OBIEE Security (2) – 11g Catalog Objects & Access to Users Folders

What?

You would have been into the situation where you were requested to apply security on the OBIEE exposed objects.

First level of security that we are going to discuss now is folder level security (this implies granting access to both folders as well as dashboards) through managing catalog security.

How?

There are 2 main options to implement this security:

  • front end – from the presentation services
  • back end – from the catalog manager

OBIEE Front-End Security

Browse through your catalog until you reach your desired main folder/object on which you want to apply security.

Our example shows application on the OBIEE folder “Shared Folders/00. BI Insight – demos”.

Select the folder from the tree at the right side and then click Permission from the bottom of the right column. Second option is selecting parent Folder from Tree view column, then select folder from list view column, and click on “More” link. A Permissions option/link will appear.

Catalog - folder - permissions - links

You will notice you have various options now available:

  1. Apply effective permissions
  2. Replace with parent’s folder permissions
  3. Set parent folders permissions to “Traverse Folder”
  4. Add users/roles
  5. Apply permissions for selected users/roles
  6. Delete selected users/roles
  7. Applying permissions to sub-folders (selecting a number of group/role/users – button will display the list of available privileges and apply the selection to all selection)
  8. Applying permissions to all items within folder

When adding permissions (on click on the plus button), you will have options to add Application Roles, Catalog Groups or Users. Search list allows you to select by any of the above categories, or overall:Catalog - folder - permissions - add options

Write your search criteria (or leave blank when you want the full list) and click the Search button

Catalog - folder - permissions - add

then select the desired User/Role/Group and move to the right (Selected Members list):

Catalog - folder - permissions - permissions options

then select the type of Permissions you want to grant and click OK.

You can grant:

  • Full ControlCustom Permissions
  • Modify
  • Open
  • Traverse
  • No Access
  • Custom
  1. Custom permission allows any combination of the available rights on the right.
  2. Full Control – all rights from image;
  3. Modify – Read, Traverse, Write and Delete Permissions
  4. Open – Read & Traverse Rights (this is the typical right to be granted to a consumer of reports)
  5. Traverse – available only for folders – it allows users to access items within the folder, but not creating/adding additional information to the folder itself;
  6. No Access – denied access to the object

After getting your selections and rights in order, you can also set up the owner (by selecting the appropriate radio button – default is no selection if creator of report/current owner is not in the list). You can then apply your permissions on current folder only, or recursively on the sub-folders (child folder tree) and/or the items within the folder (analysis, dashboard, prompt, filter …) by checking the appropriate check-boxes at the bottom of the pop-up window:

Apply permission - subfolders and items

As a test, I’ve logged in with my test user a_test (member of OBIEE Top Management application role) and I can only see my selected folder in the Shared Reports folder.

a_test permission  - validate:

OBIEE Back-End Security

The second option of implementing this type of security is using the Catalog Manager tool.

Open Catalog online, using Catalog manager

Catalog Manager - open

by specifying  the URL and using an Admin user (e.g. weblogic)

CM - Open

This will provide you with a Tree view

CM - Tree

and a Table view:

CM - Users Folder

You will be able to view:

  • system folders
  • shared folders
  • users folders

All under root.

Please note the view provided by the catalog manager or namings will depend on your version of OBIEE. However, principles explained in this blog will still apply.

When selecting a given folder you can access various options, like Copy, Cut, Rename, Smart Rename, Create, Permissions and Properties.

CM - right click

So Catalog manager will not only allow you to change permissions, but also properties (Applied recursively )

CM - Folder Properties

or managing your folders content.

The permissions screen is pretty much similar to the one on the OBIEE front end:CM - Permissions - edit

allowing adding permissions, changing them or removing them.

In the same way, you can add permissions on Application Roles and/or Catalog Groups and/or Users, with the same option types

CM - Permissions - list optionsCM - permissions - options

You can apply changes Recursively, however this will apply them to both Sub-folders and items within the folder. There is no distinction at this level between the two types.

You also have a Replace Option, as presented bellow:

CM - Permissions - applicability opions

The effect on both security implementation options (Catalog Manager/Front End) is similar for the end user.

Applicability

There are various test cases when you might choose using the Catalog Manager over the Front-End setup of security.

One of the most common issues experienced by users is linked to the user’s personal folders:

  • general unable to access (cannot see my folder)
  • unable to access saved selections
  • unable to create any more saved selection

In this type of scenario, Catalog Manger will allow you access to user’s folder. Solution is to re-grant the user Full Control to his own folder – applied recursively.

Note: Please note this tests were done on OBIEE 11.1.1.7.1.