How to avoid multiple application roles per user. — Oracle Analytics

Oracle Analytics Cloud and Server

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

How to avoid multiple application roles per user.

Received Response
51
Views
7
Comments
Sunny86
Sunny86 Rank 6 - Analytics Lead

Dear All

How to avoid multiple application roles per user.

Followed the below steps.

in Console (weblogic)

1)Created two groups

  a)SalesReporting

  b)CostReporting

2)Created two Users

  a)Created user SalesMan and assigned the Group SalesReporting

  b)Created user CostAnalyzer and  assigned the Group CostReporting

In Enterprise Manager(Fusion Middleware)

3)Created two Application roles

  a)Role SalesReportingApplicationRole

     Added weblogicGroup SalesReporting and BIConsumer Application Role under the  Application Role

  b)Role CostReportingApplicationRole

   

     Added weblogicGroup CostReporting and BIConsumer Application Role under the  Application Role

Now when we login with SalesMan  User we could see both the CostReportingApplicationRole and SalesReportingApplicationRole

in Roles And Catalog Groups under MY Account

Authenticated User

BI Consumer

CostReportingApplicationRole

SalesReportingApplicationRole

Answers

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    Hi,

    I am not following why this is a problem?

    What you are describing is 'how it works'....

  • Sunny86
    Sunny86 Rank 6 - Analytics Lead

    Dear Robert,

    Actually I need Sales user under sales application role only, not under cost appication role

  • Hi guess by default "authenticated user" (the application role representing all the users successfully authenticated) is member of "BI Consumer", so by adding "BI Consumer" to your 2 roles you are actually adding these 2 roles to everybody because of the inheritance between "BI Consumer" and "authenticated users".

  • Sunny86
    Sunny86 Rank 6 - Analytics Lead

    Hello Gianni,

    Thanks alot for your reply.  But if i remove it from the members of the group, Will i get login to BI?

  • Well, depends on your whole security model.

    Do not believe OBIEE security is just few clicks adding people here or there, you have to plan it and design it based on your business needs.

    So the answer can be Yes or No depending on how does your full security model looks like.

    I personally always remove 'authenticated user' from BI Consumer (or the role acting as such) and never set permissions or privileges on 'authenticated user' as much as possible (for example: if you use a corporate LDAP/AD for logins everybody in the company could potentially be an 'authenticated user' if you didn't set a strict filter on the branch containing the OBIEE users in your LDAP/AD).

    Maybe worth to have a look at a presentation we did some time ago with @Christian Berg about security. Some models are covered including the "authenticated user" possible issues. https://speakerdeck.com/gianniceresa/obiee-security-its-a-jungle-out-there

  • Sunny86
    Sunny86 Rank 6 - Analytics Lead

    Fixed it by removing BI Consumer from the roles under it and created a identical Application policy from BIConsumer and added the users in it.

  • Can you close the thread by marking answers as required? So far it's still This question is Not Answered.