error “access denied for user to path




I just had a terrible catalog security situation, and while looking for solution stumbled into this bug. I think it’s important, because the error message is confusing and it’s really hard to troubleshoot this sort of problem.
Catalog Manager copy/paste removes correct permissions on Users subfolders, causes error “access denied for user to path..” at OBI login
Applies to:
Business Intelligence Server Administrator – Version: 10.1.3.2 to 10.1.3.4.0 [1900] – Release: 10g to 10g
In OBIEE 10.1.3.4, users are copied from one web catalog A (TEST environment) to another web catalog B (PRODUCTION Environment), using the Catalog Manager. After loading the new web catalog B, users are unable to login into OBI and see the following error:
access denied for user to path /users/…/_portal/dashboard layout.
Error Details
Error Codes: O9XNZMXB
Cause
In the Catalog Manager, when copying users in the catalog manager, permissions are not copied. The users are part of the system folder (i.e Catalog Manager > Users > Properties > Owner Account = System Account) , which is why Catalog Manager does not transfer the permissions.
The behavior was reproduced with 2 copies of Paint web catalog A and B.
Note: Before copying from Web Catalog A, here are the privileges for
a) Users folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)
b) Users > Paint Folder – Owner – System Account
Explicit Permission – Paint (change/delete)
c). Users > Paint > _portal folder – Owner – paint
Explicit Permission – paint (change/delete)
After pasting user folder in web catalog B, here are the permissions:
Note how the properties and permissions changed after pasting the user to the following:
a) Users > Paint Folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)
b). Users > Paint Folder – Owner – System Account
Explicit Permission – Presentation server Administrator(full), Everyone(Traverse)
Solution
The following has been raised to address a product enhancement request:
BUG 8316638 COPY AND PASTE USERS IN CATALOG MANAGER DOES NOT COPY PERMISSIONS
The current workarounds are:
a). Manually change the permissions on the user_id, _portal and other subfolders in the target web catalog so that they are the same as the source web catalog.
b). Use SAWREPA utility to promote the changes from TEST to PRODUCTION instead. The process works online, so you do not lose any up-time, and it should promote the users permissions correctly too.
Information about SAWREPA is documented in the following:
Oracle Business Intelligence Presentation Services Administration Guide > Administering the Oracle BI Presentation Catalog > Replicating Presentation Catalogs
Please note that SAWREPA requires that both the PROD and TEST webcatalog were originally developed from the same web catalog. If the PROD webcatalog was created from scratch, it could cause problems with SAWREPA since it relies upon common attributes in both catalogs.

No comments:

Post a Comment

Popular Posts