1 Reply Latest reply on Jul 10, 2015 4:55 PM by Gianni Ceresa

    OBIEE Admin Subject Area Permissions

    BenS

      I am trying to accomplish two things related to subject area security.  I am not able to accomplish either with the OBIEE Admin tool like I believe it should work but have found a lengthy work around for one using the Administration Manage Privileges in Answers.  Here are the two challenges:

       

      (1) Cannot create table based security within OBIEE Admin tools that functions when deployed to OBIEE server:

       

      Situation:  In OBIEE admin tool I have:

      • Subject Area "GRA" which has the following permissions:
        • Authenticated User (Set as Read do not have Default as an option)
        • GRA Analytics (Set as Read/Write)
        • GRA Secure Analytics (Set as Read/Write)
        • All other Responsibilities are set to Default
      • Within GRA subject area I have a table named "Global" with the following Permissions:
        • Authenticated User (Set as Read do not have Default as an option)
        • GRA Analytics (Set as Default)
        • GRA Secure Analytics (Set as Read/Write)
        • All other Responsibilities are set to Default
      • I have a user setup with the "GRA Analytics" responsibility but NOT the GRA Secure Analytics responsibility
      • The User is authenticated using LDAP through Siebel (where the responsibilities are assigned)

       

      Desire:

      • When the User logs into Answers and opens the GRA subject area they would see all tables EXCEPT the Global table

       

      Undesired Result:

      • User is able to see the GRA subject area but also sees the Global table
      • I view the user's Roles/Catalog Groups and they DO NOT have the GRA Secure Analytics role (DO have the GRA Analytics role).

       

      Note:  My second issue which I'm including below directly impacts the top issue.

       

      (2) Cannot create subject based security within OBIEE Admin tools that functions when deployed to OBIEE server:

       

      Situation:  In OBIEE admin tool I have:

      • Subject Area "GRA" which has the following permissions:
        • Authenticated User (Set as Read do not have Default as an option)
        • GRA Analytics (Set as Read/Write)
        • GRA Secure Analytics (Set as Read/Write)
        • All other Responsibilities are set to Default
      • I have a user setup with the "GRA Analytics" responsibility but NOT the GRA Secure Analytics responsibility
      • The User is authenticated using LDAP through Siebel (where the responsibilities are assigned)


      Desire:

      • When the User logs into Answers only Users with the GRA Analytics or the GRA Secure Analytics responsibility would see the GRA subject area


      Undesired Result:

      • Any User that logs into Answers sees the GRA subject area

       

      Work Around:

      • If I log into Answers with my Admin User Account I can select Administration->Manage Privileges
      • Find the subject area GRA and then assign the GRA Analytics and GRA Secure Analytics responsibility permissions as "Granted"
      • When the User logs into Answers with either the GRA Analytics or the GRA Secure Analytics responsibility they see the GRA subject area but if they do not have the responsibility they do not see it.

       

      Issues with Work Around:

      • Makes the assignment of Permissions in OBIEE Admin Tool Obsolete
      • Cannot assign table level Permissions here and thus cannot solve the first issue listed
      • Still not sure why Permissions set in OBIEE Admin Tool are being ignored

       

      If you could help me find a solution that gets the Permissions from the OBIEE Admin tool working it would be greatly appreciated.

       

      Thanks...

        • 1. Re: OBIEE Admin Subject Area Permissions
          Gianni Ceresa

          Hi Ben,

          I have the feeling you didn't get exactly how these things work.

           

          In the permission in Admin tool "Authenticated User" means every single user passing the login step.

          "Read" is enough to see and use (run analysis on) an object.

          "Read/write" is if you want to do updates to your data via OBIEE.

           

          For (2) only members of app roles GRA Analytics & GRA Secure Analytics must be able to see this subject area: "see" means hiding or displaying it in the front end, that's something you manage (like you did in the Manage privileges) in the front end. If you want to forbid the user to use the subject area (that's what the Admin tool permission does) you have to set "Authenticated User" to "No Access", all other roles to "Default" (= "No Access") except for your 2 app roles GRA Analytics and GRA Secure Analytics for which you set the "Read" permission.

           

          For (1) just use the same "recipe" as (2) : "Authenticated User" to "No Access", GRA Analytics also on "No Access" and only GRA Secure Analytics on "Read".

           

          Give it a try.

           

          Just keep in mind that Manage privileges works in a different way than the Admin tool permissions. In Manage privileges the "deny" is the strongest permission. If an app role has "deny" and another has "allow" and you are member of both you will have the "deny" applied to you.

          In the Admin tool it's the opposite: if one app role has "no access" and another has "read" and you are member of both you will have the "read" permission.
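
The two resolution rules described in the reply above, modelled as an added example that is not part of the thread and is not Oracle code. The function names and dictionaries are hypothetical; the role names and settings are taken from the posts, and treating "Default" as "No Access" follows the reply's statement for this setup.

```python
# Added illustration, not Oracle code. Function and variable names are hypothetical.
RANK = {"No Access": 0, "Read": 1, "Read/Write": 2}
EVERYONE = "Authenticated User"  # held by every user who passes login


def admin_tool_effective(object_perms, user_roles):
    """Admin tool rule from the reply: the most permissive setting across
    the user's roles wins. "Default" is treated as "No Access", as the reply
    states for this setup (assumption: nothing more permissive is inherited)."""
    best = "No Access"
    for role in set(user_roles) | {EVERYONE}:
        perm = object_perms.get(role, "Default")
        if perm == "Default":
            perm = "No Access"
        if RANK[perm] > RANK[best]:
            best = perm
    return best


def manage_privileges_effective(privilege, user_roles):
    """Manage Privileges rule from the reply: "deny" beats "allow".
    A user with no matching entry is treated as not allowed (assumption)."""
    states = {privilege[r] for r in set(user_roles) | {EVERYONE} if r in privilege}
    if "deny" in states:
        return "deny"
    return "allow" if "allow" in states else "not allowed"


# Constructed from the thread: the "Global" table as originally configured.
GLOBAL_AS_POSTED = {EVERYONE: "Read", "GRA Analytics": "Default",
                    "GRA Secure Analytics": "Read/Write"}
# The same table after applying the recipe in the reply.
GLOBAL_AS_ADVISED = {EVERYONE: "No Access", "GRA Analytics": "No Access",
                     "GRA Secure Analytics": "Read"}
# Constructed Manage Privileges entry with conflicting settings.
CONFLICT = {"GRA Analytics": "deny", "GRA Secure Analytics": "allow"}

if __name__ == "__main__":
    analyst = ["GRA Analytics"]
    both = ["GRA Analytics", "GRA Secure Analytics"]
    print(admin_tool_effective(GLOBAL_AS_POSTED, analyst))
    print(admin_tool_effective(GLOBAL_AS_ADVISED, analyst))
    print(admin_tool_effective(GLOBAL_AS_ADVISED, both))
    print(manage_privileges_effective(CONFLICT, both))
```

With the posted configuration the "Read" on Authenticated User reaches every logged-in user, which is why the GRA Analytics user still sees the Global table.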