Implementing Security in OBIEE

Implementing Security in OBIEE

0

Hello guys, let's resume the subject security in OBIEE, specifically security  level  column and filter data.

 The column-level security or folder allows you to control its visibility, is implemented in the presentation layer, hiding the objects for a particular group of users.

 Have the filter data (Date Filter), have spoken of him in this blog, is implemented directly in the group associated with the user via a SQL clause.

 In our example the user group managers are allowed to see the total sales and total costs for city regions and geographical   sellers must now see only the total sales and the only city he represents.

 The user bieeuser1 that's associated with the profile managers built a report shows total sales and cost  variables  by geographic region and city and want to publish this report to all its vendors.

 The column cost  variables  "10 - Variable Costs" column and the Region "R50 Region" should not be viewed by the seller.

The user profile associated with this bieeuser2 Sellers and should only view the same report to the city he represents, Bueno Aires.

 The result presented below is for the manager:

The result will be presented below for the Seller:

Let's start by implementing the security filter data (Date Filter) in OBIEE:

 1 - To create a table that access control where you can define the user, user group, the size and value that will be filtered. This table structure makes it flexible for future inclusion filters data to other users and other dimensions.

 

 In our example the user will receive the filter bieeuser2 "Bueno Aires" for the dimension City.

 2 - In OBIEE, let's create a boot block looking for the value of this table where the group is the Vendors and the user will be equal to the user who is logged into the session.

 

 The user login is caught by  variable  USER session.

 3 - The variable is populated V_CIDADE values ​​returned by the initialization block that is marked to be always required for user authentication in the application.

The  idea  here is to use this variable in the data filters.

Save everything.

4 - Now we include the data filter in Group Sellers, accessing the Identity Manager and click on the scroll BI_Vendedores.

In our example the only user associated with this role is the  user  bieeuser2.

 Click on permissions.

 

 5 - Click on the "+" to add a new date and we will select the filter table presentation "Ship to Regions."

 

 Click on edit expression.

 

 The table will be filtered only to return to the city in the variable.

 

Well now let's implement column-level security, in our case Fields "10 - Variable Costs" and "R50 Region" should not be presented to the Sellers.

1 - Select the properties of the fields where it is necessary to apply access restrictions.

2 - Click on Permissions:

3 - For the group of sellers to mark the role BI_Vendedores without access.

4 - In the configuration file NQSConfig.ini PROJECT_INACCESSIBLE_COLUMN_AS_NULL change the parameter to YES, is under the security section. By default it is set to NO. Restart the services.

This parameter allows even lacking access the columns the user can view a report previously  built  with these column.

For the  user  that has restricted these columns  also  are hidden in the report

5 - The  user  bieeuser1 that this group of managers can view the field "10-Variable Costs" and "R50 Region" in the presentation layer and can use in any report loa. Besides  displaying  the data from all cities.

6 - Have you bieeuser2 that this group of sellers can not see the field "10-Variable Costs" and the "R50 Region" and accesses only the city he represents "Buenos Aires."

Therefore, the report is presented to the seller by hiding columns that he has access, beyond just seeing sales of city it represents.

Well folks, noting that this example is not exhaustive  security  in OBIEE, if only because each client is different and needs a scenario.

The version used here was of OBIEE 11.1.1.5.5

Starting and Stopping Informatica in linux

Starting and Stopping Informatica in linux

On Unix use below command line to start and shutdown informatica services.

Startup:

cd <InformaticaInstallDir>/tomcat/bin

Ex:cd /informatica/9.0.1/tomcat/bin

etlld8002:/informatica/9.0.1/tomcat/bin>infaservice
Usage: infaservice.sh [ startup | shutdown ]

Statup:

infaservice startup

Shutdown:

infaservice shutdown

Thanks

Start/Stop OBIEE 11g Services in Linux using script

Start/Stop OBIEE 11g Services in Linux using script

Hi,

Till few days back I had been struggling on obiee 11g services start/stop on Linux as if there is any development work and obiee has to be restarted then I have to stop the weblogic, bi server and bi presentation services in proper sequence and same applies for starting. I was looking some automated way, hence running a single stop command can stop the all bi services and a single start would do for all bi services to start.

