OBIEE Security - Default BI/Application Roles

Default BI Role:

Authenticate User : BI Administrative/Administration User

Default Application Roles

An application role defines a set of permissions granted to a user or group.Default application roles have corresponding default system user groups used in assigning catalog permissions and system privileges.

The Following are the Default Application Roles:

• The BIAdministrator role grants administrative permissions necessary to configure and manage the Oracle Business Intelligence installation. Any member of the BIAdministrators group is explicitly granted this role and implicitly granted the BIAuthor and BIConsumer roles.

• The BIAuthor role grants permissions necessary to create and edit content for other users to use, or to consume. Any member of the BIAuthors group is explicitly granted this role and implicitly granted the BIConsumer role.

• The BIConsumer role grants permissions necessary to use, or to consume, content created by other users. By default, every Oracle Business Intelligence authenticated user is part of the BIConsumers group and does not need to be explicitly added to the group or role

Sharing Schemas Required by Oracle Business Intelligence

The Repository Creation Utility (RCU) creates the BIPLATFORM and MDS schemas that are used when you install OBIEE 11g.

Now if you run a multi-node system what do you do, can you use the same RCU created schemas, or do you have to create parallel ones?

This extract from the Oracle OBIEE documentation (http://docs.oracle.com/cd/E23943_01/bi.1111/e10539/c3_requrmnts.htm#BABBICDA) provides the answer, which states that:

If you scale out a system from a primary node, the new nodes share the same RCU schemas as the primary.
A new OBIEE system needs separate RCU schemas.

------------------- extract ---------------------
If your organization has an MDS schema installed in a supported database, you do not need to install the MDS schema again with the RCU. You can use the existing MDS schema for your Oracle Business Intelligence installation. For this option, deselect the Metadata Services schema in the Select Components screen of the RCU. Then, when you install Oracle Business Intelligence, specify the details for the existing MDS schema in the MDS Schema screen.

However, each Oracle Business Intelligence system (BI domain) requires its own BIPLATFORM schema. Two or more systems cannot share the same BIPLATFORM schema, although they can share the same database. Therefore, you must run the RCU and install the BIPLATFORM schema and the MDS schema (if no MDS schema exists) before installing each distinct Oracle Business Intelligence system (BI domain). For example, if you plan to install two Oracle Business Intelligence systems, you must run the RCU and install the required schemas twice, or once for each system.

This requirement does not apply when you scale out an Oracle Business Intelligence system. In a scaled-out (clustered) system, you only run the RCU and install the database schemas once, before installing the primary node of the Oracle Business Intelligence cluster (the BI domain for the cluster is created at that time). Additional Oracle Business Intelligence nodes that you install during the scale-out process become members of that domain and, therefore, use the same set of schemas.

OBIEE: Handy hint - Pagination using RCOUNT

Pagination.

How many rows are returned by my query.

Add a column already in the query and edit the Formula max(rcount(1))

Now assuming each 'page' of output is 25 lines, how many pages of output are there: once again
Add a column already in the query and edit the Formula CEILING(max(rcount(1))/25)

We are busy paging through our report and want to know how many pages in we are:
Add a column already in the query and edit the Formula CEILING((rcount(1)-1)/25)+1

Remember you can cast the output as INTEGER and that will ensure that the output is integer and not double (doesn't show the .00).

OBIEE 11.1.1 - How to turn off EM centralized control

Note: This is not for the faint hearted and is not recommended, but is available in emergencies.

There is a flag in the central config file which can be used to turn off all of the EM central configuration. Edit the biee-domain.xml file from location ORACLE_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig.  The flag is near the top; it says: centralConfigurationEnabled="true" . If you change this to "false", then none of the config files will be modified centrally.

(You will need to restart the managed server and BI System Components)

So what happens: In OBIEE 11G, The instanceconfig.xml file stores the OBI Presentation Server configuration settings. Many configuration settings are available in Enterprise Manager and those should be set within EM only. If any particular setting is not available in EM then we make changes directly in the instanceconfig.xml file. Like changing the default value of the maximum number of rows in a pivot table.

If you change any of the settings directly under EM control, as soon as you restart the BI components you will find the original values returned and your settings overridden. Setting centralConfigurationEnabled="false" will disable the EM settings overwriting any new values.

Important Note: Turning off EM centralized control for managing BI config files is NOT recommended.

