Category Archives: Security

Strange Presentation Services behavior

While auditing our OBIEE security model We’ve stumbled into behavior that we think is a bug. If it’s not, then I hope it’s a feature that would be removed in the future. Here’s a description of how we get this particular Presentation services behavior:

1. Summary – Our goal is to be able to add new users in RPD in online mode, assign them to their respective repository security groups ( based on data-level and row-level security), and during their first login  have them automatically assigned to one of 2 appopriate Presentation catalog group (that is used for presentation security, such as prohibiting overwriting of shared reports). We use OS authentication model with Impersonator (OBIEE picks up and strips users’ OS username). However, the problem doesn’t seem to be SSO-related or OS-related.

These’re steps to reproduce:

a) create new user “test_user1″ in RPD “Business Intelligence” group (for Presentation group “Business Intelligence”). Check-in RPD and save it.

b)  login with the “test_user1″ first time to OBIEE

c) go to My Account. You can clearly see that “test_user1″ is a member of Presentation group “Business Intelligence” (which is good for us and correct at the same time)

d) log-out. close browser. clean cookies. log-in as an administrator (member of Presentation Services Admin). Go to Settings –> “Oracle BI Presentation Services Administration”–>”Manage Presentation Catalog Groups and Users”
Select Edit for the “Business Intelligence” group

as you can see – “test_user1″ isn’t there

e) If we click on “Add New Member”-> “Show Users and Groups” – there’ll be a red-stop symbol (padlock image)

We’ve filed an SR with Oracle Support, and still waiting for an answer. I personally think that in future OBIEE releases – the Presentation Services should be tied closer with BI server – maybe going as far as consolidating those 2 modules.

And have a nice work week!

Oracle BI Scheduler Error: [nQSError: 68019] Authentication Failed

I’ve seen the following situation. Ibot running perfectly fine on the development server, however, it started to fail the production with the above-mentioned error 68019. The security nature of it made me look into the instanceconfig.xml and cryptotools – since I’ve figured that this was the case. It seems as I was right as something got corrupted on the security side. After re-running cryptotools – everything went back to normal. Also, you can view these Oracle links in this in case you meet this problem:

http://forums.oracle.com/forums/thread.jspa?threadID=499157&tstart=0


OBIEE and session cookies, and Google Chrome rambling

I was wondering about different behavior while using OBIEE in different browsers – by the way, Answers isn’t working in Google Chrome, I’ve created an enhancement request – but I don’t think it’s a critical issue as of right now. Reason for my amusement was that Chrome is supposedly very good and robust at handling Java scripts. However, in Answers, it’s not rendering left frame at all. I’ve not checked it thoroughly, but I think, it’s because of the way the Java-Script is produced on the server.

But to keep us on track here, I read about the following question.

Why is this happening?

1. User logs into dashboard .
2. After the dashboard is shown the user opens another browser instance and selects the link from the dashboard login window.
3. After that the dashboard is shown without asking for the login/pwd.

Why its not asking for the login/pwd again when another browser instance is opened?

They also noticed that this happens when they used tabs in the same window. But when they open a new window and put the link it shows the log in page first. They want to know why this is so?

Answer.

This is happening because the Presentation Server is probably using the same cookie. If you connect and have a cookie that hasn’t expired, then it will assume you’re the same user. Check the URL – does it have a sessionid?

One test you could do is to log in first and than open the session viewer and note how many sessions are open (the top half lists the sessions with their unique sessionID’s). Now open another browser window and copy the dashboard link….check your session viewer again do you have a new session? If not than you will need to check your browser settings to make sure the cookie is not being saved.

Regarding the last question “when they open a new window and put the link it shows the log in page first” this is normal – the tabs are sharing the same cookie session file. If they close the window, they loose the active session. The cookie is keeping track of the browser session in use. That’s why when they open a new browser window, they still have to login.

That’s it for now. Have a great week