The following interview questions answers based on the Real Scenarios.

1- A user generates adhoc analysis report with some columns which have object level security & user do not belong to authorized group. What will happen?

Ans – nQSError – 27005 will occur

    2- How to overcome nQSError – 27005 issue?

Ans – Edit nQSConfig.ini file Security section

Attribute: PROJECT_INACCESSIBLE_COLUMN_AS_NULL = YES;
You will be able to access report, but column with security restriction will appear with no data.

    3- User Report performance & Login slowness concern. What needs to be done?

Ans – Do Configurational Changes (NQSConfig.ini & instanceconfig.xml) to solve the issue.

    4- Users Report Performance Issue with all reports pertaining to specific Subject Area. What needs to be done?

Ans – Update Session & Repository Init Blocks to rectify the issue.

  5- Analytics Application login issue even after all components are up & running fine. What could be issue?

Ans – DB Password of Connection Pool may be changed. Updating them in console will solve the purpose.

6- Schedular component not coming up of opmn components? What can be the reason?

Ans – Repository schema password might be locked or expired. Enabling the same will solve the purpose.

    7- Graphs & Charts are not working & showing warning in OBIEE?

Ans – Restarting Javahost component will solve the issue if datatype settings are fine.

  8- While Executing report you get View Display Error – Cube Definition is invalid (Measure out of bounds). With Error Codes: GOA4AK7Z.
Ans – Issue due to Pivot Table view having no measure column. Either add measure column to measure segment or add Table View & remove pivot view if no measure column exists. Your issue will be resolved.

9 – Server component goes down from init state after some time & no information is added in nqserver log ?
Ans – It would be due to huge rpd size which required more time for server component to start. Changing timeout parameters from opmn.xml file will solve the purpose.

10 – Analytics showing error 404 however all java & opmn components are up. But while checking status from weblogic console, you found bi_server component to be in admin state.
Ans – You need to select bi_server component – goto control tab & apply resume button & select yes when prompted to set bi_server component to running state. Your issue will be solved then.

11- All java & opmn components are up & running fine, still you see status of all / some components in down status in Enterprise Manager Oracle Fusion Middleware.
Ans – Click Here For Solution

12- User unable to see Some Subject Area Tables or Columns.
Ans- Its Authorization issue. Setting Proper Permission for the object will resolve the issue.

13- Unable to Login to OBIEE Analytics Page, due to Error as : Failure of server APACHE bridge:
No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent. What action is required to resolve it?
Ans- AdminServer or Bi_Server would either be down or in warning ( hung ) state or Health is not ok. Bouncing it will solve the issue.

14- Many times you encounter the error due to connectivity issue with error as below:
[nQSError: 17014] Could not connect to Oracle database. [nQSError: 17001] Oracle Error code: 12154, message: ORA-12154: TNS:could not resolve the connect identifier specified.
What needs to be done to resolve this?
Ans- Validate Connection pool credentials, with tnsnames.ora entry & your DB credentials. Make them sync to each other & your issue will resolve.

15- OBIEE Analytics page is working fine. But you cannot login Fusion Middleware OEM & weblogic console. How to resolve such issue?
Ans- Click Here For Solution

The post OBIEE Administrators interview questions answers appeared first on Oracle for All.

1-      What are Alias tables? Why they are used?

Ans: Physical Table that inherits all properties of its parent table are Alias Tables. They are important in many aspects like:

1. a) For multiple use of physical table.

1. b) To avoid circular join.

2-      What settings you can do in physical layer to enhance end user query response time?

Ans: For Performance Enhancement, most of the settings are performed in connection pool.

Some of the important tasks handled by Connection pool are :

1. a) Updating Maximum Connection (default =10) based on : No. of concurrent users to No. of reports per dashboard. Eg. If a dashboard contains 5 reports per dashboard page & number of concurrent users are 100 then, Max. Connection will be

= 20% * (No. of concurrent users)*(No. of reports per dashboard page).
=.2*100*5 = 100

1. b) You must also use separate connection pool for Aggregate Tables / Initialization Blocks / Data Tables that effect execution time of other randomly used DB tables. This also enhances overall query response time.

3- How to perform time series calculations?

Ans : Time Series Calculations are performed with measure columns (Columns in fact table) with respect to time dimensional heirarchy (make sure time dimension heirarchy is configured properly, with chronological keys set at the levels). Time Series Functions are available in functions & can be configured in Business Model & Mapping Layer.
Type of Time Series calculations you can perform are :

Ago()
Todate()
periodrolling()

4-      What operations can be performed in Business Model & Mapping Layer, that cannot be performed from physical layer.

Ans: Business Model & Mapping (Semantic) Layer is the most important layer in Metadata Repository, that task performed includes:

1. a) Dimensional Hierarchy Creation.

1. b) Creating New Logical Columns (Based on certain calculations).

1. c) Updating Dimensional Modeling (to enhance performance).

1. d) Creating Level Based Metrics (Measures).

1. e) Aggregating Tables.

1. f) Time Series Calculations.

1. g) Fragmenting Data (Content Tab of LTS).

1. h) Filtering Data (Content Tab of LTS).

5-      What are the common tasks performed in Presentation Layer?
Ans:

1. a) Rename Tables / Columns.

1. b) Reordering Tables.

1. c) Nesting Tables.

1. d) Setting Object Level / Data Level Security.

1. e) Setting Variables (Session / Repository).

1. f) Authentication / Authorization Settings.

1. g) Manual Cache Management.

6-      What are common task performed in Analytics?

Ans: Task performed includes:

1. a) Adhoc Report Creation / Modification.

1. b) Dashboard Creation / Modification.

1. c) Publishing Reports.

1. d) Scheduling Reports.

1. e) Setting KPI.

1. f) Manage Web Catalog.

7-      Which utility you need to run to execute & generate Aggregate Tables in Database & Metadata Repository?

Ans:

nqCmd.exe Utility ( available in OracleBI\Server\Bin for 10g & OBIEE_Home\Oracle_BI1\bifoundation\server\bin folder for 11g ). However run the utility through command prompt.

8-      How to open a repository, without knowing its Password?

Ans: Update NQSConfig.ini file (available in OracleBI\Server\Config folder for 10g ) Security Section & unhash (remove # – sign) [AUTHENTICATION_TYPE = BYPASS_NQS; ]
Unfortunately – This feature is not available in 11g, however alternative option is there for changing password. Open Rpd in offline mode then File->Change Password.

9-      Which utility is used to run disconnected Analytics?

Ans:

sadis.exe available in OracleBI\Server\Bin folder.

10-    What a DBA needs to do, to enhance query response time (Performance Enhancement)?

Ans: Most of the time, it is Database which is responsible for  Query execution time. So DBA need to take corrective actions to enhance query performance. Most important task that a DBA can perform includes:

1. a) Bitmap Indexing (Fact Foreign Key / Bitmap Join Index)

1. b) Partitioning Dimensional Attributes (Eg. Time Key).

1. c) Compressing Data.

Frequently Asked Questions OBIEE (Reports / Dashboard)

Section-B (Reports / Dashboard)

1-      Other than Adhoc reporting & dashboards, what other features (for creating) are possible in recent version of obiee?

1. a) Published Reporting
2. b) Disconnected Analytics
3. c) Actionable Intelligence
4. d) Marketing

2-      For Performance Management you need to design?

1. a) Agents
2. b) KPI
3. c) Segment Tree
4. d) Data Model

3-      Default Layout of adhoc report in results tab is?

1. a) Title & Table View
2. b) Table View
3. c) Title & Pivot View
4. d) Chart Pivoted view

4-      You can assign Administration & management rights to users / groups for answers/ dashboards or more products from?

1. a) Manage Sessions
2. b) Manage Interactive Dashboard
3. c) Manage Privilege
4. d) Manage Presentation catalog group or users

5-      Which Filter Operator is not valid type?

1. a) Is blank
2. b) Contains any
3. c) Is in top
4. d) Is in bottom

6-      Default Dashboard is set from?

1. a) Administration
2. b) My Account
3. c) Dillivers
4. d) BI Publisher

7-      How you can display two separate reports in same section to appear parallel.

1. a) By Guided Navigation
2. b) By Arranging Horizontally
3. c) By Collapsible
4. d) By Formatting Section

8-      Which of the following is not Dashboard object?

1. a) BI Publisher Report
2. b) Briefing Book Nav. Link
3. c) Marketing
4. d) Embedded Content

9-      Which is not valid type of set operation for combine with similar request?

1. a) Union
2. b) Intersect
3. c) Minus
4. d) SubSet

10-   Invalid Report View Type?

1. a) Logical SQL
2. b) Guided Result
3. c) Create Segment
4. d) Create Target List

11-   Localization (Language Preferance Setting) of dashboard is possible by?

1. a) Administration
2. b) My Account
3. c) Login
4. d) Dashboard

12-   How can you show updated changes made to online rpd, without restarting BI Services?

1. a) Restart Java Host Services (Weblogic / oc4j)
2. b) Reload EPT
3. c) Reload Server Metadata
4. d) Refresh Display

13-   How can you merge two separate reports from different subject area.

1. a) Adding both reports in dashboard in same section.
2. b) Clubbing two reports by OR logic
3. c) By Combine with Similar Request Operation
4. d) By Updating Request XML of Advanced Tab.

14-   If you successfully update any report in development environment, how you can generate same report with similar properties easily?

1. a) By Pasting Request XML & SQL Issued from dev Advanced Tab to Prod / QA Advanced Tab.
2. b) By creating report & updating all required functions/ filters from criteria tab.
3. c) By Replacing prod / qa attribute files to dev atr files.
4. d) Simply copying Request XML data from Dev & pasting to prod / qa.

15-   If you want to create any column (in criteria tab) based on certain calculation, you should:

1. a) Use Filter option
2. b) Use Function Option
3. c) Use Column Format Option
4. d) Use Sorting Option

16-   If you want to limit / restrict data based on some dimension attribute, you should:

1. a) Use Filter option
2. b) Use Function Option
3. c) Use Column Format Option
4. d) Use Sorting Option

17-   How can you update your date type dimension column to custom format (format of your choice).

1. a) Use Filter option
2. b) Use Function Option
3. c) Use Column Properties Option
4. d) Use Sorting Option

18-   How can you hide your criteria column?

1. a) Use Filter option
2. b) Use Function Option
3. c) Use Column Properties Option
4. d) Use Sorting Option

19-   How can you groupby your column data:

1. a) Use Filter option
2. b) Use Function Option
3. c) Use Column Properties Option
4. d) Use Sorting Option

20-   Bins created in function are similar to:

1. a) Case Statement of Expression Function
2. b) Cast Statement of Conversion Function
3. c) Count Statement of Aggregate Function
4. d) RCount of Running Aggregate Function

21-   Which is not valid filter variable

1. a) Session
2. b) Repository
3. c) Presentation
4. d) Request

22-   You Can Customize Heading in Results Tab (edit mode) through:

1. a) Compound View
2. b) Pivot View
3. c) Title View
4. d) Chart View

23-   What is mandatory for creating pivot table?

1. a) Section
2. b) Columns
3. c) Measures
4. d) Pages

24-   Which Chart Type is used to compare many measure columns?

1. a) Bar Chart
2. b) Bubble Chart
3. c) Scatter Chart
4. d) All of the Above

25-   Which View Can Change Dimension Attribute of a table, according to our setting

1. a) Row Selector
2. b) View Selector
3. c) Legend
4. d) Column Selector
   ————————————————————————————————–Answers :

Section-B
1-(a): Through BIP
2-(b)
3-(a)
4-(c)
5-(a)
6-(b)
7-(b)
8-(c)
9-(d)
10-(b)
11-(b)
12-(c)
13-(c)
14-(a)
15-(b): Apply Function
16-(a)
17-(c): Column Properties – Data Format
18-(c): Column Format – Check Hide
19-(c): Column Format – Supress
20-(a): Case Statement are Expression Functions
21-(d)
22-(b): Only Possible through Pivot Table
23-(c)
24-(d)
25-(d)

Futher Question

1)      Tell me your experience in OBIEE, along with your roles & responsibility in projects?

Functional ( Based on your Exp. )

2)      What is the architecture of OBIEE?

