Managing users and roles in OBIEE 11 G

Similar Questions

• Is it possible to store user and role information in MDS instead of jazn?

  Hello
  
  I want to store user and role information in xml rather than jazn mds. Is - is this possible? Could someone steps who to follow?
  
  Thank you
  Vishnu

  Hello

  SDM is not a polic store nor a system of identity management. It does not really to sense what you're asking. Instead of jazn-"Data.xml", you can use OID and RDBMS to policies and vinifying the identities of users. If it is only the identities of users and groups to move to another bank, then you OID, RDBMS, Active Directory. OAM etc... The jazn-"Data.xml" file btw. is used at design time. The deployment - default - users and groups are created of jazn-"Data.xml" in the built-in LDAP WLS server. Strategies jazn-"Data.xml" file are copied to the system-jazn-"Data.xml" of the target WLS server.

  Frank

• Relationship between users and roles OID

  Hi team,

  We have created users and roles in the IOM and the synchronization of these OID values. Users and roles create under different containers in OID.

  We have the relationship between users and roles of the IOM. How the relationship between users and roles are maintained in the OID.

  Could you please help me on this. Thanks in advance.

  Thank you and best regards,

  Narasimha Rao

  For 11 GR 2 IOM, roles map to the OID groups if there is a ldap synchronization (between IOM and the OID). I know that it works for IOM 11.1.2.2 and OID 11.1.1.7 (also 11.1.1.6 OID as well).

  Between the IOM and the OID ldap synchronization will automatically synchronize users of IOM in OID. So if you add a user to the IOM it will come in OID under the users container.  You create the role of IOM, you should see a group created under the OID. Similarly, if you add users to the IOM for a role of IOM, it will map/synchronization user in OID OID group.

  (Hope this helps, please indicate your answer as answered if it solved your query)

• User and role are the object?

  Dear all,

  1. There are many object as a TABLE, INDEX, VIEW...

  We can change to help change the ddl statement.

  So, can we say user is also a database object or not.

  because we can change the user using ddl statement and corresponding information stored in the data dictionary.

  2. we know that ALTER is a privilege of the object, and we can also change the DBA user. then we can say user is an object?

  3 is an object?

  Thanks in advance,

  Alain Coppey.

  1. There are many object as a TABLE, INDEX, VIEW...

  We can change to help change the ddl statement.

  So, can we say user is also a database object or not.

  because we can change the user using ddl statement and corresponding information stored in the data dictionary.

  2. we know that ALTER is a privilege of the object, and we can also change the DBA user. then we can say user is an object?

  3 is an object?

  Yes - users and roles are objects. But they are SYSTEM objects and not contained in a schema.

  See the section 'Introduction to schema objects' Oracle documentation

  http://docs.Oracle.com/CD/B28359_01/server.111/b28318/schema.htm#i22627

  The first section lists the schema objects - objects belonged to a schema

  The following section lists the system objects, or non-schema,

  Other types of objects are also stored in the database and can be created and manipulated with SQL, but are not contained in a schema:

  • Contexts
  • Directories
  • Settings files ( PFILE s) and server parameter files ( SPFILE s)
  • Profiles of school boards
  • Roles
  • Rollback segments
  • Storage spaces
  • Users

  You won't find the schema objects not listed in the views that display information of schema object, but there are other views system for them.

  So if it is an "interview" questions answers just YES and refer them to this link above. Or you can use this link for the 'sql elements' doc section if you prefer:

  http://docs.Oracle.com/CD/E11882_01/server.112/e41084/sql_elements007.htm

  Schema objects

  Other types of objects are also stored in the database and can be created and manipulated with SQL, but are not contained in a schema:

  Contexts

  Directories

  Editions

  Restore points

  Roles

  Rollback segments

  Storage spaces

  Users

  In this reference, each object type is described in the Chapter 10 , Chapter 19, in the section dedicated to the statement that creates the database object. These statements begin with the keyword CREATE . For example, for the definition of a cluster, see CREATE CLUSTER.

  In this link, unlike the other one, Oracle uses explicitly the terms "run things" and "objects" by referring to the items in the list above.

