Tag Archives: obiee security

Few interesting Q&As from Oracle

Good evening,

I’ve located some more interesting items from Oracle:

Q: How to remove the empty space between sections in dashboards?

A:To remove the spaces between the reports try the following:

You have to modify the CSS of the style you apply to the dashboard. In particular, to change the space under the answers you have to modify portalcontent.css and views.css.

Try modifying the .EmbeddedItem class in portalcontent.css and the .ResultsTable class in views.css.
You can find these .css files in the s_STYLENAME/b_mozilla_4/ folder of your BIEE deployment.

Try adding or changing the following in these classes:
margin:0px;
padding:0px;

We suggest that you create a new style (the s_ and sk_).

Q: How to remove [nQSError: 22047] “The Dimension used in AGO function..”

A: To remove the following error:

Steps to reproduce the error:

1. Create an Answer Request based on (Year, Chg AGO metric)
2. For table view, set Report-Based Total.

The error can be reproduced on any calculation of AGO metric, not only Chg
AGO, for example, AGO Metric + 1.

The error will be gone if we put ANY filter on the Date dimension, for
example Year > 2000.

Detailed error msg:
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A
general error has occurred. [nQSError: 22047] The Dimension used in AGO
function must be referenced in the query.

1. Look for instanceconfig.xml under the following path:

* Windows Operating Systems: OracleBIData_HOME\web\config
* Linux Operating Systems: OracleBIData_HOME/web/config

2. Add the following in instanceconfig.xml, restart the BIEE instance and re-test:

<ReportAggregateEnabled>true</ReportAggregateEnabled>

Q: How to display session variables in static text View ?

A: The correct syntax in a Static Text view is:

@{biServer.variables['NQ_SESSION.variablename']}

Q: How to sort a date column of varchar type as if it were a date datatype in Answers?

A: 1. Create another logical column in the Dim-Date table in the business layer, based on the logical column "Month".

Note: Dim-Date is the logical table in the business layer that has the "Month" column, which is of varchar data type but holds date values.

2. Give the expression for the new column as

CAST(Core."Dim - Date"."Month Name" AS DATE)

This would cast the original Month column to date datatype.

3. Use this column in the report through Answers and change its format as needed.

Shown below are the steps to display the date as “MMMM – yyyy”:

a. click on column properties.

b. Navigate to Data format tab.

c. Select Date Format – Custom

d. Give the Custom Date Format – MMMM – yyyy

4. Verify that the new column now shows the date in the format needed, and that it sorts on the dashboard by date rather than alphabetically.

How To Setup Session Timeout In Oracle BIEE

Thanks to Oracle’s support I was able to find an answer to my problem: how to make OBIEE more secure and log users off automatically to show users this page:

Here’s what I found:

List the three parameters that affect session timeout for a BIEE user.

Three types of timeout settings control the user session:

BI Server -> (Link 1) -> Presentation Server -> (Link 2) -> User Browser

Link 1:

The connection timeout between the OracleBI Presentation Server and OracleBI Services can be configured using the following steps:
1. Edit the file instanceconfig.xml
2. Add the following line in the block

<ConnectionExpireMinutes>3</ConnectionExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The default value is 3 minutes.
2. The connection between the OracleBI Server and OracleBI Presentation Services is closed and removed.
3. This setting does not affect the connection established between the OracleBI Presentation Services and the WebBrowser, which remains intact pending an activity from the user.

Link 2:

The connection timeout between the OracleBI Presentation Services and the WebBrowser can be configured using the following steps:
1. Edit the file instanceconfig.xml
2. Add the following line in the block <ServerInstance></ServerInstance>

<ClientSessionExpireMinutes>1440</ClientSessionExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The internal default value is 1440 minutes (24 hours).
2. The connection between the OracleBI Presentation Services and the WebBrowser is closed and removed.
3. This setting forces the user to be logged off from the application; the user must log in to the application again to continue working.
4. All information and statements in the session are lost.

Log User Off:

We can also set a property that forces the user to be logged off from OracleBI Presentation Services.
This setting only applies to users who have not selected the option “remember my ID and password”.
1. Edit the file instanceconfig.xml
2. Add the following line in the block

<LogOnExpireMinutes>180</LogOnExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The internal default value is 180 minutes (3 hours).
2. To disable this feature, use a value larger than the value of ClientSessionExpireMinutes.
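
As an added example (not from the original post or from Oracle), the following Python code reads an instanceconfig.xml and reports the effective values of the three timeout settings, falling back to the defaults stated in the notes above. The sample XML is constructed, and the `max_idle` policy limit, the function names and the treatment of a non-numeric value as unset are assumptions.

```python
import xml.etree.ElementTree as ET

# Defaults in minutes, as stated in the notes above.
DEFAULTS = {
    "ConnectionExpireMinutes": 3,
    "ClientSessionExpireMinutes": 1440,
    "LogOnExpireMinutes": 180,
}

# Constructed sample input, not taken from a real deployment.
SAMPLE = """<WebConfig>
  <ServerInstance>
    <ClientSessionExpireMinutes> 1440</ClientSessionExpireMinutes>
    <LogOnExpireMinutes>2000</LogOnExpireMinutes>
  </ServerInstance>
</WebConfig>"""


def effective_timeouts(xml_text):
    """Return {setting: (minutes, "explicit" or "default")}."""
    root = ET.fromstring(xml_text)
    result = {}
    for name, default in DEFAULTS.items():
        node = root.find(f".//{name}")
        text = (node.text or "").strip() if node is not None else ""
        if text.isdigit():
            result[name] = (int(text), "explicit")
        else:
            # Assumption: a missing or non-numeric value means the default.
            result[name] = (default, "default")
    return result


def audit(xml_text, max_idle=60):
    """Return findings; max_idle is a hypothetical policy limit (minutes)."""
    t = effective_timeouts(xml_text)
    client, client_src = t["ClientSessionExpireMinutes"]
    logon, _ = t["LogOnExpireMinutes"]
    findings = []
    if client > max_idle:
        findings.append(f"ClientSessionExpireMinutes={client} ({client_src}) > {max_idle}")
    if logon > client:
        # Per the note above, this combination disables the forced logoff.
        findings.append(f"LogOnExpireMinutes={logon} > ClientSessionExpireMinutes={client}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A configuration that never mentions these elements still produces a finding, because the 24-hour browser session default applies silently.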

Few recent Knowledge-based updates

I’ve found the following items to be very interesting as I’m very much interested in running OBIEE in a cloud.
Question someone asked on OS:
Q: How to cluster OBIEE that is installed on two virtual machines?
And their response was:
A: It is not currently possible to use Virtual machine names for OBIEE within a Cluster. The following Enhancement Request exists:
BUG#7576055
VIRTUAL MACHINE NAME FOR CLUSTERED OBI SERVER

This one is interesting, because it’s not just applicable to headers, but to some other elements that may contain HTML:
Q: Is it possible to add HTML code into a Column Header in OBIEE?

A: In order to render HTML in OBIEE (i.e. Answers, Dashboards, etc.), please ensure you have set the parameter “HardenXSS” to FALSE in the instanceconfig.xml file.

Example:

<ServerInstance>
<HardenXSS>false</HardenXSS>
</ServerInstance>

Last one is related to using external methods to get in to OBIEE.

Goal
1) Customer has a JSP and Java application running on WebSphere application server which uses OAM for single sign-on.
2) In the same JSP application they have embedded a report which gets the data from OBIEE web services. The actual report is deployed on the OBIEE presentation server and uses OAM for authentication. When the user logs in to the Java application and clicks on the page which invokes a report from OBIEE, the customer doesn’t want to prompt for authentication again.
3) Customer does not see any OBIEE login webservices which takes as input parameter the authentication token or cookie generated in JSP application.
A:
There is currently no mechanism within the OBI Web Services to use Single Sign-on (SSO).

There are some methods that may assist further with the customer requirement (i.e. impersonate() Method and impersonateex() Method). These methods should allow the users to log on and impersonate another user when the customer only has the Administrator's login and password.

However, these methods are not SSO as customer would still need to provide a username and password for the SOAP client (i.e. Administrator/Administrator) from within their J2EE application.

In order to overcome the fact the OBI Web Services does not use SSO, customer may want to install a new Presentation Server. The dedicated Presentation Server can then have the SSO disabled and can be used solely for the WEB Services application and nothing else.

I wonder what the security implications of such an arrangement are.

Have a good day!

error “access denied for user to path”

I just had a terrible catalog security situation, and while looking for a solution stumbled into this bug. I think it’s important, because the error message is confusing and it’s really hard to troubleshoot this sort of problem.

Catalog Manager copy/paste removes correct permissions on Users subfolders, causes error “access denied for user to path..” at OBI login

Applies to:
Business Intelligence Server Administrator – Version: 10.1.3.2 to 10.1.3.4.0 [1900] – Release: 10g to 10g

In OBIEE 10.1.3.4, users are copied from one web catalog A (TEST environment) to another web catalog B (PRODUCTION Environment), using the Catalog Manager. After loading the new web catalog B, users are unable to login into OBI and see the following error:

access denied for user to path /users/…/_portal/dashboard layout.
Error Details
Error Codes: O9XNZMXB

Cause

When copying users in the Catalog Manager, permissions are not copied. The users are part of the system folder (i.e. Catalog Manager > Users > Properties > Owner Account = System Account), which is why Catalog Manager does not transfer the permissions.

The behavior was reproduced with 2 copies of Paint web catalog A and B.
Note: Before copying from Web Catalog A, here are the privileges for

a) Users folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)

b) Users > Paint Folder – Owner – System Account
Explicit Permission – Paint (change/delete)

c). Users > Paint > _portal folder – Owner – paint
Explicit Permission – paint (change/delete)

After pasting user folder in web catalog B, here are the permissions:
Note how the properties and permissions changed after pasting the user to the following:

a) Users > Paint Folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)

b). Users > Paint Folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)

Solution
The following has been raised to address a product enhancement request:

BUG 8316638 COPY AND PASTE USERS IN CATALOG MANAGER DOES NOT COPY PERMISSIONS

The current workarounds are:

a). Manually change the permissions on the user_id, _portal and other subfolders in the target web catalog so that they are the same as the source web catalog.

b). Use SAWREPA utility to promote the changes from TEST to PRODUCTION instead. The process works online, so you do not lose any up-time, and it should promote the users permissions correctly too.

Information about SAWREPA is documented in the following:

Oracle Business Intelligence Presentation Services Administration Guide > Administering the Oracle BI Presentation Catalog > Replicating Presentation Catalogs

Please note that SAWREPA requires that both the PROD and TEST webcatalog were originally developed from the same web catalog. If the PROD webcatalog was created from scratch, it could cause problems with SAWREPA since it relies upon common attributes in both catalogs.

How to set session variables using url variables

The goal is to set session variables using url variables, but can you also do this for the user and password ?
url variable (&Upwd) is not passed to session variable USER_PWD.
The variable USER is correctly passed, the variable USER_PWD is not!

Solution

The steps to set an OBIS session variable via a URL call utilizing the
instanceconfig.xml tag should be as follows

1. Create a session init block that will act as a ‘placeholder’ for the
session variable to be set via the url call – the variable can be set to
anything.

2. Set the ‘Enable any user to set the value’ option for the variable.

3. Add the following tag block to the instanceconfig.xml file anywhere
between the <ServerInstance></ServerInstance> tags:

<Auth>
<UserIdPassword enabled="true">
<ParamList>
<Param name="NQ_SESSION.TEST_VAR"
source="url"
nameInSource="SETVAR"/>
</ParamList>
</UserIdPassword>
</Auth>

“TEST_VAR” should match the session variable name (case sensitive).

4. The following option will need to be appended to the OBI URL passed: &SETVAR='variable value to pass'. So a full example would be:
http://localhost:9704/analytics/saw.dll?Dashboard&nqUser=USER001&nqPassword=USER001&SETVAR=SomeValue

However, note that you cannot set the value of any System Security Session variable (specifically USER, PROXY, GROUP and WEBGROUPS) using any source method (e.g.: url, cookie, httpHeader) by design. Having this ability would open possible security breaches.

If you attempt to set the USER variable with the following instanceconfig.xml setting:

<Param name="NQ_SESSION.USER" source="url" nameInSource="nquser" />

You will get the following error when using the url: http://localhost:9704/analytics/saw.dll?Dashboard&nquser=user1&nqpassword=public :

nQSError: 10018: Access for the requested connection is refused
nQSError: 1315 You do not have the permission to set the value of the variable :USER
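
As an added example (not from the original post or from Oracle), the following Python code reviews the `<Param>` mappings in an instanceconfig.xml: it separates mappings that target the system security session variables named above, which the server refuses, from mappings whose value is supplied by the caller through the URL, a cookie or an HTTP header. The sample XML is constructed from the two `<Param>` entries shown above; the function name and the case-insensitive match on `source` are assumptions.

```python
import xml.etree.ElementTree as ET

# System security session variables that, per the text above, cannot be set
# from any external source by design. Names are case sensitive.
PROTECTED = {"USER", "PROXY", "GROUP", "WEBGROUPS"}
# External sources named in the text above (compared in lower case).
EXTERNAL_SOURCES = {"url", "cookie", "httpheader"}

# Constructed sample combining the two Param entries shown above.
SAMPLE = """<WebConfig><ServerInstance><Auth>
  <UserIdPassword enabled="true">
    <ParamList>
      <Param name="NQ_SESSION.TEST_VAR" source="url" nameInSource="SETVAR"/>
      <Param name="NQ_SESSION.USER" source="url" nameInSource="nquser"/>
    </ParamList>
  </UserIdPassword>
</Auth></ServerInstance></WebConfig>"""


def review_params(xml_text):
    """Return (rejected, caller_controlled) lists of (variable, source, key)."""
    rejected, caller_controlled = [], []
    for param in ET.fromstring(xml_text).iter("Param"):
        source = param.get("source", "")
        if source.lower() not in EXTERNAL_SOURCES:
            continue
        # Strip the NQ_SESSION. prefix to get the session variable name.
        variable = param.get("name", "").split(".", 1)[-1]
        entry = (variable, source, param.get("nameInSource", ""))
        if variable in PROTECTED:
            rejected.append(entry)           # expect nQSError 1315 at login
        else:
            caller_controlled.append(entry)  # value comes from the request
    return rejected, caller_controlled


if __name__ == "__main__":
    rejected, caller_controlled = review_params(SAMPLE)
    print("refused by design:", rejected)
    print("set by the caller:", caller_controlled)
```

Every variable in the second list takes whatever value the request carries, so any data filter or init block that depends on it deserves a review.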