12c, Analytics Server, Data Visualization, OAS, obiee

With last Friday’s release of Oracle Analytics Server and Gianni beating just about everybody to a first write-up on how to get it running (after getting the correct versions first) I thought it would be time for a real-world reality check of this newest incarnation of the Oracle Analytics family for on-premises clients.

OAS it the gateway to OAC with pretty much seamless moving from OAS to OAC or deploying things both on-premises and in-cloud in a hybrid setup. New features galore but in turn a dependency on assuring that on-premises is built in a way that they can be moved to the cloud easily. More on this in a moment.

This release is aimed at lifting existing OBIEE customers on par with OAC in terms of functionalities. Customers who for whatever reason do not want or can not move to the cloud. A decision which is valid in and of itself as not everything or everybody has to go to the cloud.

Many functionalities of OAS which weren’t available on-premises so far at all and/or were tied to additional licensing costs are given to customers with existing licenses – for free. Now I have to say it fulfills this bit more than well. To say that Oracle was generous in scooping ladles of additional stuff into it is an understatement.

You can see a full list off features differences here.


HOWEVER the huge issue I see is precisely that list of feature differences combined with the fact that most OBIEE customers have systems that are running since years, are very mature, HIGHLY integrated into their other business-critical systems and their business processes. You know…the things companies actually use to make money. Sadly almost all existing things that aren’t fancy eye-candy for executives but make a solution successful and workable are marked as “deprecated” which translates to:

“Deprecated: Deprecated features won’t be enhanced in the future but are supported for the full life of the Oracle Analytics Server 5.5.x release. Where indicated, a deprecated feature might be desupported in a future, major release. “

  • Oracle Marketing Segmentation – Well isn’t that a major punch below the belt line. Using analytics as the marketing engine for Siebel was half the reason Siebel bought nQuire in the first place. Getting rid of said segmentation engine for Siebel Marketing and drop the related functionality may cause existing customers to both leave both Analytics and Siebel. One stone, two birds. Sadly not the good kind of kill.
  • Flat Files and XML-based Data Sources – Having this in DV is fine, but confining its use to data sets and no longer have the ability to model it properly into corporate data structures? A step back since you simply do not have the same level of integration and access control in terms of detailed row-level filtering and even attribute filtering/masking anymore.
  • Session Personalization using System Session Variables – Now this is just silly. It seems that nobody ever went through any RPD of clients with thousands of users in worldwide implementations and went “Oh hey they are actually using this to make the system react more dynamically without hard-coding 5 gazillion things!”.
  • Act As Another User – Again how can anybody who worked more than 2 weeks on any real life project consider this a candidate to be deprecated? Ever had to Act As another user around the globe to see his data or pick up his slack or troubleshoot? Can you imagine that not every business user is ok with planning a meeting to screen-share with you because they have more important things to do like running the business? Thought not.
  • Database Storage for User Group Memberships – The absolute kicker. This takes the cake (with cream and cherry on top). Like deprecating Marketing Segmentation but taken to the extreme. Customers using other Oracle applications and leveraging what they have already implemented there to help secure and control analytics from a functional, content and data access control perspective are being left out in the cold.

I love OAC and what it has done to the product line and brought to the cloud line-up. But OAS? With that feature list? Well I only hope somebody realizes that it may not be a good idea to completely disregard the existing and blindly chase after buzzwords when compiling the list of things to remain in the product.

Bet on the future and continue developing things in that direction but please don’t sacrifice the existing things on the altar of the new. Especially if the reason is just “because reasons”.

11g, 12c, 19c, admin, obiee, security, standard configuration

Many times I come across posts and emails asking for help on specific configuration changes or questions asking for help achieving certain things.

Long story short – you can over-complicate everything if you don’t look at what the standard gives you efore going off and hacking / scripting things in an uncontrolled fashion that will come back to haunt you when you patch or upgrade.

Case in point: Implementing new, custom links which should react to standard security privileges.

As in: Adding a link is documented by Oracle, but how can you make this link react to standard privileges which are tied to your Application Roles?

Oracle provides the out-of-the-box functionality of custom links since several years with all the usual bells and whistles. Problem is, that by far not all options are documented in detail with examples. Top tip here: guess what you will never have everything in the documentation, so the important thing is where to look for more information.

Enter the XSD! Every configuration XML comes with an accompagning XSD style sheet which maps all elements and attributes that the XML supports. Find that XSD and you have all the documentation you could ever want. Following the example of making links dependent on OOTB security privileges:

Here we see one of our administrators (prodney) logged in and seeing two custom links rendered. The “SampleApp V607 Index” and the “Custom Link” which is a link to the documentation. Now we don’t want non-admin users to be able to access the documentation link. So how do we go about this?