  A simple NET search for "objects nonschema oracle 11g" returns this link as the first result.

  The documentation is your friend! Some info may be harder to find, but the docs usually include information for ALL Oracle basic terms and functionality.

• creating users and roles of WL server for an application that is secured by security ADF

  Greetings
  
  I have an application that uses the security of adf, pre-deployment I created the users and roles to grant access or permissions to certain pages in mid CA. the thing is that I need to know if its possible to create users and roles through my the weblogic Server console and that roles and users can have permissions in my app I try but the only thing that works is authentication... I can not pass authorization
  
  Thanks for your help

  It should work very easily.

  What you have to do is give the domain name as domain (default myrealm) weblogic, this step you already have you're abe to authenticate.

  Now in jazn-"Data.xml", there are 2 types of roles. Application role & business role. Select business roles when assigning permissions. These should also be the same roles myrealm.

  You can also use the application role and have a relationship between the application role & business role.

  Only the care you need to take are to deploy the application in the EAR file, deployed a flag there migrate suite security users and security groups object. Deselect it.
  When you use the user groups and migrate the Application roles.

  Vincent

• Additional portal for creating users and groups in OBIEE.

  Good afternoon everyone

  We are facing a situation where a resource by another company needs to create and manage their own users who will access OBIEE.

  That means that for the moment we have create users in Weblogic, but we cannot provide the resource with access to weblogic due to many other services running in the Weblogic causing a safety hazard.

  My question: is there another way, we can provide access to this resource through a portal that will only be able to manage the users and groups that will access OBIEE and not be able to view all other settings?

  Concerning

  Benoit

  Hi Benoit,.

  Cool, can you close the thread if it is right for you? Currently, it is still marked as

  This issue is no answer.

  If you have detailed follow-up questions (which I think you will to the BISQLProviders) you can make a custom thread and we will deal with this matter else on its own.

  See you soon

• Users and groups in OBIEE 11 g

  Hello
  
  I'm trying to bind LDAP with OBIEE 11 G. I am now using Rittman Blog
  
  http://www.rittmanmead.com/2010/11/Oracle-BI-EE-11g-security-integration-with-Microsoft-Active-Directory/
  
  whenever I click users and groups, it takes a hell of time (more than 30 minutes) to display users and groups, please suggest if something can be made abou it
  
  All other tabs and setting work correctly.
  
  I found something at Adminserver.log
  
  Please suggest
  
  Concerning
  Saurabh

  Hello

  If you are using the username in the form attribute: sAMAccountName, then use "user of the name filter" as:

  (& (sAMAccountName = %u(objectclass=user))

• Bug? Synchronization mixes DB users and roles.

  Hello

  I can't synchronize my physical datamodel with the database (datamodeler 4.0.3). For some reason, the synchronization process has a preference for database roles on DB-users. So what happens is: my database contains a user EWDS_OWNER_REF, but the synchronization process creates a role EWDS_OWNER_REF insteand and assigns all privileges to this role. This occurs even if the user EWDS_OWNER_REF is already present in the model.

  An idea for a workaorund?

  Thanks in advance!

  Hello

  Thanks for reporting this.  I will record a bug on this issue.

  There is a solution.  Go to the Data Modeler > model > physical synchronization preferences page and select the checkbox synchronize to USER type.

  David

• How to upgrade the users and groups of OBIEE 10.1.3.4.0 in OBIEE 11 g

  Hello
  I need to upgrade my system OBIEE 10 g and 11g.
  Since I was around, say 100 user in my filing of 10g, so how can I get users to OBIEE 11 g. And also, I do not use any LDAP server in 10 g. So can anyone please help me with this problem
  ??
  Thanks in advance
  
  Kind regards
  Nikhil

  Hey Sarah,

  Follow this http://www.adivaconsulting.com/adiva-blog/item/18-obiee11g-upgrade.html

  If the tag answer your messages by assigning points.

