OBIEE 12c Users and Groups are Stored in Which File? jazn-data.xml? system-jazn-data.xml?

chillychin

So in 11g the XML file system-jazn-data.xml was used to store users and their groups.

I noticed in 12c it seems to now have changed to /bi/bidata/service_instances/ssi/metadata/authmodel/jazn/jazn-data.xml

I was playing around with my user, and in enterprise manager, I am putting myself into different groups.

I check in OBIEE under "My Account" and I can see my groups are getting updated.

BUT when I check the jazn-data.xml, I dont see my new groups?

So my question is, does it take some time to "propagate" my user group changes from EM into the jazn-data.xml file?

Or is the jazn-data.xml the correct file even to find a users group?

Gianni Ceresa

Internal LDAP is a proper LDAP for that, but things are also stored in the OPSS schema of the DB in 12c (mappings between application roles and groups or users etc.).

All in all it's a good idea to stay out of these things and just keep using the UI for management

[Deleted User]

Yes 12c changed the way things are managed and stored to the OPSS database schema tables.

The WLS-embedded LDAP shouldn't be used to manage the security as a primary place by the way. it has zero account management capabilities for example. Password rules, expiration,....

You should really take a look at the security presenation that Gianni and me wrote: http://www.slideshare.net/GianniCeresa/obiee-security-its-a-jungle-out-there

It explains all the core concepts

chillychin

Will definitely take a look at the presentation!

We actually use Active Directory to manage our LDAP users for "authentication", but we also assign users to OBIEE security groups for "authorization" to certain reports, subject areas etc (not sure if I got authentication and authorization mixed up now that I am talking out loud)

Originally, in 11g we had an external table to the system-jazn-data.xml - This way we could query users and what groups they existed in.

Once our 12c went fully live, I was under the impression that the jazn-data.xml file "appeared" to have all the same things in terms of users/groups and I was hoping to just replicate what we had before.

But once I started playing around with my own user, swapping groups and such I noticed that the file was not updating. Nor did I see any new users I recently added either so it really made me wonder whats the point of even having this file at all then?

I will have to test tomorrow and take a look at the OPSS schema and figure out whats in there. I actually never looked around in there.

chillychin

Ok my curiosity got the best of me and I logged into work remotely to see the contents of the OPSS schema

None of the tables are really "labelled" (CT_##)

If my users and security groups are stored in here, which table would it be?

Again, I just want to be able to see which user is assigned to which group quickly. Which was why we created an external table previously for querying the system-jazn-data.xml file

[Deleted User]

Once more and more explicitly: Thou. Shalt. NOT. Touch. Those. Tables. ... Ever!

chillychin wrote:but we also assign users to OBIEE security groups for "authorization" to certain reports,

What does that mean? What is an "OBIEE security group" for you? Which exact concept are you talking about because this simply does not exist. You can't invent words for other things and then expect other people to comprehend what you mean ;-)

Gianni Ceresa

chillychin wrote:If my users and security groups are stored in here, which table would it be?

Don't get me wrong, I'm not saying it's nice and easy to get info out of the OPSS schema, but if you really want to you can.

All the CT_* tables are kind of aggregated into the JPS_ATTRS.

PS: as you double post (against the rules) and so do not really value time and content posted back, it isn't worth to go into more details about the OPSS schema ...

[Deleted User]

Gianni Ceresa wrote: I'm not saying it's nice and easy to get info out of the OPSS schema, but if you really want to you can and it work quite nicely.

WHY? Just WHY? That's absolutely pointless since almost every single "issue" that even makes you LOOK into this tables is a false non-issue cause by - simply put: wrong usage and PEBKAC

Gianni Ceresa

Christian Berg wrote:That's absolutely pointless since almost every single "issue" that even makes you LOOK into this tables is a false non-issue cause by - simply put: wrong usage and PEBKAC

I agree, it's a badly (wrongly) managed security ...

chillychin

My apologies for the duplicate post, I was not aware that the two forums were linked up.

When I was chatting with a colleague he mentioned to "go and try posting in this OTHER forum"

I incorrectly assumed that the forums were seperate.

For those that stumble across this thread, I am stopping in this thread and am hoping for help and continuation in this thread under the MOSC forum

OBIEE 12c Users and Groups are Stored in Which File? jazn-data.xml? system-jazn-data.xml?

Emily Cikovsky-Oracle

@chillychin , Oracle Support monitors this forum as well as MOSC, so you don't need to stop commenting here. That said, the nature of your questions look like they might do well as an SR - especially when you need detailed product specifics for numerous tables, etc. - so then Oracle Support/MOS is your best bet. Let us know if you have further questions! Emily