To the left of the Help link is the link to the Administration screen. You can also save a link to the address http://[server]:<port>/analytics/saw.dll?Admin:
The content on the Administration screen is controlled and therefore, you will only see what the system administrator has privileged for you. A full-access user will see eight sections on the Administration screen.
The Security section provides links to the administration of catalog groups and system privileges.
Use the Session Management link to view currently logged in users and see what they are running. An active request could be canceled if they are taking too much time.
In Chapter 6 , Understanding the Systems Management Tools, we will see that we can create Users and Groups in our security store (LDAP). The Presentation Catalog uses those groups and users that have been previously set up, but it also has the facility to create its own groups. This may be useful for certain types of special access that you want to set up, or to group various users together. This is not suitable in your LDAP system. An example of this could be giving some users extra administration rights on a temporary basis, for example, for a couple of hours during a deployment. Note that it is not the best practice to manage security in both the Presentation service and WebLogic Enterprise Manager. So, changes made directly in the Presentation Service Group Administration should be treated as temporary.
All of the features of the Presentation service can be secured by allowing access to certain individuals or groups that are using the Manage Privileges screen (accessed from within the Administration screen). These privileges are at a more detailed level than those set in the Enterprise Manager. Defining and maintaining the privileges is an important requirement for any OBIEE project. If you do not want to give access to untrained users to certain features or administration areas, you can choose the users carefully and the matrix can be created in advance to decide who can use what.
The Manage Privileges screen has various sections that relate to the parts of the system the named users can access or use. You can provide access to groups and/or users, and you can also deny specific groups or users access to a particular feature.
The main section to consider is the access rights. The first section of the Manage Privileges screen controls general access to the main tools, for example, dashboards:
If you click on the link to the right of the item description, you can allocate or deny access. Try clicking on the Access to Dashboards link, which currently reads BI Consumer. Then, you will see a standard pop-up screen for allocating the rights to an object.
You can now click on the green plus sign to start adding more groups or users. This brings up the Add Users and Group form. Search for and select the role, group, or user to which you would like to give specific access. You can also select the role, group, or user for which you want to deny access.
Where possible, you should aim to assign permissions to roles. If this does not give sufficient granularity, choose groups. Again, if more granularity is required, choose individual users:
We will go into more depth on this in future chapters.
On the Administration screen, there is a facility to view and manage the current sessions. Sessions are simple individuals that have logged in and are running analyses, dashboards, reports, and so on:
Clicking on the Manage Sessions link directs you to the session-listing screen. At the top of the list, there is a list of the sessions logged-in, and in a running system, you will see the recent requests that have been sent to the BI server. The list is also known as the Cursor Cache list.
In the column headed Action, you can see highlighted words on which you can click to invoke the action. For running requests, you can click on the Cancel Running Requests button to cancel the cursor. For finished requests, you can click on View Log, which will bring up a window showing the details of the requests. The level of detail depends on the logging level that is set for the user. We can set it to a level of granularity so that we can see the logical SQL being issued, and drill all the way down to see the native database SQL being issued.
We mainly use logging of queries to solve performance problems. The SQL sent to the database can be examined to check whether any bottlenecks exist in the database.
This is a section on the Administration screen; it contains links to the following system settings:
- Managing mobile devices
- Loading metadata
- Toggling maintenance mode
Managing device types is not a common requirement, and in 12 years of OBIEE projects (new Siebel Analytics), I have never had a requirement to send data to a pager (!) or update the out-of-the-box settings.
Under the Maintenance and Troubleshooting, there is a link to a significant feature-Issue SQL. The Issue SQL option is normally used to test the BI server, and is not normally made available to users. The SQL referred to here is the OBIEE Logical SQL, not ANSI SQL, but note that there is a subtle difference between the Logical SQL that can be run in an analysis and the logical SQL that can be run here. For example, the following statements make use of the * notation to select all fields in the presentation-layer tables:
SELECT * FROM Players SELECT * FROM Tournaments SELECT * FROM TIME
The following example uses the SELECT_PHYSICAL statement to query the physical layer object:
SELECT_PHYSICAL CALENDAR_DATE FROM "TENNIS"."""tennis"."W_DATE_D;
You can also use the * notation:
SELECT_PHYSICAL * FROM "TENNIS"."""tennis"."W_DATE_D;
Functions can also be used in the statement to count the number of records in the date table, for example:
SELECT_PHYSICAL count(*) FROM "TENNIS"."""tennis"."W_DATE_D;
We will cover more details on the Oracle BI SQL (also known as Logical SQL) syntax later in this book.
