OBIEE Automation User and Folder Security


1 OBIEE Automation User and Folder Security

2 Use Case 1 – Role & Folder Per Entity
Several entities (departments, organisations, etc.) will use OBIEE. Each entity needs its own shared folder, and each user within an entity needs a personal folder as well.

3 Use Case 1 – Create User Key Files
Create a user configuration file and an associated key file to store encrypted authentication credentials, so that the automation scripts never carry the WebLogic password in clear text. Log in to WebLogic with WLST and run:

    storeUserConfig(userConfigFile, userKeyFile, [nm])

Arguments:
    userConfigFile  Name of the file in which to store the user configuration. The filename can be absolute or relative to the directory from which you enter the command.
    userKeyFile     Name of the file in which to store the key information associated with the user configuration file you specify. The pathname can be absolute or relative to the directory from which you enter the command.
    nm              Optional. Boolean value specifying whether to store the username and password for Node Manager or for WebLogic Server. If set to true, the Node Manager username and password are stored. Defaults to false.

4 Use Case 1: Create User
Create User (create_user.py):

    import sys
    import socket

    # Connect to the AdminServer with the credentials saved by storeUserConfig
    url = 't3://' + socket.gethostname() + ':7001'
    user = sys.argv[1]
    user_pass = sys.argv[2]
    user_desc = sys.argv[3]
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    # Idempotent: leave an existing account untouched
    if atnr.userExists(user):
        exit()
    else:
        atnr.createUser(user, user_pass, user_desc)

Call:

    /path/to/wlst.sh /path/to/create_user.py user user_pass user_desc

5 Use Case 1: Role Exists
Get Roles (list_roles.py):

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    listAppRoles(appStripe='[replace with application stripe name]')

Call:

    /path/to/wlst.sh /path/to/list_roles.py >> roles.txt

Parse for the 'Principal Name' value:

    grep 'Principal Name' roles.txt | awk -F':' '{print $3}' | awk -F',' '{print $1}'

6 Use Case 1: Role Exists
Get Roles (use the existing script):

    /oracle/middleware/oracle_common/common/bin/wlst.sh /oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/common/wlstscripts/listAppRoles.py -appStripe [replace with your app stripe name]

7 Use Case 1: Create Role
Create Role (script.py):

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    # createAppRole raises if the role already exists; ignore that so the script is idempotent
    try:
        createAppRole(appStripe='[replace with application stripe name]', appRoleName=sys.argv[1])
    except:
        pass
    exit()

Call:

    /path/to/wlst.sh /path/to/script.py role_name

8 Use Case 1: Add User to Role
Add User to Role (user_to_role.py):

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    # grantAppRole(appStripe, appRoleName, principalClass, principalName); ignore "already granted"
    try:
        grantAppRole('[replace with application stripe name]', sys.argv[1], "weblogic.security.principal.WLSUserImpl", sys.argv[2])
    except:
        pass
    exit()

Call:

    /path/to/wlst.sh /path/to/user_to_role.py role_name user_name

9 Use Case 1: Web Service Session
SAWSessionService.logon:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:logon>
          <v6:name>{User}</v6:name>
          <v6:password>{Pass}</v6:password>
        </v6:logon>
      </soapenv:Body>
    </soapenv:Envelope>

Access the WSDL at: host:9704/analytics/saw.dll?wsdl

10 Use Case 1: Create Folder
WebCatalogService.createFolder:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:createFolder>
          <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
          <v6:createIfNotExists>1</v6:createIfNotExists>
          <v6:createIntermediateDirs>0</v6:createIntermediateDirs>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:createFolder>
      </soapenv:Body>
    </soapenv:Envelope>

11 Use Case 1: Remove Inherited Folder Perms
WebCatalogService.updateCatalogItemACL (updateFlag 2 removes the named account from the folder's ACL):

    <v6:updateCatalogItemACL>
      <!--1 or more repetitions:-->
      <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
      <v6:acl>
        <!--Optional:-->
        <v6:dummy></v6:dummy>
        <!--Zero or more repetitions:-->
        <v6:accessControlTokens>
          <v6:account>
            <v6:name>{Replace with Role Name}</v6:name>
            <v6:accountType>4</v6:accountType>
            <v6:guid>{Replace with Role Name}</v6:guid>
          </v6:account>
          <v6:permissionMask></v6:permissionMask>
        </v6:accessControlTokens>
      </v6:acl>
      <v6:options>
        <v6:updateFlag>2</v6:updateFlag>
        <v6:recursive>0</v6:recursive>
      </v6:options>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:updateCatalogItemACL>

12 Use Case 1: Add Role to Folder
WebCatalogService.updateCatalogItemACL (updateFlag 1 sets the privileges of the named account only):

    <v6:updateCatalogItemACL>
      <!--1 or more repetitions:-->
      <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
      <v6:acl>
        <!--Optional:-->
        <v6:dummy></v6:dummy>
        <!--Zero or more repetitions:-->
        <v6:accessControlTokens>
          <v6:account>
            <v6:name>{Replace with Role Name}</v6:name>
            <v6:accountType>4</v6:accountType>
            <v6:guid>{Replace with Role Name}</v6:guid>
          </v6:account>
          <v6:permissionMask>{ADD Permissions MASK}</v6:permissionMask>
        </v6:accessControlTokens>
      </v6:acl>
      <v6:options>
        <v6:updateFlag>1</v6:updateFlag>
        <v6:recursive>0</v6:recursive>
      </v6:options>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:updateCatalogItemACL>

13 Use Case 1: Add Role to Folder
WebCatalogService.updateCatalogItemACL:

    <v6:accountType>4</v6:accountType>
    <v6:permissionMask>{ADD Permissions MASK*}</v6:permissionMask>
    <v6:updateFlag>1</v6:updateFlag>

* From the WSDL, the permissionMask value is a combination (sum) of the following flags:
    1     permission to read an item's content
    2     permission to traverse a directory
    4     permission to change an item's content
    8     permission to delete an item
    16    permission to assign permissions to others
    32    can take ownership of the item
    2048  permission to run a Publisher report live
    4096  permission to schedule a Publisher report
    8192  permission to view the output of a Publisher report

updateFlag values (as listed in the service's "Invalid ACL update flag. Valid values are:" error message):
    0  replace ACL
    1  replace privileges only for the mentioned accounts
    2  delete the mentioned accounts from the item's ACL

accountType values:
    0  user
    1  group
    4  role
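The flag tables above can be turned into a small helper that composes a least-privilege permissionMask, decodes a mask back into permission names for audit output, and builds the updateCatalogItemACL body with the matching accountType and updateFlag. This is an added Python example, not code from the presentation; the function names and the sample path, role name and session id are assumptions.

```python
import xml.etree.ElementTree as ET

# Flag values exactly as listed on the slide (from the WebCatalogService WSDL)
PERMISSION_FLAGS = {
    "read": 1, "traverse": 2, "change": 4, "delete": 8,
    "assign_permissions": 16, "take_ownership": 32,
    "run_publisher_report": 2048, "schedule_publisher_report": 4096,
    "view_publisher_output": 8192,
}
UPDATE_FLAGS = {"replace_acl": 0, "replace_privileges": 1, "delete_accounts": 2}
ACCOUNT_TYPES = {"user": 0, "group": 1, "role": 4}
NS = "urn://oracle.bi.webservices/v6"


def permission_mask(*names):
    """OR the named permissions into one permissionMask; an unknown name raises KeyError."""
    mask = 0
    for name in names:
        mask |= PERMISSION_FLAGS[name]
    return mask


def decode_mask(mask):
    """Expand a permissionMask into the sorted permission names it grants (audit output)."""
    return sorted(name for name, bit in PERMISSION_FLAGS.items() if mask & bit)


def _q(tag):
    return "{%s}%s" % (NS, tag)


def build_acl_update(path, account_name, account_type, mask, update_flag, session_id):
    """Build the <v6:updateCatalogItemACL> body for one account on one catalog path.

    account_type and update_flag are the names from the tables above; the guid is
    set to the account name, as on the slide; recursive stays 0 (this folder only)."""
    ET.register_namespace("v6", NS)
    root = ET.Element(_q("updateCatalogItemACL"))
    ET.SubElement(root, _q("path")).text = path
    token = ET.SubElement(ET.SubElement(root, _q("acl")), _q("accessControlTokens"))
    account = ET.SubElement(token, _q("account"))
    ET.SubElement(account, _q("name")).text = account_name
    ET.SubElement(account, _q("accountType")).text = str(ACCOUNT_TYPES[account_type])
    ET.SubElement(account, _q("guid")).text = account_name
    ET.SubElement(token, _q("permissionMask")).text = str(mask)
    options = ET.SubElement(root, _q("options"))
    ET.SubElement(options, _q("updateFlag")).text = str(UPDATE_FLAGS[update_flag])
    ET.SubElement(options, _q("recursive")).text = "0"
    ET.SubElement(root, _q("sessionID")).text = session_id
    return ET.tostring(root, encoding="unicode")
```

A read-plus-traverse mask (1 + 2 = 3) is enough for a role that should only open the folder and its reports; adding 16 or 32 lets members re-grant or take over the folder, so those bits deserve a deliberate decision.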

14 Use Case 2 – Training Users
The training department needs 50 training users for each business day of the week. The password of each user needs to be reset after one week.

15 Use Case 2: User Exists Alternative
SecurityService.getAccounts:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:getAccounts>
          <!--1 or more repetitions:-->
          <v6:account>
            <!--Optional:-->
            <v6:name>*Training*</v6:name>
            <v6:accountType>0</v6:accountType>
            <v6:guid></v6:guid>
          </v6:account>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:getAccounts>
      </soapenv:Body>
    </soapenv:Envelope>

Compare the results with the users you want to add.

16 Use Case 2: Reset Users
User Expired:
Use a regular expression to compare the day number in the username with the day from a date object or sysdate. For example:

    ^([0-9]{1,2})(Training[0-9]{1,2})

Compare the first capture group (1, 2, 3, 4, 5) to the day of the week from the date object.

Change Password (arguments: user, old password, new password):

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    user_number = sys.argv[1]
    old_pass = sys.argv[2]
    new_pass = sys.argv[3]
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    atnr.changeUserPassword(user_number, old_pass, new_pass)
    exit()

Clear User Folder (replace "user" with the account's catalog folder name; the path is removed recursively, so verify it before running):

    rm -rf /path/to/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/root/users/user/*
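An added Python example (not from the presentation) of the username-to-weekday comparison described above: it applies the slide's regular expression to a constructed account list and returns only the training users whose day number matches the current business day, so the password reset and folder clear only touch those accounts. Function names and the sample usernames are assumptions.

```python
import re
from datetime import date

# Naming scheme from the slide: <business-day-number>Training<user-number>,
# e.g. "3Training07" is training user 07 for business day 3 (Wednesday).
TRAINING_USER_RE = re.compile(r"^([0-9]{1,2})(Training[0-9]{1,2})$")

# Constructed sample, shaped like the names getAccounts returns for *Training*
SAMPLE_ACCOUNTS = ["1Training01", "3Training07", "3Training12",
                   "5Training03", "13Training02", "weblogic"]


def business_day_number(day):
    """1..5 for Monday..Friday, None at the weekend (no training users are due)."""
    n = day.isoweekday()           # Monday == 1 ... Sunday == 7
    return n if n <= 5 else None


def users_to_reset(usernames, today):
    """Training users whose day number matches today's business day.

    Only these accounts get the changeUserPassword call and the catalog-folder
    clear; names that do not match the scheme, or that carry an out-of-range
    day such as 13, are left untouched."""
    day = business_day_number(today)
    if day is None:
        return []
    due = []
    for name in usernames:
        match = TRAINING_USER_RE.match(name)
        if match and int(match.group(1)) == day:
            due.append(name)
    return due


def users_to_reset_on(usernames, iso_date):
    """Same check for a date given as 'YYYY-MM-DD' (handy from a cron wrapper)."""
    return users_to_reset(usernames, date.fromisoformat(iso_date))


if __name__ == "__main__":
    # Print today's batch; a wrapper would pass each name to the WLST script
    print(users_to_reset(SAMPLE_ACCOUNTS, date.today()))
```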

17 Use Case 3: RPD QA
Use Case 3:
To improve product quality, the QA or development team wants repeatable automated tests run per RPD release. Tests need to be added per iteration to account for changes or additions. Previously built tests are run in the automated suite to validate that unchanged objects still contain the proper logic.

18 Use Case 3: RPD Output
XmlViewService.executeXMLQuery:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:executeXMLQuery>
          <v6:report>
            <v6:reportPath>/path/to/folder name/report name</v6:reportPath>
          </v6:report>
          <v6:outputFormat>SAW_ROWSET_SCHEMA_AND_DATA</v6:outputFormat>
          <v6:executionOptions>
            <v6:async>false</v6:async>
            <v6:maxRowsPerPage>10</v6:maxRowsPerPage>
            <v6:refresh>true</v6:refresh>
            <v6:presentationInfo>false</v6:presentationInfo>
          </v6:executionOptions>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:executeXMLQuery>
      </soapenv:Body>
    </soapenv:Envelope>

19 Use Case 3: RPD Output
Returned XML:
To get this data we have gone through all the logic in the RPD that a request through a URL would go through (initialization blocks, identity manager, session variables, BMM layer logic, etc.).

    <sawsoap:rowset xsi:type="xsd:string"><![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
      <Row><Column0>Baz</Column0></Row>
      <Row><Column0>Bar</Column0></Row>
      <Row><Column0>Foo</Column0></Row>
    </rowset>]]></sawsoap:rowset>

Use an XML parser to get just the values, or transform the values returned from the database into XML for comparison.
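An added Python example, not part of the presentation, of the final step: parsing the CDATA-wrapped rowset out of an executeXMLQuery response and comparing the Column0 values with an expected set (for instance the result of a direct database query) so a QA run can assert on the RPD output. The response text is constructed to match the slide's shape; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAW_NS = "urn://oracle.bi.webservices/v6"
ROWSET_NS = "urn:schemas-microsoft-com:xml-analysis:rowset"

# Constructed response fragment, shaped like the slide's returned XML (three Column0 rows)
SAMPLE_RESPONSE = """<sawsoap:return xmlns:sawsoap="urn://oracle.bi.webservices/v6"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sawsoap:rowset xsi:type="xsd:string"><![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
  <Row><Column0>Baz</Column0></Row>
  <Row><Column0>Bar</Column0></Row>
  <Row><Column0>Foo</Column0></Row>
</rowset>]]></sawsoap:rowset>
</sawsoap:return>"""


def extract_rows(response_xml):
    """Return the rowset as a list of {column: value} dicts.

    The rowset arrives as a string inside CDATA, so it is parsed twice: once to
    reach the sawsoap:rowset element, once to parse the XML held in its text."""
    outer = ET.fromstring(response_xml)
    holder = next(outer.iter("{%s}rowset" % SAW_NS))
    inner = ET.fromstring(holder.text)
    rows = []
    for row in inner.iter("{%s}Row" % ROWSET_NS):
        rows.append({col.tag.split("}", 1)[1]: (col.text or "") for col in row})
    return rows


def column_values(rows, column):
    """Just the values of one column, in the order the rows were returned."""
    return [row.get(column) for row in rows]


def compare_with_expected(rows, column, expected):
    """Order-insensitive check of RPD output against expected values (e.g. from a
    direct database query). Returns (missing, unexpected); both empty means pass."""
    actual = set(column_values(rows, column))
    expected = set(expected)
    return sorted(expected - actual), sorted(actual - expected)
```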

20 References
    WLST Commands
    WebLogic Server API Reference
    Example of SecurityConfigurationMBean
    MBean Reference
    Web Service Structures

21 Evaluate this session
Session Evaluation Number: 7