Client < -> Presentation Server <-> BI Server <-> Data source

3)      What is the difference between Siebel Analytics, OBIEE 10.x & OBIEE 11.x

v  Difference of Siebel & OBIEE
a. In OBIEE, we can use Evaluate fn
b. Time series wizard s used in Siebel whereas ago & todate functions added in OBIEE
c. OCI call interface connection is available in OBIEE
d. Presentation variables are introduced
e. Meta data dictionary is there in obiee
f. Multi select feature ( contains any, begins with, ends with, wildcards like %) are available in obiee

v  Difference of OBIEE 10g and 11g
a. In 10g OC4J (Oracle container for java) . In 11g its Weblogic server
b. Security is managed by RPD in 10 g. In 11g the security is managed by the welogic server.
c. In 10g we had Foreign key join (physical layer) & complex key join (BMM). We only have a New Key Join in case of 11g , which is used at both the BMM & Physical layer.
d. 11g supports cross join hierarchies example we can move from customer dimension to product dimension during drilling down. Supports ragged hierarchies etc.
e. 11g also has column hierarchies available in the presentation services, which are created simply by dragging the dimension hierarchies from the BMM layer to the presentation layer in RPD. when column hierarchies are used to build an analyses the default view is Pivot table.
f. The time series functions Ago & ToDate which where only available in the RPD with 10g are now also available in the presentation services along with a new function RollingPeriod.
g. The analyses can now by reconstructed at run time, that means we can move column attribute from the x-axis to the y-axis and reverse as well.
h.KPI’s are available in the 11g along with KPI Watchlist on which they are deployed to be viewed by the end user. Key Performance indicators (metrics very essential for the business)
i. Concept of scorecards is available in 11g, which can measure the goal/mission by using KPI’s as the building blocks for the same
j. concept of Seletions is now available in the presentation services in 11g.
k. There is a single portal for the bi publisher/bi intelligence. The reports that are built in the BI Publisher are stored in the same catalog, as the analyses created using the bi intelligence.
l. 11g has Action Framework which can by used to invoke, existing analyses, html, java procedures.

4)      Have you worked in BI Publisher? if yes, tell me the process of generating published report?

Functional ( Based on your Exp. ).

5)      Have you scheduled reports? If yes tell me the process (from scratch) of creating scheduled reports.

Steps as mentioned below :

v  Login to Fusion Middleware ( EM )

v  Navigate to (Business Intelligence > coreapplication > Deployment>Scheduler & Mail

v  Do editing & save by activate changes.

v  Login to OBIEE Web (http://yourservername:7001/analytics)

v  Click New in the Global header and then select Agent and Actionable Intelligence

v  Navigate to Different Tabs & do relevant updates.

v  Save the agent and Run it.

6)      How do you migrate development environment changes to QA / production?

Rpd : Merging Changes & Migration & Webcat (files & folders movement)

7)      What are the types of Security, how do you implement them?

Security Types ( Object Level & Data Level ), implemented through Init Blocks & variables.

8)      If you forget administrator password to access your repository, what corrective actions you would be taking?

Edit NQSConfig.ini security section ( 3^rd Authentication type remove # ), bounce services, open offline rpd & change password.

9)      If your client addresses performance issue in some most prominent reports, accessed by many end users, what corrective actions you would be taking?

If query fetching ok at DB, then update connection pool settings or creating separate con pool for authentication / authorization, will solve the purpose to some extent. Cache Seeding or aggregation also solves the purpose.

10)   What is Authentication / Authorization? What process you follow to implement authentication for end users?

In short Authentication ( Login Access ) Authorization ( Access Rights ). Done by configuring Session Variable Initialization Blocks.

11)   What is Cache Management? How do you implement auto cache management?

Cache Management – Process to maintain cache for performance & update at certain duration. Auto Cache Mgmt can be attained by setting EPT ( event pooling table ).

12)   What was the most challenging task you handled in you obiee project. What action you took to overcome that?

Functional ( Based on your Exp. )

13)   How you implement dimensional Hierarchy?

In BMM Layer.

14)   Can you create calculated column in rpd. If yes tell me the process.

In BMM Layer done by Expression Editor.

15)   What you need to do to create trend based reports?

Implement Time Series Calculations in BMM Layer.

16)   How can you reorder & club multiple tables / columns, based on client requirements? (Nesting of Folders)

Done in Presentation Layer ( Prefix – [in 10g] / -> [in 11g] before table name)

17)   What types of dashboard objects you have worked. Give me the examples?

Types ( Section/ link or image/ folder/ embedded content/ guided navigation/etc.). Example ( Exp.)

18)   What type of views you have created, while generating reports?

Table / Pivot / Charts/ Narrative/ static text/ ticker/ filters/ title/ legend/ funnel/ gauge/ No Result/ etc.

19)   Tell me the process of merging Repository?

3 way merge process ( Original, Modified {latest}, current {older to be updated}.

20)   How to create dashboard?

Functional ( Based on your Exp. )

21)   How to restrict / grant access rights to various presentation services features.

(a) In Rpd Presentation Catalog –> Properties –> Permission & (b) In Analytics –> Administration –> Manage Dashboard (Set as per Roles & groups)

22)   How can you move dashboard report from one dashboard to other?

By Manage Catalog Feature

23)   How to apply web based object level security?

n Rpd Presentation Catalog –> Properties –> Permission

24)   Difference between Table / Pivot & Gauge View?

Table – First Row is heading, Pivot – Headings in Rows & columns (Cross Table) Measures within them. , Gauge – Graphical data view in form of Dial or bulb & measure fields have pointer / values associated to it.

25)   Difference between Narrative, Ticker & Static Teat?

Narrative – Use the narrative view to show the results as one or more paragraphs of text. You can type in a sentence with placeholders for each column in the results, and specify how rows should be separated.

Ticker – Use the ticker view to show the results of the request as a ticker or marquee, similar in style to the stock tickers that run across many financial and news sites on the Internet. You can control what information is presented and how it scrolls across the page.

Static Text – Use the static text view to include static text in the results. You can use HTML to add banners, tickers, ActiveX objects, Java applets, links, instructions, descriptions, graphics, and so on, in the results.

26)   How to customize no result data display?

From No Results View

27)   How to apply presentation Variables to Dashboards & Reports?

In Dashboards – From Prompts & in Reports from Filter –> Variables option.

28)   What is guided navigation used for, give me some practical example you implemented guided navigation?

Guided Navigation – Certain data display based on specific condition of report. Example, based on your experience.

29)   What is the scope of bins, how you implement them?

Bins – Available in Filter dialog & are used to fragment data as per business requirement.

30)   What is the process of merging multiple physical tables to single logical table?

To remove complexity or converting physical snowflake to star business model schema.

31)   How do you create Aggregate Tables?

Click Here

32)   How do you Implement Usage Tracking?

wait i will upload, detail answer

33)   If you want to aggregate your data (Product Revenue based) on monthly basis & display data w.r.t fiscal years & country. How you will generate report?

See similar process as in 31 Click Here

34)   What is Slowly Changing Dimension? How do you implement them?

Tracking changes in dimension with respect to time is referred as slowly changing dimensions.

35)   What is conformed dimension?

Confirmed Dimension – Dimension directly linked to multiple fact tables.

36)   Have you worked in Time Series Function, Give me the practical example?

Click Here http://www.oracleforall.com/time-series-functions-in-obiee/

37)   How to implement level based measure?

Level Based Measures – Measure columns associated to certain levels of dimensional hierarchy. (Settings done in LTS)

38)   What is Logical Table Source used for?

Logical Table Source – It’s one of the most important part of BMM designing & is used for Joining multiple tables, fragmentation, aggregation, formulation, filtration of data, etc.

39)   How do you localize your dashboard settings?

Set Language Preference settings from My Account

40)   How to implement implicit fact column. Why it is required?

Implicit Fact Column – From Rpd  Presentation Catalog –> Properties –> Set (Implicit Fact Column). Used to increase query response time for dimension only queries.

41)   What is Alias Table & why it is used?

42)   How to implement MUDE (Multi User Development Environment)?

43)   What types of Dimensional Hierarchy are there? How you implement them?

44)   What is gauge view? Where it is used?

45)   How to you implement partitioning in presentation layer? (Bins)

46)   How to implement Fragmentation from rpd? (LTS, Fragmentation in content tab)

47)   How do you calculate number of elements at any level of hierarchy?

48)   How to implement non system session Variable?

49)   Can you specify expression in complex join? If yes how?

50)   How to design time dim. Hierarchy. What are mandatory constraints?

51)   How do you build Data Template?

52)   How to build RTF Template?

53)   How to configure Dillivers

54)   How to configure Scheduler

The post OBIEE INTERVIEW QUESTIONS ANSWERS Part 2 appeared first on Oracle for All.

1. Create all Dimension Tables, Fact Tables & Hierarchies, which are required to be aggregated.
2. Go to Tools, Utilities (from Administration tool menu bar), a dialog box will pop up with all available utilities.
3. Select Aggregate Persistence Wizard, and then click Execute Button. (See Figure Below).

4. Now Select appropriate path where you need to generate Aggregate Table SQL.

Note : Click Generate DDL file for first time generation of Aggregate Table. (See Figure Below)

1. Click Next, to move to next page (Select Business Model & Measure Page)
2. In Select Business Model & Measure Page, Select Appropriate Business Model & then select associated Fact / Measure.(See Figure Below).

7.       Click next, to move to next page (Select Dimensions & Levels).

1. Select appropriate level of dimension & check Use Surrogate Key.

9. Click next, to move to next page (Select output Connection Pool, Container & Name).

1. Click next, to move to next page (Aggregate Definition).
2. Select I am Done (Radio Button).
3. Click Next.

1. Then Click Finish. Your Aggregate Table is Created Now & available at the path you specified in “Select File Location” Page.
2. To view generated script move to – C:\Agg\
3. Select The Aggregate Table Created & View the Code. Code for above process is mentioned below:

delete aggregates; /* Required only first time, so that any further aggregates can be deleted */

/*However if you create other Aggregate, you dont need it. */ 

1. Now the script is ready, we run it using the “nqcmd.exe” utility in the /OracleBI/server/bin directory.

Steps for running Aggregate Script are mentioned below:

After getting successful aggregate script execution, you need to restart all BI Services.

Now Open your metadata Repository & you will see that new aggregate tables created and registered, and shown in red to show they’re aggregates.

Note : No change in presentation layer, as data is executed from logical table & physical table, so presentation layer remains unaffected.

The post Creating Aggregate Tables in OBIEE appeared first on Oracle for All.

Time series functions operate on time-oriented dimensions. The time series functions calculate AGO, TODATE, and PERIODROLLING functions based on user supplied calendar tables, not on standard SQL date manipulation functions.
These functions let you use Expression Builder to call a logical function to perform time series calculations instead of aliasing physical tables and modeling logically.

To use time series functions on a particular dimension, you must designate the dimension as a Time dimension and set one or more keys at one or more levels as chronological keys.

Functions include:

1. AGO
2. PERIODROLLING
3. TODATE

AGO

This function is a time series aggregation function that calculates the aggregated value from the current time back to a specified time period. For example, AGO can produce sales for every month of the current quarter and the corresponding quarter-ago sales.

Time series functions operate on members of time dimensions which are at or below the level of the function. Because of this, one or more columns that uniquely identify members at or below the given level must be projected in the query. Alternatively, you can apply a filter to the query that specifies a single member at or below the given level.

If unsupported metrics are requested, NULL values are returned and a warning entry is written to the nqquery.log file when the logging level equals three or above.

Multiple AGO functions can be nested if all the AGO functions have the same level argument. You can nest exactly one TODATE and multiple AGO functions if they each have the same level argument.

Syntax

AGO(expr, [time_level], offset)

Where:

expr is an expression that references at least one measure column.

time_level is an optional argument that specifies the type of time period, such as quarter, month, or year.

In the Administration Tool, specify a logical level for time_level.

offset is an integer literal that represents the time shift amount.

Example

The following example returns last year’s sales:

SELECT Year_ID, AGO(sales, year, 1)

About the AGO Function Level

It is recommended that you explicitly specify the level of the AGO function using the [time_level] argument.

If you do not explicitly specify the[time_level] argument, the default level is determined as follows:

• If the measure used in the expression is a level-based measure in the time dimension (as set in the Administration Tool), then that same level is considered the default AGO level.

• Otherwise, the grain of the measure used in the expression, as determined by the BY clause of the measure shown in the logical request, is the default Ago level.

For example, the result of the query:

SELECT year, AGO(sales, 1) WHERE quarter=1 is the same as:

SELECT year, AGO(sales, year_level, 1) WHERE quarter=1

You can see the default AGO level for a given query in the Logical Request section of the query log.

PERIODROLLING
This function computes the aggregate of a measure over the period starting x units of time and ending y units of time from the current time. For example, you can use PERIODROLLING to compute sales for a period that starts at a certain quarter before and ends at a certain quarter after the current quarter.

Time series functions operate on members of time dimensions which are at or below the level of the function. Because of this, one or more columns that uniquely identify members at or below the given level must be projected in the query. Alternatively, you can apply a filter to the query that specifies a single member at or below the given level.

You cannot nest AGO and TODATE functions within a PERIODROLLING function. Also, you cannot nest PERIODROLLING, FIRST, and LAST functions.

If you embed other aggregate functions (like RANK, TOPN, PERCENTILE, FILTER, or RSUM) inside PERIODROLLING, the PERIODROLLING function is pushed inward. For example, PERIODROLLING(TOPN(measure)) is executed as TOPN(PERIODROLLING(measure)).
Syntax

PERIODROLLING(measure, x ,y [,hierarchy])
Where:
measure is the name of a measure column.
x is an integer that specifies the offset from the current time. Precede the integer with a minus sign (-) to indicate an offset into the past.
y specifies the number of time units over which the function will compute. To specify the current time, enter 0.

hierarchy is an optional argument that specifies the name of a hierarchy in a time dimension, such as yr, mon, day, that you want to use to compute the time window. This option is useful when there are multiple hierarchies in a time dimension, or when you want to distinguish between multiple time dimensions.

If you want to roll back or forward the maximum possible amount, use the keyword UNBOUND. For example, the function PERIODROLLING (measure, -UNBOUND, 0) sums over the period starting from the beginning of time until now.

You can combine PERIODROLLING and AGGREGATE AT functions to specify the level of the PERIODROLLING function explicitly. For example, if the query level is day but you want to find the sum of the previous and current months, use the following:

SELECT year, month, day, PERIODROLLING(AGGREGATE(sales AT month), -1)

Examples

SELECT Month_ID, PERIODROLLING(monthly_sales, -1, 1)

SELECT Month_ID, PERIODROLLING(monthly_sales, -UNBOUND, 2)

SELECT Month_ID, PERIODROLLING(monthly_sales, -UNBOUND, UNBOUND)

Determining the Level Used by the PERIODROLLING Function

The unit of time (offset) used in the PERIODROLLING function is called the level of the function. This value is determined by the measure level of the measures in its first argument and the query level of the query to which the function belongs. The measure level for the measure can be set in the Administration Tool. If a measure level has been set for the measure used in the function, the measure level is used as the level of the function. The measure level is also called the storage grain of the function.

If a measure level has not been set in the Administration Tool, then the query level is used. The query level is also called the query grain of the function. In the following example, the query level is month, and the PERIODROLLING function computes the sum of the last, current, and next month for each city for the months of March and April:

SELECT year, month, country, city, PERIODROLLING(sales, -1, 1)
WHERE month in (‘Mar’, ‘Apr’) AND city = ‘New York’

When there are multiple hierarchies in the time dimension, you must specify the hierarchy argument in the PERIODROLLING function.

For example:

SELECT year, fiscal_year, month, PERIODROLLING(sales, -1, 1, “fiscal_time_hierarchy”)

In this example, the level of thePERIODROLLING function is fiscal_year.
TODATE

This function is a time series aggregation function that aggregates a measure from the beginning of a specified time period to the currently displayed time. For example, this function can calculate Year to Date sales.

Time series functions operate on members of time dimensions which are at or below the level specified in the function. Because of this, one or more columns that uniquely identify members at or below the given level must be projected in the query. Alternatively, you can apply a filter to the query that specifies a single member at or below the given level.

If unsupported metrics are requested, NULL values are returned and a warning entry is written to the nqquery.log file when the logging level equals three or above.

A TODATE function may not be nested within another TODATE function. You can nest exactly one TODATE and multiple AGO functions if they each have the same level argument.

TODATE is different from the TO_DATE SQL function supported by some databases. Do not use TO_DATE to change to a DATE data type. Instead, use the CAST function.

Syntax

TODATE(expr, time_level)

Where: expr is an expression that references at least one measure column.

time_level is the type of time period, such as quarter, month, or year.

Example

The following example returns the year-to-month sales:

SELECT Year_ID, Month_ID, TODATE(sales, year)

The post Time Series Functions in OBIEE appeared first on Oracle for All.

There are many science, research and development functions which are not much explored or used in business intelligence. Most of such functions belong to Math Functions. I am listing below all Math Functions.

Math Functions are below

Abs, Acos, Asin, Atan, Atan2, Ceiling, Cos, Cot, Degrees, Exp, Floor, Log, Log10, Mod, Pi, Power, Radians, Rand, RandFromSeed, Round, Sign, Sin, Sqrt, Tan, Truncate

As I am not working in any scientific or research & development project, so I decided to manually create such functions, to describe math functions. I then thought to randomly select some of trigonometric functions & test result through their graph, so I choose sin, cos and tan. But for trigonometric function I had to further make use of pi (you may use degrees as well).

The functions applied in my case for different functions is as below:

Sin – SIN((RCOUNT(1)-1)*PI()/4)

Cos – COS((RCOUNT(1)-1)*PI()/4)

Tan – TAN((RCOUNT(1)-1)*PI()/4)

Angle in Degree – CEILING(DEGREES((RCOUNT(1)-1)*PI()/4))

Where RCOUNT(1)-1 gives numeric value starting from zero & 1 in RCOUNT(1) is numeric symbolizing first column with distinct data & PI()/4 is used to multiply each count to pi/4 ( quarter of semicircle).

So as verifying from the graph & tabular value, it is clear to make use of them, leaving tan pi/2 as an exception of giving a finite value. However still aviating, some more scientific calculus functions, which will make obiee full package to be used in scientific research & development projects.

The post Math Functions in OBIEE appeared first on Oracle for All.

For Getting Age between two dates we use SQL Query as :
datediff(d, startdate, enddate) as Age

However default date format in OBIEE is Timestamp. So you need timestamp function (Available under Calendar/Date Function Heading) to get required result.
Syntax:

TIMESTAMPDIFF(interval, timestamp1, timestamp2)

Where:
interval is the specified interval. Valid values are:

SQL_TSI_SECOND

SQL_TSI_MINUTE

SQL_TSI_HOUR

SQL_TSI_DAY

SQL_TSI_WEEK

SQL_TSI_MONTH

SQL_TSI_QUARTER

SQL_TSI_YEAR

timestamp1 and timestamp2 are any valid timestamps.

Example
For Number of Days between two days:
TimestampDiff(SQL_TSI_DAY, “FROM_DATE_COLUMN”, “TO_DATE_COLUMN”)

For Number of Days till current date:
TimestampDiff(SQL_TSI_DAY, “FROM_DATE_COLUMN”, CURRENT_DATE)

*You can also use this function for getting age difference for other time dimension attributes as week, quarter, month or year. All you need to do is change first attribute i.e ‘interval’ & other attribute’s accordingly.

The post To Get Age between two Days in OBIEE Report appeared first on Oracle for All.

Expressions are building blocks for creating conditional expressions that convert a value from one form to another. Expressions include:

• CASE (Switch)

• CASE (If)

CASE (Switch)

This form of the CASE statement is also referred to as the CASE(Lookup) form. The value of expr1 is examined, then the WHEN expressions. If expr1matches any WHEN expression, it assigns the value in the corresponding THEN expression.
If none of the WHEN expressions match, it assigns the default value specified in the ELSE expression. If no ELSE expression is specified, the system automatically adds an ELSE NULL.
If expr1 matches an expression in multiple WHEN clauses, only the expression following the first match is assigned.

Syntax

CASE expr1     WHEN expr2 THEN expr3     {WHEN expr… THEN expr…}     ELSE exprEND
Where:

CASE starts the CASE statement. Must be followed by an expression and one or more WHEN and THEN statements, an optional ELSE statement, and the END keyword.

WHEN specifies the condition to be satisfied.

THEN specifies the value to assign if the corresponding WHEN expression is satisfied.

ELSE specifies the value to assign if none of the WHEN conditions are satisfied. If omitted, ELSE NULL is assumed.
END ends the CASE statement.

Example

CASE “TableHeading”.”Column Name” WHEN ‘Col_Val1’ THEN ‘Val1’ WHEN ‘Col_Val2’ THEN ‘Val2’ WHEN ‘Col_Val3’ THEN ‘Val3’ ELSE “TableHeading”.”Column Name” END
In this example, the WHEN statements must reflect a strict equality.

CASE (If)

This form of the CASE statement evaluates each WHEN condition and if satisfied, assigns the value in the corresponding THEN expression.
If none of the WHEN conditions are satisfied, it assigns the default value specified in the ELSE expression. If no ELSE expression is specified, the system automatically adds an ELSE NULL.

Syntax

CASE      WHEN request_condition1 THEN expr1     {WHEN request_condition2 THEN expr2}     {WHEN request_condition… THEN expr…}     ELSE exprEND
Where:
CASE starts the CASE statement. Must be followed by one or more WHEN and THEN statements, an optional ELSE statement, and the END keyword.

WHEN specifies the condition to be satisfied.

THEN specifies the value to assign if the corresponding WHEN expression is satisfied.

ELSE specifies the value to assign if none of the WHEN conditions are satisfied. If omitted, ELSE NULL is assumed.

END ends the CASE statement.

Example

CASE WHEN (“TableHeading”.”ColumnName1″=’Val_A’ AND “TableHeading”.”ColumnName”=’Value1′) THEN ‘Val1′ WHEN (“TableHeading”.”ColumnName2″=’Val_B’ AND “TableHeading1”.”ColumnName2″=’Value2′) THEN ‘Val2′ WHEN “TableHeading”.”Column Name”=’Value3’ THEN ‘Val3’ ELSE “TableHeading”.”Column Name” END
Note :

Unlike the case-switch form, the WHEN statements in the case-if form allow comparison operators in a CASE statement, AND has precedence over OR.

The post OBIEE Conditional Expressions Function appeared first on Oracle for All.

Users and administrators can create requests by directly calling database functions from either Oracle BI Answers, or by using a logical column (in the logical table source) within the metadata repository. Key uses for these functions include the ability to pass through expressions to get advanced calculations, as well as the ability to access custom written functions or procedures on the underlying database.

Support for database functions does not currently extend across all multidimensional sources. Also, you cannot use these functions with XML data sources.

By default, support for the EVALUATE family of database functions is disabled. You must change the EVALUATE_SUPPORT_LEVEL parameter in NQSConfig.INI to enable support for the EVALUATE* functions. See Oracle Fusion Middleware System Administrator’s Guide for Oracle Business Intelligence Enterprise Edition for more information.

Functions include:

• EVALUATE
• EVALUATE_ANALYTIC
• EVALUATE_AGGR
• EVALUATE_PREDICATE

EVALUATE
This function passes the specified database function with optional referenced columns as parameters to the back-end data source for evaluation. This function is intended for scalar calculations, and is useful when you want to use a specialized database function that is not supported by the Oracle BI Server, but that is understood by the underlying data source.

The embedded database function may require one or more columns. These columns are referenced by %1 … %N within the function. The actual columns must be listed after the function.

The ability to use EVALUATE is disabled by default. To enable support for this function, change the EVALUATE_SUPPORT_LEVEL parameter in NQSConfig.INI. See Oracle Fusion Middleware System Administrator’s Guide for Oracle Business Intelligence Enterprise Edition for more information.

Syntax

EVALUATE(‘db_function(%1…%N)’ [AS data_type] [, column1, columnN])
Where:

db_function is any valid database function understood by the underlying data source.

data_type is an optional parameter that specifies the data type of the return result. Use this parameter whenever the return data type cannot be reliably predicted from the input arguments. However, do not use this parameter for type casting; if the function needs to return a particular data type, add an explicit cast. You can typically omit this parameter when the database-specific function has a return type not supported by the Oracle BI Server, but is used to generate an intermediate result that does not need to be returned to the Oracle BI Server.

column1 through columnN is an optional, comma-delimited list of columns.

Examples

This example shows an embedded database function.

SELECT EVALUATE(‘instr(%1, %2)’, address, ‘Foster City’) FROM employees

Examples Using EVALUATE_AGGREGATE and EVALUATE to Leverage Unique Essbase Functions
The following examples use the EVALUATE_AGGREGATE and EVALUATE functions. Note that expressions are applied to columns in the logical table source that refers to the physical cube.Use EVALUATE_AGGREGATE to implement custom aggregations. For example, you may want to compare overall regional profit to profits for the top three products in the region. You can define a new measure to represent the profits for top three products resulting in the Logical SQL statement:

SELECT Region, Profit, EVALUATE_AGGREGATE(‘SUM(TopCount(%1.members, 3, %2), %3)’,Products, Profit, Profit) Top_3_prod_Profit FROM SampleBasic
The Oracle BI Server generates the following expression for the custom aggregation:

member [Measures].[MS1] AS ‘SUM(Topcount([Product].Generations(6).members,3,[Measures].[Profit]),[Measures].[Profit])’
Use the EVALUATE function on projected dimensions to implement scalar functions that are computed post-aggregation. EVALUATE may change the grain of the query, if its definition makes explicit references to dimensions (or attributes) that are not in the query.

