30 Replies Latest reply: May 23, 2012 7:05 PM by Mark T.

    Cannot add new WLS users to roles, cannot log in as new users

    Mark T.
      I'm using normal "out-of-the-box" WLS security authentication in OBIEE. I have created a new user in WLS, and I've assigned that user to the BIAuthors group. In FMC, I've created a new role, and assigned that new user to that new role.

      I cannot log in to Answers as that new user.

      Everything APPEARS to be normal in WLS and FMC. I can add a new user. I can add a new role. I can add an existing user to the new role. I can add the new user to the new role. I can add the new user to an existing role.

      But when I open the repository in online mode, things aren't working quite right.

      1. For any existing users, all is well. I can see the checkmarks for the relationships between the existing users and any of the roles that they are associated with in FMC, including any relationships for the new role.

      2. But for the NEW user, there are no checkmarks next to the names of the roles to which that user is assigned in FMC. I added the new user to an old role and to the new role, but neither of those roles has the checkmark next to it.

      I've tried various things, including a complete restart of the entire machine after adding the new user and role. No matter what I try, I cannot get that new user logged in to Answers. I think it's related to the fact that there are no checkmarks in the repository for the roles associated with that user. Question is: why will those relationships get established just fine (in the repository) for existing users, but not for new users?

      Thing is, I've added these "existing" users in the past. These aren't users that were installed with OBIEE. I just added them normally later. So there's nothing special about them.

      Thoughts and ideas welcome...
        • 1. Re: Cannot add new WLS users to roles, cannot log in as new users
          Mark T.
          Here's some additional information, boiled down to its lowest level.

          I have two installations of OBIEE 11g, two separate machines, two separate WLS installations. Completely separate, standalone systems in every respect.

          On Machine A, I go into WLS and add a user to myrealm. I do nothing else. I attempt to log in to Answers as that new user - and it works. The new user has been assigned the rights for the BI Consumer role by default. If I open my repository in online mode and view the list of users, that list includes the new user, and there is a checkmark next to the BIConsumer role. My understanding is that this is the proper, expected behavior.

          On Machine B, I go into WLS and add a user to myrealm. I do nothing else. I attempt to log in to Answers as that new user - and it FAILS. If I open my repository in online mode and view the list of users, that list includes the new user, but there is NO check mark next to any role. And nothing that I do from that point forward on Machine B will make a checkmark appear.

          I've tried adding the user to several roles in FMC, including BIAdministrator. Nothing I do makes any checkmarks appear in the user list in the repository, nor can the user log in to Answers.

          The frustrating thing is that I have, in the past, added other new users to this WLS, and I can see checkmarks for them. I can also assign additional roles for those users, and I can see THOSE checkmarks after doing so. It's only the new users that just refuse to be assigned to any new roles.
          • 2. Re: Cannot add new WLS users to roles, cannot log in as new users
            J.A.M
            If you create a new role in EM, you still need to assign policies to it, or by default it has no rights. You do not need to create a role in EM though. If you create a user and group in WL and then assign that user to the group, that user has permissions to log in to Answers, even if they are not assigned a role. The roles are more for Admin access than anything else. If you go into Answers, you can then set permissions on what the group can see or even create a catalog group, add the WL group or user to that catalog group and then assign permissions to that catalog group.
            • 3. Re: Cannot add new WLS users to roles, cannot log in as new users
              Mark T.
              Your reply is accurate, but it does not address my issue. I'm very clearly saying that I've created a user in machine A, not assigned any roles or groups, and that I'm able to log in to Answers. Creating a user in machine B, and not assigning any roles or groups, I can NOT log in to Answers. It has nothing to do with roles.
              • 4. Re: Cannot add new WLS users to roles, cannot log in as new users
                J.A.M
                OK, I am confused in regards to your setup. You have Server A and Server B. Is this a cluster or separate environments? If clustered, there should not be 2 WebLogic admin consoles.
                • 5. Re: Cannot add new WLS users to roles, cannot log in as new users
                  Mark T.
                  Two completely separate machines, not two parts of a cluster. Completely separate, standalone systems in every respect.
                  • 6. Re: Cannot add new WLS users to roles, cannot log in as new users
                    J.A.M
                    What do the logs say? It should be writing something to the sawlog under Presentation Services.
                    • 7. Re: Cannot add new WLS users to roles, cannot log in as new users
                      Mark T.
                      Nope. When I try to log in, absolutely nothing is written to sawlog0.log. Nothing. Nada.