I have found an interesting script on an Oracle Forum and its really very nicely written, using the below script we can start/stop/check status of bi services. I put this script file in linux runlevel, hence every time server reboots, it stops and starts the bi services automatically. And if required, we can manually stop and start the bi services with a single command.

Below is the script:

#!/bin/bash

# 

# File:    /etc/init.d/obiee

# Purpose: Start and stop Oracle Business Intelligence 11g components.

#

# chkconfig: 2345 99 10

# description: Manage OBIEE service.

#

 

# These values must be adapted to your environment.

 

ORACLE_OWNR=obi                  # Local Unix user running OBIEE

ORACLE_FMW=/MiddlewareHome        # Deployment root directory

                                   

BIEE_USER=weblogic                 # BIEE administrator name

BIEE_PASSWD=<put weblogic's password>               # BIEE administrator password               

BIEE_DOMAIN=bifoundation_domain           # Domain name

BIEE_INSTANCE=instance1            # Instance name

BIEE_SERVER=bi_server1               # Server name

BIEE_MANAGER_URL=x.x.x.x:port#     # Admin server URL (hostname:port)    

 

# These should require no change.

 

WL_PATH=$ORACLE_FMW/wlserver_10.3/server/bin

BIEE_PATH=$ORACLE_FMW/user_projects/domains/$BIEE_DOMAIN/bin

ORACLE_INSTANCE=$ORACLE_FMW/instances/$BIEE_INSTANCE

 

export ORACLE_INSTANCE

 

START_LOG=/var/log/obiee-start.log

STOP_LOG=/var/log/obiee-stop.log

SUBSYS=obiee

 

start() {

    echo "********************************************************************************"

    echo "Starting Admin Server on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$BIEE_PATH/startWebLogic.sh" &

    wait_for "Server started in RUNNING mode"

    

    echo "********************************************************************************"

    echo "Starting Node Manager on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$WL_PATH/startNodeManager.sh" &

    wait_for "socket listener started on port"

 

    echo "********************************************************************************"

    echo "Starting Managed Server $BIEE_SERVER on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$BIEE_PATH/startManagedWebLogic.sh $BIEE_SERVER http://$BIEE_MANAGER_URL" &

    wait_for "Server started in RUNNING mode"

 

    echo "********************************************************************************"

    echo "Starting BI components on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$ORACLE_INSTANCE/bin/opmnctl startall"

 

    echo "********************************************************************************"

    echo "OBIEE start sequence completed on $(date)"

    echo "********************************************************************************"

}

 

stop() {

    echo "********************************************************************************"

    echo "Stopping BI components on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$ORACLE_INSTANCE/bin/opmnctl stopall"

 

    echo "********************************************************************************"

    echo "Stopping Managed Server $BIEE_SERVER on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$BIEE_PATH/stopManagedWebLogic.sh $BIEE_SERVER t3://$BIEE_MANAGER_URL $BIEE_USER $BIEE_PASSWD"

 

    echo "********************************************************************************"

    echo "Stopping Node Manager on $(date)"

    echo "********************************************************************************"

    pkill -TERM -u $ORACLE_OWNR -f "weblogic\\.NodeManager"

    

    echo "********************************************************************************"

    echo "Stopping Admin Server on $(date)"

    echo "********************************************************************************"

    su $ORACLE_OWNR -c "$BIEE_PATH/stopWebLogic.sh"

    

    echo "********************************************************************************"

    echo "OBIEE stop sequence completed on $(date)"

    echo "********************************************************************************"