For example, if you would like to see the Profits for the top five products ranked by Sales sold in a Region, after creating the applicable measure, the resulting Logical SQL statement is as follows

SELECT Region, EVALUATE(‘TopCount(%1.members, 5, %2)’ as VARCHAR(20), Products, Sales), Profits FROM SampleBasic
The Oracle BI Server generates the following expression to retrieve the top five products:

set [Evaluate0] as ‘{Topcount([Product].Generations(6).members,5,[Measures].[Sales]) }’

EVALUATE_ANALYTIC

This function passes the specified database analytic function with optional referenced columns as parameters to the back-end data source for evaluation.

The embedded database function may require one or more columns. These columns are referenced by %1 … %N within the function. The actual columns must be listed after the function.

The ability to use EVALUATE_ANALYTIC is disabled by default. To enable support for this function, change the EVALUATE_SUPPORT_LEVEL parameter in NQSConfig.INI. See Oracle Fusion Middleware System Administrator’s Guide for Oracle Business Intelligence Enterprise Edition for more information.

Syntax
EVALUATE_ANALYTIC(‘db_function(%1…%N)’ [AS data_type] [, column1, columnN])
Where:

db_function is any valid database analytic function understood by the underlying data source.

data_type is an optional parameter that specifies the data type of the return result. Use this parameter whenever the return data type cannot be reliably predicted from the input arguments. However, do not use this parameter for type casting; if the function needs to return a particular data type, add an explicit cast. You can typically omit this parameter when the database-specific analytic function has a return type not supported by the Oracle BI Server, but is used to generate an intermediate result that does not need to be returned to the Oracle BI Server.

column1 through columnN is an optional, comma-delimited list of columns.

Examples
This example shows an embedded database analytic function.

EVALUATE_ANALYTIC(‘dense_rank() over(order by %1 )’ AS INT,sales.revenue)
If the preceding example needs to return a double, then an explicit cast should be added, as follows:

CAST(EVALUATE_ANALYTIC(‘Rank(%1.dimension.currentmember, %2.members)’,“Foodmart93″.”Time”.”Month” as Double)
EVALUATE_AGGR
This function passes the specified database function with optional referenced columns as parameters to the back-end data source for evaluation. This function is intended for aggregate functions with a GROUP BY clause.

The embedded database function may require one or more columns. These columns are referenced by %1 … %N within the function. The actual columns must be listed after the function.

The ability to use EVALUATE_AGGR is disabled by default. To enable support for this function, change the EVALUATE_SUPPORT_LEVEL parameter in NQSConfig.INI. See Oracle Fusion Middleware System Administrator’s Guide for Oracle Business Intelligence Enterprise Edition for more information.

Syntax
EVALUATE_AGGR(‘db_agg_function(%1…%N)’ [AS data_type] [, column1, columnN)
Where:

db_agg_function is any valid aggregate database function understood by the underlying data source.

data_type is an optional parameter that specifies the data type of the return result. Use this parameter whenever the return data type cannot be reliably predicted from the input arguments. However, do not use this parameter for type casting; if the function needs to return a particular data type, add an explicit cast. You can typically omit this parameter when the database-specific function has a return type not supported by the Oracle BI Server, but is used to generate an intermediate result that does not need to be returned to the Oracle BI Server.

column1 through columnN is an optional, comma-delimited list of columns.

Example

EVALUATE_AGGR(‘REGR_SLOPE(%1, %2)’, sales.quantity, market.marketkey)

EVALUATE_PREDICATE
This function passes the specified database function with optional referenced columns as parameters to the back-end data source for evaluation. This function is intended for functions with a return type of Boolean.

The embedded database function may require one or more columns. These columns are referenced by %1 … %N within the function. The actual columns must be listed after the function.

Note that EVALUATE_PREDICATE is not supported for use with Essbase data sources.

The ability to use EVALUATE_PREDICATE is disabled by default. To enable support for this function, change the EVALUATE_SUPPORT_LEVEL parameter in NQSConfig.INI. See Oracle Fusion Middleware System Administrator’s Guide for Oracle Business Intelligence Enterprise Edition for more information.

Syntax

EVALUATE_PREDICATE(‘db_function(%1…%N)’, [, column1, columnN)
Where:

db_function is any valid database function with a return type of Boolean that is understood by the underlying data source.

column1 through columnN is an optional, comma-delimited list of columns.

If you want to model a database function for comparison purposes, you should not use EVALUATE_PREDICATE. Instead, use EVALUATE and put the comparison outside the function. For example, do not use EVALUATE_PREDICATE as follows:

EVALUATE_PREDICATE(‘dense_rank() over (order by 1% ) < 5’, sales.revenue)
Instead, use EVALUATE, as follows:

EVALUATE(‘dense_rank() over (order by 1% ) ‘, sales.revenue) < 5
Example

SELECT year, Sales AS DOUBLE,CAST(EVALUATE(‘OLAP_EXPRESSION(%1,”LAG(units_cube_sales, 1, time, time LEVELREL time_levelrel)”)’, OLAP_CALC) AS DOUBLE) FROM “Global”.Time, “Global”.”Facts – sales” WHERE EVALUATE_PREDICATE(‘OLAP_CONDITION(%1, ”LIMIT time KEEP ””1””, ””2””, ””3””, ””4”” ”)=1′, OLAP_CALC) ORDER BY year;

The post OBIEE Database Evaluate Function appeared first on Oracle for All.

“Protect filter” basically “hard-codes” a filter so that it won’t be overwritten.

The feature was already there from OBIEE 10g versions. We need to take some extra precautions before applying this in request filters which can be adopted as best practice in report development.

This ensures that the filter used in the request is not lost or overwritten by another filter or dashboard prompt that may supersede the request.
This option is only available if a value has been specified in the filter. If the filter item is set to “is prompted” then the Protect Filter option if not available.

To apply it as the filter in the Answers Request:

 Select Filter Options  button> Check the Protect Filter option as seen in the screen below…

And The filter is looks like the this. With the “key” icon on the filter icon to lock the values to restrict the change.

An other Example

Say ,I have created a report with filters on “Prod Category” Column

I created a dashboard with prompt on “Prod Category” and placed the created report.

selected “Peripherals and accessories” values  from the prompt and results are as follows

I applied other filters(“Electronics” ,”Hardware”) as well but those were overwritten because filters are not protected.

So, Now I protected the filters(“Electronics”, “Hardware”)  ,as shown in below image, and saved it.

Now, when I selected the value “Peripherals and accessories” from the prompt ,I can see the protected filter values as well as prompt filter values because filters are protected now.

The post What is Protect Filter in OBIEE appeared first on Oracle for All.

Deadly earthquake rocks Afghanistan and Pakistan

Tremors from the magnitude-7.5 quake were also felt in northern India and Tajikistan.

At least 12 of the victims were Afghan schoolgirls killed in a crush as they tried to get out of their building.

The earthquake was centred in the mountainous Hindu Kush region, 76km (45 miles) south of Faizabad, the US Geological Survey reported.

Buildings have been evacuated and communications disrupted in many areas.

Live updates

Sunnatullah Timour, a spokesman for the governor of the Afghan province of Takhar, told the BBC that as well as the fatalities at the girls’ school, another 25 students were injured in the stampede.

Deaths and injuries have also been reported in the Afghan provinces of Nangarhar, Badakhshan and Kunar, with at least 35 killed in total.

In Pakistan, the military has said 123 people have been confirmed dead in the north of the country.

Most of those fatalities were in the Malakand region of Khyber Pakhtunkhwa province.

Image copyrightEPA

Image copyrightReuters

Image copyrightEPA

In the city of Karimabad, in Gilgit-Baltistan, a witness who gave his name as Anas told the BBC that the quake had sent a landslide crashing into the Hunza river.

“At first it was as if someone was shaking us. There were about 20 of us and we just held on to each other,” he said.

“Right after that we saw a major landslide. Some people say it was a glacier that came down, some people say it was a hill. It fell right in front of our eyes.”

Media captionThe moment the earthquake struck in Kabul was shown on the Ariana TV Network

The USGS estimated that the quake happened at a depth of 212km. The magnitude was initially put at 7.7 but later downgraded.

An aftershock measured at 4.8 magnitude struck shortly afterwards.

Analysis by Jonathan Webb, BBC News science reporter

Even at its revised magnitude of 7.5, this was a powerful tremor. Around the world only about 20 quakes each year, on average, measure greater than 7.0.

But its focus was deep – much further below the surface than the 7.8 quake which brought widespread destruction to eastern Nepal in April. That event was only 8km deep and was followed in early May by an aftershock with magnitude 7.3.

Similarly, the devastating 2005 Kashmir earthquake was magnitude 7.6 and just 26km deep. Today’s quake, at a depth of more than 200km, appears to have caused widespread but less severe ground shaking.

---

People in the Indian capital Delhi ran into the streets after the tremor struck, and schools and offices were evacuated. The Delhi metro was also briefly halted.

Indian Prime Minister Narendra Modi tweeted that he had ordered an urgent assessment of any damage.

“We stand ready for assistance where required, including Afghanistan and Pakistan,” he said.

Catherine Bhatti, from Durham in the UK, was visiting relatives in Sarghoda, Pakistan, when the quake struck.

“It came out of the blue, everything started to move slightly then it became stronger. We made our way downstairs and gathered outside on the lawn,” she told the BBC.

“My in-laws, who have lived here all their lives, say they have never experienced anything like this before.”

Image copyrightAP

Image copyrightBBC Afghan

Buildings in the Tajik capital Dushanbe were damaged by the tremors.

Local media report that a staircase at a school in Tajikistan’s Yavan district collapsed, injuring 14 children.

There are also reports of injuries in a stampede at Khorog state university in Tajikistan, as a building was evacuated.

The region has a history of powerful earthquakes caused by the northward collision of India with central Asia.

In 2005, a magnitude 7.6 quake in Pakistan-administered Kashmir left more than 75,000 people dead.

In April this year, Nepal suffered its worst earthquake on record with 9,000 people killed and about 900,000 homes damaged or destroyed.

The post Deadly earthquake rocks Afghanistan and Pakistan appeared first on Oracle for All.

In yesterdays blog post on OBIEE 11g security, we looked at OBIEE 11g’s security architecture, and what’s called the “Default Security Configuration”. We looked at how new users were created and assigned to existing LDAP groups and application roles, and then left with three tasks that OBIEE 11g administrators would want to perform with this default configuration:

• Creating new application roles, and assigning users and LDAP groups to them
• Altering and creating new application policies (and understanding exactly what these are for)
• Bundling up and migrating security settings across environments

Let’s start with creating new application roles. In the second posting in this series, we looked at a couple of new application roles, QA Manager and HR Manager, that we then used to control access to subject areas within the catalog. These types of application roles, unlike the BIAdministrator, BIAuthor and BIConsumer application roles that come by default with OBIEE 11g, don’t in themselves have privileges assigned to them, but we use them to grant access to subject areas, or do things like display sections of dashboards or provide access to catalog objects. To create such an application role, you’d need to:

1. Create the application role itself, using Enterprise Manager
2. Create the matching LDAP group, or identify which existing LDAP groups you want to map it the application role
3. Go back into Enterprise Manager and grant the role to these groups
4. Ensure your users are added to the relevant LDAP groups, and then
5. Go into the Oracle BI Administration tool, and refresh it’s view of the current application roles in use.

So in this example, we’ll create the two application roles that were used in the second posting, on subject-area and functional application security. The first role, QA Manager, will map back to a single LDAP group that we’ll need to create for this purpose; the second role, HR Manager, will map to three separate existing HR manager LDAP groups that each will have this application role granted. This example was created using OBIEE 11.1.1.6, though the approach should work for all OBIEE 11g versions.

