You can enable one user to act for another user in Oracle BI Presentation Services.
When a user, called the proxy user, acts as a target user, the proxy user can access the objects in the catalog for which the target user has permission.
Enabling a user to act for another is useful, for example, when a manager wants to delegate some work to a direct report or when IT support staff want to troubleshoot problems with another user's objects.
When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user.
The following list describes the proxy levels:
Restricted
Users have read-only permissions to the objects that the target user can access. Privileges are determined by the proxy user's account, not the target user's account.
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.
Full
Users inherit permissions and privileges from the target user's account.
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.
When you have enabled a user to act as a proxy user, that user can display the Act As option in the global header of Presentation Services to select the target user to act as, provided the Act As Proxy privilege has been set.
Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.
Note:
If another user can impersonate you as a proxy user, you can see the users with the permission to proxy (Act As) you. To see these users, log in to Oracle Business Intelligence, go to the My Account dialog box, and display the extra tab called Delegate Users. This tab displays the users who can connect as you, and the permission they have when they connect as you (Restricted or Full).
To enable users to act for others, perform the following tasks:
You define the association between proxy users and target users in the database by identifying, for each proxy user/target user association, the following:
ID of the proxy user
ID of the target user
Proxy level (either full or restricted)
For example, you might create a table called Proxies in the database that looks like this:
proxyId | targetId | proxyLevel |
---|---|---|
Ronald | Eduardo | full |
Timothy | Tracy | restricted |
Pavel | Natalie | full |
William | Sonal | restricted |
Maria | Imran | restricted |
After you define the association between proxy users and target users, you must import the schema to the physical layer of the BI Server.
To authenticate proxy users, you must create the two session variables along with their associated initialization blocks. For both variables, modify the sample SQL statement using the database schema.
PROXY
Use the PROXY variable to store the name of the proxy user.
Use the initialization block named ProxyBlock, and include code such as the following:
select targetId from Proxies where UPPER(targetid) = UPPER('VALUEOF(NQ_SESSION.RUNAS)') and UPPER(proxyid) = UPPER(':USER')
PROXYLEVEL
Use the PROXYLEVEL variable to store the proxy level as Restricted or Full. If you do not create the PROXYLEVEL variable, then the Restricted level is assumed.
Use the initialization block named ProxyLevel and include code such as the following:
select proxyLevel from Proxies where UPPER(targetid) = UPPER('VALUEOF(NQ_SESSION.RUNAS)') and UPPER(proxyid) = UPPER(':USER')
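The lookup performed by the two initialization blocks, and the way the resulting level decides what a proxy session gets, can be modelled as follows. This is an added example, not Oracle's code: it uses an in-memory SQLite copy of the sample Proxies table, and the function names and the privilege sets passed in are assumptions made for illustration.

```python
import sqlite3

# Rows of the sample Proxies table shown earlier on this page.
ROWS = [
    ("Ronald", "Eduardo", "full"),
    ("Timothy", "Tracy", "restricted"),
    ("Pavel", "Natalie", "full"),
    ("William", "Sonal", "restricted"),
    ("Maria", "Imran", "restricted"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Proxies (proxyId TEXT, targetId TEXT, proxyLevel TEXT)")
    conn.executemany("INSERT INTO Proxies VALUES (?, ?, ?)", ROWS)
    return conn

def resolve_proxy(conn, user, run_as):
    """Same case-insensitive match as the initialization blocks,
    with both names passed as bound parameters."""
    row = conn.execute(
        "SELECT targetId, proxyLevel FROM Proxies "
        "WHERE UPPER(targetId) = UPPER(?) AND UPPER(proxyId) = UPPER(?)",
        (run_as, user),
    ).fetchone()
    if row is None:
        return None  # no association: user may not act as run_as
    target, level = row
    # Restricted is assumed whenever no explicit Full level is available.
    level = "full" if (level or "").lower() == "full" else "restricted"
    return (target, level)

def effective_access(level, proxy_privs, target_privs):
    """Apply the level descriptions: Full inherits the target's privileges,
    Restricted is read-only and keeps the proxy user's own privileges."""
    if level == "full":
        return {"read_only": False, "privileges": set(target_privs)}
    return {"read_only": True, "privileges": set(proxy_privs)}

def full_delegations(conn):
    """Review list: pairs where the proxy inherits everything from the target."""
    return conn.execute(
        "SELECT proxyId, targetId FROM Proxies "
        "WHERE UPPER(proxyLevel) = 'FULL' ORDER BY proxyId"
    ).fetchall()
```

Running `full_delegations` against the real table gives the short list of associations that deserve periodic review, since each one hands the proxy user the target user's complete privileges.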
Use various elements in the instanceconfig.xml file to configure the proxy functionality.
You must create a custom message template for the proxy functionality that contains the SQL statement to perform the following tasks:
Obtain the list of target users that a proxy user can act as. This list is displayed in the User field in the Act As dialog box.
Verify whether the proxy user can act as the target user.
Obtain the list of proxy users that can act as the target user. This list is displayed on the target user's My Account screen.
In the custom message template, you place the SQL statement to retrieve this information in the following XML elements:
Element | Description |
---|---|
getValues | Specifies the SQL statement to return the list of target users and corresponding proxy levels. The SQL statement must return either one or two columns, where the: |
verifyValue | Specifies the SQL statement to verify if the current user can act as the specified target user. The SQL statement must return at least one row if the target user is valid or an empty table if the target user is invalid. |
getDelegateUsers | Specifies the SQL statement to obtain the list of proxy users that can act as the current user and their corresponding proxy levels. The SQL statement must return either one or two columns, where the: |
You can create the custom message template in one of the following files:
The original custom message file in the directory
A separate XML file in the directory
The name that you specify in the WebMessage element must match the name that you specify in the TemplateMessageName element in the instanceconfig.xml file. See Modifying the Configuration File Settings for Proxy Functionality.
To create the custom message template in the original custom message file:
Make a backup of the original custom message file in a separate directory.
Make a development copy in a different directory and open it in a text or XML editor.
To create the custom message template in a separate XML file, create and open the file in the BI_DOMAIN/bidata/components/OBIPS/custommessages directory.
You must configure a folder (custommessages) as an application in WebLogic Server, to make Oracle BI Presentation Services aware of it.
Start the custom message template by adding the WebMessage element's begin and end tags. For example:
<WebMessage name="LogonParamSQLTemplate"> </WebMessage>
After the </WebMessage> tag:
Add the <XML> and </XML> tags
Between the <XML> and </XML> tags, add the <logonParam name="RUNAS"> and </logonParam> tags.
Between the <logonParam name="RUNAS"> and </logonParam> tags, add each of the following tags along with its corresponding SQL statements:
<getValues> and </getValues>
<verifyValue> and </verifyValue>
<getDelegateUsers> and </getDelegateUsers>
The following entry is an example:
<?xml version="1.0" encoding="utf-8" ?>
<WebMessageTables xmlns:sawm="com.example.analytics.web.messageSystem">
  <WebMessageTable system="SecurityTemplates" table="Messages">
    <WebMessage name="LogonParamSQLTemplate">
      <XML>
        <logonParam name="RUNAS">
          <getValues>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data (ORCL)"."Sample Relational Connection" select targetId from SAMP_USERS_PROXIES where proxyId='@{USERID}'</getValues>
          <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data (ORCL)"."Sample Relational Connection" select targetId from SAMP_USERS_PROXIES where proxyId='@{USERID}' and targetId='@{VALUE}'</verifyValue>
          <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data (ORCL)"."Sample Relational Connection" select proxyId, proxyLevel from SAMP_USERS_PROXIES where targetId='@{USERID}'</getDelegateUsers>
        </logonParam>
      </XML>
    </WebMessage>
  </WebMessageTable>
</WebMessageTables>
Note that you must modify the example SQL statement according to the schema of the database. In the example, the database and connection pool are both named Proxy, the proxyId is PROXYER, and the targetId is TARGET.
If you created the custom message template in the development copy of the original file, then replace the original file in the custommessages directory with the newly edited file.
Test the new file.
(Optional) If you created the custom message template in the development copy of the original file, then delete the backup and development copies.
Load the custom message template by either restarting the server or by clicking the Reload Files and Metadata link on the BI Server Administration screen.
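Before loading an edited template, it can be checked against the requirements described above: the WebMessage name matches the configured TemplateMessageName, the three SQL elements are present under the RUNAS logonParam, and verifyValue is tied to both the signed-in user and the requested target. This is an added example, not part of the Oracle documentation. The function names and the constructed sample templates are assumptions, and the placeholder checks are inferred from how `@{USERID}` and `@{VALUE}` are used in the example entry.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("getValues", "verifyValue", "getDelegateUsers")

def check_template(xml_text, expected_name):
    """Return a list of problems found in a proxy custom message template."""
    root = ET.fromstring(xml_text)
    msg = next((m for m in root.iter("WebMessage")
                if m.get("name") == expected_name), None)
    if msg is None:
        return [f"no WebMessage named {expected_name}"]
    param = msg.find("./XML/logonParam[@name='RUNAS']")
    if param is None:
        return ["no logonParam RUNAS inside XML"]
    problems = []
    sql = {tag: (param.findtext(tag) or "").strip() for tag in REQUIRED}
    for tag, text in sql.items():
        if not text:
            problems.append(f"{tag}: missing or empty")
        elif "@{USERID}" not in text:
            problems.append(f"{tag}: not filtered by @{{USERID}}")
    # verifyValue must also be restricted to the requested target user;
    # without it, any proxy user with at least one association would verify.
    if sql["verifyValue"] and "@{VALUE}" not in sql["verifyValue"]:
        problems.append("verifyValue: not filtered by @{VALUE}")
    return problems

def template(verify_sql):
    # Constructed sample modelled on the example entry (connection pool omitted).
    return f"""<WebMessageTables>
 <WebMessageTable system="SecurityTemplates" table="Messages">
  <WebMessage name="LogonParamSQLTemplate"><XML><logonParam name="RUNAS">
   <getValues>select targetId from SAMP_USERS_PROXIES where proxyId='@{{USERID}}'</getValues>
   <verifyValue>{verify_sql}</verifyValue>
   <getDelegateUsers>select proxyId, proxyLevel from SAMP_USERS_PROXIES where targetId='@{{USERID}}'</getDelegateUsers>
  </logonParam></XML></WebMessage>
 </WebMessageTable>
</WebMessageTables>"""

GOOD = template("select targetId from SAMP_USERS_PROXIES "
                "where proxyId='@{USERID}' and targetId='@{VALUE}'")
WEAK = template("select targetId from SAMP_USERS_PROXIES where proxyId='@{USERID}'")
```

`check_template(GOOD, "LogonParamSQLTemplate")` returns an empty list, while the WEAK sample is reported because its verifyValue statement never references the requested target.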