obiee 11g - overview of action framework

© Peak Indicators Limited

Oracle Business Intelligence 11g Overview of Action Framework

Antony Heljula

Technical Architect

© Peak Indicators Limited 2

Agenda

Action Framework Overview Types of Action

Navigate to BI Dashboard

Conditions

Action Links

Further AF Examples Invoke a Web Page (Run a Google Search)

Invoke a Browser Script (Get Google Directions)

OBIEE Web Services

Securing Web Services


Action Framework

Action Framework is an exciting new feature of OBIEE 11g that provides the facility to invoke a wide variety of actions or processes directly within the UI

This is a major enhancement, since OBIEE 10g is great for analysis but has limited capability for performing actions once your analysis is complete

OBIEE 11g Action Framework enables you to:

Navigate to related Oracle BI content

Invoke operations, functions, or processes in external systems

Actions can be initiated from:

Analyses

Dashboard pages

Agents (iBots in 10g)

Balanced Scorecard “objectives” and “initiatives”

KPIs


Creating Actions

Actions can be created as re-usable objects:

Or you can create “inline” actions: If you only want to use an Action once, you can define it directly within an analysis,

dashboard page, agent, scorecard objective, scorecard initiative, or KPI. These inline actions are not re-usable


Actions

There are various things an Action can do!

Types of Action

Note: When integrated with Siebel CRM it is also possible to “Navigate to Siebel CRM” (Appears by default with 11.1.1.5)


Examples

This supersedes “navigation” in OBIEE 10g:

Navigate to BI Content


Examples

It is possible to configure Action Links to appear conditionally

e.g. “View Sales Order Details” only appears if there are <500 Orders

Conditions

Vision Nordics has >500 orders so it is only possible to navigate to a

“summary” analysis

Vision UK and Ireland has <500 orders so it is possible to navigate

to a “detail” analysis


Examples

You can also configure Action Links to request confirmation before invoking the action:

Confirmation


Examples

Dashboard Pages can consist of “Action Links” and “Action Link Menus”

On Dashboards


Examples

An “Action Link” dashboard object will show an individual Action

On Dashboards: Action Links

NOTE: The Action Link can be displayed conditionally


Examples

An “Action Link Menu” dashboard object allows you to display a menu of multiple Action Links:

On Dashboards: Action Link Menus


Examples

KPIs can be configured with multiple Action Links

The KPI “Status” can be used to determine which Action Links appear

On KPIs


Balanced Scorecards can also be configured with multiple Action Links

The Objective or KPI “Status” can be used to determine which Action Links appear

Examples

On Balanced Scorecards


Examples

You can initiate multiple Actions once a Delivers Agent has completed:

The Actions can be initiated for every row returned by the Agent!

Delivers Agents

You can map the columns returned by the Agent to each of

the Action’s parameters


Further Examples


Example 1 : Navigate to a Web Page

In this example, we will demonstrate how to initiate an Action to navigate to a web page and run a Google search for a customer!


Example 1 : Navigate to a Web Page

The first thing to do is build a sample URL that achieves what you need

For example, the following URL will run a Google search on “Oracle Corporation”:

http://www.google.co.uk/search?q=Oracle Corporation

Notes


Example 2 : Invoke a Web Service

In this example, we will demonstrate to how to create an Action that will invoke a web service directly from a Dashboard

The Action will be called “Adjust Sales Forecast” will invoke a web service to modify a Sales Rep’s forecast target:


Example 2 : Invoke a Web Service

In order to invoke a web service, you typically need the URL for its Web Service Description Language (WSDL)

The owner of the site hosting the web service should be able to provide you with his

The WSDL returns an XML file providing details on all the web services that are available, such as the operations available and the parameters that need to be passed

For example, our web service has the following WSDL:

http://obiee11g:7001/Adjust_Sales_Forecast-Adjust_Sales_Forecast-context-root/Adjust_Sales_ForecastPort?WSDL

NOTE:

It is possible for the OBIEE administrator to set up a “Registry” containing a list of available web services, this means you don’t need to provide the WSDL URL

Setting up of this Registry will be discussed during a later topic

Notes


In this example, a “Get Directions” Action will be used to invoke a piece of browser script (Javascript) that will open Google Maps and show you the directions between your chosen location and the customer!