1. Using Enterprise Manager (http://[machine_name]:7001/em), log in as an administrative user, and then selectBusiness Intelligence > coreapplication from the navigation tree menu.
2. With coreapplication selected, right-click on it and select Security > Application Roles
3. You are now presented with a list of application roles. To create a new application role called QA Manager, press the Create… button.
4. The Create Application Role page will then be displayed. Enter a name and description for the application role, using the singular for the name (e.g. QA Manager) and then press OK to create it.
5. Now you can create the corresponding LDAP group, and assign any required users to the group. Navigate using your Web browser to the WebLogic Server Administration Console (http://[machine_name]:7001/console), log in as an administration user, and select Security Realms >myrealm from the application menu.
6. When the Settings for myrealm page is displayed, click on the Users and Groups tab, and then select theGroups sub-tab when it is displayed. Then, create the new group using the plural version of the application role name you used earlier, i.e. QA Managers. Finally, add any required users to this LDAP group, and then exit the WebLogic Server Admin Console.
7. Now log back into Enterprise Manager and bring up the Application Roles page again. Click on the new QA Manager application role, and press the Edit button. To grant this new application role to its corresponding LDAP group, within the Members section press the Add button, and then select the LDAP group from theSearched Principals group. Once complete, you should see the LDAP group listed as one of the members granted this application role.
8. Finally, to make this new application role available within the Oracle BI Administration tool, close Enterprise Manager and then log into the administration tool, opening your repository online.Now, select Manage > Identity… to open the Identity Manager, and then select Action > Synchronize Application Roles. You should now see this new application role listed under the Application Roles tab in the Identity Manager dialog.

At this point, you could now repeat the process to create other, similar application roles which could, for example, map more than one LDAP group into the role. An example of this might be where a single application role, HR Manager, has three LDAP groups; Northern HR Managers, Western HR Managers and Central HR Managers, mapped to it within its Members listing. For now though, let’s look at another situation, where we wish to add a new application role to add to the existing BIConsumer, BIAuthor and BIAdministrator default application roles.

By default, OBIEE 11g ships with three application roles that you assign to users of your system:

• BIConsumer, the base-level role that grants the user access to existing analyses, dashboards and agents, allows them to run or schedule existing BI Publisher reports, but not create any new ones
• BIAuthor, a role that is also recursively granted the BIConsumer role, that also allows users to create new analyses, dashboards and other BI objects
• BIAdministrator, recursively granted the BIAuthor (and therefore BIConsumer) roles, that allows the user to administer all parts of the system, including modifying catalog permissions and privileges

In some cases, you might want to add another role to this list, to fit between the BIConsumer and BIAuthorroles; one called BIAnalyst, that allows users to create and edit analyses, but not create new dashboards.

This requirement often comes up when there is a need for users to be able to create new analyses, but someone else then publishes those to dashboards. To create and configure this application role, after first creating a matching LDAP group that you’ll map to it, you’ll need to do to three things:

• Create the role, and reconfigure the inheritance hierarchy in the policy store so that it inherits the permissions of the BIConsumer role, and the BIAuthor role in turn inherits its permissions
• Re-configure Presentation Server catalog privileges so that the new BIAnalyst role becomes the lowest-level role that can access the analysis editor, with the existing BIAuthor role then inheriting this privilege

To create this additional role, you can either create a new role from scratch, or base it on an existing one such asBIAuthor, as we’ll do now:

1. Using Enterprise Manager, log on as an administrative user and select Business Intelligence >coreapplication > Security > Application Roles.
2. When the list of Application Roles is displayed, select the BIAuthor role and press the Create Like… button. When the Create Application Role Like page is displayed, enter the details for the new role, calling itBIAnalyst and entering a suitable description.
3. Within the Members section, remove the existing BIAuthors group from the member list, and replace it with the LDAP group that you created to map to this role, i.e. BIAnalysts. Then, remove the BIAdministrator role from the Members list, and replace it with the BIAuthor role, so that the correct role in the hierarchy inherits this new role’s permissions and privileges.
   Press OK to close the dialog and create the new application role.
4. Now, edit the BIConsumer application role, remove the BIAuthor role from its list of members, and replace it with the new BIAnalyst role. This action now places the new BIAnalyst role mid-way between theBIConsumer and BIAuthor roles, so that each role is granted the correct roles under it in the role hierarchy shown in the diagram before, which is important for when we come to assign catalog privileges in the next step.
5. At the moment, catalog privileges in Oracle BI Presentation Services are configured such that only user granted the BIAuthor role can create analyses. To alter this so that users granted this new BIAnalyst role can also create analyses, log on to the Oracle Business Intelligence website (http://[machine_name:9704/analytics, typically) as an administrative user, and click on the Administration link, and then the Manage Privileges link within the Administration page.Then, within the Access category, locate the Access to Answers item, and click on the BI Author Role link next to it. When the Privilege : Access to Answers dialog is shown, remove the BI Author role that is currently listed and replace it with BI Analyst, which you should assign the Granted Permission.

   
   Now, this new role has the right to use Answers (the legacy name for the analysis editor), and as theBIAuthor role inherits (has been granted) the BIAnalyst role, it gains this privilege as well.

6. Now you can test out the new role, by creating a user and assigning it to an LDAP group corresponding to theBIAnalyst role, and then logging in as that user. You should see that this user can now create new analyses, but cannot create dashboards or any other BI content.

So that takes us through looking at creating and working with application roles, but what about application polices, the other entry under the Security menu that you see when you right-click on coreapplication in Enterprise Manager, What are they?

You can access the existing list of application policies by logging into Enterprise Manager and selecting Business Intelligence > coreapplication, then right-clicking on it and selecting Security > Application Policies. After selecting obi as the application stripe and pressing the Search Application Security Grants button, you should see a list of the existing application policies in your policy store. Each one will, by default, be named after the application role to which they apply.

So what is an application policy? Select the BIAuthor principal and press the Edit… button to take a look.

Application policies are sets of java permissions that are associated with a principal, in this case an application role. The BIAuthor application policy, for example, allows the user to develop reports and data models with BI Publisher, access Essbase administration and calculation functions, and perform other report-authoring tasks. What application policy permission classes explicitly don’t cover, though, is privileges such as being able to access the analysis editor, create dashboards, or use other areas of repository or Presentation Server functionality that are controlled by permissions set in the Oracle BI Administration tool, or the Administrationpage in Presentation Services.

As such then, functional area privileges and permissions in OBIEE 11g are controlled in two places:

• For applications written in Java, such as BI Publisher, Financial Reporting and Real-Time Decisions, you control their use by using application policies, whilst
• For the C++ “legacy” components such as the BI Server and BI Presentation Server, you control them by their own in-built privileges and permissions

So when do you use application policies? If truth be told, in all the years I’ve worked with OBIEE11g, I’ve never had to alter or create an application policy, as the permissions they work with are outside of the usual catalog and repository permissions, but one example might be where you want the BIAnalyst role that we created a moment ago to have the permissions to create BI Publisher reports and data models, but not have any of the Essbase permissions that would normally be associated with the BIAuthor role on which it was based. To set this up, you’d need to:

• Create an application policy based on the BIAuthor one, and grant it to the BIAnalyst role
• Remove the permission classes from this new application policy that relate to Essbase

To do this, follow these steps:

1. With the Application Policies page open in Enterprise Manager, select the BIAuthor principal and press theCreate Like… button
2. On the Create Application Grant Like Grant To : BIAuthor page, press Add button within the Granteesection, and select the BIAnalyst role.
3. Within the Permissions area, select the following permission classes by Resource Name and press the Delete… button to remove them from this application policy:EPM_Essbase_Administrator
   EPM_Essbase_Calculate
   EPM_Calc_Manager_Designer
   oracle.epm.financialreporting.editBatch
   oracle.epm.financialreporting.editBook
   oracle.epm.financialreporting.editReport
   oracle.epm.essbasestudio.cpadmin

   Once complete, your application policy should look as in the screenshot below:

   
   Press OK once you have finished.

Now, when users with this corresponding application role try to make use of Essbase administrative or authoring features, their use will be denied as per the application policy that you have assigned to this role.

So to wrap up this posting; what do you do with these settings, contained in your policy store, if you wish to migrate them, along with any LDAP user and group settings and provider configurations, to a new server?

To migrate security settings from one environment (server) to another, you’ve got to migrate across three main sets of configuration settings:

1. The Identity Store settings (users and groups in the WLS LDAP server)
2. The Policy Store settings (application roles and policies)
3. The Credential Store (containing all of the stored usernames and passwords used by the BI Server, and system accounts)

The post OBIEE 11g Managing Security Migrations and Deployments appeared first on Oracle for All.

In this final posting in the OBIEE 11g Security Week, we’re going to look at two common tasks that an OBIEE 11g administrator might have to perform:

• Connecting the system to Microsoft Active Directory, so users can log-into the dashboard using their Windows Active Directory username and password, and retrieve group membership, and
• Connecting the system to an external set of database tables that contain the group membership for users authenticated through Active Directory

Whilst OBIEE 11g comes with the embedded WebLogic LDAP server to hold users and groups, the license for this is restricted such that you can’t just move all your other user details from other applications into the LDAP server. Realistically, you wouldn’t want to do that anyway as it’s likely you’ve got a corporate directory somewhere that you want to leave user and group details in, with OBIEE instead just connecting to it as an authentication and authorisation source. Luckily, now that OBIEE 11g uses WebLogic and Fusion Middleware’s Oracle Platform Security Services framework, connecting to external directories such as Active Directory is pretty straightforward, especially with recent versions of OBIEE such as 11.1.1.6 that do this all a lot smoother now.

So in this example, we’ve got an Active Directory server running on the host pdc.gcbc.com, that contains three users:

• ADBISystemUser, which will be used as the principal that OBIEE uses to connect to the Active Directory server
• Anne Administrator, a user on Active Directory who wants to have administration rights in the Presentation Server and BI Server
• AD User, another user that just wants to be able to create analyses and dashboards

These users are organised into three groups in the AD server:

• ADBIAdministrators, analogous to the BIAdministrators group in the WLS LDAP server
• ADBIAuthors, ditto
• ADBIConsumers, ditto again

Now if you search the internet and Oracle docs for instructions on how to integrate OBIEE 11g with Active Directory, there seems to be about as many different ways to do it as there are sets of instructions. A lot of this is because Active Directory is highly-configurable, and a lot depends on how much you want to replace, or just work alongside, the existing WLS LDAP server. In this example, our objective is to keep the WLS LDAP server and the user accounts within it (including the biadmin administrator account), but then make it possible for Active Directory users to also log in, and be assigned to the standard application roles that the WLS LDAP users have. Keeping the WLS LDAP users and administration account considerably simplifies the configuration process, though you might still want to go the full way if you intend to completely replace WLS LDAP with Active Directory. For now though, we’ll have the two running alongside each other.

Looking at the Active Directory Users and Configuration utility, we can see the three users we’re interested in:

And the three groups:

The groups have just got those users as members, and the users are just regular AD users, including theADBISystemUser account. Internally, the domain is called gcbc.com, with the users held in the Users directory and groups in the Builtin directory – fairly standard stuff.

So let’s go into the WebLogic Server Administration Console (http://[machine_name]:7001/console) and start configuring the system for Active Directory integration.

1. Log into the WebLogic Server Administration Console as an administration user, for example biadmin/welcome1
2. When the Admin Console homepage is displayed, click on the Security Realms menu item on the left-hand side, and then then on myrealm when the link is shown.
3. You are now going to alter the domain configuration, so press the Lock and Edit button. Then, click on the Providers tab in the Settings for my realm page.
4. Active Directory integration is achieved through registering a new authentication provider, using the Active Directory provider type. To register this, press the New button just under the Authentication Providers label.
5. The Create a New Authentication Provider page will be displayed. Give the provider a name (for example,ADProvider) and select ActiveDirectoryAuthenticator as the Type.
6. Now click on this new authentication provider in the list, and then when the Settings for ADProvider page is shown, set the Control Flag to SUFFICIENT, and press Save.
7. Then, click on the Provider Specific tab, and enter the following details for your Active Directory installation, amending the settings as appropriate for your AD server.Host :  pdc.gcbc.com
   Port : 389
   Principal : CN=ADBISystemUser, CN=Users, DC=gcbc, DC=com
   Credential : Welcome1
   Confirm Credential : Welcome1
   User Base DN : CN=Users,DC=gcbc, DC=com
   User Name Attribute : cn
   User Object Class : user
   Group Base DN : CN=Builtin, DC=gcbc, DC=com
   GUID Attribute : objectguid

   
   Then, press Save to save and close the page.

