Enabling Users to Act for Others

This section contains the following topics on enabling users to act for others:

Why Enable Users to Act for Others?

You can enable one user to act for another user in Oracle BI Presentation Services.

When a user, called the proxy user, acts as target user, the proxy user can access the objects in the catalog for which the target (another) user has permission.

Enabling a user to act for another is useful such as when a manager wants to delegate some of his work to one of his direct reports or when IT support staff wants to troubleshoot problems with another user's objects.

What Are the Proxy Levels?

When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user.

The following list describes the proxy levels:

  • Restricted

    Users have read-only permissions to the objects that the target user can access. Privileges are determined by the proxy user's account, not the target user's account.

    For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.

  • Full

    Users inherit permissions and privileges from the target user's account.

    For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.

When you have enabled a user to act as a proxy user, that user can display the Act As option in the global header of Presentation Services to select the target user to act as, provided the Act As Proxy privilege has been set.

Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.

Note:

If another user can impersonate you as proxy user, you can see the users with the permission to proxy (Act As) you. To see these users, log in to Oracle Business Intelligence go to the My Account dialog box and display the extra tab called Delegate Users. This tab displays the users who can connect as you, and the permission they have when they connect as you (Restricted or Full).

Process of Enabling Users to Act for Others

To enable users to act for others, perform the following tasks:

Defining the Association Between Proxy Users and Target Users

You define the association between proxy users and target users in the database by identifying, for each proxy user/target user association, the following:

  • ID of the proxy user

  • ID of the target user

  • Proxy level (either full or restricted)

For example, you might create a table called Proxies in the database that looks like this:

proxyId targetId proxyLevel

Ronald

Eduardo

full

Timothy

Tracy

restricted

Pavel

Natalie

full

William

Sonal

restricted

Maria

Imran

restricted

After you define the association between proxy users and target users, you must import the schema to the physical layer of the BI Server.

Creating Session Variables for Proxy Functionality

To authenticate proxy users, you must create the two session variables along with their associated initialization blocks. For both variables, modify the sample SQL statement using the database schema.

  • PROXY

    Use the PROXY variable to store the name of the proxy user.

    Use the initialization block, ProxyBlock, and include code such as the following: 
     select targetId from Proxies where UPPER(targetid) = UPPER('VALUEOF(NQ_SESSION.RUNAS)') and UPPER(proxyid) = UPPER(':USER')

  • PROXYLEVEL

    Use PROXYLEVEL variable to store the proxy level as Restricted or Full. If you do not create the PROXYLEVEL variable, then the Restricted level is assumed.

    Use the initialization block named ProxyLevel and include code such as the following:

    select proxyLevel from Proxies where UPPER(targetid) = UPPER('VALUEOF(NQ_SESSION.RUNAS)') and UPPER(proxyid) = UPPER(':USER')

Modifying the Configuration File Settings for Proxy Functionality

Use various elements in the instanceconfig.xml file to configure the proxy functionality.

See Creating a Custom Message Template for Proxy Functionality
  1. Open the instanceconfig.xml file for editing.
  2. Locate the section in which you must add the elements that are described in the following list:

    • LogonParam: Serves as the parent element for the TemplateMessageName and MaxValues elements.

    • TemplateMessageName: Specifies the name of the custom message template in the Custom Messages folder that contains the SQL statement to perform tasks related to displaying proxy and target users. The default name is LogonParamSQLTemplate.

      The name that you specify in the TemplateMessageName element must match the name that you specify in the WebMessage element in the custom message file. .

    • MaxValues: Specifies the maximum number of target users to be listed in theUser box in the Act As dialog box. If the number of target users for a proxy user exceeds this value, then an edit box, where the proxy user can enter the ID of a target user, is shown rather than a list of target users. The default is 200.

  3. Include the elements and their ancestor elements as appropriate, as shown in the following example: 
    <LogonParam>
     <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
     <MaxValues>100</MaxValues>
</LogonParam>
  4. Save your changes and close the file.
  5. Restart Oracle Business Intelligence.