Example 3 : Invoke a Browser Script



The following URL can be generated to get directions using Google Maps:

http://maps.google.co.uk/maps?&saddr={p1}&daddr={p2}

Parameters p1 and p2 can be anything such as a postcode or a set of Lang/Long co-ordinates (in the format “Lat,Long”)

In our example, we will pass 3 parameters to our javascript function:

Your location

Latitude of customer

Longitude of customer

The javascript function will concatenate the Lat/Long coordinates together and pass them to Google Maps as a single parameter

Notes



There is a “UserScript.js” file provided on the OBIEE server in which you must place your custom Javascript functions

UserScript.js is located in the following location on the OBIEE server:

[bi_server1] \bi_server1\tmp\_WL_user\analytics_11.1.1\xxxxx\war\res\b_mozilla\actions

NOTE: the [bi_server1] path is the following location:

[Middleware Home]\user_projects\domains\bifoundation_domain\servers\bi_server1

Notes



There is a special syntax for the UserScript.js file

For each Action you actually provide two separate Javascript functions!

The 1st function contains the actual code:

Notes

USERSCRIPT.getdirections = function(params)

{

var googleURL = "http://maps.google.co.uk/maps?&saddr="

+ params.your_loc

+ "&daddr="

+ params.dest_lat

+ ","

+ params.dest_long;

window.open(googleURL,"GetDirections");

};

Function name must be prefixed with “USERSCRIPT.”

The function accepts a single array of input parameters

Your refer to input parameters in the format: array.parameter



The 2nd function is used to define your input parameters

OBIEE uses this to automatically know which parameters are required

It has the following format (in this case we are defining 3 input parameters):

Notes

USERSCRIPT.getdirections.publish =

{

parameters:[

new USERSCRIPT.parameter("your_loc" , "Your Location" ,""),

new USERSCRIPT.parameter("dest_lat" , "Latitude Destination" ,""),

new USERSCRIPT.parameter("dest_long", "Longitude Destination",""),

]

};

The function has the same name as before, but has

the postfix “.publish”

Each parameter has 3 elements: 1) Variable name 2) Description 3) Default Value


OBI EE Web Services


OBIEE Web Services

OBIEE 11g comes equipped with a wide range of web services

There are two different types:

“Session based” web services

Web services for SOA (new with OBIEE 11g)

Refer to the OBIEE 11g Integrator’s Guide for detailed information:

http://download.oracle.com/docs/cd/E14571_01/bi.1111/e16364/toc.htm




Session Based OBIEE Web Services

There are a variety of OBIEE “session based” web services are available: HtmlViewService - obtain HTML to render BI dashboards/reports

iBotService - initiate iBots

MetadataService - Retrieve info on Subject Areas, Tables, Columns

ReplicationService - Replication between Presentation Catalogues

ReportEditingService - Add filter and other conditions to BI requests

SAWSessionService - Login, Logoff, Impersonate authentication functions

SecurityService - Identify BI EE accounts and privileges

WebCatalogService - Browsing and Managing the Presentation Catalogue

XMLViewService - Retrieve Oracle BI query results in XML format

Each of these web services contain one or more methods

They are referred to as “session based” because you have to establish a session with OBIEE first before you can use them (you need to pass in a valid Session Id)

The Web Service Definition Language (WSDL) format for Oracle BI web services can be obtained using the following example URL: http://localhost:9704/analytics/saw.dll?WSDL

http://localhost:9704/analytics/saw.dll?WSDL

http://localhost:9704/analytics/saw.dll?WSDL



When returning results in XML format, the structure is as follows:

It is also possible to specify a parameter to return the meta-data for each column of data returned e.g. name, data format, length etc

XML Results



To satisfy a particular requirement, normally a number of BI EE web services will have to be called in sequence e.g. Log in / Authenticate (SAWSessionService)

Obtain results in XML format (XMLViewService)

Log off (SAWSessionService)

This means you have to programmatically call the web services one after the other You log in to obtain the Session Id

You call the next web service and pass the Session Id in as a parameter

You call the next web service ……

These session based web services are therefore not too compatible with Action Framework on their own Action Framework initiates individual Actions with no connection between

them

Encapsulating into Workflows



It could be advisable therefore to “encapsulate” the sequence into a BPEL workflow:

BPEL workflow will orchestrate the initiation of the BI EE web services

The BPEL workflow will itself then be presented as a web service

Action Framework can then initiate this single “Action”

This is where Oracle BPEL and SOA Suite come into play....we will discuss more about this later….

