Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 15 Oracle Analytics Lounge
- 208 Oracle Analytics News
- 41 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 76 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
12c How do you Modify an Agent When you Are Not the Agent Creator?
In a nutshell, I need to know how to set OBIEE up to allow a user to modify an agent that he/she did not create. Here is how we have things set up currently:
I have a user who is a member of the BI Author Role group. Here are the settings we have for Delivers:
This user, test51, also has full control to the Training Folder inside the Shared Folders:
And to the Other folder within the Training folder:
And to the TestAgent:
Notice that the BI Author Role is the Owner of this object, and remember that test51 is a member of the BI Author Role group.
test51 also has full control permission for the report that is being delivered by this agent (and to the parent and grandparent folders that the report is in):
But when I sign in as test51 and attempt to edit the agent, I get the following message when I try to save:
This issue exists for all agents. If anyone other than an Admin user tries to edit an agent which he or she did not create, they receive the error, regardless of any permissions settings that we have been able to find.
Please advise us on the EXACT conditions that need to be set to allow users to edit an agent which they did not create.
Answers
-
How is Run As setup for this agent?
Please also refer to doc 2069473.1
0 -
It is set up as Use Agent Owner's credentials. We almost always have our agents set up to deliver to email addresses, and you can't use the Recipient option with email addresses. Is that where the issue is? (I can't read the document you linked to - I'm not the official support person at my company so I don't have access to our valid support identifier.)
0 -
We have created shared 'Agent User' accounts for that as a workaround.
0 -
Agent owner is specified as admin? If so, only an Admin can change it. Specify the agent owner at a lower group and all users belonging to that group are able to adjust this agent.
0 -
We use single sign-on and are unable to create accounts like that.
0 -
This does not work. Even if a user of the BI Author group creates the agent, and then an admin specifies the BI Author group as the owner and gives full control to that group, still only the person who created the agent is able to make changes to it. Even if an admin changes the owner to a single user and gives that user Full Control in permissions, if that person did not create the agent, he/she is not able to make changes to it.
0 -
The issue you see is expected if you think at the agent from a security point of view: your agent is running as a specified user (which is referenced inside the agent itself), so OBIEE "login" as that user and execute the agent (run the analysis) and send the result by email to a list of random addresses you added.
If you allow other users than the owner / current "run as" user to edit the agent you actually created a "act as" thing : you can have a user execute OBIEE content as somebody else (maybe with more privileges) and send the result to random recipients.
That's why OBIEE is really strict on who can change the agent, just because of the security impact of that decision. If your agents would be "run as recipient" it would be different as there wouldn't be any security issue (and I'm not saying you have to change this, just explaining the point on security).
If you look once at the XML code of the agent you will see the GUID/username of the user used to execute it is really hardcoded there, and that's one of the reasons why it's so difficult to edit agents other users created when you aren't an admin.
0 -
Thanks Gianni (and everyone else who replied). This makes sense.
0