Creating a Custom Message Template for Proxy Functionality

You must create a custom message template for the proxy functionality that contains the SQL statement to perform the following tasks:

  • Obtain the list of target users that a proxy user can act as. This list is displayed in the User field in the Act As dialog box.

  • Verify whether the proxy user can act as the target user.

  • Obtain the list of proxy users that can act as the target user. This list is displayed on the target user's My Account screen.

In the custom message template, you place the SQL statement to retrieve this information in the following XML elements:

Element Description

getValues

Specifies the SQL statement to return the list of target users and corresponding proxy levels.

The SQL statement must return either one or two columns, where the:

  • First column returns the IDs of the target users

  • (Optional) Second column returns the names of the target users

verifyValue

Specifies the SQL statement to verify if the current user can act as the specified target user.

The SQL statement must return at least one row if the target user is valid or an empty table if the target user is invalid.

getDelegateUsers

Specifies the SQL statement to obtain the list of proxy users that can act as the current user and their corresponding proxy levels.

The SQL statement must return either one or two columns, where the:

  • First column returns the names of the proxy users

  • (Optional) Second column returns the corresponding proxy levels

You can create the custom message template in one of the following files:

  • The original custom message file in the directory

  • A separate XML file in the directory

The name that you specify in the WebMessage element must match the name that you specify in the TemplateMessageName element in the instanceconfig.xml file. See Modifying the Configuration File Settings for Proxy Functionality.

  1. To create the custom message template in the original custom message file:

    1. Make a backup of the original custom message file in a separate directory.

    2. Make a development copy in a different directory and open it in a text or XML editor.

  2. To create the custom message template in a separate XML file, create and open the file in the BI_DOMAIN/bidata/components/OBIPS/custommessages directory.

    You must configure a folder (custommessages) as an application in WebLogic Server, to make Oracle BI Presentation Services aware of it.

  3. Start the custom message template by adding the WebMessage element's begin and end tags. For example:

    <WebMessage name="LogonParamSQLTemplate">
</WebMessage>

  4. After the </WebMessage> tag:

    1. Add the <XML> and </XML> tags

    2. Between the <XML> and </XML> tags, add the <logonParam name="RUNAS"> and </logonParam> tags.

    3. Between the <logonParam name="RUNAS"> and </logonParam> tags, add each of the following tags along with its corresponding SQL statements:

      • <getValues> and </getValues>

      • <verifyValue> and </verifyValue>

      • <getDelegateUsers> and </getDelegateUsers>

    The following entry is an example:

    <?xml version="1.0" encoding="utf-8" ?>
<WebMessageTables xmlns:sawm="com.example.analytics.web.messageSystem">
 <WebMessageTable system="SecurityTemplates" table="Messages">
  <WebMessage name="LogonParamSQLTemplate">
   <XML>
    <logonParam name="RUNAS">
     <getValues>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data  (ORCL)"."Sample Relational Connection" select targetId from SAMP_USERS_PROXIES where proxyId='@{USERID}'</getValues>
     <verifyValue>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data (ORCL)"."Sample Relational Connection" select targetId from SAMP_USERS_PROXIES where proxyId='@{USERID}' and targetId='@{VALUE}'</verifyValue>
     <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL "01 - Sample App Data (ORCL)"."Sample Relational Connection" select proxyId, proxyLevel from SAMP_USERS_PROXIES where targetId='@{USERID}'</getDelegateUsers>
    </logonParam>
   </XML>
  </WebMessage>
 </WebMessageTable>
</WebMessageTables>

    Note that you must modify the example SQL statement according to the schema of the database. In the example, the database and connection pool are both named Proxy, the proxyId is PROXYER, and the targetId is TARGET.

  5. If you created the custom message template in the development copy of the original file, then replace the original file in the custommessages directory with the newly edited file.

  6. Test the new file.

  7. (Optional) If you created the custom message template in the development copy of the original file, then delete the backup and development copies.

  8. Load the custom message template by either restarting the server or by clicking the Reload Files and Metadata link on the BI Server Administration screen.