}

 

wait_for() {

    res=0

    while [[ ! $res -gt 0 ]]

    do

        res=$(tail -5 "$START_LOG" | fgrep -c "$1")

        sleep 5

    done

}

 

case "$1" in

    start)

        echo "********************************************************************************"

        echo "Starting Oracle Business Intelligence on $(date)"

        echo "Logs are sent to $START_LOG"

        echo "********************************************************************************"

        start &> $START_LOG &

        touch /var/lock/subsys/$SUBSYS

    ;;

    stop)

        echo "********************************************************************************"

        echo "Stopping Oracle Business Intelligence on $(date)"

        echo "Logs are sent to $STOP_LOG"

        echo "********************************************************************************"

        stop &> $STOP_LOG

        rm -f /var/lock/subsys/$SUBSYS

    ;;

    status)

        echo "********************************************************************************"

        echo "Oracle BIEE components status...."

        echo "********************************************************************************"

        su $ORACLE_OWNR -c "$ORACLE_INSTANCE/bin/opmnctl status"

    ;;

    restart)

        $0 stop

        $0 start

    ;;

    *)

        echo "Usage: $(basename $0) start|stop|restart|status"

        exit 1

esac

 

exit 0

Deployment Steps:

In order for the procedure to go through smoothly, you need to provide the admin credentials (username/password, defaulting to weblogic/weblogic) in three different places:

1. In configuration file <FMW_HOME>/user_projects/domains/<domain name>/servers/AdminServer/security/boot.properties for the administration server;

If boot.properties file is not available then create a new one with the below entries:

username=[your user, usually weblogic]

pasword=[password for account above]

The next time you start weblogic, it will encrypt the file.

2. In script <FMW_HOME>/user_projects/domains/<domain name>/bin/startManagedWebLogic.sh (variables WLS_USER and WLS_PW) for the managed server;

3. In the startup script itself (variables BIEE_USER and BIEE_PASSWD) for shutting down the managed server.

Complete logs are available in /var/log/obiee-start (-stop).log files.

To Start OBIEE:

 /etc/init.d/./obiee start 

To Stop OBIEE:

 /etc/init.d/./obiee stop

To Check the Status of OBIEE:

 /etc/init.d/./obiee status

I think, it will really help the readers of this blog and at the same time I would like to thank to Chris (On Oracle Forum) for sharing such a nice script.

Installation informatica 9.0.1 for Linux

Installation Informatica Powercenter 9.0.1 on Oracle Enterprise Linux 5.6

Posted on June 20, 2011 By John van der Kooij

10 Comments

Ingredients:

Program	Version	Filename
Oracle Express 11G	11.2.0	oracle-xe-11.2.0-0.5.x86_64.rpm
SQL Developer	3.0	sqldeveloper-3.0.04.34-1.noarch.rpm
Informatica Powercenter	9.0.1	901HF2_Server_Installer_linux-x64.tar
Oracle Enterprise Linux	5.6	Enterprise-R5-U6-Server-x86_64-dvd.iso

For this demonstration Oracle Enterprise Linux (a.k.a. “Unbreakable Linux”) was used. Installed in a virtual environment with 1,5GB RAM and a 25GB harddisk.

In order to get Informatica Powercenter up and running on a server, you would typically need a database first. Otherwise it would be hard for the application to store it’s meta-data anywhere. Since this is an example, a not so large database was used; Oracle Express 11G.

Installation Oracle Express 11G
It’s important to check the free space in our memory first. Oracle XE needs around 4GB of swap memory for its installation. So let’s open a command line and check the memory using the command free

[root@fusionapps install]# free
total used free shared buffers cached
Mem: 1531688 1441668 90020 0 16128 1175480
-/+ buffers/cache: 250060 1281628
Swap: 2064376 0 2064376

Installation of the Operating System was with almost all default settings. This also means the amount of swap memory wasn’t changed. This needs to be raised before starting the installer package.