                      If I log in to system "B" as an existing user, the sawlog0.log shows that I've logged in. Same when I log off. But if I attempt to log in to system "B" as the new user, nothing is written to sawlog0.log.
                      • 8. Re: Cannot add new WLS users to roles, cannot log in as new users
                        Mark T.
                        Ping. Two months ago this was an irritation. Now it's a problem that needs a resolution within 48 hours. Any thoughts at all?

                        Incidentally, when I add users to WLS in system "B", assign them into the BI Authors group in WLS, and then go to the repository and view the users in Manage ... Identity, I see the new users listed there, but there are NO checkboxes checked for any groups. Something isn't communicating correctly between WLS and OBIEE.

                        Help!!
                        • 9. Re: Cannot add new WLS users to roles, cannot log in as new users
                          Dhar
                          Hi Mark,

                          I am sorry if I missed any points reading this thread. But there seems to be a known problem between the Administration tool and the EM in synching up the new roles and users.

                          New roles, that were created in EM do not reflect immediately in the Administration tool, yes even in online mode.

                          So, even if the new user is showing up, the Admin tool might not have got this user's relation to the new role since it did not get the new role created itself in the first place. I think this is a communication issue between the Admin tool and WLS.

                          The resolution was to bounce the BI Services, so that the admin tool can sync again with the EM for new roles and users.

                          Can you please let me know if you have tried this option earlier and still see the users in machine B are not tied to any new roles created?

                          There were some other threads too with this kind of issue earlier. You may want to refer to some details at OBIEE 11g security - users not showing in RPD

                          Hope this helps.

                          Thank you,
                          Dhar
                          • 10. Re: Cannot add new WLS users to roles, cannot log in as new users
                            Mark T.
                            Hello, Dhar. Thanks for the reply.

                            Yes indeed, I have restarted services. I've even restarted the entire machine. No luck.
                            • 11. Re: Cannot add new WLS users to roles, cannot log in as new users
                              Dhar
                              Hi Mark,

                              I have tried this setup just now in 11.1.1.5 and everything works fine. Please find my steps below:

                              1. Created a user 'abc' (with no association to any groups) in WebLogic console.
                              2. Could successfully log in to BI and realized the roles are 'BIConsumer' and 'authenticated' user.
                              3. Opened the .rpd online and could see the user too with association to 'BIConsumer' role in the properties dialog.

                              For further analysis, can you please let me know, some more details like

                              1. The username you were trying to create (any special chars etc.)
                              2. OBIEE version.
                              3. Any info from WebLogic AdminServer/biserver1 logs after enabling debug mode. (I am sure there should be something useful here ;) )

                              Thank you,
                              Dhar
                              • 12. Re: Cannot add new WLS users to roles, cannot log in as new users
                                Mark T.
                                1. Attempting to create user name called retro40. No special characters.

                                2. Did what you suggested - created a new user called abc and didn't assign to any groups.

                                3. Tried to log in to OBIEE - no go.

                                4. Looked in the RPD - the user is there, no checkmarks for any group membership.

                                5. Went back to WLS, explicitly assigned the user to the BIAuthors group.

                                6. Still can't log in, still no checkmarks for any group membership in the RPD.

                                I like the idea of taking a look at the debug logs. Can you point me in the right direction to turn on debugging and see the logs? I'd google it myself, but I'm teaching a class today, so if you can give me a push I'd really appreciate it.

                                Thanks!!
                                • 13. Re: Cannot add new WLS users to roles, cannot log in as new users
                                  505687
                                  Is B a copy of A or fresh installs on both? Was there some copying of the web catalog from A to B at some point? Try refreshing the GUIDs on B:

                                  http://docs.oracle.com/cd/E21764_01/core.1111/e10105/testprod.htm#BABFIHFJ

                                  (Section 21.4.7.4 Refreshing the User GUIDs).

                                  Regards,

                                  Robert
                                  • 14. Re: Cannot add new WLS users to roles, cannot log in as new users
                                    Mark T.
                                    B was a copy of A.

                                    I'm familiar with refreshing GUIDs, and I actually tried that last night.

                                    Unfortunately, it didn't help.

                                    Thank you for the idea though. Good thought.