BI Catalog Files! How it works – The Security & Privileges


As we all know, compared to its predecessor Siebel, where the whole catalog was stored in a single .webcat file, Oracle has done away with the single-file concept: all the catalog components, including the privileges on them, are now stored on disk (the OS file system) itself as files and folders. The reason is simple: maintainability, scalability and ease of migration.

File/folder names are based on the OBI display names of dashboards, pages etc. The name is URL-encoded and all in lower case, i.e.

Object Name => object+name

Every file and folder of the catalog now has an associated “.atr” file:
– object+name
– object+name.atr

For e.g.: the dashboard Ranks & Toppers becomes the folder “ranks+&+toppers” inside “_portal”, with an associated “ranks+&+toppers.atr” file holding its permissions.

Even the users and groups have their associated permissions maintained under “/<root>/system/security/users” and “/<root>/system/security/groups”.

Apart from that, other system-related global privileges are maintained under the files below:

“/<root>/system/privs”
– /catalog
» /changepermissionsprivilege
» /changepermissionsprivilege.atr
» /maintenancemodeprivilege
» /maintenancemodeprivilege.atr
– /generalprivs
» /global+admin
» /global+admin.atr
» /global+answers
» /global+answers.atr
» /global+portal
» /global+portal.atr
– /security
» /administerprivs
» /administerprivs.atr
» /takeownershipprivs
» /takeownershipprivs.atr

Let's examine how these privilege files have their security bytes assigned, using the Linux command “xxd” to dump the binary file as hex:

a) Privilege file:

– The number of accounts granted this privilege is located at byte 12.
– The account list starts at byte 13.
» Each account listed takes 13 bytes
» The first 2 bytes always seem to be 00 01
» The next 8 bytes are the HEX ID of the account
» The next 2 bytes determine whether the privilege is granted or explicitly denied
◊ FF FF – Granted (for the first entry in the list)
◊ 01 00 – Granted (for other entries in the list)
◊ 00 00 – Explicitly denied
» The next byte always seems to be 00

b) privilege.atr file:
– Byte 5 contains the length of the display name.
– Byte 9 is where the display name starts.

c) object+name.atr file:
– Byte 4 contains the length of the object name, which starts at byte 8
– Byte 8 – start of the name of the object in nice form, including caps and spaces.
– Byte (11 + value of byte 4) – contains the HEX ID of the owner of this object – 8 bytes
– Byte (19 + value of byte 4) – contains the number of permissions that have been assigned, in our case to groups.
– Next, each permission is represented in a 13 byte block.
» The first 2 bytes always seem to be 00 01
» The next 8 bytes of the block contain the HEX ID of the user or group.
» The next 2 bytes contain the permission granted.
◊ FF FF – Full Control
◊ 0F 00 – Change/Modify
◊ 03 00 – Read
◊ 02 00 – Traverse
◊ 00 00 – No Access
» The last byte always seems to be 00
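As an added example (not from the original post, and not Oracle's own code), here is a small Python parser for layouts a) and c) above, handy for auditing which accounts hold a privilege and which groups hold what permission on an object. It assumes single-byte counts and lengths, 0-based offsets as printed by xxd, and that the unlisted bytes are filler; the sample bytes are constructed, not taken from a real catalog.

```python
# Grant flags in a privilege file (the 2 bytes after the 8-byte account ID).
PRIV_FLAGS = {b"\xff\xff": "Granted", b"\x01\x00": "Granted",
              b"\x00\x00": "Explicitly denied"}
# Permission values in an object+name.atr file.
ATR_PERMS = {b"\xff\xff": "Full Control", b"\x0f\x00": "Change/Modify",
             b"\x03\x00": "Read", b"\x02\x00": "Traverse", b"\x00\x00": "No Access"}
ENTRY_LEN = 13  # 00 01 + 8-byte ID + 2-byte flag + trailing 00

def _parse_entries(data, start, count, table):
    """Decode `count` 13-byte entries beginning at offset `start`."""
    entries = []
    for i in range(count):
        block = data[start + i * ENTRY_LEN: start + (i + 1) * ENTRY_LEN]
        if len(block) < ENTRY_LEN:
            raise ValueError("truncated entry %d" % i)
        if block[:2] != b"\x00\x01" or block[12] != 0:
            raise ValueError("unexpected framing in entry %d: %s" % (i, block.hex()))
        flag = block[10:12]
        entries.append((block[2:10].hex(), table.get(flag, "Unknown (%s)" % flag.hex())))
    return entries

def parse_privilege_file(data):
    """Return [(account_hex_id, 'Granted' | 'Explicitly denied'), ...]."""
    count = data[12]  # assumption: single-byte count; offsets 0-based as shown by xxd
    return _parse_entries(data, 13, count, PRIV_FLAGS)

def parse_object_atr(data):
    """Return (display_name, owner_hex_id, [(principal_hex_id, permission), ...])."""
    name_len = data[4]  # assumption: single-byte length
    name = data[8:8 + name_len].decode("utf-8", errors="replace")
    owner = data[11 + name_len:19 + name_len].hex()
    count = data[19 + name_len]
    return name, owner, _parse_entries(data, 20 + name_len, count, ATR_PERMS)

def _entry(hex_id, flag):  # helper to build constructed sample entries
    return b"\x00\x01" + bytes.fromhex(hex_id) + flag + b"\x00"

# Constructed sample privilege file: 12 filler bytes, count=2, one grant, one deny.
SAMPLE_PRIV = (bytes(12) + b"\x02" + _entry("0000000000000001", b"\xff\xff")
               + _entry("0000000000000002", b"\x00\x00"))
# Constructed sample object .atr for the "Ranks & Toppers" dashboard (filler bytes zero).
_NAME = b"Ranks & Toppers"
SAMPLE_ATR = (bytes(4) + bytes([len(_NAME)]) + bytes(3) + _NAME + bytes(3)
              + bytes.fromhex("00000000000000aa") + b"\x02"  # owner ID, 2 permissions
              + _entry("00000000000000bb", b"\x0f\x00")
              + _entry("00000000000000cc", b"\x03\x00"))
```

On a real catalog, pass `open(path, "rb").read()` to the matching function and compare the returned IDs against the entries under `/<root>/system/security/users` and `/groups`.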

Thanks to Calpoly for this amazing info!
