Tuesday, February 26, 2013

Accidentally deleted BISystem Role

Someone once accidentally deleted the BISystem Role from EM and all hell broke loose: no one was able to access OBIEE through any of the authentication providers (Default, AD, SSO). It took a while to figure out, until the system_jazn_data.xml files from Prod and Test were compared side by side.

When you check the log files you would see errors like this:
nqserver.log
[2013-02-14T13:22:45.000+00:00] [OracleBIServerComponent] [ERROR:1] [] [] [ecid: cb5a346296ed2a97:-7393df37:13cda108fa1:-8000-0000000000001ff6] [tid: 45bda940] [nQSError: 43126] Authentication failed: invalid user/password.
[2013-02-14T13:28:32.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004pRGflGvX3NA3_zlG7yW0002vb000000] [tid: 45ddc940] User OBIS spent 33.000000 milliseconds for http response when authenticateWithLanguage
[2013-02-14T13:28:32.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004pRGflGvX3NA3_zlG7yW0002vb000000] [tid: 45ddc940] User OBIS spent 0.000000 milliseconds for xerces parsing when authenticateWithLanguage
[2013-02-14T13:28:32.000+00:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 004pRGflGvX3NA3_zlG7yW0002vb000000] [tid: 45ddc940] The response for user OBIS during authenticateWithLanguage is: <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><env:Fault><env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Value>env:Receiver</env:Value></env:Code><env:Reason><env:Text xml:lang="en-US">oracle.bi.security.service.SecurityServiceException: SecurityService::checkSystemUserPermissionsSystem user has not been granted required permission oracle.bi.server.impersonateUser</env:Text></env:Reason></env:Fault></env:Body></env:Envelope>

sawlog0
BI Security Service: 'Error Message From BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::checkSystemUserPermissionsSystem user has not been granted required permission oracle.bi.server.impersonateUser'

[2013-02-14T13:00:04.000-06:00] [OBIPS] [ERROR:31] [] [saw.security.odbcuserpopulationimpl.searchidentities] [ecid: ] [tid: ] Error retrieving user/group data from Oracle BI Server's User Population API.
Unable to create a system user connection to BI Server while running user population queries
Odbc driver returned an error (SQLDriverConnectW).
State: HY000.  Code: 10058.
So I went ahead and created this role in EM manually by comparing the Roles and Policies from Production.

Steps to follow when the BISystem Role accidentally gets deleted:

1. Recreate the BISystem Role and map it to the BISystem User.
  • Log in to EM
  • Business Intelligence > coreapplication > Right click > Application Roles
  • Select the Application Stripe as obi
  • Click Create
  • Role Name: BISystem
  • Display Name: BI System Role
  • Members: BISystem User
2. Recreate the BISystem policies and add the BISystem Role to them.
  • Business Intelligence > coreapplication > Right click > Application Policies
  • Select the Application Stripe as obi
  • Click Create
  • Add the BISystem Role as the Grantee
  • In the Permissions section, add the following:
      - oracle.bi.scheduler.manageJobs: Grants permission to use Job Manager to manage scheduled Delivers jobs.
      - oracle.bi.server.queryUserPopulation: Internal use only.
      - oracle.bi.server.impersonateUser: Used by internal components that need to act on behalf of end users.
      - oracle.bi.server.manageRepositories: Grants permission to open, view, and edit repository files using the Administration Tool or the Oracle BI Metadata Web Service.
      - EPM_Essbase_Administrator: Grants permissions for EPM Essbase Administrator.

3. When creating Application Policies for the BISystem Role, if you don't find a permission in the search results, leave the Resource Name empty, click Continue, and manually add the Permission Class, Resource Name and Permission Actions.


For example, when you try to add oracle.bi.server.impersonateUser but cannot find it in the search results, leave the Resource Name empty and click Continue.



Then enter the Permission Class, Resource Name and Permission Actions manually.



Once you have added all the policies and restarted your services, OBIEE should be back up and you should be able to log in again.
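A check to run after the steps above, added here as an example and not taken from the original post: it reads a file-based policy store and reports whether the BISystem role, its member and its four grants are present in the obi stripe, including the "impersonateUsers" spelling slip raised in the comments. The element layout, the BISystemUser member name and the PLACEHOLDER_TYPE resource type in the constructed samples are assumptions.

```python
import xml.etree.ElementTree as ET

# Permission names as given in the page's log output and comments.
REQUIRED = {"oracle.bi.scheduler.manageJobs", "oracle.bi.server.manageRepositories",
            "oracle.bi.server.impersonateUser", "oracle.bi.server.queryUserPopulation"}

def audit_role(xml_text, stripe="obi", role="BISystem"):
    """List what is missing for `role` in application stripe `stripe`."""
    root = ET.fromstring(xml_text)
    app = next((a for a in root.iter("application")
                if a.findtext("name") == stripe), None)
    if app is None:
        return [f"application stripe {stripe!r} not found"]
    findings = []
    role_el = next((r for r in app.iter("app-role")
                    if r.findtext("name") == role), None)
    if role_el is None:
        findings.append(f"app role {role!r} missing")
    elif not list(role_el.iter("member")):
        findings.append(f"app role {role!r} has no members")
    granted = set()
    for grant in app.iter("grant"):
        if role in [p.findtext("name") for p in grant.iter("principal")]:
            for perm in grant.iter("permission"):
                target = perm.findtext("name") or ""
                # Assumed target form: "resourceType=<type>,resourceName=<permission>"
                fields = dict(f.split("=", 1) for f in target.split(",") if "=" in f)
                granted.add(fields.get("resourceName", target))
    return findings + [f"missing grant: {p}" for p in sorted(REQUIRED - granted)]

def sample_store(roles, perms):  # constructed sample; PLACEHOLDER_TYPE is not a real value
    p = "".join("<permission><class>oracle.security.jps.ResourcePermission</class>"
                f"<name>resourceType=PLACEHOLDER_TYPE,resourceName={n}</name>"
                "</permission>" for n in perms)
    return ("<jazn-data><policy-store><applications><application><name>obi</name>"
            f"<app-roles>{roles}</app-roles><jazn-policy><grant><grantee><principals>"
            "<principal><name>BISystem</name></principal></principals></grantee>"
            f"<permissions>{p}</permissions></grant></jazn-policy>"
            "</application></applications></policy-store></jazn-data>")

ROLE = ("<app-role><name>BISystem</name><members><member>"
        "<name>BISystemUser</name></member></members></app-role>")
DELETED = sample_store("", [])                    # role and its grants are gone
TYPO = sample_store(ROLE, [n + "s" if n.endswith("impersonateUser") else n
                           for n in REQUIRED])   # grant saved as "impersonateUsers"
FIXED = sample_store(ROLE, REQUIRED)

if __name__ == "__main__":
    for label, doc in (("deleted", DELETED), ("typo", TYPO), ("fixed", FIXED)):
        print(label, audit_role(doc))
```

To use it on a real system, pass the contents of the domain's policy store file to `audit_role` in place of the constructed samples.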

 Reference:

http://docs.oracle.com/cd/E28271_01/bi.1111/e10543/install.htm

8 comments:

  2. Thanks for this useful post. We accidentally deleted BISystem Role. I followed these steps, and it works fine now. Please note a minor correction, it's "oracle.bi.server.impersonateUser" and not "oracle.bi.server.impersonateUser(s)"

  3. I tried to do it but it's still not working ... please someone help me, andre_ricardo@me.com is my email ... thanks

  4. Tried the steps but not working.. After this, even the weblogic user is not able to login...

  5. I followed the above steps but I am still not able to add the oracle.bi.server.manageRepositories and the oracle.bi.server.impersonateUsers permissions. When I add them and click on OK, it throws an error that the oracle.bi.server.impersonateUsers is missing. What to do?

  6. Below are the permissions required for BISystem role,

    oracle.bi.scheduler.manageJobs
    oracle.bi.server.manageRepositories
    oracle.bi.server.impersonateUser
    oracle.bi.server.queryUserPopulation

    Could you try creating oracle.bi.server.impersonateUser instead of "oracle.bi.server.impersonateUsers".

  7. I did it .... but it's not able to accept the oracle.bi.server.impersonateUser permission.
    It's throwing an error like

    JPS-10471: Resource type is missing in the target name: "oracle.bi.server.impersonateUser", for permission: "oracle.security.jps.ResourcePermission

    Now what to do?

  8. https://www.youtube.com/watch?v=dxwwMBDZKNs
