Use Case 1 - Amazon S3

Report
OBIEE Automation
OBIEE Automation
User and Folder Security
Use Case 1 – Role & Folder Per Entity
Start
User
Exists?
Yes
No
Use Case 1:
Several entities (dept’s, org’s, etc)
will use OBIEE, each needs their own
folder in addition to users of each entity
having their own folder.
Create User
Role Exists?
Yes
No
Create Role
Add User to
Role
Create Folder
Remove
Inherited
Folder
Permissions
Add Role to
Folder
End
Use Case 1 – Create User Key Files
Create User Key Files:
Create a user configuration and associating key file to store encrypted authentication
credentials.
Login to Web Logic with WLST and run:
storeUserConfig(userConfigFile, userKeyFile, [nm])
Argument
Definition
userConfigFile
Name of the file to store the user configuration.
The filename can be absolute or relative to the
directory from which you enter the command.
userKeyFile
Name of the file to store the key information
that is associated with the user configuration
file that you specify. The pathname can be
absolute or relative to the directory from which
you enter the command.
nm
Optional. Boolean value specifying whether to
store the username and password for Node
Manager or WebLogic Server. If set to true, the
Node Manager username and password is
stored. This argument default to false
Use Case 1: Create User
Start
Create User:
import sys
import socket
url = 't3://'+socket.gethostname()+':7001'
user = sys.argv[1]
user_pass = sys.argv[2]
user_desc = sys.argv[3]
User
Exists?
No
Create User
connect(userConfigFile='user_config',userKeyFile='keyfile',url=url)
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
if atnr.userExists(user):
exit()
else:
atnr.createUser(user, user_pass, user_desc)
exit()
Call:
/path/to/wlst.sh /path/to/create_user.py user user_pass user_desc
Use Case 1: Role Exists
User
Exists?
Yes
Get Roles:
import sys
import socket
No
Create User
url = 't3://'+socket.gethostname()+':7001'
connect(userConfigFile='user_config',userKeyFile='keyfile',url=url)
listAppRoles(appStripe=‘[replace with application stripe name]’)
Call:
/path/to/wlst.sh /path/to/list_roles.py >> roles.txt
Parse For ‘Principal Name’ Value:
grep 'Principal Name' roles.txt | awk -F':' '{print $3}' | awk -F',' '{print $1}'
Role Exists?
Use Case 1: Role Exists
User
Exists?
Yes
No
Create User
Role Exists?
Get Roles (use existing script):
/oracle/middleware/oracle_common/common/bin/wlst.sh
/oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/common/wlstscripts/listAppRoles.py -appStripe [replace
with your app stripe name]
Use Case 1: Create Role
Role Exists?
Create Role:
No
import sys
import socket
Create Role
url = 't3://'+socket.gethostname()+':7001'
connect(userConfigFile='user_config',userKeyFile='keyfile',url=url)
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthorizer("DefaultAuthenticator")
try:
createAppRole(appStripe=‘[replace with application stripe name]', appRoleName=sys.argv[1])
except:
pass
exit()
Call:
/path/to/wlst.sh /path/to/script.py role_name
Use Case 1: Add User to Role
Role Exists?