8. Now go back to the list of providers, and click on the DefaultAuthenticator one. With the Configuration >Common sub-tab selected, set the Control Flag to OPTIONAL, and press Save.
9. Then, again with the list of authentication providers displayed, press the Reorder button and then change the order of the providers so that ADProvider is first, followed by DefaultAuthenticator andDefaultIdentityAsserter.
10. You’re now at the point where you can restart your BI domain and see the new users and groups within the WebLogic Admin Console. To do this, restart the BI Domain (the Admin and Managed Servers), and once complete, log in again into the WebLogic Admin Console and select Security Realms > myrealm > Users and Groups > Groups. You should then see the Active Directory users listed alongside the WLS LDAP ones.
    Similarly, you should see your AD groups under the Groups tab. Note that you can’t edit these AD users and groups from within the WebLogic Admin Console, nor can you create new AD users here – to do that, you’d need to use Active Directory’s own console and tools.
11. Next we will switch over to Enterprise Manager, first to configure Fusion Middleware’s Oracle Platform Security Services to accept users and groups from both WLS LDAP and Active Directory when logging into the dashboard, and then we’ll map the Active Directory groups to their equivalent application roles.Log into Enterprise Manager, and select the WebLogic Domain > bifoundation_domain menu item on the left. Right-click on it and select Security > Security Provider Configuration. When the Security Provider Configuration page is displayed, expand the Identity Store Provider area and press the Configure…button.

    
    The Identity Store Configuration page will then be displayed. Press the Add button next to the Custom Properties area, and add a new custom property with these settings :

    Property Name : virtualize
    Value : true

    Press OK to close the page.

12. Now right-click on the Business Intelligence > coreapplication entry in the left-hand side menu, and selectSecurity > Application Roles. As you may have done with the application role settings in yesterday’s postings, edit the BIAdministrator, BIAuthor and BIConsumer application roles so that the new Active Directory groups are listed as members.
    Doing this ensures that the Active Directory users get the same type of Presentation Server and repository privileges as WLS LDAP users, but they won’t have administration access to WebLogic or Enterprise Manager.

    You can, if you want, grant these users the same sorts of domain administrator rights as the WLS LDAP users, and you can indeed remove all of the WLS LDAP users and groups and move over to Active Directory entirely. But in most cases I see, this level of integration is sufficient, as it still allows the OBIEE administrators to control their own user accounts and privileges.

13. You should now be able to log in as one of the Active Directory users. In the screenshot below, the AD User user has logged in, and has been granted the BIAuthor role through their membership of the ADBIAuthors Active Directory group. If Anne Administrator, an Active Directory user assigned to the ADBIAdministrator group, logs in she will be able to administer the Presentation Server permissions and privileges, but she won’t be able to log into Enterprise Manager to change the repository, for example.

So what we’ve seen here so far is OBIEE 11g connecting to Active Directory, to retrieve in addition to the existing WLS LDAP users and groups, users and groups from this directory. But what if the groups in Active Directory bear no resemblance to the groups and application roles that you’d like to organise users into? Because you can map LDAP groups to roles in Enterprise Manager, it’s possible to “reshape” group membership to fit your BI requirements, but often organisations will solve this problem by creating a couple of database tables on a spare database, and use those to define which users belong to which group.

Now this is something that was done a lot in OBIEE 10g – using Active Directory to authenticate someone, then retrieve their group membership through a separate database table lookup – but you’re not supposed to mix WLS provider-based authentication with old-style init block authorisation, so how will this work, if, for example we’ve got a couple of tables called GROUPS and GROUPMEMBERS that detail which user belongs to which group:

To handle this type of situation, OBIEE 11.1.1.5 (through the patch associated with Bug 11667221 / ARU 14523400) and OBIEE 11.1.1.6 (by default, though you need to copy the BISecurityProviders.jar file from [middleware_home]/Oracle_BI1/bifoundation/security/providers to[middleware_home]/wlserver_10.3/server/lib/mbeantypes, and then restart the Admin Server before it’s available), has a new authenticator called BISQLGroupProvider that can do this for you.

To use this new authenticator with either OBIEE 11.1.1.5 or 11.1.1.6, you’ll need to perform the following tasks:

1. Configure a data source within WebLogic that the provider will use to connect to the schema and tables described above
2. Configure a BISQLGroupProvider with the SQL SELECT statements required to access these tables
3. Re-order your authentication providers, and if you’ve not done so already, enable the virtualised identity store adapter (we did this infact in the previous example)
4. Configure a database adapter so that the Identity Store APIs can map your groups into application roles.

Full details of this new authenticator are in a document on My Oracle Support, Doc. ID. 1428008.1. So, with some new users added to my Active Directory server and corresponding entries in the two database tables, so that these users are assigned to groups such as QA Managers, HR Managers and SF Managers, let’s get this set up.

1. If you’ve not done so already, apply the above patch to OBIEE 11.1.1.5 if that’s the version you’re running, and then copy the BISecurityProviders.jar file as directed above (this applies to 11.1.1.6 as well, which already has the file without needing the patch applied). Once done, restart the WebLogic Admin Server.
2. Now you will configure the data source and BISQLGroupProvider. To do so, use your Web browser to navigate to the WebLogic admin console (http://[machine_name]:7001/console), and then press the Lock and Edit button.From the left-hand menu select Services > Data Sources. Then, from the Data Sources list, press New >Generic Data Source.

   Then, on the Create a New JDBC Data Source page, enter or select the following details:

   Name : BIDatabaseGroupsDS
   JNDI Name : jdbc/BIDatabaseGroupsDS
   Database Type : Oracle (for example)

   On the following page, select the Database Driver, and then at the Connection Properties page, enter the connection details to your schema and database, for example:

   Database Name : orcl
   Host Name : obisrv1c
   Port : 1521
   Database User Name : gcbc_bi_groups
   Password : password
   Confirm Password : password

   Once entered, test the connection on the next page, on the next page deploy the datasource to all of your WebLogic servers, then press Finish, and then press the Activate Changes button.

3. Next you will create a BISQLGroupProvider against this JDBC data source. The SQL that’s in the SELECT statements below is particular to the tables that I diagrammed earlier, and you’d need to change it if your table structure was different.Start by pressing the Lock & Edit button, to start editing the domain configuration. Then, select Security Realm > myrealm > Providers from the menus and tabs.

   With the Providers tab selected, press the New button to create a new authentication provider. When prompted, enter MySQLGroupProvider as the Name, and select BISQLGroupProvider as the Type.

   
   Then, press OK to close the page, and then click on the new MySQLGroupProvider authentication provide to display its settings page. Select the Provider Specific tab, and then type in the name of the JDBC datasource that you created earlier, i.e. jdbc/BIDatabaseGroupDS.

   If you used the same table and column names as in the diagram before, the SQL settings for this provider will not need to be changed. If you did alter the table or column names though, update the SQL commands to reflect your actual database structure.

   
   Once complete, press Save.

4. Now go back to the list of providers, and Reorder them so that the new MySQLGroupProvider is at the top of the list.
5. If you have not done so already, set the virtualized=true flag in the Identity Store Provider settings in Enterprise Manager  – see the steps earlier in this posting for details on how to do this.Once you’ve done this, press the Activate Changes button and then stop, and then start your entire BI system, so that all WebLogic and OBIEE components restart.
6. Next, you are going to create an XML file that will be an adapter template for the database adapter, and will be used by the Identity Store APIs to map groups to application roles. Use a text editor and call the file bi_sql_groups_adapter_template.xml, and substitute your own LDAP details into the<param name=”ReplaceAttribute”value=”uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}”/>

   section, and also the:

   <objectClass name=”groupofuniquenames” rdn=”cn“>

   section. In addition, if you have used different database table names and columns, you’ll need to adjust the SQL statements in the XML file accordingly.

   ?

   <?xml version = '1.0' encoding = 'UTF-8'?> <adapters schvers="303" version="1" xmlns="http://www.octetstring.com/schemas/Adapters" xmlns:adapters="http://www.w3.org/2001/XMLSchema-instance">     <dataBase id="directoryType" version="0">       <root>%ROOT%</root>       <active>true</active>       <serverType>directoryType</serverType>       <routing>          <critical>true</critical>          <priority>50</priority>          <inclusionFilter/>          <exclusionFilter/>          <plugin/>          <retrieve/>          <store/>          <visible>Yes</visible>          <levels>-1</levels>          <bind>true</bind>          <bind-adapters/>          <views/>          <dnpattern/>       </routing>       <pluginChains xmlns="http://xmlns.oracle.com/iam/management/ovd/config/plugins">          <plugins>             <plugin>                <name>VirtualAttribute</name> <class>oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin</class> <initParams>                   <param name="ReplaceAttribute" value="uniquemember={cn=%uniquemember%,cn=Users,dc=gcbc,dc=com}"/>                </initParams>             </plugin>          </plugins>          <default>             <plugin name="VirtualAttribute"/>          </default>          <add/>          <bind/>          <delete/>          <get/>          <modify/>          <rename/>       </pluginChains>       <driver>oracle.jdbc.driver.OracleDriver</driver>       <url>%URL%</url>       <user>%USER%</user>       <password>%PASSWORD%</password>       <ignoreObjectClassOnModify>false</ignoreObjectClassOnModify>       <includeInheritedObjectClasses>true</includeInheritedObjectClasses>       <maxConnections>10</maxConnections>       <mapping> <joins/>          <objectClass name="groupofuniquenames" rdn="cn"> <attribute ldap="cn" table="GROUPMEMBERS" field="G_NAME" type=""/>             <attribute ldap="description" table="GROUPMEMBERS" field="G_NAME" type=""/>             <attribute ldap="uniquemember" table="GROUPMEMBERS" field="G_MEMBER" type=""/>          </objectClass>       </mapping>       <useCaseInsensitiveSearch>true</useCaseInsensitiveSearch>       <connectionWaitTimeout>10</connectionWaitTimeout>       <oracleNetConnectTimeout>0</oracleNetConnectTimeout>       <validateConnection>false</validateConnection>    </dataBase> </adapters>

   Now, open a command-prompt session in the server running Oracle Business Intelligence, and enter the following commands, adjusting for your particular environment and LDAP settings:

   cd c:\Middleware\oracle_common\bin
   set ORACLE_HOME=c:\Middleware\Oracle_BI1
   set WL_HOME=c:\Middleware\wlserver_10.3
   set JAVA_HOME=c:\Middleware\jdk160_24

   libovdadapterconfig -adapterName biSQLGroupAdapter -adapterTemplate bi_sql_groups_adapter_template.xml -host localhost -port 7001 -userName biadmin -domainPath c:\Middleware\user_projects\domains\bifoundation_domain -dataStore DB -root cn=Users,DC=gcbc,DC=com -contextName default -dataSourceJNDIName jdbc/BIDatabaseGroupDS

   When prompted, enter the password for the Administration Server. Once complete, you should see the message:

   Adapter created successfully: biSQLGroupAdapter

7. Now stop and restart the entire BI system. During the restart, you will see an error message saying that the connection pool you just created is unusable – this is expected and will not cause a problem.Now, go into Enterprise Manager and create a matching role for one of your new database-defined groups. You should see the new groups appearing when you go to add a group to the application role – if not, check the console output for the WebLogic Server for any diagnostic messages.

8. Finally, you’re now ready to test out the new roles and groups. Restart your entire BI system, then log in as one of the users with groups in the database tables, and then view the list of roles assigned to the user. You should see your new roles, corresponding to the group settings in the database tables, assigned to the user – in this case, the HR Manager role.

So that concludes my look this week at OBIEE 11g security. There’s a lot more you could cover – EBS integration, setting up of SSO and SSL, etc, but I think this gives you a flavour of what’s involved. On now to write the actual book chapter, so no blogging for me for a couple of weeks.

The post OBIEE 11g Connecting to Active Directory, and Obtaining Group Membership from Database Tables Security appeared first on Oracle for All.

Whats considerations do I need to make when exposing Oracle BI to the outside world?

How can I make a flexible security model which is robust enough to meet the demands of my organisation but easy to maintain?

The first question is based on a standard enterprise security model where the Oracle BI server is exposed by a web host, enabling SSL and tightening up access security.  This request can be complex to achieve but is something that we have implemented many times now.

The second question is much harder to answer, but our experience has led us to develop a multi-dimensional inheritance security model, with numerous clients that has yielded excellent results.

What is a Multi-dimensional Inheritance Security Model?

The wordy title is actually a simple concept that incorporates 5 key areas:

• Easy to setup and maintain
• Flexible
• Durable
• Expandable
• Be consistent throughout the product

While there numerous ways of implementing a security model in Oracle BI, by sticking to the key concepts above, we ensure we get it right.  The largest challenge we face in BI is the different types of security required, and all three need to work in harmony:

• Application security
• Content security
• Data security

Understanding the organisation makeup

The first approach is to consider the makeup of a common organisation and build our security around it.

This diagram shows different Departments (Finance, Marketing, Sales) whose data is specific to them, so normally the departmental users should only see their own data that is relevant to them.  In contrast the IT department who are developing the system need visibility across all data and so do the Directors.

