OBIEE provides two types of impersonate functions.
-
Impersonate authentication using saw url (use this to check permissions)
-
Proxy Act As (use this for business function)
Setup Impersonate
Impersonate authentication using saw url is mainly used for checking user permission. The impersonate authentication requires two setup steps.
Login to Enterprise Manager:
Right click coreapplication under Business Intelligence and choose Security Policy under security.
Choose obi from Application Stripe and click >.
Click on BIAdministration and choose Edit.
Add Permission
oracle.bi.server.impersonateUser
oracle.bi.server.queryUserPopulation
Click OK after the two permissions have been added.
Once all permissions are set, you can now use impersonate without restarting.
First, login using impersonate function through saw url:
http://server:port/analytics/saw.dll?Logon&NQUser=username&NQPassword=password&Impersonate=TargetImpersonateUserName
You will get a blank screen afterwards if successful. If not successful, it’ll return to the login screen.
The next step is to modify the url to obiee home:
http://server:port/analytics/saw.dll?bieehome
You are now impersonated and acting as the target user as well as inheriting all target application roles and security.
Proxy Act As Setup
The main purpose of proxy act as is to authorize a user to act as another user when navigating in BI Presentation Services. There are two terms you should be familiar with
Proxy User – the user who acts as another user
Target User – another user
For example:
A manager wants to share some of his work to another department user. Then the department user will be the proxy user and the manager is the target user which means the department user is acting as the manager.
Another case would be an IT support staff wants to act as an end user to check an Answer report. So the IT support staff will be the proxy user and the end user will be the target.
To setup proxy act as. You will need to first create a table. I’ve created mine under BIPLATFORM.
CREATE TABLE PROXY_ACTAS ( PROXYID VARCHAR2(30 BYTE) NOT NULL , TARGETID VARCHAR2(30 BYTE) NOT NULL , PROXYLEVEL VARCHAR2(10 BYTE) NOT NULL , CONSTRAINT PROXY_ACTAS_PK PRIMARY KEY ( PROXYID , TARGETID ) ENABLE ) ;
Add a PROXYID and TARGETID as well as PROXYLEVEL. Note that PROXYLEVEL entries is case sensitive and must be either “full” or “restricted”.
- Restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user’s account (not the target user’s account).
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannotaccess Answers.
- Full — Permissions and privileges are inherited from the target user’s account.
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.
You must now import the physical table in the RPD physical layer. Save the RPD and update rows and view the table to make sure everything is working.
Then create a session variable.
Name: PROXYBLOCK
Variable Target: PROXY
Edit Datasource. Set Default initialization string:
SELECT TARGETID FROM PROXY_ACTAS WHERE 'VALUEOF(NQ_SESSION.RUNAS)'=TARGETID and ':USER'= PROXYID
Choose connection in the physical layer that connects to the table.
Create another session Variable
Name: PROXYLEVEL
Variable Target: PROXYLEVEL
Edit Datasource. Set Default initialization string:
SELECT
PROXYLEVEL
FROM
PROXY_ACTAS
WHERE ‘VALUEOF(NQ_SESSION.RUNAS)’ = TARGETID and ‘:USER’ = PROXYID
Choose connection in the physical layer that connects to the table.
Save the RPD.
Now create the following xml file, modify where needed and save it as “LogonParamSQLTemplate.xml”. Then put it into custom messages D:\Oracle\instances\instance1\bifoundation\OracleBIPresentationServicesComponent\coreapplication_obips1\msgdb\l_en\customMessages
<?xml version="1.0" encoding="utf-8"?>
<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
<WebMessageTable system="SecurityTemplates" table="Messages">
<WebMessage name="LogonParamSQLTemplate">
<XML>
<logonParam name="RUNAS">
<getValues>
EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"
SELECT TARGETID from PROXY_ACTAS where PROXYID ='@{USERID}'
</getValues>
<verifyValue>
EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"
SELECT TARGETID from PROXY_ACTAS where PROXYID ='@{USERID}' and TARGETID ='@{VALUE}'
</verifyValue>
<getDelegateUsers>
EXECUTE PHYSICAL CONNECTION POOL "orcl"."PROXY"
SELECT PROXYID, PROXYLEVEL from PROXY_ACTAS where TARGETID ='@{USERID}'
</getDelegateUsers>
</logonParam>
</XML>
</WebMessage>
</WebMessageTable>
</WebMessageTables>
Now you will have to modify instanceconfig.xml and add the following. Instanceconfig.xml is located at D:\Oracle\instances\instance1\config\OracleBIPresentationServicesComponent\coreapplication_obips1
Add the following before </ServerInstance> </WebConfig> which should be 2 lines above the end of the file.
<LogonParam> <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName> <MaxValues>100</MaxValues> </LogonParam>
Login to OBIEE and go to Administration then Manage Privileges. Make sure you have your user name that has Proxy authentication.
Save and restart your services.
Test your connection by logging in OBIEE using TARGETID to login first. Open a dashboard then logout. It is required that the TARGETID has logged in and used a dashboard once before being used as ACT AS account. Now login using your admin.
mondaybi.com 