Deleted all default roles and groups within Enterprise Manager Console — Oracle Analytics

Oracle Analytics Cloud and Server

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Deleted all default roles and groups within Enterprise Manager Console

Received Response
155
Views
20
Comments
Carsten Weber
Carsten Weber Rank 5 - Community Champion

Hi guys,

I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.

I did it because I also created some own roles and groups manually and I also assigned our weblogic user to them. Within the Oracle BI webplatform my adjustments seemed to work but now I have the major problem, that the weblogic user does not have the propper rights to access the Enterprise Manager Console and the BI Administration Tool anymore.

I have already contacted the oracle support via SR: SR 3-14963522241 : Deleted default groups and roles (https://support.oracle.com/epmos/faces/SrDetail?_adf.ctrl-state=kh2rr90vv_9&srDetailRelativeDateParam=null&queryModeName… )

I have also checked the OTN and the web for any help on this problem and I found some threads within the OTN which are similar but not really helpful for my case.

The Oracle version of OBI EE is: 12.2.1.0.0

I sadly also do not have any backup of the "jps-config.xml"-file. The only thing we did in the past to upgrade from Oracle BI 12.1.0.0.0 to 12.2.1.0.0

Do you guys see any chance to restore the default roles and groups within Oracle Enterprise Manager Console using Linux Shell?

Thx in advance

Carsten

«1

Answers

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner
    1715906 wrote:Hi guys,I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.

    Hi Carsten,

    If your custom roles are supposed to inherit from standard roles...they won't anymore.

    Any application policy and granted permission set to those standard roles (any be extension their inheritants)...won't work anymore.

    So it really depends if you actually need the vanilla stuff or not.

  • Carsten Weber
    Carsten Weber Rank 5 - Community Champion

    Does anyone know where the assigned rules and groups - which are used in Oracle Enterprise Manager Console - are stored on the file system?

    My thought was that I could simply replace this file with a file of a clean installation. Can maybe someone provide me such file since I only want to retrieve the default groups and roles?

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Well you can import a vanilla BAR file and only import security while not importing RPD+webcat but that will wipe out your config:

    https://docs.oracle.com/middleware/12211/biee/BIESG/GUID-D74741C6-D069-4ABF-A574-C9A57A7FE6D0.htm#BIESG9320

  • Syedsalmancs110
    Syedsalmancs110 Rank 6 - Analytics Lead

    Hi Carsten,

    Don't think OBIEE 12c Application Roles and Groups assignment are File based like OBIEE 11g , from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward.

    Could you please confirm if you deleted Administrators group from Weblogic Console(http://machinename:port/console) too??

    Because "Administrators" group is the one which when assigned to user give Admin Privilege to access Admin Console and Enterprise Manager(http://machinename:port/em) as this group is assigned to Global Privileges within Roles in Admin Console.

    Addition: Do you have any user which is still part of Administrator group you can try login with that user , if you have one.

    Better work with Oracle Weblogic Support to try and recover the same,but as far I think its going to be bit difficult task.

    Thanks and Regards,

    Syed Hamd Salman

  • Syedsalmancs110
    Syedsalmancs110 Rank 6 - Analytics Lead

    Well I think Vanilla BAR file would not give him access back to Admin Console and Enterprise Manager, will it?

    Isn't it just going to get him back Default Application Roles along with SampleAppLite RPD and Catalog.

  • Syed Hamd Salman wrote:...from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward

    There are a bunch of tables in one of the schemas created by the RCU, but it's isn't a simple relational model where you easily find who is part of which group etc.

    All these things are stored into a LDAP (the Weblogic embedded LDAP) which is stored in the database, so the format is more than weird and by hand it isn't really manageable directly at the DB level (better to stay away).

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    sigh

    Ok what do you expect? That I tell him which OPSS.CT_xyz table to hack? No. Definitely no. You're not supposed to touch these tables. EVER.

  • Khalid Ibrahim
    Khalid Ibrahim Rank 4 - Community Specialist

    Carsten,

    Can you access either Weblogic enterprise manager  . (normally <host>:<port>/em)?

    or Weblogic Server Administration Console  (Normally <host>:port/console) ?

  • Carsten Weber
    Carsten Weber Rank 5 - Community Champion

    I do not have access to enterprise manager and also not to weblogic server administration console using the weblogic admin user.

    I just found out that there still exists one default Oracle role called "Admin". Unfortunately this role is not linked to any using within our system.

    Do you think it is worth it to use one of our database backups which contains our repository?

  • Syedsalmancs110
    Syedsalmancs110 Rank 6 - Analytics Lead

    Hi Carsten,

    Could you try below steps and see if it helps you to gain back access to Admin Console and Enterprise Manager.

    a) Stop your OBIEE Stack i.e. Admin Server, Managed Server and BIEE Services by running below command from following location <DOMAIN _HOME>\bitools\bin

    ./stop.sh (FOR UNIX)

    stop.cmd (FOR WINDOWS)

    b) On your OBIEE Server at following location <DOMAIN _HOME>\servers\AdminServer rename your "data" folder to "data_backup"


    Don't worry this folder(data) would be recreated during Admin Server startup.

    c) Now just bring back UP your Admin Server by running below command from following location <DOMAIN _HOME>\bitools\bin

    ./start.sh -i AdminServer (FOR UNIX)

    start.cmd -i AdminServer (FOR WINDOWS)

    Now what I am hoping from above step is this will overwrite your Embedded LDAP security and Weblogic user would be assigned back to Administrator Group giving back you access to Weblogic Console and Enterprise Manager and if steps are successful and you get back the access to Console and EM then you can import 12C default BAR file to get back your default Application Roles too as suggested by Christian Berg in previous post, but that could only done once you have have your admin user back, right now you have your Admin User(weblogic) but it is not part of Administrator group hence will not be able to run WLST commands I guess.

    But be aware that these steps if successful will not recover your newly created Users and Groups which doesn't come by default with OBIEE 12c.

    Thanks and Regards,

    Syed Hamd Salman