I'm very interested on how use DRM in a Business Intelligence
environment,

has anyone faced this before?

Thanks,
S.

Hi,

I was trying to setup object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have setup the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.
I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g i.e., set up an row-wise Authorization init block in rpd with a SQL similar to:
select 'ROLES', p.rolename from p roles_table  where p.user=':USER'
whereby the user would get the OBIA specific roles setup in PeopleSoft.  In turn I'll setup the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism don't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP what other options I have without having to maintain the roles and users associating explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

Are you using 11.1.1.3, or 11.1.1.5?

Stewart Bryson
US Managing Director
Rittman Mead
O: 888.631.1410
M: 770.823.7409
F: 888.631.1410
E: stewart.bry...@rittmanmead.com
<stewart.bry...@rittmanmead.com>www.rittmanmead.com

Hello,

Before I say anything, I want to correct your statement, which is roles in
weblogic.  There is are roles in weblogic.  There are users and groups, and
user to group association in weblogic.  Application roles for OBIEE 11g are
in Enterprise Manager.  There is bug in OBIEE 11.1.1.3.0 where you will not
be able to use the ROLES session variable in during row-wise
initialization.  Please refer to the below article in oracle support:

*Obiee 11g: Roles Session variable not set in initialization block [ID
1275268.1]

The above bug has actually been fixed in the new release (11.1.1.5.0).
Assuming you are using the .3 release, you will need to associate the user
to roles manually in the enterprise manager.  I know its a lot of hectic
work, we are going through the same process right now as the client want to
wait few more months to upgrade to 11.1.1.5.0.

Regards,
-Amith.
*

11.1.1.3 for now but will soon migrate to 11.1.15. Is there a difference on this aspect?

Date: Thu, 14 Jul 2011 10:50:50 -0400
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: stewartbry...@gmail.com
To: obiee-enterprise-methodology@googlegroups.com

Are you using 11.1.1.3, or 11.1.1.5?

Stewart Bryson
US Managing Director
Rittman Mead
O: 888.631.1410
M: 770.823.7409
F: 888.631.1410
E: stewart.bry...@rittmanmead.com
www.rittmanmead.com

I was trying to setup object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have setup the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.

I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g i.e., set up an row-wise Authorization init block in rpd with a SQL similar to:

select 'ROLES', p.rolename from p roles_table  where p.user=':USER'
whereby the user would get the OBIA specific roles setup in PeopleSoft.  In turn I'll setup the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism don't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP what other options I have without having to maintain the roles and users associating explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

Yes... this behavior should be corrected in 11.1.1.5. You set the GROUPS
variable row-wise as before in 10g, and the ROLES variable will be populated
with the GROUPS variable.

This was not working in 11.1.1.3.

Stewart

You can set the roles session variable by way of a semi colon delimited
string which may help if the issue is just row-wise initialisation (eg
'BIAdministrator;BIAuthor'). You'll need to create a function that returns
this string based on your roles table.

<http://www.sqlsnippets.com/en/topic-11591.html>I'd probably test this with
a few hardcoded examples first though - it works on 11.1.1.5 but can't vouch
for 11.1.1.3. Regards,

Robert

On Thu, Jul 14, 2011 at 4:56 PM, Stewart Bryson <stewartbry...@gmail.com>wrote:

Amit,

Thanks for the clarification. Since GROUP gets mapped to ROLES session variable as per Robert, is it better to use the row-wise Authorization init block sql as something like in 11.1.1.5:
select 'ROLES', p.rolename from p roles_table  where p.user=':USER'

instead of using the GROUP session variable in the above sql like we used to in 10g?

Date: Thu, 14 Jul 2011 10:58:15 -0400
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: yenigallaam...@gmail.com
To: obiee-enterprise-methodology@googlegroups.com

Hello,

Before I say anything, I want to correct your statement, which is roles in weblogic.  There is are roles in weblogic.  There are users and groups, and user to group association in weblogic.  Application roles for OBIEE 11g are in Enterprise Manager.  There is bug in OBIEE 11.1.1.3.0 where you will not be able to use the ROLES session variable in during row-wise initialization.  Please refer to the below article in oracle support:

Obiee 11g: Roles Session variable not set in initialization block [ID 1275268.1]

The above bug has actually been fixed in the new release (11.1.1.5.0).  Assuming you are using the .3 release, you will need to associate the user to roles manually in the enterprise manager.  I know its a lot of hectic work, we are going through the same process right now as the client want to wait few more months to upgrade to 11.1.1.5.0.

Regards,
-Amith.  

I was trying to setup object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have setup the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.

I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g i.e., set up an row-wise Authorization init block in rpd with a SQL similar to:

select 'ROLES', p.rolename from p roles_table  where p.user=':USER'
whereby the user would get the OBIA specific roles setup in PeopleSoft.  In turn I'll setup the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism don't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP what other options I have without having to maintain the roles and users associating explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

Is it possible to associate the users to the Groups setup in WLC via the rpd Authorization init block (sql with GROUP session variable) after I associate the Application Roles to the Groups in EM which I think should associate the user the application role by its membership to the parent groups determined through the authorization init block?