Yes
Add User to Role:
No
import sys
import socket
Create Role
Add User to
Role
url = 't3://'+socket.gethostname()+':7001'
connect(userConfigFile='user_config',userKeyFile='keyfile',url=url)
try:
grantAppRole(‘[replace with application stripe name]',sys.argv[1],"weblogic.security.principal.WLSUserImpl",sys.argv[2])
except:
pass
exit()
Call:
/path/to/wlst.sh /path/to/user_to_role.py role_name user_name
Use Case 1: Web Service Session
SAWSessionService.logon:
<soapenv:Envelope
xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:v6='urn://oracle.bi.webservices/v6'><soapenv:Header/>
<soapenv:Body>
<v6:logon>
<v6:name>{User}</v6:name>
<v6:password>{Pass}</v6:password>
</v6:logon>
</soapenv:Body>
</soapenv:Envelope>
Access WSDL at:
host:9704/analytics/saw.dll?wsdl
Use Case 1: Create Folder
Add User to
Role
WebCatalogService.createFolder:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:v6="urn://oracle.bi.webservices/v6">
<soapenv:Header/>
<soapenv:Body>
<v6:createFolder>
<v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
<v6:createIfNotExists>1</v6:createIfNotExists>
<v6:createIntermediateDirs>0</v6:createIntermediateDirs>
<v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:createFolder>
</soapenv:Body>
</soapenv:Envelope>
Create Folder
Use Case 1: Remove Inherited Folder Perms
WebCatalogService.updateCatalogItemACL:
Create Folder
<v6:updateCatalogItemACL>
<!--1 or more repetitions:-->
<v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
<v6:acl>
<!--Optional:-->
<v6:dummy></v6:dummy>
<!--Zero or more repetitions:-->
<v6:accessControlTokens>
<v6:account>
<!--Optional:-->
<v6:name>{Replace with Role Name}</v6:name>
<v6:accountType>4</v6:accountType>
<!--Optional:-->
<v6:guid>{Replace with Role Name}</v6:guid>
</v6:account>
<v6:permissionMask></v6:permissionMask>
</v6:accessControlTokens>
</v6:acl>
<v6:options>
<v6:updateFlag>2</v6:updateFlag>
<v6:recursive>0</v6:recursive>
</v6:options>
<v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:updateCatalogItemACL>
Remove
Inherited
Folder
Permissions
Use Case 1: Add Role to Folder
WebCatalogService.updateCatalogItemACL:
<v6:updateCatalogItemACL>
<!--1 or more repetitions:-->
<v6:path>/shared/{REPLACE W/NAME OF FOLDER}</v6:path>
<v6:acl>
<!--Optional:-->
<v6:dummy></v6:dummy>
<!--Zero or more repetitions:-->
<v6:accessControlTokens>
<v6:account>
<!--Optional:-->
<v6:name>{Replace with Role Name}</v6:name>
<v6:accountType>4</v6:accountType>
<!--Optional:-->
<v6:guid>{Replace with Role Name}</v6:guid>
</v6:account>
<v6:permissionMask>{ADD Permissions MASK}</v6:permissionMask>
</v6:accessControlTokens>
</v6:acl>
<v6:options>
<v6:updateFlag>1</v6:updateFlag>
<v6:recursive>0</v6:recursive>
</v6:options>
<v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:updateCatalogItemACL>
Remove
Inherited
Folder
Permissions
Add Role to
Folder
End
Use Case 1: Add Role to Folder
WebCatalogService.updateCatalogItemACL:
<v6:accountType>4</v6:accountType>
<v6:permissionMask>{ADD Permissions MASK*}</v6:permissionMask>
<v6:updateFlag>1</v6:updateFlag>
Remove
Inherited
Folder
Permissions
Add Role to
Folder
From the WSDL:
permissionMask field value is combination of the following flags: 1 permission
to read items content 2 permission to traverse directory 4 permission to change
items content 8 permission to delete an item 16 permission to assign permissions
to others 32 can take ownership of the item 2048 permission to run a publisher
report live 4096 permission to schedule a publisher report 8192 permission to view
output of a publisher report
Invalid ACL update flag. Valid values are:
0 - replace ACL
1 - replace privileges only for mentioned accounts
2 - delete mentioned accounts from item's ACL
accountType values: 0 - user 1 - group 4 - role
End
Use Case 2 – Training Users
Start
User
Exists?
Use Case 2:
Training department needs 50 training
users for each business day of the week.
Passwords for each user needs to be
reset after one week.
Yes
No
Create User
Add User to
Role
Users
Expired?
