Examining OBIEE 11g Presentation Service Privileges and precedence

The Official Documentation for the 11g Oracle Business Intelligence (Security Guide) mentions the following key rules about the evaluation of the Presentation Service Privileges:

“Presentation Services privileges control the rights that users have to access the features and functionality of Presentation Services. Privileges are granted or denied to specific application roles, individual users, and Catalog groups using a privilege assignment table.”

The Presentation Service privileges can be access from the following URL: http://hostname:port/analytics/saw.dll?PrivilegeAdmin

image

“privileges are either explicitly set or are inherited through role or group membership, explicitly denying a privilege takes precedence over any granted, inherited privilege. Meaning that even if Application roles are nested and thus forming a hierarchy any denied privilege takes precedence over inherited grants or directly assigned grants.”

Additionally, the following example is provided within the D. Appendix section of the same Documentation page:

inherit_dl_privscatgrp

With the following statements regarding the evaluation:

    • User1 explicitly has the Executive role, and thus implicitly has Finance role and also Sales role.
    • User1 also explicitly has the BI Author role, and thus also implicitly has BI Consumer role.
    • User1’s flattened list of application roles is: Executive, BI Author, Finance, Sales and BI Consumer.

The effective privileges from Executive Role are Denied Administration privilege […] the Sales’ Denied Administration privilege takes precedence over Executive’s granted privilege, as Deny always takes precedence.”

As a showcase, the above has example has been re-created in a simplified version with all Application roles and the Presentation Service privilege for “Access to Administration” within the 11.1.1.7 Oracle BI Version:

image

The five Application roles of the above diagram have been configured within the Enterprise Manager (EM) Application role configuration:

image
All five Application roles are also correctly displayed for the User1 within the Oracle Business Intelligence “My Account” view:
image
Afterwards, the privileges have been configured (with Granted and Denied) for the Application roles within the Presentation Service privileges Administration page:image
However, contrary to the rule and the example the “Administration Page” privilege is not denied:
image

The “Administration Page” privilege is granted for User1 due to the Membership of the Executive Application Role.

For testing purposes the five Application roles of the example have been enhanced to the following six:

image

With the following test cases and results:

# User Privilege Executive Finance Sales Sales North Result
1 User1 Admin
Page
Granted / Denied / Granted
2 User1 Admin
Page
/ Denied Granted / Denied
3 User1 Admin
Page
Denied Granted Granted / Denied
4 User1 Admin
Page
/ Granted / Denied Denied
5 User1 Admin Page / Denied / Granted Denied
6 User1 Admin Page / Granted Denied / Denied

deriving the following rules for the determination of the Presentation Service privileges:

  • if a privilege is set (either with denied or granted) for a Application role directly assigned (member of/next) to the User this takes precedence over everything else (see #1+#3)
  • for siblings on the level (within the same hierarchy level) the more restrictive is applied (#2+ #6)
  • In case of inherited ancestor privileges the more restrictive is applied (#4+#5)

Links to the 11g Documentation:

Example of Determining a User’s Privileges with Application Roles 11.1.1.7

Example of Determining a User’s Privileges with Application Roles 11.1.1.9

Example of Determining a User’s Privileges with Application Roles 12.2.1.1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.