OBIEE 11g: Permissions on Presentation Columns no Longer Work as Expected after Upgrading from OBIEE 10g To 11.1.1.7 (Doc ID 1916418.1)

Last updated on JANUARY 31, 2017

Applies to:

Business Intelligence Server Enterprise Edition - Version 11.1.1.7.140225 and later
Business Intelligence Suite Enterprise Edition - Version 11.1.1.7.140225 and later
Information in this document applies to any platform.

Symptoms

In OBIEE 111.1.1.7.140225, your user belongs to Group1 and Group2 in WebLogic Server.
Group1 is a member of Role1.
Group2 is a member of Role2.
Role1 and Role2 were created like the BiAuthor role.

In the repository, you give SubjectArea A - Sample Sales the following permission:

You log into Answers and click on My Account.
In the Roles and Catalogs tab, you see that the user shows as belonging to Authenticated User Role, Role1 and Role2.
However, if you create an analysis, this user does not see the column T05 Per Name Year.

In OBIEE 10g and OBIEE 11.1.1.6 with the same scenario, the user sees the column as the least restrictive security attribute is applied.

If there are multiple application roles acting on a user or application role at the same level with conflicting security attributes, the user or                
application role is granted the least restrictive security attribute.              
However, Oracle requires from 11.1.1.7 onwards that the application role with access to an object also have access to the object's container. For example, if                 
ApplicationRole 1 has permission to access Column A, which is part of Table B, then ApplicationRole1 must also have permission to access Table B.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms