2 Replies Latest reply on Feb 4, 2015 6:39 AM by user953988

    How to disable MAD for certain usergroups / application roles?

    user953988

      Hi All,

       

      does anybody know how to revoke the privileges of building mobile apps with MAD from an application role?

       

      Thank you in advance,

      Stefan

        • 1. Re: How to disable MAD for certain usergroups / application roles?
          Gianni Ceresa

          Hi Stefan,

          Nice question, I just suspect you will be disappointed by the answer ... (at least my answer)

          Not sure if you can really do it ...

          MAD is Publisher, so if you remove access to Publisher you also probably lose permissions on BIMAD.

          BIMAD "new" URL: /analytics/saw.dll?bipublisherEntry&Action=new&itemType=.xma

          Publisher report "new" URL: /analytics/saw.dll?bipublisherEntry&Action=new&itemType=.xdo

          I also had a look at the doc on how to deploy BIMAD to see if there are some references to security and there is a part named "4.2 Task 2: Update Security Configuration for Oracle BI Mobile App Designer" (here), they say to run a WLST script to "update your system JAZN file (system-jazn-data.xml) with the security grants required for BI Mobile App Designer", so I thought I would find the real answer there!

          The script content is a little disappointing:

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="IdentityAssertion", permClass="oracle.security.jps.JpsPermission", permActions="*")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.system,keyName=system.user", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.publisher,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="*")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=APPLICATION,name=obi", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permActions="getApplicationPolicy")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="AppSecurityContext.setApplicationID.*", permClass="oracle.security.jps.JpsPermission", permActions="*")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.bi.enterprise,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

                  grantPermission(codeBaseURL="file:${oracle.deployed.app.dir}/bimad_11.1.1${oracle.deployed.app.ext}", permTarget="context=SYSTEM,mapName=oracle.wsm.security,keyName=*", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission", permActions="read")

                  createResource(appStripe="obi",name="oracle.bi.publisher.developLightDataModel",type="oracle.bi.publisher.permission",displayName="Develop Light Data Model",description="Develop Light Data Model")

                  grantPermission(appStripe="obi",principalClass="oracle.security.jps.service.policystore.ApplicationRole",principalName="BIAuthor",permClass="oracle.security.jps.ResourcePermission",permTarget="resourceType=oracle.bi.publisher.permission,resourceName=oracle.bi.publisher.developLightDataModel",permActions="_all_")

          Most of the rows are not interesting except the last 2 commands: a resource named "Develop Light Data Model" of type "oracle.bi.publisher.permission" is created.

          And the last command, which grants permission to BIAuthor on that newly created resource "oracle.bi.publisher.developLightDataModel", is probably the most interesting.

          It deserves to be tested (no luck, my test environment crashed just before I could test it).

           

          You can try to revoke that permission from BIAuthor (using "revokePermission") and to grant it only to another (smaller) app role and see if it does what you try to achieve.

          1 person found this helpful
          • 2. Re: How to disable MAD for certain usergroups / application roles?
            user953988

            Hi Gianni,

             

            thank you very much for your answer. That was the solution. I now have an application role BIAuthor with MAD access and BISEO without MAD access.

             

            Kind Regards,

            Stefan
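
A read-only check of the outcome discussed in this thread, as an added example that is not part of the original posts or of Oracle's script: it parses a policy file and reports which application roles hold the `oracle.bi.publisher.developLightDataModel` grant directly or through application-role membership. It assumes the file-based policy store layout of system-jazn-data.xml; the embedded XML is a constructed sample, and the membership of BIAdministrator in BIAuthor shown in it is an assumption.

```python
import xml.etree.ElementTree as ET

APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"
MAD_TARGET = ("resourceType=oracle.bi.publisher.permission,"
              "resourceName=oracle.bi.publisher.developLightDataModel")

# Constructed sample policy file, not taken from a real system.
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
  <name>obi</name>
  <app-roles>
    <app-role><name>BIAuthor</name><members>
      <member><class>%(r)s</class><name>BIAdministrator</name></member>
    </members></app-role>
    <app-role><name>BISEO</name><members/></app-role>
  </app-roles>
  <jazn-policy><grant>
    <grantee><principals><principal>
      <class>%(r)s</class><name>BIAuthor</name>
    </principal></principals></grantee>
    <permissions><permission>
      <class>oracle.security.jps.ResourcePermission</class>
      <name>%(t)s</name><actions>_all_</actions>
    </permission></permissions>
  </grant></jazn-policy>
</application></applications></policy-store></jazn-data>""" % {
    "r": APP_ROLE, "t": MAD_TARGET}

def mad_roles(xml_text, stripe="obi"):
    """Return (direct, inherited) sets of app roles holding the MAD grant."""
    root = ET.fromstring(xml_text)
    app = next(a for a in root.iter("application")
               if a.findtext("name") == stripe)
    direct = set()
    for grant in app.iter("grant"):
        targets = {(p.findtext("name") or "").strip()
                   for p in grant.iter("permission")}
        if MAD_TARGET in targets:
            direct |= {p.findtext("name") for p in grant.iter("principal")
                       if p.findtext("class") == APP_ROLE}
    # An app role listed as a member of a granted role inherits the grant.
    holders, changed = set(direct), True
    while changed:
        changed = False
        for role in app.iter("app-role"):
            if role.findtext("name") not in holders:
                continue
            for m in role.iter("member"):
                name = m.findtext("name")
                if m.findtext("class") == APP_ROLE and name not in holders:
                    holders.add(name)
                    changed = True
    return direct, holders - direct
```

On the sample, `mad_roles(SAMPLE_JAZN)` reports BIAuthor as the direct holder and BIAdministrator as an inherited one, while BISEO appears in neither set.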