Sunday, January 13, 2013

FYI: User able to log in even with an invalid (or no) password in OBIEE 11g

With the release of Oracle Business Intelligence (OBIEE) 11g, the 'old' (read: OBIEE 10g) way of authenticating users has been deprecated, namely authenticating a user's credentials via the repository, which I've outlined in this post. At its core, 10g authentication was accomplished using init blocks that populated the :USER and :GROUP session variables in the repository.

OBIEE 11g, on the other hand, authenticates via authenticators in WebLogic such as Oracle Internet Directory (OID). This guide covers OID authentication in OBIEE 11g.

The OBIEE 10g method for authentication still exists in 11g, and unfortunately it is still possible to configure 11g init blocks so that the query does not check the user's password.
For example:

SELECT USER_ID FROM USERS WHERE USER_ID = ':USER'

would only check that the user ID exists and would not check the password at all. In a scenario where such an init block exists and is set to act as an authentication block, users can log in with any (or no) password. It can also lead to some apparently odd or inconsistent behaviour. Consider the scenario where Users A and B both exist in OID, which is set as the primary identity store, but User B also exists in a database table which is referenced by an init block as described above. Both try to log in using the wrong password. User A will simply fail. User B will also fail authentication against OID, but because the BI Server knows there is an authentication init block configured, it will then run that block for each user; in the case of User B, because their username is in the USER_ID column of the USERS table, they will be allowed in since the init block query apparently succeeds, even though it never actually checked the user's password.

There is no 'fix' for this other than to make sure any init block that uses the :USER variable actually validates the user's credentials, or to avoid using the :USER session variable completely.

Oracle has acknowledged this in security document 1359798.1.
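To make the fall-through behaviour above concrete, here is an added example (not from the post, and not Oracle's code) that models the login sequence in JavaScript: OID is tried first, and an authentication init block is run only when OID rejects the credentials. It also includes a simple audit check that flags an init block whose SQL binds :USER without ever binding :PASSWORD. The OID store, the USERS table and the two queries are constructed for the example, and the ':PASSWORD' placeholder name is an assumption about the 10g-style block.

```javascript
// Added example, not from the post: a small model of the login sequence the
// post describes, plus an audit check for init-block SQL. The OID directory,
// the USERS table and the two queries are constructed for this example;
// ':PASSWORD' is assumed to be the placeholder a 10g-style authentication
// block substitutes the supplied password into.

// Constructed primary identity store (OID): username -> password.
var OID_USERS = { userA: "correct-A", userB: "correct-B" };

// Constructed USERS table referenced by the authentication init block
// (plaintext only to keep the model small).
var USERS_TABLE = [{ USER_ID: "userB", PASSWORD: "correct-B" }];

// The query from the post beside one that binds the password as well.
var WEAK_QUERY = "SELECT USER_ID FROM USERS WHERE USER_ID = ':USER'";
var CHECKED_QUERY =
  "SELECT USER_ID FROM USERS WHERE USER_ID = ':USER' AND PASSWORD = ':PASSWORD'";

// Audit: an authentication block that binds :USER but never binds :PASSWORD
// cannot be validating the credential, whatever else the SQL does.
function initBlockChecksPassword(sql) {
  return /:USER\b/i.test(sql) && /:PASSWORD\b/i.test(sql);
}

// Minimal evaluator for the two query shapes above: every "COL = ':VAR'"
// term in the WHERE clause must match a row once the session variables are
// substituted. Real init blocks run in the database; this only mirrors what
// the database would return.
function initBlockReturnsRow(sql, session) {
  var where = sql.split(/\bWHERE\b/i)[1] || "";
  var terms = where.split(/\bAND\b/i).map(function (t) {
    var m = /^\s*(\w+)\s*=\s*':(\w+)'\s*$/.exec(t);
    if (!m) { throw new Error("unsupported term: " + t); }
    return { column: m[1], variable: m[2] };
  });
  return USERS_TABLE.some(function (row) {
    return terms.every(function (term) {
      // Both sides must exist; undefined === undefined must not count as a match.
      return session[term.variable] !== undefined &&
        row[term.column] === session[term.variable];
    });
  });
}

// Login sequence as the post describes it: OID first; when that fails and an
// authentication init block is configured, the BI Server runs the block and
// admits the user if it returns a row.
function login(username, password, initBlockSql) {
  if (Object.prototype.hasOwnProperty.call(OID_USERS, username) &&
      OID_USERS[username] === password) {
    return { ok: true, via: "OID" };
  }
  if (initBlockSql) {
    var session = { USER: username, PASSWORD: password };
    if (initBlockReturnsRow(initBlockSql, session)) {
      return { ok: true, via: "init block" };
    }
  }
  return { ok: false, via: null };
}
```

Running the audit over each authentication init block's SQL in the repository is the cheap check here: a block that binds :USER alone cannot be validating anything beyond the username, which is exactly the condition the post describes. With WEAK_QUERY, userB is admitted with a wrong or empty password via the init block while userA is rejected; with CHECKED_QUERY the wrong password fails in both stores.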

keywords: OBIEE 11g security, data level security, initialization blocks, USER session variables, weblogic authenticators

FYI: Overview on Object Level Security, Application Roles, and Inheritance in OBIEE 11g

In Oracle Business Intelligence (OBIEE) 11g, Oracle has fundamentally changed how we map users to various security privileges. In OBIEE 10g, Object Level Security was enforced using the USER session variable, which mapped to a GROUP session variable. This created a list of possible 'groups' to which a developer would then apply security restrictions, either in Answers (Manage Privileges) and/or in Security Manager in the repository.

A high level flow is outlined below:

In OBIEE 11g, security authentication is enforced in the Weblogic Admin Server, and a user's security privileges are tied to their corresponding Application Roles in Fusion Middleware as shown in the diagram below:

The key takeaway is that object level security is applied to application roles and not groups. Why application roles? In WebLogic and Fusion Middleware, we can assign certain privileges to an application role; we call these 'Application Policies'. For example, we can grant a certain application role the ability to 'edit the repository' or 'act as another user'. This feature, not possible in OBIEE 10g, now allows us to not only control which objects are being viewed, but also gives us the capability to control who can execute certain actions within the BI environment. This topic will be discussed in much greater detail in another guide.

Now let's go over the basic rules of Object Level Security for Application Roles in OBIEE 11g:

  • If a user is a direct member of an application role, they will have access to the reports allowed by that application role.
  • If a user is not a member of an application role, they will not have access to the reports allowed by that application role.
  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.
    • unless the user is explicitly denied. Explicit denial supersedes all security privileges.
  • If a user is a member of Application Role X, and Application Role X is a member of Application Role Y, the privileges in Application Role X supersede the privileges of Application Role Y.

Let's cover each scenario in detail:

  • If a user is a direct member of an application role, they will have access to the reports allowed by that application role.
 
In this example, I granted Application Role 'Test Role 1' full control to folder 'Folder 1'. I then logged in as 'testuser1' who is a member of Application Role 'Test Role 1'. And as expected, testuser1 can read/write/edit/delete the folder.


  • If a user is not a member of an application role, they will not have access to the reports allowed by that application role.
In this example, I created 'Folder 2', only accessible by members of the 'BIAdministrator Application Role'. I then logged in as 'testuser1', which is not a member of the 'BIAdministrator Application Role'.

As BIAdministrator:

As testuser1:


Note that in the above scenario, 'denying' the application role access accomplishes the same thing as taking no action on the application role (i.e. ignoring it completely).

  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.

In this example, I created Folder 3, which grants 'read' access to Test Role 1 and 'modify' access to 'Test Role 2'. 'Testuser1' is a member of both 'Test Role 1' and 'Test Role 2'.

 
 

As expected, testuser1 has modify rights to Folder 3 (noted by the 'X', the ability to delete), despite being a member of Test Role 1, which only grants the user read access.


  • If a user is a direct member of two or more application roles with different security privileges for the same reports, the less restrictive security privilege is applied.
    • unless the role is explicitly denied


In this example, TestUser1 is a member of Test Role 1 and Test Role 2 and Test Role 3. Test Role 1 grants testuser1 open rights, Test Role 2 grants testuser1 modify rights and Test Role 3 is explicitly denied.


As expected, testuser1 does not have access to Folder 4 because of Test Role 3.

  • If a user is a member of Application Role X, and Application Role X is a member of Application Role Y, the privileges in Application Role X supersede the privileges of Application Role Y.

In this example, testuser1 is a member of application role 'Test Role 4'. Application role 'Test Role 5' is a member of application Role 'Test Role 4'. Test Role 4 grants 'open' privileges to Folder 5 and Test Role 5 grants 'full control' to Folder 5.

 
As expected, testuser1 only has read/open access to Folder 5 even though Application Role 'Test Role 5' grants full control. This is because direct inheritance overrides indirect inheritance.


Even if the inherited role explicitly denies access to folder 5, the user will still be able to access folder 5 because the direct role grants read/open access:

Note how testuser1 has modify access to Folder 5 (noted by the 'X'), despite inheriting a role that is denied access to the same folder.


These basic rules can be applied to any hierarchy, no matter how complex. Think you've mastered these 4 basic rules? Identify the final privileges for User 1 in the scenario below:

Result:

  • User is a direct member of Role 1 and 2 and indirect member of Role 3, Role 4 and Role 5
  • User has no access to Dashboard A
  • User has open access to Dashboard B
  • User has full control of Dashboard C
  • User has no access to Dashboard E
  • User has open access to Dashboard D
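As an added example (not from the post), the resolver below encodes the four rules in JavaScript so they can be applied mechanically to a hierarchy. It goes slightly beyond the post by treating each extra level of nesting as one step further from the user, which is an assumption of the example. The hierarchy, folders and memberships are constructed to mirror the Test Role scenarios above, not the quiz diagram.

```javascript
// Added example, not from the post: a resolver that applies the post's four
// rules to a constructed role hierarchy and folder permission table.
// Model, following the post's wording: a user is a direct member of some
// application roles; a role listed as a "member" of one of those roles is
// inherited indirectly and sits one level further from the user. The nearest
// level that says anything about a folder decides; within that level an
// explicit deny wins, otherwise the least restrictive grant wins. Treating
// deeper nesting as "further away" is an assumption extending the post's
// direct-vs-indirect rule.

// Privilege ladder; the post's "read" and "open" are the same rung.
var LEVELS = { none: 0, open: 1, modify: 2, full: 3 };

// Constructed hierarchy: role -> roles that are members of it, which the
// user inherits (as with Test Role 5 inside Test Role 4 in the post).
var ROLE_MEMBERS = {
  "Test Role 4": ["Test Role 5"]
};

// Constructed catalog permissions: folder -> role -> grant or "deny".
var FOLDER_ACL = {
  "Folder 1": { "Test Role 1": "full" },
  "Folder 2": { "BIAdministrator": "full" },
  "Folder 3": { "Test Role 1": "open", "Test Role 2": "modify" },
  "Folder 4": { "Test Role 1": "open", "Test Role 2": "modify", "Test Role 3": "deny" },
  "Folder 5": { "Test Role 4": "open", "Test Role 5": "full" },
  "Folder 5 (denied variant)": { "Test Role 4": "open", "Test Role 5": "deny" }
};

// Constructed test user: direct memberships as in the post's examples.
var TESTUSER1_ROLES = ["Test Role 1", "Test Role 2", "Test Role 3", "Test Role 4"];

// Breadth-first walk: direct roles are distance 1, their members 2, and so on.
function roleDistances(directRoles) {
  var dist = {};
  var queue = [];
  directRoles.forEach(function (role) { dist[role] = 1; queue.push(role); });
  while (queue.length > 0) {
    var current = queue.shift();
    (ROLE_MEMBERS[current] || []).forEach(function (member) {
      if (dist[member] === undefined) {
        dist[member] = dist[current] + 1;
        queue.push(member);
      }
    });
  }
  return dist;
}

function effectivePrivilege(directRoles, folder) {
  var dist = roleDistances(directRoles);
  var acl = FOLDER_ACL[folder] || {};
  var byDistance = {};
  Object.keys(acl).forEach(function (role) {
    if (dist[role] === undefined) { return; }            // rule 2: not a member, no effect
    (byDistance[dist[role]] = byDistance[dist[role]] || []).push(acl[role]);
  });
  var levels = Object.keys(byDistance).map(Number).sort(function (a, b) { return a - b; });
  if (levels.length === 0) { return "none"; }
  var entries = byDistance[levels[0]];                   // rule 4: nearest level wins
  if (entries.indexOf("deny") !== -1) { return "none"; } // explicit deny supersedes
  return entries.reduce(function (best, entry) {        // rules 1 and 3: least restrictive
    return LEVELS[entry] > LEVELS[best] ? entry : best;
  }, "none");
}

// Effective privilege on every folder, useful when reviewing a user's access.
function reportPrivileges(directRoles) {
  var report = {};
  Object.keys(FOLDER_ACL).forEach(function (folder) {
    report[folder] = effectivePrivilege(directRoles, folder);
  });
  return report;
}
```

For testuser1 this reproduces the post's results: full control on Folder 1, no access to Folder 2 and Folder 4, modify on Folder 3, and open on Folder 5 in both the full-control and the denied variant of Test Role 5.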

keywords : object level security, obiee security, obiee application roles, obiee 11g security, weblogic application roles, obiee inheritance

How-to: Impersonate or Act As Other Users (e.g. End Users) in OBIEE 11g

In a typical Oracle Business Intelligence (OBIEE) 11g environment, potential defects or data discrepancies arise that require the production support team to investigate the issue. A useful way to research the issue is to have the developer 'act as' the specific end user who is encountering the defect, usually by logging in as their account or an account with similar security rights.

For security reasons, the developer or support team is usually never given the end user's login credentials, so unless they re-create an account with the same privileges, they're unable to 'see what the end user sees'.

In OBIEE 11g Oracle outlines a detailed method for acting as another user through a 'proxy', outlined here.
This process requires pre-configuration and deployment of key tables to facilitate acting as another user, and is not set up 'out of the box'.

Although there is value in setting up the Act As / Proxy functionality (for example, a supervisor wants to delegate some of his work to his direct report), from a development and troubleshooting perspective, impersonation can be achieved by passing the following parameters on the analytics Logon URL:


  • NQUser
  • NQPassword
  • Impersonate
For example:
http://hostname:9704/analytics/saw.dll?Logon&NQUser=Administrator&NQPassword=Administrator&Impersonate=usernametoimpersonate

Before you can use this feature, the appropriate privileges must be added to your Administrator role (usually the BIAdministrator Application Role):

  • oracle.bi.server.impersonateUser
  • oracle.bi.server.queryUserPopulation

Step 1: Navigate to Application Policies in Fusion Middleware (:7001/em/)

Farm_BIFoundation_domain -> Business Intelligence -> coreapplication -> security -> Application Roles


Step 2: Add required roles to Administrator's Application Policies

In the obi_ stripe, click the edit button for the Administrator Application Policy and search for:

  • oracle.bi.server.impersonateUser
  • oracle.bi.server.queryUserPopulation


No restart is required. You can now use:
http://hostname:9704/analytics/saw.dll?Logon&NQUser=Administrator&NQPassword=Administrator&Impersonate=usernametoimpersonate
to act as other end users. You will inherit all application roles as if you were the actual user.


keywords: obiee impersonate, obiee act as, obiee 11g security, obiee 11g answer

Saturday, January 12, 2013

FYI: Maximizing Your Oracle Support and Oracle Documentation for OBIEE 11g

When most OBIEE Architects and Developers encounter a problem or road block, their first solution (assuming they don't know how to resolve the issue) is to use Google to search for error codes, potential solutions, or at least other developers to commiserate with!

An exceptional resource for OBIEE 10g/11g issues that I often see underused or completely ignored is Oracle's Support web site, http://support.oracle.com. Yes, we all use Oracle Support to create trouble tickets, but the Support site offers much more than just the ability to raise defects.

Here are key documents that all Oracle Business Intelligence Architects should follow if they want to stay current with the latest patches, news, quarterly updates, and official Oracle announcements (like Oracle officially dropping Premier Support for OBIEE 10g 10.1.3.4!):


  • Information Center: Business Analytics Index (EPM/BI) [ID 1378677.2]
    • Why: This is the central 'home page' for all of Oracle's Analytics products. You'll have access to the Quarterly BI News Letter, Oracle OBIEE Community, and more.
(Make sure you bookmark all of these using the star icon!)


  • Oracle Business Intelligence Enterprise Edition (OBIEE) Product Information Center (PIC) [ID 1267009.1]
    • Why: This is the starting point for all official Oracle Business Intelligence guides, including troubleshooting, patching, and white papers.
  • Information Center: Oracle Business Intelligence Enterprise Edition (OBIEE) Release 10g and Later [ID 1349983.2]
    • Why: This document aggregates posts from Oracle's OBIEE community, new features and processes, and highlights new articles.
  • The Official Oracle Business Intelligence Enterprise Edition Community - https://communities.oracle.com/portal/server.pt/community/obiee/475
    • Why: This is similar to Oracle's freebie forum http://forums.oracle.com with the exception that there are dedicated Oracle OBIEE Architects who reply to your posts - definitely worth the bookmark!

I also recommend subscribing to Oracle's Hot Topics email for OBIEE as it's another way for you to stay current with OBIEE news if you don't have the time to review the above web sites. You can subscribe as follows:

Navigate to My Oracle Support -> Settings -> Hot Topics E-mail


Then specify the products of your interest. I recommend: Business Intelligence Interactive Dashboard, Business Intelligence Server Administrator, Oracle Business Intelligence Applications Foundation, Oracle Business Intelligence Server Enterprise Edition, Oracle Business Intelligence Suite Enterprise Edition.


Of course, the official Oracle Documentation is another must-have:

How-to: OBIEE 11g Javascript Integration using Action Framework (Browser Script)

One of the powerful features of Oracle's Business Intelligence 11g platform is a concept called 'Action Framework' or 'Actionable Intelligence'. It's useful because for the first time in OBIEE you can integrate external applications, functions or code and invoke it using the front end user interface (Answers).

Although I have seen 'JavaScript or jQuery integration' in OBIEE 10g, the implementation was always 'hacked' together and, of course, was never supported or endorsed by Oracle. In this guide we'll show how you can take any JavaScript or jQuery function and, by using Oracle's supported 'external systems framework', integrate it seamlessly with OBIEE 11g.

Consider the scenario where your source data warehouse or ERP stores employee numbers in an encoded format of base 64. For example, employee number '123456789' is 'MTIzNDU2Nzg5' in base 64.  The requirement you have is to display the decoded employee number in a report. How do we implement this requirement?

Luckily, base 64 encode/decode functions are easily accessible via the internet, so we'll use the code from stackoverflow.com.

The encode function will ultimately end up in the UserScripts.js file located at:
  • <middleware home>/user_projects/domains/bifoundation_domain/servers/bi_server1/tmp/_WL_user/analytics_11.1.1.2.0/<installation dependent folder>/war/res/b_mozilla/actions/UserScripts.js
But we can't just copy and paste, so let's get started.

Step 1: Understand how OBIEE 11g uses action framework to invoke custom javascript functions

OBIEE 11g stores custom JavaScript functions in UserScripts.js. In order to integrate a JavaScript function into UserScripts.js, your function must have:
  • a USERSCRIPT.publish object, which is required to pass the parameters to the target JavaScript function
  • one or more USERSCRIPT.parameter objects (an out-of-the-box constructor), which the Action Framework uses to define the parameters of custom JavaScript functions when creating an action to Invoke a Browser Script. Each parameter object includes a name, a prompt value holding the text to be displayed against the parameter when creating the action, and a default value.
  • a USERSCRIPT.encode function - the actual function we're going to implement


Step 2: Create the USERSCRIPT.encode.publish object

As described above, the USERSCRIPT.encode.publish object takes the USERSCRIPT.parameter objects and declares them for the encode function. Note that publish is a property of the function, so in UserScripts.js this assignment must appear after the USERSCRIPT.encode function from Step 3 has been defined (assigning a property on an undefined function throws an error when the script loads):

USERSCRIPT.encode.publish =
{
 parameters:
 [
  // name, prompt shown in the action editor, default value
  new USERSCRIPT.parameter("employeenumber", "Employee Number", "")
 ]
};


Step 3: Create the actual encode functions

The encode function from Stack Overflow is actually comprised of two functions: 1) the public method for encoding and 2) the private method used for UTF-8 encoding.

USERSCRIPT.encode function:

USERSCRIPT.encode = function(b)
{
 // The Action Framework passes the parameter values in as an object; this
 // loop keeps the last value, which is the actual employee number entered
 var cz = "";
 for (var args in b)
 {
  cz = b[args];
 }
 var output = "";
 var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
 var i = 0;
 var _keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
 var input = USERSCRIPT.UTF8Encode(cz);

 while (i < input.length)
 {
  chr1 = input.charCodeAt(i++);
  chr2 = input.charCodeAt(i++);
  chr3 = input.charCodeAt(i++);

  enc1 = chr1 >> 2;
  enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
  enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
  enc4 = chr3 & 63;

  // Pad the last group with '=' when the input length is not a multiple of 3
  if (isNaN(chr2)) {
   enc3 = enc4 = 64;
  } else if (isNaN(chr3)) {
   enc4 = 64;
  }

  output = output +
   _keyStr.charAt(enc1) + _keyStr.charAt(enc2) +
   _keyStr.charAt(enc3) + _keyStr.charAt(enc4);
 }

 // Display the encoded value to the user
 alert(output);
};

USERSCRIPT.UTF8Encode function:

USERSCRIPT.UTF8Encode = function(b)
{
 // Normalise Windows line endings before encoding
 var str = b.replace(/\r\n/g, "\n");

 var utftext = "";
 for (var n = 0; n < str.length; n++) {
  var c = str.charCodeAt(n);
  if (c < 128)
  {
   // ASCII: one byte
   utftext += String.fromCharCode(c);
  } else if ((c > 127) && (c < 2048)) {
   // Two-byte sequence
   utftext += String.fromCharCode((c >> 6) | 192);
   utftext += String.fromCharCode((c & 63) | 128);
  } else {
   // Three-byte sequence
   utftext += String.fromCharCode((c >> 12) | 224);
   utftext += String.fromCharCode(((c >> 6) & 63) | 128);
   utftext += String.fromCharCode((c & 63) | 128);
  }
 }

 return utftext;
};
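The requirement at the start of this guide was to display the decoded employee number, so as an added example (not code from the post or from Oracle) here is the matching USERSCRIPT.decode action, written to the same publish/parameter structure. It reverses the encoder above with the same alphabet, rejects malformed input instead of silently producing a wrong number, and assigns its publish object only after the function exists. The USERSCRIPT namespace and the USERSCRIPT.parameter constructor are stubbed so the file runs stand-alone; their shape is assumed from the three-argument call on the page, and inside UserScripts.js only the three function definitions and the publish block need to be pasted in.

```javascript
// Added example, not from the post or from Oracle: a USERSCRIPT.decode
// browser-script action that reverses the post's base64 encoder.
// The USERSCRIPT namespace and USERSCRIPT.parameter constructor are assumed
// here so the file runs stand-alone outside OBIEE; in UserScripts.js they
// already exist and these guards do nothing.
var USERSCRIPT = (typeof USERSCRIPT !== "undefined") ? USERSCRIPT : {};
if (typeof USERSCRIPT.parameter !== "function") {
  // Assumed shape, mirroring the three-argument call used on the page.
  USERSCRIPT.parameter = function (name, prompt, defaultValue) {
    this.name = name;
    this.prompt = prompt;
    this.defaultValue = defaultValue;
  };
}

// Inverse of the post's encoder: same alphabet, four characters -> three bytes.
USERSCRIPT.base64Decode = function (input) {
  var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
  var clean = String(input).replace(/\s+/g, "");
  // Reject anything outside the alphabet or mis-padded so a malformed value
  // fails loudly instead of quietly becoming a wrong employee number.
  if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(clean) || clean.length % 4 !== 0) {
    throw new Error("not a valid base64 string: " + input);
  }
  var bytes = "";
  var i = 0;
  while (i < clean.length) {
    var enc1 = keyStr.indexOf(clean.charAt(i++));
    var enc2 = keyStr.indexOf(clean.charAt(i++));
    var enc3 = keyStr.indexOf(clean.charAt(i++));
    var enc4 = keyStr.indexOf(clean.charAt(i++));
    bytes += String.fromCharCode((enc1 << 2) | (enc2 >> 4));
    if (enc3 !== 64) { bytes += String.fromCharCode(((enc2 & 15) << 4) | (enc3 >> 2)); }
    if (enc4 !== 64) { bytes += String.fromCharCode(((enc3 & 3) << 6) | enc4); }
  }
  return bytes;
};

// Inverse of the post's UTF8Encode: one-, two- and three-byte sequences.
USERSCRIPT.UTF8Decode = function (utftext) {
  var str = "";
  var i = 0;
  var c, c2, c3;
  while (i < utftext.length) {
    c = utftext.charCodeAt(i);
    if (c < 128) {
      str += String.fromCharCode(c);
      i += 1;
    } else if (c > 191 && c < 224) {
      c2 = utftext.charCodeAt(i + 1);
      str += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
      i += 2;
    } else {
      c2 = utftext.charCodeAt(i + 1);
      c3 = utftext.charCodeAt(i + 2);
      str += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
      i += 3;
    }
  }
  return str;
};

// The action entry point. The Action Framework hands the parameter values
// over as an object, so (like the post's encode) the last value is taken;
// a plain string is accepted too so the function is easy to test.
USERSCRIPT.decode = function (b) {
  var encoded = b;
  if (typeof b === "object" && b !== null) {
    for (var key in b) { encoded = b[key]; }
  }
  var decoded = USERSCRIPT.UTF8Decode(USERSCRIPT.base64Decode(encoded));
  if (typeof alert === "function") { alert(decoded); } // browser display, as on the page
  return decoded;
};

// Publish block, assigned after the function exists (assigning a property on
// an undefined USERSCRIPT.decode would throw when UserScripts.js loads).
USERSCRIPT.decode.publish = {
  parameters: [
    new USERSCRIPT.parameter("employeenumber", "Encoded Employee Number", "MTIzNDU2Nzg5")
  ]
};
```

With the default value the action shows '123456789'; a value such as 'w6k=' decodes through the two-byte UTF-8 path to 'é', and anything outside the base64 alphabet raises an error rather than displaying a bogus number.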

After this, make sure to restart the Admin Server, Managed Server and OPMN prior to creating the Action in Answers.

Step 4: Create the Action in Answers

In Answers, navigate to New -> Actionable Intelligence -> Action -> Invoke -> Invoke a Browser Script


Click browse and select the USERSCRIPT.encode function:




Since the USERSCRIPT.parameter object was defined with three values, we will need to populate the three fields as follows: object name, prompt value, and default value.


After saving the action, execute it and populate it with a number, or leave it as default 123456789.


And as expected, the base 64 encoding of the number 123456789 is 'MTIzNDU2Nzg5'.


This example only scratches the surface of what's possible with Action Framework and OBIEE 11g. Correctly implemented, you can invoke 3rd party applications or functions (*cough* ETL on demand *cough*), pass data to the ERP source system, integrate a data set with Google Maps, or all of the above.

In future guides we will explain the advanced functionality of Action Framework.

keywords: action framework,  obiee action framework, obiee javascript, obiee actions,  actionable intelligence

Friday, January 11, 2013

How-to: Apply OBIEE 11g Bundle Patch Set (11.1.1.6.6)


Late last year (December 2012) Oracle gave us the pleasure of releasing their newest OBIEE 11g patchset, OBIEE 11.1.1.6.6, just when you had gotten comfortable with version 11.1.1.6.4!

The guide below will outline how to apply the new OBIEE 11g 11.1.1.6.6 patchset assuming your starting point is a prior version on the 11.1.1.6.x platform.

As a reminder, note that the OBIEE 11g patchsets are cumulative, meaning the 11.1.1.6.6 patchset includes all patches from 6.5, 6.4 and earlier.

Step 1) Make sure you have the latest OPatch installed on your machine

Oracle uses the OPatch tool to apply patches to OBIEE 11g, and if you attempt to apply a patch with an outdated OPatch version, you get the following error:

 "The OUI version is not applicable for current OPatch Version"

You can download the latest version of OPatch by searching http://support.oracle.com for 'How To Download And Install The Latest OPatch Version [ID 274526.1]' or by clicking here.

Step 1.1) Extract the OPatch folder to your FMW_HOME/Oracle_BI1 folder. There is most likely an OPatch folder already in there; that is the old version. Archive it, then remove it from the Oracle_BI1 folder and replace it with the OPatch folder you just downloaded.


Step 2) Back Up Critical Folders

Make sure to save the following folders in the event of a failure when applying the patch set:
  • The ORACLE_HOME\bifoundation\server directory
  • The ORACLE_INSTANCE\bifoundation\OracleBIServerComponent\coreapplication_obis1\repository directory
  • The ORACLE_BI_HOME\bifoundation\jee\mapviewer.ear\web.war\WEB_INF\conf\mapViewerConfig.xml file, if you have modified it

Step 3) Shut Down Admin Server, Node Manager, Managed Server and OPMN

The entire WebLogic domain must be shut down prior to applying the patch set.


Step 4) Confirm Key Environment Variables are Set

On Windows: If the Oracle BI Home directory is C:\prod_mwhome\Oracle_BI1, then set the environment variables by entering the following:
  • set ORACLE_HOME=C:\prod_mwhome\Oracle_BI1
  • set PATH=%ORACLE_HOME%\bin;%PATH%
  • set JAVA_HOME=%ORACLE_HOME%\jdk
  • set PATH=%JAVA_HOME%\bin;%PATH%
  • set PATH=%ORACLE_HOME%\OPatch;%PATH%
Step 5) Download 11.1.1.6.6 Patch Set

The quickest way to do this is by navigating to the 'Patches & Updates' tab on support.oracle.com and using the 'Product or Family (advanced)' search feature to download the patch set for your specific OS:


Make sure you check 'Include all products in a family'!

Step 6) Unzip the patch set into  your $FMW_HOME/Oracle_BI1 folder

There should be 7 folders, one for each patch:

  • 15844023 - Patch 11.1.1.6.6 (1 of 7) Oracle Business Intelligence Installer
  • 15844066 - Patch 11.1.1.6.6 (2 of 7) Oracle Real Time Decisions
  • 14800665 - Patch 11.1.1.6.6 (3 of 7) Oracle Business Intelligence Publisher
  • 15843961 - Patch 11.1.1.6.6 (4 of 7) Oracle Business Intelligence ADF Components
  • 15844096 - Patch 11.1.1.6.6 (5 of 7) Enterprise Performance Management Components Installed from BI Installer 11.1.1.6.x
  • 14791926 - Patch 11.1.1.6.6 (6 of 7) Oracle Business Intelligence
  • 15839347 - Patch 11.1.1.6.6 (7 of 7) Oracle Business Intelligence Platform Client Installers and MapViewer

Step 7) Remove Catalog Manager Cache Files (if they exist)
  • On Linux, AIX, or Solaris: If the Oracle BI Home directory is prod_mwhome/Oracle_BI1, then go to the following directory: prod_mwhome/Oracle_BI1/bifoundation/web/catalogmanager/configuration/
  • On Windows: If the Oracle Home directory is C:\prod_mwhome\Oracle_BI1, then go to the following directory: C:\prod_mwhome\Oracle_BI1\bifoundation\web\catalogmanager\configuration\
and remove the following files:

org.eclipse.osgi
org.eclipse.equinox.app

Step 8) Apply the 7 patches in the 11.1.1.6.6 patch set

It is important that you apply the patches in the following order:

  • 15844023 - Patch 11.1.1.6.6 (1 of 7) Oracle Business Intelligence Installer
  • 15844066 - Patch 11.1.1.6.6 (2 of 7) Oracle Real Time Decisions
  • 14800665 - Patch 11.1.1.6.6 (3 of 7) Oracle Business Intelligence Publisher
  • 15843961 - Patch 11.1.1.6.6 (4 of 7) Oracle Business Intelligence ADF Components
  • 15844096 - Patch 11.1.1.6.6 (5 of 7) Enterprise Performance Management Components Installed from BI Installer 11.1.1.6.x
  • 14791926 - Patch 11.1.1.6.6 (6 of 7) Oracle Business Intelligence
  • 15839347 - Patch 11.1.1.6.6 (7 of 7) Oracle Business Intelligence Platform Client Installers and MapViewer

Navigate into each folder and run the following command: opatch apply. The command should execute without error as shown below:


Step 9) Download the JDeveloper Patch

The Oracle reference document '[ID 1488475.1] OBIEE 11g Required and Recommended Patch Sets' on http://support.oracle.com indicates that for the 11.1.1.6.6 patch set you need to download and apply JDeveloper patch 13952743, which is not included in the core 7 patches. Make sure to download 13952743 and unzip it to your $FMW_HOME/Oracle_BI1 folder as well.

Step 10) Update Environment Variables for the JDeveloper Patch

You'll need to change your environment variables for this patch as follows:

ORACLE_HOME = FMW_HOME/oracle_common (instead of FMW_HOME/Oracle_BI1)

Step 11) Apply the JDeveloper Patch

Run the same opatch apply command, making sure you navigate to the 13952743 folder first!

Step 12) Validate all patches have been applied

Execute the following command: opatch lsinventory. All 8 patches should be listed.

Step 13) Validate Version in Answers

After starting your Admin Server, Node Manager, Managed Server and OPMN services, navigate to the Administration tab in Answers to view the new version:


Potential Issue: Conflict with previous patches

In my earlier post I outlined how to apply an individual patch to resolve bug 1467168.1 (multiple pie charts error) by applying patch 14003822.
If you've applied any individual patch and then later try to apply a bundle patch, you'll get the following error:

The error indicates there is a conflict between the original patch and the 11.1.1.6.6 bundle patch. Go ahead and override the original patch with the new 11.1.1.6.6 patch set. This new patch set also includes any one-off patches you've applied, so it's safe to override.


keywords: obiee 11g upgrade, obiee upgrade, upgrade assistant, opatch, 11.1.1.6.6, how to install obiee 11g