woensdag 30 november 2011

strange security behaviour

Dear community,

I'm writing this because I am facing a serious issue in OBI 11g (11.1.1.5) and I can't seem to pinpoint the exact problem. I hope you can share your thoughts with me in order to come up with a solution. The situation is as follows: There seems to be a mismatch between the Application Roles assigned to a user and the way they are translated onto the ACL's in the webcatalog. I use Weblogic's default Authenticator. Users sit in a group and for every group, there is a corresponding Application Role.
For instance:
There are also A_P020 group and role and a A_P030 group and role. The Group-to-Role mapping is always 1:1.



















In the catalog, access to objects is configured using Application Roles.
For instance: access to the P010 Dashboard is limited to users who are member of the A_P010 group (and as a consequence have the A_P010 application role assigned).

Now, what happens is this: a user who is assigned the A_P010 group and the A_P020 group sees the P010 and P020 Dashboards.
When I assign him membership to the A_P030 group too, he only sees the P010 dashboard....

This is reproducable behavior.

resyncing the GUID's didn't solve the problem.
In fact, when I move the webcatalog to a complete fresh installation of OBI 11.1.1.5 and create a new user and assign him the roles as described above, the same behavior occurs.

I'm lost...

The session information (under My Account) shows the correct application roles. It's the mapping onto the ACL's in the webcatalog that seems to be wrong.

Any input would be very much appreciated !

Kind regards,
René

Geen opmerkingen:

Een reactie posten