Scripting Enterprise Groups-Application Roles mapping

Similar Messages

• LDAP user to application role mapping

  Hi All,
  OBIEE 11.1.1.5
  I have a table with ldap username and role. I have also configured external LDAP server in RPD. Users are able to login to portal.
  Can some one guide me, how to make sure that when user login to OBIEE automatically by table the role will be fetched and mapped with application role created?
  Or, In simple words,
  How can I assign an external ldap user to be mapped to application role? One by one?? or Via table as mentioned above?
  Anyone can help? All documents are not giving this simple picture to me.
  It was easy in 10g, In 11g is it rocket science so that my company can loose the hope to go ahead with 11g?

  Hi,
  1. Create block to initialize USER variable with user name from LDAP
  2. Create block to initialize GROUP variable with role name from external table
  3. In initializtion block for GROUP variable add precedence with User init block to make sure that USER variable have value
  4. If one user can have few roles you should check row-wise-initialization oprion
  Hope it's helpful

• Need help with data filtering on groups/application roles

  Hello,
  I have a situation where I have to apply security on objects (reports, prompts etc) and dimension members (Essbase cube). So the idea is like this:
  Report 1: access to three users (U1, U2, U3), but for dimension Company they have separate rights:
  U1: Company A, Companies A.1-A.7 (children of A) and Companies A.1.1-A.1.9 (children of A.1);
  U2: Company A.1 and Companies A.1.1-A.1.9;
       U3: Company A.1.1
  same for Report 2, but users must have access to different companyes, like Company B, B1...
  In WebLogic Console I created three groups (G1-G3) and placed each user to a group (U1-> G1, U2 ->G2, U3->G3). Then in WebLogic EM I created three application roles (R1-R3) and added for each, corresponding user (R1-> U1, R2->U2, R3-> U3).
  My approach was to use application roles like this:
  R1: include User1 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation2,Dimension"='Company A',"Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
  R2: include User2 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation3,Dimension"='Company A.1', "Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1')
  R3: include User3 and filter data on repository by application role to each generation of the cube ("Data_Source_Name"."Dimension_Name"."Generation4,Dimension"='Company A.1.1').
  I've noticed that, by default, each role inherites BIConsumer and "localmachineusers" application roles, so I set in repository these both roles to filter data as the role 3 (the lowest level of acces), in order for my roles (Roles 1 to 3) to have the highest privileges.
  In repository I cannot see any of my users (U1-U3), but just the application roles they are in.
  For Report 1 I set the access to Roles 1-3 and when I am logged on as U3 this report should display only the data for Company A.1.1, but it doesn't (displays data also for Company A, Companies A.1-A.7).
  In fact it seems, that the data isn't filtered at all, which drives me to the conclusion that my data filter is override by another role, maybe ?
  Could you please give me a clue about what I am missing here ?
  Thank you.

  Amith,
  Please bear this with me - see my comments below (search for petresion_Comments):
  So, we have three users who have access to a report called Report1. But the data that they see in the report needs to be different. The report has a dimension company, and each user needs to see different companies data. So the filtering needs to be done on company dimension.
  petresion_Comment: That's my case to solve.
  Now the groups in weblogic has no purpose in OBIEE 11g unless you are using an LDAP authenticator who has groups defined in the active directory. By this I mean the network people are maintaining the users and group relation necessary for OBIEE. So keeping the weblogic groups apart for a minute, lets deal with users and roles only.
  The three users are assigned to three different roles R1, R2 and R3. By default, all the roles inherit the BIconsumer role, and localmachineusers role you mentioned is not an OTB role. This is something that is probably causing the data filtering to fail. Do a test like create a user in weblogic, assign him only to the localmachineusers role, and go to analytics, and check your roles and groups by going under my account. Make sure this role is not inheriting any other roles like BIAdministrator, BIauthor etc. So in conclusion, when one of your users login, they should inherit only their custom Role (R1 for instance), BIConsumer, Authenticated User, and your custom role localmachineusers.
  petresion_Comment: That is what I checked on the first time (few days ago) and is exactly as you say (BIConsumer, localmachinerole and Role1).
  Do not apply any data filters on the BIConsumer role. This is not a good practice because the filters get applied to every single user that logs into the system.
  petresion_Comment: I know that, but appliyng filters on BIConsumer role I tried to make sure that its privileges doesn't overrides any of my Roles (1,2 or 3). I will remove the filter on BIConsumer.
  Now create the data filters on your custom roles (R1, R2, R3). Save the RPD. Deploy the Rpd through Enterprise Manager.
  petresion_Comment: Only difference in my case is that I stopped BI services, applied changes to rpd in Offline mode and then restarted BI services.But also tried as you mentioned (by the book in fact) and same result. The problem is the same, my roles(1,2,3) don't filter the companies at all.
  Once you are done with all the work above, you should login into analytics as user1. After logging in go to my account, roles and groups, and make sure you see the R1 in the list of groups. Now run the report, and your filters should get applied no matter what. If they are still not getting applied, grab the physical sql and see if the filters are existing in the where condition.
  petresion_Comment: Where can I capture the physical SQL (probably an MDX sent to the Essbase cube ?) ?
  One other reason could be, one of the roles that are assigned to the user1 by default, is overriding the filters. Like for example, if a user is assigned to BIAdmin role, and no matter if you assign him to a different role that has 100's of filters, he will still see all of the data.
  petresion_Comment: As I said before, each of my users are members of their roles, BIComsumer and localmachinerole, so no other privileges (no BIAdmin role).
  Thank you for the patience.
  John

