Thursday, October 9, 2014

Working with Users and Groups in the Embedded LDAP Server..!


When you install OBIEE, the installer asks you to enter the username and password for an administrative user, which you then use to log in to Fusion Middleware Control.


To add new users to your system and assign them to groups (for example LDAP groups or AD groups), you use the web-based Oracle WebLogic Administration Console, which contains features for managing the embedded LDAP server.


Example of Creating New Users and Adding Them to Groups

01. Log in to the Oracle WebLogic Administration Console (http://:7001/console) as a user with administrative privileges (for example weblogic/welcome1).
02. When the home page appears, click Security Realms.

03. When the Summary of Security Realms page appears, click “myrealm”. “myrealm” is the default container for security settings.
04. Clicking “myrealm” takes you to the next page. Click the “Users and Groups” tab to start creating new users.
05. Click the New button and enter the details for the new user. “DefaultAuthenticator” refers to your embedded LDAP server, which is the default authentication provider for a newly configured system. Click “OK” to create the user.

06. To add the user to one of the LDAP groups in your LDAP directory, and so grant the user an application role, click the user (“mayank”); this takes you to another page. Go to the Groups tab.

07. Select the LDAP group(s) from the left pane and click “Save” to complete the process.



Working with Application Roles and Policies

The user is now created and added to the BIAuthors LDAP group; this group must be linked to the BIAuthor application role. This role is granted to the “BIAuthors” LDAP group in the OPSS policy store as part of the default security configuration.
To check how Application Roles and Policies are administered using Fusion Middleware Control:
01. Log in to Enterprise Manager (http://:7001/em) using an administrative user.
02. When the home page is displayed, go to Business Intelligence --> coreapplication. Right-click “coreapplication”; Security --> Application Policies/Roles is displayed.

03. Click Application Roles. Locate the BIAuthor application role and click it.
04. In the bottom pane you can see that two other objects have been granted this role. One is the BIAuthors LDAP group and the other is the BIAdministrator application role. This means this very object, “BIAuthor”, inherits the permissions and privileges of the BIAdministrator application role.

Creating and Managing Application Roles

01. Create an application role using Fusion Middleware Control (em).
02. Create a matching LDAP group using the Oracle WebLogic Admin Console, or identify in FMW which existing LDAP group you want to map to the application role.
03. In FMW (em), grant the role to the LDAP group.
04. Using the Admin Console, add the user to the relevant LDAP groups.
05. Launch the Oracle BI Administration Tool and refresh its view of the current application roles in your policy store.
Example:
01. Create an application role as shown above by logging in to (http://:7001/em):
Name: FINANCE Manager
Description: Financial Analytics Manager

02. Create the corresponding LDAP group, to which the required user will be added. To do this, log in to the Oracle WebLogic Administration Console (http://:7001/console) as a user with administrative privileges (for example weblogic/welcome1).
Name: FINANCE Managers
03. Finally, add the required user to this LDAP group.
04. Log back in to Fusion Middleware Control (em) and open the application role page again. Click the application role “FINANCE Manager”, then click the Edit button.

05. To grant this new application role to the corresponding LDAP group, click the Add button in the Members section and select the LDAP group from the searched principals.
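The same procedure (steps 01 to 05 above) as a WLST script, so the change can be repeated on another environment and reviewed before it is run. This is an added example, not code from the original post. It assumes the AdminServer is reachable at t3://localhost:7001, the weblogic/welcome1 credentials quoted above, OBIEE's OPSS application stripe 'obi', and a placeholder password for the new user.

```jython
# Added example, not from the original post. Run with: wlst.sh finance_role.py
# Assumptions: AdminServer at t3://localhost:7001, admin login weblogic/welcome1
# (as quoted in the post), OBIEE policy-store stripe 'obi', placeholder user password.
ADMIN_URL = 't3://localhost:7001'          # assumption
USER, GROUP, ROLE = 'mayank', 'FINANCE Managers', 'FINANCE Manager'
NEW_USER_PASSWORD = 'CHANGE_ME_Str0ng_1'   # placeholder, set a real one before use

connect('weblogic', 'welcome1', ADMIN_URL)

# Steps 02-03 of the example: the embedded LDAP server sits behind the
# DefaultAuthenticator provider of 'myrealm'. Create the group, the user and
# the membership, skipping anything that already exists.
serverConfig()
cd('/')
atn = cmo.getSecurityConfiguration().getDefaultRealm() \
         .lookupAuthenticationProvider('DefaultAuthenticator')
if not atn.groupExists(GROUP):
    atn.createGroup(GROUP, 'Financial Analytics Managers')
if not atn.userExists(USER):
    atn.createUser(USER, NEW_USER_PASSWORD, 'Finance analyst')
if not atn.isMember(GROUP, USER, 1):       # 1 = check membership recursively
    atn.addMemberToGroup(GROUP, USER)

# Steps 01, 04 and 05: OPSS policy store. Create the application role (this
# raises an error if the role already exists) and grant it to the LDAP group,
# which is exactly what Edit -> Members -> Add does in em.
createAppRole(appStripe='obi', appRoleName=ROLE)
grantAppRole(appStripe='obi', appRoleName=ROLE,
             principalClass='weblogic.security.principal.WLSGroupImpl',
             principalName=GROUP)

# To inherit BIAuthor's policies, the new role must be a member of BIAuthor
# (role-to-role grant); members of FINANCE Manager then get BIAuthor's permissions.
grantAppRole(appStripe='obi', appRoleName='BIAuthor',
             principalClass='oracle.security.jps.service.policystore.ApplicationRole',
             principalName=ROLE)

# Verify the resulting memberships before refreshing the BI Administration Tool.
listAppRoleMembers(appStripe='obi', appRoleName=ROLE)        # expect the LDAP group
listAppRoleMembers(appStripe='obi', appRoleName='BIAuthor')  # expect FINANCE Manager
disconnect()
```

Run it against a test domain first; the two listAppRoleMembers calls give you the same view as the Members pane in em, which is the thing to check before touching the Administration Tool.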

Creating and Managing Application Policies

Application policies, like application roles, are created and held in a policy store and administered and accessed by OPSS. You can view the existing ones by logging in to Enterprise Manager (http://:7001/em) using an administrative user. When the home page is displayed, go to Business Intelligence --> coreapplication. Right-click “coreapplication”; Security --> Application Policies/Roles is displayed.

Application policies are basically sets of Java permissions associated with a principal. For example, the BI Author application policy allows you to develop reports and perform other report-authoring tasks.

A few of the application policies granted to the application role BIAuthor are listed below:
oracle.bi.publisher.developReport
oracle.bi.publisher.developDataModel
EPM_Essbase_Administrator
EPM_Essbase_Calculate
EPM_Calc_Manager_Designer
oracle.epm.financialreporting.editBatch
oracle.epm.financialreporting.editBook
oracle.epm.financialreporting.editReport
oracle.epm.financialreporting.scheduleBatch
oracle.epm.essbasestudio.cpadmi

The above are sets of Java permissions associated with a principal. Oracle BI ships all possible combinations of policies under the application roles BIAdministrator, BISystem, BIConsumer and BIAuthor.
Therefore, if you have created an application role that is linked to an LDAP group and finally to a user, you just need to assign it any of the four application roles to inherit their policies.

If you want to create a fresh application policy that is not among the policies available under the given four application roles, you need to write a Java program for it and then deploy it into WebLogic.
Always remember that BIConsumer is assigned to a user by default once you create it.
