wls)
  I have to use middleware/Oracl_BI1/common/bin   wlst.sh.
  Thanks
  Venkat

• Security in ODI-specific access to projects and folders

  Is there anyway to give project or folder-specific access within ODI?
  Some users want to be able to run jobs-but I dont want them to see other projects within ODI.
  Thanks.

  I have managed to create a 'connect without context' profile for non-generic versions, and it works great for projects and folders.
  Now, how do I do the same for models and datastores?I want users to be able to access, view, and query data only in specific model/datastores. I have tried assigning specific view rights etc to the specific tables-but everytime the user tries to 'view data' or 'data', he gets an error:
  cannot display table's data (java.lang.nullpointerexception)
  If I use generic privileges with the existing profiles, everything works great. But we want to make access more specific for each user.
  Edited by: 784749 on Apr 6, 2011 10:45 AM