Tuesday 16 July 2013

Regenerating User GUIDs for OBIEE 11g

Regenerating User GUIDs
I would suggest including the user GUID regeneration process as one of the important jobs in the OBIEE content migration process from test to production.
User Name Vs GUID
In Oracle Business Intelligence 11g, users are recognized by their global unique identifiers (GUIDs), not by their names. GUIDs are identifiers that are unique for a given user. Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata are uniquely secured for a specific user, independent of the user name.
GUID Regeneration Process
GUID regeneration is the process of regenerating any metadata references to user GUIDs in the Oracle BI repository and Oracle BI Presentation Catalog. During the GUID regeneration process, each user name is looked up in the identity store. Then, all metadata references to the GUID associated with that user name are replaced with the GUID in the identity store.
GUID regeneration might be required when Oracle Business Intelligence is reassociated with an identity store that has different GUIDs for the same users. This situation should be a rare event. It might occur when reassociating Oracle Business Intelligence with a different type of identity store, or when moving from test to production if a different identity store is used in production.
Risks and Mitigations
Note that if Oracle best practices are not observed and Oracle Business Intelligence repository data is migrated between systems that have different GUIDs for the same users, GUID regeneration is required for the system to function.
This is not a recommended practice, because it raises the risk that data and metadata secured to one user (for example, John Smith, who left the company two weeks ago) becomes accessible to another user (for example, John Smith, who joined last week).
Using Application Roles wherever possible and using GUIDs consistently across the full development-to-production lifecycle prevents this problem from occurring.
Regenerate GUIDs
This task requires that you manually edit the configuration files to instruct Oracle BI Server and Oracle BI Presentation Server to regenerate the GUIDs on restart. Once completed, you edit these files to remove the modification.
1.    Update the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI:
  • Open NQSConfig.INI for editing at: ORACLE_INSTANCE/config/OracleBIServerComponent/coreapplication_obisn
  • Locate the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter and set it to YES, as follows:
    FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;
  • Save and close the file.
2.    Update the Catalog element in instanceconfig.xml:
  • Open instanceconfig.xml for editing at: ORACLE_INSTANCE/config/OracleBIPresentationServicesComponent/coreapplication_obipsn
  • Locate the Catalog element and update it as follows:
    <Catalog><UpgradeAndExit>false</UpgradeAndExit><UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs></Catalog>
  • Save and close the file.
3.    Restart the Oracle Business Intelligence system components using opmnctl:
    cd ORACLE_HOME/admin/instancen/bin
    ./opmnctl stopall
    ./opmnctl startall
4.    Set the FMW_UPDATE_ROLE_AND_USER_REF_GUIDS parameter in NQSConfig.INI back to NO.
    Important: You must perform this step to ensure that your system is secure.
5.    Update the Catalog element in instanceconfig.xml to remove the UpdateAccountGUIDs entry.
6.    Restart the Oracle Business Intelligence system components again using opmnctl:
    cd ORACLE_HOME/admin/instancen/bin
    ./opmnctl stopall
    ./opmnctl startall
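
A check for the revert at the end of the procedure above, as an added example that is not part of the original post or of Oracle's tooling: it reports whether FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is still YES or an UpdateAccountGUIDs entry is still present. The function names, the constructed sample files and the assumption that '#' starts a comment in NQSConfig.INI belong to this example only.

```shell
#!/bin/sh
# Added example (not Oracle tooling): confirm the GUID regeneration switches
# are no longer active in either configuration file after the final restart.

# True (0) if NQSConfig.INI still sets the parameter to YES on an active line.
# Assumption: '#' starts a comment in NQSConfig.INI, so commented text is ignored.
nqs_regen_enabled() {
    sed 's/#.*//' "$1" | grep -Eiq \
        '^[[:space:]]*FMW_UPDATE_ROLE_AND_USER_REF_GUIDS[[:space:]]*=[[:space:]]*YES[[:space:]]*;'
}

# True (0) if instanceconfig.xml still contains an UpdateAccountGUIDs element.
# Conservative: any occurrence is reported, even one inside an XML comment.
catalog_regen_present() {
    grep -q '<UpdateAccountGUIDs[[:space:]>]' "$1"
}

# Usage: audit_guid_regen NQSConfig.INI instanceconfig.xml
# Returns 0 when both files are clean, 1 when a switch is still set, 2 on a missing file.
audit_guid_regen() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "ERROR: cannot read config file" >&2; return 2; }
    rc=0
    if nqs_regen_enabled "$1"; then
        echo "FAIL: $1: FMW_UPDATE_ROLE_AND_USER_REF_GUIDS is still YES"; rc=1
    fi
    if catalog_regen_present "$2"; then
        echo "FAIL: $2: UpdateAccountGUIDs entry is still present"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: GUID regeneration is switched off in both files"
    return "$rc"
}

# Constructed sample files (not from a real system) for a self-check run.
# Usage: write_samples DIR
write_samples() {
    printf '%s\n' '[SECURITY]' '# FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;' \
        'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = NO;' > "$1/clean.ini"
    printf '%s\n' '[SECURITY]' 'FMW_UPDATE_ROLE_AND_USER_REF_GUIDS = YES;' > "$1/dirty.ini"
    printf '%s\n' '<Catalog><UpgradeAndExit>false</UpgradeAndExit></Catalog>' > "$1/clean.xml"
    printf '%s\n' '<Catalog><UpgradeAndExit>false</UpgradeAndExit><UpdateAccountGUIDs>UpdateAndExit</UpdateAccountGUIDs></Catalog>' > "$1/dirty.xml"
}

# When called with the two real file paths, audit them.
if [ "$#" -eq 2 ]; then audit_guid_regen "$1" "$2"; fi
```

Run it with the paths to NQSConfig.INI and instanceconfig.xml after the second restart; a non-zero exit status means a regeneration switch was left in place.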
