Friday, March 29, 2013

[OBIEE 10g] View Selector, Forcing A Selection





OBIEE View Selector, forcing a selection




The dashboard with a view selector by default OBIEE will executed the first request from the selector when a dashboard page becomes "active". 

Especially if have several "heavy" requests will really slow down dashboard.

To make a user selection of a view here as follows




Add an extra title view to your report and give this the title "make a selection"







Add this extra title view to your view selector and rename it "make a selection". Be sure it's on top of the list.










This way the dashboard is forced to wait on the selection of the user:








Thursday, March 28, 2013

[OBIEE 11g] Overview On Object Level Security, Application Roles, And Inheritance


 



Overview on Object Level Security, Application Roles, and Inheritance






In Oracle Business Intelligence (OBIEE) 11g, Oracle has fundamentally changed how we map users to various security privileges.In OBIEE 10g, Object Level Security was enforced using the USER session variable, which mapped to a GROUP session variable. This created a list of possible 'groups', which a developer would then apply security restrictions to, in either Answers (Managed Privileges) and/or Security Managed in the repository.

 
A high level flow is outlined below:




In OBIEE 11g, security authentication is enforced in the Weblogic Admin Server, and a user's security privileges are tied to their corresponding Application Roles in Fusion Middleware as shown in the diagram below:








The key take away is that object level security is applied to application roles and not groups.  Why application roles? In Weblogic and Fusion Middleware, we can actually assign certain privileges to an application roles - we call these 'Application Policies'. For example,  we can grant a certain application role the ability to 'edit the repository', or 'act as another user'. This feature, not possible in OBIEE 10g, now allows us to not only control what objects are being viewed, but also gives us the capability to control who can execute certain actions within the BI environment. This topic will be discussed in much greater detail in another guide.






Now let's go over the basic rules of Object Level Security for Application Roles in OBIEE 11g:


  • If a user is a direct member of an application role, they will have access to the reports allowed by that application role.
  • If a user is not a member of an application role, they will not have access to the reports allowed by that application role.
  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.
    • unless the user is explicitly denied. Explicit denial supersedes all security privileges.
  • If a user is a member of Application Role X, and Application Role X is a member of Application Role Y, the privileges in Application Role X supersede the privileges of Application Role Y




Let's cover each scenario in detail:



  • If a user is a direct member of an application role, they will have access to the reports allowed by that application role.
In this example, I granted Application Role 'Test Role 1' full control to folder 'Folder 1'. I then logged in as 'testuser1' who is a member of Application Role 'Test Role 1'. And as expected, testuser1 can read/write/edit/delete the folder.





  • If a user is not a member of an application role, they will not have access to the reports allowed by that application role.


In this example, I created 'Folder 2', only accessible by members of the 'BIAdministrator Application Role'. I then log in as a 'testuser1', which is not a member of the 'BIAdministrator Application Role'




As BIAdministrator:







As testuser1:








Note that in the above scenario, 'denying' the application role access accomplishes the same thing as taking no action onto the application role role (i.e. ignoring it completely)


  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.

In this example, I created Folder 3, which grants 'read' access to Test Role 1 and 'modify' access to 'Test Role 2'. 'Testuser1' is a member of both 'Test Role 1' and 'Test Role 2'.






 
As expected, Testuser1 has modify rights to Folder 3 (noted by 'X', ability to delete), despite being a member of Test Role 1 which only grants the user read access






  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.
    •  unless the role is explicitly denied



In this example, TestUser1 is a member of Test Role 1 and Test Role 2 and Test Role 3. Test Role 1 grants testuser1 open rights, Test Role 2 grants testuser1 modify rights and Test Role 3 is explicitly denied.






As expected, testuser1 does not have access to Folder 4 because of Test Role 3








  • If a user is a member of Application Role X, and Application Role X is a member of Application Role Y, the privileges in Application Role X supersede the privileges of Application Role Y








In this example, testuser1 is a member of application role 'Test Role 4'. Application role 'Test Role 5' is a member of application Role 'Test Role 4'. Test Role 4 grants 'open' privileges to Folder 5 and Test Role 5 grants 'full control' to Folder 5.