• Best practices on enterprise and application roles in OIM and OAM 11g?

  Hi, all,
  I wonder if any of you can give me some advice on role design for OIM and OAM 11g. I'd like to have both enterprise roles, such as Accountant II, and application roles, such as App1_User, App1_Admin, etc. Ideally, the enterprise role would automatically give the user the appropriate application roles, but I can't figure out how to do that. We tried using OIM 11g's inheritance, but when the application role is inherited, OAM doesn't see it in OID/OVD and therefore doesn't think the user has the correct authorization to access the application. I thought about using role membership rules, but those seem to only allow you to use user attributes to control membership, which doesn't help at all in my situation.
  How is this situation best handled? Any advice much appreciated!
  Ariel Anderson
  Senior Business Analyst
  Zirous, Inc.

  Hi,
  I am assuming in clustered environment you are having two instances running.
  It must be an issue with a single server,,because the problem is intermittent.
  To see which server is causing problem....just perform the following steps:
  1) Stop server1 and keep running server2..and fire new registration request...
  2) stop server 2..and keep running server1.....and fire new registration request.
  Using above, atleast you can see which server is causing the problem...
  Regards,
  J
  Edited by: J_IDM on Mar 21, 2011 10:52 PM

• How to map Application Roles to Enterprise Roles

  Hello,
  i am having a problem with mapping Application Roles (from ADF Security) to the corresponding Enterprise Roles. I have already seen that it is possible with a tool called Enterprise Manager, but what if i do not have it??
  Can i map the roles in WebLogic Server itself? I have searched for such ability and did not found it. Also have not seen any tutorial on the internet. Someone help me pls.
  The version i am using is 12.1.2.0.0.

  Application roles and permissions defined within WebCenter Portal are stored in its policy store and, consequently, apply to the WebCenter Portal application only.
  Application Roles : Application roles control the level of access a user has to information and services in WebCenter Spaces. Specifically, application roles determine what a user can see and do in their personal space.
  Application Permissions : Again every application role has specific, defined capabilities known as permissions. These permissions allow individuals to perform specific actions in their personal Portal.
  Enterprise roles are different. Enterprise roles are stored within the application's identity store and do not imply any permissions within WebCenter Portal.
  2. How and where do we create these 5 Application Roles in WC 11.1.1.8 version ?
  You can create an application role from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> Roles -> Create Role
  See : Managing Security Across Portals for more info :
  http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27738/wcadm_ps_security.htm#WCADM398
  3. Last, where and how do we MAP these Application Roles TO Enterprise Roles in 11.1.1.8 version ?
  First, You can grant privileges to a specified group (say sales group) of users by granting Enterprise Roles in Enterprise LDAP.
  Next, Create custom application roles (say Contributor, Moderator, UIDesigner, Application Specialist, etc) and assign the appropriate permissions as explained above.
  Then, You can assign one or more Application Roles to a specified group (say sales group) from WebCenter Portal -> Portal Builder -> Administration tab -> Security -> users & Groups
  I hope it helps.

• How to access the mapping of Groups and Roles in the JAVA Application

  We have mapped the EJB roles with the groups through the Visual Administrator. We have developed the SSO. We have developed the application through which we are creating the user and role and mapping that role with the created user. The created role is saved in some LDAP directory. The second application in which ejb methods are mapped with some security roles.The LDAP roles we are getting in Netweaver as groups and we can perform the mapping of the deployed ejb roles with the group.Now for the logged in user we want to get the roles mapped with it so that we can give/deny the access to the methods from EJB as per the role of that user .How we will get the access to the mappings of the roles with the group in the application, if I know the LDAP roles mapped with the user (since these roles are accessible as groups in the NetWeaver)
  For e.g.  From application created the user with the role as "manager". This role is stored in iPlanet directory.
  This directory is mapped in the Netweaver.The manager role is displayed as the group in the Netweaver.
  Created the EJB application with the method "displayTheAccountDetails() with the role as "ManagerRole"
  This role is mapped with the manager group. Now we are having the details about the logged in user and the LDAP roles mapped to it (maneger role). How I will get the access to the details that for this group which ejb role is mapped in the application. So depending on that I can allow/deny the access to the ""displayTheAccountDetails()" method to the logged in user.

