OBIEE 12c Application Role Auditing

SJenkins
SJenkins Rank 3 - Community Apprentice

OBIEE 11g Catalog Groups have been migrated into OBIEE 12c WebLogic Application Roles (Fusion Middleware Control - Security - Application Roles).

A: Is there a way to grant users access to manage those without giving them full access to the rest of WebLogic?

B: Is there a way to audit who makes the change when a user is put in or taken out of an application role? Preferably into a table that can be reported on in an OBIEE Subject Area.

Answers

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    On OBIEE 11g:

    • Oracle recommends that Oracle BI Presentation Catalog groups be used for backward compatibility only and that Application Roles be used instead for new installations.

    Catalog Groups as a way of doing things went away a long time ago ... do you have a mix of them and application roles (due to moving from 10g in the past)?

    You don't want end users managing your application roles ... you want a BI Administrator or at least one of your Oracle Fusion Middleware Admins doing it.

  • SJenkins
    SJenkins Rank 3 - Community Apprentice

    Yes, in versions 10 and 11 we used catalog groups. The Presentation Admins managed who were members of them via BI.

    We are working on the 12c migration and have converted the catalog groups to application roles, and I have given the Presentation Admins access to Fusion Middleware Control so they can continue to manage who is in the roles. I was just wondering if there was a way to restrict them to only that task and not everything else in the console.

    Management is also asking if there is any way to audit who is adding/removing users from the application roles.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    If you want a non-Enterprise Manager way of handling this, where people aren't WebLogic admins, then best move this out to a DB table where you then handle it via APEX, for example, and then read that table as a BISQLGroupProvider security provider in the WLS security realm.

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    Amen - stick it in a database, then mass user account maintenance, auditing, addition, deletion becomes so much easier!
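
Added example, not part of any post in this thread: one way to get the "who changed which role membership" audit trail once membership lives in a database table, as suggested above. All table, column, trigger and role names are assumptions (Oracle SQL); the BISQLGroupProvider query configuration that would read `bi_group_members` is not shown.

```sql
-- Assumed names throughout: bi_groups, bi_group_members, bi_group_members_audit.
CREATE TABLE bi_groups (
  g_name VARCHAR2(100) PRIMARY KEY
);

CREATE TABLE bi_group_members (
  g_name   VARCHAR2(100) NOT NULL REFERENCES bi_groups (g_name),
  g_member VARCHAR2(100) NOT NULL,
  CONSTRAINT bi_group_members_pk PRIMARY KEY (g_name, g_member)
);

-- Written only by the trigger below; nobody is granted INSERT/UPDATE/DELETE on it.
CREATE TABLE bi_group_members_audit (
  audit_ts   TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP NOT NULL,
  action     VARCHAR2(6)   NOT NULL CHECK (action IN ('ADD', 'REMOVE')),
  g_name     VARCHAR2(100) NOT NULL,
  g_member   VARCHAR2(100) NOT NULL,
  changed_by VARCHAR2(128) NOT NULL,  -- end user who made the change
  db_user    VARCHAR2(128) NOT NULL   -- database session account
);

CREATE OR REPLACE TRIGGER bi_group_members_aud
AFTER INSERT OR UPDATE OR DELETE ON bi_group_members
FOR EACH ROW
DECLARE
  -- Through APEX the DB session is a shared account, so take the APEX login
  -- first and fall back to the session user for direct SQL changes.
  v_by VARCHAR2(128) := COALESCE(SYS_CONTEXT('APEX$SESSION', 'APP_USER'),
                                 SYS_CONTEXT('USERENV', 'SESSION_USER'));
  PROCEDURE log_row(p_action VARCHAR2, p_group VARCHAR2, p_member VARCHAR2) IS
  BEGIN
    INSERT INTO bi_group_members_audit (action, g_name, g_member, changed_by, db_user)
    VALUES (p_action, p_group, p_member, v_by, SYS_CONTEXT('USERENV', 'SESSION_USER'));
  END;
BEGIN
  -- An UPDATE is recorded as a removal of the old pair plus an addition of the new one.
  IF DELETING OR UPDATING THEN
    log_row('REMOVE', :OLD.g_name, :OLD.g_member);
  END IF;
  IF INSERTING OR UPDATING THEN
    log_row('ADD', :NEW.g_name, :NEW.g_member);
  END IF;
END;
/

-- bi_audit_reader is a hypothetical role for the account OBIEE uses to report on the audit table.
GRANT SELECT ON bi_group_members_audit TO bi_audit_reader;
```

The audit table is only as trustworthy as the schema that owns it: keep the maintainers' APEX application and the reporting account in schemas other than the owner, so neither can alter the trigger or the audit rows.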

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Yeah. Managing named user rights in EM either through the GUI or through WLST is just awful.

  • You already got some alternatives above on how to manage that need.

    Staying on the "default" way to manage things, you would have to collect and analyse detailed web logs of the AdminServer: the EM interface you use executes actions when you add/remove somebody from a role, so you would probably extract these actions from the webserver log etc.

    But it's for sure not as easy and practical as using a DB table to map users into roles (and APEX on top).

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Not to make too fine a point but next time maybe check which answer arrived in which chronological order :-P

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    So it goes...

    I said to Dude! on the ideas forum that sometimes the awarding of points is capricious and random. @Dude! this is the kind of thing I had in mind...