The customlinks.xml controls the rendering of custom links as described in the official documentation: https://docs.oracle.com/middleware/bi12214/biee/BIESG/GUID-FF6954BA-2DE0-4422-BA58-05F32936F4FF.htm#BIESG3738

That XML file itself is goverened by the customlinks.xsd file. In there we find the following information on the privilege usage:

<xs:attribute name="id" type="xs:string" use="required" />
<xs:attribute name="iconSmall" type="xs:string" use="optional" />
<xs:attribute name="privilege" type="xs:string" use="optional" />
<xs:attribute name="src" type="xs:string" use="optional" />

Now let’s look back at the documentation and an

<link id="l1" name="OTN" description="OTN open in new window" src="http://www.oracle.com" target="blank" >
      <location name="header" />

My customlinks.xml says the following for the “Custom Link” one:

<link id="l2" name="Custom Link" description="Instructions on how to insert a custom URL on OBI EE headers" src="http://docs.oracle.com/cd/E23943_01/bi.1111/e10541/answersconfigset.htm#BIESG3738" target="blank" iconSmall="common/info_ena.png">
        <location name="header" insertBefore="home"/>

Nice. Now let’s add 1 and 1.

“id” and “source” are both attributed of “link” just like privileges which gives us the necessary indication of how to use it.

<link id="l1" name="SampleApp OTN Page"  [skipped...] privilege=" hmm what goes here=?! ">

For the content of the “privilege” attribute we simply refer back to the documentation again:

<link id="l1" name="SampleApp OTN Page"  [skipped...] privilege="privileges.Access['Global Admin']">

Which puts the whole entry in the customlinks.xml to this:

<link id="l2" name="Custom Link" description="Instructions on how to insert a custom URL on OBI EE headers" src="http://docs.oracle.com/cd/E23943_01/bi.1111/e10541/answersconfigset.htm#BIESG3738" target="blank" iconSmall="common/info_ena.png" privilege="privileges.Access['Global Admin']>
        <location name="header" insertBefore="home"/>

Restarting things will now give me the same resutl for my administrative user “prodney”:

And the correctly secured result for my non-admin user “testuser01”:

Piece of cake.

12c, security

Following up on my last post it turns out that the conundrum is nothing but Enterprise Manager currently displaying things in a somewhat sub-optimal manner. The permissions etc are all there but they are just not being displayed under their respective permission class.

WLST confirms this when listing things with listResources(appStripe=”obi”)

So conundrum = just a hick-up 🙂

11g, 12c, application policies, OBI, permissions, security

So we know that 12c made some small changes in the security area – the most well known being “BI Administrator” being renamed to “BI Service Administrator”.

This can cause some issues when importing 11g BAR files with old “BI Administrator” roles but set “security model=false” during import. Well this isn’t what this post is about but still something you may want to remember 😉

What this post IS about is the little weirdness which is happening in Application Policies and the Permissions you can grant to a policy and its principals.

Let’s look at the permissions granted to “BI Service Administrator”. There’s two set of rights which look suspiciously similar:

Can you spell “redundant”?

Ok let’s turn this upside down and create a new application grant for a “close to Admin”-type set of rights:

Searching by “Permission Class” oracle.security.jps.ResourcePermission yields 14 results.

Funny enough we don’t find all four of the permissions in the screenshot above. Two catalog permissions are present – “oracle.bi.presentation.catalogmanager.manage” and “*” for the oracle.bi.catalog permission type. “*” for oracle.bi-repository isn’t there though. Hmmm. Let’s search by “Resource Type” and try to find the four in question one by one.

Why hello there. Not only do we find all four but also a nice little remark on the two known ones: Legacy Permission from BI 11g

So it seems that those two are about to get dropped and be replaced by the new “*” resources. But why is only one of the two new permissions visible when searching by “Resource Class” when it seems to actually HAVE the correct resource class assigned to it?

Smells like something needing a little fix. Most important though: going through permissions by resource type and checking the ones labeled as “Legacy 11g” is a good idea in order to not be relying on things on their way out of the product…

12c, dashboard, OBI, obiee

A new functionality has been introduced in the latest release of OBI – – which has gone a bit unnoticed since it hasn’t been included in the documentation anywhere. This is surprising since it’s been requested since a long time.

Dashboard subpages!

As of this release the usual 3-level dashboard hierarchy has been transformed into a 4-level one:

  • Dashboard group
  • Dashboard
  • Dashboard page
  • Dashboard subpage

dashboard sub-pages

Configuration is very straight-forward. Just click the usual “Add” button which will give you two options as of now: