DRM applied to BI


Sergi

Jul 13, 2011, 8:56:35 AM
to OBIEE Enterprise Methodology Group
Hi,

I'm very interested in how to use DRM in a Business Intelligence
environment.

Has anyone faced this before?

Thanks,
S.

Jit Dutta

Jul 14, 2011, 7:08:15 AM
to obiee-enterpri...@googlegroups.com
Hi,

I was trying to set up object level visibility for the users based on their roles in PeopleSoft. I am using OBIA 7.9.6.3.

I have set up the application roles and the LDAP authentication in WebLogic. LDAP admin does not want to maintain user groups that are specific to OBIA.
I do see that the roles set up in WebLogic show up in the rpd while I open it in online mode. I thought I would use the same process that we used to in OBIEE 10g, i.e., set up a row-wise Authorization init block in rpd with a SQL similar to:
select 'ROLES', p.rolename from roles_table p where p.user=':USER'
whereby the user would get the OBIA specific roles set up in PeopleSoft. In turn I'll set up the object level visibility and privileges by role in OBIEE and thus will enforce the object visibility in OBIEE. But this mechanism doesn't seem to work in OBIEE 11g. I have also tried the init block SQL with the GROUP session variable but no luck.

Does this process of associating roles to users not work in 11g? Is it mandatory to associate the roles to the user in LDAP? If the LDAP admin doesn't want to maintain OBIA specific roles in LDAP, what other options do I have without having to maintain the roles and users association explicitly in WL (potentially hundreds of users and to maintain their association explicitly in WL would be a big admin headache)?

Thanks.

Stewart Bryson

Jul 14, 2011, 10:50:50 AM
to obiee-enterpri...@googlegroups.com
Are you using 11.1.1.3, or 11.1.1.5?

Stewart Bryson
US Managing Director
Rittman Mead
O: 888.631.1410
M: 770.823.7409
F: 888.631.1410
E: stewart...@rittmanmead.com

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

Amith Yenigalla

Jul 14, 2011, 10:58:15 AM
to obiee-enterpri...@googlegroups.com
Hello,

Before I say anything, I want to correct your statement, which is roles in weblogic.  There is are roles in weblogic.  There are users and groups, and user to group association in weblogic.  Application roles for OBIEE 11g are in Enterprise Manager.  There is a bug in OBIEE 11.1.1.3.0 where you will not be able to use the ROLES session variable during row-wise initialization.  Please refer to the below article in Oracle support:

Obiee 11g: Roles Session variable not set in initialization block [ID 1275268.1]

The above bug has actually been fixed in the new release (11.1.1.5.0).  Assuming you are using the .3 release, you will need to associate the user to roles manually in the Enterprise Manager.  I know it's a lot of hectic work; we are going through the same process right now as the client wants to wait a few more months to upgrade to 11.1.1.5.0.

Regards,
-Amith. 


Jit Dutta

Jul 14, 2011, 11:45:07 AM
to obiee-enterpri...@googlegroups.com
11.1.1.3 for now but will soon migrate to 11.1.15. Is there a difference on this aspect?


Date: Thu, 14 Jul 2011 10:50:50 -0400
Subject: Re: [OBIEE EMG] Authorization in OBIEE 11g
From: stewar...@gmail.com
To: obiee-enterpri...@googlegroups.com

Stewart Bryson

Jul 14, 2011, 11:56:55 AM
to obiee-enterpri...@googlegroups.com
Yes... this behavior should be corrected in 11.1.1.5. You set the GROUPS variable row-wise as before in 10g, and the ROLES variable will be populated with the GROUPS variable.

This was not working in 11.1.1.3.

Stewart

Robert Tooker

Jul 14, 2011, 12:21:04 PM
to obiee-enterpri...@googlegroups.com
You can set the roles session variable by way of a semicolon-delimited string, which may help if the issue is just row-wise initialisation (e.g. 'BIAdministrator;BIAuthor'). You'll need to create a function that returns this string based on your roles table.

I'd probably test this with a few hardcoded examples first though - it works on 11.1.1.5 but can't vouch for 11.1.1.3.

Regards,

Robert    
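
The function described in the post above could look like the following on Oracle. This is an added example, not code from any poster in the thread. It assumes Oracle Database 11g Release 2 or later (for LISTAGG), a constructed table roles_table(username, rolename) (the column is called username here because USER is reserved in Oracle), and a hypothetical function name get_obiee_roles.

```sql
-- Constructed sample schema and rows; table, column and user names are assumptions.
CREATE TABLE roles_table (
  username VARCHAR2(128) NOT NULL,
  rolename VARCHAR2(128) NOT NULL
);
INSERT INTO roles_table VALUES ('jsmith', 'BIAuthor');
INSERT INTO roles_table VALUES ('jsmith', 'BIAdministrator');
INSERT INTO roles_table VALUES ('jsmith', 'BIAuthor');                   -- duplicate row
INSERT INTO roles_table VALUES ('mlee',   'BIConsumer;BIAdministrator'); -- malformed role name

-- Hypothetical helper: returns the user's roles as one semicolon-delimited string.
CREATE OR REPLACE FUNCTION get_obiee_roles (p_user IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_roles VARCHAR2(4000);
BEGIN
  -- An aggregate without GROUP BY always returns one row, so a user with no
  -- roles yields NULL instead of raising NO_DATA_FOUND.
  SELECT LISTAGG(rolename, ';') WITHIN GROUP (ORDER BY rolename)
    INTO v_roles
    FROM (SELECT DISTINCT rolename             -- collapse duplicate assignments
            FROM roles_table
           WHERE username = p_user
             -- The delimiter is also the role separator: a stored role name
             -- containing ';' would be read as several roles, so skip it.
             AND INSTR(rolename, ';') = 0);
  RETURN v_roles;
END get_obiee_roles;
/

-- Hardcoded checks to run before wiring the function into the repository.
SELECT get_obiee_roles('jsmith') AS roles FROM dual;
SELECT get_obiee_roles('mlee')   AS roles FROM dual;
SELECT get_obiee_roles('nobody') AS roles FROM dual;

-- Init block query (not row-wise) that populates the ROLES session variable.
SELECT get_obiee_roles(':USER') FROM dual;
```

LISTAGG raises ORA-01489 if the concatenated string exceeds the VARCHAR2 limit, so a user with a very long role list needs the row-wise form instead.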

Jit Dutta

Jul 14, 2011, 1:50:26 PM
to obiee-enterpri...@googlegroups.com
Amit,

Thanks for the clarification. Since GROUP gets mapped to ROLES session variable as per Robert, is it better to use the row-wise Authorization init block sql as something like in 11.1.1.5:

select 'ROLES', p.rolename from roles_table p where p.user=':USER'

instead of using the GROUP session variable in the above sql like we used to in 10g?


Jit Dutta

Jul 14, 2011, 3:18:52 PM
to obiee-enterpri...@googlegroups.com
Is it possible to associate the users to the Groups set up in WLC via the rpd Authorization init block (sql with GROUP session variable) after I associate the Application Roles to the Groups in EM, which I think should associate the user to the application role by its membership to the parent groups determined through the authorization init block?

But then the Groups don't show up in rpd and so I'm not sure if OBIEE can associate the user to the group...

Is there any difference if I'm to associate the user to the application role via init block versus associating the user to the group via init block and then groups mapped to application roles? I read somewhere in the event I try to manually associate the user to the application role in EM that requires a re-start of the BI server... does this issue have any implication when I associate the user directly to role via rpd session init block by using ROLES session variable?

Thanks!



Robert Tooker

Jul 14, 2011, 3:39:56 PM
to obiee-enterpri...@googlegroups.com
Hi Jit,

You cannot assign users to WL groups using initialisation blocks. The GROUP repository variable is there for backwards compatibility / legacy reasons.

If you want to apply your authorisation in the repository, you can use either the GROUP variable or the ROLES variable, but they both map to EM roles and function exactly the same. Since it doesn't sound like you're migrating from 10g, you should be using ROLES to avoid confusion.

Regards,

Robert

Jit Dutta

Aug 2, 2011, 11:45:50 AM
to obiee-enterpri...@googlegroups.com
The authorization init block seems to work as expected in 11.1.1.5 although it seems to be buggy in 11.1.1.3. Additionally I also found that the data security filter functionality (using 11g roles similar to using group based data security filters in 10g) doesn't work right in 11.1.1.3. For instance, applying a session variable based data security filter on a logical fact table produced inconsistent results in 11.1.1.3 but seems to produce correct ones in 11.1.1.5.

Thanks.

