Reg. Access Privilege to New User in OBIEE 11g
Answers
-
Hi Cesar,
The issue I am facing is this..
On creating a user in the WebLogic console under security realm -> "myrealms", I am able to access OBI Presentation Services and access all folders.
Please shed some light on this.
Regards
Prasanna
0 -
Hello Prasanna,
OK, at the final step on this, to set up the Authorization, you have to go inside your Oracle BI Administration Tool, and set up like this:
- Authenticated User "NO ACCESS"
- <YourApplicationRole> set to Read or ReadWrite (if you use WriteBack functionality).
Kind Regards
0 -
Hi Cesar,
Thanks for the response.
This looks like a restriction on Subject Area Access, will this be enough to apply the restriction on different folders?
I would like to put the restriction on Presentation Catalog folders.
Regards
Prasanna
0 -
If you mean that a specific "user" with a specific "Application Role" should have permission for only one or various catalog folders, you could set it up like this:
1. First, your "Shared Folders",
This setting ensures that your Oracle BI Administrator is the only user that has access to all folders in the Presentation Catalog Folders.
2. If you want to give access for a specific "Application Role" to a specific "Folder Catalog"
Kind Regards
0 -
Hi Cesar,
Let me illustrate my problem with some screenshots.
I have created a user (highlighted in yellow) as below
As shown below, the user is not linked to any group.
Also, no new Application Roles have been created in em.
On logging in to Presentation Services as RBDUser, as shown below, I have access to all folders under "Shared Folders".
In a nutshell, the user 'RBDUser' has access to all the sub-folders under Shared Folders even though no application roles/groups are associated with the respective user.
I am just amazed at how complete access is given to a new user which doesn't have any rights associated with it.
Would be grateful if you can help me out of this issue.
Regards
Prasanna
0 -
Hello Prasanna,
OK, right there:
1. Check the default security setting,
Authenticated Role
The Authenticated role is a special application role provided by the Oracle Fusion Middleware security model and is made available to any application deploying this security model. Oracle Business Intelligence uses the authenticated application role to grant permissions implicitly derived by the role and group hierarchy of which the Authenticated role is a member. The Authenticated role is a member of the BIConsumer role by default and, as such, all Authenticated role members are granted the permissions of the BIConsumer role implicitly.
Every user who successfully logs in to Oracle Business Intelligence becomes a member of the Authenticated role, which is a replacement Everyone Catalog group in release 10g. The Authenticated role is not part of the obi application stripe and is not searchable in the Oracle Business Intelligence policy store. However, the Authenticated role is displayed in the administrative interface for the policy store, is available in application role lists, and can be added as a member of another application role.
http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/install.htm#BIESC768
So when you log in you implicitly get the "Authenticated-Role" in Oracle BI, and implicitly you get the permissions of Oracle BI Consumer; for that reason, when you go inside the Shared Catalog, you can see all folders.
Please check these screenshots.
So, let's start with a replication of your case:
1. I created a new user
2. I set up the configuration of the folder, for the BI Administrator Role, with just the privileges to check all the catalog:
3. If you log in as "prassana", which doesn't have any "Group".
Kind Regards,
0 -
Hi Cesar,
Thanks for taking up my case and spending some time on it!
I found out that the BI Consumer Role has access to Shared Folders by default. I am going to remove the below permissions and set the permissions for the custom Application Roles.
Let me try this out and let you know if any issues arise.
Regards
Prasanna
0 -
Hello Prasanna,
There is no issue; it is part of the default security settings.
- In other words, you set up the "Authentication" for your new user (user and password), however your user doesn't have any "GROUP".
Until now, we have something like this, see screenshot:
- When you authenticate in Oracle BI Analytics, you get the "Authenticated-Role" ("Every user who successfully logs in to Oracle Business Intelligence becomes a member of the Authenticated role"); the "Authenticated-Role" implicitly (automatically) gets all the privileges of Oracle BI Consumer (Authenticated role is a member of the BIConsumer role by default and, as such, all Authenticated role members are granted the permissions of the BIConsumer role implicitly.)
- In the "Shared Folder" permissions by default we have "BI Administrator Role" and "BI Consumer Role". As you mentioned in your requirement, first we need to remove "BI Consumer Role", and give full control of the shared folder only to your users who have the "BI Administrator Role".
Note: When you set this up, make sure to check:
"Apply permissions to sub-folders"
"Apply permissions to items within folder"
Kind Regards,
0
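
The role inheritance described in this thread, as an added example that is not part of the original posts and not Oracle code: a simplified Python model showing why a user with no groups still opens "Shared Folders", and how removing BIConsumer from the folder permissions closes that path. The folder paths, the `FinanceAnalyst` role and all function names are hypothetical; only the Authenticated to BIConsumer membership comes from the documentation quoted above.

```python
# Simplified model (constructed for illustration, not Oracle code).
# role -> roles it is a member of. Only this one link is taken from the
# Oracle documentation quoted in the thread.
ROLE_MEMBER_OF = {"Authenticated": {"BIConsumer"}}


def effective_roles(direct_roles, member_of=ROLE_MEMBER_OF):
    """Every logged-in user gets Authenticated; follow memberships transitively."""
    seen, stack = set(), ["Authenticated", *direct_roles]
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(member_of.get(role, ()))
    return seen


def can_access(direct_roles, folder_acl, member_of=ROLE_MEMBER_OF):
    """Assumption: a folder is visible if any effective role is in its ACL.
    Real catalog permissions also have levels (Read, Full Control, ...)."""
    return bool(effective_roles(direct_roles, member_of) & folder_acl)


def audit(folder_acls, member_of=ROLE_MEMBER_OF):
    """Folders that a user with no groups and no application roles can open."""
    return sorted(path for path, acl in folder_acls.items()
                  if can_access([], acl, member_of))


# Constructed ACLs: the default state described in the thread ...
DEFAULT_ACLS = {
    "/shared": {"BIAdministrator", "BIConsumer"},
    "/shared/Finance": {"BIAdministrator", "BIConsumer"},
}
# ... and the state after removing BIConsumer and granting a custom role.
HARDENED_ACLS = {
    "/shared": {"BIAdministrator"},
    "/shared/Finance": {"BIAdministrator", "FinanceAnalyst"},
}

if __name__ == "__main__":
    print("roles of a group-less user:", sorted(effective_roles([])))
    print("exposed by default:", audit(DEFAULT_ACLS))
    print("exposed after hardening:", audit(HARDENED_ACLS))
    print("FinanceAnalyst sees /shared/Finance:",
          can_access(["FinanceAnalyst"], HARDENED_ACLS["/shared/Finance"]))
```
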