Sunday, January 25, 2015

OBIEE 11g: Implement Act As/Proxy


What is "Act As" Functionality?


One user can be enabled to act for another user in Oracle BI Presentation Services. When a user (called the Proxy User) acts as another (called the Target user), the proxy user can access the objects in the catalog for which target user has permission.
This functionality is useful for IT Support to troubleshoot object access problems reported by OBI users.

Levels of "Act As" Functionality


    Each Proxy User is assigned an Authority level, also called Proxy Level. This determines privileges and permissions granted to the proxy user when accessing target user's objects.

Restricted Proxy Level

  • Proxy user only has Read-Only permissions to target user's objects.
  • Proxy user are restricted by their own Privileges, and do not inherit Target users privileges.

Full Proxy Level

  • Permissions and Privileges are inherited from Target user's account.

How to verify if "Act As" Functionality is enabled

    A user enabled to be a proxy user would see the Act As option in the global header in Answers, provided the Act As Proxy privilege has been set.
A target user, can view the proxy users with permission to act as them on the "Delegate Users" tab. Navigate to My Account dialog from the global header in Answers, and an extra tab called "Delegate Users" is available for target users.

 


 

Implementing "Act As Functionality

    In order to enable "Act As" functionality, following steps need to be performed:
  • Define Association Between Proxy Users and Target Users
  • Create Session Variables for Proxy Functionality
  • Modify Presentation Services Configuration file
  • Create Custom Message Template File
  • Assigning the Proxy Privilege

Define Association between Proxy and Target Users


 

    The association between proxy and target users is defined in the database. This is done by creating a database table with the following structure:
  • PxoxyUserId
  • TargetUserID
  • ProxyLevel

Create Session Variables for Proxy Functionality

To authenticate proxy users, you must create the following two session variables along with their associated initialization blocks.
PROXY — Use this variable to store the name of the proxy user.
Create initialization block named Proxy Block and include code:
SELECT TARGETID
FROM OBIEE_PROXY_USER
WHERE UPPER(PROXYID) = UPPER(':USER')
AND UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
PROXYLEVEL — Use this optional variable to store the proxy level, either Restricted or Full. If you do not create the PROXYLEVEL variable, then the restricted level is assumed.
Create initialization block named Proxy Level, and include code:
SELECT PROXYLEVEL
FROM OBIEE_PROXY_USER
WHERE UPPER(TARGETID) = UPPER('VALUEOF(NQ_SESSION.RUNAS)')
AND UPPER(PROXYID)= UPPER('VALUEOF(NQ_SESSION.RUNASORIGUSER)')

Modify Presentation Services Configuration file

    Update the instanceConfig.xml file to configure the proxy functionality by including the following xml segment:
<LogonParam>
<TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
<MaxValues>100</MaxValues>
</LogonParam>

 

TemplateMessageName: Specifies the name of the custom message template in the Custom Messages folder that contains the SQL statement to perform tasks related to displaying proxy and target users. The default name is LogonParamSQLTemplate.
MaxValues: Specifies the maximum number of target users to be listed in the User box in the Act As dialog box. If the number of target users for a proxy user exceeds this value, then an edit box, where the proxy user can enter the ID of a target user, is shown rather than a list of target users. The default is 200.
Please restart the BI Services after making the above update.

Create Custom Message Template File

You must create a custom message template for the proxy functionality that contains the SQL statement to perform the following tasks:
  • Obtain the list of target users that a proxy user can act as. This list is displayed in the User box in the Act As dialog box.
  • Verify whether the proxy user can act as the target user.
  • Obtain the list of proxy users that can act as the target user. This list is displayed on the target user's My Account screen.
The Custom message Template File must be placed in the following Directory:
middleware/instances/instance1/bifoundation/OracleBIPresentationServicesComponent
/coreapplication_obips1/msgdb/

Assigning the Proxy Privilege

For each user whom you want to enable as a proxy user or for each application role or Catalog group whose members you want to enable as proxy users, you must grant the "Act As" Proxy privilege from the Administration option in the Presentation Services.


 

No comments:

Post a Comment