26 Mar 2013 Real case scenario: Migration of the Web Catalog Security in OBIEE 11g
I’ve recently been assigned to a customer project where I was in charge of the BI System Administration. The project was in the user acceptance stage and changes to reports & dashboards happened very frequently.
One of my daily tasks involved moving the latest web catalog changes from a development instance (where the latest user requirements were covered) to the user testing environment.
To mention that security played a very important role during these migrations since the web catalog privileges had to remain untouched within the target environment.
As you can see in the image above, the following security restrictions had to be always kept in UAT for all the OBIEE catalog objects:
– XXX Procurement Dashboard users having access only to Procurement reports and dashboards.
– XXX Receivables Dashboard users having access only to Accounts receivables reports and dashboards.
My first thought was to use the Catalog manager for managing the presentation security but to my surprise, the application was not included within the Oracle BI 11g client tools. Furthermore, I had no administration privileges over the desktop so I couldn´t install it from fresh.
introduction
For each object in th
Web catalog security
e OBIEE Catalog there is the object itself, either a file or directory, and there is an associated ATR file. The ATR file is a binary file that defines the access control for the object.
ATR files
Let’s take a look at the web catalog security defined for our finance dashboards:
As an example, we can open the general ledger atr file with a hexadecimal editor:
The most important parts within the file are the application roles to whom the object security is defined and the permissions assigned to each one of the roles. The hexadecimal code for the object permissions can be the following:
– FF: Full Control
– 0F: Change Modify
– 03: Read
– 02: Traverse
Minding the previous relation, we can state that those users with a BI Administration role will have full control over the financial dashboards and reports. On the other hand, the XXX Receivables Dashboard users will only be able to read the financial dashboards and reports.
According to the ATR files content for Procurement, the privileges will be the following:
– XXX Procurement Dashboard users will be granted read access.
– BI Administration users will be given full control.
Migrating existing reports / dashboards
Taking into account that the web catalog security resides entirely on the atr files, it is clear now that they should not be overwritten when migrating existing versions of reports and dashboards into UAT/PROD environments. In my particular scenario, that could be achieved by running the following command in the server backend (Unix):
find . -not -name ‘*.atr’ | cpio -pu OBIEE_HOME/instances/uat_instance/bifoundation/OracleBIPresentationServicesComponent/core
application_obips1/catalog/EnterpriseBusinessAnalytics
Migrating new reports / dashboards
In this case, we will have to move both the object and the associated ATR file. The security for these new objects will be set afterwards at the catalog level.
Generally, the web catalog security is definitely a very sensitive aspect when moving reports and dashboards between environments, especially in instances where users are meant to test. In order to cope with these security issues the BI administrator has to take into account the different security migration approaches and carefully choose the one that meets the project requirements.
For any questions or comments that you might have feel free to leave them! We ´d like to know your feedback!