OBIEE Security (3) – 11g Dashboard Security

What?

Security can also be applied at a more granular object level and used to customize the same dashboard for different user groups, by securing sections and tabs.

When would you use this? When you want to have users accessing the same dashboard but seeing different content:

– e.g. your management will also want to look at the overall team progress alongside the individual progress (new tab for team progress in same dashboard)

– your different regions or user groups will want to have different filtering criteria on the same report – you can achieve this by applying the entire selection of filters with "is prompted", while showing each group a different prompt with only the selectors that the user/group of users would want to see for each region/group/organization.

How?

This post explains in a simple way how to achieve section and tab security. Applicability will depend on your business.

Tab Security

On the targeted dashboard go to Edit, and from the Dashboard Options menu select Dashboard Properties.

You will see a list of your existing pages in the Dashboard Pages section, on which you’ll have various options:

  1. Rename
  2. Select a prompt to capture default filters and variables
  3. Permissions
  4. Delete Page
  5. Specify who can save Shared Customizations
  6. Specify who can assign Default Customizations
  7. Hide Page check-box
  8. Show Add To Briefing Book check box
  9. Change order of tabs

A hidden page, when run, will display the dashboard name and content (neither the tabs nor the page name are displayed).

Please note that My Dashboard will only have the following options available:

  • rename
  • select a prompt to capture default filters and variables
  • delete
  • hide page
  • Add To Briefing Book
  • Change order of tabs

Permissions are set up similarly to folder permissions, with different levels of permissions:

  • Full Control
  • Modify
  • Open
  • No Access
  • Custom

Section Security

Within a page, you have multiple sections.

When clicking the Section Options, you will be able to:

  • make it conditional
  • change permissions
  • rename
  • change formatting
  • allow drill in place
  • allow collapse
  • show/hide section header/title

Permissions at section level are set up with a Granted/Denied option (you either allow a user/role/group to see/execute the section or not).

In my example, the a_test user will have restricted access, while Admins will see additional content.

test user access: [screenshots: dashboards; pages and sections]

Administrator (weblogic) access: [screenshots: dashboards; pages and sections on welcome]

Note: These tests were done on OBIEE 11.1.1.7.1.

OBIEE Security (2) – 11g Catalog Objects & Access to Users Folders

What?

You may have been in a situation where you were asked to apply security to the objects exposed in OBIEE.

The first level of security that we are going to discuss is folder-level security (this implies granting access to both folders and dashboards) through managing catalog security.

How?

There are 2 main options to implement this security:

  • front end – from the presentation services
  • back end – from the catalog manager

OBIEE Front-End Security

Browse through your catalog until you reach your desired main folder/object on which you want to apply security.

Our example applies it to the OBIEE folder “Shared Folders/00. BI Insight – demos”.

Select the folder from the tree at the right side and then click Permission at the bottom of the right column. The second option is to select the parent folder in the Tree view column, then select the folder in the list view column, and click the “More” link. A Permissions option/link will appear.

You will notice you have various options now available:

  1. Apply effective permissions
  2. Replace with parent’s folder permissions
  3. Set parent folders permissions to “Traverse Folder”
  4. Add users/roles
  5. Apply permissions for selected users/roles
  6. Delete selected users/roles
  7. Applying permissions to sub-folders (selecting a number of group/role/users – button will display the list of available privileges and apply the selection to all selection)
  8. Applying permissions to all items within folder

When adding permissions (by clicking the plus button), you will have options to add Application Roles, Catalog Groups or Users. The search list allows you to select by any of the above categories, or overall.

Enter your search criteria (or leave blank when you want the full list) and click the Search button, then select the desired User/Role/Group and move it to the right (Selected Members list), then select the type of permissions you want to grant and click OK.

You can grant:

  • Full Control
  • Modify
  • Open
  • Traverse
  • No Access
  • Custom

  1. Custom permission – allows any combination of the available rights on the right.
  2. Full Control – all rights from image;
  3. Modify – Read, Traverse, Write and Delete Permissions
  4. Open – Read & Traverse Rights (this is the typical right to be granted to a consumer of reports)
  5. Traverse – available only for folders – it allows users to access items within the folder, but not creating/adding additional information to the folder itself;
  6. No Access – denied access to the object

After getting your selections and rights in order, you can also set up the owner (by selecting the appropriate radio button – the default is no selection if the creator of the report/current owner is not in the list). You can then apply your permissions on the current folder only, or recursively on the sub-folders (child folder tree) and/or the items within the folder (analysis, dashboard, prompt, filter …) by checking the appropriate check-boxes at the bottom of the pop-up window.

As a test, I’ve logged in with my test user a_test (member of OBIEE Top Management application role) and I can only see my selected folder in the Shared Reports folder.

OBIEE Back-End Security

The second option of implementing this type of security is using the Catalog Manager tool.

Open the catalog online using Catalog Manager, by specifying the URL and using an Admin user (e.g. weblogic).

This will provide you with a Tree view and a Table view.

You will be able to view:

  • system folders
  • shared folders
  • users folders

All under root.

Please note that the view provided by Catalog Manager and the naming will depend on your version of OBIEE. However, the principles explained in this blog will still apply.

When selecting a given folder you can access various options, like Copy, Cut, Rename, Smart Rename, Create, Permissions and Properties.

So Catalog Manager will allow you not only to change permissions, but also to change properties (applied recursively) or manage your folders' content.

The permissions screen is pretty much similar to the one on the OBIEE front end, allowing you to add permissions, change them or remove them.

In the same way, you can add permissions on Application Roles and/or Catalog Groups and/or Users, with the same option types.

You can apply changes recursively; however, this will apply them to both sub-folders and items within the folder. There is no distinction at this level between the two types.

You also have a Replace option.

The effect of both security implementation options (Catalog Manager/Front End) is similar for the end user.

Applicability

There are various cases where you might choose Catalog Manager over the front-end setup of security.

One of the most common issues experienced by users is linked to the user’s personal folders:

  • generally unable to access (cannot see my folder)
  • unable to access saved selections
  • unable to create any more saved selection

In this type of scenario, Catalog Manager will allow you access to the user’s folder. The solution is to re-grant the user Full Control on their own folder, applied recursively.
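The check behind this fix, using the permission levels listed under Front-End Security, written as an added example (not code from this post or from Oracle): it scans ACL rows for items in a user's own folder tree where the owner holds less than Full Control. The row format, the `/users/<account>` layout and the names `b_test`, `saved`, `report1` and `/shared/demo` are constructed assumptions, not a Catalog Manager export.

```python
from collections import defaultdict

# Permission levels as listed in the post. It defines Full Control only as
# "all rights", so the rights beyond the four named ones are one marker here.
# Custom is left out: it is any combination of rights, not a fixed level.
OTHER = "(remaining rights)"
LEVEL_RIGHTS = {
    "Full Control": {"Read", "Traverse", "Write", "Delete", OTHER},
    "Modify": {"Read", "Traverse", "Write", "Delete"},
    "Open": {"Read", "Traverse"},
    "Traverse": {"Traverse"},
    "No Access": set(),
}

# Constructed ACL rows (path, account, level); not a Catalog Manager export.
SAMPLE_ACL = [
    ("/users/a_test", "a_test", "Full Control"),
    ("/users/a_test/saved", "a_test", "Open"),
    ("/users/a_test/saved", "weblogic", "Full Control"),
    ("/users/b_test", "weblogic", "Full Control"),
    ("/users/b_test/report1", "b_test", "No Access"),
    ("/shared/demo", "OBIEE Top Management", "Open"),
]


def missing_rights(level):
    """Rights the account lacks compared with Full Control (None = no entry)."""
    held = LEVEL_RIGHTS[level] if level is not None else set()
    return sorted(LEVEL_RIGHTS["Full Control"] - held)


def owner_folder_gaps(acl_rows, users_root="/users"):
    """Map each user to the items in their own folder tree where they hold
    less than Full Control, i.e. where a recursive re-grant is needed."""
    by_path = defaultdict(dict)
    for path, account, level in acl_rows:
        if level not in LEVEL_RIGHTS:
            raise ValueError(f"unknown permission level: {level!r}")
        by_path[path][account] = level
    prefix = users_root.rstrip("/") + "/"
    gaps = defaultdict(list)
    for path in sorted(by_path):
        if not path.startswith(prefix):
            continue  # shared and system folders are out of scope here
        owner = path[len(prefix):].split("/", 1)[0]
        level = by_path[path].get(owner)  # None when the owner has no entry
        if level != "Full Control":
            gaps[owner].append((path, level, missing_rights(level)))
    return dict(gaps)
```

In the sample, `a_test` holds only Open on a sub-item and so lacks Write there, which matches the "unable to create any more saved selection" symptom; `b_test` has no entry on the folder itself, which matches "cannot see my folder".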

Note: These tests were done on OBIEE 11.1.1.7.1.