What types of users do I have?

Next is to consider the types of users we have:

1. BI Consumer: This will be the most basic and common user who needs to access the system for information.
2. BI Analyst: As an Analyst the user will be expected to generate more bespoke queries and need ways to represent them. They will also need an area to save these reports.
3. BI Author: The BI Author will be able to create content and publish that content for the BI Consumers and BI Analysts.
4. BI Department Admin: The BI Department Admin will be responsible for permissions for their department as well as act as a focal point user.
5. BI Developer: The BI Developer can be thought of as the person(s) who creates models in the RPD and will need additional access to the system for testing of their models. They might also be responsible for delivering Answers Requests or Dashboards in order to ‘Prove’ the model they created.
6. BI Administrator:  The Administrator will be responsible for the running of the BI system and will have access to every role.  Most Administrator Task will not require Skills in SQL/Data Warehouse and is generally separated from the BI Developer role.

The types of users here are a combination of every requirement we have seen and might not be required by every client.  The order they are in shows the implied inheritance, so the BI Analyst inherits permissions and privileges from the BI Consumer and so on.

What Types do I need?

Depending on the size of organization determines what types of user groups are required. By default Oracle ships with:

1. BI Consumer
2. BI Author
3. BI Administrator

Typically we would recommend inserting the BI Analyst into the default groups:

1. BI Consumer
2. BI Analyst
3. BI Author
4. BI Administrator

This works well when there is a central BI team who develop content for the whole organization. The structure would look like this:

For larger organizations where dashboard development and permissions is handled across multiple BI teams then the BI Department Administrator group can be used to locally manage permissions for each department.  Typically we see the BI team as a central Data Warehouse team who deliver the BI model (RPD) to the multiple BI teams.  In a large Organization the administration of Oracle BI should be handled by someone who isn’t the BI Developer, the structure could look like:

Permissions on groups

Each of the groups will require different permissions, at a high level the permissions would be:

Understanding the basic security mechanics in 10g and 11g

In Oracle BI 10g the majority of the security is handled in the Oracle BI Server.  This would normally be done through initialisation blocks, which would authenticate the user from a LDAP server, then run a query against a database tables to populate the user into ‘Groups’ used in the RPD and ‘Web Groups’ used in the presentation server.  These groups would have to match in each level; Database, Oracle BI Server and Oracle BI Presentation Server.

With the addition of Enterprise Manager and Weblogic the security elements in Oracle BI 11g radically changed.  Authenticating the user is in the Oracle BI server is no longer the recommended way and is limited in Linux. While the RPD Groups and Presentation Server Web Groups still exist they don’t need to be used.  Users are now authenticated against Weblogic.  This can be done by using Weblogic’s own users and groups or by plugging it into a choice of LDAP servers.  The end result will be Groups and Users that exist in Weblogic.  The groups then need to be mapped to Application Roles in Enterprise Manager, which can be seen by the Oracle BI Presentation Services and Oracle BI Server.  It is recommended to create a one to one mapping for each group.

What does all this look like then?

Assuming this is for an SME size organization where the Dashboard development (BI Author) is done by the central BI team the groups would like:

The key points are:

• The generic BI Consumer/Analyst groups give their permissions to the department versions
• No users should be in the generic BI Consumer/Analyst groups
• Only users from the BI team should be in the generic BI Author/Administrator group
• New departments can be easily added
• the lines denote the inheritance of permissions and privileges

Whats next – The Web Catalog?

The setup of the web catalog is very important to ensure that it does not get unwieldy, so it needs to reflect the security model and we would recommend setting up some base folders which look like:

Each department has their own folder and 4 sub folders. The permissions applied to each department’s root folder is BI Administrators so full control is possible across the top.  This is also true for every folder below however they will have additional explicit permissions described to ensure that the department cannot create any more than the four sub folders.

• The Dashboard folder is where the dashboards go and the departments BI Developers group will have Full control and the departments BI consumer will have read . This will allow the departments BI Developers to create dashboards,  the departments BI Administrators to apply permissions and the departments consumers and analysts the ability to view.
• The same permissions are applied to the Dashboard Answers folder to the same effect.
• The Development Answers folder has Full control given to the departments BI Developers and no access to for the departments BI Analysts or BI Consumers. This folder is mainly for the departments BI Developers to store answers when in the process of development.
• The Analyst folder is where the departments BI Analysts can save Answers. Therefore they will need full control of this folder.

I hope this article gives some insight into Security with Oracle BI.  Remember that our Global Services products offer a flexible support model where you can harness our knowledge to deliver your projects in a cost effective manner.

The post OBIEE Enterprise Security appeared first on Oracle for All.

OBIEE security consists of 2 parts:

• Security Infrastructure setup (Done from WLS Console and EM)

Here we define the Application roles and assign them privileges(that is associate Application role to a Application Policy) Application Role is created based on our security need and is used for grouping users, so that a group security policy can be defined.

• Data and Object security setup (Done from the rpd file)

To restrict users from seeing tables/columns or filtering the data they see, we need to have the object and data security in place. This is done from rpd file. This is the most important step in security implementation

Let’s see the steps involved in security implementation.

Security Infra setup

We will define a user and a group in web logic server

Log on to web logic server(WLS) console (URL http://localhost_ip:7001/console)

This is the home page of WLS console

Click on Security Realms

In Security realms page click on “myrealm”

Go to “Users and Groups” tab>”Groups”>New and add a new WLS group called DieselModelViewers_WLS

Go to “Users and Groups” tab>”User”>New and add a new user called diesel_user

;

Associate the diesel_user to DieselModelViewers_WLS group

Next log on to Enterprise Manager (URL http://localhost_ip:7001/em)

Navigate to Business Intelligence > coreapplication > Business Intelligence Instance >Security>Application Role

Create a new Application role to be used for our data and object security by clicking on new.

Call the Application Role and DieselModelViewers

The  click on 

Associate this application role with the WLS group DieselModelViewers_WLS created earlier

Object and Data Security Setup

Log in to the rpd and click Manage>Identity

Go to the Application Roles tab, check that the newly created Application role “DieselModelViewer” is visible

Click on Permissions button

We can now define a new data filter for the DieselModelViewers group, click on

Define a new security filter for the above application role as shown above.

Data security is done, next lets see object security.

We want to hide the presentation table WB_TEST from members of DieselModelViewers application role, like diesel_user. Double click on WB_TEST table and the above window opens up, click on permissions Deny permission to DieselModelViewers by clickingNoAccess.This will restrict diesel_user from seeing WB_TEST table in his subject area.

Next log in to Answers/Analysis page.

Lets check a report that has all fuel types, since an admin user can see all fuel types we will choose to see it from weblogic user

As we see , here the report is not restricted based on fuel type.

Lets login using the diesel_user

Try to access the subject area (noe we can only access subject area, but cant create a report because of BIConsumer privilege

We dont see the WB_TEST Presentation table due to object security

We also don’t see the fuel types, other than DIESEL, due to data security

The nqquery.log shows that DIESEL filter is added on to the select statement, which confirms that data security is working.

The post OBIEE11g Security Setup appeared first on Oracle for All.

There are 2 main options to implement this security:

• front end – from the presentation services
• back end – from the catalog manager

OBIEE Front-End Security

Browse through your catalog until you reach your desired main folder/object on which you want to apply security.

Our example shows application on the OBIEE folder “Shared Folders/00. BI Insight – demos”.

Select the folder from the tree at the right side and then click Permission from the bottom of the right column. Second option is selecting parent Folder from Tree view column, then select folder from list view column, and click on “More” link. A Permissions option/link will appear.

You will notice you have various options now available:

1. Apply effective permissions
2. Replace with parent’s folder permissions
3. Set parent folders permissions to “Traverse Folder”
4. Add users/roles
5. Apply permissions for selected users/roles
6. Delete selected users/roles
7. Applying permissions to sub-folders (selecting a number of group/role/users – button will display the list of available privileges and apply the selection to all selection)
8. Applying permissions to all items within folder

When adding permissions (on click on the plus button), you will have options to add Application Roles, Catalog Groups or Users. Search list allows you to select by any of the above categories, or overall:

Write your search criteria (or leave blank when you want the full list) and click the Search button

then select the desired User/Role/Group and move to the right (Selected Members list):

then select the type of Permissions you want to grant and click OK.

You can grant:

• Full Control
• Modify
• Open
• Traverse
• No Access
• Custom

1. Custom permission allows any combination of the available rights on the right.
2. Full Control – all rights from image;
3. Modify – Read, Traverse, Write and Delete Permissions
4. Open – Read & Traverse Rights (this is the typical right to be granted to a consumer of reports)
5. Traverse – available only for folders – it allows users to access items within the folder, but not creating/adding additional information to the folder itself;
6. No Access – denied access to the object

After getting your selections and rights in order, you can also set up the owner (by selecting the appropriate radio button – default is no selection if creator of report/current owner is not in the list). You can then apply your permissions on current folder only, or recursively on the sub-folders (child folder tree) and/or the items within the folder (analysis, dashboard, prompt, filter …) by checking the appropriate check-boxes at the bottom of the pop-up window:

As a test, I’ve logged in with my test user a_test (member of OBIEE Top Management application role) and I can only see my selected folder in the Shared Reports folder.

:

OBIEE Back-End Security

The second option of implementing this type of security is using the Catalog Manager tool.

Open Catalog online, using Catalog manager

by specifying  the URL and using an Admin user (e.g. weblogic)

This will provide you with a Tree view

and a Table view:

You will be able to view:

• system folders
• shared folders
• users folders

All under root.

Please note the view provided by the catalog manager or namings will depend on your version of OBIEE. However, principles explained in this blog will still apply.

When selecting a given folder you can access various options, like Copy, Cut, Rename, Smart Rename, Create, Permissions and Properties.

So Catalog manager will not only allow you to change permissions, but also properties (Applied recursively )

or managing your folders content.

The permissions screen is pretty much similar to the one on the OBIEE front end:

allowing adding permissions, changing them or removing them.

In the same way, you can add permissions on Application Roles and/or Catalog Groups and/or Users, with the same option types

You can apply changes Recursively, however this will apply them to both Sub-folders and items within the folder. There is no distinction at this level between the two types.

You also have a Replace Option, as presented bellow:

The effect on both security implementation options (Catalog Manager/Front End) is similar for the end user.

Applicability

There are various test cases when you might choose using the Catalog Manager over the Front-End setup of security.

One of the most common issues experienced by users is linked to the user’s personal folders:

• general unable to access (cannot see my folder)
• unable to access saved selections
• unable to create any more saved selection

In this type of scenario, Catalog Manger will allow you access to user’s folder. Solution is to re-grant the user Full Control to his own folder – applied recursively.

The post OBIEE 11g Security Catalog Objects & Access to Users Folders appeared first on Oracle for All.

Security can be applied also at a more granular object level, and used in customizing the same dashboard for different users groups, by securing sections and tabs.

When would you use this?  When you want to have users accessing the same dashboard but seeing different content:

– e.g. your management will also want to look at the overall team progress alongside the individual progress (new tab for team progress in same dashboard)

– your different regions or user groups will want to have different filtering criteria on same report – you can achieve this by applying the entire selection of filters with is prompted, while showing for each group a different prompt with only the selectors the user/group of users would want to see for each region/group/organization.

Post will explain on a simplistic way how to achieve section and tab security. Applicability will depend on your business.

Tab Security

On the targeted dashboard go to Edit, and from Dashboard Options options select  Dashboard Properties.

You will see there a list of your existing pages in the Dashboard Pages section

on which you’ll have various options:

1. Rename
2. Select a prompt to capture default filters and variables
3. Permissions
4. Delete Page
5. Specify who can save Shared Customizations
6. Specify who can assign Default Customizations
7. Hide Page check-box
8. Show Add To Briefing Book check box
9. Change order of tabs

A hidden page, when run, will display dashboard name and content (no tabs nor page name are displayed)

Please note that My Dashboard will only have available options:

• rename
• select a prompt to capture default filters and variables
• delete
• hide page
• Add To Briefing Book
• Change order of tabs

Permission are set up similar to Folder permissions, with different levels of permissions:

• Full Control
• Modify
• Open
• No Access
• Custom

Section Security

Within a page, you have multiple sections.

When clicking the Section Options, you will be able to:

• make it conditional
• change permissions
• rename
• change formatting
• allow drill in place
• allow collapse
• show/hide section header/title

Permission at section level are set up with Granted/Denied option. (you either allow a user/role/group to see/execute the section or not)

On my example, the a_test user will have restricted access, while Admins will see additional content.

test user access:

Administrator access:

The post OBIEE 11g Dashboard Security appeared first on Oracle for All.