  See you soon,.
  KK

• Security ADF of application using DB tables for users and roles

  Hello
  I followed the below documents to use SQL authentication instead of jazn.
  
  http://Biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html
  
  
  http://Biemond.blogspot.com/2008/12/using-WebLogic-provider-as.html
  
  The second paper after completing the ADF Security Assistant, there are steps to create roles and application below at point
  
  * "We need to use myrealm as Kingdom and not jazn.com. Create the role of valid users. "
  
  Could someone suggest where to put these roles?
  
  Thanks in advance!
  Vinod

  Hi Vinod,

  If you set up SQLAuthenticator in the JDeveloper's integrated Weblogic Server, so what happened to your case is expected, because you deleted the Weblogic instance where SQLAuthenticator has been configured. Yes, you have deleted the domaine_par_defaut instance that is located in the directory specified above. JDeveloper will recreate a new instance (not configured) the next time you run.

  To avoid reconfiguring SQLAuthenticator, you must set it up on a stand-alone instance of Weblogic (which is not located on the JDeveloper/systems user... folder.

  Kind regards

  Pino

• Object grants to users and roles

  A question about the Oracle grants. Searched and found wires that are close, but not exactly what I'm looking for.
  I'm on an Oracle 10 g Enterprise Edition (64-bit) database running on Sun Solaris 5.10
  
  We have a test database (say TEST1) having 2 schema SCHEMA1 and SCHEMA2. These patterns have nearly 2000 items in each of them.
  Then we have a different database (say TEST2) with the same 2 schemas with the same name and containing as many objects.
  
  My goal is to export these two patterns of TEST1 and import them into TEST2. By doing this, I chose the path is, am I completely drop every single object from the 2 diagrams in TEST2. And then, do an import. I do import with grants = y option enabled.
  
  The dilemma I am, is that, although the DDLS objects are identical between SCHEMA1 and SCHEMA2 TEST1, SCHEMA1 and SCHEMA2 TEST2 respectively, users on the databases are different. Of course, I like to keep all subsidies of the object to other users in TEST2 after my import just the way which is prior to importation. So, looking for a way to pre-generate a script before the Tomb object so that I can just run the script and retrieve all my grants do lose I. as...
  GRANT SELECT ON TEST2.table10 to USER01;
  GRANT INSERT ON TEST2.table10 to USER02.
  GRANT INSERT ON TEST2.table20 to USER02;...
  
  (I really don't like if the TEST1 grants is imported when you import, thus introducing unnecessary grants... wanted to just make sure that TEST2 does not lose a thing)
  
  Another round here, is that we also have a good amount of roles that have received subsidies for SCHEMA1 and SCHEMA2 of TEST2 database objects. How to generate a script that has something like...
  
  GRANT SELECT ON TEST2.table1 to ROLE1.
  GRANT INSERT ON TEST2.table1 to ROLE2.
  GRANT INSERT ON TEST2.table2 to ROLE2;...
  
  Thank you

  You can start from these scripts:

  SQL> grant select on a.t13 to b;
  
  Grant succeeded.
  
  SQL> select 'grant ' || privilege || ' on ' || owner || '.' || table_name || ' to ' || grantee || ';'
    2  from dba_tab_privs
    3  where owner = 'A'
    4  /
  
  'GRANT'||PRIVILEGE||'ON'||OWNER||'.'||TABLE_NAME||'TO'||GRANTEE||';'
  ------------------------------------------------------------------------------------------------------------------------------
  grant SELECT on A.T13 to B;
  
  SQL> create role role1;
  
  Role created.
  
  SQL> grant insert, delete on a.t10 to role1;
  
  Grant succeeded.
  
  SQL>  select 'grant ' || privilege || ' on ' || owner || '.' || table_name || ' to ' || role || ';'
    2  from role_tab_privs
    3  where owner = 'A'
    4  /
  
  'GRANT'||PRIVILEGE||'ON'||OWNER||'.'||TABLE_NAME||'TO'||ROLE||';'
  ------------------------------------------------------------------------------------------------------------------------------
  grant INSERT on A.T10 to ROLE1;
  grant DELETE on A.T10 to ROLE1;
  

  With greetings
  Krystian Zieja

• University Complutense of MADRID and Weblogic users, groups, roles, and permissions

  Hello
  
  I could not get the AAU to honour the permissions of the user defined in Weblogic. Here's what I do:
  
  1. create a Weblogic group called "contributor".
  
