Wednesday, October 8, 2014

OBIEE11g Security

Why do we need security in OBIEE?
OBIEE is a reporting tool wherein multiple users belonging to multiple groups create multiple reports and dashboards. Reports created by a particular group of users should be visible to that particular group only or some specific data should be visible to only a specific set of people. So, to achieve this we need to have some sort of security thereby we can protect reports belonging to a group of users from the users of other groups.
Users and Groups in OBIEE?
End users who make use of OBIEE for reporting need to be defined somewhere. These users can be defined either in the OBIEE RPD, External database tables, LDAP Servers or in Active directories with their respective passwords.
The users belonging to same business unit can be clubbed and Groups can be created for them. Its not always necessary to create users in the RPD  but its necessary to create the groups in the RPD. Infact, creating several users in the RPD can be a cumbersome job and it will also increase the size of the RPD, so, according to the best practice create the users and groups on the DB(or add in AD/LDAP) and associate them with the RPD groups by creating groups of the same name on the RPD as in DB.
Types of Security in OBIEE?
Security in Oracle BI can be classified broadly into the following three types.
1. Object Level security/authorization
2. Data Level security/authorization
3. User Authentication / User Level Security
Authentication and Authorization?
Authentication means validating the user while logging in the OBIEE application. When a user logs in the OBIEE application a request is sent to the BI Server asking that whether this user is a valid user or not. When BI Server validates the user,then only the user is able to login in the application.
Authorization means a user is authorized to view what all objects. Example, User A might be authorized to view only particular set of reports and dashboards based on the security applied.
Now we can understand these terms in detail.
1.Object Level Security
As the name states, Object level security refers to restricting access to OBIEE objects between different users and groups. The access to following objects can be restricted using object level security: Presentation tables, Presentation table columns, Subject Areas, Reports, Dashboards, Project Specific shared folders.
Object-level security controls the visibility to business logical objects based on a user’s role.
You can set up object-level security for –
Repository level: In Presentation layer of Administration Tool, we can set Repository level security by giving permission or deny permission to users/groups to see particular table or column.
Web level: This provides security for objects stored in the Presentation Catalog, such as dashboards, dashboards pages, folder and reports. You can only view the objects for which you are authorized. For example, a mid level manager may not be granted access to a dashboard containing summary information for an entire department.
2.Data Level Security
Data Level Security is basically securing the data. Users belonging to particular group should see a certain set a data whereas users outside that groups shouldn’t see that data. Example: Users belonging to Asia group should see only the data for Asia region whereas users belonging to US region should see data for US region.
Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user’s association to data in the transactional system.
This controls the type and amount of data that you can see in a report. When multiple users run the same report, the results that are returned to each depend on their access rights and roles in the organization. For example, a sales vice president sees results for all regions, while a sales representative for a particular region sees only data for that region.
Example
Here we will look at creating and using a session variable and how to implement row level security. This is mainly used to restrict data based on the user rights. The row level security will be useful in situations like: 1. Allowing user to see data that she has access to.
2. Showing data based on current date.
3. A sales manager can be shown data in his region only. A CEO can be shown data for all regions.
In this post we look at showing units ordered in the current month. we use a security filter to filter data for the current month.
Steps;
1. The first step is to create the session variable for the current month. To do so
a. In the Administration window, click on Action – > New -> Session ->Variable.Give CURRENT_MONTH as the name of the variable. Click on ‘New’ near the initialization block.
b. Give CURRENT_MONTH_INIT as the name of the initialization block. Click on Edit Data Source.
c. A new window opens. Select the connection pool by using the browse button.
d. Use database as the data source type.
e. Type in the following query:” select month(curdate()); ” in the default initialization string.
f. Click Ok to close the dialog.
g. In the Session variable initialization block, click on edit data target.
h. select the CURRENT_MONTH variable. Click on Ok.
i. Click on ok to create the session variable.
2. The next step is to use this session variable to filter the result for this month.
a. In the Administration tool. click on Manage -> Security.
b. Create a new User called MonthlyUser.
c. Create a new group called MonthlyUserGroup. Assign MonthlyUser to this group.
d. Open the MonthlyUserGroup dialog and click on Permissions.
e. Click the tab that says filters. Click on ‘Add’
f. In the name of the filter select the name of the table that you want to apply the filter on.
g. Click on the ellipsis in the business model filter column. Apply the filter
h. The group is now created. 