OBIEE Online Virtual Box 11.1.1.7.1

Well, colour me excited, no more download of the SampleApp to peek at the new features. Actually I probably will continue to download, but this a a fascinating first for Oracle. Making the sample dashboard available online - wow.

The Sample Application (SampleApp) for Oracle Business Intelligence Suite Enterprise Edition is a comprehensive collection of examples designed to demonstrate Oracle BI capabilities and design best practices. It brings together several integrated Oracle BI products & technologies and illustrates how they can seamlessly work together in solving functional problems. These examples include latest OBIEE functionalities and OBIEE architecture examples (Semantic layer modeling, Multi-source federation, Integration with Essbase, ORE, TimesTen and more).


http://www.oracle.com/technetwork/middleware/bi-foundation/obiee-samples-167534.html

What’s New in OBIEE Sample App 309

http://www.youtube.com/user/OracleBITechDemos

OBIEE Link: http://slc02okm.oracle.com:7780/analytics/

UserName: Prodney
Password: Admin123

OBIEE How to reset the lost Weblogic Admin User password?

You installed OBIEE 11G and you did not write down the Weblogic Domain admin password, or you’ve had it installed for a while and can’t remember what the password is to get into the WebLogic Admin console to make a change. There is a (technical and tricky) way to reset this password.

1. Make sure all the services are down
2. change directory to <Middleware_Home>\user_projects\domains\bifoundation_domain\bin
cd <Middleware_Home>\user_projects\domains\bifoundation_domain\bin
3. Source the setDomainEnv.cmd(Windows) / setDomainEnv.sh (Linux) script so we can get all the WebLogic variables set correctly
In windows: setDomainEnv.cmd
In Linux: . setDomainEnv.sh
4. Now change the directory to security directory in your instance.
cd <Middleware_Home>\user_projects\domains\bifoundation_domain\security
5. Move the DefaultAuthenticatorInit.ldift to a backup file
In Windows:
mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit_old.ldift
In Linux:
mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit_old.ldift
6. Run the “java weblogic.security.utils.AdminAccount newuser newpassword .” to generate a new DefaultAuthenticatorInit.ldift with a new user with the assigned password within the security directory
eg: java weblogic.security.utils.AdminAccount weblogic weblogic123 .
Note: replace newuser and newpassword with a user and password of your choosing. Ensure the password is a minimum of 8 characters and contains at least one numeric character. Also, don’t forget the period “.” at the end of the above command, it is required.
7. Change directory to <Middleware_Home>\user_projects\domains\bifoundation_domain\servers\AdminServer\security
cd <Middleware_Home>\user_projects\domains\bifoundation_domain\servers\AdminServer\security\
8. Edit the boot.properties file and replace newpassword and newusername with the user and password you defined in step 6. Do this for all the servers in the domain.
password=newpassword
username=newusername
The boot.properties will get encrypted once the admin server starts up
9. Rename or remove directory <Middleware_Home>\user_projects\domains\bifoundation_domain\servers\AdminServer\data\ldap as it will get recreated once the WebLogic Admin server starts.
e.g:
rename <Middleware_Home>\user_projects\domains\bifoundation_domain\servers\AdminServer\data\ldap <Middleware_Home>\user_projects\domains\bifoundation_domain\servers\AdminServer\data\ldap_OLD
10. Change directory to <Middleware_Home>\user_projects\domains\bifoundation_domain\bin and start the Weblogic Admin Server
In Windows: startWebLogic.cmd
In Linux:  ./ startWebLogic.sh
11. Once the weblogic server is up, you’ll be able to login to Console with the new weblogic Admin user and password.

OBIEE Security log Debug Switch

Very simple configuration but import if you want to debug the Security which plays a vital role everywhere.

Perform the following steps in order to switch the debug setting on/off

1) Log in to WebLogic Server
2) Navigate over left pane and expand the Environment node->select Servers.
3) Select the desired server from the available servers.
4) Click on Debug tab and expand Weblogic option available in Debug Scopes and Attributes table
5) Expand the security->atn and check DebugSecurityAtn option.
6) Click on Enable/Disable button at the top or bottom of the table.

Remember with all changes on the Weblogic Administration Console you will need to "Lock & Edit", make your change and then "Activate Change" once complete. The buttons to do so are at the top left of the console.

The output allows us to debug LDAP connections, see the groups and users, which allows us to check what filters we are applying.