  2 create a role in the UMC called "contributor" with permissions of read/write on the PUBLIC group
  
  3. Add a user in Weblogic called "testuser" and make him a member of the employee group
  
  4. connect to the Complutense University of MADRID as a "testuser".
  
  5 testuser has only the permissions "guest."
  
  UCM is NOT honoring the contributor of Weblogic group membership. The documentation says if I create a Weblogic group with exactly the same name as being instrumental in the University Complutense of MADRID, the permissions should be granted properly but I didn't actually work.
  
  Someone saw this? I would supremely, manage users and authorization in a unique place with a minimum of fuss.
  
  Thank you! -JDM

  Hello

  Stop the server of the University Complutense of MADRID managed and the WLS server.

  Start the WLS server, wait until it starts completely, and then start the server from the Complutense University of MADRID.

  After this test to see if the issue still persists.

  Thank you
  Srinath

• Manage users of OBIEE 11 g analytics with the Console of Administration of WLS?

  Hello everyone.
  I want manage users of analytics. Is there an effective way to provide access to specific folders in the catalog in the correspondence with the attributes of user? For example.
  User1: Director
  Role1: reports2011 (R)
  Role2: statistics2011 (R)
  3: wages2011 (R)
  
  User2: commonUser
  Role1 reports2011 (R)
  
  the util_3: admin
  role4: "all_folders" (RW)
  
  I'm looking for new ways to do this feature.
  
  Thank you
  Lives

  The specific roles of BI and policies in the administration Console are for this exact purpose (use of BI, BI author etc..)

  Please refer to these excellent posts: http://www.rittmanmead.com/2012/03/obiee-11g-security-week-understanding-obiee-11g-security-application-roles-and-application-policies/

  http://www.rittmanmead.com/2012/03/OBIEE-11g-security-week-subject-area-catalog-and-functional-area-security-2/

  http://www.rittmanmead.com/2012/03/OBIEE-11g-security-week-managing-application-roles-and-policies-and-managing-security-migrations-and-deployments/

  Please check if useful/correct.

• How to create user defined groups and users with custom permissions as only open and export in obiee 11 g?

  Hello

  I want to give as open & export to the level of permissions.

  How to create user defined groups and users with custom permissions as only open and export in obiee 11 g?

  For example, if the group permissions, inturn should reflect on the users.

  Please help me.

  Thanks in advance,

  A.Kavya.

  Your question is quite broad and fuzzy then I suggest the security catalog presentation to read documentation: http://docs.oracle.com/middleware/1221/biee/BIESC/mgrgrpsusers.htm#CIHIBJGD

  And I think that you mix you two things which are managed in different places:

  ) an object as read access permissions, write, delete... which control you through the object "Permissions" dialog box

  

  

  (b) functional privileges controlled through "Manage privileges" under "Administration".

  

• Managing Director and structures not dishes user/group

  Hello, I am trying to build a directory structure with several containers under an organization allowing to memorize the different portions of userdata and group data (i.e. not only UO = unit of organization and people = group, but also a few UO like them). Server software is 7u2 OUCS release. Users in 'other' containers are filled in LDAP (ODSEE 11) by replication, filling the same attributes as a freshly created account by DA has.
  
  The delegated administration interface and other parts of the software accept this and work well with this configuration, the user information display, which allows connections and so forth - with the exception of attempts to change the user accounts in the containers of spare in the DA (add/remove application solutions, change quotas, etc.). First of all, I checked that it is not a LDAP problem - I use both ldapmodify command line and a GUI LDAPBrowser to edit the entries with no hiccups.
  
  I followed him that when you try to save the account information for the accounts in non-standard containers, the DA try always to use a path hardcoded (i.e. uid = username, ou = people, o = DOMAINNAME, dc = DOMAIN, dc = NAME) despite the fact that the user account is (and DA displays of) uid = USER name, or = morePeople, o = DOMAINNAME dc = DOMAIN, dc = NAME.
  
