Oracle BI EE - Act As

Oracle BI EE JDE Cadran Accelerate
Act As
Date: 25-11-2015
Author: Rick Brobbel
Last Edited: Rick Brobbel
Cadran Consultancy b.v.
Project: Oracle BI EE
Subject: Act As
Version: v98


Table of Contents

1 Act As
1.1 Implementation
1.2 Temporary Delegation


1 Act As

Act As is used for impersonating users for reviewing and testing permissions and privileges, and can be used for (temporary) delegates (e.g. during holidays) or for smaller organizations that want to enforce pure segregation of duties. Reference to the Oracle Documentation that was used for this: Oracle Docs.

For this configuration the devil is in the details. Follow the instructions below to the letter.

1.1 Implementation

Step: Create a database table with the information

Remarks: Proxy Level must be lowercase. User IDs are case sensitive.

When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user. The following list describes the proxy levels:

• restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account). For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.

• full — Permissions and privileges are inherited from the target user's account. For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.


The data in this table is case sensitive, so beware that:

• users are entered exactly as they are stored in WLS or MSAD
• levels must be lowercase
• dates must be numeric, as type date does not work
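One way to check ACTAS rows against the rules listed above before loading them, as an added example that is not part of the original document. The column names are the ones used in the SQL statements further down; the function names, the directory ID list and the sample rows are constructed for illustration.

```python
from datetime import datetime

LEVELS = ("full", "restricted")  # lowercase only, per the remarks above

# Constructed sample data: user IDs as stored in the directory (WLS or MSAD).
DIRECTORY = {"biadmin", "TRADER", "BUYER"}
SAMPLE = [
    dict(PROXYID="biadmin", TARGETID="TRADER", PROXYLEVEL="restricted",
         DATEFROM=20150101, DATETHRU=20151231),
    dict(PROXYID="BIADMIN", TARGETID="TRADER", PROXYLEVEL="Full",
         DATEFROM=20150101, DATETHRU=20151231),
    dict(PROXYID="biadmin", TARGETID="BUYER", PROXYLEVEL="full",
         DATEFROM="2014-01-01", DATETHRU=20141231),
    dict(PROXYID="biadmin", TARGETID="BUYER", PROXYLEVEL="full",
         DATEFROM=20140101, DATETHRU=20141231),
]

def valid_yyyymmdd(value):
    """True if value is an 8-digit number that is a real calendar date."""
    if type(value) is not int or len(str(value)) != 8:
        return False
    try:
        datetime.strptime(str(value), "%Y%m%d")
    except ValueError:
        return False
    return True

def audit_actas(rows, directory_ids, today):
    """Return (row_number, finding) pairs; today is a YYYYMMDD number."""
    findings = []
    by_lower = {d.lower(): d for d in directory_ids}
    for n, row in enumerate(rows, start=1):
        for col in ("PROXYID", "TARGETID"):
            uid = row[col]
            if uid not in directory_ids:
                stored = by_lower.get(uid.lower())
                findings.append((n, f"{col} case differs from directory ID {stored}"
                                 if stored else f"{col} not found in directory"))
        if row["PROXYLEVEL"] not in LEVELS:
            findings.append((n, "PROXYLEVEL must be lowercase full or restricted"))
        if not (valid_yyyymmdd(row["DATEFROM"]) and valid_yyyymmdd(row["DATETHRU"])):
            findings.append((n, "DATEFROM/DATETHRU must be numeric YYYYMMDD"))
        elif row["DATEFROM"] > row["DATETHRU"]:
            findings.append((n, "DATEFROM is after DATETHRU"))
        elif row["DATETHRU"] < today:
            findings.append((n, "delegation expired; remove the record"))
    return findings
```

Calling `audit_actas(SAMPLE, DIRECTORY, 20151125)` reports the miscased proxy ID and level on row 2, the non-numeric date on row 3 and the expired delegation on row 4.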

Step: Repository Metadata Physical Layer

Remarks: When setting up and changing the setup, make sure this table is not cacheable.

Step: Repository Session Variables

Remarks: See details below.


Step: Create Repository Session Variable called Proxy, to be populated by Initialization Block called ProxyBlock

Remarks: This Initialization Block sets the value of the variable Proxy, which selects the Target User that can then be used in the Web Catalog.

    SELECT TARGETID
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(PROXYID) = UPPER(':USER')
      AND UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
      AND TO_NUMBER(TO_CHAR(SYSDATE,'YYYYMMDD')) BETWEEN DATEFROM AND DATETHRU

The content of this SQL statement is not in line with the documentation. It is the outcome of the support by Oracle on SR 3-9403695961 (see Known Issues below), which is solved. The effective period can be used for temporary delegates. See the next paragraph (1.2 Temporary Delegation).


Step: Create Repository Session Variable ProxyLevel

Remarks: This Initialization Block sets the value of the variable ProxyLevel, which selects the level that the delegate user can act on (full or restricted).

    SELECT PROXYLEVEL
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
      AND UPPER(PROXYID) = UPPER('VALUEOF(NQ_SESSION.RUNASORIGUSER)')

The content of this SQL statement is not in line with the documentation. It is the outcome of the support by Oracle on SR 3-9403695961 (see Known Issues below), which is solved. This statement does not require the effective period. That is only needed in the ProxyBlock.


Step: Edit the instanceconfig.xml

Remarks: Add code:

    <LogonParam>
      <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
      <MaxValues>100</MaxValues>
    </LogonParam>

Save and restart the services.

Step: Create the correct folder structure

Directory: /app/oracle/obiee11117/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/msgdb/l_en/customMessages
FileName: LogonParamSQLTemplate.xml

Step: Create the XML file

    <?xml version="1.0" encoding="utf-8" ?>
    <WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
      <WebMessageTable system="SecurityTemplates" table="Messages">
        <WebMessage name="LogonParamSQLTemplate">
          <XML>
            <logonParam name="RUNAS">
              <!-- for EXECUTE PHYSICAL CONNECTION POOL, SQL_Paint.SQL_Paint = -->
              <!-- SAS Repository physical_dbname.conn_pool_name -->
              <getValues>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}'</getValues>
              <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}' and TARGETID='@{VALUE}'</verifyValue>
              <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select PROXYID, PROXYLEVEL from ACTAS where TARGETID='@{USERID}'</getDelegateUsers>
            </logonParam>
          </XML>
        </WebMessage>
      </WebMessageTable>
    </WebMessageTables>


Step: Grant Privilege to access this function

Remarks: For each user or role you want to allow this option, make sure the privileges are set correctly.

Step: Act As button shows under user ID

Remarks: Note that, for instance, the option Administration is there and the options under New are fully open to what a BI Administrator can do.

The user biadmin can select from the users he can impersonate.


Step: User is now acting as other user

Remarks: Note that, for instance, the option Administration is gone and the options under New are limited to what a BI Consumer can do.

Step: Logon as TRADER

Remarks: The delegated user can see the users who can take over in their Account Profile settings.

TIPS

• Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.
• Changes in restrictions or privileges may not be directly visible but are executed and may require restart of the BI Services.

KNOWN ISSUES

SR: SR 3-8744510391
Description: OBIEE - Can't get ActAs functionality to work
Situation: Act As setup according to the letter of the documentation. Button appears, but drop down with choice list containing users remains empty.
Entered: 28 Mar 2014
Status: RESOLVED
Date: 28 Jul 2014
Resolution: Changing the user IDs in the ActAs table to case sensitive. Also, proxy level full or restricted is and must be lowercase.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: The permissions (full or restricted) are not inherited properly. And also not reset correctly when stopping act as.
Entered: 28 Jul 2014
Status: RESOLVED
Date: 09 Oct 2014
Resolution: Bug 18695152 : OBIEE 11G: PRIVILEGES NOT APPLIED TO PROXY (ACT-AS) USERS. Full works. Restricted not. Different behavior in my setup compared to the case with Oracle resulted in slightly different SQL statements for the session variable init blocks.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: Level Restricted not working properly
Entered: 03 Sep 2014
Status: RESOLVED
Date: 21 Oct 2014
Resolution: With new setup instructions it now works.

SR: SR 3-9761586135
Description: Act As - Effective Dates
Situation: Attempt to work with effective dates
Entered: 21 Oct 2014
Status: RESOLVED
Date: 26 Nov 2014
Resolution: When the effective dates are set up as format NUMBER and not DATE it starts to work with the additional instructions from Oracle.


1.2 Temporary Delegation

Act As can also be used for temporary delegations, such as holiday or sick leave replacements. Thus an employee can impersonate a colleague, take over that person's restrictions and work with his authentication, still taking segregation of duty into account. This is where the Date From and the Date Thru in the Act As table come in. The logged-on user can still see and select the Act As user, but when selected outside of the effective period it will return a sign-in error.


When another effective date is required, simply alter the DateFrom and the DateThru in the ActAs table in the database.

When a specific ActAs is no longer applicable, simply remove the record from the ActAs table in the database.
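The behaviour described in this section, as an added example that is not part of the original document: a Python/SQLite model of the drop-down query (getValues in LogonParamSQLTemplate.xml) and the ProxyBlock query, showing why an expired delegate is still listed but fails at sign-in, and why a miscased user ID leaves the drop-down empty. The sample rows and function names are constructed; bind parameters stand in for the '@{USERID}' and VALUEOF(...) substitutions, and the date is passed in instead of SYSDATE.

```python
import sqlite3

# Constructed sample rows; column names are the ones used in the page's SQL.
ROWS = [
    ("biadmin", "TRADER", "restricted", 20150101, 20151231),  # active delegation
    ("biadmin", "BUYER", "full", 20140101, 20141231),         # expired delegation
    ("BIADMIN", "CLERK", "full", 20150101, 20151231),         # proxy ID in wrong case
]

def open_actas():
    """Build an in-memory stand-in for the ACTAS table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ACTAS (PROXYID TEXT, TARGETID TEXT, PROXYLEVEL TEXT,"
               " DATEFROM INTEGER, DATETHRU INTEGER)")
    db.executemany("INSERT INTO ACTAS VALUES (?,?,?,?,?)", ROWS)
    return db

def get_values(db, userid):
    """Drop-down list (getValues): exact, case-sensitive match and no date filter."""
    cur = db.execute(
        "SELECT TARGETID FROM ACTAS WHERE PROXYID = ? ORDER BY TARGETID", (userid,))
    return [r[0] for r in cur]

def proxy_block(db, user, runas, today):
    """ProxyBlock init block: UPPER() on both IDs plus the effective period."""
    cur = db.execute(
        "SELECT TARGETID FROM ACTAS WHERE UPPER(PROXYID) = UPPER(?)"
        " AND UPPER(TARGETID) = UPPER(?) AND ? BETWEEN DATEFROM AND DATETHRU",
        (user, runas, today))
    row = cur.fetchone()
    return row[0] if row else None

def act_as(db, user, runas, today):
    """Return 'ok', 'not offered' (absent from drop-down) or 'sign-in error'."""
    if runas not in get_values(db, user):
        return "not offered"
    return "ok" if proxy_block(db, user, runas, today) else "sign-in error"
```

On 25-11-2015 (`today=20151125`), biadmin is offered both BUYER and TRADER, but only TRADER passes the ProxyBlock; CLERK is never offered because the stored proxy ID differs in case.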