I am not following why this is a problem?
What you are describing is 'how it works'....
Actually I need Sales user under sales application role only, not under cost appication role
Hi guess by default "authenticated user" (the application role representing all the users successfully authenticated) is member of "BI Consumer", so by adding "BI Consumer" to your 2 roles you are actually adding these 2 roles to everybody because of the inheritance between "BI Consumer" and "authenticated users".
Thanks alot for your reply. But if i remove it from the members of the group, Will i get login to BI?
1 person found this helpful
Well, depends on your whole security model.
Do not believe OBIEE security is just few clicks adding people here or there, you have to plan it and design it based on your business needs.
So the answer can be Yes or No depending on how does your full security model looks like.
I personally always remove 'authenticated user' from BI Consumer (or the role acting as such) and never set permissions or privileges on 'authenticated user' as much as possible (for example: if you use a corporate LDAP/AD for logins everybody in the company could potentially be an 'authenticated user' if you didn't set a strict filter on the branch containing the OBIEE users in your LDAP/AD).
Maybe worth to have a look at a presentation we did some time ago with Christian Berg about security. Some models are covered including the "authenticated user" possible issues. https://speakerdeck.com/gianniceresa/obiee-security-its-a-jungle-out-there
Fixed it by removing BI Consumer from the roles under it and created a identical Application policy from BIConsumer and added the users in it.
Can you close the thread by marking answers as required? So far it's still This question is Not Answered.