Can't you add new app roles for your offices and map your LDAP offices directly to these new app roles?
So you can then add the new app roles in your catalog.
Can you give me an example using users, offices and roles?
What should I add in LDAP and EM?
You say you already have the users in the LDAP group for their Office, so create Application Roles in EM to match and member them with the LDAP Groups. Then use those BI Appl Roles to secure your shared folders.
There are no "Office" groups on LDAP.
I know which office the user belongs to by the OU attribute.
Suppose we have LDAP-production:
- User1 belongs to the Office1 and belongs to Role1 (enabled Dashboard1 and Dashboard2)
- User2 belongs to the Office1 and belongs to Role2 (enabled Dashboard2)
- User3 belongs to the Office2 and belongs to Role2 (enabled Dashboard2)
- User4 belongs to the Office2 and belongs to Role3 (enabled Dashboard3)
You posted this, so for us User1 is a member of an "Office1" group in your LDAP and also a member of a "Role1" group.
I explained it badly! I know which office the user belongs to by the OU attribute.
But the groups defined on LDAP are only for Role!
Explore the ldap utilities in Oracle DB ... perhaps you can read your users into a table and parse out their office into another column ... then you could use the 'deprecated'-but-still-exists option of having an initblock read the office value for a logged in user into the System Security WEBGROUPS session variable ... that is exposed in the Presentation Services and you could lock the folders that way.
Ok Thomas, I suppose that the session variable WEBGROUPS reads the office value for a logged-in user.
Now where can I lock the folder passing the session variable?
I think from Answers -> Catalog -> SharedFolder -> Permissions -> but I can select only ApplicationRoles, Groups and Users!!
Set up WEBGROUPS system session variable in your RPD (default it to a hardcoded value as a quick test)... then akin to the 10g approach ... Administration -> Manage Catalog Groups (just above Manage Privileges) ... see OBIEE - Catalog Group [Gerardnico] for an overview.
Here's Oracle's Docs on it ... http://docs.oracle.com/cd/E14571_01/bi.1111/e10541/mgrgrpsusers.htm#BIESG1593
Again it's deprecated ... your BEST approach is to do the LDAP admin work and put users in AD groups that 'map' to their offices.
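The init block approach suggested in this thread, sketched as an added example that is not part of the original posts or of Oracle's documentation: a staging table of LDAP users, the office parsed out of the OU component, and a row-wise init block query that feeds WEBGROUPS. The table and view names (`ldap_users`, `user_office`) and the sample DNs are constructed assumptions; the users and offices are the ones listed above.

```sql
-- Hypothetical staging table, refreshed from an LDAP export (name is an assumption).
CREATE TABLE ldap_users (
  username VARCHAR2(64)  PRIMARY KEY,
  dn       VARCHAR2(512) NOT NULL
);

-- Constructed sample rows matching the users in this thread.
INSERT INTO ldap_users VALUES ('User1', 'cn=User1,ou=Office1,dc=example,dc=com');
INSERT INTO ldap_users VALUES ('User2', 'cn=User2,ou=Office1,dc=example,dc=com');
INSERT INTO ldap_users VALUES ('User3', 'cn=User3,ou=Office2,dc=example,dc=com');
INSERT INTO ldap_users VALUES ('User4', 'cn=User4,ou=Office2,dc=example,dc=com');
-- A user with no OU: the view yields NULL, so no office group is ever assigned.
INSERT INTO ldap_users VALUES ('User5', 'cn=User5,dc=example,dc=com');

-- Parse the first OU component of the DN into an OFFICE column.
-- Subexpression 2 is the OU value; 'i' makes the match case-insensitive.
CREATE OR REPLACE VIEW user_office AS
SELECT username,
       REGEXP_SUBSTR(dn, '(^|,)\s*ou=([^,]+)', 1, 1, 'i', 2) AS office
FROM   ldap_users;

-- Check the mapping before wiring it into the RPD.
SELECT username, office FROM user_office ORDER BY username;

-- Query text for a session init block with row-wise initialization.
-- It is pasted into the init block, not run in SQL*Plus: the BI Server
-- substitutes VALUEOF(NQ_SESSION.USER) with the authenticated user name.
-- Returning no row leaves the user outside every office group.
--
--   SELECT 'WEBGROUPS', office
--   FROM   user_office
--   WHERE  UPPER(username) = UPPER('VALUEOF(NQ_SESSION.USER)')
--   AND    office IS NOT NULL
```

Catalog groups named Office1 and Office2 then have to exist under Manage Catalog Groups, and folder access is only as current as the last refresh of the staging table, so a user who changes office keeps the old folder permissions until the next load.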