Tag Archives: RPD

OBIEE 10g and 11g: Comparing Repository And Catalog Security Models And Changes With Upgrade

Applies to:

Business Intelligence Suite Enterprise Edition – Version: 10.1.3.2 to 11.1.1.5.0 [1308] – Release: 10g to 11g
Information in this document applies to any platform.

Purpose

This document highlights the security features in Oracle Business Intelligence Enterprise Edition (OBIEE) and compares and contrasts features found in OBIEE 10g and 11g.

Questions and Answers

What documentation describes the security model for the Repository (RPD) and Catalog in OBIEE 10g?

OBIEE 10g security and repository access control are described in the Oracle Business Intelligence Server Administration Guide.

Web Catalog security and access control are described in the Oracle Business Intelligence Presentation Services Administration Guide.

What documentation describes the security model for the RPD and catalog in OBIEE 11g?

OBIEE 11g security is described primarily in two places:

How are security settings enabled / controlled in OBIEE 10g and 11g?

In OBIEE 10g, security is controlled at the following points: permissions on the OBIEE Presentation Catalog, the repository (users and passwords), and optionally an external LDAP or external tables.

In OBIEE 11g, the security policy is split across the OBIEE Presentation Catalog, the repository, and the default 11g identity store (embedded WLS LDAP) or an external LDAP (i.e. OID or other, if used).


What are the primary differences between the OBIEE 10g and 11g security models and what happens during upgrade?

| Security Task/Object | OBIEE 10g | OBIEE 11g | What happens during 10g upgrade to 11g? |
| --- | --- | --- | --- |
| Define Users and Groups in RPD file using OBIEE Admin Tool | Default | N/A. By default, users are defined in embedded WLS LDAP via FMW EM Console, or alternatively, in external LDAP. | By default, existing users and groups migrated to embedded WLS LDAP. Existing groups are automatically mapped to an Application role. |
| Defining security policies | Policies in the catalog and repository can be defined to reference groups within a directory | Policies are defined in terms of application roles, which map to users and groups in a directory. | 10g catalog groups are automatically migrated in the upgraded catalog and assigned the same privileges, access, and membership. |
| “Administrator” user | Unique user with full administrative privileges | No single user named for full administrative privileges. Administration can be performed by any user who is member of BIAdministrators group. | “Administrator” user automatically added as member of “BIAdministrators” group in embedded WLS LDAP and granted Administrator role. The user specified during OBIEE 11g installation (i.e. “weblogic”, “biadmin”) is also a member of the BIAdministrators group. |
| Repository encryption | Available on sensitive elements only – i.e. user passwords, connection pool passwords, etc. | Entire RPD encrypted via a password. | Prompted to set a repository password while running the upgrade assistant. Do not lose this password as there is no feature to recover a lost password. |
| External Authentication and OBIEE Initialization (Init) Blocks | Init blocks are required for external LDAP or external table authentication. | Init blocks not required for WLS embedded LDAP. Init blocks are required for external LDAP or external table authentication. | Upgraded RPD will continue to point to 10g LDAP or external tables. Init blocks may need to be modified to ensure that deprecated, or reserved word, variable names are renamed. NOTE: If you intend to use another LDAP server, such as Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server first, then migrate to the production LDAP server. Please see Upgrade Guide for further details. |
| Catalog Groups | Defined in Presentation Server Administration link | Available for backward compatibility. Use of Application Roles in FMW EM Console recommended. | Existing groups will be migrated. Recommendation is to use application roles instead. Privileges on catalog objects may be granted to an application role via BI Presentation server Administration link. |
| SA System Subject Area | Optional | Available for backward compatibility and requires init blocks and external tables. Use of Embedded LDAP is recommended. | Upgraded 10g RPD will point to external tables. Init blocks may need to be modified to ensure that deprecated, or reserved word, variable names are renamed. |
| “Everyone” Presentation Server Group | Default | Replaced with AuthenticatedUser role | “Everyone” group migrated to AuthenticatedUser role. |


Admintool Check-in changes: Internal Assertion Error Condition

If you’re running OBIEE under 64-bit Solaris, this might be of use. I'd just add that it’s not a good idea to change the repository in online mode.

