Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 17 Oracle Analytics Lounge
- 218 Oracle Analytics News
- 44 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 81 Oracle Analytics Trainings
- 15 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
Deleted all default roles and groups within Enterprise Manager Console
Hi guys,
I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.
I did it because I also created some own roles and groups manually and I also assigned our weblogic user to them. Within the Oracle BI webplatform my adjustments seemed to work but now I have the major problem, that the weblogic user does not have the propper rights to access the Enterprise Manager Console and the BI Administration Tool anymore.
I have already contacted the oracle support via SR: SR 3-14963522241 : Deleted default groups and roles (https://support.oracle.com/epmos/faces/SrDetail?_adf.ctrl-state=kh2rr90vv_9&srDetailRelativeDateParam=null&queryModeName… )
I have also checked the OTN and the web for any help on this problem and I found some threads within the OTN which are similar but not really helpful for my case.
The Oracle version of OBI EE is: 12.2.1.0.0
I sadly also do not have any backup of the "jps-config.xml"-file. The only thing we did in the past to upgrade from Oracle BI 12.1.0.0.0 to 12.2.1.0.0
Do you guys see any chance to restore the default roles and groups within Oracle Enterprise Manager Console using Linux Shell?
Thx in advance
Carsten
Answers
-
1715906 wrote:Hi guys,I have deleted all Oracle predefined roles and groups within Enterprise Manager Console this morning without knowing, what impact this issue will have.
Hi Carsten,
If your custom roles are supposed to inherit from standard roles...they won't anymore.
Any application policy and granted permission set to those standard roles (any be extension their inheritants)...won't work anymore.
So it really depends if you actually need the vanilla stuff or not.
0 -
Does anyone know where the assigned rules and groups - which are used in Oracle Enterprise Manager Console - are stored on the file system?
My thought was that I could simply replace this file with a file of a clean installation. Can maybe someone provide me such file since I only want to retrieve the default groups and roles?
0 -
Well you can import a vanilla BAR file and only import security while not importing RPD+webcat but that will wipe out your config:
0 -
Hi Carsten,
Don't think OBIEE 12c Application Roles and Groups assignment are File based like OBIEE 11g , from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward.
Could you please confirm if you deleted Administrators group from Weblogic Console(http://machinename:port/console) too??
Because "Administrators" group is the one which when assigned to user give Admin Privilege to access Admin Console and Enterprise Manager(http://machinename:port/em) as this group is assigned to Global Privileges within Roles in Admin Console.
Addition: Do you have any user which is still part of Administrator group you can try login with that user , if you have one.
Better work with Oracle Weblogic Support to try and recover the same,but as far I think its going to be bit difficult task.
Thanks and Regards,
Syed Hamd Salman
0 -
Well I think Vanilla BAR file would not give him access back to Admin Console and Enterprise Manager, will it?
Isn't it just going to get him back Default Application Roles along with SampleAppLite RPD and Catalog.
0 -
Syed Hamd Salman wrote:...from OBIEE 12c OPSS(Oracle Platform Security Services) are database based and it is still unknown(at least to me) where application role and group assignment are stored in OBIEE 12c onward
There are a bunch of tables in one of the schemas created by the RCU, but it's isn't a simple relational model where you easily find who is part of which group etc.
All these things are stored into a LDAP (the Weblogic embedded LDAP) which is stored in the database, so the format is more than weird and by hand it isn't really manageable directly at the DB level (better to stay away).
0 -
sigh
Ok what do you expect? That I tell him which OPSS.CT_xyz table to hack? No. Definitely no. You're not supposed to touch these tables. EVER.
0 -
Carsten,
Can you access either Weblogic enterprise manager . (normally <host>:<port>/em)?
or Weblogic Server Administration Console (Normally <host>:port/console) ?
0 -
I do not have access to enterprise manager and also not to weblogic server administration console using the weblogic admin user.
I just found out that there still exists one default Oracle role called "Admin". Unfortunately this role is not linked to any using within our system.
Do you think it is worth it to use one of our database backups which contains our repository?
0 -
Hi Carsten,
Could you try below steps and see if it helps you to gain back access to Admin Console and Enterprise Manager.
a) Stop your OBIEE Stack i.e. Admin Server, Managed Server and BIEE Services by running below command from following location <DOMAIN _HOME>\bitools\bin
./stop.sh (FOR UNIX)
stop.cmd (FOR WINDOWS)
b) On your OBIEE Server at following location <DOMAIN _HOME>\servers\AdminServer rename your "data" folder to "data_backup"
Don't worry this folder(data) would be recreated during Admin Server startup.c) Now just bring back UP your Admin Server by running below command from following location <DOMAIN _HOME>\bitools\bin
./start.sh -i AdminServer (FOR UNIX)
start.cmd -i AdminServer (FOR WINDOWS)
Now what I am hoping from above step is this will overwrite your Embedded LDAP security and Weblogic user would be assigned back to Administrator Group giving back you access to Weblogic Console and Enterprise Manager and if steps are successful and you get back the access to Console and EM then you can import 12C default BAR file to get back your default Application Roles too as suggested by Christian Berg in previous post, but that could only done once you have have your admin user back, right now you have your Admin User(weblogic) but it is not part of Administrator group hence will not be able to run WLST commands I guess.
But be aware that these steps if successful will not recover your newly created Users and Groups which doesn't come by default with OBIEE 12c.
Thanks and Regards,
Syed Hamd Salman
0
