Application Roles on OBIEE 12 — Oracle Analytics

Oracle Analytics Cloud and Server

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Application Roles on OBIEE 12

Received Response
55
Views
5
Comments
marcobalduini
marcobalduini Rank 4 - Community Specialist

Hi evryone,

I'm currently working on OBIEE 12. I've seen that much has changed in application roles management.

I'm a little bit confused about the function inside Administration tool that let us manage identities.

When I create a new application role inside EM do I have to create it also inside Admin tool? (using same name)

Ho do I manage i.e. direct SQL autorizations if not inside RPD?

Am I supposed to find new application roles created inside EM automatically inside my RPD? This is not happening...

thanks in advance for help,

kind regards,

Marco

Answers

  • Sherry George
    Sherry George Rank 7 - Analytics Coach

    The "Application Roles" will appear when you are connected in online mode. See documentation below.

    https://docs.oracle.com/middleware/1221/biee/BIEMG/dataaccess.htm#BIEMG1436

    Direct Database permissions are managed in Answers under Administration->Manage Privileges.

  • marcobalduini
    marcobalduini Rank 4 - Community Specialist

    Hi George thanks for your answer,

    what you say is partially correct;

    - I'm not seeing Application Roles automatically when I create them on EM, dunno why..

    - Direct database request are managed mandatory in Admin Tool, what if I need to give access to a specific DB?

         I use to set the following property:

    pastedImage_0.png

    that's why it looks to me that managing application role is a task that have to be performed both in EM and Admin tool...

    M

  • Syedsalmancs110
    Syedsalmancs110 Rank 6 - Analytics Lead

    What is your OBIEE 12c exact version is it 12.2.1.0.X, 12.2.1.1.X or 12.2.1.2.X, X is either base version of a particular release or patch level.

    To sync application roles within RPD with EM try and follow below steps:


    Open RPD in Online mode, then Go to > Manage > Identity and then Action > Click on Synchronize Application Roles

    Please also note that there are known issues relating to same in OBIEE 12c

    OBIEE 12c : Newly Created Application Roles Are Not Reflecting In RPD (Doc ID 2206883.1)

    I can recall that on OBIEE 12.2.1.2.0 version of OBIEE 12c were this issue is said to be fixed it still doesn't work as intended after clicking on "Synchronize Application Roles" within RPD in Online Mode it takes sometime to reflect newly created roles in EM but it eventually syncs.

  • Just to be clear, you are both correct about the Direct Database Request (DDR) : it's in the RPD and in the front-end in manage privileges. It is simply 2 different kind of management !

    In the RPD you set which connection pool accept DDR globally (the setting in the physical DB object) or by role (the permissions in "query limits" tab). In the "Manage privileges" in the front-end you define who can see the "new DDR" link in the front-end to create a DDR, but doesn't manage which connection pool they are allowed to use or not.

    You are also both right for the application roles (the magic of the doc):

    Application roles are created and managed in the policy store using the Oracle WebLogic Administration Console and Fusion Middleware Control. These application roles are displayed in the Administration Tool in online mode so that you can use them to set data filters, object permissions, and query limits for particular roles. The application roles in the policy store are retrieved by the Oracle BI Server when it starts.In some cases, you may want to proceed with setting up data access security in your repository for application roles that have not yet been defined in the policy store. You can do this by creating placeholder application roles in the Administration Tool, then proceeding with setting up data access security in the repository.If you create placeholder application roles in the Administration Tool, you must eventually add them to the policy store. Run a consistency check in online mode to identify application roles that have been defined in the Administration Tool, but that have not yet been added to the policy store. Be sure to use the same name in the policy store that you used for the placeholder role in the Administration Tool.

    So real application roles are defined in Enterprise Manager, in the RPD you can add them as "reference" to define permissions and other things, but they aren't going to be created for real in the system. As the doc says it is a placeholder.

  • marcobalduini
    marcobalduini Rank 4 - Community Specialist

    Grazie Gianni!

    This explain perfectly the situation!

    Kind regards,

    Marco