Scenario
The proxyuser table is set up as follows:
| ProxyUser | TargetUser | Proxylevel |
|-----------|------------|------------|
| Admin2    | Cons1      | restricted |
| Admin1    | Cons1      | restricted |
Proxyuser: Admin1 – BIAdministrator
Targetuser: Cons1 – BIConsumer
In the 11.1.1.6.9 environment, when Admin1 (Admin) is acting as Cons1 (BIConsumer), everything looks good:
- Admin1 can see all links since she is a member of BIAdmin
- When performing Act as Cons1, the screen shows only the items Cons1 is entitled to see.
Since Cons1 is a member of BIConsumer, the screen should not show the Administration link or any of the other links under the "New" menu. This is the correct result.
In the 11.1.1.7.140527 and 11.1.1.7.140114 environments, both users are given the same permissions/privileges.
- Admin1 logs on; the screen shows the Administration links as expected.
- When performing Act as Cons1, the screen shows the Administration links and the "New" menu shows Analysis, Dashboard, etc. This is incorrect behavior.
Workaround: as a temporary measure until the above bug is fixed, change the proxy level to "Full" instead of "Restricted" in the proxyuser table.
Workaround
When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user. The following list describes the proxy levels:
Restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account).
For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.
Full — Permissions and privileges are inherited from the target user's account.
D.6 Enabling Users to Act for Others
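A small model of the two proxy levels quoted above, added here as an illustration (not Oracle's code and not part of the original post): it computes the privileges of an Act As session for each proxyuser row and lists the rows where that session holds privileges the target user lacks. The role privilege sets and Admin2's role are assumed sample data.

```python
# Added example: models the documented proxy-level rules; it does not call OBIEE.
# Constructed sample data: privilege sets per role (assumed, not read from a catalog).
ROLE_PRIVS = {
    "BIAdministrator": {"Access to Administration", "Access to Answers",
                        "Access to Dashboards"},
    "BIConsumer": {"Access to Dashboards"},
}
# Admin1 and Cons1 roles are from the scenario; Admin2's role is an assumption.
USER_ROLE = {"Admin1": "BIAdministrator", "Admin2": "BIAdministrator",
             "Cons1": "BIConsumer"}

# Rows of the proxyuser table as listed in the scenario.
PROXY_TABLE = [
    ("Admin2", "Cons1", "restricted"),
    ("Admin1", "Cons1", "restricted"),
]

def privileges(user):
    """Privileges held by a user's own account."""
    return ROLE_PRIVS[USER_ROLE[user]]

def act_as_session(proxy, target, level):
    """Return (privileges, catalog_access) for proxy acting as target."""
    level = level.strip().lower()
    if level == "restricted":
        # Privileges come from the proxy user's account; the target's
        # catalog objects are readable only.
        return privileges(proxy), "read-only"
    if level == "full":
        # Permissions and privileges are inherited from the target's account.
        return privileges(target), "inherited"
    raise ValueError(f"unknown proxy level: {level!r}")

def audit(rows):
    """List rows whose Act As session holds privileges the target lacks."""
    findings = []
    for proxy, target, level in rows:
        privs, _ = act_as_session(proxy, target, level)
        extra = sorted(privs - privileges(target))
        if extra:
            findings.append((proxy, target, level, extra))
    return findings

if __name__ == "__main__":
    for proxy, target, level, extra in audit(PROXY_TABLE):
        print(f"{proxy} acting as {target} ({level}): exceeds target by {extra}")
```

Running the same audit after switching a row to "Full" returns no findings for that row, which is the effect the workaround relies on.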
The following Bug has been logged for this issue:
Bug 18695152 - OBIEE 11G: PRIVILEGES NOT APPLIED TO PROXY (ACT-AS) USERS
Thanks,