How to enable and configure the OBIEE proxy (Act as) functionality

Post date: 31-Mar-2010 08:04:34

Principle

The “Act As” or proxy functionality lets selected users run dashboards, reports, … as someone else. Once you are logged into the OBIEE dashboards, you can “act as” any user from a predefined list. This feature is useful to check credentials, move or configure “My Dashboard”, Delivers, … without having to ask for or know every user's password.

From the dashboard Menu : Settings >> Act As

As you can see, I was logged in as “administrator” and I’m now acting as Borkur Steingrimsson.

How does it work

OBIEE needs a source of information, stored outside the BI server, that gives the list of users the logged-in user can “act as”. Once a target user is selected, the dashboard is reloaded as if you were that user (with the same privileges as the target user, or with read-only privileges).

The proxy table

In my environment I already have an Oracle schema called “OBIEE” that contains user credentials, groups, … So I’m going to add a table there in which I define, for each user, their possible target users and the right (full or restricted).

CREATE TABLE OBIEE_PROXY_USER (
  PROXYID    VARCHAR2(100) NOT NULL,
  TARGETID   VARCHAR2(100) NOT NULL,
  PROXYLEVEL VARCHAR2(100) NOT NULL
);

Insert some data :

Create Session Variables for Proxy Functionality (inside the repository)

Modify the instanceconfig.xml File for Proxy Functionality

Here comes the trickier part …

First locate your instanceconfig.xml and back it up!

The default location is something like …./OracleBIData/web/config/

Open the file and add the following code just before the </ServerInstance> closing tag:

<LogonParam>
  <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
  <MaxValues>100</MaxValues>
</LogonParam>

LogonParamSQLTemplate is your new message name (you will have to reuse the exact same name in the next step!)

100 is the maximum number of users you can “Act as”

NOTE from the Doc : The name that you specify in the <TemplateMessageName> element must match the name that you specify in the <WebMessage> element in the custom message file.

Creating a Custom Message Template for Proxy Functionality

You need to create a custom message template for the proxy functionality that contains the SQL to get the list of target users that a proxy user can act as. This list appears in the User box in the Act As dialog box.

In the custom message template, you place the SQL to retrieve this information in the following XML elements. So let’s create a custom webmessage.

The new XML file should be placed in SAROOTDIR\web\msgdb\customMessages folder, where SAROOTDIR is the installation directory

(For me … /OracleBI/web/msgdb/customMessages/)

Name your file after the TemplateMessageName you defined in instanceconfig.xml (what you just did before!)

For me “LogonParamSQLTemplate.xml”

Here is the content

<?xml version="1.0" encoding="utf-8" ?>
<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
  <WebMessageTable system="SecurityTemplates" table="Messages">
    <WebMessage name="LogonParamSQLTemplate">
      <XML>
        <logonParam name="RUNAS">
          <getValues>EXECUTE PHYSICAL CONNECTION POOL SystemUsers.OBIEE select targetId from OBIEE_PROXY_USER where proxyId='@{USERID}'</getValues>
          <verifyValue>EXECUTE PHYSICAL CONNECTION POOL SystemUsers.OBIEE select targetId from OBIEE_PROXY_USER where proxyId ='@{USERID}' and targetId='@{VALUE}'</verifyValue>
          <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL SystemUsers.OBIEE select proxyId, proxyLevel from OBIEE_PROXY_USER where targetId ='@{USERID}'</getDelegateUsers>
        </logonParam>
      </XML>
    </WebMessage>
  </WebMessageTable>
</WebMessageTables>
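The note above says the <TemplateMessageName> in instanceconfig.xml must match the <WebMessage> name in the custom message file. The following added example (not part of the original post or of Oracle's tooling) checks that pairing and that each SQL statement still carries its placeholders; the function name and the inline sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Placeholders each statement must carry, as in the template shown above.
REQUIRED = {
    "getValues": ["@{USERID}"],
    "verifyValue": ["@{USERID}", "@{VALUE}"],
    "getDelegateUsers": ["@{USERID}"],
}

def check_proxy_config(instanceconfig_xml, message_xml):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    logon = next(ET.fromstring(instanceconfig_xml).iter("LogonParam"), None)
    if logon is None:
        return ["no <LogonParam> element in instanceconfig.xml"]
    name = (logon.findtext("TemplateMessageName") or "").strip()
    if not (logon.findtext("MaxValues") or "").strip().isdigit():
        findings.append("<MaxValues> is missing or not a number")
    messages = {m.get("name", ""): m
                for m in ET.fromstring(message_xml).iter("WebMessage")}
    if name not in messages:  # this check compares exactly, including case
        return findings + ["no <WebMessage name=%r>, found %s" % (name, sorted(messages))]
    param = next(messages[name].iter("logonParam"), None)
    if param is None:
        return findings + ["<WebMessage> has no <logonParam>"]
    for tag, placeholders in REQUIRED.items():
        sql = param.findtext(tag) or ""
        if not sql.strip():
            findings.append("<%s> is missing or empty" % tag)
        findings += ["<%s> does not reference %s" % (tag, p)
                     for p in placeholders if sql.strip() and p not in sql]
    return findings

# Constructed samples shaped like the two files on this page.
INSTANCECONFIG = """<ServerInstance><LogonParam>
<TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
<MaxValues>100</MaxValues></LogonParam></ServerInstance>"""
POOL = "EXECUTE PHYSICAL CONNECTION POOL SystemUsers.OBIEE "
MESSAGE = """<WebMessageTables><WebMessageTable system="SecurityTemplates" table="Messages">
<WebMessage name="LogonParamSQLTemplate"><XML><logonParam name="RUNAS">
<getValues>{0}select targetId from OBIEE_PROXY_USER where proxyId='@{{USERID}}'</getValues>
<verifyValue>{0}select targetId from OBIEE_PROXY_USER where proxyId='@{{USERID}}' and targetId='@{{VALUE}}'</verifyValue>
<getDelegateUsers>{0}select proxyId, proxyLevel from OBIEE_PROXY_USER where targetId='@{{USERID}}'</getDelegateUsers>
</logonParam></XML></WebMessage></WebMessageTable></WebMessageTables>""".format(POOL)

if __name__ == "__main__":
    for finding in check_proxy_config(INSTANCECONFIG, MESSAGE) or ["OK"]:
        print(finding)
```

A verifyValue statement that filters only on the target and not on @{USERID} is the finding to look at first, because that query is what ties the requested target to the logged-in user.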

Enable “Act as” privilege

Log in to the dashboards as an admin user and go to “Settings” >> Administration >> Manage Privileges.

Search for “proxy” and set the privilege according to your needs.

Restart & Test

Last but not least, restart the BI Server and the Presentation Server.

For the Presentation Server you can just use “Reload Files and Metadata” in Administration.

If that does not work …

Well, check your logs:

…/OracleBI/server/Log/

and … /OracleBIData/web/log/

Extra steps

Since we are using LDAP authentication in our project, I had to disable “required for authentication” for the RPD init block that checks the user credentials in LDAP.

The reason is probably that OBI does not know the password of the user you want to “act as”.

Some ideas

If your users and credentials are stored inside the Database, this feature can be used to test “group credentials”, since almost all the logic is implemented inside simple SQL … Great OBIEE !

Sources and bibliography

Oracle/Siebel documentation

Oracle OBIEE Doc details : Oracle® Business Intelligence Presentation Services Administration Guide >> Managing Oracle BI Presentation Services Security>> Process of Authorizing Users to Act for Others

Ref: http://www.rittmanmead.com/2007/10/04/how-to-enable-and-configure-the-obiee-proxy-act-as-functionality/

Configuring OBIEE Proxy(Act As) Functionality

As OBIEE developers, we always want to be able to log in as the business users in order to validate the security development. This can be done without knowing the business user's logon credentials by simply configuring the 'Act As' feature in OBIEE.

Below are the steps involved in enabling this feature.

1. The script below creates a proxy table and inserts three records so that the developer 'shiv' can log in (proxy) as 'business_user1' and 'business_user2' and validate that the security requirement is met. Also, the 'Administrator' can proxy the user 'shiv'.

CREATE TABLE OBIEE_ACT_AS_USERS (
  PROXY_ID    VARCHAR2(50),
  TARGET_ID   VARCHAR2(50),
  PROXY_LEVEL VARCHAR2(50)
);

INSERT INTO OBIEE_ACT_AS_USERS(PROXY_ID,TARGET_ID,PROXY_LEVEL) VALUES('Administrator','shiv','full');
INSERT INTO OBIEE_ACT_AS_USERS(PROXY_ID,TARGET_ID,PROXY_LEVEL) VALUES('shiv','business_user1','full');
INSERT INTO OBIEE_ACT_AS_USERS(PROXY_ID,TARGET_ID,PROXY_LEVEL) VALUES('shiv','business_user2','full');

COMMIT;

2. Import the table OBIEE_ACT_AS_USERS into the Physical Layer and name the database and connection pool Act_As_Users and CP_Act_As_Users.

3. We now need to create three session initialization blocks: Set_RUNAS (variable: RUNAS), ProxyLevel (variable: PROXYLEVEL) and ProxyBlock (variable: PROXY).

4. Initialization Block: Set_RUNAS

Default Initialization String:

Select 'dummy' from dual

5. Initialization Block: ProxyBlock

Default Initialization String:

select target_id from obiee_act_as_users where 'VALUEOF(NQ_SESSION.RUNAS)'=target_id and ':USER'=proxy_Id

6. Initialization Block: ProxyLevel

Default Initialization String:

select proxy_level from obiee_act_as_users where 'VALUEOF(NQ_SESSION.RUNAS)'=target_id and ':USER'=proxy_Id

7. Navigate to /OracleBIData/web/config/ and modify the file instanceconfig.xml to add the tag below before the </ServerInstance> closing tag.

<LogonParam>
  <TemplateMessageName>Act_As_Logon_Template</TemplateMessageName>
  <MaxValues>100</MaxValues>
</LogonParam>

8. Navigate to /OracleBI/web/msgdb/customMessages/ and create a new XML file Act_As_Logon_Template.xml containing the script below.

<?xml version="1.0" encoding="utf-8" ?>
<WebMessageTables xmlns:sawm="com.siebel.analytics.web.messageSystem">
  <WebMessageTable system="SecurityTemplates" table="Messages">
    <WebMessage name="Act_As_Logon_Template">
      <XML>
        <logonParam name="RUNAS">
          <getValues>EXECUTE PHYSICAL CONNECTION POOL Act_As_Users.CP_Act_As_Users select target_Id from OBIEE_ACT_AS_USERS where proxy_Id='@{USERID}'</getValues>
          <verifyValue>EXECUTE PHYSICAL CONNECTION POOL Act_As_Users.CP_Act_As_Users select target_Id from OBIEE_ACT_AS_USERS where proxy_Id ='@{USERID}' and target_Id='@{VALUE}'</verifyValue>
          <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL Act_As_Users.CP_Act_As_Users select proxy_Id, proxy_Level from OBIEE_ACT_AS_USERS where target_Id ='@{USERID}'</getDelegateUsers>
        </logonParam>
      </XML>
    </WebMessage>
  </WebMessageTable>
</WebMessageTables>

9. Within OBIEE Security add three new users 'shiv', 'business_user1' and 'business_user2' as shown below.

10. Create a new Web group Act_As_Users_Group and add the user 'shiv' to this group.

11. Continue to be logged on as an Administrator, navigate to Settings > Administration > Manage Privileges and add 'Act_As_Users_Group' to Proxy.

12. Restart the Oracle BI Server and Oracle BI Presentation Server.

13. Log in as 'shiv' and then navigate to Settings > Act As > business_user1.
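The proxy table from step 1 is the whole list of who may act as whom, and its DDL has no key or value constraints, so it is worth reviewing its rows periodically. The following added example (not from the original post) runs four review queries against an in-memory SQLite copy of OBIEE_ACT_AS_USERS; the check names and the three extra rows are constructed, and the allowed levels 'full' and 'restricted' are the two mentioned earlier on this page.

```python
import sqlite3

# Review queries in plain SQL (nothing SQLite-specific); the check names are made up here.
CHECKS = {
    "unknown_level": """SELECT proxy_id, target_id FROM obiee_act_as_users
        WHERE proxy_level IS NULL OR LOWER(proxy_level) NOT IN ('full', 'restricted')""",
    "self_proxy": """SELECT proxy_id, target_id FROM obiee_act_as_users
        WHERE proxy_id = target_id""",
    "duplicate_pair": """SELECT proxy_id, target_id FROM obiee_act_as_users
        GROUP BY proxy_id, target_id HAVING COUNT(*) > 1""",
    # A may act as B and B may act as C. Listed for review only: the page does
    # not say whether a proxy session can itself use Act As.
    "two_hop": """SELECT DISTINCT a.proxy_id, b.target_id
        FROM obiee_act_as_users a JOIN obiee_act_as_users b ON a.target_id = b.proxy_id
        WHERE a.proxy_id <> b.target_id""",
}

PAGE_ROWS = [  # the three rows inserted in step 1
    ("Administrator", "shiv", "full"),
    ("shiv", "business_user1", "full"),
    ("shiv", "business_user2", "full"),
]
CONSTRUCTED_ROWS = [  # invented rows that each trip one check
    ("shiv", "business_user2", "restricted"),  # same pair, conflicting level
    ("svc_report", "svc_report", "full"),      # user listed as their own target
    ("shiv", "business_user3", "ful"),         # misspelt level
]

def make_db(rows):
    """Load rows into an in-memory stand-in for OBIEE_ACT_AS_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE obiee_act_as_users "
                 "(proxy_id VARCHAR2(50), target_id VARCHAR2(50), proxy_level VARCHAR2(50))")
    conn.executemany("INSERT INTO obiee_act_as_users VALUES (?, ?, ?)", rows)
    return conn

def audit(conn):
    """Return {check_name: sorted list of (proxy_id, target_id)} for every check."""
    return {name: sorted(conn.execute(sql).fetchall()) for name, sql in CHECKS.items()}

if __name__ == "__main__":
    for name, hits in audit(make_db(PAGE_ROWS + CONSTRUCTED_ROWS)).items():
        print(name, hits)
```

On the three rows from step 1 alone, only two_hop reports anything: Administrator reaches both business users through 'shiv'.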