LDAP user to application role mapping

Hi all

OBIEE 11.1.1.5

I have a table with the LDAP user name and role. I also configured an external LDAP server in the RPD. Users can connect to the portal.

Can someone guide me on how to ensure that, when a user connects to OBIEE, the role is automatically retrieved from the role table and mapped to the application role I created?

Or, in simple terms,

How can I map an external LDAP user to an application role? One by one? Or via the table as shown above?

Can anyone help? None of the documents give me this simple picture.

It was easy in 10g. Is 11g such rocket science that my company should lose hope of going ahead with 11g?

Hi Hari,

These can be useful for you

http://gerardnico.com/wiki/dat/OBIEE/security_11g
https://blogs.Oracle.com/robreynolds/entry/security_in_obiee_11g_part_1
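One way to drive the mapping from a role table, as an added example that is not part of the original posts or of Oracle's tooling: a Python helper that turns table rows into OPSS WLST `grantAppRole` lines for an administrator to review and run in a connected WLST session. The table columns, the allow-list, the sample names and the "obi" stripe default are assumptions.

```python
import csv
import io
import re

# Principal classes used by the WebLogic identity store.
PRINCIPAL_CLASS = {
    "group": "weblogic.security.principal.WLSGroupImpl",
    "user": "weblogic.security.principal.WLSUserImpl",
}
# Conservative pattern so a table value can never close the WLST string literal.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")

# Constructed role table (principal, kind, role); all names are sample values.
ROLE_TABLE = '''principal,kind,role
usersUSA,group,BIConsumer_USA
hari,user,BIAuthor
hari,user,BIAuthor
eve,user,BIAdministrator
"bad"")",user,BIAuthor
'''


def wlst_grants(table_csv, allowed_roles, stripe="obi"):
    """Turn role-table rows into grantAppRole lines.

    Returns (commands, rejected); rejected holds (principal, reason) pairs.
    """
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(table_csv)):
        name, kind, role = row["principal"], row["kind"], row["role"]
        if kind not in PRINCIPAL_CLASS:
            rejected.append((name, "unknown principal kind"))
        elif not SAFE_NAME.fullmatch(name) or not SAFE_NAME.fullmatch(role):
            rejected.append((name, "unsafe characters"))
        elif role not in allowed_roles:
            # The table must not be able to hand out roles outside the allow-list.
            rejected.append((name, "role not in allow-list"))
        elif (name, kind, role) not in seen:
            # Duplicate rows are collapsed into a single grant.
            seen.add((name, kind, role))
            commands.append(
                'grantAppRole(appStripe="%s", appRoleName="%s", '
                'principalClass="%s", principalName="%s")'
                % (stripe, role, PRINCIPAL_CLASS[kind], name)
            )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = wlst_grants(ROLE_TABLE, {"BIConsumer_USA", "BIAuthor"})
    print("\n".join(cmds))
    for name, reason in bad:
        print("# skipped %r: %s" % (name, reason))
```

Rows that name a role outside the allow-list, or that contain characters able to break out of the quoted argument, are reported instead of being turned into a command.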

Tags: Business Intelligence

Similar Questions

  • Mapping an external LDAP user to a UCM role

    Hello WebCenter content masters,

    I'm having trouble mapping an LDAP group to a UCM role.
    Let me explain the situation.

    I have an external LDAP (Apache DS) with two groups (groupofuniquenames), 'Administrators' and 'Test', and two users, 'ldap_admin' and 'ldap_user'. ldap_admin is a uniqueMember of 'Administrators' and ldap_test a uniqueMember of 'Test'.

    In UCM, I created a custom role 'Test' with "RWD" privileges on group 'Public'.

    I guess that the external LDAP has been configured successfully as an LDAP authenticator provider - myrealm settings tab, since I can see the external LDAP groups and users, and they can connect to the DCU with their user id and password.

    However, ldap_user is unable to perform the check, and on their profile page, the role is "invited, authenticated."
    And when I move ldap_user from the Test group to the Administrators group, the role is then "invited, authenticated, admin, sysmanager, refineryadmin, rmaadmin, pcmadmin, ermadmin".
    It seems that the Administrators group is mapped correctly, but not the Test group.

    I tried to apply the advice given in these two threads:
    External LDAP user has only search privilege in UCM
    Unable to map external users to roles in WebCenter Content 11g

    I have created an 'externalLdapMap' identification card, completed the provider.hda file and put in the map "Test, Test". I also tried with "Test, contributor" as I was not sure about the first mapping.
    Whatever it is, after restarting the UCM server, I'm still not able to grant the write privilege to a user outside the Administrators group.

    Did I miss something in the process?
    Thank you for your attention and of course any help would be greatly appreciated.
    L.

    Hello

    I think that you have enabled the LDAP authenticator credits and that this error will go up.

    You must create an OpenLDAPAuthenticator and do the same settings with flag set up and then test the scenario.

    Thank you
    Srinath

  • How to migrate Application Roles (BIEE 11g) from one env to another?

    Hello

    As far as I know, in BIEE 10g, application roles are stored in the RPD file. But in 11g, users and application roles are stored in WebLogic (if BIEE 11g is not connected to an LDAP server), no?

    If so, how do you migrate the dev env application roles to the production env?

    It is a rather more tedious task than in BI 10g. Migration of security in BI 11g, courtesy of obieetalk:
    http://www.obieetalk.com/Oracle-BIEE-11g-%E2%80%93-migrating-security-%E2%80%93-identity-stores-%E2%80%93-part-1
    http://www.obieetalk.com/Oracle-BI-EE-11g-%E2%80%93-migrating-security-%E2%80%93-policy-store-%E2%80%93-part-2
    http://www.obieetalk.com/Oracle-BI-EE-11g-%E2%80%93-migrating-security-%E2%80%93-credential-store-%E2%80%93-part-3

    Award points and close the thread if the question is answered.

    Thank you
    -Aude

  • Application roles

    Hello

    I created roles in the application using transactions management. I see the names of the users of the roles in the WF_LOCAL_USER_ROLES table. Now, I deleted the names of the existing users from the application roles and added new user names. When I check the WF_LOCAL_USER_ROLES table once again, I see both the old and new values. Do I have to run any concurrent program to remove the "old" ones?


    Thank you
    PK

    Hello

    What is the version of the application?

    Please see if the documents of Metalink (567923.1, 813314.1, 833383.1) are applicable to your question.

    Kind regards
    Hussein

  • Custom application role (LDAP group added): still no connection possible

    Hello
    I created a BIConsumer_USA role (using Oracle Enterprise Manager) for BI report consumers from the United States, who should have access only
    to US dashboards (consisting of BI Publisher reports). I added this new application role BIConsumer_USA
    to the existing application role BIConsumer (so the permissions are defined), as well as the LDAP group usersUSA.
    However, even after doing all this, I cannot connect with users who belong to this group and who have the role BI_Consumer_USA.
    Why is this?

    Given that the LDAP is IBM Tivoli, we should be able to use OpenLDAP instead of the OVD LDAP provider in WebLogic.

  • How to disable MAD for some groups of users / application roles?

    Hi all

    Does anyone know how to revoke the privilege of creating mobile applications with MAD from an application role?

    Thank you in advance,

    Stefan

    Hello Stefan,

    Good question, I just suspect that you will be disappointed by the response... (at least my answer)

    Don't know if you can really do it...

    MAD is Publisher, so if you remove access to Publisher you probably also lose permissions on BIMAD.

    BIMAD 'new' URL: /analytics/saw.dll?bipublisherEntry&Action=new&itemType=.xma

    Publisher report 'new' URL: /analytics/saw.dll?bipublisherEntry&Action=new&itemType=.xdo

    I also had a look at the doc on the deployment of BIMAD to see if there are a few references to security, and there is a section named "4.2 task 2: update for Oracle BI Mobile App Designer Security Configuration" (here); they say to run a WLST script to "update your system JAZN file (system-jazn-data.xml) with security grants needed for BI Mobile App Designer", so I thought I'd find the real answer there!

    The content of the script is a little disappointing:

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="IdentityAssertion", permClass="oracle.security.jps.JpsPermission", permActions="*")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.system,keyName=system.user", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.publisher,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="*")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=APPLICATION,name=obi", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permActions="getApplicationPolicy")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="AppSecurityContext.setApplicationID.*", permClass="oracle.security.jps.JpsPermission", permActions="*")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.enterprise,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

    grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.wsm.security,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

    createResource(appStripe="obi", name="oracle.bi.publisher.developLightDataModel", type="oracle.bi.publisher.permission", displayName="Develop model of light data", description="develop light Data Model")

    grantPermission(appStripe="obi",principalClass="oracle.security.jps.service.policystore.ApplicationRole",principalName="BIAuthor",permClass="oracle.security.jps.ResourcePermission",permTarget="resourceType=oracle.bi.publisher.permission,resourceName=oracle.bi.publisher.developLightDataModel",permActions="_all_")

    Most of the lines are not interesting except the last 2 commands: a resource named 'Developing light Data Model' of type 'oracle.bi.publisher.permission' is created.

    And the last command, which grants BIAuthor permission on the newly created resource 'oracle.bi.publisher.developLightDataModel', is probably the most interesting.

    It deserves to be tested (no luck, my test environment crashed just before I was able to test it).

    You can try to revoke that permission from BIAuthor (using "revokePermission") and give it to another (smaller) app role and see if it does what you're trying to achieve.

  • Moving users to one role other than unauthenticated

    We are deploying a NAC VGW OOB (4.7.2) solution and I am working with the role of Unauthenticated SSO.

    When I look at the users online, they are all:

    WindowsADServer Unauthenticated role

    But the function as I hope.

    I also have a role as an employee we have created as well as a consulting role.

    How do I associate a user with a role? (Other than unauthenticated.)

    Also

    The access rule that I use for the role of the employee and consultant's role are identical.

    The only real difference is that the employee devices have a range more restricted opportunities for certification - which is an AV input and specific registry that identify him as an "active". Consulting the devices can use a broader set of AV and such.

    Rob,

    An authentication provider can be a role only. The caveat is that if you use the mapping rules and the help of LDAP attributes, you can then map to different roles then.

    More details about the Protocol LDAP Mapping here: http://tinyurl.com/2ex5uol

    HTH,

    Faisal

  • Weblogic portal WebCenter group and application role mappings goes after each deployment

    Hello

    I use jdev 11.1.1.6.0 version.

    I created the group in the WebLogic server and assigned users to that group,

    and created the same role in jazn-data.xml.

    I traced RoleManager Taskflow using weblogic with the application role group

    but after each deployment this mapping is removed and I have to create the mapping manually once more.

    For example.

    I created user1 and user2 in the WebLogic security realm and assigned them to the 'employee' group.

    In jazn-data.xml I created the role 'employee' in the application roles

    and pages.xml this application role to ensure safety to the pages.

    RoleManager Taskflow using

    Employee weblogic group added to the employee of application role.

    This mapping is removed after each deployment.

    Help me...

    You must disable the security properties of the Application deployment options > deployment... Follow the link and uncheck the boxes as required.

  • It is not possible to schedule the report with a user with the role of the author.

    Hello

    I tried to schedule the report using the weblogic user (who has the admin role) and it worked perfectly. But when I log on using the user (who has the role of the author) and try to schedule a report, I get the following error. It is a clustered environment.


    [nQSError: 77006] Oracle BI presentation server error: A fatal error occurred during the processing of the request. The server responded with: an authentication failure.
    Error codes: IHVF6OM7:OPR4ONWY:U9IM8TAC
    Geographical area: saw.connectionPool.getConnection, saw.securitysubsystem.checkauthentication.runimpl, saw.securitysubsystem.checkauthentication, saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    ODBC driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access to the requested connection is denied.
    [nQSError: 43113] The message returned by OBIS.
    [nQSError: 13039] The imposter does not exist in the Security Service of BI. (08004)



    Error codes:
    Geographical area: saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    .
    Error codes: AGEGTYVF
    AgentID: / users/richard/Test Mail Report
    ... Retry Agent response content loop... Sleep for 8 seconds. [nQSError: 77006] Oracle BI presentation server error: A fatal error occurred during the processing of the request. The server responded with: an authentication failure.
    Error codes: IHVF6OM7:OPR4ONWY:U9IM8TAC
    Geographical area: saw.connectionPool.getConnection, saw.securitysubsystem.checkauthentication.runimpl, saw.securitysubsystem.checkauthentication, saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    ODBC driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access to the requested connection is denied.
    [nQSError: 43113] The message returned by OBIS.
    [nQSError: 13039] The imposter does not exist in the Security Service of BI. (08004)



    Error codes:
    Geographical area: saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    .
    Error codes: AGEGTYVF
    AgentID: / users/richard/Test Mail Report
    ... Retry Agent response content loop... Sleep for 6 seconds. [nQSError: 77006] Oracle BI presentation server error: A fatal error occurred during the processing of the request. The server responded with: an authentication failure.
    Error codes: IHVF6OM7:OPR4ONWY:U9IM8TAC
    Geographical area: saw.connectionPool.getConnection, saw.securitysubsystem.checkauthentication.runimpl, saw.securitysubsystem.checkauthentication, saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    ODBC driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access to the requested connection is denied.
    [nQSError: 43113] The message returned by OBIS.
    [nQSError: 13039] The imposter does not exist in the Security Service of BI. (08004)



    Error codes:
    Geographical area: saw.delivers.rpc.getDeviceContent, saw.rpc.server.responder, saw.rpc.server, saw.rpc.server.handleConnection, saw.rpc.server.dispatch, saw.threadpool.socketrpcserver, saw.threads
    .
    Error codes: AGEGTYVF
    AgentID: / users/richard/Test Mail Report

    Exceeded number of retries of request for the GetResponseContent method.





    Can someone help me with this.

    Thank you
    Rondo.

    Published by: RONDO on December 12, 2012 16:07

    Check Doc ID 1446877.1

    According to the doc Fix to apply the hotfix 13553428:

    The fix for this problem is to apply the hotfix for the following new bug.

    Bug 13553428 - QA:BLK:DELIVER Corp. OID LDAP users FAILED WITH the COPYCAT DOES'NT ARE.

    Patch 13553428: QA:BLK:DELIVER users to Corp OID LDAP FAILED WITH the COPYCAT DOES'NT ARE.

    The patch is available on MOS and can be applied to all platforms.

    Or access via this link:
    https://updates.Oracle.com/Orion/services/download/p13553428_111160_Generic.zip?Aru=14732325&patch_file=p13553428_111160_Generic.zip

    Please refer to the Readme file. It is important to shut down the system before applying the patch. Then restart.
    When you restart, WebLogic should automatically detect that bimiddleware.ear has changed in OH and automatically redeploy the application.

    If it helps pls mark as correct

    Published by: VIEREN Srini December 12, 2012 19:39

  • How to find what the role application role

    Hello IDM experts, when a request for a role is made by an applicant, inside the composite custom for the approval process, I'm going to get the ID of the application using the API of the IOM. Now, using this ID of the application, how can I get the name of the requested role?

    I know we can get the beneficiary using the IOM APIs, and then we can get a role object. Is there a simpler way without going through the notion of beneficiary? In my case, the plaintiff will ask only a single role both in the query (to put it simply).

    Another thing is, there is a getAttribute() method on the role class. But the API guide does not say what these various attributes are. Is there a guide that tells us about these various attributes?

    Thank you for your great help.

    Published by: Jyothi on November 4, 2012 19:11

    You will get the role name of the load itself. In the payload as you get the requestId, in the same way, you will have the requested object. In your case since you ask for the role, the payload will contain the name of the role. What to do create an application role and then check the application of the EM. EM, you can find the XML payload, and there you can see the data sent in the payload.
    I do not have an environment running for role now, but I think that the payload contains all the attributes of the same role. So you can directly read the attribute "owned by" from the payload and assign to this user. If this isn't the case, you can use the API of the IOM to connect to IOM and read a list of choices that contains this mapping or simply add _APPROVERS as the name of the approver group.

    -Marie

  • Difference between a business and Application roles

    Dear all,

    I am struggling to understand the difference between Application roles and company safety of the ADF?

    Could someone please help me understand the subtle difference between the two?
    I tried to do some reading, but I still don't understand the underlying concepts.

    Thank you.

    Neliel,

    To put it simply:

    Application roles are the roles that you define (in JDeveloper) for your application. You grant permissions on various objects to application roles.
    Business roles are roles defined in WebLogic. Users/groups in the identity provider are granted to these kinds of roles. Map application roles to business roles.

    Here is a raw illustration:

    Users/Groups ----granted----> enterprise roles <---mapped to----- application roles <---- granted to ---- adf security permissions

    This is definitely a simplification - I think I got the basic semantics correct, however :)

    Ah, Abhijit beat me to it, and I forgot this blog

    John

  • Cisco Unity Connection (CUC) - import LDAP user based on the security group and then assign a model

    Need CUC to automatically import users and assign a certain user or role model if they are added to a specific security group. (These are the help desk users.) The admin account username they will use to sign in to CUC differs from their Windows account that is linked to their voicemail profile.

    Current - now we must import new recruits and assign the correct model

    Want - when a user is added to a security group in AD, so when CUC doing his nightly sync, it automatically import user and assign a preconfigured for the account and all user model is automatic and I have never import it back these users.

    At the present time the course help desk users are already imported via LDAP and have the role that was.

    Suggestions?

    Not something that CUC can do out of the box.

    The UCC does not offer, is to do the LDAP synchronization and once they are in CUC, to import, choose the model.

  • Application role does not work properly

    Hello

    I have an authorization init block which assigns the following values for a user "pconde"

    USER: pconde

    GROUP: ManagerGroup

    I have the catalogue of group "ManagerGroup" created through the option manage catalog groups. Now, I created a new role of application with the following details:

    Name - Manager

    Display name - sales managers

    I also added the "ManagerGroup" group to this application role.

    I assigned filters to the data level the 'Manager' via Manage application role-> identity

    When I connect as my user pconde, the data level filters are not getting picked up. The application role Manager sees all the data that the weblogic user sees. It seems that the application role may not be set up correctly.

    What am I doing wrong?

    Yes I did. In fact, my problem is different. The session of ROLES was not getting properly completed. I rectified this and my problem was solved.

  • How to limit the authorized person of the role to certain application roles in OIM 11g R2 PS1?

    Hello

    I'm running on OIM 11g R2 PS1 BP06.

    I have a need to grant role permission to an application administrator so that that person can grant or revoke the application role to a user.  I need to limit this to the application ABC (assuming that we have a lot of applications).

    Is there a way to achieve this in OIM 11g R2 PS1?  If so, how can I achieve this?

    Thank you

    Khanh

    You should be able to configure your policy on approval and customized soa composite appropriate to handle the scenario.  Set it to know about the admin and check the request data if that user is a member of a role that is authorized to submit without approval.  If found, then auto approve, otherwise, either dismiss it or go through the award of accreditation.

    -Kevin

  • Cannot delete the application role - error OBIEE main

    I tried to fix my personal OBIEE account today and tried to remove myself from an application role in Enterprise Manager and received the following error

    Cannot delete the main application role; main < user name > is not a member of the application role < role >

    Has anyone seen this error?

    My user id also seems to be capitalized - ex userid: Userid rather than what I expect it to be, the all-lowercase userid

    Hi Christian

    You are right that I am on 11.1.1.7.140225

    I was able to fix this very weird error. In fact, go here: /home/itadm/u01/obiee/user_projects/domains/bifoundation_domain/config/fmwconfig

    Open the file system-jazn-data.xml

    And by removing the additional entry manually

    So I deleted the following

    weblogic.security.principal.WLSUserImpl rodneyc

    Then when I went back to EM the user had gone as planned. I'm guessing that something screwed up in this file, but all right

    Thank you for the help
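A read-only check related to the manual edit described in the thread above, as an added example that is not part of the original posts: it lists user principals that are direct members of application roles in a copy of system-jazn-data.xml and flags names that differ only by case. The element layout is assumed from the file's usual structure, and every name in the sample is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

USER_CLASS = "weblogic.security.principal.WLSUserImpl"

# Constructed sample in the layout of system-jazn-data.xml; names are made up.
SAMPLE = """<jazn-data>
 <policy-store>
  <applications>
   <application>
    <name>obi</name>
    <app-roles>
     <app-role>
      <name>BIAuthor</name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <members>
       <member>
        <class>weblogic.security.principal.WLSGroupImpl</class>
        <name>BIAuthors</name>
       </member>
       <member><class>weblogic.security.principal.WLSUserImpl</class><name>jdoe</name></member>
       <member><class>weblogic.security.principal.WLSUserImpl</class><name>Jdoe</name></member>
      </members>
     </app-role>
     <app-role>
      <name>BIConsumer</name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <members>
       <member><class>weblogic.security.principal.WLSUserImpl</class><name>asmith</name></member>
      </members>
     </app-role>
    </app-roles>
   </application>
  </applications>
 </policy-store>
</jazn-data>"""


def role_members(xml_text):
    """Return {(stripe, role): [(principal_class, principal_name), ...]}."""
    out = {}
    for app in ET.fromstring(xml_text).iter("application"):
        stripe = (app.findtext("name") or "").strip()
        for role in app.iter("app-role"):
            out[(stripe, (role.findtext("name") or "").strip())] = [
                ((m.findtext("class") or "").strip(), (m.findtext("name") or "").strip())
                for m in role.iter("member")
            ]
    return out


def audit(xml_text):
    """List direct user members per role; flag spellings that differ only by case."""
    findings = []
    for (stripe, role), members in sorted(role_members(xml_text).items()):
        spellings = defaultdict(set)
        for cls, name in members:
            if cls == USER_CLASS:
                spellings[name.lower()].add(name)
        for _, names in sorted(spellings.items()):
            kind = "case-variant" if len(names) > 1 else "direct-user"
            findings.append((kind, stripe, role, tuple(sorted(names))))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a backup copy of the file so the live policy store is never touched by the check.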