But then the Groups don't show up in rpd and so I'm not sure if OBIEE can associate the user to the group...

Is there any difference if I'm to associate the user to the application role via init block versus associating the user to the group via init block and then groups mapped to application roles? I read somewhere in the event I try to manually associate the user to the application role in EM that requires a re-start of the BI server... does this issue have any implication when I associate the user directly to role via rpd session init block by using ROLES session variable?

Thanks!

Date: Thu, 14 Jul 2011 10:58:15 -0400
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: yenigallaam...@gmail.com
To: obiee-enterprise-methodology@googlegroups.com

Hello,

Before I say anything, I want to correct your statement, which is roles in weblogic.  There is are roles in weblogic.  There are users and groups, and user to group association in weblogic.  Application roles for OBIEE 11g are in Enterprise Manager.  There is bug in OBIEE 11.1.1.3.0 where you will not be able to use the ROLES session variable in during row-wise initialization.  Please refer to the below article in oracle support:

Obiee 11g: Roles Session variable not set in initialization block [ID 1275268.1]

The above bug has actually been fixed in the new release (11.1.1.5.0).  Assuming you are using the .3 release, you will need to associate the user to roles manually in the enterprise manager.  I know its a lot of hectic work, we are going through the same process right now as the client want to wait few more months to upgrade to 11.1.1.5.0.

Regards,
-Amith.  

I was trying to setup object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have setup the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.

I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g i.e., set up an row-wise Authorization init block in rpd with a SQL similar to:

select 'ROLES', p.rolename from p roles_table  where p.user=':USER'
whereby the user would get the OBIA specific roles setup in PeopleSoft.  In turn I'll setup the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism don't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP what other options I have without having to maintain the roles and users associating explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

Hi Jit,

You can not assign users to WL groups using initialisation blocks. The GROUP
repository variable is there for backwards compatibility / legacy reasons.

If you want to apply your authorisation in the repository, you can use
either the GROUP variable or the ROLES variable, but they both map to EM
roles and function exactly the same. Since it doesn't sound like you're
migrating from 10g, you should be using ROLES to avoid confusion.

Regards,

Robert

The authorization init block seem to work as expected in 11.1.1.5 although it seems to be buggy in 11.1.1.3. Additionally I also found that the data security filter functionality (using 11g roles similar to using group based data security filters in 10g) doesn't work right in 11.1.1.3. For instance applying a session variable based data security filter on logical fact table produced inconsistent results in 11.1.1.3 but seem to produce correct ones in 11.1.1.5.

Thanks.

Date: Thu, 14 Jul 2011 20:39:56 +0100
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: robert.too...@gmail.com
To: obiee-enterprise-methodology@googlegroups.com

Hi Jit,

You can not assign users to WL groups using initialisation blocks. The GROUP repository variable is there for backwards compatibility / legacy reasons.

If you want to apply your authorisation in the repository, you can use either the GROUP variable or the ROLES variable, but they both map to EM roles and function exactly the same. Since it doesn't sound like you're migrating from 10g, you should be using ROLES to avoid confusion.

Regards,

Robert

But then the Groups don't show up in rpd and so I'm not sure if OBIEE can associate the user to the group...

Is there any difference if I'm to associate the user to the application role via init block versus associating the user to the group via init block and then groups mapped to application roles? I read somewhere in the event I try to manually associate the user to the application role in EM that requires a re-start of the BI server... does this issue have any implication when I associate the user directly to role via rpd session init block by using ROLES session variable?

Thanks!

Date: Thu, 14 Jul 2011 10:58:15 -0400
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: yenigallaam...@gmail.com

To: obiee-enterprise-methodology@googlegroups.com

Hello,

Before I say anything, I want to correct your statement, which is roles in weblogic.  There is are roles in weblogic.  There are users and groups, and user to group association in weblogic.  Application roles for OBIEE 11g are in Enterprise Manager.  There is bug in OBIEE 11.1.1.3.0 where you will not be able to use the ROLES session variable in during row-wise initialization.  Please refer to the below article in oracle support:

Obiee 11g: Roles Session variable not set in initialization block [ID 1275268.1]

The above bug has actually been fixed in the new release (11.1.1.5.0).  Assuming you are using the .3 release, you will need to associate the user to roles manually in the enterprise manager.  I know its a lot of hectic work, we are going through the same process right now as the client want to wait few more months to upgrade to 11.1.1.5.0.

Regards,
-Amith.  

I was trying to setup object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have setup the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.

I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g i.e., set up an row-wise Authorization init block in rpd with a SQL similar to:

select 'ROLES', p.rolename from p roles_table  where p.user=':USER'
whereby the user would get the OBIA specific roles setup in PeopleSoft.  In turn I'll setup the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism don't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP what other options I have without having to maintain the roles and users associating explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--

You received this message because you are subscribed to the Google

Groups "OBIEE Enterprise Methodology Group" group.

To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsubscribe@googlegroups.com

For more options, visit this group at

http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).