8 Replies Latest reply on Feb 2, 2018 8:01 AM by Robert Angel

OBIEE 12c Application Role Auditing

SJenkins Jan 31, 2018 5:41 PM

OBIEE 11g Catalog Groups have been migrated into OBIEE12c WebLogic Application Roles.. (fusion middleware control - security - application roles)

A: is there a way to grant users access to manage those without giving them full access to the rest of weblogic..

B: is there a way to audit who makes the change when a user is put in or taken out of an application role.. Preferably into a table that can be reported on in an OBIEE Subject area..

1. Re: OBIEE 12c Application Role Auditing

Thomas Dodds Jan 31, 2018 7:31 PM (in response to SJenkins)
On OBIEE 11g:
Oracle recommends that Oracle BI Presentation Catalog groups be used for backward compatibility only and that Application Roles be used instead for new installations.

Catalog Groups as a way of doing things went away a long time ago ... do you have a mix of them and application roles (due to moving from 10g in the past)?

You don't want end users managing your application roles ... you want a BI Administrator or at least one of your Oracle Fusion Middleware Admins doing it.
Like Show 0 Likes(0)

Actions
2. Re: OBIEE 12c Application Role Auditing

SJenkins Jan 31, 2018 8:18 PM (in response to Thomas Dodds)

yes, version 10 and 11 we used catalog groups. the Presentation Admins managed who was memebers of them via BI..

we are working on 12c migration and have converted the catalog groups to application roles.. and I have given the presentation admins access to fusion middleware control so they can continue to manage who is in the roles.. I was just wondering if there was a way to restrict them to only that task and not everything else in the console..

Management is also asking if there is any way to audit who is adding/removing users from the application roles..
Like Show 0 Likes(0)

Actions
3. Re: OBIEE 12c Application Role Auditing

Christian Berg Feb 1, 2018 8:34 AM (in response to SJenkins)

If you want a non-Enterprise manager way of handling this where people aren't weblogic admins then best move this out to a DB table where you then handle it via APEX for example and the read that table as a BISQLGroupProvider security provider in the WLS security realm.
1 person found this helpful
Like Show 2 Likes(2)

Actions
4. Re: OBIEE 12c Application Role Auditing

Robert Angel Feb 1, 2018 8:38 AM (in response to Christian Berg)

Amen - stick it in a database, then mass user account maintenance, auditing, addition, deletion becomes so much easier!
1 person found this helpful
Like Show 0 Likes(0)

Actions
5. Re: OBIEE 12c Application Role Auditing

Christian Berg Feb 1, 2018 9:04 AM (in response to Robert Angel)

Yeah. Managing named user rights in EM either through the GUI or through WLST is just awful.
1 person found this helpful
Like Show 0 Likes(0)

Actions
6. Re: OBIEE 12c Application Role Auditing

Gianni Ceresa Feb 1, 2018 9:41 AM (in response to SJenkins)

You got already some alternatives above on how to manage that need.

Staying on the "default" way to manage things you would have to collect and analyse detailed web logs of the Adminserver: the EM interface you use execute actions when you add/remove somebody from a role, so you would probably extract these actions from the webserver log etc.
But it's for sure not as easy and practical than using a DB table to map users into roles (and APEX on top).
Like Show 0 Likes(0)

Actions
7. Re: OBIEE 12c Application Role Auditing

Christian Berg Feb 1, 2018 7:15 PM (in response to SJenkins)

Not to make too fine a point but next time maybe check which answer arrived in which chronological order :-P
Like Show 0 Likes(0)

Actions
8. Re: OBIEE 12c Application Role Auditing

Robert Angel Feb 2, 2018 8:01 AM (in response to Christian Berg)

So it goes...

I said to Dude! on the ideas forum that sometimes the awarding of points is capricious and random Dude! this is the kind of thing I had in mind...
Like Show 0 Likes(0)

Actions

Go to original post

Join the world’s largest interactive community dedicated to Oracle technologies.