how do you migrate analytics security between environments

Question

Tried to exporarchive from the environment with the security we would like to replicated and imported into the target environment but did not seem to work.  The obiee team only wanted the security changes replicated from the production environment into the test environment.

Used the following command and options:

$DOMAIN_HOME/bitools/bin/importarchive.sh ssi ssi.bar nodatamodel nocontent nodatasets nosearch noaction encryptionpassword=<pw>

I explicitly chose all the no options with the exception of noauthorization hoping that would match the security between environments.

However it appears that certain roles still have access in the test environment that was removed in prod.

Should I be doing something different, using different options, or need to do something to reset just the permissions before I run the import?

TetyanaH-Oracle · Answer

Concur with Gianni.

To add to the above, importarchive.sh command only imports metadata. You must configure your identity store separately in the target environment and|or export|import users|groups if you are using Weblogic default LDAP authenticator.

However, if your intention is to migrate application roles only from one environment to another, then   importarchive.sh command with all parameters except noauthorization should import JAZN metadata content from one environment to another.

Now, why  certain roles still have access in the test environment that was removed in prod  (provided you imported prod bar file into your test env) may need to be investigated further.   In OAS (next generation of BI offering on-prem), roles in the target environment will get overwritten by the roles from the source environment when you run importarchive.sh command. Did you find that in  OBIEE,  when you migrate bar file from one env to another, roles in the target OBIEE environment do not get overwritten and instead "appended" with roles from the source OBIEE  environment?  If that is the case, you may want to address it with Oracle Support via SR for further clarification.

Gianni Ceresa · Answer

Hi,

Seeing the mention "OBIEE", what version are you currently working with? 12.2.1.4, 12.2.1.3, or older than that?

And also another question: by "security", what do you mean exactly?

Do you want the application roles? The users, groups, application roles mapped to an application role? Do you want the policies of the application roles? Or maybe the privileges that you set in the "administration" UI of OBIEE? Or the users and groups that you created and maintain in the WebLogic embedded lightweight LDAP?

Knowing what you look for, and also what you don't look for (because between test and prod there could be many differences in the previously listed pieces, and for a very good reason), will allow to more easily give you a valid answer (and not some random links to documents not really applying to what you really look for).