Posts Tagged ‘Security’

How do you enable SSO for an embedded OBIEE Report in Hyperion Workspace 9.3.1?

February 13th, 2009 No comments

OBI EE and Hyperion Workspace / Smartspace integration was only introduced in EPM 11.1.1 and OBI EE 10.1.3.4.

To have a seamless integration (no OBI EE login screen) when navigating from Hyperion Workspace 9.3.1 to OBI EE 10.1.3.4, you have the following options, which might meet your implementation requirements:

1) Use the ‘&NQUser=uuu&NQPassword=ppp’ URL arguments.

These are detailed in the section ‘Incorporating Oracle Business Intelligence Results into External Portals or Applications Using the Go URL’ of the Presentation Server Guide.

2) Enable OBI EE to use SSO. We support any SSO Vendor (SiteMinder, ClearTrust, Oracle SSO, Java SSO, etc…) which supports either HTTP Headers, Server Variables or Cookies.

Please see Chapters 8 and 10 of the Deployment Guide for more information on this area of functionality.

Neither of these options has been designed specifically for Workspace, but they should give you a generic way to implement a solution where no login is required when navigating to OBI EE from Workspace.

3) Create a custom Init Block and a custom session variable. Have the session variable initialized with the password. The query for the password initialization would be

SELECT ':PASSWORD' FROM DUAL

Now go to Answers and create a report that generates the Smartcut link. Pass the username (through the USER system session variable) and the password (through the custom session variable above) to this link. This will enable seamless login.

4) Enable BI EE to use the Table Authentication method, where usernames and passwords are stored in a database table. Passwords would be stored in encrypted form using obfuscation packages provided with the database.

Then create a report that generates the Smartcut link. In the report, pass the username (through the USER system session variable) and the password (through EVALUATE and a reverse obfuscation package function that returns the password in clear text) to this link.
Then use this report in the dashboard to provide the link. This will provide a seamless login.

5) I believe Workspace supports Impersonation. Technical Support have not tested this but it should work if the impersonation is possible. Using the same report approach above, pass the Administrator username and password in the URL (these would be static) and also pass the actual BI EE username as the impersonation user in the URL. Provider services and Essbase JAPI support impersonation. We assume Workspace should support that as well. But of course, if it’s not supported then this would not work. Please liaise with Hyperion Technical Support or a Consultancy Department like Expert Services to look into this option further.

The above options are only supplied as possible workarounds, but Technical Support highly recommends that you upgrade to Hyperion Workspace 11.1.1 so you can leverage the built-in integration functionality.
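Option 1 above places the password in the Go URL query string, so it is written wherever URLs are recorded, including web server access logs and the Referer header of follow-on requests. The following is an added example, not part of the original post: it scans access-log lines for the NQUser/NQPassword arguments and redacts their values. The Combined Log Format layout, the /analytics/saw.dll path, the host name and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Go URL credential arguments named in the post, matched case-insensitively and
# only where they start a query argument (directly after '?' or '&').
CRED_RE = re.compile(r'(?<=[?&])(nquser|nqpassword)=([^&\s"]*)', re.IGNORECASE)

# Assumed Combined Log Format: client, identity, user, [time], "request",
# status, size, then an optional "referer".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

def redact(text):
    """Blank out credential values but keep the argument names."""
    return CRED_RE.sub(lambda m: m.group(1) + "=REDACTED", text)

def scan(lines):
    """Return (findings, per_client) for lines that expose Go URL credentials.

    Each finding is (line_no, client, fields, redacted_line); fields lists the
    logged field(s), 'request' and/or 'referer', that carried the arguments.
    """
    findings, per_client = [], Counter()
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        fields = [f for f in ("request", "referer")
                  if m.group(f) and CRED_RE.search(m.group(f))]
        if fields:
            per_client[m.group("client")] += 1
            findings.append((line_no, m.group("client"), fields, redact(line)))
    return findings, per_client

# Constructed sample lines: hosts, paths, users and passwords are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Feb/2009:10:01:02 +0000] "GET /analytics/saw.dll?Dashboard HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [13/Feb/2009:10:01:07 +0000] "GET /analytics/saw.dll?Go&Path=%2Fshared%2FSales&NQUser=jdoe&NQPassword=s3cret HTTP/1.1" 200 8841 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [13/Feb/2009:10:01:08 +0000] "GET /analytics/res/logo.gif HTTP/1.1" 200 312 "http://bi.example.com/analytics/saw.dll?Go&nquser=jdoe&nqpassword=s3cret" "Mozilla/4.0"',
]

if __name__ == "__main__":
    findings, per_client = scan(SAMPLE_LOG)
    for line_no, client, fields, redacted in findings:
        print(line_no, client, fields, redacted)
    print(dict(per_client))
```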

OBIEE and enterprise architecture.

November 17th, 2008 No comments

Sometimes challenges come from where we least expect them. Imagine your OBIEE application has been developed and tested, and you’re ready for production. This is exactly where your biggest challenge might come into play. I’ve worked on numerous OBIEE projects where security was a paramount priority for production servers. Deploying OBIEE was a big pain for various reasons, such as:

1. Restrictive access (or no access at all) to the production server for the OBIEE team. This is definitely a killer issue, since it invites so many things to go wrong. You might not be able to troubleshoot the repository, check DB connections, run various OBIEE scripts, and a lot more. Also, you need to train the infrastructure team to be OBIEE server admins, which is a challenge (unless you have a dedicated OBIEE team). A big risk factor is timing – your work might get delayed because your request for a services restart takes a few days to complete.

2. OS / Software / Platform issues. Your application might work fine on your test and development servers; however, in most cases you lose any control leverage once you move to production. OS patches, database patches and restrictive firewall policies might cause many things to break (some of the things I can think of – LDAP Authentication, Ibots). The worst thing is that you might not even be aware of any changes if you’re not on the technical infrastructure priority list. Usually, the server people are overworked – having to provide support to hundreds of web applications in a large enterprise – so you might want to develop a good working relationship from the start.

3. Network connectivity. This might happen on large projects as well as small ones. Due to today’s networking complexities and the proliferation of cloud computing, your related servers (authentication, data sources) might be located in a different building / state / country (I’m not joking). As such, network lag might affect your OBIEE application in the worst ways possible. Always check this immediately after deploying and make sure that you don’t see any increases in ping times.

This is it for today. Please come and read again.

Strange Presentation Services behavior

November 3rd, 2008 4 comments

While auditing our OBIEE security model we’ve stumbled into behavior that we think is a bug. If it’s not, then I hope it’s a feature that would be removed in the future. Here’s a description of how we get this particular Presentation Services behavior:

1. Summary – Our goal is to be able to add new users in the RPD in online mode, assign them to their respective repository security groups (based on data-level and row-level security), and during their first login have them automatically assigned to one of 2 appropriate Presentation catalog groups (used for presentation security, such as prohibiting overwriting of shared reports). We use the OS authentication model with Impersonator (OBIEE picks up and strips users’ OS username). However, the problem doesn’t seem to be SSO-related or OS-related.

These are the steps to reproduce:

a) Create new user “test_user1” in the RPD “Business Intelligence” group (for Presentation group “Business Intelligence”). Check in the RPD and save it.

b) Log in as “test_user1” for the first time to OBIEE.

c) Go to My Account. You can clearly see that “test_user1” is a member of Presentation group “Business Intelligence” (which is good for us and correct at the same time).

d) Log out. Close the browser. Clean cookies. Log in as an administrator (member of Presentation Services Admin). Go to Settings –> “Oracle BI Presentation Services Administration” –> “Manage Presentation Catalog Groups and Users”.
Select Edit for the “Business Intelligence” group.

As you can see, “test_user1” isn’t there.

e) If we click on “Add New Member” –> “Show Users and Groups”, there’ll be a red-stop symbol (padlock image).

We’ve filed an SR with Oracle Support, and are still waiting for an answer. I personally think that in future OBIEE releases the Presentation Services should be tied closer to the BI server – maybe going as far as consolidating those 2 modules.

And have a nice work week!