Yes
Update
Passwords
No
End
Clear User
Folder
End
Use Case 2: User Exists Alternative
Start
SecurityService.getAccounts:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:v6="urn://oracle.bi.webservices/v6">
<soapenv:Header/>
<soapenv:Body>
<v6:getAccounts>
<!--1 or more repetitions:-->
<v6:account>
<!--Optional:-->
<v6:name>*Training*</v6:name>
<v6:accountType>0</v6:accountType>
<!--Optional:-->
<v6:guid></v6:guid>
</v6:account>
<v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:getAccounts>
</soapenv:Body>
</soapenv:Envelope>
Compare results with users you want to add.
User
Exists?
Use Case 2: Reset Users
User Expired:
Use Regular Expression to compare user day on username with day
from date object or sysdate.
Users
Expired?
Yes
Update
Passwords
No
For example: ^([0-9]{1,2})(Training[0-9]{1,2})
Compare first part of regex (1,2,3,4,5) to the day of the week from date object.
End
Clear User
Folder
Change Password:
End
import sys
import socket
url = 't3://'+socket.gethostname()+':7001'
new_pass = sys.argv[3]
old_pass = sys.argv[2]
user_number = sys.argv[1]
connect(userConfigFile='user_config',userKeyFile='keyfile',url=url)
atnr=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
atnr.changeUserPassword(user_number, old_pass, new_pass)
exit()
Clear User Folder:
rm -rf /path/to/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/root/users/user/*
Use Case 3: RPD QA
Start
Use Case 3:
Create report
with RPD logic
in good state
To improve product quality, the QA or Dev team
want to have repeatable automated tests ran
per RPD release.
Tests need to be added per iteration to account for
changes or additions. Previously built tests will be ran
in the automated suite of tests to validate unchanged
objects still contain proper logic.
Get DB and
RPD Output
DB ==
RPD?
No
Yes
Fail
Pass
Use Case 3: RPD Output
Get DB and
RPD Output
XmlViewService.executeXMLQuery:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:v6="urn://oracle.bi.webservices/v6">
<soapenv:Header/>
<soapenv:Body>
<v6:executeXMLQuery>
<v6:report>
<v6:reportPath>/path/to/folder name/report name</v6:reportPath>
</v6:report>
<v6:outputFormat>SAW_ROWSET_SCHEMA_AND_DATA</v6:outputFormat>
<v6:executionOptions>
<v6:async>false</v6:async>
<v6:maxRowsPerPage>10</v6:maxRowsPerPage>
<v6:refresh>true</v6:refresh>
<v6:presentationInfo>false</v6:presentationInfo>
</v6:executionOptions>
<v6:sessionID>{REPLACE WITH SESSION ID}</v6:sessionID>
</v6:executeXMLQuery>
</soapenv:Body>
</soapenv:Envelope>
Use Case 3: RPD Output
Get DB and
RPD Output
Returned XML:
To get this data we have gone through all logic in the RPD we’d go through when
requesting through a URL (initialization blocks, identity manager, session variables, BMM layer logic, etc).
<sawsoap:rowset xsi:type="xsd:string"><![CDATA[<rowset xmlns="urn:schemas-microsoft-com:xml-analysis:rowset">
<Row>
<Column0>Baz</Column0>
</Row>
<Row>
<Column0>Bar</Column0>
</Row>
<Row>
<Column0>Foo</Column0>
</Row>
</rowset>]]></sawsoap:rowset>
Use XML parser to get just values or transform returned values from database into XML.
References
WLST Commands:
http://docs.oracle.com/cd/E13222_01/wls/docs92/config_scripting/quick_ref.html
WebLogic Server API Reference:
http://docs.oracle.com/cd/E29542_01/apirefs.1111/e13941/toc.htm
Example of SecurityConfigurationMBean:
http://docs.oracle.com/cd/E11035_01/wls100/javadocs_mhome/weblogic/management/configuration/SecurityConfigurationMBean.html
MBean Reference:
http://docs.oracle.com/cd/E28280_01/apirefs.1111/e13951/core/
Web Service Structures:
http://docs.oracle.com/cd/E21764_01/bi.1111/e16364/structures.htm
Evaluate this session
https://www.surveymonkey.com/s/UTOUGSessions
Session Evaluation Number: 7

similar documents