All the tools mentioned at the beginning of the chapter store user-defined objects in a folder structure. This structure is bound together in a Presentation Catalog, also known as a Web Catalog. The catalog not only makes use of your operating system file and folder management, but also adds a layer of security and management. Each object is stored with a security reference and properties marker, which control when and how the objects are accessible:
The catalog is managed by the web-based administration screens of the Presentation Server, or by using a Windows-based Catalog Administration tool (also known as the Catalog Manager).
All properties and controls are available directly in Catalog View. Tasks such as copying, renaming, and changing permissions are undertaken while browsing the catalog.
From a user's perspective, there are two main folders that contain the subfolders and stored objects. These folders are as follows:
- Users
- Shared
The users folder (My Folders) contains a subfolder for each user that logs in. This provides a space for the users to store their own analyses and other objects securely. The option to use personal storage folders can be disabled.
On a recent project, we had up to 50,000 potential users. This could make the user folder very difficult to navigate, so we implemented one of the advanced features, which arranges the user folders into subfolders. In this case, the subfolders were the first two characters of the user name. Users such as Daniel and Dave are available in the DA subfolder. For projects where you have more than 1,000 users, consider adding the HashUserHomeHirectories parameter to the instance config.xml file.
Click on the Catalog link on the common menu to explore the catalog. The default view includes your personal folders and shared folders to which you have access. If you have sufficient permissions, you can switch to Admin View. Click on the drop-down icon and select Admin View. Standard users do not have the option of Admin View:
You are now presented with Admin View, which starts at a higher level of the Web Catalog Catalog Root. As an administrator, this allows you to see all the subfolders, but you will only be able to navigate to those folders if you have the permissions to do so. By default, you do not have permission to navigate to individual User Folders:
The objects you yourself create, such as your analyses or dashboard pages, are visible to you in your own User or Shared folders. There are also various hidden files that help to control your user experience. For example, users who have accessed the system using an iPad have their favorites stored in a hidden XML file.
To see the hidden items, tick on the Show Hidden Items checkbox in the top-right corner of the screen:
Management of the catalog is undertaken using the Oracle-supplied tools, that is, the web-based Presentation Server. However, you can back up the whole catalog, or parts of it, such as a dashboard, using normal operating system tools. On Linux, I tend to use .tar to compress a folder and store this as a backup, or copy it into another environment.
The object definitions and hidden files contain XML. Using the Catalog Manager, you can view the XML being used, and can even edit it directly in the Catalog Manager. This is an advanced feature, which is not necessary on most projects, nor undertaken without fully understanding the XML structures.
The XML files are also visible in your normal file explorer, and they can be useful, for example, if you want to find which analyses use a particular column from your BI server.
You can copy objects and complete dashboards. This feature speeds up the development cycles and encourages greater flexibility.
The method is widely available throughout the catalog, either in the Tasks pane (bottom-left corner) or by right-clicking on the object:
Users also have the ability to create more than one personal dashboard. For some power users, a single dashboard-My Dashboard-is just not enough. Having said that, it is also possible to create a dashboard in the Shared Folders and set the permissions so that you are the only person to see it; it has the same effect.
The downside of multiple personal dashboards is that only one dashboard My Dashboard is listed in the Dashboards menu. To navigate to other personal dashboards, you can locate them under My Folders in Catalog View.
One of the challenges we face on every project is how to develop, test, and deploy new dashboards and analyses without breaking the existing ones. Various approaches have been used at various companies, which either involve lots of downtime or, worse, no user-developed reporting. My preferred method is to use another part of the production system to create new dashboards, and only expose these when the testers have signed it off. This approach minimizes the risks of deploying from one network to another (which include permission issues and loss of user settings).
OBIEE 12c has a neat solution that allows users to archive their analysis, dashboards, folders, or other catalog objects, and save these archive files on the network. They can then be imported (unarchived) into another catalog. This process can be used to copy from a test catalog to a production one, for example.
Each folder, dashboard, analysis, and report has permissions attached. In fact, every object in the catalog has a form of permissions. In a preceding section, we saw that access to the features in the Presentation Catalog and Presentation Server have specific permissions (set by the Privileges screen), but access to the feature does not automatically allow access to the objects in the feature (for example, a report).
The permissions for the objects can be found under the right-click drop-down menu. The following screenshot shows the Permissions link for the Sample Reports folder:
If you click on the Permissions link, you will be presented with the Permissions form. A standard layout is used for all the objects, as seen in the following screenshot:
Here we can set permission levels (from full control to denied access). Note the options at the bottom of the form Apply permission to sub-folders and Apply permissions to items within folder. These are best left in the default mode of not applying.
Note that the dashboard sits inside a folder, so changing the folder can change the selection of users who can see your dashboard.