This content has been marked as final. Show 30 replies
Here's some additional information, boiled down to its lowest level.
I have two installations of OBIEE 11g, two separate machines, two separate WLS installations. Completely separate, standalone systems in every respect.
On Machine A, I go into WLS and add a user to myrealm. I do nothing else. I attempt to log in to Answers as that new user - and it works. The new user has been assigned the rights for the BI Consumer role by default. If I open my repository in online mode and view the list of users, that list includes the new user, and there is a checkmark next to the BIConsumer role. My understanding is that this is the proper, expected behavior.
On Machine B, I go into WLS and add a user to myrealm. I do nothing else. I attempt to log in to Answers as that new user - and it FAILS. If I open my repository in online mode and view the list of users, that list includes the new user, but there is NO check mark next to any role. And nothing that I do from that point forward on Machine B will make a checkmark appear.
I've tried adding the user to several roles in FMC, including BIAdministrator. Nothing I do makes any checkmarks appear in the user list in the repository, nor can the user log in to Answers.
The frustrating thing is that I have, in the past, added other new users to this WLS, and I can see checkmarks for them. I can also assign additional roles for those users, and I can see THOSE checkmarks after doing so. It's only the new users that just refuse to be assigned to any new roles.
If you create a new role in EM, you still need to assign polices to it, or by default it has no rights. You do not need to create a role in EM though. If you create a user and group in WL and then assign that user to the group, that user has permissions to login to Answers, even if they are not assigned a role. The roles are more for Admin access than anything else. If you go into Answers, you can then set permissions on what the group can see or even create a catalog group, add the WL group or user to that catalog group and then assign permissions to that catalog group.
Your reply is accurate, but it does not address my issue. I'm very clearly saying that I've created a user in machine A, not assigned any roles or groups, and that I'm able to log in to Answers. Creating a user in machine B, and not assigning any roles or groups, I can NOT log in to Answers. It has nothing to do with roles.
Ping. Two months ago this was an irritation. Now it's a problem that needs a resolution within 48 hours. Any thoughts at all?
Incidentally, when I add users to WLS in system "B", assign them into the BI Authors group in WLS, and then go to the repository and view the users in Manage ... Identity, I see the new users listed there, but there are NO checkboxes checked for any groups. Something isn't communicating correctly between WLS and OBIEE.
I am sorry if I missed any points reading this thread. But there seems to be a known problem between the Administration tool and the EM in synching up the new roles and users.
New roles, that were created in EM do not reflect immediately in the Administration tool, yes even in online mode.
So, even if the new user is showing up, the Admin tool might not have got this user's relation to the new role since it did not get the new role created itself at the first place. I think this is a communication issue between the Admin tool and WLS.
The resolution was to bounce the BI Services, so that the admin tool can sync again with the EM for new roles and users.
Can you please let me know, if you have tried this option earlier and still see the users in machine B are not tied to any new roles created.
There were some other threads too with this kind of issue earlier. You may want to refer some details at OBIEE 11g security - users not showing in RPD
Hope this helps.
I have tried this setup just now in 18.104.22.168 and everything works fine. Please find my steps below
1. Created a user 'abc'(with no association to any groups) in weblogic console.
2. Could successfully login to BI and realized the roles are 'BIConsumer' and 'authenticated' user.
3. Opened the .rpd online and could see the user too with association to 'BIConsumer' role in the properties dialog.
For further analysis, can you please let me know, some more details like
1. The username you were trying to create( any special chars etc)
2. OBIEE version.
3. Any info from weblogic AdminServer/biserver1 logs after enabling debug mode. (I am sure there should be something useful here ;) )
1. Attempting to create user name called retro40. No special characters.
2. Did what you suggested - created a new user called abc and didn't assign to any groups.
3. Tried to log in to OBIEE - no go.
4. Looked in the RPD - the user is there, no checkmarks for any group membership.
5. Went back to WLS, explicitly assigned the user to the BIAuthors group.
6. Still can't log in, still no checkmarks for any group membership in the RPD
I like the idea of taking a look at the debug logs. Can you point me in the right direction to turn on debugging and see the logs? I'd google it myself, but I'm teaching a class today, so if you can give me a push I'd really appreciate it.