  Do you, guys, work together?
  See the last answer in this thread: How database works in UCM?

• Can't create Application Role in Obiee 11g Enterprise Manager

  Hi All,
  I was working on obiee11g enterprise manager. I created some of the groups in weblogic console. Now I wanted to create application roles in enterprise manager for those groups. I am surprised that, the "*Create*" button is inactive on the application role page of enterprise manager. I only i could see tthe actives ones "*Create Like*", "*Edit*" and "*Delete*".
  Please assist shoud I need any additional configuration for the same.urgent!!
  Thank you in advance,
  BK.

  Click on Create Like button
  Then click cancel on the Create Like dialog box
  Go back to the Create button, it now works
  But if you log out and log back in, the Create button is disabled again
  so may repeat the above process of accessing the 'Create Like' button first to enable the Create button
  < Bug:13983399> CREATE BUTTON IS DISABLED IN FUSION MIDDLEWARE CONTROL IN OBIEE 11.1.1.6.0 ENV
  Please mark helpful or correct if answered.
  Thanks,
  - A.Y

• Map wls roles to application roles

  how can i map weblogic roles to my application roles ?
  already, i config db authentication in wls
  but how can i map it to jazen-data.xml file ?

  Hi,
  either you create the same roles in jazn-data.xml in which case they are automatically used after deployment or you have a look at how to map user groups (not application roles) created in jazn-data.xml to WLS groups using the weblogic.xml file
  Frank

• Is it possible to modify the tag structure tree and the role map via scripting?

  We use unstructured FrameMaker to produce training materials which we distribute as tagged PDF to meet accessibility requirements.
  When FrameMaker creates a tagged PDF, it does a fairly good job of populating the structure based on the PDF setup information for the paragraph formats in the FrameMaker documents. However, there are some limitations in the support that FrameMaker provides. For example, almost all paragraphs are assigned to the P role even if they are headings and should be mapped to H1-H6.
  We want to be able to easily post-process a PDF that has been generated from FrameMaker to fix some of the tag structure issues (including tag names and the role map) so that the PDF will provide the optimum experience for a user of the JAWS screen reader.
  I spent some time reading the SDK documentation but didn't find much information about manipulating a tagged PDF via the API, especially via scripting.
  Does anyone have any examples or references which explain how to do it?

  AFAIK, it's not possible with a script. You might want to ask in the SDK forum, as it could be possible with a plugin.

• Applications Roles in FMW (Enterprise Manager) OBIEE11g

  Hi,
  Please specify, how to migrate new created Application roles in production from Test @Enterprise Manager (FMW).
  Regards
  Rahul

  Good question. In the documentation it's with the hand.
  See: http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10540/lifecycle.htm
  Application Role (Policy Store) Migration
  There are several options for migrating application roles between development, test, and production systems.
  For simplicity, this document assumes you will re-key a small number of application role names by hand.
  Links to additional content on migrating application roles for larger-scale batch cases are provided later in this appendix.And of course, no appendix ...
  Cheers
  Nico

• Hide/Show UI Controls by Enterprise/Application Roles

  How i can show/Hide A UI Control by the Enterprise/Application Roles??
  is there any way to do this?
  My JDevdeveloper is 11.1.2.3

  Use the rendered/visible/disabled attribute of your UI components.
  rendered="#{securityContext.userInRole[’ADMIN’]}"

• Displaying Application Roles / Groups in OBIEE

  All,
  We followed this blog - http://www.rittmanmead.com/2010/10/obiee-11gr1-security-explained-working-with-the-default-security-configuration/ - to implement security in our reports in OBIEE. We created four AD groups and four corresponding Application Roles for the four organizational segments in the company. This is working really well. However, the business wants to display a message saying "NOTE: You are in Role <Role Name> so you are seeing partial data for that Segment" or something like that. Is there a way to obtain the current users groups and/or application roles so they can be displayed in an analysis or dashboard?
  Thanks in advance!