  Eventually, this "hard code" follows DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties that the list of parts of the LDAP structure:
  
  #############################################################################
  #
  # Ldap configuration.
  # List of hosts from ldap. Form is < ldaphost >: < PortNumber >. (By default the port = 389)
  # Add additional hosts with ldaphost - < number >
  # Schema type is '1' or '2 '.
  # Reconnect interval is in seconds
  # Group and people container is dn of dn (for example ou = people) Organization
  #
  #############################################################################
  ldaphost-1 = oucsldap01:389
  ldaphost-2 = oucsldap02:389
  ldaphost-suffix = dc = DOMAIN, dc = NAME
  ldaphost-dcsuffix = dc = DOMAIN, dc = NAME
  ldaphost-maxcount = 50
  ldaphost-schematype = 2
  ldaphost-reconnectinterval = 60
  peoplecontainer ldaphost = or = People
  groupcontainer ldaphost = or = Groups
  ldaphost-orgadminrole = cn = Admin role organization
  #####
  
  While the root of organization dn is not explicit here (and shouldn't be), the container of default people is... I could guess a logical programming error like this: indeed, the 'or = People' container should be used by default when you create a user through the DA; as likely a mistake, it could also be used when editing existing users - instead of their full DN/existing parent DN.
  
  Issues related to the:
  
  (1) anyone have a working configuration with several containers of user/group in an organization like this? Would you care to share details and solutions, if he had to?
  
  (2) I think that the 'field/organization shared hosting' mode might help here - at least it is planned to have several LDAP trees with their Managing Directors as a single e-mail domain. Before I go and reconfigure everything, I'd like to hear if there are stories of success with this route? It is a good solution (or solution) for this config?
  
  Thank you
  Jim Klimov

  I wanted to follow that reconfigure the directory structure according to domain hosting, with branches for SIE-synchronized accounts as one of the organizations which share the domain secondary and manually created accounts only OUCS being in another subsidiary organization. This method works for messaging components and the DA, as user ID are in OU = people in their organization. A little unfortunately, SIE config seems to allow only a single branch of target Department and set up groups (CN) here as well. Well, for our needs change the attributes of the user and application solutions via DA, that's enough. Sometimes, there are misfires (cannot save changes), but they are intermittent and more difficult to debug trace. usually disappear with the restart of the web container DA. Department LDAP instances are configured with plugins to apply the uniqueness of uid in the entire organization and the uniqueness of the values of the email messaging address attributes (mail, mailAlternateAddress, mailEqiuvalentAddress) in order to avoid setbacks between user accounts in different branches.

  Also, we had a problem with the calendar server after migrating LDAP entries: since our deployment used the nsUniqueID for identification of calendar user, relocation of entries (as we did) generated new values for new entries and users got new databases empty caledar. It wasn't a major problem on this POC and latest releases OUCS with a davUniqueID attribute must be specifically immune to this problem. However, for the other trodding this way I can suggest that they export the LDAP database in LDIF, including unique identifiers, re-create the suffixes if necessary (the Organization SIE in Department target should be a separate suffix of LDAP database), edit the LDIF entry path and import the LDIF anew. This would erase the old LDAP data and should add nsUniqueIDs old entries moved unlike (recreation via ldapadd) or relocation via a ldapmodrdn.

  We also hit a problem with DA refusing to return the list of accounts (that returns 0 or 25 empty entries in a table). LDAP logs showed that the Protocol LDAP side everything is ok, and expected responses amount was. Boss research often produced good food with a subset of users in da end, we linked the problem to binary EIS encoded base64 attributes (dspswuserlink and al.; some of these values as output garbaged commadmin queries in a terminal) and created an LDAP ACI, which forbade all our DA-admin user to read, to search compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, to apply this ACI not to a user explicitly named admin, but to all users with administrator privileges of DA (by group or role? what channel to cover them all in advance)? Or, perhaps, no one except the user account of EIS should see these attributes SIE?

  Hope this report helps others who are experimenting at the forefront of this road to integration of messaging

  Jim Klimov