Denied: Authenticated User meaning — Oracle Analytics

3310714 Rank 6 - Analytics Lead

Hi,

We are using OBIEE 12c.  In the Administration --> Manage Privileges view, some privileges are "Denied: Authenticated User" by default.  For example: 

1.PNG

My question is does it mean all users (Including Administrators) will be denied this privilege?  If so, why do I still see the Administration link along the header menu bar?

2.PNG

Answers

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Means: Everybody having "Authenticated User" as an App Role will be denied that Permission. Even if you're an Administrator you will be denied it because DENY wins.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    OK, thanks for the clarification.  So if I'm denied access to the Administration menu, why do I still see it in the header? 

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    No you won't see it. The GUI will automatically render without anything where you're not allowed to access.

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    The BI Administrator Role has an override ... for example this type of thing and row-level security doesn't apply to an admin.

    An explicit deny to Authenticated User applies to everyone EXCEPT the Admins. 

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Thomas, are you sure that holds true for all options? Because we have already seen lockouts happening due to inconsistent security settings.

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    Good point, it could be spotty in its application!

    Best to avoid that setting (explicit deny on auth user) in the first place. 

  • Andrew Fomin.
    Andrew Fomin. Rank 6 - Analytics Lead

    Unfortunately, I don't have a system to potentially sacrifice during the experiment, but as a guess: browser cache.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    DENY on AuthUser is something that's anyway reserved for things like writeback in an out-of-the-box setup.

    I agree one should be a lot more specific with security control.

  • 3310714
    3310714 Rank 6 - Analytics Lead

    The Denied AuthUser privileges are out of the box, so I didn't mess with it. 

    The "Access Administration Menu" in Home and Header category does not control the Administration link on header bar.  That is actually controlled by "Access to Administration" in the Access category.   Now it makes more sense.