I'm using WLS Authentication with External Table Authorization. The authentication/authorization is working just fine. I've added an entry called President into the GROUPS external table, and I've added a user into the GROUPMEMBERS table, assigning him to the President group. I then went into FMC and assigned the President role as a member of the BIAdministrators role in FMC. When I log in to Analytics, the new user has all of the rights of a BIAdministrator. So far so good.
But now our rules have changed, and we've decided that we don't want members of the President group to be assigned into the BIAdministrator Role. In FMC, I navigate to the BIAdministrator role, highlight the President line, and click the Delete icon. The President row disappears from the screen.
Now I click the OK button to close the screen. A popup dialog appears saying: The search for role President failed._
The only option on that popup is to click OK. The BIAdministrator role cannot be saved. I can only Cancel, and thus leave President as a group member of the BIAdministrator role.
So to summarize, a group defined in the external table and added as a member of a role cannot subsequently be removed from that role.
And I just discovered that the problem is even a little larger. The BIAdministrators group is also a member of the BIAdministrator role. When I try to remove the BIAdministrators group as a member of the BIAdministrator role, I get the same behavior. The Delete appears to work, but clicking OK fails with the message The search for role BIAdministrators failed._ So it appears that the problem might not be limited to just groups defined in the external table.
I'm running 184.108.40.206.6 on Windows 2008 Server 32-bit.
Edited by: Mark T. on Jan 24, 2013 6:35 AM
Well it appears to be a bug. I found this: Error Deleting Role or Group From BISQLGroupProvider in OBIEE 11g [ID 1456674.1]
According to that doc, the solution is to delete, then recreate, the BISQLGroupProvider adapter. Lovely.
DAMMIT, ORACLE, DOES THE WORD TESTING* MEAN ANYTHING TO YOU???? Pathetic. Truly pathetic. You did NOT test this very simple situation.
Here's something else that I find absolutely inexcusable. The instructions for configuring the WLS LDAP authentication with External Table authorization are contained in the downloadable file TechNote_LDAP_Auth_Groups_V3-2.pdf. That pdf has bad instructions in it, instructions that cause the problem that has to be fixed by deleting the adapter that is created by those very instructions.
SO WHY NOT FIX THAT PDF FILE so that everyone who downloads it in the future isn't bitten by this same bug? Oracle is providing us with information in document "A" that tells us how to install a buggy product, and another document "B" that tells us how to fix the bug caused by following the instructions in document "A". It isn't rocket science people -- FIX DOCUMENT "A"!!