Oracle Business Intelligence


Access denied when using rpdupload


I am using Oracle BI Analytics 12.2.1.3.0 on OL 8.9. I use the command:

/home/oracle/Oracle/Middleware/Oracle_Home/user_projects/domains/mydomain/bitools/bin/datamodel.sh uploadrpd -I myrpd.rpd -SI ssi -U rpdupload -P <rpduserpwd> -W <rpdpwd>

This gives me an error: "Connection failed, the server processes may be down"

Checking bi-lcm-rest.log.0 shows that the response returned was "javax.ws.rs.WebApplicationException : HTTP 401 Unauthorized","oracle.bi.restkit.security.auth.RequiredGroupAuthoriser"

If I add the "rpdupload" user into the Administrators group, the command works. However, this introduces a security weakness and I want this to be a restricted user.

I tried other groups, such as Deployers, but that didn't work.

Answers

  • Exact same answer as in Stack Overflow:

    Several things:
    1.) All functionality is governed by Application Policies
    2.) Application Policies are tied to Application Roles for authorization purposes
    3.) Randomly changing "groups" (which are not the same thing as Application Roles) will not solve your issue
    4.) The Application Policy for managing RPDs is by default only granted to the BI Service Administrator Application Role
    5.) Nothing is stopping you from creating a new custom Application Role with the required functional Application Policies granted and to which you then assign your rpduploaduser

    The platform supports all of this very easily; it just needs to be utilized according to suitable rules and standards. Plan your security properly and think about what should work how.

  • SteveF-Oracle
    edited April 19

    • @Hussain

      Friendly reminder, OBI 12.2.1.3 ended Error Correction support long ago. You will want to move to Oracle Analytics Cloud or Oracle Analytics Server (preferred), or to OBI 12.2.1.4 on FMw 12.2.1.4 until DEC 2025, when Premier Support ends.

      Also, OBI 12.2.1.3 was never certified on OL8.

      You may want to review this doc ID pertaining to a potential solution for your issue.

    OBIEE 12c: "HTTP 401 Unauthorized" Error While Using the datamodel.sh Script (Doc ID 2395138.1)

    [ Edit: ]

    Looking a little closer: This was a known issue back in that time-frame.

    You must have Oracle BI EE BI Service Administrator privileges to run the command line utility and issue any of the commands. Additionally, the user must be part of "Administrators" group in weblogic security.

    A Bug/ER was logged. This is not the case in the newer updates of the product.





  • When you grant the right policies it'll work for custom app roles as well.

  • Hi @Hussain Akbar

    Thank you for posting in Oracle Analytics Forum.

    For either the Oracle BI EE installation or client installation, you must have Oracle BI EE BI Service Administrator privileges to run the command line utility and issue any of the commands. Additionally, the user must be part of "Administrators" group in weblogic security.

    So it is true that the user should be a part of the Administrator group to perform download and upload of the RPD.

    Thanks
    Subha

  • Gianni Ceresa
    edited April 19

    So it is true that the user should be a part of the Administrator group to perform download and upload of the RPD.

    Not at all!

    Please, don't ignore how security and privileges work in OBIEE (and OAS).

    You can grant all the required policies even to BIConsumer if you want, and your BIConsumer random users (make authenticated users part of that role to make sure everybody has it) will be able to download and upload the RPD.

    It's driven by policies, and policies aren't OAC where you can't touch them: in OBIEE and OAS you can grant whatever policy you want to any of your application roles.

    It has worked like that for 10+ years; unless it changed today for an unknown reason, it isn't true that "you should be part of Administrator"…

    Administrator is just the name of an application role that happens to have, by default, that policy granted. But nothing and nobody prevents anyone from customizing their security model and creating specialized application roles to have more fine-grained control over who can do what.

  • There was a bug in 12.2.1.2 and 12.2.1.3, it's not true after.

  • Yes & yes. Functions are governed by policies which can be updated. The policy names are mapped to WebLogic groups. (Aren't they by default? I think so.) As I mentioned, I did put the user in the Service Administrators group and the group is mapped to the policy. I also tried putting the user directly into the role in Enterprise Manager. When that didn't work, I was attempting to see why not, which is when I added the user to the Administrators group. As I said, I didn't want to go with that option, hence the reason for posting the question.

    As @SteveF-Oracle and @Subha_Tripathy-Oracle mentioned, 12.2.1.2 required the user to be in that group while 12.2.1.3 & later don't. I'll ask the client to upgrade to 12.2.1.4.

    As for @SteveF-Oracle comment re OL8, they have a separate team that manages OS installations. They upgraded / migrated all systems from different flavours & releases to OL8.