Allow me to introduce you to the Application Role Mapping validation script for OBIEE 12c. With this bit of code, we can utilize OBIEE's runcat command script to export our application role and permissions mapping information from multiple environments, and ensure their consistency. The picture below is an example of what you'll see as the final product. While it does not show you a side by side comparison of both environments, what it does do is display those objects in your lower environment that contain inconsistent application role or permissions mappings vs the target environment, and their respective configuration. The items in the path column then point you to that object in your lower environment catalog for further examination.
Our script only requires a few easy steps to generate a web-based view of any inconsistencies in application role and permissions mappings between your tested environments. Similar to the Baseline Validation Tool (BVT), this script goes one step further and executes a fine-grain examination and resulting view of application role and permissions mappings. The BVT only catches that something is different about the object, as indicated by the
Name column value, and tells you where to look.
While I'll be sure to go into more detail later, the first picture above shows us that we have a number of application role and/or permissions mappings that exist in the lower environment, however, do not in the target OBIEE environment. Curious? Let's jump right into it.
The security audit is essentially a 3-step process, and was designed to be really accessible and simple to use. It breaks out like this:
- Run the
security_audit.pyscript in both OBIEE12c environments (being the lower environment that possesses the proper app role/permission mappings and the target environment).
security_audit.pywill generate a .csv file in each environment.
- Move the CSV from the target environment into the directory where you've got the CSV in the lower environment. After you've got the files moved, you'll run
security_compare.pyand simply pass in the locations of your lower environment CSV, and then that of the target environment. Lastly, a browser will pop up, giving you an immediate view of any inconsistencies that exist between your two OBIEE 12c instances.
Let's take a look at the process in a bit more detail!
Step by Step
Run security_audit.py in Lower Environment
First, let's make sure we've got a few libraries installed that we'll need to run our code. I recommend using pip for this. You'll need to install pandas and flask if you have not done so already. Simply navigate to the security_audit directory you got from GitHub and then from the command line run:
First, the script is smart enough to figure out which kind of OS it's in. Second, if your
DOMAIN_HOME variable is set correctly (probably something like
ORACLE_HOME/user_projects/domains/bi), the runcat command will run, exporting a CSV that contains the information we need to run the next script, which does the actual crunching between environments. In Windows, the default output location is
C:, in Linux, the
The tool will prompt you to enter your
DOMAIN_HOME, should you not have one set in your environment.
Run security_audit.py in Target Environment
Next, in our target environment, being the OBIEE 12c instance we want to make sure contains the same app role mappings as in our lower environment, run the
security_audit.py script once again, following the same steps as outlined above. Rename the CSV to something different than the file that was written in your lower environment, as we're going to need to put both of these guys in the same directory.
So on that note, after you've renamed your security_mappings CSVs, move them to the same directory on your lower environment. We're simply renaming them so we don't clobber one version or the other, and for easy reference as to which file belongs to its corresponding environment.
Run security_compare.py in Lower Environment
At this point you should have two security_mappings.csv files (although, the names should be a bit changed at this point) in your lower environment. We're going to need them as inputs for the next part of the regression testing process. This next bit of code simply ensures consistency between the two environments. Once run, it will instantly display any catalog objects in your lower environment that contain any disparities in the way their application roles or permissions are mapped when compared against those in your target environment. As of this blog, there really is no good way to do this with any native OBIEE tool, that is aside from running the runcat reports yourself and doing the crunching. So let's do it!
Open a command prompt in your environment, taking note of where your two CSV files are located. In this example, we'll be using a Windows command prompt, with our files located directly off of the
In your command prompt, navigate to the location of your
.py files. On that note make sure you do not separate these from the other files in the
security_audit directory. Flask will need the other files to render the resulting webpage. Back to it. In my example below, I've navigated to the
security_audit directory, and then run the following:
And then watch the magic happen! Make sure you have pop-ups enabled if you're having trouble rendering the page. The script will auto-magically figure out the host name for your environment and run it there.
Owner - this is the owner of the catalog object that is showing the variance in permissions assignment under:
Name - this is the name of the object, as it is displayed in the catalog.
Path - this is the path to the object in the web catalog
ACL - these are the detailed permissions mappings based on each entity assigned to the particular object. There is an accompanying key to the left hand side to help you out.
Permissions - detail level permissions mapped to each object by owner entity.
Having any trouble running the script? Please get in touch! I would also love to hear some feedback on how it might have helped you perform one task or the other. Feel free to use the comments section below for this or to report any issues.