Encapsulating into Workflows


OBIEE Web Services for SOA

“OBIEE Web Services for SOA” are quite different to the “Session Based” web services. There are three actions available: Execute Agent

Execute Condition

Execute Analysis

You don’t need to pass in a valid Session Id to use them They are still secured using a username/password in the credential store

Prompted filters and presentation variables included in the business intelligence objects are supported For example: if your Analysis has 3 “Is Prompted” filters then you can pass

values in for these at run-time

Only XML results are returned



Instead of being provided with a WSDL URL, you are in fact provided with a WSIL (Web Service Inspection Language) URL:

http://localhost:9704/biservices/inspection?wsil

This allows OBIEE to dynamically build up the set of web services available based upon the objects in the BI Presentation Catalogue. If you open up the WSIL URL in a browser, you can see that you are able to browse through the catalogue structure and you’ll find a web service for each Analysis, Condition and Agent!

WSIL…..not WSDL

http://localhost:7001/biservices/inspection?wsil



Consider this example where we have an Agent called “Sales History Agent”

We want to use Action Framework to invoke it…

Example



Create a new Action of type “Invoke a Web Service”

You can then browse through the catalog and invoke the web service associated with your Agent!

Create Action : Invoke a Web Service

The path to our Agent is: /shared/Agents/Sales History Agent

Here is the web service associated with the Agent



There are two parameters to configure, you can leave them “Optional”:

Session Country

Session Language

Configure Parameters



Execute the Action and see the “Alerts!” link appear:

Execute the Action!



There is some configuration required in order to use OBIEE Web Services for SOA

Firstly, you have to configure the FMW “credential store” with the username/password that will be used to browse the web services available

This account will always be used for browsing the web services, so users can only execute Actions on objects stored in “Shared” folders

Secondly we will configure the “ActionFrameworkConfig.xml” file with details such as:

The WSIL URL to use for browsing the web services

The authentication policy to determine what credentials etc are required to invoke the web services

Configuration



Open up Enterprise Manager and navigate to:

WebLogic Domain > bifoundation_domain

Then choose the menu option “Security > Credentails”

Configuration : Step 1



Within the “oracle.bi.enterprise” map, create a new credential key:

Key: wsil.browsing

Username: weblogic } for example

Password: welcome1 }




Create a new file called “wss_username_token_policy.xml” and paste in the following contents:

Save the file in the following location: [Middleware Home]\user_projects\domains\bifoundation_domain\config\fmwconfig\biinstances\coreapplication


<?xml version="1.0" encoding="UTF-8"?>

<oracle-webservice-clients>

<webservice-client>

<port-info>

<policy-references>

<policy-reference uri="oracle/log_policy" category="management"/>

<policy-reference uri="oracle/wss_username_token_client_policy" category="security"/>

</policy-references>

</port-info>

</webservice-client>

</oracle-webservice-clients>



Within the same folder, open up the “ActionFrameworkConfig.xml” file for editing

Configure the “<Registries>” tags to contain the following registry:

You should ensure the ?WSIL path is correct


<registries>

<registry>

<id>WS4SOA</id>

<name>OBIEE Web Services for SOA</name>

<content-type>webservices</content-type>

<provider-class>oracle.bi.action.registry.wsil.WSILRegistry</provider-class>

<description></description>

<location>

<path>http://localhost:9704/biservices/inspection?wsil</path>

</location>

<service-access>

<account>wsil.browsing</account>

<policy>wss_username_token_policy</policy>

<propagateIdentity>false</propagateIdentity>

</service-access>

</registry>

</registries>



Then configure the “<Accounts>” and “<Policies>” tags to contain the following configuration

You should not need to edit anything


<accounts>

<account>

<name>wsil.browsing</name>

<description>Account for BI WS for SOA</description>

<adminonly>false</adminonly>

<credentialkey>wsil.browsing</credentialkey>

<credentialmap>oracle.bi.enterprise</credentialmap>

</account>

</accounts>

<policies>

<policy>

<name>wss_username_token_policy</name>

<policyfile>wss_username_token_policy.xml</policyfile>

</policy>

</policies>



Save the “ActionFrameworkConfig.xml” file

Restart the following processes:

BI Presentation Services

Weblogic managed server “bi_server1”




Test! You should now be able to create an Action and see that the web services are automatically available for you to choose and execute:




Without further configuration, all the Web Services for SOA will be invoked as the same “wsil.browsing” account

Everyone has the same visibility of the common “Shared Folders” area

Everyone has the same visibility of the user’s own “My Folders” area

Common data visibility for all users

However, with further configuration it is possible to “secure” the web services to run as the user who is invoking the web service rather than the common “wsil.browsing” account

We will be dealing with securing web services in a later topic….