3. Login to BI answers using the MonthlyUser user. Select the columns from the store database. view results. You will notice that the results show data for the current month only.If you login by a user from the administrators group, data for all months will be visible.

3.User Authentication in OBIEE
The goal of the authentication configuration is to get a confirmation of the identity of a user based on the credentials provided.
In OBIEE, the credentials provided are hold in this two variables:
  • USER 
  • PASSWORD
The authentication process in OBIEE is managed by the BI Server.
OBIEE Support four types of authentication
  1. LDAP Authentication : Users are authenticated based on credentials stored in LDAP.This is the BEST method to do authentication in OBIEE and it supports company’s Single Sign On (SSO) philosophy as well.
  2. External Table Authentication : you can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.
  3. Database Authentication : The Oracle BI Server can authenticates user based on database logins. If a user has read permission on a specific database. Oracle BI Presentation Services authenticates those users.
  4. Oracle BI Server User Authentication: You can maintain lists of users and their passwords in the Oracle BI repository using the Administration Tool. The Oracle BI Server will attempt to authenticate users against this list when they log on.
Log on to web logic server(WLS) console (URL http://localhost_ip:7001/console) 

This is the home page of WLS console

Click on Security Realms
In Security realms page click on “myrealm”

Go to “Users and Groups” tab>”Groups”>New and add a new WLS group called DieselModelViewers_WLS
Go to “Users and Groups” tab>”User”>New and add a new user called diesel_user

Associate the diesel_user to DieselModelViewers_WLS group
Next log on to Enterprise Manager (URL http://localhost_ip:7001/em)




Object and Data Security Setup


Log in to the rpd and click Manage>Identity

Go to the Application Roles tab, check that the newly created Application role “DieselModelViewer” is visible

Click on Permissions button

We can now define a new data filter for the DieselModelViewers group, click on 
Define a new security filter for the above application role as shown above.
Data security is done, next lets see object security.

We want to hide the presentation table WB_TEST from members of DieselModelViewers application role, like diesel_user. Double click on WB_TEST table and the above window opens up, click on permissions Deny permission to DieselModelViewers by clickingNoAccess.This will restrict diesel_user from seeing WB_TEST table in his subject area.
Next log in to Answers/Analysis page.
Lets check a report that has all fuel types, since an admin user can see all fuel types we will choose to see it from weblogic user







Tuesday, October 7, 2014

OBIEE - Web Services API (SOAP, WSDL)

Web services are open standard ( XML, SOAP, HTTP etc.) based Web applications that interact with other web applications for the purpose of exchanging data.Web Services can convert your existing applications into Web-applications.
Web services are XML-based information exchange systems that use the Internet for direct application-to-application interaction. These systems can include programs, objects, messages, or documents.
The Web Services Description Language (WSDL, pronounced 'wiz-dÉ™l' or spelled out, 'W-S-D-L') is an XML-based language that provides a model for describing the functions of Web services.

Need to make SOAP calls to OBIEE WSDL endpoint:
Obiee provides several webservices that can be reach with their own Url.
The URL has this form:

SOAP

SOAP was originally part of the specification that included the Web Services Description Language (WSDL) and Universal Description, Discovery, and Integration (UDDI). It is used now without WSDL and UDDI. Instead of the discovery process described in the History of the Web Services Specification section below, SOAP messages are hard-coded or genereated without the use of a repository. The interaction is illustrated in the figure below. More on SOAP.




Web Services Description Language
The Web Services Description Language (WSDL) forms the basis for the original Web Services specification. The following figure illustrates the use of WSDL. At the left is a service provider. At the right is a service consumer. The steps involved in providing and consuming a service are:
1.       A service provider describes its service using WSDL. This definition is published to a repository of services. The repository could use Universal Description, Discovery, and Integration (UDDI). Other forms of directories could also be used.
2.       A service consumer issues one or more queries to the repository to locate a service and determine how to communicate with that service. 
3.       Part of the WSDL provided by the service provider is passed to the service consumer. This tells the service consumer what the requests and responses are for the service provider.
4.       The service consumer uses the WSDL to send a request to the service provider.


