OBIEE 10G/11G - Act as (Proxy user) Functionality


1 - About

The Act As functionality is a proxy authentication feature that authorises a user to act as another user when navigating in BI Presentation Service.

When a user (called the proxy user) acts as another (called the target user), the proxy user can access the objects in the catalog for which the target user has permission.

Enabling a user to act for another is useful, for example:

  • when a manager wants to delegate some of his work to one of his direct reports
  • when IT support staff wants to troubleshoot problems with another user's objects.

You can also impersonate a user simply by setting the impersonate variable in the saw URL. The configuration below is only needed to use the impersonate facility (i.e. the list of users to impersonate, and so on).


3 - Configuration Steps

3.1 - Defining the Association Between Proxy Users and Target Users

You define the association between proxy users and target users in the database by identifying, for each proxy user/target user association, the:

  • ID of the proxy user
  • ID of the target user
  • Proxy level (either full or restricted). The restricted level gives read-only access. The PROXYLEVEL value is case sensitive and must be all lowercase.

For example, you might create a table called OBIEE_PROXY in the database:

CREATE
  TABLE OBIEE_PROXY
  (
    PROXY_USER_ID   VARCHAR2(30 BYTE) NOT NULL ,
    PROXY_TARGET_ID VARCHAR2(30 BYTE) NOT NULL ,
    PROXY_LEVEL     VARCHAR2(10 BYTE) NOT NULL ,
    CONSTRAINT OBIEE_PROXY_PK PRIMARY KEY ( PROXY_USER_ID , PROXY_TARGET_ID )
    ENABLE
  ) 

that looks like this:

PROXY_USER_ID   PROXY_TARGET_ID   PROXY_LEVEL
Ronald          Edward            full
Timothy         Tracy             restricted
Jeanne          Natalie           full
William         Kelly             restricted
Gail            Michael           restricted

After you define the association between proxy users and target users, you need to import the schema to the physical layer of the Oracle BI Server.
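
The table above accepts any string as PROXY_LEVEL, although the value must be exactly `full` or `restricted` in lowercase. The following added example (not part of the original page) shows the same table with two CHECK constraints and a review query for full-level grants. It assumes an in-memory SQLite database as a stand-in for Oracle (TEXT instead of VARCHAR2); the constraint name OBIEE_PROXY_NOSELF and the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows: two from the page plus two deliberately bad entries.
ROWS = [
    ("Ronald", "Edward", "full"),
    ("Timothy", "Tracy", "restricted"),
    ("Jeanne", "Natalie", "Full"),      # wrong case: the level must be lowercase
    ("Gail", "Gail", "restricted"),     # self-delegation
]

# SQLite stand-in for the page's Oracle DDL (TEXT instead of VARCHAR2), with
# two CHECK constraints added. Both clauses are standard SQL.
HARDENED_DDL = """
CREATE TABLE OBIEE_PROXY (
  PROXY_USER_ID   TEXT NOT NULL,
  PROXY_TARGET_ID TEXT NOT NULL,
  PROXY_LEVEL     TEXT NOT NULL CHECK (PROXY_LEVEL IN ('full', 'restricted')),
  CONSTRAINT OBIEE_PROXY_PK PRIMARY KEY (PROXY_USER_ID, PROXY_TARGET_ID),
  CONSTRAINT OBIEE_PROXY_NOSELF CHECK (PROXY_USER_ID <> PROXY_TARGET_ID)
)"""

def load(rows):
    """Insert rows into the hardened table; return (connection, rejected rows)."""
    con = sqlite3.connect(":memory:")
    con.execute(HARDENED_DDL)
    rejected = []
    for row in rows:
        try:
            con.execute("INSERT INTO OBIEE_PROXY VALUES (?, ?, ?)", row)
        except sqlite3.IntegrityError:
            rejected.append(row)
    return con, rejected

def full_grants(con):
    """List (proxy, target) pairs with full level, for periodic access review."""
    sql = ("SELECT PROXY_USER_ID, PROXY_TARGET_ID FROM OBIEE_PROXY "
           "WHERE PROXY_LEVEL = 'full' ORDER BY 1, 2")
    return con.execute(sql).fetchall()

if __name__ == "__main__":
    con, rejected = load(ROWS)
    print("rejected:", rejected)
    print("full grants to review:", full_grants(con))
```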


3.2 - Creating Session Variables for Proxy Functionality

To authenticate proxy users, you create two system session variables along with their associated initialization blocks:

3.2.1 - PROXY

PROXY

SELECT
  PROXY_TARGET_ID
FROM
  OBIEE_PROXY
WHERE
  PROXY_USER_ID     = ':USER'
AND PROXY_TARGET_ID = 'VALUEOF(NQ_SESSION.RUNAS)'

You can see the proxy value in the target session user:

3.2.2 - PROXYLEVEL

PROXYLEVEL (optional). If you do not create PROXYLEVEL, restricted access is assumed.

SELECT
  PROXY_LEVEL
FROM
  OBIEE_PROXY
WHERE
  PROXY_USER_ID     = ':USER'
AND PROXY_TARGET_ID = 'VALUEOF(NQ_SESSION.RUNAS)'

You can check the proxy level in the “My Account” screen of the target user, on the Delegate Users tab.

3.2.2.1 - Restricted

Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account).

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.

3.2.2.2 - Full

Permissions and privileges are inherited from the target user's account.

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.

3.3 - Creating a Custom Message Template for Proxy Functionality

You need to create a custom message template for the proxy functionality that contains the SQL to:

  • Get the list of target users that a proxy user can act as. This list appears in the User box in the Act As dialog box.
  • Verify whether the proxy user can act as the target user.
  • Get the list of proxy users that can act as the target user. This list appears on the target user's My Account screen.

In the custom message template, you place the SQL to retrieve this information in the following XML elements:

  • the <getValues> node: specifies the SQL to return the list of target users and corresponding proxy levels. The SQL must return either one or two columns, where the first column returns the IDs of the target users and (optionally) the second column returns the names of the target users.
  • the <verifyValue> node: specifies the SQL to verify whether the current user can act as the specified target user. The SQL must return at least one row if the target user is valid or an empty table if the target user is invalid.
  • the <getDelegateUsers> node: specifies the SQL to get the list of proxy users that can act as the current user and their corresponding proxy levels. The SQL must return either one or two columns, where the first column returns the names of the proxy users and (optionally) the second column returns the corresponding proxy levels.

The statement “EXECUTE PHYSICAL CONNECTION POOL” permits you to execute SELECT statements but also DDL (ALTER, CREATE, ...).

The following entry is an example:

<?xml version="1.0" encoding="utf-8" ?>
<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem"> 
 <WebMessageTable system="SecurityTemplates" table="Messages"> 
   <WebMessage name="LogonParamSQLTemplate"> 
      <XML>
       <logonParam name="RUNAS"> 
       <!-- for EXECUTE PHYSICAL CONNECTION POOL, SQL_Paint.SQL_Paint =  -->
       <!-- SAS Repository physical_dbname.conn_pool_name --> 
         <getValues>EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint" 
                  select PROXY_TARGET_ID from OBIEE_PROXY where PROXY_USER_ID='@{USERID}'
         </getValues>
         <verifyValue> EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint"
                  select PROXY_TARGET_ID from OBIEE_PROXY where PROXY_USER_ID='@{USERID}' and PROXY_TARGET_ID='@{VALUE}'
         </verifyValue> 
         <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint"
                  select PROXY_USER_ID, PROXY_LEVEL from OBIEE_PROXY where PROXY_TARGET_ID='@{USERID}'
         </getDelegateUsers> 
       </logonParam>
    </XML>
  </WebMessage>
 </WebMessageTable>
</WebMessageTables>

3.4 - Modifying the instanceconfig.xml File for Proxy Functionality

You can modify the Oracle BI Presentation Services configuration file (instanceconfig.xml) to specify the following information for proxy functionality:

  • in the <TemplateMessageName> elements: The name of the custom message template in the Custom Messages folder (The default name is LogonParamSQLTemplate)
  • in the <MaxValues> elements: The maximum number of target users to be listed in the User box in the Act As dialog box. If the number of target users for a proxy user exceeds this value, an edit box, where the proxy user can type the ID of a target user, is rendered rather than a drop-down list of target users. The default is 200.

For example, inside the <ServerInstance> node, you can insert:

<LogonParam>
  <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
  <MaxValues>100</MaxValues>
</LogonParam>

The name that you specify in the <TemplateMessageName> element must match the name that you specify in the <WebMessage> element in the custom message file.
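
A pre-restart check of the two files, as an added example that is not part of the original page: it verifies that the <WebMessage> name matches <TemplateMessageName> and that each SQL element references the placeholders its description implies (a <verifyValue> without @{VALUE} returns rows for any requested target). The inputs are constructed with two deliberate mistakes; the names `lint`, `first` and `REQUIRED` are hypothetical, and the required-placeholder sets are an assumption derived from the page's example template.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the page's two files. <verifyValue> omits the
# @{VALUE} filter and the configured template name is misspelled, on purpose.
TEMPLATE = """<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
 <WebMessageTable system="SecurityTemplates" table="Messages">
  <WebMessage name="LogonParamSQLTemplate"><XML>
   <logonParam name="RUNAS">
    <getValues>EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint"
      select PROXY_TARGET_ID from OBIEE_PROXY where PROXY_USER_ID='@{USERID}'</getValues>
    <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint"
      select PROXY_TARGET_ID from OBIEE_PROXY where PROXY_USER_ID='@{USERID}'</verifyValue>
    <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "SQL Paint"."SQL Paint"
      select PROXY_USER_ID, PROXY_LEVEL from OBIEE_PROXY where PROXY_TARGET_ID='@{USERID}'</getDelegateUsers>
   </logonParam></XML></WebMessage>
 </WebMessageTable></WebMessageTables>"""
INSTANCECONFIG = """<ServerInstance><LogonParam>
  <TemplateMessageName>LogonParamTemplate</TemplateMessageName>
  <MaxValues>100</MaxValues></LogonParam></ServerInstance>"""

# Placeholders each element's SQL is expected to reference (assumption, see lead-in).
REQUIRED = {"getValues": {"USERID"}, "verifyValue": {"USERID", "VALUE"},
            "getDelegateUsers": {"USERID"}}

def first(root, name):
    """First element with this local name, ignoring any XML namespace."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def lint(template_xml, instanceconfig_xml):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    msg = first(ET.fromstring(template_xml), "WebMessage")
    cfg = first(ET.fromstring(instanceconfig_xml), "TemplateMessageName")
    wanted = (cfg.text or "").strip() if cfg is not None else ""
    name = msg.get("name") if msg is not None else None
    if name != wanted:
        findings.append(f"name mismatch: {name!r} vs {wanted!r}")
    for tag, needed in REQUIRED.items():
        el = first(msg, tag) if msg is not None else None
        sql = (el.text or "") if el is not None else ""
        missing = needed - set(re.findall(r"@\{(\w+)\}", sql))
        if not sql.strip():
            findings.append(f"<{tag}> missing or empty")
        elif missing:
            findings.append(f"<{tag}> does not filter on {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(TEMPLATE, INSTANCECONFIG)))
```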

3.5 - Assigning the privilege and restarting the BI Presentation Service

For each user whom you want to authorize as a proxy user or for each Presentation Services group whose members you want to authorize as proxy users, you need to assign the Proxy privilege.

Then, to load the custom message and the configuration file changes, you must restart the BI Presentation Service.

4 - How to

4.1 - See the proxy level

You can check the proxy level in the “My Account” > Delegate Users tab.

5 - Support

5.1 - Unable to sign-in

Check the nqserver.log. You may find this kind of error:

[2012-09-24T16:43:27.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] 
[ecid: ae920880d33cb0ac:-1efbec60:139e4853ab6:-8000-000000000000dea0] 
[tid: 4587e940]  
[nQSError: 13022] There is no init block for PROXY session variable.

See section 3.2, Creating Session Variables for Proxy Functionality.

6 - Documentation / Reference