obiee oracle-bi

RPD privilege settings on objects don't take effect in OBIEE 12.2.1.0


I'm trying to deny presentation read privilege over an object in the OBIEE 12c RPD, but it seems that my denial doesn't work and I still see the object. I have created a user and his group in Console Administration and linked the group and the user to an application role in Enterprise Manager (this role has the same application policy as the default BIContentAuthor); after that I set the necessary privileges by accessing the administration tab as the weblogic user in BI analytics. With the default application role I don't have a problem handling RPD privileges, but with the newly created one I don't understand whether I skipped some steps.

Any suggestions?

If it helps, I can post every necessary screenshot.

EDIT:
This is a more detailed explanation:

I have two columns in the same datamart model:
1) a column with phone number (like 321 7654321), called "Phone"
2) a column with the same phone number censored (like *******321), called "Asterisked Phone"

I want the users of one group to see only the column with the regular numbers, while the users of another group see only the asterisked ones. To do so:

1) I have created a new application policy that is a copy of the default application policy applied to the default application role BIContentAuthor (to have some kind of symmetry)
2) I have created a new application role, called "BIContentAsterisk", and I have linked it to the newly created application policy
3) I have created, in WebLogic Console Administration, a new user, called "test.user", and a new group, called "BIContentAsterisks"
4) I have linked "test.user" and the group "BIContentAsterisks" to the "BIContentAsterisk" application role in Enterprise Manager
5) Accessing the analytics as the weblogic user, I have set, in the administration tab, the same privileges for BIContentAsterisk that BIContentAuthor has
6) I have set in the RPD a denial to see "Asterisked Phone" for the group "BIContentAuthor" and it does what I expect
7) I have set a denial to see "Phone" for the group "BIContentAsterisk" and it seems like it was ignored

As you can see from the explanation, the new user, group and application role were created with some kind of symmetry in mind, as they have to do practically the same things apart from each seeing a different column for the phone number.


Solution

  • In the RPD a grant wins over a deny. In the catalog a deny wins over a grant. So if you have conflicting rights in the RPD...you will still see it
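
The precedence rule from the answer, modelled as an added example (not part of the original answer and not Oracle code): it lists every deny that is overridden by a grant arriving through another role. The role memberships and permission entries are constructed; in particular, that "test.user" also resolves to BIContentAuthor is an assumption the page does not confirm.

```python
# Added example: models only the two precedence rules stated in the answer.
GRANT, DENY = "grant", "deny"

# Constructed sample data (assumption: test.user also holds BIContentAuthor).
USER_ROLES = {
    "test.user": ["BIContentAsterisk", "BIContentAuthor"],
    "author.user": ["BIContentAuthor"],  # hypothetical second user
}
PERMISSIONS = {  # (application role, presentation column) -> explicit setting
    ("BIContentAsterisk", "Phone"): DENY,
    ("BIContentAsterisk", "Asterisked Phone"): GRANT,
    ("BIContentAuthor", "Phone"): GRANT,
    ("BIContentAuthor", "Asterisked Phone"): DENY,
}

def effective(settings, store):
    """Combine the explicit settings a user receives through all roles.

    store="rpd":     a grant wins over a deny
    store="catalog": a deny wins over a grant
    Returns None when no role carries an explicit setting.
    """
    if store not in ("rpd", "catalog"):
        raise ValueError("store must be 'rpd' or 'catalog'")
    if not settings:
        return None
    winner, loser = (GRANT, DENY) if store == "rpd" else (DENY, GRANT)
    return winner if winner in settings else loser

def masked_denials(user_roles, permissions, store="rpd"):
    """Return (user, object, denying roles, granting roles) for each overridden deny."""
    findings = []
    objects = sorted({obj for (_, obj) in permissions})
    for user, roles in sorted(user_roles.items()):
        for obj in objects:
            by_role = {r: permissions[(r, obj)] for r in roles if (r, obj) in permissions}
            denying = sorted(r for r, p in by_role.items() if p == DENY)
            granting = sorted(r for r, p in by_role.items() if p == GRANT)
            if denying and effective(set(by_role.values()), store) == GRANT:
                findings.append((user, obj, denying, granting))
    return findings

if __name__ == "__main__":
    for user, obj, denying, granting in masked_denials(USER_ROLES, PERMISSIONS):
        print(f"{user}: deny on {obj!r} via {denying} is overridden by grant via {granting}")
```

Running the same check with `store="catalog"` returns no findings for this data, because there a single deny is enough to hide the object.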