Admintool Check-in changes: Internal Assertion Error Condition FALSE , file server/Utility/Generci/NQThreads/SUGThread.cpp, line 515 [ID 820803.1]

When checking in changes in Admintool, you are getting the error:

nQSError:28019 Near line 230: In the metadata expression … the following error occured nQSError 46036 Internal Assertion Error Condition FALSE , file server/Utility/Generci/NQThreads/SUGThread.cpp, line 515
Cause

This is a defect:
Bug 6652490: PSR:FUNC:ESSBASE: OBSERVED THE ERROR WHILE CHECK-IN OR SAVING RPD IN ONLINE MODE ?

The bug was logged for 10.1.3.3.2 with OBI Server on 64-bit Solaris.

Although the abstract mentions Essbase, the bug is reproducible against any database, but only when OBI is on the 64-bit Solaris platform.
It applies to all versions from OBI 10.1.3.3.1 and later.

Test case:
From Admin tool created the new rpd (i.e. physical layer) and Drag-Drop the db to Business model & Presentation layer then tried to Check In / Save from Admin tool in Online mode but I observed the below error from Admin tool window as well as NQServer.log

Error Message:
[46036] Internal Assertion: Condition FALSE, file server/Utility/Generic/NQThreads/SUGThread.cpp, line 515.
2007-11-27 04:44:12
[46036] Internal Assertion: Condition FALSE, file server/Utility/Generic/NQThreads/SUGThread.cpp, line 515

Offline mode: able to check in or save successfully.

Also we only had the error on a Business Model that had been dragged and dropped from the physical.

Solution

The workaround is to modify the NQSConfig.INI file. Change

SERVER_THREAD_STACK_SIZE = 0;

to

SERVER_THREAD_STACK_SIZE = 512 KB;

and restart the OBI server.

Increasing thread stack size (by setting SERVER_THREAD_STACK_SIZE to a bigger number) is the solution to this issue in all versions including 10.1.3.4.

Increasing the thread stack size requires more memory from the server machine. That is the only impact it should have, and increasing from 256k (default) to 512k is a minor change.

This defect will be fixed in the next main release.

The following expression always returns 0.00% in a custom OBI EE Report

Something else I’ve found. I suggest always adding 1.00* when working with non-integers, just for the sake of convenience.

(Customers."Total Customers" / sum(Customers."Total Customers")) * 100

Cause

The problem occurs because Integer data type values are involved in the calculation. If the calculation is performed on Integer values, then the correct answer is ‘0’.

When a Grand Total is specified, then the Data Type is promoted to Double Precision. If the operation is performed on a Double Precision field, then non-zero values will be returned.

Solution

To resolve this issue and ensure that non-zero values can always be returned in an OBI EE Report, modify the formula expression as follows:

e.g. (1.0*Customers."Total Customers" / sum(Customers."Total Customers")) * 100 or 1000*Customers."Total Customers" / sum(Customers."Total Customers")

Check box “data is dense”

When viewing the properties of a fact column in OBIEE, there is a check box “data is dense” when aggregating by dimension is chosen. What does this check box do? I’m not sure if this only applies to multi-dimensional sources or not.

Solution

This is generally used for FIRST/LAST aggregation rules where data is dense across the time dimension, e.g. inventory values for every period. SQL generation is optimized in this case.

Hierarchy – order of displaying lowest level attributes

There was a problem with drill-down in one of the hierarchies: the order in which it displays the lowest-level attributes.

When drilling down on a certain category – “Organization”, Answers always shows columns in the following order:
Organization Name,Department Name, Sub-Department Category, Org Detail Number, Org Detail Name

The desired order is:
Organization Name,Department Name, Sub-Department Category, Org Detail Name, Org Detail Number

The hierarchy was defined as following in the RPD (please note that Org Detail Name and Org Detail Number are at the same lowest level defined as keys):

Organization Name
Department Name
Sub-Department Category
Org Detail Name | Org Detail Number

It turned out that the columns are not sorted alphabetically.

With help from Oracle’s OBIEE support, a solution was found:

1. Use the Query Repository feature under the Tools menu in the RPD to search for these 2 columns in the RPD.
2. In the Query Repository window, note down the IDs for these 2 columns. Check which one is bigger than the other.
3. In the logical table, delete the 2 columns (Org Detail Name and Org Detail Number) and add them again in the desired order. Make sure you add them in the correct order. Query for the columns again; the IDs should be in the reverse order from step 2.
4. Add them to the hierarchy again.
5. Change the order of level keys in the Dimension hierarchy.
6. Save the changes and test again.

After RPD re-deployment – it was working.

There must be an easier way to change order of composite key (complex key) columns.