Oracle BI EE - Act As
Oracle BI EE JDE Cadran – Accelerate
Act As
Date: 25-11-2015 Author: Rick Brobbel
Last Edited: Rick Brobbel Cadran Consultancy b.v.
Project: Oracle BI EE Subject: Act As Version: v98
Cadran Consultancy b.v.
Author : Rick Brobbel Date printed : 25-11-15 Project : Oracle BI EE Page : 2 of 13 Subject : Act As Date : 25-11-15
Table of Contents
1 Act As
1.1 Implementation
1.2 Temporary Delegation
Oracle BI EE - JDE Cadran - Accelerate – Act As
1 Act As
Act As is used for impersonating users in order to review and test permissions and privileges. It can also be used for (temporary) delegates (e.g. during holidays) or by smaller organizations that want to enforce pure segregation of duties.
Reference to the Oracle Documentation that was used for this: Oracle Docs.
For this configuration the devil is in the details. Follow the instructions below to the letter.
1.1 Implementation
Step: Create a database table with the information
Remarks: Proxy Level must be lowercase. User IDs are case sensitive.
When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user. The following list describes the proxy levels:
• restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account).
  For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.
• full — Permissions and privileges are inherited from the target user's account.
  For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.
Remarks: The data in this table is case sensitive, so beware that
• users are entered exactly as they are stored in WLS or MSAD
• levels must be lowercase
• dates must be numeric, as type DATE does not work
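The rules above can be enforced by the database instead of by convention. The following Oracle DDL is an added example, not part of the original document: the table and column names are the ones used by the queries in this document, while the column types, constraint names, index name and sample rows are assumptions.

```sql
-- Added example. Column types and constraint names are assumptions.
CREATE TABLE ACTAS (
  PROXYID    VARCHAR2(128) NOT NULL,  -- user who acts as someone else
  TARGETID   VARCHAR2(128) NOT NULL,  -- user who is impersonated
  PROXYLEVEL VARCHAR2(10)  NOT NULL,  -- 'full' or 'restricted', lowercase
  DATEFROM   NUMBER(8)     NOT NULL,  -- YYYYMMDD stored as a number, not DATE
  DATETHRU   NUMBER(8)     NOT NULL,  -- YYYYMMDD stored as a number, not DATE
  CONSTRAINT ACTAS_PK       PRIMARY KEY (PROXYID, TARGETID),
  -- Rejects 'Full', 'RESTRICTED' and any other spelling.
  CONSTRAINT ACTAS_LEVEL_CK CHECK (PROXYLEVEL IN ('full', 'restricted')),
  -- Range checks only: they catch 6-digit or empty dates, not 20151341.
  CONSTRAINT ACTAS_FROM_CK  CHECK (DATEFROM BETWEEN 19000101 AND 99991231),
  CONSTRAINT ACTAS_THRU_CK  CHECK (DATETHRU BETWEEN 19000101 AND 99991231),
  CONSTRAINT ACTAS_RANGE_CK CHECK (DATEFROM <= DATETHRU),
  -- A user delegating to himself is always a data-entry error.
  CONSTRAINT ACTAS_SELF_CK  CHECK (PROXYID <> TARGETID)
);

-- The session variable init blocks compare IDs with UPPER(), so two rows
-- that differ only in case would both match the same proxy/target pair.
CREATE UNIQUE INDEX ACTAS_CI_UX ON ACTAS (UPPER(PROXYID), UPPER(TARGETID));

-- Constructed sample rows (user names and dates are illustrative).
INSERT INTO ACTAS (PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU)
VALUES ('biadmin', 'TRADER', 'restricted', 20151101, 20151130);

-- Fails with ORA-02290 (check constraint ACTAS_LEVEL_CK violated).
INSERT INTO ACTAS (PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU)
VALUES ('biadmin', 'PLANNER', 'Full', 20151101, 20151130);

-- Fails with ORA-00001 (unique index ACTAS_CI_UX): same pair, other case.
INSERT INTO ACTAS (PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU)
VALUES ('BIADMIN', 'trader', 'full', 20151201, 20151231);
```

The constraints cannot verify that an ID matches the spelling stored in WLS or MSAD; that still has to be checked against the identity store.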
Step: Repository Metadata Physical Layer
Remarks: When setting up or changing the setup, make sure this table is not cacheable.

Step: Repository Session Variables
Remarks: See details below.
Step: Create Repository Session Variable called Proxy, to be populated by Initialization Block called ProxyBlock
Remarks: This Initialization Block, ProxyBlock, sets the value of the variable Proxy, which selects the Target User that can then be used in the Web Catalog.

    SELECT TARGETID
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(PROXYID) = UPPER(':USER')
      AND UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
      AND TO_NUMBER(TO_CHAR(SYSDATE,'YYYYMMDD')) BETWEEN DATEFROM AND DATETHRU

The content of this SQL statement is not in line with the documentation. It was the outcome of the support by Oracle under SR 3-9403695961 (see Known Issues below), which is solved.
The effective period can be used for temporary delegates. See section 1.2 Temporary Delegation.
Step: Create Repository Session Variable ProxyLevel
Remarks: This Initialization Block sets the value of the variable ProxyLevel, which selects the level that the delegate user can act on (full or restricted).

    SELECT PROXYLEVEL
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
      AND UPPER(PROXYID) = UPPER('VALUEOF(NQ_SESSION.RUNASORIGUSER)')

The content of this SQL statement is not in line with the documentation. It was the outcome of the support by Oracle under SR 3-9403695961 (see Known Issues below), which is solved.
This statement does not require the effective period. That is only needed in the ProxyBlock.
Step: Edit the instanceconfig.xml
Remarks: Add code:

    <LogonParam>
      <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
      <MaxValues>100</MaxValues>
    </LogonParam>

Save and restart the services.

Step: Create the correct folder structure
Remarks:
Directory: /app/oracle/obiee11117/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/msgdb/l_en/customMessages
FileName: LogonParamSQLTemplate.xml

Step: Create the XML file
Remarks:

    <?xml version="1.0" encoding="utf-8" ?>
    <WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
      <WebMessageTable system="SecurityTemplates" table="Messages">
        <WebMessage name="LogonParamSQLTemplate">
          <XML>
            <logonParam name="RUNAS">
              <!-- for EXECUTE PHYSICAL CONNECTION POOL, SQL_Paint.SQL_Paint = -->
              <!-- SAS Repository physical_dbname.conn_pool_name -->
              <getValues>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}'</getValues>
              <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}' and TARGETID='@{VALUE}'</verifyValue>
              <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select PROXYID, PROXYLEVEL from ACTAS where TARGETID='@{USERID}'</getDelegateUsers>
            </logonParam>
          </XML>
        </WebMessage>
      </WebMessageTable>
    </WebMessageTables>
Step: Grant Privilege to access this function
Remarks: For each user or role you want to allow this option, make sure the privileges are set correctly.

Step: Act As button shows under user ID
Remarks: Note that, for instance, the option Administration is there and the options under New are fully open to what a BI Administrator can do.
The user biadmin can select from the users he can impersonate.
Step: User is now acting as other user
Remarks: Note that, for instance, the option Administration is gone and the options under New are limited to what a BI Consumer can do.

Step: Logon as TRADER
Remarks: The delegated user can see which users can take over, and how, in their Account Profile settings.

TIPS
• Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.
• Changes in restrictions or privileges may not be directly visible but are executed and may require restart of the BI Services.
KNOWN ISSUES

SR: SR 3-8744510391
Description: OBIEE - Can't get ActAs functionality to work
Situation: Act As set up according to the letter of the documentation. Button appears, but the drop-down with the choice list containing users remains empty.
Entered: 28 Mar 2014
Status: RESOLVED
Date: 28 Jul 2014
Resolution: Changing the user IDs in the ActAs table to be case sensitive. Also, the proxy level (full or restricted) must be lowercase.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: The permissions (full or restricted) are not inherited properly, and are also not reset correctly when stopping Act As.
Entered: 28 Jul 2014
Status: RESOLVED
Date: 09 Oct 2014
Resolution: Bug 18695152 : OBIEE 11G: PRIVILEGES NOT APPLIED TO PROXY (ACT-AS) USERS. Full works. Restricted does not. Different behavior in my setup compared to the case with Oracle resulted in slightly different SQL statements for the session variable init blocks.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: Level Restricted not working properly
Entered: 03 Sep 2014
Status: RESOLVED
Date: 21 Oct 2014
Resolution: With new setup instructions it now works.

SR: SR 3-9761586135
Description: Act As - Effective Dates
Situation: Attempt to work with effective dates
Entered: 21 Oct 2014
Status: RESOLVED
Date: 26 Nov 2014
Resolution: When the effective dates are set up as format NUMBER and not DATE, it starts to work with the additional instructions from Oracle.
1.2 Temporary Delegation
Act As can also be used for temporary delegations, such as holiday or sick leave replacements. Thus an employee can impersonate a colleague, take over that person's restrictions and work with his authentication, still taking segregation of duty into account.
This is where the Date From and the Date Thru in the Act As table come in. The logged-in user can still see and select the Act As user, but when selected outside of the effective period it will return a sign-in error.
When another effective date is required, simply alter the DateFrom and the DateThru in the ActAs table in the database.
When a specific ActAs is no longer applicable, simply remove the record from the ActAs table in the database.
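Because delegations are maintained by hand in the ActAs table, a periodic review of that table shows which impersonation rights exist and which should be removed. The Oracle queries below are an added example, not part of the original document; they assume the ACTAS columns used by the init blocks above, and the 31-day threshold is an arbitrary assumption.

```sql
-- Added example. Assumes DATEFROM/DATETHRU hold valid YYYYMMDD numbers;
-- TO_DATE raises an error on a row that does not.

-- 1. Expired delegations: still selectable in the Act As list, no longer
--    usable, and candidates for removal.
SELECT PROXYID, TARGETID, PROXYLEVEL, DATETHRU
FROM   ACTAS
WHERE  DATETHRU < TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD'))
ORDER  BY DATETHRU;

-- 2. Delegations effective today, with the number of days left.
SELECT PROXYID, TARGETID, PROXYLEVEL,
       TO_DATE(TO_CHAR(DATETHRU), 'YYYYMMDD') - TRUNC(SYSDATE) AS DAYS_LEFT
FROM   ACTAS
WHERE  TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD')) BETWEEN DATEFROM AND DATETHRU
ORDER  BY PROXYLEVEL, DAYS_LEFT DESC;

-- 3. Level 'full' inherits the target user's permissions and privileges,
--    so long-running full delegations deserve a second look.
SELECT PROXYID, TARGETID, DATEFROM, DATETHRU
FROM   ACTAS
WHERE  PROXYLEVEL = 'full'
AND    TO_DATE(TO_CHAR(DATETHRU), 'YYYYMMDD')
     - TO_DATE(TO_CHAR(DATEFROM), 'YYYYMMDD') > 31;

-- 4. Reciprocal pairs (A may act as B and B may act as A), to be checked
--    against the segregation-of-duties rules the setup is meant to support.
SELECT a.PROXYID AS USER_A, a.TARGETID AS USER_B,
       a.PROXYLEVEL AS A_AS_B, b.PROXYLEVEL AS B_AS_A
FROM   ACTAS a
JOIN   ACTAS b
  ON   UPPER(a.PROXYID)  = UPPER(b.TARGETID)
 AND   UPPER(a.TARGETID) = UPPER(b.PROXYID)
WHERE  UPPER(a.PROXYID) < UPPER(a.TARGETID);

-- 5. Remove expired rows once query 1 has been reviewed.
DELETE FROM ACTAS
WHERE  DATETHRU < TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD'));
```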