"Upgrading" from OAM/OID to IAM problem with administrators in OAS.

We are on OAS 2024 and have swapped out OAM/OID to IAM. This has worked pretty well, but our administrative users have effectively lost their powers. This is due to faults that happen unless OID is running (which is our current solution).
For example, I am unable to create a dataset, run data flows or create connections as myself because the system cannot find objects. We suspect that the KRISTIAN user from OID creates problems when the kristian user from IAM attempts to do things and that there is an issue there.
Even when attempting to create a dataset from scratch, it fails in the profiling step as if I lose my read access even if I own the object, giving faults that point to 404 - Not found. If I do this with OID running, suddenly everything works. We've done config settings as per Oracle documentation. In our UAT environment we have installed a clean marketplace and imported a snapshot without roles to try to get it to work, but it does not. For a new IAM user that is non-existent in OID, everything works.
We have opened an SR with Oracle, but it takes forever. They answer after a business day and do a single test after 10 minutes and then we wait a business day (or two, or 5) again for another reply, even after escalation.
Has anyone else come across this issue or have suggestions on how to solve it? Being dependent on OID is not really a situation that is very ideal.
Best,
Kristian
Best Answer
-
The issue now seems to be solved.
Migrating a snapshot without OID provider seemed to do the trick together with creating an empty administrator role to inherit BIAdminrole (2024 admin role) as BI Service Administrator did not seem sufficient.
There were no additional configs that we had to do, other than what was in official Oracle support documents.
We also found out that if Azure AD delivers uppercase and lowercase users, it seems to be problematic.
Thank you for all suggestions!
0
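The accepted answer attributes the breakage to the same principal arriving in two spellings (uppercase from OID, lowercase from IAM) and to catalog objects still owned under the old spelling. The following check, added here as an example and not part of the thread or of any Oracle tooling, runs over constructed user lists and object ids of the "owner.objectname" form mentioned later in the thread; treating the text before the first dot as the owner is an assumption.

```python
"""Triage helper: find principals that exist in two identity sources with
differing letter case, and catalog objects whose owner is still spelled as in
the old source. All inputs below are constructed sample data."""
from collections import defaultdict


def case_collisions(old_users, new_users):
    """Return {casefolded name: (old spellings, new spellings)} for every
    principal present in both sources whose spellings differ only by case."""
    by_key = defaultdict(lambda: (set(), set()))
    for user in old_users:
        by_key[user.casefold()][0].add(user)
    for user in new_users:
        by_key[user.casefold()][1].add(user)
    return {key: (sorted(old), sorted(new))
            for key, (old, new) in by_key.items()
            if old and new and old != new}


def stale_owners(object_ids, old_users, new_users):
    """Return object ids whose owner prefix matches a principal spelled as in
    the old source but not as in the new one; these are the candidates for
    an explicit change of ownership to the new-source user."""
    old_exact, new_exact = set(old_users), set(new_users)
    stale = []
    for obj_id in object_ids:
        # Assumption: owner is everything before the first dot.
        owner, _, _name = obj_id.partition(".")
        if owner in old_exact and owner not in new_exact:
            stale.append(obj_id)
    return stale


# Constructed sample inputs (not real directory exports).
OID_USERS = ["KRISTIAN", "ADMINUSER1", "REPORTUSER"]
IAM_USERS = ["kristian", "adminuser1", "adminuser2"]
OBJECT_IDS = ["KRISTIAN.sales_ds", "adminuser2.hr_ds",
              "ADMINUSER1.finance_df", "adminuser1.budget_ds"]

if __name__ == "__main__":
    for key, (old, new) in case_collisions(OID_USERS, IAM_USERS).items():
        print(f"case collision for {key}: old={old} new={new}")
    for obj_id in stale_owners(OBJECT_IDS, OID_USERS, IAM_USERS):
        print(f"owned under old-source spelling: {obj_id}")
```

A user that appears only in one source (REPORTUSER above) is not reported, since the problem described in the thread needs both spellings to be live at once.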
Answers
-
Have you / how have you confirmed that, when logged in via IAM, KRISTIAN has the predefined role BI Service Administrator?
Is it via group or direct membership?
1 -
Also, one other thing that comes to mind, when you map groups to roles in Enterprise Manager → biinstance → Security → Application Roles, even if the group name is the exact same in the new auth provider as the old, it will not work.
You must re-map the NEW group after you are migrated to the new auth provider. If the group name in the new and old system are the same, IT WILL NOT WORK.
It's sort of the same issue as if you stub in a group before it's created in the auth source; then in OID, if it's created after that, it won't work properly. You have to go back into the /em and delete out the group to role membership, and re-add it.
0 -
Yes, it is via group membership. Nothing is given directly (permissions/roles).
We will definitely check the solution you have outlined, Thank you!
We're currently in the process of attempting to change all object ownerships from the source environment to an IAM user and then migrating the snapshot to see if that works (tests if object ownership in the snapshot matters - it should not as per documentation, but worth a shot).
0 -
Another suggestion is to go to console > content management link and verify the owner of these objects. You could do change ownership and explicitly pick the IAM user so all object ownership is set up correctly. Somewhere there seems to be a conflict with the object ownership based on username (because if you check inspect of a dataset and copy the object id, it will show username.datasetname). So if for some reason ownership is getting set as the OID user instead of the IAM user, it could cause issues.
0 -
We have now attempted to both set ownership of all objects to an IAM-adminuser2 that does not have a corresponding OID-USER in content manager and then export the snapshot. This yields the same results. IAM-adminuser2 has all privileges, where adminuser1 lacks some of them.
Another attempt was deleting the OID provider completely from the environment and then restarting the service. This got us closer as the OID-adminuser1 that previously existed as OID-ADMINUSER1 can now read datasets and run data flows without errors (or OID running, which was the case previously).
A weird result of this is that if adminuser1 (lowercase, previously existed in OID) runs a dataflow, the dataflow succeeds but changes ownership of the target dataset to ADMINUSER (uppercase). If adminuser2 (who never existed in OID) does the same, it changes ownership to adminuser2 (lowercase).
This does not make sense to us since the provider is deleted.
The current situation is that adminuser1 is unable to create datasets from scratch (datasets do not profile, cannot reload datasets unless they are very small) and cannot create or edit connections. adminuser2 is able to do everything.
The only difference between adminuser1 and adminuser2 is that adminuser1 had a corresponding ADMINUSER1 in OID and adminuser2 does not.
0 -
Do you have 'Use Retrieved User Name as Principal' enabled for the provider?
If not, you should enable it, then restart, then perform the actions mentioned by BrendanH on 15-May.
0 -
Thank you for your response!
We have not found this option. The one that most closely resembled it is "Client As User Principal Enabled" - Is this the same?
0 -
Hi Kristian,
Check here:
1. Log in to WebLogic console and go to Security Realms -> select your Realm (default= myrealm)
2. Then, select Providers tab.
3. Select your provider from the list, and select the Configuration > Provider Specific subtab.
I don't have IAM configured to compare, but check if it is an option there.
0