[root@fusionapps install]# dd if=/dev/zero of=/swapfile bs=1024 count=2048000
2048000+0 records in
2048000+0 records out
2097152000 bytes (2.1 GB) copied, 28.0329 seconds, 74.8 MB/s

[root@fusionapps install]# /sbin/mkswap /swapfile
Setting up swapspace version 1, size = 2097147 kB
[root@fusionapps install]# /sbin/swapon /swapfile
[root@fusionapps install]# free
total used free shared buffers cached
Mem: 1531688 1441404 90284 0 16416 1174944
-/+ buffers/cache: 250044 1281644
Swap: 4112368 0 4112368

This should do it, now onto the installation of the database itself. Locate the package and run it withrpm -i oracle-xe-11.2.0-0.5.x86_64.rpm. This should result into the following:

[root@fusionapps install]# rpm -i oracle-xe-11.2.0-0.5.x86_64.rpm
Executing post-install steps…

You must run ‘/etc/init.d/oracle-xe configure’ as the root user to configure the database.

Fine, looks alright even though you can’t see what it has done. Basically your database software is ready to be used, yet no database yet. So let’s do what the package told us to do, execute the command /etc/init.d/oracle-xe configure.

[root@fusionapps admin]# /etc/init.d/oracle-xe configure

Oracle Database 11g Express Edition Configuration
————————————————-
This will configure on-boot properties of Oracle Database 11g Express Edition. The following questions will determine whether the database should be starting upon system boot, the ports it will use, and the passwords that will be used for database accounts. Press to accept the defaults.
Ctrl-C will abort.

Specify the HTTP port that will be used for Oracle Application Express [8080]:

Specify a port that will be used for the database listener [1521]:

Specify a password to be used for database accounts. Note that the same
password will be used for SYS and SYSTEM. Oracle recommends the use of
different passwords for each database account. This can be done after
initial configuration:
Confirm the password:

Do you want Oracle Database 11g Express Edition to be started on boot (y/n) [y]:

Starting Oracle Net Listener…Done
Configuring database…Done
Starting Oracle Database 11g Express Edition instance…Done
Installation completed successfully.

At each question the answer is to hit the enter button so that the default values stay as they are. Only exception to this is where you need to enter a password for your database.
Now to test if a connection can be made to the database. Look at the top left menu and selectApplications > Oracle Database 11g Express Edition > Run SQL Command Line and review the following:

SQL> connect system/xe@xe
Connected.

SQL> select name from v$database;
NAME
—-
XE

SQL>

This looks right, the database is up and running. The installation of SQLDeveloper can begin. Note that this is not really needed, but some people prefer a more graphical way of doing their queries and other database tasks.

Installation SQLDeveloper
This installation is pretty straight forward. Look up the package and run the following from the command line: rpm –i sqldeveloper-3.0.04.34-1.noarch.rpm
This should give you:

[root@fusionapps install]# rpm -i sqldeveloper-3.0.04.34-1.noarch.rpm
[root@fusionapps install]#

Now when you look in the Applications menu, there should be a menu item called SQL Developer under the Programming submenu.

Installation Powercenter 9.0.1
In order to begin the installation of Powercenter there are some prerequisites that need to be met first:

Going through these ingredients one by one;

1. 4GB disk space, check
2. We have an Oracle database, check
3. Database user account is not there yet, to do
4. Valid license key, Oracle provides one with the download from eDelivery. This isn’t meant for production purposes, but it’s very useful when trying installations like these, check
5. Database user for domain configuration can be the same as point 4, to do
6. Port numbers is useful to align for yourself, but since this is a totally new system we’ll use the default ports Powercenter issues (i.e. 6005-6007 and some others). 4GB RAM, not needed at all. For this installation a virtual machine was used with 1,5GB of RAM and it had no problem installing Powercenter at all, so check

Conclusion of the ingredients list is one more task that isn’t done yet, create a database user that Powercenter can use to do its work.

SQL> create user informatica identified by password;
User created.

SQL> grant all privileges to informatica;
Grant succeeded.

SQL>

With above statements this final task is complete as well. So with all the boxes checked the installation of Powercenter can begin.
Lookup your downloaded Powercenter installation file (901HF2_Server_Installer_linux-x64.tar) and untar it at a destination of your choice. Then it’s just a case of starting the install.sh file.

[admin@fusionappsIPC901]$ . install.sh
OS detected is Linux
unjar task is in progress………….
unjar of ESD completed…..
Do you want to continue installation (y/n) ?