Important Note!



The securing of web services is obviously a very important topic

If you’re not careful, by default your custom web services will have no security so anyone can invoke them from anywhere!

You can secure web services within OWSM or within WebLogic. You secure a web service by assigning one or more “WS Policies”

In the example below, the “ExecuteAgent” web service has a security policy which enforces authentication using a username and password (Token):



There are two types of policy that can be attached to web services:

Oracle Web Services Manager (WSM) Policy

Policy provided by the OWSM

You can only attach OWSM security policies to JAX-WS Web services

You manage OWSM policies from with Oracle Enterprise Manager Fusion Middleware Control

WebLogic Web Service Policy

Policy provided by WebLogic Server

A subset of WebLogic Web service policies interoperate with Oracle WSM policies

You manage WebLogic Web service policies from the WebLogic Admin Console

NOTE:

It is recommended that you use OWSM policies over WebLogic policies whenever possible. You cannot mix your use of Oracle WSM and WebLogic Web service policies on the same web service

Policies



OWSM and WebLogic come with many predefined policies! The one to use largely depends on the customer’s needs:

As a general rule though you can simply consider the policies mentioned

on the next slides

Predefined Policies



By default, all the “OBIEE Web Services for SOA” are configured with a policy that requires a valid Username / Password credentials to be passed through:

The credentials are checked against whatever Identity Provider(s) is configured in WebLogic (by default, it will be its own embedded LDAP store)

In the case of OBIEE 11g, the credentials passed are stored in the “Credential Store” administered within Enterprise Manager (WebLogic Domain > Security > Credentials):

Username / Password (Token)



Although the policy “wss_username_token_service_policy” secures authentication, it does not cover all security aspects:

Confidentiality:

There is no use of public/private keys so the messages are not encrypted (usernames/passwords are not even encrypted)

Integrity:

The messages are not digitally signed, so you cannot guarantee the authenticity of the messages

NOTE: a private key is actually used to digitally sign messages

Username / Password (Token)



OWSM provides another policy “wss_username_token_with message_protection_service_policy”:

This security policy is much more secure:

Username/password credentials must be supplied

XML Messages are encrypted using public/private key

XML Messages are digitally signed using the private key

The downside is that you always have to supply a password!

You can use the “Credential Store” for this purpose, but it means you are always passing over the same credentials no matter which user is invoking the service

Username / Password (Token) with Message Protection



OWSM provides alternative policy “wss11_saml_token_with message_protection_service_policy”:

Instead of requiring a password, the client passes over a certificate which is then verified by the server (the server has a key store containing all the valid certificates)

This security policy is also very secure: Only clients with a “trusted” certificate are allowed XML Messages are encrypted using public/private key XML Messages are digitally signed using the private key

The benefit is that the username of the invoking user is propagated, so this policy supports the need for a service to run as different users. The downside is that the server has to trust that the user is valid. This method is commonly used by “partners” who need to integrate across the web and can trust each other

NOTE: The propagated user must have an entry in the recipient’s LDAP store

SAML Token with Message Protection



OWSM provides alternative policy “wss11_saml_token_with message_protection_service_policy”:

Instead of requiring a password, an X.509 certificate is passed over to the server to verify that the user has been authenticated and can be trusted (X.509 is commonly used in SSO applications)

This security policy is also very secure: Only clients with a valid X.509 certificate allowed

XML Messages are encrypted using public/private key

XML Messages are digitally signed using the private key

The username of the invoking user is propagated, so this policy supports the need for a service to run as different users. X.509 is a stronger and more secure form of SSO compared to SAML. Each user has a certificate which is tied to an individual entry in the company’s LDAP store

X509 Token with Message Protection

obiee 11g - overview of action framework

Documents