8 Replies Latest reply: Sep 4, 2013 12:35 AM by GeoC

    Linking User from Active Directory to OBIEE 11g groups/roles.

    897863
      Hello Experts


      I have integrated Active Directory with OBIEE 11g using WebLogic. But the issue is I cannot assign the users from AD to the groups present in WebLogic like BI Administrator, BI Author etc.

      If the user belongs to the Default LDAP (WLS) then I can assign it to groups like BI Administrator, BI Author, but the users associated with AD do not get the option to attach them to the groups.


      How to resolve this? Any guidance?
        • 1. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
          user248025
          Hi,

          You can't assign a WebLogic group to AD users (AD users fetch the group from AD by default per your config); just map it via WebLogic EM: create an application role and map it to your AD users (users to role mapping).

          Note: Try to keep your AD users --AD Group as Flat type

          For more, refer to EM (users to role mapping)
          http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html

          Thanks
          Deva

          Edited by: Devarasu on Nov 21, 2012 1:18 PM
          • 2. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
            DilbertsDog
            You may want to take a look at the below docs,

            They are configuring SSO with OBIEE and AD

            http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/toc.htm
            http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/sso.htm#CEGJJFED
            • 3. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
              897863
              Thanks Deva ,

              Pertaining to your statements, could you let me know the following

              just map it via weblogic EM create application role and map it u r AD users (users to role mapping)

              ------------- How can I do that ... any links or steps process? I couldn't find this in the link you provided. Suppose there is a user "David" and "Steve" coming from AD. Now I have to assign David as BI Admin and Steve as BI Author so that they can log in to Analytics and do their respective work.

              Also say I need to create my own groups/roles for data/row level security as well. So I may think of creating two groups/roles like US_Read and US_Write, one for just accessing and another for writing/editing. So how can I do that in EM and assign Steve and Mark coming from AD to these roles/groups?



              Note: Try to keep u r AD users --AD Group as Flat type


              --------------- This is a very good approach, but how do I keep user and AD group in a flat file and manage the security in Analytics? Any help here.
              • 4. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
                user248025
                894860 wrote:
                Thanks Deva ,

                Pertaining to your statements, could you let me know the following

                just map it via weblogic EM create application role and map it u r AD users (users to role mapping)

                ------------- How can I do that ... any links or steps process? I couldn't find this in the link you provided. Suppose there is a user "David" and "Steve" coming from AD. Now I have to assign David as BI Admin and Steve as BI Author so that they can log in to Analytics and do their respective work.

                Also say I need to create my own groups/roles for data/row level security as well. So I may think of creating two groups/roles like US_Read and US_Write, one for just accessing and another for writing/editing. So how can I do that in EM and assign Steve and Mark coming from AD to these roles/groups?



                Note: Try to keep u r AD users --AD Group as Flat type


                --------------- This is a very good approach, but how do I keep user and AD group in a flat file and manage the security in Analytics? Any help here.
                Hi,

                Log in to WebLogic EM. By default EM has (Author, Administrator, BI Consumer etc.) roles, so you can use these roles to assign your AD users; otherwise you can have your own application role (like admin, author, consumer): just use the Copy Existing option to create your new role.

                i.e.: Copy Existing - Creates an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as the original.

                Once you have created your own/default role, you can add User: David to the Administrator role and Steve to the BI Author role, then test it out.

                For creating an Application Role and assigning users to Application role mapping, refer to the note below,
                http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/authentication.htm#CACFCEEB

                For the Flat type AD Users (mapped with a single AD Group, not a nested group): let's say you have 200 users using the OBIEE application, so you just want to give them access (not all users)

                1) First, you can request your LDAP n/w team to create an AD group
                2) Then you can log in to MSAD and map those 200 AD users to the AD group (this will filter users' access to your BI)
                3) In the WebLogic configuration you give the group and users -> root structure, and once it's configured, log in to EM and then assign your AD users to the existing default or your own newly created roles

                Note: Your application role has an issue on the OBIEE 11.1.1.5.0 version (issue: role name should not have _, 01, space, @, $); just use a simple name. This issue has been fixed in OBIEE 11.1.1.6.0 and above.

                The data level and object level security are the same as the OBIEE 10g steps, but one thing: OBIEE 11g has an object level security issue based on application role (this is a known issue and it's fixed by applying any 5.4 or 6.5 patch)

                Bug 13731968 - PERMISSIONS ON WEB CATALOG OBJECTS NOT SYNCHRONIZED (not yet fixed)
                Bug 13982971 : PERMISSIONS ON WEB CATALOG OBJECTS NOT APPLIED IMMEDIATELY (fixed on 5.4 and 6.5)

                Thanks
                Deva

                Edited by: Devarasu on Nov 22, 2012 1:10 PM
                • 5. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
                  897863
                  Thanks Deva

                  I tried giving David (User Id - SARKAI2) the BI Administrator role and that is done successfully

                  Membership for BIAdministrator …


                  Principal          Display Name   Type    Description
                  BIAdministrators                  Group
                  BISystemUser                      User
                  SARKAI2                           User

                  But when I try logging in to Analytics, the role of SARKAI2 is not BI admin but only BI consumer.

                  Can you please let me know if I am doing it properly.
                  • 6. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
                    user248025
                    Hi,

                    Log in to PS

                    http://IP:9704/analytics then go to my account and select tab (Roles and Catalog Groups) --->
                    Are you able to see BI Administrator for that user (SARKAI2) under My Account? If you are unable to see it, then go to WebLogic EM and double check for Users (just confirm: select the BIAdministrator role and add User (SARKAI2) to the role), then try to log in to Analytics and let me know,

                    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-managing-application-roles-and-policies-and-managing-security-migrations-and-deployments/
                    http://obiee2go.wordpress.com/2012/06/14/obiee-11g6-how-application-roles-groups-and-users-work-in-obiee-11g/

                    Thanks
                    Deva

                    Edited by: Devarasu on Nov 23, 2012 11:18 AM
                    • 7. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
                      897863
                      Hi Deva

                      I had already tried that, but no luck.

                      EM snapshot for SARKAI2
                      --------------------------------------------

                      Membership for BIAdministrator …

                      Principal          Display Name   Type    Description
                      BIAdministrators                  Group
                      BISystemUser                      User
                      SARKAI2                           User


                      Roles & Catalog group
                      ----------------------------------------------

                      Authenticated User
                      BI Consumer


                      So even though SARKAI2 is added in the BI Administrator role, the same is not reflecting in Analytics.

                      Regds
                      • 8. Re: Linking User from Active Directory to OBIEE 11g groups/roles.
                        GeoC

                        Apologies for reviving old thread. I had the same problem as stated here and managed to find a solution. The application role does not appear in presentation services for the user after logging in, even though the user has been assigned to the application role in EM.

                        The reason is due to case sensitivity of the username when logging in through presentation services. If you do not log in with the same case as is defined for the user in the LDAP repository, then OBIEE cannot reference the roles that have been applied to the user.

                        The solution can be found in WebLogic Console (http://<<server>>:<<port>>/console). Navigate to Home -> bifoundation_domain -> Security -> General -> Advanced. There is an option called "Enable Principal Equals Case Insensitive". Set this option to true (ticked). Apply changes. You should now be able to log in with the user, without having to worry about case sensitivity, and defined application roles should be applied in presentation services.

                        Thanks,

                         

                        Geo
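
Added example (not part of the thread and not Oracle code): a simplified Python model of the principal matching GeoC describes, using the EM membership listed earlier in the thread. The `Steve` entry, the function names and the comparison logic are assumptions for illustration; the audit function lists logins that would silently lose a role under case-sensitive matching.

```python
# Constructed sample: BIAdministrator members as listed in EM in the thread;
# the BIAuthor entry for "Steve" is an assumed assignment for illustration.
ROLE_MEMBERS = {
    "BI Administrator": {("BIAdministrators", "Group"),
                         ("BISystemUser", "User"),
                         ("SARKAI2", "User")},
    "BI Author": {("Steve", "User")},
}
# Assumption: every session gets these two, as the thread's
# "Roles & Catalog group" output shows for SARKAI2.
DEFAULT_ROLES = {"Authenticated User", "BI Consumer"}


def resolve_roles(login, groups=(), case_insensitive=False):
    """Return the roles a session receives for the name typed at login."""
    norm = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    principals = {(norm(login), "User")} | {(norm(g), "Group") for g in groups}
    roles = set(DEFAULT_ROLES)
    for role, members in ROLE_MEMBERS.items():
        if any((norm(name), kind) in principals for name, kind in members):
            roles.add(role)
    return roles


def audit_case_mismatches(logins):
    """List (login, member, role) where a login equals a user member
    only when case is ignored, i.e. the role is lost under exact matching."""
    findings = []
    for login in logins:
        for role, members in sorted(ROLE_MEMBERS.items()):
            for name, kind in sorted(members):
                if (kind == "User" and name != login
                        and name.lower() == login.lower()):
                    findings.append((login, name, role))
    return findings


if __name__ == "__main__":
    print(sorted(resolve_roles("sarkai2")))                         # exact match
    print(sorted(resolve_roles("sarkai2", case_insensitive=True)))  # option ticked
    print(audit_case_mismatches(["sarkai2", "SARKAI2", "steve"]))
```

Running the audit over login names taken from access logs before changing the console option shows which accounts are affected by the mismatch.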