OBIEE Automation OBIEE Automation User and Folder Security

Upload: phillip-reed

Post on 16-Dec-2015


Use Case 1 – Role & Folder Per Entity

Use Case 1:

Several entities (departments, organisations, etc.) will use OBIEE. Each entity needs its own folder, and each user within an entity also needs their own folder.

Flowchart: Start -> User Exists? (No -> Create User) -> Role Exists? (No -> Create Role) -> Add User to Role -> Create Folder -> Remove Inherited Folder Permissions -> Add Role to Folder -> End.

Use Case 1 – Create User Key Files

Create User Key Files:

Create a user configuration file and an associated key file to store encrypted authentication credentials. Anyone who can read both files can connect as that user, so restrict their file permissions to the automation account that runs the scripts.

Login to Web Logic with WLST and run:

storeUserConfig(userConfigFile, userKeyFile, [nm])

Arguments:

userConfigFile - Name of the file to store the user configuration. The filename can be absolute or relative to the directory from which you enter the command.

userKeyFile - Name of the file to store the key information that is associated with the user configuration file that you specify. The pathname can be absolute or relative to the directory from which you enter the command.

nm - Optional. Boolean value specifying whether to store the username and password for Node Manager or WebLogic Server. If set to true, the Node Manager username and password is stored. This argument defaults to false.

Use Case 1: Create User

Create User:

import sys
import socket

url = 't3://' + socket.gethostname() + ':7001'
user = sys.argv[1]
user_pass = sys.argv[2]      # note: argv is visible to other local users via ps
user_desc = sys.argv[3]

# Authenticate with the encrypted credentials stored by storeUserConfig()
connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)

atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")

# Idempotent: only create the user if it does not already exist
if atnr.userExists(user):
    exit()
else:
    atnr.createUser(user, user_pass, user_desc)
    exit()

Call:

/path/to/wlst.sh /path/to/create_user.py user user_pass user_desc


Use Case 1: Role Exists

Get Roles:

import sys
import socket

url = 't3://' + socket.gethostname() + ':7001'

connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)

# Prints every application role in the stripe, one "Principal Name: ..." entry each
listAppRoles(appStripe='[replace with application stripe name]')

Call:

/path/to/wlst.sh /path/to/list_roles.py >> roles.txt

Parse for the 'Principal Name' value:

grep 'Principal Name' roles.txt | awk -F':' '{print $3}' | awk -F',' '{print $1}'


Get Roles (use existing script):

/oracle/middleware/oracle_common/common/bin/wlst.sh /oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/common/wlstscripts/listAppRoles.py -appStripe [replace with your app stripe name]

Use Case 1: Create Role


Create Role:

import sys
import socket

url = 't3://' + socket.gethostname() + ':7001'

connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)

# createAppRole raises if the role already exists; swallowing the error makes
# the script safe to re-run, but it also hides other failures, so check the output.
try:
    createAppRole(appStripe='[replace with application stripe name]', appRoleName=sys.argv[1])
except:
    pass

exit()

Call:

/path/to/wlst.sh /path/to/script.py role_name


Use Case 1: Add User to Role

Add User to Role:

import sys
import socket

url = 't3://' + socket.gethostname() + ':7001'

connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)

# grantAppRole(appStripe, appRoleName, principalClass, principalName)
# argv[1] is the role name, argv[2] the WebLogic user name
try:
    grantAppRole('[replace with application stripe name]', sys.argv[1],
                 "weblogic.security.principal.WLSUserImpl", sys.argv[2])
except:
    pass

exit()

Call:

/path/to/wlst.sh /path/to/user_to_role.py role_name user_name

Use Case 1: Web Service Session

SAWSessionService.logon:

<soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'
                  xmlns:v6='urn://oracle.bi.webservices/v6'>
  <soapenv:Header/>
  <soapenv:Body>
    <v6:logon>
      <v6:name>{User}</v6:name>
      <v6:password>{Pass}</v6:password>
    </v6:logon>
  </soapenv:Body>
</soapenv:Envelope>

Access WSDL at:

host:9704/analytics/saw.dll?wsdl


Use Case 1: Create Folder

WebCatalogService.createFolder:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:v6="urn://oracle.bi.webservices/v6">
  <soapenv:Header/>
  <soapenv:Body>
    <v6:createFolder>
      <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
      <v6:createIfNotExists>1</v6:createIfNotExists>
      <v6:createIntermediateDirs>0</v6:createIntermediateDirs>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:createFolder>
  </soapenv:Body>
</soapenv:Envelope>


Use Case 1: Remove Inherited Folder Perms

WebCatalogService.updateCatalogItemACL:

<v6:updateCatalogItemACL>
  <!--1 or more repetitions:-->
  <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
  <v6:acl>
    <!--Optional:-->
    <v6:dummy></v6:dummy>
    <!--Zero or more repetitions:-->
    <v6:accessControlTokens>
      <v6:account>
        <!--Optional:-->
        <v6:name>{Replace with Role Name}</v6:name>
        <v6:accountType>4</v6:accountType>
        <!--Optional:-->
        <v6:guid>{Replace with Role Name}</v6:guid>
      </v6:account>
      <v6:permissionMask></v6:permissionMask>
    </v6:accessControlTokens>
  </v6:acl>
  <v6:options>
    <v6:updateFlag>2</v6:updateFlag>
    <v6:recursive>0</v6:recursive>
  </v6:options>
  <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:updateCatalogItemACL>

Use Case 1: Add Role to Folder


WebCatalogService.updateCatalogItemACL:

<v6:updateCatalogItemACL>
  <!--1 or more repetitions:-->
  <v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
  <v6:acl>
    <!--Optional:-->
    <v6:dummy></v6:dummy>
    <!--Zero or more repetitions:-->
    <v6:accessControlTokens>
      <v6:account>
        <!--Optional:-->
        <v6:name>{Replace with Role Name}</v6:name>
        <v6:accountType>4</v6:accountType>
        <!--Optional:-->
        <v6:guid>{Replace with Role Name}</v6:guid>
      </v6:account>
      <v6:permissionMask>{ADD Permissions MASK}</v6:permissionMask>
    </v6:accessControlTokens>
  </v6:acl>
  <v6:options>
    <v6:updateFlag>1</v6:updateFlag>
    <v6:recursive>0</v6:recursive>
  </v6:options>
  <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:updateCatalogItemACL>


Key fields in WebCatalogService.updateCatalogItemACL:

<v6:accountType>4</v6:accountType>
<v6:permissionMask>{ADD Permissions MASK*}</v6:permissionMask>
<v6:updateFlag>1</v6:updateFlag>

From the WSDL:

permissionMask field value is a combination of the following flags:

1 - permission to read items content
2 - permission to traverse directory
4 - permission to change items content
8 - permission to delete an item
16 - permission to assign permissions to others
32 - can take ownership of the item
2048 - permission to run a publisher report live
4096 - permission to schedule a publisher report
8192 - permission to view output of a publisher report

updateFlag valid values (quoted from the "Invalid ACL update flag" error message):

0 - replace ACL
1 - replace privileges only for mentioned accounts
2 - delete mentioned accounts from item's ACL

accountType values:

0 - user
1 - group
4 - role
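As an added illustration that is not part of the original deck, the three value tables above as Python constants, with helpers that compose a least-privilege mask for a role, decode a mask when auditing an existing folder ACL, and assemble the updateCatalogItemACL element in the shape the slides show. The function names, the sample path and the session id are assumptions.

```python
from xml.sax.saxutils import escape

# Flag values exactly as listed on the slide (from the OBIEE v6 WSDL).
PERMISSION_FLAGS = {
    'read': 1, 'traverse': 2, 'write': 4, 'delete': 8,
    'assign_permissions': 16, 'take_ownership': 32,
    'run_publisher_report': 2048, 'schedule_publisher_report': 4096,
    'view_publisher_output': 8192,
}
ACCOUNT_TYPES = {'user': 0, 'group': 1, 'role': 4}
UPDATE_FLAGS = {'replace_acl': 0, 'replace_accounts': 1, 'delete_accounts': 2}


def permission_mask(*flag_names):
    """OR the named flags into the integer the permissionMask field expects."""
    mask = 0
    for name in flag_names:
        mask |= PERMISSION_FLAGS[name]
    return mask


def decode_mask(mask):
    """Names of the flags set in a mask, lowest bit first; handy when auditing an ACL."""
    return [n for n, v in sorted(PERMISSION_FLAGS.items(), key=lambda kv: kv[1]) if mask & v]


def acl_update_element(path, account, account_type, mask, update_flag, session_id, recursive=False):
    """Build the updateCatalogItemACL element in the shape shown on the slides.
    mask=None leaves permissionMask empty, as in the remove-inherited (delete_accounts) step."""
    return (
        '<v6:updateCatalogItemACL>'
        '<v6:path>%s</v6:path>'
        '<v6:acl><v6:accessControlTokens><v6:account>'
        '<v6:name>%s</v6:name><v6:accountType>%d</v6:accountType><v6:guid>%s</v6:guid>'
        '</v6:account><v6:permissionMask>%s</v6:permissionMask></v6:accessControlTokens></v6:acl>'
        '<v6:options><v6:updateFlag>%d</v6:updateFlag><v6:recursive>%d</v6:recursive></v6:options>'
        '<v6:sessionID>%s</v6:sessionID>'
        '</v6:updateCatalogItemACL>'
    ) % (escape(path), escape(account), ACCOUNT_TYPES[account_type], escape(account),
         '' if mask is None else mask, UPDATE_FLAGS[update_flag],
         1 if recursive else 0, escape(session_id))


if __name__ == '__main__':
    # Constructed values: an entity role that may only read and traverse its own folder.
    print(acl_update_element('/shared/Finance', 'FinanceRole', 'role',
                             permission_mask('read', 'traverse'), 'replace_accounts', 'SESSION-ID'))
```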

Use Case 2 – Training Users

Use Case 2:

The training department needs 50 training users for each business day of the week. The password of each user needs to be reset after one week.

Flowchart: Start -> User Exists? (No -> Create User; Yes -> Users Expired?) -> Users Expired? (No -> End; Yes -> Update Passwords -> Clear User Folder -> End).

Use Case 2: User Exists Alternative


SecurityService.getAccounts:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:v6="urn://oracle.bi.webservices/v6">
  <soapenv:Header/>
  <soapenv:Body>
    <v6:getAccounts>
      <!--1 or more repetitions:-->
      <v6:account>
        <!--Optional:-->
        <v6:name>*Training*</v6:name>
        <v6:accountType>0</v6:accountType>
        <!--Optional:-->
        <v6:guid></v6:guid>
      </v6:account>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:getAccounts>
  </soapenv:Body>
</soapenv:Envelope>

Compare results with users you want to add.


Use Case 2: Reset Users

User Expired:

Use a regular expression to compare the day number embedded in the username with the day of the week from a date object or sysdate.

For example: ^([0-9]{1,2})(Training[0-9]{1,2})

Compare the first capture group (1, 2, 3, 4 or 5) to the day of the week from the date object.
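An added example of the expiry check described above, not part of the original deck. It assumes the cohort for weekday N (Monday=1 .. Friday=5) was issued on that weekday, so its users are due for reset when that weekday comes round again; the function names and the sample usernames are constructed.

```python
import re
from datetime import date

# Username convention from the slide: a 1-2 digit business-day number, then
# "Training" and a 1-2 digit user number, e.g. "3Training07" (constructed example).
USER_RE = re.compile(r'^([0-9]{1,2})(Training[0-9]{1,2})$')


def training_day(username):
    """Return the business-day number encoded in a training username, or None
    when the name does not follow the convention (admin accounts, other users)."""
    m = USER_RE.match(username)
    return int(m.group(1)) if m else None


def is_expired(username, today):
    """Assumption: a cohort issued on weekday N is one week old when today's
    ISO weekday is N again; names with a day outside 1..5 are never touched."""
    day = training_day(username)
    if day is None or not 1 <= day <= 5:
        return False
    return today.isoweekday() == day


def users_to_reset(usernames, today=None):
    """Names whose password and catalog folder are due for reset today.
    Feed these to the Change Password and Clear User Folder steps."""
    today = today or date.today()
    return [u for u in usernames if is_expired(u, today)]


if __name__ == '__main__':
    # Constructed account list as getAccounts(*Training*) might return it.
    sample = ['1Training01', '3Training07', '3Training12', '6Training01', 'admin']
    print(users_to_reset(sample, date(2015, 12, 16)))   # 16 Dec 2015 was a Wednesday
```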

Change Password:

import sys
import socket

url = 't3://' + socket.gethostname() + ':7001'
user_number = sys.argv[1]    # the training username, e.g. 3Training07
old_pass = sys.argv[2]
new_pass = sys.argv[3]

connect(userConfigFile='user_config', userKeyFile='keyfile', url=url)

atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.changeUserPassword(user_number, old_pass, new_pass)
exit()

Clear User Folder:

rm -rf /path/to/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/root/users/user/*

Use Case 3:

To improve product quality, the QA or Dev team wants repeatable automated tests run per RPD release.

Tests need to be added per iteration to account for changes or additions. Previously built tests will be run in the automated suite to validate that unchanged objects still contain the proper logic.

Flowchart: Start -> Create report with RPD logic in good state -> Get DB and RPD Output -> DB == RPD? (Yes -> Pass; No -> Fail).

Use Case 3: RPD QA

XmlViewService.executeXMLQuery:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:v6="urn://oracle.bi.webservices/v6">
  <soapenv:Header/>
  <soapenv:Body>
    <v6:executeXMLQuery>
      <v6:report>
        <v6:reportPath>/path/to/folder name/report name</v6:reportPath>
      </v6:report>
      <v6:outputFormat>SAW_ROWSET_SCHEMA_AND_DATA</v6:outputFormat>
      <v6:executionOptions>
        <v6:async>false</v6:async>
        <v6:maxRowsPerPage>10</v6:maxRowsPerPage>
        <v6:refresh>true</v6:refresh>
        <v6:presentationInfo>false</v6:presentationInfo>
      </v6:executionOptions>
      <v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
    </v6:executeXMLQuery>
  </soapenv:Body>
</soapenv:Envelope>


Use Case 3: RPD Output

Returned XML:

To produce this data the request has passed through all the logic in the RPD that a request made through a URL would (initialization blocks, identity manager, session variables, BMM layer logic, etc.), so the returned rows exercise the same security and business logic a user would hit.

<sawsoap:rowset xsi:type="xsd:string"><![CDATA[
<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
  <Row><Column0>Baz</Column0></Row>
  <Row><Column0>Bar</Column0></Row>
  <Row><Column0>Foo</Column0></Row>
</rowset>
]]></sawsoap:rowset>

Use an XML parser to extract just the values, or transform the values returned from the database into the same XML shape, and then compare the two.
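An added example, not from the original deck, that parses the rowset exactly as the slide shows it (the real rowset is an escaped string inside CDATA, so it is parsed twice) and compares the RPD values with rows fetched from the database. The response fragment and the DB rows are constructed inline, the namespace declarations are added so the fragment parses stand-alone, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed response fragment in the shape the slide shows; the xsi/sawsoap
# prefixes are declared here only so the fragment parses on its own.
SAMPLE_RESPONSE = (
    '<sawsoap:rowset xmlns:sawsoap="urn://oracle.bi.webservices/v6" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">'
    '<![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">'
    '<Row><Column0>Baz</Column0></Row>'
    '<Row><Column0>Bar</Column0></Row>'
    '<Row><Column0>Foo</Column0></Row>'
    '</rowset>]]></sawsoap:rowset>'
)
ROWSET_NS = '{urn:schemas-microsoft-com:xml-analysis:rowset}'


def rpd_rows(response_xml):
    """Unwrap the CDATA string and return each Row as a tuple of column values,
    in the order the Presentation Server returned them."""
    outer = ET.fromstring(response_xml)
    inner = ET.fromstring(outer.text)   # .text holds the CDATA content, i.e. the inner XML
    rows = []
    for row in inner.findall(ROWSET_NS + 'Row'):
        rows.append(tuple((col.text or '') for col in row))
    return rows


def compare(db_rows, rpd_result):
    """Order-insensitive comparison of DB rows against RPD rows.
    Returns (passed, missing_from_rpd, unexpected_in_rpd) so a failing test
    says which side drifted instead of just 'Fail'."""
    db, rpd = set(db_rows), set(rpd_result)
    return (db == rpd, sorted(db - rpd), sorted(rpd - db))


if __name__ == '__main__':
    # Constructed DB result, e.g. from a cursor.fetchall() against the source table.
    db_result = [('Foo',), ('Bar',), ('Baz',)]
    print(compare(db_result, rpd_rows(SAMPLE_RESPONSE)))
```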