Unjarring the files will take a while, obviously depending on your system specifications. When the installer asks to continue, the answer is y for yes.

Starting installation …

\***************************************************************************
\* Welcome to the Informatica 9.0.1 HotFix 2 Server Installer. *
\***************************************************************************

To verify whether a machine meets the system requirements for an Informatica installation, run the Pre-Installation System Check Tool (i9Pi) before you start the installation process. You can find the i9Pi tool in the following directory: /i9Pi

Before you continue, read the 9.0.1 HotFix 2 Installation Guide and Release Notes.
You can find the 9.0.1 HotFix 2 documentation in the Documentation Center at http://my.informatica.com Configure the LANG and LC_ALL variables to generate appropriate code pages and create and connect to repositories and Repository Services.
Do you want to continue? (Y/N)

A lot of information, so it’s wise to read them before continuing. At the end it says not to forget to set some variables. This is wise to check with the export command. When all is well, we can move on by typing y for yes again.

Installer requires operating system Linux version 2.6 and later.
Current operating system Linux version 2.6.
Current operating system meets minimum requirements.

Select a choice :
1. Install Informatica 9.0.1 with Hot Fix 2 or Upgrade from a previous version of Informatica to Informatica 9.0.1 with Hot Fix 2
2. Apply Informatica 9.0.1 Hot Fix 2 to existing 9.0.1 install.
Enter the choice(1 or 2):

Now we need to choose the installation that we want. In this case option 1 is the way to go, nothing is installed yet so no need to apply just a hotfix.

———————————————————–
Checking for existing 9.0.1 HotFix 2 product installation.
Select (G)UI mode (needs X Window support) or (C)onsole mode (G/C):

Next question is the type of installer that we want to use. Let’s be lazy and use a graphical interface (ideal for cheering up this bunch of text with some screenshots).
Launching installer in GUI mode …
Preparing to install…
Extracting the JRE from the installer archive…
Unpacking the JRE…
Extracting the installation resources from the installer archive…
Configuring the installer for this system’s environment…

Launching installer…

Preparing SILENT Mode Installation…

===========================================================================
Informatica 9.0.1 Services HotFix2 (created with InstallAnywhere)
—————————————————————————

After choosing G for GUI mode the installer will start it up with the above information. After this is done, a window opens and the graphical installer is launched.

First window let’s you choose the type of installation. Funny enough we already gave an answer to this question, but there’s no harm in answering again.

The list of prerequisites is next. You’ve seen this list before (scroll up if you missed it) and all should be good at this point. So onto the next one.

This is where we actually need to do something; showing the installer where our license key is located and where Powercenter should be installed.

The installer then gives you a small summary of what was chosen. If this looks good then the actual installation can begin by pressing the Install button.

Configuration is the next task the installer wants to do. For this fresh installation we’ll be making a brand new domain. If for any reason there is a need to join an already existing domain then the second option is the way to go.

As per default the HTTPS option is enabled. No reason to untick it if you don’t have or don’t want to add a legitimate certificate. The installer can make a dummy one for you. Not only in this case, but also with a production machine this would be harmless. Simple reason is that Powercenter is installed based on the hostname. So if you’re not on that hostname, you can’t login to the administration console. This basically means that by default you can’t use the administration console outside of the server. This can be configured however, so when you decide to do that, it would be wise to install legitimate certificates.

Next the installer wants to know where to install all its information. This is where the database user informatica comes in. And since the database is on the same machine as Powercenter will be, it’s no problem using localhost as the address for the database.

By using the button Test connection the installer enables you to check if you didn’t make any typo’s:

Final window before the Powercenter installation is properly configured is where information is requested on the domain that needs to be created.

And if all goes well, the last screen you’ll see is the one below stating this installation was a success.

And there you go, a freshly installed Informatica Powercenter 9.0.1. Ready to be decorated with repositories and to be used with (for example) Oracle Fusion Applications feeding Oracle BI components.