8 Replies Latest reply: Sep 3, 2013 10:35 PM by GeoC

Linking User from Active Directory to OBIEE 11g groups/roles.

897863 Newbie
Hello Experts


I have integrated Active Directory with OBIEE 11g using WebLogic. But the issue is I cannot assign the users from AD to the groups present in WebLogic like BI Administrator, BI Author etc.

If the user belongs to the Default LDAP (WLS) then I can assign it to groups like BI Administrator, BI Author, but the users associated with AD are not given the option to attach them to the groups.


How do I resolve this? Any guidance?
  • 1. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    user248025 Guru
    Hi,

    You can't assign a WebLogic group to AD users (AD users fetch the group from AD by default, per your config); just map it via WebLogic EM: create an application role and map it to your AD users (users-to-role mapping).

    Note: Try to keep your AD users -- AD group as flat type.

    For more, refer to EM (users-to-role mapping):
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html

    Thanks
    Deva

    Edited by: Devarasu on Nov 21, 2012 1:18 PM
  • 2. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    DilbertsDog Newbie
    You may want to take a look at the below docs,

    They are configuring SSO with OBIEE and AD

    http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/toc.htm
    http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/sso.htm#CEGJJFED
  • 3. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    897863 Newbie
    Thanks Deva,

    Pertaining to your statements, could you let me know the following:

    just map it via WebLogic EM: create an application role and map it to your AD users (users-to-role mapping)

    ------------- How can I do that? Any links or steps for the process? I couldn't find this in the link you provided. Suppose there are users "David" and "Steve" coming from AD. Now I have to assign David as BI Admin and Steve as BI Author so that they can log in to Analytics and do their respective work.

    Also, say I need to create my own groups/roles for data/row-level security as well. So I may think of creating two groups/roles like US_Read and US_Write, one for just accessing and another for writing/editing. So how can I do that in EM and assign Steve and Mark coming from AD to these roles/groups?

    Note: Try to keep your AD users -- AD group as flat type

    --------------- This is a very good approach, but how do I keep users and AD groups in a flat file and manage the security in Analytics? Any help here?
  • 4. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    user248025 Guru
    Hi,

    Log in to WebLogic EM. By default EM has roles (Author, Administrator, BI Consumer etc.), so you can use these roles to assign your AD users; otherwise you can have your own application roles (like admin, author, consumer). Just use the Copy Existing option to create your new role.

    i.e.: Copy Existing - Creates an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as is the original.

    Once you have created your own/default role, you can add user David to the Administrator role and Steve to the BI Author role, then test it out.

    For creating an application role and assigning users to it (application role mapping), refer to the note below:
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/authentication.htm#CACFCEEB

    For flat-type AD users (mapped to a single AD group, not a nested group): say you have 200 users using the OBIEE application, so you just want to give them access (not all users).

    1) First, you can request your LDAP network team to create an AD group
    2) Then you can log in to MSAD and map those 200 AD users to the AD group (this will filter user access to your BI)
    3) In the WebLogic configuration, give the group and users -> root structure, and once it's configured, log in to EM, then assign your AD users to the existing default roles or your own newly created roles

    Note: Be aware that application roles have an issue on the OBIEE 11.1.1.5.0 version (issue: the role name should not have _, 01, space, @, $); just use a simple name. This issue has been fixed in OBIEE 11.1.1.6.0 and above.

    Data-level and object-level security follow the same steps as OBIEE 10g, but one thing: OBIEE 11g has an object-level security issue based on application roles (this is a known issue and it's fixed by applying any 5.4 or 6.5 patch).

    Bug 13731968 - PERMISSIONS ON WEB CATALOG OBJECTS NOT SYNCHRONIZED (not yet fixed)
    Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY (fixed on 5.4 and 6.5)

    Thanks
    Deva

    Edited by: Devarasu on Nov 22, 2012 1:10 PM
  • 5. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    897863 Newbie
    Thanks Deva

    I tried giving David (User Id - SARKAI2) the BI Administrator role, and that was done successfully.

    Membership for BIAdministrator …

    Principal           Display Name     Type     Description
    BIAdministrators                     Group
    BISystemUser                         User
    SARKAI2                              User

    But when I try logging in to Analytics, the role of SARKAI2 is not BI admin but only BI consumer.

    Can you please let me know if I am doing it properly?
  • 6. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    user248025 Guru
    Hi,

    Log in to PS

    http://IP:9704/analytics then go to My Account and select the tab (Roles and Catalog Groups) --->
    Are you able to see BI Administrator for that user (SARKAI2) under My Account? If you are unable to see it, then go to WebLogic EM and double-check the users (just confirm: select the BIAdministrator role and add the user (SARKAI2) to the role), then try to log in to Analytics and let me know.

    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-managing-application-roles-and-policies-and-managing-security-migrations-and-deployments/
    http://obiee2go.wordpress.com/2012/06/14/obiee-11g6-how-application-roles-groups-and-users-work-in-obiee-11g/

    Thanks
    Deva

    Edited by: Devarasu on Nov 23, 2012 11:18 AM
  • 7. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    897863 Newbie
    Hi Deva

    I had already tried that, but no luck.

    EM snapshot for SARKAI2
    --------------------------------------------

    Membership for BIAdministrator …

    Principal           Display Name     Type     Description
    BIAdministrators                     Group
    BISystemUser                         User
    SARKAI2                              User


    Roles & Catalog group
    ----------------------------------------------

    Authenticated User
    BI Consumer


    So even though SARKAI2 is added to the BI Administrator role, the same is not reflected in Analytics.

    Regards
  • 8. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
    GeoC Explorer

    Apologies for reviving an old thread. I had the same problem as stated here and managed to find a solution. The application role does not appear in presentation services for the user after logging in, even though the user has been assigned to the application role in EM.

    The reason is due to case sensitivity of the username when logging in through presentation services. If you do not log in with the same case as is defined for the user in the LDAP repository, then OBIEE cannot reference the roles that have been applied to the user.

    The solution can be found in WebLogic Console (http://<<server>>:<<port>>/console). Navigate to Home -> bifoundation_domain -> Security -> General -> Advanced. There is an option called "Enable Principal Equals Case Insensitive". Set this option to true (ticked). Apply changes. You should now be able to log in with the user, without having to worry about case sensitivity, and defined application roles should be applied in presentation services.

    Thanks,

    Geo
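
An added illustration of the behaviour described in the last reply (not code from the thread or from Oracle): a small Python model of exact-case versus case-insensitive principal matching, plus an audit that flags role grants differing from the directory spelling only by case. The role data, directory names and the matching model itself are assumptions constructed from the explanation above.

```python
# Added illustration; all names and data below are constructed samples.

# User members per application role, modelled on the EM snapshot in the thread.
ROLE_MEMBERS = {
    "BIAdministrator": ["BISystemUser", "SARKAI2"],
    "BIAuthor": ["Steve"],  # constructed grant
}
# Roles every authenticated login ends up with (assumption, matching the
# "Authenticated User / BI Consumer" result reported in the thread).
DEFAULT_ROLES = ["AuthenticatedUser", "BIConsumer"]
# Constructed user names as spelled in the identity stores (two providers).
DIRECTORY_NAMES = ["SARKAI2", "BISystemUser", "steve", "report", "Report"]


def resolve_roles(login_name, case_insensitive=False):
    """Return the sorted roles a login receives under the comparison mode."""
    def same(a, b):
        return a.casefold() == b.casefold() if case_insensitive else a == b

    granted = [role for role, members in ROLE_MEMBERS.items()
               if any(same(login_name, m) for m in members)]
    return sorted(DEFAULT_ROLES + granted)


def audit_grants(directory_names, role_members):
    """Find grants that differ from the directory spelling only by case, and
    directory names that become the same principal once case is ignored."""
    by_fold = {}
    for name in directory_names:
        by_fold.setdefault(name.casefold(), []).append(name)
    mismatches = []
    for role, members in role_members.items():
        for member in members:
            spellings = by_fold.get(member.casefold(), [])
            if spellings and member not in spellings:
                mismatches.append((role, member, spellings[0]))
    collisions = [names for names in by_fold.values() if len(names) > 1]
    return mismatches, collisions


if __name__ == "__main__":
    print(resolve_roles("sarkai2"))                         # exact-case compare
    print(resolve_roles("sarkai2", case_insensitive=True))  # option enabled
    print(audit_grants(DIRECTORY_NAMES, ROLE_MEMBERS))
```

A non-empty collision list means that case-insensitive comparison would treat those distinct accounts as one principal, so review them before changing the setting.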
