Application Roles on OBIEE 12

Question

Hi evryone,

I'm currently working on OBIEE 12. I've seen that much has changed in application roles management.

I'm a little bit confused about the function inside Administration tool that let us manage identities.

When I create a new application role inside EM do I have to create it also inside Admin tool? (using same name)

Ho do I manage i.e. direct SQL autorizations if not inside RPD?

Am I supposed to find new application roles created inside EM automatically inside my RPD? This is not happening...

thanks in advance for help,

kind regards,

Marco

marcobalduini · Answer

Grazie Gianni!

This explain perfectly the situation!

Kind regards,

Marco

Gianni Ceresa · Answer

Just to be clear, you are both correct about the Direct Database Request (DDR) : it's in the RPD and in the front-end in manage privileges. It is simply 2 different kind of management !

In the RPD you set which connection pool accept DDR globally (the setting in the physical DB object) or by role (the permissions in "query limits" tab). In the "Manage privileges" in the front-end you define who can see the "new DDR" link in the front-end to create a DDR, but doesn't manage which connection pool they are allowed to use or not.

You are also both right for the application roles (the magic of the doc):

Application roles are created and managed in the policy store using the Oracle WebLogic Administration Console and Fusion Middleware Control. These application roles are displayed in the Administration Tool in online mode so that you can use them to set data filters, object permissions, and query limits for particular roles. The application roles in the policy store are retrieved by the Oracle BI Server when it starts.In some cases, you may want to proceed with setting up data access security in your repository for application roles that have not yet been defined in the policy store. You can do this by creating placeholder application roles in the Administration Tool, then proceeding with setting up data access security in the repository.If you create placeholder application roles in the Administration Tool, you must eventually add them to the policy store. Run a consistency check in online mode to identify application roles that have been defined in the Administration Tool, but that have not yet been added to the policy store. Be sure to use the same name in the policy store that you used for the placeholder role in the Administration Tool.

So real application roles are defined in Enterprise Manager, in the RPD you can add them as "reference" to define permissions and other things, but they aren't going to be created for real in the system. As the doc says it is a placeholder.

Syedsalmancs110 · Answer

What is your OBIEE 12c exact version is it 12.2.1.0.X, 12.2.1.1.X or 12.2.1.2.X, X is either base version of a particular release or patch level.

To sync application roles within RPD with EM try and follow below steps:

Open RPD in Online mode, then Go to > Manage > Identity and then Action > Click on Synchronize Application Roles

Please also note that there are known issues relating to same in OBIEE 12c

OBIEE 12c : Newly Created Application Roles Are Not Reflecting In RPD (Doc ID 2206883.1)

I can recall that on OBIEE 12.2.1.2.0 version of OBIEE 12c were this issue is said to be fixed it still doesn't work as intended after clicking on "Synchronize Application Roles" within RPD in Online Mode it takes sometime to reflect newly created roles in EM but it eventually syncs.