As expected, testuser1 only has read/open access to Folder 5 even though Application Role 'Test Role 5' grants full control. This is because direct inheritance overrides indirect inheritance







Even if the inherited role explicitly denies access to folder 5, the user will still be able to access folder 5 because the direct role grants read/open access:








Note how testuser1 has modify access to Folder 5 (noted by the 'X') , despite inheriting a role that is denied access to the same folder.







These basic rules can be applied to any hierarchy, no matter how complex. Think you've mastered these 4 basic rules? Identify the final privileges for User 1 in the scenario below:











Result:

  • User is a direct member of Role 1 and 2 and indirect member of Role 3, Role 4 and Role 5
  • User has no access to Dashboard A
  • User has open access to Dashboard B
  • User has full control of Dashboard C
  • User has no access to Dashboard E
  • User has open access to Dashboard D





[OBIEE 11g] Automatic Repository Deployment and Promotion Process





Automatic Repository Deployment and Promotion Process





A typical deployment process an OBIEE 11g repository will follow in most production environments resembles the following:






The development zone represents a series of developer machines modifying a repository either by:

  • Multi User Directory Environment Configuration (MUDE)
  • Local development machines where each developer migrates their changes to a centralized OBIEE 11g dev/unit test box


 
We're going to focus on the 'Production Deployment Path' that takes the repository from the Dev/Unit test machine and migrates it through the deployment path from Assembly Test through Production.

 
This production path is critical because it's at this point where the repository leaves the 'safe haven' of the developer environment and goes through various stages of testing, usually performed by another team. Each testing team will have their own BI Server and database that the repository must connect to for testing.

 
Usually, the repository remains the same through all environments except for:

  • Connection Pools
  • Environment specific server variables


 
We're going to perform the assembly test to production deployment process in a completely automated fashion by:

  • Generating an XUDML file that connections connection pool information
  • Generating a new system test repository by applying the System test XUDML to the assembly test repository
  • Using WLST to upload the RPD to the specif iced environment




Step 1: Generate the XUDML file for the assembly, system, staging and production environments


We're going to create an eXtensible Universal Database Markup Language (XUDML for short) that contains connection pools specific for each environment. This file is generated by biserverxmlgen and is basically the repository exported to XML. The way to accomplish this in OBIEE 10g was using UDML which has seen been deprecated and is not supported by Oracle - see Oracle Note 1068266.1.




Step 1.1 - Set Variables via bi-init.sh


. /export/obiee/11g/instances/instance1/bifoundation/OracleBIApplication/coreapplication/setup/bi-init.sh


Note the space between the '.' and the '/' . This is required for the i-init.sh script to propagate through all folders



Step 1.2 - Generate XUDML file


Navigate to export/obiee/11g/Oracle_BI1/bifoundation/server/bin/ and run:

biserverxmlgen -R C:\testconnpool\base.rpd -P Admin123 -O c:\testconnpool\test.xml -8



  • Replace base.rpd with your source RPD - i.e. if you want to generate connection pool information for assembly test, base.rpd should represent your assembly test repository.
  • -O generates the output XML file
  • -8 represents the UTF-8 formatting for the XML file
  • -P represents the password of the base repository


If fail to set your session variables will you encounter the following error:


"libnqsclusterapi64.so: open failed: No Such file or directory"




If you are successful, your output should be as follows:








Step 1.3 Remove inapplicable entries



For connection pool migrations, your script should only include:



<?xml version="1.0" encoding="UTF-8" ?>

<Repository xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<DECLARE>
<Connection Pool ......>
</ConnectionPool>
</DECLARE>
</Repository>



You will only need to re-generate this file if you change your connection pool information. This XUDML file will be used to update connection pools of your target environment.



