Impersonate Vs. Proxy Act As

Oracle Business Intelligence
OBIEE provides two types of impersonate functions.
  1. Impersonate authentication using saw url (use this to check permissions)
  2. Proxy Act As (use this for business function)

Setup Impersonate

Impersonate authentication using saw url is mainly used for checking user permission. The impersonate authentication requires two setup steps.

Login to Enterprise Manager:

http://server:port/em

OBIEE-Impersonate-Vs-Proxy-Act-As-026

Right click coreapplication under Business Intelligence and choose Security Policy under security.

OBIEE-Impersonate-Vs-Proxy-Act-As-025

Choose obi from Application Stripe and click >.

OBIEE-Impersonate-Vs-Proxy-Act-As-024

Click on BIAdministration and choose Edit.

OBIEE-Impersonate-Vs-Proxy-Act-As-023

Add Permission

OBIEE-Impersonate-Vs-Proxy-Act-As-022

oracle.bi.server.impersonateUser

OBIEE-Impersonate-Vs-Proxy-Act-As-021

OBIEE-Impersonate-Vs-Proxy-Act-As-020

OBIEE-Impersonate-Vs-Proxy-Act-As-019

oracle.bi.server.queryUserPopulation

OBIEE-Impersonate-Vs-Proxy-Act-As-018

OBIEE-Impersonate-Vs-Proxy-Act-As-017

OBIEE-Impersonate-Vs-Proxy-Act-As-016

Click OK after the two permissions have been added.

OBIEE-Impersonate-Vs-Proxy-Act-As-015

Once all permissions are set, you can now use impersonate without restarting.

First, login using impersonate function through saw url:

http://server:port/analytics/saw.dll?Logon&NQUser=username&NQPassword=password&Impersonate=TargetImpersonateUserName

OBIEE-Impersonate-Vs-Proxy-Act-As-014

You will get a blank screen afterwards if successful. If not successful, it’ll return to the login screen.

The next step is to modify the url to obiee home:

http://server:port/analytics/saw.dll?bieehome

OBIEE-Impersonate-Vs-Proxy-Act-As-013

You are now impersonated and acting as the target user as well as inheriting all target application roles and security.

Proxy Act As Setup

The main purpose of proxy act as is to authorize a user to act as another user when navigating in BI Presentation Services. There are two terms you should be familiar with

Proxy User – the user who acts as another user

Target User – another user

For example:

A manager wants to share some of his work to another department user. Then the department user will be the proxy user and the manager is the target user which means the department user is acting as the manager.

Another case would be an IT support staff wants to act as an end user to check an Answer report. So the IT support staff will be the proxy user and the end user will be the target.

To setup proxy act as. You will need to first create a table. I’ve created mine under BIPLATFORM.

CREATE
TABLE PROXY_ACTAS
(
PROXYID   VARCHAR2(30 BYTE) NOT NULL ,
TARGETID VARCHAR2(30 BYTE) NOT NULL ,
PROXYLEVEL     VARCHAR2(10 BYTE) NOT NULL ,
CONSTRAINT PROXY_ACTAS_PK PRIMARY KEY ( PROXYID , TARGETID )
ENABLE
) ;

OBIEE-Impersonate-Vs-Proxy-Act-As-012

Add a PROXYID and TARGETID as well as PROXYLEVEL. Note that PROXYLEVEL entries is case sensitive and must be either “full” or “restricted”.

OBIEE-Impersonate-Vs-Proxy-Act-As-011

  • Restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user’s account (not the target user’s account).

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannotaccess Answers.

  • Full — Permissions and privileges are inherited from the target user’s account.

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.

You must now import the physical table in the RPD physical layer. Save the RPD and update rows and view the table to make sure everything is working.

OBIEE-Impersonate-Vs-Proxy-Act-As-010

Then create a session variable.

Name: PROXYBLOCK

Variable Target: PROXY

OBIEE-Impersonate-Vs-Proxy-Act-As-009

Edit Datasource. Set Default initialization string:

SELECT TARGETID
FROM PROXY_ACTAS
WHERE 'VALUEOF(NQ_SESSION.RUNAS)'=TARGETID and ':USER'= PROXYID

Choose connection in the physical layer that connects to the table.

OBIEE-Impersonate-Vs-Proxy-Act-As-008

Create another session Variable

Name: PROXYLEVEL

Variable Target: PROXYLEVEL

OBIEE-Impersonate-Vs-Proxy-Act-As-007

Edit Datasource. Set Default initialization string:

SELECT
PROXYLEVEL
FROM
PROXY_ACTAS
WHERE ‘VALUEOF(NQ_SESSION.RUNAS)’ = TARGETID and ‘:USER’ = PROXYID

Choose connection in the physical layer that connects to the table.

OBIEE-Impersonate-Vs-Proxy-Act-As-006

Save the RPD.

Now create the following xml file, modify where needed and save it as “LogonParamSQLTemplate.xml”. Then put it into custom messages D:\Oracle\instances\instance1\bifoundation\OracleBIPresentationServicesComponent\coreapplication_obips1\msgdb\l_en\customMessages

<?xml version="1.0" encoding="utf-8"?>
<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
<WebMessageTable system="SecurityTemplates" table="Messages">
<WebMessage name="LogonParamSQLTemplate">
<XML>
<logonParam name="RUNAS">
<getValues>

EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"

SELECT TARGETID from PROXY_ACTAS where PROXYID ='@{USERID}'

</getValues>

<verifyValue>

EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"

SELECT TARGETID from PROXY_ACTAS where PROXYID ='@{USERID}' and TARGETID ='@{VALUE}'

</verifyValue>

<getDelegateUsers>

EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"

SELECT PROXYID, PROXYLEVEL from PROXY_ACTAS where TARGETID ='@{USERID}'

</getDelegateUsers>

</logonParam>

</XML>

</WebMessage>
</WebMessageTable>
</WebMessageTables>

OBIEE-Impersonate-Vs-Proxy-Act-As-005

Now you will have to modify instanceconfig.xml and add the following. Instanceconfig.xml is located at D:\Oracle\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1

Add the following before </ServerInstance> </WebConfig> which should be 2 lines above the end of the file.

<LogonParam>
<TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
<MaxValues>100</MaxValues>
</LogonParam>

OBIEE-Impersonate-Vs-Proxy-Act-As-004

Login to OBIEE and go to Administration then Manage Privileges. Make sure you have your user name that has Proxy authentication.

OBIEE-Impersonate-Vs-Proxy-Act-As-027

OBIEE-Impersonate-Vs-Proxy-Act-As-028

OBIEE-Impersonate-Vs-Proxy-Act-As-029

Save and restart your services.

Test your connection by logging in OBIEE using TARGETID to login first. Open a dashboard then logout. It is required that the TARGETID has logged in and used a dashboard once before being used as ACT AS account. Now login using your admin.

OBIEE-Impersonate-Vs-Proxy-Act-As-003

OBIEE-Impersonate-Vs-Proxy-Act-As-002

OBIEE-Impersonate-Vs-Proxy-Act-As-001

Advertisements

Author: Steve Yeung

Being in the EPM & BI field for more than 8 years, it's about time I contribute to newcomers! As a founder of MondayBI.com I wish to give you all the help I can. Feel free to give any suggestions or questions. Hope you will all enjoy this blog! William Wong Essbase Certified Specialist OBIEE Certified Specialist

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s