Resolving Inconsistencies with the Identity Store

A number of inconsistencies can develop between a repository, the Oracle BI Presentation Catalog and an identity store.

The following sections describe the usual ways this can occur and how to resolve the inconsistencies:

User Is Deleted from the Identity Store

Use this information to identify and resolve the issue.

Behavior

If a user is deleted from the identity store then that user can no longer log in to Oracle Business Intelligence. However, references to the deleted user remain in the repository until an administrator removes them.

Cause

References to the deleted user still remain in the repository but that user cannot log in to Oracle Business Intelligence. This behavior ensures that if a user was deleted by accident and re-created in the identity store, then the user's access control rules do not need to be entered again.

Action

An administrator can run the Consistency Checker in the Oracle BI Administration Tool in online mode to identify inconsistencies.

User Is Renamed in the Identity Store

Use this information to identify and resolve the issue.

Behavior

A user is renamed in the identity store and then cannot log in to the repository with the new name.

Cause

This can occur if a reference to the user under the original name still exists in the repository.

Action

An administrator must either restart the BI Server or run the Consistency Checker in the Oracle BI Administration Tool to update the repository with a reference to the user under the new name. Once this has been resolved, Oracle BI Presentation Services updates the Oracle BI Presentation Catalog to refer to the new user name the next time this user logs in.

Group Associated with User Name Does Not Exist in the Identity Store

Use this information to identify and resolve the issue.

Behavior

If a group that is associated with a user name does not exist in the identity store, you might see the following error in the nqserver.log:

[2012-10-04T12:00:00.000+00:00] [OracleBIServerComponent] [ERROR:1] [] []
[ecid: <ecidID>] [tid: d10] SecurityService::assertUserWithLanguage
[OBI-SEC-00018] Identity found <GUID> but could not be asserted

Look for the ECID in the bi_server1-diagnostic.log (or adminserver-diagnostic.log if using a simple install). You might see a warning similar to the following:

[2012-10-04T12:00:00.314+02:00] [bi_server1] [WARNING] []
[oracle.jps.authentication] [tid: [ACTIVE].ExecuteThread: '2' for queue:
'weblogic.kernel.Default (self-tuning)'] [userId: OBISystemUser] [ecid:
<ecidID>] [WEBSERVICE_PORT.name: SecurityServicePort] [APP:
bimiddleware#11.1.1] [J2EE_MODULE.name: bimiddleware/security]
[WEBSERVICE.name: SecurityService] [J2EE_APP.name: bimiddleware_11.1.1]
javax.security.auth.login.FailedLoginException:
[Security:090305]Authentication Failed Getting Groups for User <UserID>
weblogic.management.utils.NotFoundException: [Security:090255]User or Group
<Groupname>[[
oracle.security.jps.internal.api.jaas.AssertionException:
javax.security.auth.login.FailedLoginException:
[Security:090305]Authentication Failed Getting Groups for User <UserID>
weblogic.management.utils.NotFoundException: [Security:090255]User or Group
<Groupname>
...
at oracle.bi.security.subject.SubjectAsserter.assertUser(SubjectAsserter.java:85)
at oracle.bi.security.service.URServiceBean.assertUserWithLanguage(URServiceBean.java:97)
at oracle.bi.security.service.SecurityServiceBean.getGrantedRolesForUser(SecurityServiceBean.java:270)
at oracle.bi.security.service.SecurityWebService$1GetGrantedRolesForUserAction.run(SecurityWebService.java:391)
at oracle.bi.security.service.SecurityWebService$1GetGrantedRolesForUserAction.run(SecurityWebService.java:381)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.bi.security.service.SecurityWebService.getGrantedRolesForUser(SecurityWebService.java:397)
...
Caused by: javax.security.auth.login.FailedLoginException:
[Security:090305]Authentication Failed Getting Groups for User <UserID>
weblogic.management.utils.NotFoundException: [Security:090255]User or Group
<Groupname>

Cause

This can occur if a group associated with a user name does not exist in the identity store.

Action

Check that the LDAP groups assigned to this user actually exist and are readable by the principal used by WebLogic to access LDAP.
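The correlation described in this section (an OBI-SEC-00018 error in nqserver.log, matched by ECID to the warning in the diagnostic log) can be scripted. The following is an added example, not Oracle code: the function names, sample ECIDs, GUID, user ID and group names are constructed, and it assumes each log entry starts with a bracketed timestamp and that group names contain no whitespace.

```python
import re

# Constructed sample logs modelled on the excerpts above. The ECIDs, GUID,
# user IDs and group names are invented for illustration.
NQSERVER_LOG = """\
[2012-10-04T12:00:00.000+00:00] [OracleBIServerComponent] [ERROR:1] [] []
[ecid: ecid-0001] [tid: d10] SecurityService::assertUserWithLanguage
[OBI-SEC-00018] Identity found guid-aaaa but could not be asserted
[2012-10-04T12:05:00.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: ecid-0002] [tid: d11] Query completed
"""
DIAGNOSTIC_LOG = """\
[2012-10-04T12:00:00.314+02:00] [bi_server1] [WARNING] []
[oracle.jps.authentication] [userId: OBISystemUser] [ecid:
ecid-0001] [WEBSERVICE.name: SecurityService]
javax.security.auth.login.FailedLoginException:
[Security:090305]Authentication Failed Getting Groups for User jdoe
weblogic.management.utils.NotFoundException: [Security:090255]User or Group
BIReportAuthors[[
[2012-10-04T12:06:00.000+02:00] [bi_server1] [WARNING] [] [oracle.jps.authentication] [ecid: ecid-0009]
[Security:090305]Authentication Failed Getting Groups for User asmith
weblogic.management.utils.NotFoundException: [Security:090255]User or Group OldGroup
"""

ENTRY_START = re.compile(r"(?m)^(?=\[\d{4}-\d{2}-\d{2}T)")  # entries begin with a timestamp
ECID = re.compile(r"\[ecid:\s*([^\]\s]+)")                   # tolerates a line wrap after "ecid:"
USER = re.compile(r"\[Security:090305\]Authentication Failed Getting Groups for User\s+(\S+)")
GROUP = re.compile(r"\[Security:090255\]User or Group\s+([^\s\[]+)")

def entries(text):
    """Yield (ecid, entry_text) for each log entry that carries an ECID."""
    for entry in ENTRY_START.split(text):
        m = ECID.search(entry)
        if m:
            yield m.group(1), entry

def failed_assertions(nqserver_text):
    """Return the ECIDs of BI Server entries that report OBI-SEC-00018."""
    return {ecid for ecid, e in entries(nqserver_text) if "[OBI-SEC-00018]" in e}

def missing_groups(nqserver_text, diagnostic_text):
    """Map each failed-assertion ECID to the (user, group) named in the diagnostic log."""
    wanted = failed_assertions(nqserver_text)
    found = {}
    for ecid, e in entries(diagnostic_text):
        user, group = USER.search(e), GROUP.search(e)
        if ecid in wanted and user and group:
            found[ecid] = (user.group(1), group.group(1))
    return found
```

Each (user, group) pair returned is a group to check in the identity store, as described under Action. The second diagnostic entry is ignored because its ECID has no matching OBI-SEC-00018 error.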