Step 2: Apply XUDML file to base repository 


Let's say you have an assembly test repository and a system test XUDML file. The biserverxmlexec.sh script will take your assembly test repository, system test XUDML file and generate a 'system test repository' using the following command located in export/obiee/11g/Oracle_BI1/bifoundation/server/bin/



biserverxmlexec -I input_file_pathname [-B base_repository_pathname] [-P password]
-O output_repository_pathname



Where:

  • input_file_pathname is the name and location of the XML input file you want to execute base_repository_pathname is the existing repository file you want to modify using the XML input file (optional). Do not specify this argument if you want to generate a new repository file from the XML input file.password is the repository password.
  • If you specified a base repository, enter the repository password for the base repository. If you did not specify a base repository, enter the password you want to use for the new repository.
  • The password argument is optional. If you do not provide a password argument, you are prompted to enter a password when you run the command. To minimize the risk of security breaches, Oracle recommends that you do not provide a password argument either on the command line or in scripts. Note that the password argument is supported for backward compatibility only, and will be removed in a future release.
  • output_repository_pathname is the name and location of the RPD output file you want to generate


 
Example:

biserverxmlexec -I testxudml.txt -B rp1.rpd -O rp2.rpd
Give password: my_rpd_password


You now have a system test repository that you can upload to your applicable environment.



Step 3: Upload Repository to BI Server via WLST


Many web sites show how to upload the repository via the FMW Enterprise Manager, but that is generally alot slower and not as efficient as scripting it.

The uploadRPD.py script below performs five tasks:

  • Connects to WLST
  • Locks the System
  • Uploads the RPD
  • Commits Changes
  • Restarts BI Services


Copy the code below and save it as a python script (.py)

connect('user','pass','server')


user = ''
password = ''
host = ''
port = ''
rpdpath = '/path/path2/repository.rpd'
rpdPassword = ''

# Be sure we are in the root
cd("..\..")

print(host + ": Connecting to Domain ...")
try:
domainCustom()
except:
print(host + ": Already in domainCustom")

print(host + ": Go to biee admin domain")
cd("oracle.biee.admin")

# go to the server configuration
print(host + ": Go to BIDomain.BIInstance.ServerConfiguration MBean")

cd ('oracle.biee.admin:type=BIDomain,group=Service')
biinstances = get('BIInstances')
biinstance = biinstances[0]


# Lock the System
print(host + ": Calling lock ...")
cd("..")
cd("oracle.biee.admin:type=BIDomain,group=Service")
objs = jarray.array([], java.lang.Object)
strs = jarray.array([], java.lang.String)
try:
invoke("lock", objs, strs)
except:
print(host + ": System already locked")

cd("..")

# Upload the RPD
cd (biinstance.toString())
print(host + ": Uploading RPD")
biserver = get('ServerConfiguration')
cd('..')
cd(biserver.toString())
ls()
argtypes = jarray.array(['java.lang.String','java.lang.String'],java.lang.String)
argvalues = jarray.array([rpdpath,rpdPassword],java.lang.Object)

invoke('uploadRepository',argvalues,argtypes)

# Commit the system
print(host + ": Commiting Changes")


cd('..')
cd('oracle.biee.admin:type=BIDomain,group=Service')
objs = jarray.array([],java.lang.Object)
strs = jarray.array([],java.lang.String)
invoke('commit',objs,strs)


# Restart the system
print(host + ": Restarting OBIEE processes")

cd("..\..")
cd("oracle.biee.admin")
cd("oracle.biee.admin:type=BIDomain.BIInstance,biInstance=coreapplication,group=Service")

print(host + ": Stopping the BI instance")
params = jarray.array([], java.lang.Object)
signs = jarray.array([], java.lang.String)
invoke("stop", params, signs)

BIServiceStatus = get("ServiceStatus")
print(host + ": BI ServiceStatus " + BIServiceStatus)

print(host + ": Starting the BI instance")
params = jarray.array([], java.lang.Object)
signs = jarray.array([], java.lang.String)
invoke("start", params, signs)

BIServerStatus = get("ServiceStatus")
print(host + ": BI ServerStatus " + BIServerStatus)


The aforementioned code works on scaled out (clustered) environments since there is only one active admin server. The code will connect to the active admin server located in your first node, and WLST will propagate changes to each node. You can validate this by navigating to the local repository folder of each node.

To run the script, load wlst located at :

 /export/obiee/11g/oracle_common/common/bin/wlst.sh


and perform the execfile command as follows:


execfile(‘/path/path1/path2/uploadRPD.py’)


In conclusion, the entire repository deployment process can be executed by the following two scripts:

  • biserverxmlexec (provided by Oracle)
  • uploadRpd.py (see above)