Oracle Analytics Cloud and Server

Home Oracle Analytics Oracle Analytics Forums Oracle Analytics Cloud and Server Oracle Analytics Cloud and Server

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Restrict access (temporarily)

Received Response
81
Views
9
Comments
Charles M
Charles M Rank 6 - Analytics Lead
edited August 13 in Oracle Analytics Cloud and Server

Hi All -

We're looking for a way to "restrict" front-end access, temporarily, to OBIEE/analytics. Is there a best practice for this? I know that there is maintenance mode, but my understanding there is that this just puts the catalog in a read-only mode (users could still log in ... right?).

Any thoughts on how to handle situations (though, sparse) when you'd need to do this - restrict access? I've thought of a couple, but they don't seem graceful/practical ...

Version(s): OBIA 11.1.1.10.1 / OBIEE 11.1.1.9.3

Regards,

Charles.

Answers

  • Srinivas Malyala-Oracle
    Srinivas Malyala-Oracle Rank 4 - Community Specialist

    a) how about bring services down ?

    b) if you want few users to access and few user NOT to access then restrict using role population.

                   While populating role have an additional condition. In a table if maintenance_mode = Y then don't populate roles.

  • Charles M
    Charles M Rank 6 - Analytics Lead

    Hi ... thanks for the reply.

    a) how about bring services down ?

    Right, doable. But, the technical/development team may be working on things behind the scenes (releases, migrations, enhancements, etc.) - mostly, that would be the reason for doing this. There are some users who access the system, even during the overnight hours ... so, just shifting time periods does not completely address.

    b) if you want few users to access and few user NOT to access then restrict using role population.               While populating role have an additional condition. In a table if maintenance_mode = Y then don't populate roles.

    Not familiar with this. Can you elaborate/clarify?

    Regards,

    Charles

  • Srinivas Malyala-Oracle
    Srinivas Malyala-Oracle Rank 4 - Community Specialist

    Could you please provide further details on your environment.

    a) If you have bigip ....may be re-direct it to maintenance page.

    b) If you have OHS server ...then bring down services on OHS ...still OBIEE operations can performed in parallel.

    coming to elaborate/clarify part: how you are doing authentication and authorization ? I am sure for authorization you will be using application roles. How you are populating role for an user ?

    In this mechanism add additional check to see is there maintenance going on or not. As per my knowledge there is no in-built function to tackle this situation.

    Example if you are populating role using following query

    select role from role_table where user= :user_logged

    Modify it to something like below.

    select  case when is_maintenance = 'No' then role else 'most_restricted_role' end

    from role_table

    where user= :user_logged

    here most_restricted_role is nothing but user will not be able to access anything.

  • Christian Berg-0racle
    Christian Berg-0racle Rank 10 - Analytics Guru

    Redirect traffic to a static web page? Setting the access rights to "Deny" for all app roles except BI Administrator?

  • Charles M
    Charles M Rank 6 - Analytics Lead

    Hi - 

    a) If you have bigip ....may be re-direct it to maintenance page.

         Not sure about this. I'd have to reach out to some other teams (Network, UNIX, etc.) to find out. Probably not feasible for us to pursue. Thanks for the suggestion though ...

    b) If you have OHS server ...then bring down services on OHS ...still OBIEE operations can performed in parallel.

         Doesn't look like it. I logged in to FMW EM, and I don't see that there is any OHS server(s). Good thought though!

    how you are doing authentication and authorization

         We use the WebLogic(11g) internal LDAP. Otherwise, all else is handled in FMW, right? This is an OBIA 11.1.1.10.1 instance. Roles are mapped through FMW.

    Regards,

    Charles

  • Charles M
    Charles M Rank 6 - Analytics Lead

    Thanks Christian. How would we implement something like that? I do have access to the application and database tiers, but beyond that I'd need to get other teams involved - not always a straight-forward task ... especially trying to get into a production environment.

  • Christian Berg-0racle
    Christian Berg-0racle Rank 10 - Analytics Guru

    If you have an Apache in front for example it is as simple as a URL redirect.

    IMHO preferable since you don't touch / change the app layer itself and its security.

    https://httpd.apache.org/docs/2.4/rewrite/remapping.html

  • Venkata Rachuri
    Venkata Rachuri Rank 5 - Community Champion

    We also installed a saperate apache server on the machine where OBIEE is installed. When we do maintenance, we stop OBIEE services and fire up apache to redirect URL to static webpage which says ""site is currrently under maintanance" .

    https://www.digitalocean.com/community/tutorials/how-to-create-temporary-and-permanent-redirects-with-apache-and-nginx

    Thanks

    Venkat

  • Charles M
    Charles M Rank 6 - Analytics Lead

    Hi ... thanks everyone for the ideas. Sounds like we have a general consensus on how to approach this, and some good links to further details.

    I'm going to work with our UNIX/Network teams to help us put something similar into place.

    Appreciate the input!