  Use VALUEOF(NQ_SESSION.ROLES) as one of column expression and call that column in Narrative view using @n.
  where n is the column order from left to right.
  You might need to format the values to , separated.
  Ref: http://docs.oracle.com/cd/E14571_01/bi.1111/e10540/variables.htm#BIEMG3104
  If helps mark as correct.
  Edited by: Srini VEERAVALLI on Jan 29, 2013 4:33 PM

• Assign application roles after authentication

  Hi,
  It's been some time now I'm struggling with this issue...
  I have a client application (not a web one) trying to access an EJB resource.
  The EJB is first looked up through jndi and then asked to invoke a method, say test().
  In ejb-jar.xml I have the following:
  <security-role >
  <role-name>AN_APP_ROLE</role-name>
  </security-role>
  <method-permission >
  <role-name>AN_APP_ROLE</role-name>
  <method >
  <ejb-name>EJB NAME</ejb-name>
  <method-intf>Remote</method-intf>
  <method-name>test</method-name>
  <method-params>
  </method-params>
  </method>
  </method-permission>
  I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
  I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
  As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
  this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
  Nevertheless access is denied when the client tries to access the protected test() method.
  It seems that somehow even if the Subject has the role within its principals, the container doesn't threat it such.
  I am pretty stuck, and starting to wonder if this is the right approach...Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not a enterprise directory one.
  Any hint?!
  cheers,
  Francesco
  p.s: in jazn.xml I have
  <property name="role.mapping.dynamic" value="true"/>

  Hi,
  It's been some time now I'm struggling with this issue...
  I have a client application (not a web one) trying to access an EJB resource.
  The EJB is first looked up through jndi and then asked to invoke a method, say test().
  In ejb-jar.xml I have the following:
  <security-role >
  <role-name>AN_APP_ROLE</role-name>
  </security-role>
  <method-permission >
  <role-name>AN_APP_ROLE</role-name>
  <method >
  <ejb-name>EJB NAME</ejb-name>
  <method-intf>Remote</method-intf>
  <method-name>test</method-name>
  <method-params>
  </method-params>
  </method>
  </method-permission>
  I manage to have OID perform the authentication, so that I can perform the EJB lookup and call non protected methods. Issues arise when trying to get the roles working.
  I know that i can <security-role-mapping> AN_APP_ROLE to an oid group; what I am trying to accomplish is to have oid do the authentication and be able to fetch the application roles from a database.
  As a starting point what I've done is a client LoginModule that first authenticates against the OID (by looking up an EJB resource) and then, in the commit(), do the following:
  this.subject.getPrincipals ().add (new RoleExtended("AN_APP_ROLE"));
  Nevertheless access is denied when the client tries to access the protected test() method.
  It seems that somehow even if the Subject has the role within its principals, the container doesn't threat it such.
  I am pretty stuck, and starting to wonder if this is the right approach...Nevertheless I don't think putting the application roles in oid is a good idea, since application roles should remain an application property not a enterprise directory one.
  Any hint?!
  cheers,
  Francesco
  p.s: in jazn.xml I have
  <property name="role.mapping.dynamic" value="true"/>

• OBIEE 11g - Application role migration from DEV to UAT or to PROD

  Hello All,
  there are blogs which mentioned about application role migration from dev to UAT or Prod..
  Kindly provide the correct path of below two files which we use for application Role migration
  1. system-jazn-data.xml
  2. jps-config.xml
  I have searched these files but noticed there are 3 or 4 files with same name under different paths.
  Kindly help. TIA
  Regards

  if you mess up these files, your system will get corrupted.
  You need to take proper back up and then get it done.
  another way where you can avoid this risk is to manually enter the roles. Creating roles is one time effort unless you keep deleting and creating new roles. If you manually do it you will have more control on migration and you can fix if there an issue easily. Note, the migration of roles does not map the groups to roles . You still have to manually map them.
  OBIEEHOME\user_projects\domains\bifoundation_domain\config\fmwconfig
  1. system-jazn-data.xml
  2. jps-config.xml

• Problem with Security Role mapping and LDAP

  Hi,
  In Oracle Internet Directory I've created a group called OIDGroup1.OIdGroup1 has 2 users : OIDuser1 and OIDuser2.
  OIDGroup1 is mapped to EjbRole1 (is a security role defined in ejb-jar.xml, EjbRole1 can do everything in the application).Now if I login as OIDuser1 or OIDuser2, application said that the user does not
  have authorization to execute some method. The mapping in my orion-application.xml is :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  </security-role-mapping>
  <jazn provider="LDAP" location="ldap://myhost:4032"><jazn-web-app auth-method="SSO"/></jazn>
  if I modified orion-application.xml like this :
  <security-role-mapping name="EjbRole1">
  <group name="admin/OIDGroup1"/>
  <user name="admin/OIDuser1"/>
  </security-role-mapping>
  then login as OIDuser1, it works. But it does not work with OIDuser2.
  That's is a problem for me because our customer can not manage the user/group
  easily : each time they have a a new user, instead of simply adding this user
  in the OIDGroup1 (with graphic interface of OIDAS), they have to modify
  orion-application.xml.
  Do you have any idea ?
  Thanks in advance
  regards

  I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).