Saturday, January 19, 2013

[OBIEE11g] - Setting up Access Permissions to Reports and Dashboards


In one sentence: we create a user, put that user into a group, and then put that group into an application role.
We can then use this application role to give users access to our reports or dashboard pages.
By looking at the permissions on the “Quarterly Revenue” report, we can observe that “BI Administrator Role” and “BI Consumer Role” are assigned by default when a report is created by the “weblogic” administrator user.
I will be creating two users (Jerry, Justin) and two groups (Toons, Music) and putting each user into one of the groups.
Then I will create two Application Roles (ToonViewer, MusicMaker) using “Create Like…” on the “BI Consumer Role” and put each of the above groups into these newly created Application Roles.
Then I will assign these Application Roles to the “Quarterly Revenue” report to see how each of these users is able to access the report.
I will start by creating the users, groups and Application Roles.
  1. Open http://localhost:7001/console and log in as the admin user “weblogic”.
  2. Go to the “Domain Structure” Pane on the left and select “Security Realms”, on the right pane select “myrealm” in the “Realms” section.
  3. Select the “Users and Groups” tab and click the “New” button to create a new user.
  4. Then enter “Jerry” for the “Name:”, “Jerry Mouse” for “Description”, select “DefaultAuthenticator” for the “Provider:”, and enter “jerry123” for the “Password:” and “Confirm Password:”, as shown in the screenshot below.
  5. Click the “OK” button.
  6. Create another user with the same process: enter “Justin” for the “Name:”, “Justin Trevor” for “Description”, select “DefaultAuthenticator” for the “Provider:”, and enter “justin123” for the “Password:” and “Confirm Password:”.
  7. Click the “OK” button.
  8. Now click on the “Groups” tab, click on the “New” button to create a new group.
  9. Enter “Toons” for the “Name”, enter “Toons group” for the “Description” and select “DefaultAuthenticator” for the “Provider”, as shown in the screenshot below.
  10. Click the “OK” button.
  11. With the same process, create another group by entering “Music” for the “Name”, “Music lovers” for the “Description” and selecting “DefaultAuthenticator” for the “Provider”, as shown in the screenshot below.
  12. Click the “OK” button.
  13. Now on to the creation of the Application Roles (ToonViewer, MusicMaker).
  14. Open the URL: http://localhost:7001/em and log in as the admin user “weblogic”.
  15. In the left pane select the “Farm_bifoundation_domain” -> “Weblogic Domain” -> “bifoundation_domain”, right click on bifoundation_domain and select “Security” -> “Application Roles”.
  16. Under the “Search” section select “obi” for the “Application Stripe” and click on the blue arrow button to list the Application Roles.
  17. Select the “BIConsumer” Role and click on the “Create Like…” link, then enter “ToonViewer” for the “Role Name” and “Toon Viewer Role” for the “Display Name” field.
  18. Click the “OK” button.
  19. With the same procedure, create another Application Role: select the “BIConsumer” Role and click on the “Create Like…” link, then enter “MusicMaker” for the “Role Name” and “Music Maker Role” for the “Display Name” field.
  20. Click the “OK” button.
  21. Now on to linking the Application Roles (ToonViewer, MusicMaker) to Application Policies (like BIConsumer and like BIAuthor) respectively.
  22. Open the URL: http://localhost:7001/em and log in as the admin user “weblogic”.
  23. In the left pane select the “Farm_bifoundation_domain” -> “Weblogic Domain” -> “bifoundation_domain”, right click on bifoundation_domain and select “Security” -> “Application Policies”.
  24. Select “obi” for the “Application Stripe” field, select “Application Role” for the “Principal Type” field then click on the blue button to list the Principals.
  25. Select the “BIConsumer” and click the “Create Like…” link.
  26. On the “Grantee” section click the “Add” icon to open the “Add Principal” window.
  27. In the “Add Principal” window under the “Search” section, select “Application Role” for the “Type” field and click the blue button to list the Application Roles.
  28. Select “ToonViewer”, click the “OK” button and verify as shown in the screenshot below.
  29. Click the “OK” button on the “Create Application Grant Like Grant To : BIConsumer” screen.
  30. The “ToonViewer” Application Role is now linked to a new Application Policy and is shown in the list of Principals.
  31. Similarly, link the “MusicMaker” Application Role to a “BIAuthor”-like Application Policy; it should then be listed in the list of Principals as shown below.
  32. Once our users, groups, application roles and application policies are set up, we go back and make the remaining links to complete our permissions setup.
  33. Open the URL: http://localhost:7001/em and log in as the admin user “weblogic”.
  34. In the left pane select the “Farm_bifoundation_domain” -> “Weblogic Domain” -> “bifoundation_domain”, right click on bifoundation_domain and select “Security” -> “Application Roles”.
  35. Under the “Search” section select “obi” for the “Application Stripe” and click on the blue arrow button to list the Application Roles.
  36. Select the “ToonViewer” Application Role and click the “Edit” link.
  37. Click the “Add” icon and select “Group” for the “Type” field and click the blue button to list all the groups.
  38. Select the “Toons” group and click the “OK” button to add the group to the “Members” section as shown below.
  39. Select the “BIConsumers” and click the “Delete” icon to delete the group from the “Members” section.
  40. Click “OK” button on the “Edit Application Role : ToonViewer” window.
  41. Select the “MusicMaker” Application Role and click the “Edit” link.
  42. Click the “Add” icon and select “Group” for the “Type” field and click the blue button to list all the groups.
  43. Select the “Music” group and click the “OK” button to add the group to the “Members” section as shown below.
  44. Click the “OK” button on the “Edit Application Role : MusicMaker” window.
  45. Verify that the list of Application Roles is as shown below:
  46. Go to the URL: http://localhost:7001/console and log in as the admin user “weblogic”.
  47. Open the “Security Realms” on the left pane and on the right pane select “myrealm”, then select the “Users and Groups” tab.
  48. Then select the “Users” tab and click on the user “Jerry” to open the “Settings for Jerry” window.
  49. Select the “Groups” tab for “Jerry”.
  50. Go to “Parent Groups”, select “Toons” and move it to the “Chosen:” section.
  51. Click the “Save” button.
  52. Now the same has to be done for user “Justin”.
  53. Go to the “Users” tab and select the user “Justin”.
  54. Select the “Groups” tab for “Justin”.
  55. Go to “Parent Groups”, select “Music” and move it to the “Chosen:” section.
  56. Click the “Save” button.
  57. Now on to testing our Application Roles with the “Quarterly Revenue” Report.
  58. Open the URL: http://localhost:9704/analytics and log in as the admin user “weblogic”.
  59. Select “More” -> “Permissions” for the “Quarterly Revenue” Report.
  60. Delete the “BI Consumer Role”.
  61. Add the “Music Maker Role” using “Full Control” permission.
  62. Click “OK” button to close the “Permission” window.
  63. Log out of the analytics web page and log in with the user: Jerry/jerry123.
  64. Select “Catalog” on the menu and scroll on the left pane “Folder” -> “Shared Folders” -> “Sample Lite”.
  65. On the right pane scroll down to see “Quarterly Revenue” and click “Open”.
  66. You should be able to see the results.
  67. Now log in as user: Jerry/jerry123
  68. Select “Catalog” on the menu and scroll on the left pane “Folder” -> “Shared Folders” -> “Sample Lite”
  69. Observe that “Quarterly Revenue” is not shown here.
  70. Now log in as user: Justin/justin123
  71. Select “Catalog” on the menu and scroll on the left pane “Folder” -> “Shared Folders” -> “Sample Lite”
  72. Observe that the “Quarterly Revenue” report can be opened here.
Summary:
To achieve the Report and Dashboard permission controls, we first create the user, the group and then the Application Role. Once those are created, we work in the reverse order: assigning an Application Policy to the Application Role, then the group to the Application Role, then the group to the user.
Once the above is done, we can go into the Reports and Dashboards and start using these Application Roles to guard our objects (reports and dashboards).
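
The chain summarized above (user, group, Application Role, report permission) can be checked with a small model. This is an added example, not part of the original post: the dictionaries are constructed from the names used in the steps, the nested-role handling goes beyond what the post configures, and `roles_for`, `access` and `copied_members` are hypothetical helper names.

```python
# Added example: constructed model of the state the steps above produce.
USER_GROUPS = {"Jerry": {"Toons"}, "Justin": {"Music"}}

# Application role -> members (groups or other application roles).
# Assumption: MusicMaker still holds the "BIConsumers" group copied by
# "Create Like...", because the steps delete it only from ToonViewer.
ROLE_MEMBERS = {
    "BIConsumer": {"BIConsumers"},
    "ToonViewer": {"Toons"},
    "MusicMaker": {"Music", "BIConsumers"},
}

# Catalog object -> {application role: permission} after steps 60-61.
# The BIAdministrator permission level is assumed, not stated on the page.
CATALOG_ACL = {
    "Quarterly Revenue": {"BIAdministrator": "Full Control",
                          "MusicMaker": "Full Control"},
}

def roles_for(user):
    """Resolve user -> groups -> application roles, following nested roles."""
    principals = set(USER_GROUPS.get(user, ()))
    granted = set()
    changed = True
    while changed:
        changed = False
        for role, members in ROLE_MEMBERS.items():
            if role not in granted and members & principals:
                granted.add(role)
                principals.add(role)  # a role can itself be a member of a role
                changed = True
    return granted

def access(user, obj):
    """Return {role: permission} for every ACL entry that applies to user."""
    acl = CATALOG_ACL.get(obj, {})
    return {r: acl[r] for r in sorted(roles_for(user)) if r in acl}

def copied_members(role, template="BIConsumer"):
    """Members a role still shares with the role it was created from."""
    return ROLE_MEMBERS[role] & ROLE_MEMBERS[template]

if __name__ == "__main__":
    for user in ("Jerry", "Justin"):
        print(user, access(user, "Quarterly Revenue") or "no access")
    for role in ("ToonViewer", "MusicMaker"):
        print(role, "copied members:", sorted(copied_members(role)))
```

`copied_members` is the check worth running after any “Create Like…”: a member left over from the template role grants the new role to everyone in that group.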