Archive for the ‘Security’ Category

How to set session variables using url variables

March 6th, 2009 9 comments

The goal is to set session variables using URL variables, but can you also do this for the user and password?
The URL variable (&Upwd) is not passed to the session variable USER_PWD.
The variable USER is correctly passed, but the variable USER_PWD is not!

Solution

The steps to set an OBIS session variable via a URL call utilizing the instanceconfig.xml tag should be as follows:

1. Create a session init block that will act as a ‘placeholder’ for the session variable to be set via the URL call – the variable can be initialized to anything.

2. Set the ‘Enable any user to set the value’ option for the variable.

3. Add the following tag block to the instanceconfig.xml file anywhere between the <ServerInstance></ServerInstance> tags:

<Auth>
  <UserIdPassword enabled="true">
    <ParamList>
      <Param name="NQ_SESSION.TEST_VAR"
             source="url"
             nameInSource="SETVAR"/>
    </ParamList>
  </UserIdPassword>
</Auth>

"TEST_VAR" should match the session variable name (case sensitive). Note that the attribute values must use plain ASCII double quotes; typographic quotes copied from a web page will not parse.

4. The following option will need to be appended to the OBI URL passed: &SETVAR='variable value to pass'. So a full example would be:

http://localhost:9704/analytics/saw.dll?Dashboard&nqUser=USER001&nqPassword=USER001&SETVAR=SomeValue

However, note that you cannot set the value of any System Security Session variable (specifically USER, PROXY, GROUP and WEBGROUPS) using any source method (e.g.: url, cookie, httpHeader) by design. Having this ability would open possible security breaches.

If you attempt to set the USER variable with the following instanceconfig.xml setting:

<Param name="NQ_SESSION.USER" source="url" nameInSource="nquser" />

You will get the following error when using the url: http://localhost:9704/analytics/saw.dll?Dashboard&nquser=user1&nqpassword=public :

nQSError: 10018: Access for the requested connection is refused
nQSError: 1315 You do not have the permission to set the value of the variable :USER
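The mechanism above has two halves: the instanceconfig.xml Param entry that maps a URL parameter (nameInSource) onto an NQ_SESSION variable, and the Go URL that carries that parameter. The script below is an added example, not code from the original post or from Oracle; it parses the Auth block of a constructed sample config, lists which URL parameters feed which session variables, flags any entry that targets the protected system variables the post names (USER, PROXY, GROUP, WEBGROUPS), which the server refuses with nQSError 1315, and builds a Go URL in the post's form with the variable value properly URL-encoded. The element and attribute names (Auth, UserIdPassword, ParamList, Param, name, source, nameInSource) and the nqUser/nqPassword/SETVAR parameters come from the post; the function names are mine.

```python
"""Added example (not code from the original post): audit the <Auth> block
of an OBIEE instanceconfig.xml and build a matching Go URL."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# System security session variables that cannot be set from any source
# (url, cookie, httpHeader). A Param naming one of these only produces
# "nQSError: 1315 You do not have the permission to set the value of the variable".
PROTECTED_SESSION_VARS = {"USER", "PROXY", "GROUP", "WEBGROUPS"}

# Constructed sample config: the post's placeholder variable plus an attempt
# to set the protected USER variable (the post's failing case).
SAMPLE_CONFIG = """<WebConfig>
  <ServerInstance>
    <Auth>
      <UserIdPassword enabled="true">
        <ParamList>
          <Param name="NQ_SESSION.TEST_VAR" source="url" nameInSource="SETVAR"/>
          <Param name="NQ_SESSION.USER" source="url" nameInSource="nquser"/>
        </ParamList>
      </UserIdPassword>
    </Auth>
  </ServerInstance>
</WebConfig>"""


def parse_params(config_xml):
    """Return (variable, source, nameInSource) for every <Param> under
    <Auth>/<UserIdPassword>/<ParamList>, wherever <Auth> sits in the tree."""
    root = ET.fromstring(config_xml)
    return [(p.get("name", ""), p.get("source", ""), p.get("nameInSource", ""))
            for p in root.iterfind(".//Auth/UserIdPassword/ParamList/Param")]


def session_var_name(param_name):
    """'NQ_SESSION.TEST_VAR' -> 'TEST_VAR'. Case is preserved because OBIEE
    matches the session variable name case-sensitively."""
    prefix = "NQ_SESSION."
    return param_name[len(prefix):] if param_name.startswith(prefix) else param_name


def url_param_map(config_xml):
    """Map each URL parameter name (nameInSource) to the session variable it
    populates, considering only source="url" entries."""
    return {src: session_var_name(name)
            for name, source, src in parse_params(config_xml)
            if source == "url"}


def protected_targets(config_xml):
    """List the protected system variables the config tries to set; these
    Params are rejected at login rather than honoured."""
    return sorted({session_var_name(name)
                   for name, _, _ in parse_params(config_xml)
                   if session_var_name(name) in PROTECTED_SESSION_VARS})


def build_go_url(base, user, password, setvars):
    """Build a Go URL in the post's form:
    saw.dll?Dashboard&nqUser=...&nqPassword=...&SETVAR=...
    urlencode escapes spaces and quotes in the value, which a hand-built
    '&SETVAR=value' string does not."""
    params = [("nqUser", user), ("nqPassword", password)] + list(setvars.items())
    return f"{base}?Dashboard&{urlencode(params)}"


if __name__ == "__main__":
    print("URL parameter -> session variable:", url_param_map(SAMPLE_CONFIG))
    print("Rejected (protected) targets:", protected_targets(SAMPLE_CONFIG))
    print(build_go_url("http://localhost:9704/analytics/saw.dll",
                       "USER001", "USER001", {"SETVAR": "Some Value"}))
```

Running it on the sample prints the mapping {'SETVAR': 'TEST_VAR', 'nquser': 'USER'}, reports USER as a rejected target, and emits a URL with the space in "Some Value" encoded as "+". Pointing parse_params at a real instanceconfig.xml (read the file and pass its text) gives a quick review of every externally sourced session variable before the config goes live.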

LDAP: how to restrict login to members of certain groups in OBIEE?

March 4th, 2009 4 comments

The question is whether you can mix LDAP and other types of authentication. In one word: yes and no.

Here’s what Oracle suggests:

1. You can have internal authentication and LDAP authentication, e.g. users in the rpd and users in the LDAP.

For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed.
So using this method, you can have groups with internal users using the internal security, and groups with users that use the LDAP authentication.

But you cannot mix external table and LDAP authentication for example, as you cannot have different connection pools on same init block.

2. The best option would be to create your own authentication DLL (custom authentication), so you will have full control over which systems you look up the user account in.
You can write your own DLL in C++ and have the OBI Server invoke it. BI just passes the username/password it received and waits for an authenticated/not-authenticated message from the DLL.

This has existed since 10.1.3.2.

We provide an example of such a DLL.
Location for the sample one: D:\OracleBI\server\SDK\CustomAuthenticatorSamples

I wonder if anyone has tried it – I think that at this time it’d be easier to work around the requirement by using standard methods. Let’s see what John Minkjan might say about it.

Privileges don’t get shown by default

February 14th, 2009 1 comment

This has been bugging me for a while. Now, I know what the problem was.

When are Subject Areas and View Privileges visible in the Admin > Manage Privileges link?

Solution

Definitions:

  • “webserver service” refers to the Web Server Software being used for Siebel Analytics Web (i.e. IIS, iPlanet/Sun ONE or Tomcat)
  • “webclient session” refers to a Siebel Analytics Web session

The functionality is as follows:

1. A Subject Area is stored in a webcat once a user has accessed it via Answers.

2. The Subject Area will be visible in the Admin >Manage Privileges link only if a user has accessed the Answers link.

3. Subject Areas will persist for the life of the webcat, but will not be accessible via the Admin > Manage Privileges link after the webserver services have been stopped and restarted. They will only be accessible once a user (any user) has accessed the Answers page in a webclient session.

4. The behavior described in Step 3 ensures that potentially archived, deleted or renamed subject areas are not visible for setting privileges.

5. The View privileges will also not be accessible via the Admin > Manage Privileges link after a webserver service recycle until and unless a user (any user) has accessed it in a webclient session.

a. When you run a request, the following privileges become visible in the Admin > Manage Privileges link:
View Compound
View Filters
View Narrative
View Nested Request
View Pivot Table
View Logical SQL
View Table
View Ticker
View Title

b. When the user clicks on “Customize View”, the following privileges become visible:
View Create Segment
View Chart

c. When the user clicks on Views Tab, the following privileges become visible:
View Question
View Column Filter
View Global Filter
View Image


How do you enable SSO for an embedded OBIEE Report in Hyperion Workspace 9.3.1?

February 13th, 2009 No comments

OBI EE and Hyperion Workspace / Smartspace integration was only introduced in EPM 11.1.1 and OBI EE 10.1.3.4.

To be able to have a seamless integration (no OBI EE login screen) when navigating from Hyperion Workspace 9.3.1 to OBI EE 10.1.3.4, you have the following options which might meet your implementation requirement:

1) Use the ‘&NQUser=uuu&NQPassword=ppp’ URL arguments.

These are detailed in the section ‘Incorporating Oracle Business Intelligence Results into External Portals or Applications Using the Go URL’ of the Presentation Server Guide.

2) Enable OBI EE to use SSO. We support any SSO Vendor (SiteMinder, ClearTrust, Oracle SSO, Java SSO, etc…) which supports either HTTP Headers, Server Variables or Cookies.

Please see Chapters 8 and 10 of the Deployment Guide for more information on this area of functionality.

Neither of these options has been designed specifically for Workspace, but they should give you a generic option to implement a solution where no login is required when navigating to OBI EE from Workspace.

3) Just create a custom init block and custom session variable. Have the session variable initialized with the password. The query for the password initialization would be

SELECT ':PASSWORD' FROM DUAL

Now, go to answers and create a report which would generate the Smartcut link. To this link pass the username (through the USER system session variable) and the password (through the custom session variable above). This will enable seamless login.

4) Enable BI EE to use the Table Authentication method, where usernames and passwords are stored in a database table. Passwords would be stored in encrypted form using obfuscation packages provided with the database.

Then create a report which would generate the Smartcut link. To this link pass the username (through the USER system session variable) and the password (through EVALUATE and a reverse obfuscation package function which would return the password in clear text) in the report.
Then just use this report in the dashboard for providing the link. This will provide a seamless login.

5) I believe Workspace supports impersonation. Technical Support have not tested this, but it should work if the impersonation is possible. Using the same report approach above, pass the Administrator username and password in the URL (these would be static) and also pass the actual BI EE username as the impersonation user in the URL. Provider Services and the Essbase JAPI support impersonation. We assume Workspace should support that as well. But of course, if it’s not supported then this would not work. Please liaise with Hyperion Technical Support or a consultancy department like Expert Services to look into this option further.

The above options are only supplied as possible workarounds, but Technical Support highly recommends that you upgrade to Hyperion Workspace 11.1.1 so you can leverage the built-in integration functionality.

Strange Presentation Services behavior

November 3rd, 2008 4 comments

While auditing our OBIEE security model we’ve stumbled into behavior that we think is a bug. If it’s not, then I hope it’s a feature that would be removed in the future. Here’s a description of how we get this particular Presentation Services behavior:

1. Summary – Our goal is to be able to add new users in the RPD in online mode, assign them to their respective repository security groups (based on data-level and row-level security), and during their first login have them automatically assigned to one of two appropriate Presentation Catalog groups (used for presentation security, such as prohibiting overwriting of shared reports). We use the OS authentication model with Impersonator (OBIEE picks up and strips users’ OS username). However, the problem doesn’t seem to be SSO-related or OS-related.

These are the steps to reproduce:

a) create new user “test_user1” in RPD “Business Intelligence” group (for Presentation group “Business Intelligence”). Check in the RPD and save it.

b) log in with “test_user1” for the first time to OBIEE

c) go to My Account. You can clearly see that “test_user1” is a member of Presentation group “Business Intelligence” (which is good for us and correct at the same time)

d) log-out. close browser. clean cookies. log-in as an administrator (member of Presentation Services Admin). Go to Settings –> “Oracle BI Presentation Services Administration”–>”Manage Presentation Catalog Groups and Users”
Select Edit for the “Business Intelligence” group

as you can see – “test_user1” isn’t there

e) If we click on “Add New Member”-> “Show Users and Groups” – there’ll be a red-stop symbol (padlock image)

We’ve filed an SR with Oracle Support, and still waiting for an answer. I personally think that in future OBIEE releases – the Presentation Services should be tied closer with BI server – maybe going as far as consolidating those 2 modules.

And have a nice work week!