OBIEE 12c repository permissions
Hi,
I'm trying to figure out how the repository permission works. I have a folder, "RRE" under my subject area. I am trying to revoke access to the user, "gli_author" by setting it to "No Access" explicitly. I bounced the servers and the user still can access the RRE folder. Any suggestions?
Answers
-
Data Filters and Permissions Defined At the User Level In The Repository Do Not Take Effect in OBIEE 12c (12.2.1) (Doc ID 2087268.1)
The cause of the behavior is not known and is tracked via BUG 22149539 - USER OBJECT PERMISSIONS AND DATA FILTERS NOT GETTING APPLIED IN 12C
Download and apply Patch 22149539 to resolve this issue.
The workaround is to define the data filter and object permissions at the application role level instead of at the user level.
Application role permissions are preferred.
HTH-
Jasmine
0 -
Because default for Authenticated User is "Read" and in the RPD an ALLOW wins over a DENY.
0 -
Not really. Far easier. Read the other comment.
Or read more in detail here: OBIEE Security: It’s a Jungle Out There
0 -
Hi Jasmine,
Thanks! That explains it. So I tried using the default roles and have a question. Does inheritance also play into RPD permissions? In my roles, BIServiceAdministrator inherits from BIContentAuthor, which inherits from BIConsumer. The standard inheritance. I created 3 users (test_consumer, test_author, test_admin) and assigned each user to its corresponding role.
When I log in as test_consumer, I don't see RRE folder.
When I log in as test_author, I don't see RRE folder.
When I log in as test_admin, I see RRE folder.
I don't understand why test_author cannot see the RRE folder, but the test_admin can. Any ideas?
0 -
Hi Christian,
Thanks for sharing, somehow our company blocked the link you provided. I'll try to access it at home and get a better understanding.
0 -
Hi @3310714 ,
Please do not go and apply any random patch posted by @Jasmine Pauline, what you saw is the expected behaviour and works like that since OBIEE exists (ok, at least 5-6 years for sure, seems to be more than enough to not be a bug!).
No luck you can't see the link (a nice company blocking slideshare.net where you find tons of slides of people's presentations, maybe send a note to your network admin they can also deserve to read some of these slides).
To make it short: "no access" there where you are setting it, in the presentation layer, is the weaker permission. A "read" and your "no access" is ignored.
Inheritance in application roles is totally valid there!
So @Christian Berg told you why you still have access: all your users are members of "authenticated user", so if this one has a "read" it will override any "no access" you set. You can't do anything to avoid that other than setting "no access" to "authenticated user" first.
Also pay attention to the "default" behaviour, it's a bit strange as it means 2 things: on the top-level, the subject area, "default" means same permission as "authenticated user". On any other object "default" means same permission as the parent object.
So if you want to secure a subject area start on the top, on the subject area itself, by setting "no access" to "authenticated user", in this way you start by defining a global "no access". Then you start adding "read" to your app roles, if it's a full access to the subject area just add a read on it and everything else underneath will inherit the "read" as they will be set on "default".
The key element to remember is: "no access" is weaker than "read" and "default" means 2 different things based on the object you refer to.
0 -
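The permission rules described in the reply above, as an added example that is not part of the original thread and not Oracle's code: a simplified Python model in which "Read" beats "No Access" across all of a user's principals and "Default" resolves the two ways the reply states. The `Obj` class and the helper functions are hypothetical names; the object, user and role names are the ones used in the thread.

```python
# Simplified model of the rules stated in the thread; not Oracle's evaluation logic.
READ, NO_ACCESS, DEFAULT = "Read", "No Access", "Default"
AUTH = "Authenticated User"
# Role inheritance quoted in the thread: each role is also a member of the next.
INHERITS = {"BIServiceAdministrator": "BIContentAuthor",
            "BIContentAuthor": "BIConsumer"}

class Obj:
    """A presentation-layer object; perms maps principal -> explicit setting."""
    def __init__(self, name, parent=None, perms=None):
        self.name, self.parent, self.perms = name, parent, perms or {}

def setting(obj, principal):
    """Resolve one principal's setting on one object, following 'Default'."""
    value = obj.perms.get(principal, DEFAULT)
    if value != DEFAULT:
        return value
    if obj.parent is not None:      # below the top: Default = parent's permission
        return setting(obj.parent, principal)
    if principal != AUTH:           # subject area: Default = Authenticated User's
        return setting(obj, AUTH)
    return READ                     # thread: Authenticated User defaults to Read

def principals(user, role):
    """The user, Authenticated User, and the role plus every role it inherits."""
    found = {user, AUTH}
    while role:
        found.add(role)
        role = INHERITS.get(role)
    return found

def can_see(obj, user, role):
    """'No Access' is the weaker permission: any 'Read' among the principals wins."""
    return any(setting(obj, p) == READ for p in principals(user, role))

def original_setup():
    """The question's setup: 'No Access' set only on the user, on the RRE folder."""
    return Obj("RRE", Obj("EDW"), {"gli_author": NO_ACCESS})

def hardened_setup():
    """The reply's advice: deny Authenticated User at the top, then grant per role."""
    edw = Obj("EDW", perms={AUTH: NO_ACCESS, "BIContentAuthor": READ})
    return Obj("RRE", edw)

if __name__ == "__main__":
    for label, rre in (("original", original_setup()), ("hardened", hardened_setup())):
        for user, role in (("gli_consumer", "BIConsumer"), ("gli_author", "BIContentAuthor")):
            print(label, user, "sees RRE:", can_see(rre, user, role))
```
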
Hi Gianni,
Thanks for your insights. I tried to create scenarios with your tips and something didn't add up. I think there is something wrong with my version, 12.2.1.0.0. I made permission changes using the online mode. For my subject area, EDW, I set the BIContentAuthor role to Read, saved, and closed Admin Tool. I immediately re-opened the repository in online mode and noticed the access for BIContentAuthor got changed to Default. I had noticed the permissions changing by itself earlier, but I thought it was my mistake. Now I realize it updates by itself!? Is that possible?
With the above permissions, gli_consumer (member of BIConsumer) and gli_author (member of BIContentAuthor) cannot see the EDW subject area. But gli_admin (member of BIServiceAdministrator) still can! I'd expected no users can see EDW subject area.
0 -
How is that the "correct answer"?!
Read what Gianni wrote. Read what I posted (we wrote that presentation together) and without getting what's in there you won't get your problem.
0