Oracle Business Intelligence

Assistance with getting Active Directory authentication with OBIEE

I am trying to figure out how I can limit folder access based on AD group. I am thinking that I may be able to solve this if I remove the BI Consumer role's Read access from the Shared Folders root. What are the repercussions of this? And what are the steps to revert back if I happen to lock myself out? I am worried this will cause problems for my system admin accounts.

Answers

  • This is a follow-up / report of your question from your other thread:

    Please stick to one thread for your question or - if your original question is completely resolved - close the original thread.

    Looking at the exchange so far though: I suggest you take what Gianni has told you in his multiple, extremely exhaustive responses and think about its application. The forums are a place to exchange and get help - not a free marketplace to get work done. If you are facing a specific issue, clearly state it and people will have a look at it.

    If you are struggling with the implementation of a clearly laid out concept, such as a security matrix and diagram, which has been explained in the other thread.

    Folder security is nothing but folder security. If you draw out your security diagram and design it first, the above questions will become clear automatically. You can't expect the tool to automagically work, nor can you simply "do stuff". You have to design it and think about it. The above question looks at detailed knob twisting while the general vision and the global security concept is being disregarded. Take 4 steps back, take a pen and first draw a diagram of what you want. The rest will become clear as a result of that.

  • Hi @Christian Berg-0racle ,

    Thank you for the details. I understand what you are saying and I understand that I will likely have to do a trial and error in order to achieve my desired results. The issue is I don’t know if I will end up wasting time because at this point it does not seem like what I need to do is possible. I have it written down on how I need it set up.

    I want to try removing “Read” permissions from the BI Consumer role in my Shared Folders root to see if this resolves the issue. It seems like maybe I only need to provide Traverse rights at the Shared Folder root if I am understanding the Traverse permission. I think this is safe to do as the BI Service Administrator still has full control if I need to revert back. With that said, how can I back up my environment just in case I do need to revert back?


  • "With that said how can I backup my environment just in case I do need to revert back?"

    You can always take a backup of your catalog through either Catalog Manager or through the runcat.sh/.cmd command line. It's anyways a best practice to have cyclical backups instituted on an environment.

  • Hi @Christian Berg-0racle ,

    Just to confirm - the way to back up the OBIEE Catalog is to back up the physical catalog folder or .atr files? In the event I need to revert the entire catalog, I can simply stop my OBIEE services and replace the catalog folder or the .atr files with my backups to do a full restore? There are no other steps required? If so, I will see about setting up a batch file. It also seems that runcat can potentially be automated to just do archives rather than doing physical copies of the folders.

    Appreciate the details.

  • No. That's precisely why I said "Catalog Manager or the runcat command line".

    You do not touch the file system. Ever.

    With runcat you can script the whole thing and run it daily with your tool of choice like Windows scheduler or bash on Linux.

    The script can simply put your whole environment into maintenance mode (no changes allowed) when doing the backup export so for that you need to stop nothing.

    So basically the script will

    - connect to the OBI server in online mode

    - set the environment in maintenance mode

    - export the catalog

    - unset the maintenance mode

    Done.

    Import is also possible in online mode or you can stop the environment and do it offline. Your choice.
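
The four steps listed in the answer above, as an added bash example for the Linux runcat.sh variant (not code from the thread or from Oracle): it refuses a credentials file that other users can read and always unsets maintenance mode, even when the export fails. The paths, the URL, the archive command with -folder/-outputFile, and maintenanceMode -off are assumptions to confirm with runcat.sh -cmd COMMAND -help.

```bash
#!/usr/bin/env bash
# Added example: scripted online catalog backup following the four steps above.
# Assumptions (not from the thread): the placeholder path and URL, the
# "archive" command with -folder/-outputFile, and "maintenanceMode -off".
# Confirm each with: runcat.sh -cmd <command> -help
RUNCAT="${RUNCAT:-/path/to/domain/bitools/bin/runcat.sh}"            # placeholder
OBI_URL="${OBI_URL:-https://obi.example.internal/analytics/saw.dll}" # placeholder

# The credentials file holds a login and password in clear text, so refuse to
# use it if group or others have any permission bit set on it.
creds_are_private() {
    local perms
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    [ "$(printf '%s' "$perms" | cut -c5-10)" = "------" ]
}

# usage: runcat_online <creds-file> <command> [command options...]
runcat_online() {
    local creds="$1" cmd="$2"
    shift 2
    "$RUNCAT" -cmd "$cmd" "$@" -online "$OBI_URL" -credentials "$creds"
}

# usage: backup_catalog <creds-file> <output-file>
# returns 0 ok, 2 creds too open, 3 could not lock, 4 export failed, 5 unlock failed
backup_catalog() {
    local creds="$1" out="$2" rc=0
    creds_are_private "$creds" || { echo "credentials file too open: $creds" >&2; return 2; }
    runcat_online "$creds" maintenanceMode -on || return 3
    # Export; remember a failure but always fall through to the unset step.
    runcat_online "$creds" archive -folder "/shared" -outputFile "$out" || rc=4
    # Never leave the catalog locked against changes because the export failed.
    runcat_online "$creds" maintenanceMode -off || rc=5
    return "$rc"
}

# Run only when called as: script <creds-file> <output-file>
if [ "$#" -eq 2 ]; then backup_catalog "$1" "$2"; fi
```

A non-zero return code of 5 means the catalog may still be in maintenance mode and needs manual attention before users can save changes again.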

  • Hi @Christian Berg-0racle ,

    Thank you so much for that, but I have one more request for help.

    I am having some issues getting my credentials to pass in properly when trying to script this out. I am seeing the error below when I attempt to connect. At this point I have not tried passing in any -cmd commands for runcat.cmd as I am just trying to get the connection to work first.

    The command is simply:

    %DOMAIN_HOME%\bitools\bin\runcat.cmd -online http://usws22pdoprww01:9502/analytics -credentials D:/Oracle/scripts/Credentials/runcat.properties

    I have tried adding the /saw.dll to the end of the URL but that also does not work. This http://usws22pdoprww01:9502/analytics URL does work if I manually use runcat.cmd.

    Nothing seems to get it to actually open the catalog. I can manually type in my credentials if I execute runcat.cmd so it seems to be something with the syntax.

    I have also tested a different account with the same results. The Catalog Manager opens and it looks like it opens some catalog because in the File Menu it shows that something is open.


  • What are you trying to do? That command above doesn't contain any....command.

    This is a command:

    runcat.cmd -cmd maintenanceMode -on -online https://bla/analytics/saw.dll -credentials C:\Oracle\Backup\cred_store

    You have to use the API as it's designed. Type

    runcat.cmd -help

    to understand what it does and how it works and then

    runcat.cmd -cmd COMMANDYOUWANT -help

    for the details.

  • Christian, it's working perfectly. I appreciate the details on this.

    Thank you so much for your assistance. What can I do to close the thread?

  • Marking a response as the "answer" does it and other forum users now see the thread as "Solution Accepted" and know the thread contains a valid solution.