In a summary report we are using a hierarchical column. We now need to link this summary report to a detail report. Challenge is while linking the two, since parameter passing does not support pass of Hierarchical columns.

Solution

Implementation – Using Hierarchical columns

In this solution option we will be using an additional hierarchical column in detail report and selection steps.

1. In the detail report add the hierarchical column and hide it . Don’t exclude the column .
2. Go to the selection steps , here the highlighted column is our hierarchical column.
3. Edit the “Start with all members” and select the ‘override with prompt’ and select OK.  
4. Then click the “Then, Next Step” and keep all the members of detail level of the hierarchy column as shown here  
5. Save the detail report and link the summary report with detail report using an action link.

Report behavior

Summary report: select desired level value:

When drilling into detail report, observe selected data:

Hope this solution will help you as well when dealing with hierarchical columns.

The post OBIEE Action link passing Hierarchical Column level appeared first on Oracle for All.

What is ‘BISystemUser’

OBIEE System User ‘BISystemUser’
“BISystemUser” is an internal OBIEE system user used as an inter-bi-component communication user, this could also be used when Impersonation is used. This is referenced by an Authenticator (usually Default Authenticator unless changed to different providers like Active Directory or other directory).

Scenario

 Impact on Deleting ‘BISystemUser’

 When deleting the ‘BISystemUser’, when default access configuration, OBIEE System will no longer allow any user to login.

Deleting the user causes the system to close down on allowing any connections into the Presentation layer; any user trying to login will be thrown authentication error (“An invalid Username or Password was entered.”).

Step by Step

Weblogic ‘BISystem’ Role Check

• Login to weblogic: http://host:port/em
• Go to Business Intelligence->coreapplication->Security->Single Sign On ->Application Policies and Roles -> Configure and Manage Application Roles

• Select the ‘BISystem’ role from list and check on the Membership section if the ‘BISystemUser’ is still there

• if user is not found in there will need to add it after its re-creation

Weblogic User Check

• Go to Oracle Weblogic Server Security Provider for User Management page (you will need to login again)

• Check in the table for ‘BISystemUser’ user

• If user does not exist go to Recreating User step

Recreating User

• Create new user by clicking new
• Useful tips:
  • Make sure Name for the user is exactly‘BISystemUser’
  • For best practice make sure you fill in a meaningful description – to ensure user is not deleted again by mistake (eg. System user, internal OBIEE use)

• Keep in mind password for the ‘‘system.user” Password Check & Changestep

‘system.user’ Password Check & Change

• Go to WebLogic Domain->bifoundation_domain->(right click)->Security -> Credentials

• In here, edit the ‘system.user’ and update password to match the one for the re-created user

Delete Cached Credentials

Within the operation system, we need to delete the cached credential files, to make sure our changes are applied.

File name is (there will be 2 files, a cacheduserinfo and a cacheduserinfo.atr – both need to be deleted)

• For Linux OS (make sure you have read/write rights on the oracle files – best use root rights):
  • go to root folder (or oracle home): cd / (cd oracle home path)
  • search files: find -name cacheduserinfo – this will list up files cacheduserinfo for all user, so you will need to select the path for the bisystemuser (will be something like this ./u01/oracle/mw/i…../root/users/bisystemuser/_prefs/cacheduserinfo)
  • delete files: rm path/filename
  • confirm delete: Y
• For Windows OS:
  • search for files: cacheduserinfo and atr and delete them

(Command line for search: dir  cacheduserinfo .* /s – make sure you are searching within oracle home directory. To get there use: cd path)

Finish and Test

Restart Services

In order for changes to be applied, we need to restart the  BI server components for system to reload new permissions, configured.

• in weblogic go to Business Intelligence->coreapplication->Overview
• restart all

 Please test your work to OBIEE.

This tests were done on OBIEE 11.1.1.7.1.

The post OBIEE An invalid Username or Password was entered appeared first on Oracle for All.

As OBIEE is targeted as an enterprise wide solution for reporting, and single point of truth, you might experience the need for securing your content based on your targeted audience.

This series of OBIEE Security posts will explain how this can be accomplished and a couple of base factors in implementing security.

You will have different categories of users seeing different content types. So, the first thing you’ll need to do is define these categories for your company/delivered solution.

Now, please note, a user is not restricted to a single category. For instance, you might have a category for High Management. The HR head of a company will pertain to this, but he can also pertain to a second HR group, looking only at HR related data.

However your user-group association is provided for OBIEE, either LDAP, Database table (maintained through an application), direct association in WebLogic, there are several steps you will still need to proceed with in setting up your security.

Please keep in mind all security is applied on Application Roles (as a best practice) – both content, privileges as well as data security. The following steps will guide you through the entire process of creating a user, the associated group, then the Application Role and setting up the membership setup for the above. This will help you further on in setting up you security.

How?

One of the biggest differences between OBIEE 10g security and OBIEE 11g security is that users and groups are no longer held primarily in the repository; instead, these details are held by default in the WebLogic Server LDAP server, which gets installed alongside OBIEE when you install the product.

Now, you create users and groups within this LDAP server, and administer these users and groups using the WebLogic Server Administration Console.

In an out-of-the box installation, the LDAP integration is not configured from start. So, if your list of users is not provided from outside, you will need to create them within WebLogic.

Creating a new user

For creating a new user, login to your WebLogic Server Administration Console with an admin user (e.g. weblogic), accessing the link formatted as ::/console.

By default, the server is defined as the IP address where you have installed your BI Instance, and the default port for the Administration Console is 7001.

Go to Security Realms on the left hand side of the screen:

then select the security realm your BI Server is using (Default is myrealm):

and navigate to Users and Groups -> Users:

In here, you will have a list of all existing users (both your regular application users as well as some internal administration users for OBIEE), and the possibility to modify, delete or add a user.

For creating the user, please make sure to fill in all appropriate details:

Groups

Groups are deprecated in OBIEE 11g, and are replaced by Application Roles in the setup of security.

However, you will notice they still appear in WebLogic Server Administration Console.

These are usually generated from LDAP (together with your users list and authentication method).

For creating a new group, please follow these steps:

– from my realm (previous step on creating new user) go to Groups from the Users and Groups tab

and add new group. Please make sure you fill in all appropriate details.

Group membership

Please note, a group does not have an automated allocated member / parent group.

For this, you will need to go to the list of groups, select your group and go to Membership

then select and drag on the right hand side the desired list of existing groups as a chosen parent group.

The above setup implies that the new group TopManagement is a member of BIConsumers. This is a generic group stating the user will be consuming/executing BI Content. I would recommend any new group to have this as a parent group.

OBIEE Global Groups membership

On a new installation, you will notice 3 main groups that are created automatically by the system:

• BIConsumers
• BIAuthors
• BIAdministrators

The BIConsumers is the generic group of which all users are members. This defines a user as consuming OBIEE content (capable of executing reports and dashboards). Please note this implies only executing content.

BIAuthors group defines the list of users who can actually create and own content in OBIEE catalog. This content can be of various types, starting from saved customization, to analysis and dashboard content.

BIAdministrators defines the list of users who have administrative rights over the system: ownership, archive/unarchive content, privilege editing, security editing, e.t.c.

Now, there’s an implicit inclusion/membership logic for these groups.

Any BIAuthors user is automatically also a BIConsumers user, therefore, the BIAuthors membership has as parent group the BIConsumers one:

Also, in the same logic, any BIAdministrators user is also an author of content, therefore the BIAdministrators has as parent group BIAuthors:

User membership

Now, going back to our previous user, since his membership is not provided automatically through our LDAP configuration for this case, we will need to associate this user with the appropriate groups.

Go back to the Users and Groups -> Users and select your user from the users list

Edit your user

go to Groups tab, select your target group and drag it on the Chosen groups:

then save your changes:

Creating a new Application Role

For creating a new Application Role, login to your WebLogic Server Enterprise Manager  with an admin user (e.g. weblogic), accessing the link formatted as ::/em.

By default, the server is defined as the IP address where you have installed your BI Instance, and the default port for the Administration Console is 7001.

When the Enterprise Manager Homepage is displayed, navigate to the Business Intelligence > coreapplication menu item, then right-click on it. When the right-click menu is displayed, select Security > Application Roles  (path might differ if you have a clustered BI Server).

The Application Roles page will then be displayed.

So at this point, there are three administrative tasks that you might need to perform around the WebLogic LDAP server, and application roles and policies:

• You may have to create new application roles, and assign users to these, either through existing LDAP groups or by creating some new ones
• You may have to alter or create new application policies, and
• You may need to bundle up these application roles and policies, and other security settings, and migrate these to a new server.

To create a new application Role, please make sure you specify all required criteria. Note that Display Name will be the name that will show up in Front-end/Presentation layer when you will want to apply security. If display name is null at creation time, display name will be the same as Role Name. Please make sure to fill in appropriate details in description field regarding the business scope of your role. This will be very helpful later on, when debugging and for other users.

Another detail you should be mentioning when creating a role is the role Members. Usually, you will add in all groups that should pertain to this role, as well as any additional Roles, if required. You can also add individual users.

In our case, I have added for our application role the TopManagement group.

Search for desired the group and click on the arrow (if you want a full list just click on the arrow, as the initial display is empty).

 then make sure to select the desired group (it will become grayed out) before clicking ok:

and then save your Application Role  with all desired changes

this save will bring you back to the application roles list, with a success message on the top:

OBIEE Global Application Roles membership

Please not the generic out-of-the box Application Roles that come with an OBIEE install:

• BIAutor
• BIConsumer
• BIAdministrator

Looking at membership, you will notice that BIAdministrator has as members ONLY the BIAdministrators group.

The BIAuhor has both BIAuthors associated group, as well as the BIConsumer Application role (the same type of inclusion we have noticed in the OBIEE groups)

while BIConsumer has BIConsumers associated group, as well as the BIAuthor Application role (the same type of inclusion we have noticed in the OBIEE groups) and a generic authenticated user application role (authenticated-role).

This last role is a generic OBIEE application role that any user who can login to your system will have by default.

Hope this helped you understand a bit of the logic behind users, groups and application roles.

The post OBIEE Security Users Groups and Application Roles appeared first on Oracle for All.

In some cases, even though the dashboard prompt seems to be applied, you get an error on the page for the report:

Once you click on the ‘Undo drills and view prompt values, the report will run, and will have the dashboard prompt applied.

2.    Scenario Details

We have this generic scenario:
–         a Time prompt

–         a simple report based on time, with the column exposed in the report and also prompted
with a column prompt used in the table view

which will result in a view like the one bellow

While saving this report, we add it to the dashboard, resulting in a simple dashboard, like this:

However, after certain changes, you get to the situation where the dashboard will throw the following error : (The layout of this view combined with the data, selections, drills, or prompt values chosen resulted in no data. Undo drills and view prompt values.)

Which is warning the user about some saved selections he’s not aware of.
Once the user clicks on the Undo drills and view prompt values, the report displays data as it should be, for the selected time period.

3.    Where Is the Problem?

The main question is now, where the problem is and how did it started?

Let’s see the steps we’ve been through and where it might be.

When creating the report, the report prompt column was populated by default, picking up the first value for the column, in the columns default sort order, correct?

Well, when saving the report like that, and adding it to the dashboard, we had no actual problem.

However, once we played around with the report, trying a couple of other selections in the column prompt, we save it again, with the default value back to the original one.
If we now go to the dashboard, we encounter our mysterious error.

What happened?
The report had now perceived, after the various selections, that the last selection is a saved selection which must be run initially on report load. That is the ‘saved selection’ we were not even aware of.

How to check for it?
If you go to edit your report, in the Advanced tab, you will notice the report XML.
You will see in there is a section/tag called ‘staticMemberGroup’.

If you still have a version of your initial report saved, and go to the Advanced tab to study the report’s XML, you will notice this report has no section/tag called‘staticMemberGroup’.

Fig. 1 Report with hidden saved selection

Fig. 2 Report with no hidden saved selection

Solving? We have two options, so far.

1. XML level option
2. View level option

XML level option implies changes on the report at XML level.
What you need to do is edit the XML and just delete the entire ‘pageEdgeState’ section/tag, and apply the changes.

View level option implies changes only on the table/pivot table with prompted column level.
What you need to do is edit the view, remove the column from the prompt section (move it to excluded), wait for the report view to load, save it, then move the column back in the prompt section and save the report.

Note: Please note this tests wer

The post OBIEE Undo drills and view prompt values message appeared first on Oracle for All.