5.       The service provider provides the expected response to the service consumer.





Security Service: -            This service helps in identifying the user privileges. One can assign,  
                                          revoke privileges using Security Services.      
Ibot Service: -                   As the name suggests, this is a service for invoking Ibots. 
Web Catalog Service:-       This service is for managing the web catalog.
Replication Service:-          This service is used for replication. Export/Import of catalogs can be
                                           done using this. 
Metadata Service: -           This is for managing the BI Server metadata. 
Report Editing Service: -    This service is used to merge arguments and Oracle BI Web Services
                                            data to create and return the results. 

HTMLView Service:-           This service is used to embed Oracle BI HTML results in third-party        dynamic Web pages, such as Active Server Pages (ASP) or JavaServer Pages (JSP), and portal frameworks. The embed process merges Oracle BI Web Services content with the content of third-party Web pages. 
XMLView Service:                  This is used for retrieving the data from Oracle BI EE Server in the form of XML. 
SAWSession Service:  This is the service that would enable users to login, logout and maintain sessions. Now lets see how we can go about using these services from within Jdeveloper to create a sample custom report. 


USE of SoapUI :-
We can use web services of OBIEE to accomplish any task that we do in OBIEE like folder creation, report creation, setting permissions etc.
I used the web services to generate a session, executeSqlQuery, executeXmlQuery and so on. Below are the steps for the same:
Step1:-
To access and understand the structure of webservices I used a tool called SoapUI. It can be downloaded from the following link: http://www.soapui.org/. Download the tool and install it.


Step 2:-

Open the SoapUI and create a project in it using OBIEE’s webservices URL  

http://URL:port/analytics/saw.dll/wsdl/v7

Click Ok.










Following are the URLs that you would have to use for each service:-
XMLViewService –


WebCatalogService –


JobManagementService -







Generate a session ID :-

    1) In SoapUI, navigate to SAWSessionService>getSessionVariable>Request1 under the newly created     Project.
     2) Right click to open the request editor to alter the xml.
     3) Add the Login Id and password in the xml as shown below.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v7="urn://oracle.bi.webservices/v7">
   <soapenv:Header/>
   <soapenv:Body>
      <v7:logon>
         <v7:name>test</v7:name>
         <v7:password>*******</v7:password>
      </v7:logon>
   </soapenv:Body>
</soapenv:Envelope>

4) Submit the request after adding the parameters (user, pwd) as shown in above script. This will generate the resulting xml with a session_ID as shown below:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:sawsoap="urn://oracle.bi.webservices/v7">
   <soap:Body>
      <sawsoap:logonResult>
         <sawsoap:sessionID xsi:type="xsd:string">pfec2ujndlfvchtthr2shpfoisi2kei85tbi2ei</sawsoap:sessionID>
      </sawsoap:logonResult>
   </soap:Body>
</soap:Envelope>



Use of XMLQuery:- (Read a obiee report) create a new folder test  at the following path  /sharad/Users/test
     1) In SoapUI, navigate to XMLViewServices  >executeXMLQuery>Request1
     2) Right click to open the request editor to alter the xml.
     3) Add the reportPath  and sessionID  in the xml as shown below







Use of IbotServices:-  create a new ibot   at the following  any path of OBIEE

    In my case created a IBot TEST12 /users/weblogic/test12
     1) In SoapUI, navigate to IBotServices>executeIBotNow>Request1
     2) Right click to open the request editor to alter the xml.
     3) Add the reportPath and sessionID  in the xml as shown below.



    




Now Check IBot Destination mail.


Actionable Intelligence
Now Click On New->Actionable Intelligence ->Action







Data engineering Interview Questions

1)  What all challenges you have faced and how did you overcome from it? Ans:- Challenges Faced and Overcome As a hypothetical Spark develop...