Oracle Analytics Cloud and Server

OBIEE 12c repository permissions

Rank 6 - Analytics Lead

Hi,

I'm trying to figure out how the repository permission works. I have a folder, "RRE", under my subject area. I am trying to revoke access for the user "gli_author" by setting it to "No Access" explicitly. I bounced the servers and the user can still access the RRE folder. Any suggestions?

ScreenShot092.jpg

Answers

  • Rank 5 - Community Champion

    Data Filters and Permissions Defined At the User Level In The Repository Do Not Take Effect in OBIEE 12c (12.2.1) (Doc ID 2087268.1)

    The cause of the behavior is not known and is tracked via BUG 22149539 - USER OBJECT PERMISSIONS AND DATA FILTERS NOT GETTING APPLIED IN 12C

    Download and apply Patch 22149539 to resolve this issue.

    The workaround is to define the data filter and object permissions at the application role level instead of at the user level.

    Application role permissions are preferred.

    HTH-

    Jasmine

  • Rank 10 - Analytics Guru

    Because default for Authenticated User is "Read" and in the RPD an ALLOW wins over a DENY.

  • Rank 10 - Analytics Guru

    Not really. Far easier. Read the other comment.

    Or read more in detail here: OBIEE Security: It’s a Jungle Out There

  • Rank 6 - Analytics Lead

    Hi Jasmine,

    Thanks!  That explains it.  So I tried using the default roles and have a question.  Does inheritance also play into RPD permissions?  In my roles, BIServiceAdministrator inherits from BIContentAuthor, which inherits from BIConsumer.  The standard inheritance.  I created 3 users (test_consumer, test_author, test_admin) and assigned each user to its corresponding role.

    ScreenShot093.jpg

    When I log in as test_consumer, I don't see RRE folder.

    When I log in as test_author, I don't see RRE folder.

    When I log in as test_admin, I see RRE folder.

    I don't understand why test_author cannot see the RRE folder, but the test_admin can.   Any ideas?

  • Rank 6 - Analytics Lead

    Hi Christian,

    Thanks for sharing. Somehow our company blocked the link you provided. I'll try to access it at home and get a better understanding.

  • Hi @3310714 ,

    Please do not go and apply any random patch posted by @Jasmine Pauline. What you saw is the expected behaviour, and it has worked like that for as long as OBIEE has existed (OK, at least 5-6 years for sure, which seems more than enough for it not to be a bug!).

    Bad luck that you can't see the link (a nice company, blocking slideshare.net, where you find tons of slides from people's presentations; maybe send a note to your network admin, they also deserve to read some of these slides).

    To make it short: "no access" there where you are setting it, in the presentation layer, is the weaker permission. A "read" and your "no access" is ignored.

    Inheritance in application roles is totally valid there!

    So @Christian Berg told you why you still have access: all your users are members of "authenticated user", so if this one has a "read" it will override any "no access" you set. You can't do anything to avoid that other than setting "no access" on "authenticated user" first.

    Also pay attention to the "default" behaviour, it's a bit strange as it means 2 things: on the top-level, the subject area, "default" means same permission as "authenticated user". On any other object "default" means same permission as the parent object.

    So if you want to secure a subject area, start at the top, on the subject area itself, by setting "no access" for "authenticated user"; in this way you start by defining a global "no access". Then you start adding "read" to your app roles. If it's full access to the subject area, just add a read on it and everything else underneath will inherit the "read", as they will be set to "default".

    The key element to remember is: "no access" is weaker than "read" and "default" means 2 different things based on the object you refer to.

  • Rank 6 - Analytics Lead

    Hi Gianni,


    Thanks for your insights.  I tried to create scenarios with your tips and something didn't add up.  I think there is something wrong with my version, 12.2.1.0.0.  I made permission changes using the online mode.  For my subject area, EDW, I set the BIContentAuthor role to Read, saved, and closed Admin Tool. 

    ScreenShot101.jpg

    I immediately re-opened the repository in online mode and noticed the access for BIContentAuthor got changed to Default. I had noticed the permissions changing by themselves earlier, but I thought it was my mistake. Now I realize it updates by itself!? Is that possible?

    ScreenShot102.jpg

    With the above permissions, gli_consumer (member of BIConsumer) and gli_author (member of BIContentAuthor) cannot see the EDW subject area.  But gli_admin (member of BIServiceAdministrator) still can!  I'd expected no users can see EDW subject area. 

  • Rank 10 - Analytics Guru

    How is that the "correct answer"?!

    Read what Gianni wrote. Read what I posted (we wrote that presentation together) and without getting what's in there you won't get your problem.
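
The resolution rules stated in Gianni's and Christian's replies above ("read" beats "no access", the two meanings of "default", application role inheritance), written out as a small model. This is an added example, not Oracle code and not part of any post; the ACL dictionary layout, the object paths and the function names are assumptions, and user-level entries are left out.

```python
READ, NO_ACCESS, DEFAULT = "read", "no access", "default"
AUTH = "Authenticated User"

# Role hierarchy as described in the thread: each role lists what it inherits from.
ROLE_PARENTS = {
    "BIServiceAdministrator": ["BIContentAuthor"],
    "BIContentAuthor": ["BIConsumer"],
    "BIConsumer": [],
}

def effective_roles(direct_roles):
    """Directly granted roles, everything they inherit, and Authenticated User."""
    seen, stack = {AUTH}, list(direct_roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, []))
    return seen

def resolve(acl, path, role):
    """One role's permission on the object at `path` (tuple, subject area first)."""
    setting = acl.get(path, {}).get(role, DEFAULT)
    if setting != DEFAULT:
        return setting
    if len(path) > 1:              # below the top level: same as the parent object
        return resolve(acl, path[:-1], role)
    if role != AUTH:               # on the subject area: same as Authenticated User
        return resolve(acl, path, AUTH)
    return READ                    # Authenticated User itself defaults to "Read"

def can_see(acl, path, direct_roles):
    """A "read" from any effective role overrides "no access" from the others."""
    return any(resolve(acl, path, r) == READ for r in effective_roles(direct_roles))

# Constructed ACLs. Weak: "no access" on the folder only, Authenticated User untouched.
WEAK = {("EDW", "RRE"): {"BIContentAuthor": NO_ACCESS}}
# Hardened: deny Authenticated User at the subject area, then grant "read" per role.
HARDENED = {("EDW",): {AUTH: NO_ACCESS, "BIContentAuthor": READ}}

def visibility(acl, path=("EDW", "RRE")):
    users = {"consumer": ["BIConsumer"], "author": ["BIContentAuthor"],
             "admin": ["BIServiceAdministrator"]}
    return {name: can_see(acl, path, roles) for name, roles in users.items()}

if __name__ == "__main__":
    print("weak:    ", visibility(WEAK))
    print("hardened:", visibility(HARDENED))
```

In the weak layout every user still sees the folder through Authenticated User's "read"; in the hardened layout only the role granted "read" at the subject area, and roles that inherit from it, can see it.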
