Categories
Managing OBIEE 12c Privileges Programmatically
I have found documentation for OBIEE 11g at https://docs.oracle.com/middleware/11119/biee/BIESC/authentication.htm#BABGJJDC
which states:
Presentation Services privileges can be assigned to a new application role programmatically using SecurityService Service. For more information, see "SecurityService Service" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition
The link SecurityService Service does not reference assigning privileges programmatically to application roles. What documentation it does provide is incomplete and does not provide any "how to" for what it does include.
Two questions:
1. Is there any complete, usable documentation, with examples, that shows how to assign privileges to roles programmatically?
2. Does that documentation exist for OBIEE 12c?
Answers
-
You might be able to use:
You can set permissions for various presentation and marketing objects by using the command-line tools biserverxmlexec and biserverxmlcli.
https://docs.oracle.com/middleware/1221/biee/BIEXR/xml_about.htm#BIEXR4133
0 -
This is SOOOO close to what I need, but it just barely misses. These instructions refer to permissions for web catalog objects. I need privileges (create Dashboard, Save Content with HTML Markup, and so forth.)
0 -
Mark T. wrote:Two questions:1. Is there any complete, usable documentation, with examples, that shows how to assign privileges to roles programmatically?2. Does that documentation exist for OBIEE 12c?
ad 1. No
ad 2. No
Because really I wouldn't suggest you go off and do that "programmatically" as you say unless you know very well what you're doing. Yes it is possible, but:
Have you ever looked at how the privileges and their assigned application roles and/users are stored? If yes - are you prepared to try it?
0 -
Christian, thank you for the reply. I'll have to let my client decide whether he would like to try it or not. The client is a university system with over a dozen separate campuses developing their own RPDs with multiple subject areas, and all will be merged into a master repository at the main campus. This is going to create several dozen subject areas, and the admin is not looking forward to using the Privileges screen to manage them. So, on his behalf, I'm going to guess that his answer is "yes, I REALLY want to try it".
Is there any place we can look to even get an idea of how to start? We know the privileges are stored in the privs folder in the web catalog, and we know that they can (allegedly) be managed with the runcat command. But as you noted, there is no documentation. How can we take the first steps toward figuring it out? Is there any internal, unpublished documentation for runcat?
0 -
Mark T. wrote:and we know that they can (allegedly) be managed with the runcat command.
How? In which way?
Mark T. wrote:Is there any place we can look to even get an idea of how to start? We know the privileges are stored in the privs folder in the web catalog,
Venkat wrote a bit about it years ago:
https://www.rittmanmead.com/blog/2011/10/oracle-bi-ee-11g-security-auditing-web-catalog-security/
If you look at it you'll see why I said "are you sure?"
0 -
Runcat.sh is just a java wrapper on top of the Web Services that Presentation Services provides. So if runcat can do it, so can you, via the web services API. You can look these up in the documentation, or you may find a tool like JD-GUI useful (if you don't mind almost certainly violating your Oracle T&C to not reverse engineer/decompile their software).
The other route is a network traffic inspector (e.g. chrome dev tools) and see what happens when you change permission grants manually through the admin page, and work out if you can replicate the same programatically.
0