Oracle BI EE has a nice feature, called Act As.
Setting this up and applying it is a techy trick, where (as usual) the devil is in the details and (as usual) the Oracle documentation has room for improvement.
This document describes it to the letter.
Oracle BI EE
JDE Cadran – Accelerate
Act As
Date: 25-11-2015
Author: Rick Brobbel
Last Edited: Rick Brobbel
Cadran Consultancy b.v.
Project: Oracle BI EE
Subject: Act As
Version: v98
© Cadran Consultancy b.v.
Author : Rick Brobbel Date printed : 25-11-15
Project : Oracle BI EE Page : 2 of 13
Subject : Act As Date : 25-11-15
Table of Contents
1 Act As
1.1 Implementation
1.2 Temporary Delegation
1 Act As
Act As is used for impersonating users in order to review and test permissions and privileges. It can also be used for (temporary) delegates (e.g. during holidays) or by smaller organizations that want to enforce pure segregation of duties.
The Oracle documentation that was used for this: Oracle Docs.
For this configuration the devil is in the details. Follow the instructions below to the letter.
1.1 Implementation
Step: Create a database table with the information.

Remarks: Proxy Level must be lower case. User IDs are case sensitive.

When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user. The following list describes the proxy levels:

· restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account).
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.

· full — Permissions and privileges are inherited from the target user's account.
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.
The data in this table is case sensitive, so make sure that
· users are entered exactly as they are stored in WLS or MSAD
· levels are lower case
· dates are numeric, as type date does not work

Step: Repository Metadata, Physical Layer.

Remarks: When setting up and when changing the setup, make sure this table is not cacheable.

Step: Repository Session Variables.

Remarks: See details below.
Step: Create a Repository Session Variable called Proxy, to be populated by an Initialization Block called ProxyBlock.

Remarks: This Initialization Block sets the value of the variable Proxy, which selects the Target User that can then be used in the Web Catalog.

    SELECT TARGETID
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(PROXYID) = UPPER(':USER')
    AND UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
    AND TO_NUMBER(TO_CHAR(SYSDATE,'YYYYMMDD')) BETWEEN DATEFROM AND DATETHRU

This SQL statement is not in line with the documentation. It is the outcome of the support given by Oracle under SR 3-9403695961 (see Known Issues below), which is now solved.

The effective period can be used for temporary delegates. See next paragraph.
Step: Create a Repository Session Variable called ProxyLevel.

Remarks: This Initialization Block sets the value of the variable ProxyLevel, which selects the level that the delegate user can act on (full or restricted).

    SELECT PROXYLEVEL
    FROM VALUEOF(OBI_REPOS_USER).ACTAS
    WHERE UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
    AND UPPER(PROXYID) = UPPER('VALUEOF(NQ_SESSION.RUNASORIGUSER)')

This SQL statement is not in line with the documentation. It is the outcome of the support given by Oracle under SR 3-9403695961 (see Known Issues below), which is now solved.

This statement does not require the effective period. That is only needed in the ProxyBlock.
Step: Edit the instanceconfig.xml.

Remarks: Add code:

    <LogonParam>
      <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
      <MaxValues>100</MaxValues>
    </LogonParam>

Save and restart the services.

Step: Create the correct folder structure.

Remarks:
Directory: /app/oracle/obiee11117/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/msgdb/l_en/customMessages
FileName: LogonParamSQLTemplate.xml

Step: Create the XML file.

Remarks:

    <?xml version="1.0" encoding="utf-8" ?>
    <WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
      <WebMessageTable system="SecurityTemplates" table="Messages">
        <WebMessage name="LogonParamSQLTemplate">
          <XML>
            <logonParam name="RUNAS">
              <!-- for EXECUTE PHYSICAL CONNECTION POOL, SQL_Paint.SQL_Paint = -->
              <!-- SAS Repository physical_dbname.conn_pool_name -->
              <getValues>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}'</getValues>
              <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select TARGETID from ACTAS where PROXYID='@{USERID}' and TARGETID='@{VALUE}'</verifyValue>
              <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "BIRepository"."BIRepositoryConnPool" select PROXYID, PROXYLEVEL from ACTAS where TARGETID='@{USERID}'</getDelegateUsers>
            </logonParam>
          </XML>
        </WebMessage>
      </WebMessageTable>
    </WebMessageTables>
Step: Grant the privilege to access this function.

Remarks: For each user or role you want to allow this option, make sure the privileges are set correctly.

Step: The Act As button shows under the user ID.

Remarks: Note that, for instance, the option Administration is there and the options under New are fully open to what a BI Administrator can do.

Step: The user biadmin can select from the users he can impersonate.
Step: The user is now acting as the other user.

Remarks: Note that, for instance, the option Administration is gone and the options under New are limited to what a BI Consumer can do.

Step: Log on as TRADER.

Remarks: The delegated user can see, in their Account Profile settings, which users can take over for them.
TIPS
· Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.
· Changes in restrictions or privileges may not be visible immediately. They are executed, but may require a restart of the BI Services.
KNOWN ISSUES

SR: SR 3-8744510391
Description: OBIEE - Can't get ActAs functionality to work
Situation: Act As setup according to the letter of the documentation. Button appears, but drop down with choice list containing users remains empty.
Entered: 28 Mar 2014
Status: RESOLVED
Date: 28 Jul 2014
Resolution: Changing the user IDs in the ActAs table to be case sensitive. Also, the proxy level (full or restricted) is and must be lower case.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: The permissions (full or restricted) are not inherited properly, and are also not reset correctly when stopping Act As.
Entered: 28 Jul 2014
Status: RESOLVED
Date: 09 Oct 2014
Resolution: Bug 18695152 : OBIEE 11G: PRIVILEGES NOT APPLIED TO PROXY (ACT-AS) USERS. Full works. Restricted not. Different behavior in my setup compared to the case with Oracle resulted in slightly different SQL statements for the session variable init blocks.

SR: SR 3-9403695961
Description: OBIEE - Act As Permission Inheritance
Situation: Level Restricted not working properly
Entered: 03 Sep 2014
Status: RESOLVED
Date: 21 Oct 2014
Resolution: With new setup instructions it now works.

SR: SR 3-9761586135
Description: Act As - Effective Dates
Situation: Attempt to work with effective dates
Entered: 21 Oct 2014
Status: RESOLVED
Date: 26 Nov 2014
Resolution: When the effective dates are set up as format NUMBER and not DATE it starts to work with the additional instructions from Oracle.
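One possible definition of the ACTAS table from the first implementation step, with constraints that enforce the rules from the remarks and the Known Issues resolutions (lower-case proxy level, numeric effective dates). This is an added example, not the author's or Oracle's DDL. The column names are taken from the SQL on this page; column lengths, constraint and index names and the sample dates are assumptions.

```sql
-- Added example, not taken from the original document.
-- Column names come from the SQL on this page; lengths, constraint names
-- and the sample dates are assumptions.
CREATE TABLE ACTAS (
    PROXYID    VARCHAR2(128) NOT NULL,  -- user who acts for someone else, spelled exactly as in WLS or MSAD
    TARGETID   VARCHAR2(128) NOT NULL,  -- user being impersonated, spelled exactly as in WLS or MSAD
    PROXYLEVEL VARCHAR2(10)  NOT NULL,  -- proxy level, lower case only
    DATEFROM   NUMBER(8)     NOT NULL,  -- first effective day as YYYYMMDD (NUMBER, not DATE)
    DATETHRU   NUMBER(8)     NOT NULL,  -- last effective day as YYYYMMDD (NUMBER, not DATE)
    CONSTRAINT ACTAS_LEVEL_CK  CHECK (PROXYLEVEL IN ('full', 'restricted')),
    CONSTRAINT ACTAS_PERIOD_CK CHECK (DATEFROM <= DATETHRU),
    -- Reject numbers that cannot be a YYYYMMDD day, such as 20151345.
    CONSTRAINT ACTAS_FROM_CK CHECK (
        DATEFROM >= 19000101
        AND MOD(TRUNC(DATEFROM / 100), 100) BETWEEN 1 AND 12
        AND MOD(DATEFROM, 100) BETWEEN 1 AND 31),
    CONSTRAINT ACTAS_THRU_CK CHECK (
        DATETHRU >= 19000101
        AND MOD(TRUNC(DATETHRU / 100), 100) BETWEEN 1 AND 12
        AND MOD(DATETHRU, 100) BETWEEN 1 AND 31)
);

-- The ProxyLevel init block looks a row up by proxy and target through
-- UPPER(), so allow only one row per pair regardless of case.
CREATE UNIQUE INDEX ACTAS_PAIR_UX ON ACTAS (UPPER(PROXYID), UPPER(TARGETID));

-- Constructed sample row: biadmin may act as TRADER with read-only
-- permissions during November 2015.
INSERT INTO ACTAS (PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU)
VALUES ('biadmin', 'TRADER', 'restricted', 20151101, 20151130);

-- Would be rejected by ACTAS_LEVEL_CK because the level is not lower case:
-- INSERT INTO ACTAS (PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU)
-- VALUES ('biadmin', 'TRADER', 'Full', 20151101, 20151130);

COMMIT;
```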
1.2 Temporary Delegation
Act As can also be used for temporary delegations, such as holiday or sick leave replacements. An employee can thus impersonate a colleague, take over that person's restrictions and work with that person's authentication, while still taking segregation of duties into account.
This is where the Date From and the Date Thru in the Act As table come in. The logged-in user can still see and select the Act As user, but when that user is selected outside of the effective period, a sign-in error is returned.
When another effective date is required, simply alter the DateFrom and the DateThru in the ActAs table in the database.
When a specific ActAs is no longer applicable, simply remove the record from the ActAs table in the database.
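A periodic review of the delegations in the ACTAS table, as an added example that is not part of the original document. The first query classifies every row against today's date with the same numeric YYYYMMDD comparison that the ProxyBlock init block uses, the second lists target users with more than one currently effective proxy, and the last statement removes rows whose period has ended. It assumes the session runs as the owner of ACTAS; the status labels are made up for this example.

```sql
-- Added example, not taken from the original document.
-- 1. Status of every delegation as of today.
WITH D AS (
    SELECT A.PROXYID, A.TARGETID, A.PROXYLEVEL, A.DATEFROM, A.DATETHRU,
           TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD')) AS TODAY
    FROM ACTAS A
)
SELECT PROXYID, TARGETID, PROXYLEVEL, DATEFROM, DATETHRU,
       CASE
           WHEN PROXYLEVEL NOT IN ('full', 'restricted') THEN 'INVALID LEVEL'
           WHEN DATEFROM > DATETHRU                      THEN 'INVALID PERIOD'
           WHEN TODAY > DATETHRU                         THEN 'EXPIRED'
           WHEN TODAY < DATEFROM                         THEN 'NOT YET EFFECTIVE'
           ELSE 'EFFECTIVE'
       END AS STATUS
FROM D
ORDER BY STATUS, PROXYLEVEL, PROXYID, TARGETID;

-- 2. Target users who can currently be impersonated by more than one proxy.
SELECT TARGETID, COUNT(*) AS PROXY_COUNT
FROM ACTAS
WHERE TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD')) BETWEEN DATEFROM AND DATETHRU
GROUP BY TARGETID
HAVING COUNT(*) > 1
ORDER BY PROXY_COUNT DESC, TARGETID;

-- 3. Remove delegations whose effective period has ended, so that they no
--    longer show up in the Act As selection list.
DELETE FROM ACTAS
WHERE DATETHRU < TO_NUMBER(TO_CHAR(SYSDATE, 'YYYYMMDD'));

COMMIT;
```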