OBIEE Automation User and Folder Security

Use Case 1 – Role & Folder Per Entity

Several entities (departments, organizations, etc.) will use OBIEE. Each entity needs its own shared folder, and each user within an entity needs a personal folder as well. The automation therefore has to create users, create an application role per entity, grant users to that role, create the folder, strip the permissions the folder inherits, and grant the entity's role on the folder.

Use Case 1 – Create User Key Files

Create a user configuration file and an associated key file that store the WebLogic credentials in encrypted form, so that the scripts below can connect without a password on the command line. Log in to WebLogic with WLST and run:

    storeUserConfig(userConfigFile, userKeyFile, [nm])

Arguments:

- userConfigFile: Name of the file to store the user configuration. The filename can be absolute or relative to the directory from which you enter the command.
- userKeyFile: Name of the file to store the key information that is associated with the user configuration file. The pathname can be absolute or relative to the directory from which you enter the command.
- nm: Optional. Boolean value specifying whether to store the username and password for Node Manager (true) or for WebLogic Server (false). Defaults to false.

Anyone who can read both files can connect as that user, so keep them owned by the automation account with restrictive permissions (mode 600) and outside any world-readable or web-served directory.

Use Case 1: Create User

create_user.py:

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    user = sys.argv[1]
    user_pass = sys.argv[2]
    user_desc = sys.argv[3]

    # credentials come from the files written by storeUserConfig()
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    if not atnr.userExists(user):
        atnr.createUser(user, user_pass, user_desc)
    exit()

Call:

    /path/to/wlst.sh /path/to/create_user.py user user_pass user_desc

The new user's password is passed as a command-line argument, so it is visible in process listings and in the shell history of the host. Prefer reading it from a file with restrictive permissions or from standard input.

Use Case 1: Role Exists

list_roles.py:

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    listAppRoles(appStripe='[replace with application stripe name]')
    exit()

Call:

    /path/to/wlst.sh /path/to/list_roles.py > roles.txt

Write with > rather than >>; appending leaves roles from earlier runs in the file, so a role deleted since would still appear to exist.

Parse for the 'Principal Name' value:

    grep 'Principal Name' roles.txt | awk -F':' '{print $3}' | awk -F',' '{print $1}'

Use Case 1: Role Exists

Get roles using the script shipped with OPSS instead of writing your own:

    /oracle/middleware/oracle_common/common/bin/wlst.sh \
      /oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/common/wlstscripts/listAppRoles.py \
      -appStripe [replace with your app stripe name]
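The grep/awk pipeline above matches substrings, so searching for a role named BIAuth would also report BIAuthor as existing. The following is an added example (not code from the presentation) that parses the same listAppRoles output in Python and checks for an exact name. The sample lines are constructed to follow the `[Principal Clz Name : ..., Principal Name : X, Type : ...]` layout that the slide's awk field numbers assume; they were not captured from a real domain.

```python
"""Parse WLST listAppRoles output and check for an exact role name (added example)."""
import re

# One "Principal Name : <value>" field per role line, terminated by the next comma or ']'
PRINCIPAL_NAME = re.compile(r"Principal Name\s*:\s*([^,\]]+)")

# Constructed sample of roles.txt; layout assumed from the slide's awk pipeline
SAMPLE_ROLES_TXT = """\
[Principal Clz Name : oracle.security.jps.service.policystore.ApplicationRole, Principal Name : BIAdministrator, Type : APP_ROLE]
[Principal Clz Name : oracle.security.jps.service.policystore.ApplicationRole, Principal Name : BIAuthor, Type : APP_ROLE]
[Principal Clz Name : oracle.security.jps.service.policystore.ApplicationRole, Principal Name : FinanceRole, Type : APP_ROLE]
"""


def principal_names(roles_txt):
    """Return the set of Principal Name values found in listAppRoles output."""
    return {m.group(1).strip() for m in PRINCIPAL_NAME.finditer(roles_txt)}


def role_exists(roles_txt, role_name):
    """True only for an exact match, so 'BIAuth' does not count as 'BIAuthor'."""
    return role_name in principal_names(roles_txt)


if __name__ == "__main__":
    for name in ("BIAuthor", "BIAuth"):
        print(name, role_exists(SAMPLE_ROLES_TXT, name))
```

Run it against the real file with `role_exists(open('roles.txt').read(), 'FinanceRole')` before deciding whether the create-role step is needed.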

Use Case 1: Create Role

create_role.py:

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    try:
        createAppRole(appStripe='[replace with application stripe name]', appRoleName=sys.argv[1])
    except:
        # createAppRole raises if the role already exists or the stripe is wrong;
        # report the reason rather than silently passing
        print 'createAppRole failed: ' + str(sys.exc_info()[1])
    exit()

Call:

    /path/to/wlst.sh /path/to/create_role.py role_name

The original slide also looked up the DefaultAuthenticator via lookupAuthorizer(); that value is never used by createAppRole (and DefaultAuthenticator is an authentication provider, not an authorizer), so the lookup is dropped here.

Use Case 1: Add User to Role

user_to_role.py:

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    try:
        # grantAppRole(appStripe, appRoleName, principalClass, principalName)
        grantAppRole('[replace with application stripe name]', sys.argv[1],
                     'weblogic.security.principal.WLSUserImpl', sys.argv[2])
    except:
        # fails if the grant already exists or the role/user is unknown; say so
        print 'grantAppRole failed: ' + str(sys.exc_info()[1])
    exit()

Call:

    /path/to/wlst.sh /path/to/user_to_role.py role_name user_name

Use Case 1: Web Service Session

SAWSessionService.logon:

    <soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:v6='urn://oracle.bi.webservices/v6'>
      <soapenv:Header/>
      <soapenv:Body>
        <v6:logon>
          <v6:name>{User}</v6:name>
          <v6:password>{Pass}</v6:password>
        </v6:logon>
      </soapenv:Body>
    </soapenv:Envelope>

Access the WSDL at: host:9704/analytics/saw.dll?wsdl

The sessionID returned by logon is passed to every catalog call that follows. The credentials travel in the request body, so call the service over HTTPS, use a dedicated automation account that holds only the catalog privileges it needs, and call SAWSessionService.logoff when the run finishes so the session does not stay open.

Use Case 1: Create Folder

WebCatalogService.createFolder:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:createFolder>
          <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
          <v6:createIfNotExists>1</v6:createIfNotExists>
          <v6:createIntermediateDirs>0</v6:createIntermediateDirs>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:createFolder>
      </soapenv:Body>
    </soapenv:Envelope>

Use Case 1: Remove Inherited Folder Perms

A new folder under /shared starts with the ACL entries inherited from /shared. With updateFlag 2 the accounts listed in the request are deleted from the folder's ACL, so list each inherited role or group that should not keep access to the entity's folder. permissionMask can be left empty because the account is being removed, not granted anything.

WebCatalogService.updateCatalogItemACL:

    <v6:updateCatalogItemACL>
      <!--1 or more repetitions:-->
      <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
      <v6:acl>
        <!--Optional:-->
        <v6:dummy></v6:dummy>
        <!--Zero or more repetitions:-->
        <v6:accessControlTokens>
          <v6:account>
            <v6:name>{Replace with Role Name}</v6:name>
            <v6:accountType>4</v6:accountType>
            <v6:guid>{Replace with Role Name}</v6:guid>
          </v6:account>
          <v6:permissionMask></v6:permissionMask>
        </v6:accessControlTokens>
      </v6:acl>
      <v6:options>
        <v6:updateFlag>2</v6:updateFlag>
        <v6:recursive>0</v6:recursive>
      </v6:options>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:updateCatalogItemACL>

Use Case 1: Add Role to Folder

Same call, but with updateFlag 1 (replace privileges only for the accounts mentioned) and a permissionMask that grants the entity's role what it needs on the folder.

WebCatalogService.updateCatalogItemACL:

    <v6:updateCatalogItemACL>
      <!--1 or more repetitions:-->
      <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
      <v6:acl>
        <!--Optional:-->
        <v6:dummy></v6:dummy>
        <!--Zero or more repetitions:-->
        <v6:accessControlTokens>
          <v6:account>
            <v6:name>{Replace with Role Name}</v6:name>
            <v6:accountType>4</v6:accountType>
            <v6:guid>{Replace with Role Name}</v6:guid>
          </v6:account>
          <v6:permissionMask>{ADD Permissions MASK}</v6:permissionMask>
        </v6:accessControlTokens>
      </v6:acl>
      <v6:options>
        <v6:updateFlag>1</v6:updateFlag>
        <v6:recursive>0</v6:recursive>
      </v6:options>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:updateCatalogItemACL>

Use Case 1: Add Role to Folder (field values)

WebCatalogService.updateCatalogItemACL, the three fields that control the grant:

    <v6:accountType>4</v6:accountType>
    <v6:permissionMask>{ADD Permissions MASK*}</v6:permissionMask>
    <v6:updateFlag>1</v6:updateFlag>

From the WSDL, permissionMask is a combination (bitwise OR) of the following flags:

- 1: permission to read the item's content
- 2: permission to traverse a directory
- 4: permission to change the item's content
- 8: permission to delete an item
- 16: permission to assign permissions to others
- 32: can take ownership of the item
- 2048: permission to run a publisher report live
- 4096: permission to schedule a publisher report
- 8192: permission to view output of a publisher report

updateFlag values:

- 0: replace the ACL
- 1: replace privileges only for the mentioned accounts
- 2: delete the mentioned accounts from the item's ACL

accountType values:

- 0: user
- 1: group
- 4: role
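The two updateCatalogItemACL requests above differ only in updateFlag and permissionMask, and the folder and role names are spliced into XML. The following is an added example (not code from the presentation) that composes the mask from the WSDL flag values and builds the request with an XML library so that a folder or role name containing `<`, `&` or quotes is escaped instead of corrupting the envelope. The flag, updateFlag and accountType values are the ones listed on the slide; the check that the path starts with /shared/ is this example's own assumption, as is passing the role name as guid (which the slides do).

```python
"""Build updateCatalogItemACL envelopes for OBIEE 11g (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BI_NS = "urn://oracle.bi.webservices/v6"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("v6", BI_NS)

# permissionMask flag values from the WSDL, as listed on the slide
PERMISSION_FLAGS = {
    "read": 1, "traverse": 2, "change": 4, "delete": 8,
    "assign_permissions": 16, "take_ownership": 32,
    "run_publisher_report": 2048, "schedule_publisher_report": 4096,
    "view_publisher_output": 8192,
}
ACCOUNT_TYPE = {"user": 0, "group": 1, "role": 4}
UPDATE_FLAG = {"replace_acl": 0, "replace_for_accounts": 1, "delete_accounts": 2}


def permission_mask(*names):
    """OR the named flags into one permissionMask value (KeyError on a typo)."""
    mask = 0
    for name in names:
        mask |= PERMISSION_FLAGS[name]
    return mask


def decode_permission_mask(mask):
    """Flag names set in a mask; rejects bits the WSDL does not define."""
    known = 0
    for bit in PERMISSION_FLAGS.values():
        known |= bit
    if mask & ~known:
        raise ValueError("unknown permission bits: %d" % (mask & ~known))
    return [name for name, bit in PERMISSION_FLAGS.items() if mask & bit]


def _v6(tag, text=None):
    """Element in the v6 namespace; text is escaped by the serializer."""
    el = ET.Element("{%s}%s" % (BI_NS, tag))
    if text is not None:
        el.text = str(text)
    return el


def build_update_acl_envelope(path, account_name, mask, session_id,
                              account_type="role",
                              update_flag="replace_for_accounts",
                              recursive=False):
    """Return the SOAP envelope as a string. mask=None leaves permissionMask empty
    (the form the slide uses when deleting an account with updateFlag 2)."""
    if not path.startswith("/shared/"):
        # assumption of this example: only shared folders are automated
        raise ValueError("expected a /shared/... catalog path, got %r" % path)
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    ET.SubElement(env, "{%s}Header" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    call = ET.SubElement(body, "{%s}updateCatalogItemACL" % BI_NS)
    call.append(_v6("path", path))
    acl = ET.SubElement(call, "{%s}acl" % BI_NS)
    token = ET.SubElement(acl, "{%s}accessControlTokens" % BI_NS)
    account = ET.SubElement(token, "{%s}account" % BI_NS)
    account.append(_v6("name", account_name))
    account.append(_v6("accountType", ACCOUNT_TYPE[account_type]))
    account.append(_v6("guid", account_name))  # slides pass the role name as guid
    token.append(_v6("permissionMask", mask))
    options = ET.SubElement(call, "{%s}options" % BI_NS)
    options.append(_v6("updateFlag", UPDATE_FLAG[update_flag]))
    options.append(_v6("recursive", 1 if recursive else 0))
    call.append(_v6("sessionID", session_id))
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    # grant read + traverse on a folder whose name would break string templating
    print(build_update_acl_envelope("/shared/Finance <Q1>", "FinanceRole",
                                    permission_mask("read", "traverse"), "sess-1"))
    # drop an inherited account from the same folder's ACL
    print(build_update_acl_envelope("/shared/Finance <Q1>", "BIConsumer", None,
                                    "sess-1", update_flag="delete_accounts"))
```

Decoding a mask before sending it is a cheap review step: a mask that includes 16 (assign permissions) or 32 (take ownership) lets the entity's role re-grant the folder to anyone, which is rarely what a per-entity folder policy intends.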

Use Case 2 – Training Users

The training department needs 50 training users for each business day of the week. Each user's password needs to be reset after one week.

Use Case 2: User Exists Alternative

SecurityService.getAccounts (name accepts a wildcard pattern):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:getAccounts>
          <!--1 or more repetitions:-->
          <v6:account>
            <!--Optional:-->
            <v6:name>*Training*</v6:name>
            <v6:accountType>0</v6:accountType>
            <v6:guid></v6:guid>
          </v6:account>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:getAccounts>
      </soapenv:Body>
    </soapenv:Envelope>

Compare the results with the users you want to add.

Use Case 2: Reset Users

User expired: use a regular expression to compare the day encoded in the username with the day of the week taken from a date object or sysdate. For example:

    ^([0-9]{1,2})(Training[0-9]{1,2})

Compare the first capture group (1 to 5) with the day of the week from the date object.

Change password (change_password.py):

    import sys
    import socket

    url = 't3://' + socket.gethostname() + ':7001'
    user_name = sys.argv[1]
    old_pass = sys.argv[2]
    new_pass = sys.argv[3]
    connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)
    atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
    atnr.changeUserPassword(user_name, old_pass, new_pass)
    exit()

Call:

    /path/to/wlst.sh /path/to/change_password.py user_name old_pass new_pass

Both passwords are on the command line here (see the note under Create User). Because the automation account is an administrator, the authenticator's resetUserPassword(userName, newPassword) can be used instead, which removes the need to keep the old password anywhere.

Clear the user's catalog folder:

    rm -rf /path/to/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/root/users/user/*

Before the rm runs, make sure the user component of the path is the matched training username and never empty, a wildcard, or "..": with an empty value the command removes every user's folder under catalog/root/users.
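The reset step has three parts the slide describes in prose: match the weekday digit in the username against today's weekday, choose a new password, and locate the user's catalog folder for cleanup. The following is an added example (not code from the presentation) that does all three in plain Python. It assumes, as the slide implies, that the leading digit 1..5 maps to Monday..Friday (ISO weekday numbering) and that only names matching the slide's pattern are training users; the regex is anchored at the end as well so "3Training12x" is rejected. Passwords come from the secrets module rather than from anything derived from the username or date.

```python
"""Select expired training users, generate replacement passwords and resolve
their catalog folders safely (added example)."""
import datetime
import posixpath
import re
import secrets
import string

# Slide's pattern with a terminal anchor: <weekday 1-2 digits>Training<1-2 digits>
TRAINING_USER = re.compile(r"^([0-9]{1,2})(Training[0-9]{1,2})$")


def training_day(username):
    """Weekday number encoded in a training username, or None if not a training user."""
    m = TRAINING_USER.match(username)
    return int(m.group(1)) if m else None


def users_due_for_reset(usernames, weekday):
    """Usernames whose weekday digit equals `weekday` (1=Monday .. 5=Friday, assumed)."""
    return [u for u in usernames if training_day(u) == weekday]


def users_due_today(usernames, today=None):
    """Same check using the ISO weekday of `today` (defaults to the current date)."""
    today = today or datetime.date.today()
    return users_due_for_reset(usernames, today.isoweekday())


def new_password(length=16):
    """Random alphanumeric password with at least one lower, upper and digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def user_catalog_dir(catalog_root, username):
    """<catalog_root>/users/<username> for a valid training user only, so a stray
    or empty name can never turn the cleanup into an rm -rf of every user folder."""
    if training_day(username) is None:
        raise ValueError("refusing to resolve folder for non-training user %r" % username)
    users_dir = posixpath.normpath(posixpath.join(catalog_root, "users"))
    path = posixpath.normpath(posixpath.join(users_dir, username))
    if posixpath.dirname(path) != users_dir:
        raise ValueError("path escapes the users directory: %r" % path)
    return path


if __name__ == "__main__":
    # constructed account list, mixing training users with an unrelated account
    accounts = ["1Training01", "3Training12", "3Training50", "svc_obiee_auto"]
    for user in users_due_for_reset(accounts, 3):   # a Wednesday
        print(user, new_password(), user_catalog_dir("/opt/obi/catalog/root", user))
```

The WLST change-password script on the slide can then be driven from this selection, writing the generated password to a file the script reads rather than placing it on the command line.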

Use Case 3: RPD QA

To improve product quality, the QA or Dev team wants repeatable automated tests run for every RPD release. Tests are added each iteration to cover changes and additions, and the previously built tests run in the same automated suite to confirm that unchanged objects still contain the expected logic.

Use Case 3: RPD Output

XmlViewService.executeXMLQuery:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v6="urn://oracle.bi.webservices/v6">
      <soapenv:Header/>
      <soapenv:Body>
        <v6:executeXMLQuery>
          <v6:report>
            <v6:reportPath>/path/to/folder name/report name</v6:reportPath>
          </v6:report>
          <v6:outputFormat>SAW_ROWSET_SCHEMA_AND_DATA</v6:outputFormat>
          <v6:executionOptions>
            <v6:async>false</v6:async>
            <v6:maxRowsPerPage>10</v6:maxRowsPerPage>
            <v6:refresh>true</v6:refresh>
            <v6:presentationInfo>false</v6:presentationInfo>
          </v6:executionOptions>
          <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
        </v6:executeXMLQuery>
      </soapenv:Body>
    </soapenv:Envelope>

Use Case 3: RPD Output

Returned XML: to produce this data the request has passed through all the logic in the RPD that a request made through a URL would (initialization blocks, identity manager, session variables, BMM layer logic, etc.), so the rows are a test of the release, not just of the query.

    <sawsoap:rowset xsi:type="xsd:string"><![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
      <Row>
        <Column0>Baz</Column0>
      </Row>
      <Row>
        <Column0>Bar</Column0>
      </Row>
      <Row>
        <Column0>Foo</Column0>
      </Row>
    </rowset>]]></sawsoap:rowset>

Use an XML parser to extract just the values, or transform the values returned from the database into the same XML, and compare the two.
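The slide leaves the parsing and comparison to the reader. The following is an added example (not code from the presentation) that pulls the CDATA rowset out of an executeXMLQuery response, parses it into one dict per Row, and diffs it against expected rows in an order-insensitive way so that a changed sort order in the RPD does not fail the test while a changed value does. The sample response is constructed: the `sawsoap:rowset` element and its content follow the slide, while the surrounding result elements and the namespace bound to the sawsoap prefix are this example's assumptions, which is why the parser looks for any element whose local name is `rowset` rather than relying on them.

```python
"""Parse an executeXMLQuery rowset and compare it with expected rows (added example)."""
import xml.etree.ElementTree as ET

ROWSET_NS = "urn:schemas-microsoft-com:xml-analysis:rowset"

# Constructed sample response (wrapper elements and namespaces assumed, not captured)
SAMPLE_RESPONSE = """<sawsoap:executeXMLQueryResult
    xmlns:sawsoap="urn://oracle.bi.webservices/v6"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <sawsoap:return>
    <sawsoap:rowset xsi:type="xsd:string"><![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
<Row><Column0>Baz</Column0><Column1>3</Column1></Row>
<Row><Column0>Bar</Column0><Column1>2</Column1></Row>
<Row><Column0>Foo</Column0><Column1>1</Column1></Row>
</rowset>]]></sawsoap:rowset>
  </sawsoap:return>
</sawsoap:executeXMLQueryResult>"""


def _local(tag):
    """Strip the {namespace} part from an ElementTree tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def extract_rows(response_xml):
    """Return the rowset as a list of {column: text} dicts, one per Row."""
    doc = ET.fromstring(response_xml)
    rowset_el = next((el for el in doc.iter() if _local(el.tag) == "rowset"), None)
    if rowset_el is None or not (rowset_el.text or "").strip():
        raise ValueError("no rowset element with content in response")
    # the CDATA payload is itself an XML document; parse it separately
    inner = ET.fromstring(rowset_el.text)
    rows = []
    for row in inner.findall("{%s}Row" % ROWSET_NS):
        rows.append({_local(col.tag): (col.text or "") for col in row})
    return rows


def _row_key(row):
    """Hashable, order-independent representation of one row."""
    return tuple(sorted(row.items()))


def compare_rows(actual, expected):
    """Order-insensitive diff: returns (missing_from_actual, unexpected_in_actual)."""
    actual_keys = {_row_key(r) for r in actual}
    expected_keys = {_row_key(r) for r in expected}
    missing = [dict(k) for k in sorted(expected_keys - actual_keys)]
    unexpected = [dict(k) for k in sorted(actual_keys - expected_keys)]
    return missing, unexpected


if __name__ == "__main__":
    rows = extract_rows(SAMPLE_RESPONSE)
    # expected rows would normally come from a direct query against the database
    expected = [{"Column0": "Foo", "Column1": "1"}, {"Column0": "Bar", "Column1": "2"},
                {"Column0": "Baz", "Column1": "3"}]
    missing, unexpected = compare_rows(rows, expected)
    print("PASS" if not missing and not unexpected else ("FAIL", missing, unexpected))
```

If the test harness runs as a user other than the one the report is designed for, the identity-manager and session-variable logic in the RPD will filter rows differently, so run each test as the role it is meant to validate and keep the expected rows per role.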

References

- WLST Commands: http://docs.oracle.com/cd/E13222_01/wls/docs92/config_scripting/quick_ref.html
- WebLogic Server API Reference: http://docs.oracle.com/cd/E29542_01/apirefs.1111/e13941/toc.htm
- Example of SecurityConfigurationMBean: http://docs.oracle.com/cd/E11035_01/wls100/javadocs_mhome/weblogic/management/configuration/SecurityConfigurationMBean.html
- MBean Reference: http://docs.oracle.com/cd/E28280_01/apirefs.1111/e13951/core/
- Web Service Structures: http://docs.oracle.com/cd/E21764_01/bi.1111/e16364/structures.htm

Evaluate this session https://www.surveymonkey.com/s/UTOUGSessions Session Evaluation Number: 7