After we solve that problem we can't save the analysis with the scary note:
" Catalog object privilege validation failed for user to path XXXXXXXXX. You do not currently have sufficient privileges to save a report or dashboard page that contains HTML markup. Custom column format may contain HTML tags, only the following formats may currently be used: 'Plain text', 'Plain text (don't break spaces)'. "
For the first we should add the following 3 lines in instanceconfig.xml.
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<Enable>false</Enable>
</ContentSecurityPolicy>
</Security>
***** see better and secure option bellow.
For the second (saving) one more line.
Both under the security section.
This is for version 12.2.1.3 - true value for EnableSavingContentWithHTML:
(this option also returns the option of "Contains HTML Markup" in text object of dashboard)
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<Enable>false</Enable>
</ContentSecurityPolicy>
<EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
</Security>
I didn't test it, but I believe this is for versions 12 under 12.2.1.3 - false value for CheckUrlFreshness:
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<Enable>false</Enable>
</ContentSecurityPolicy>
<CheckUrlFreshness>false</CheckUrlFreshness>
</Security>
Next restart the presentation server (OBIPS)
As a result I can see images:
And the analysis can be saved.
***** a better and secure option
Following Gianni Ceresa advise, lets make it smarter. The <Enable>false<Enable> means we allow any source, and that is not very secure. It's better to allow specific sources.
For example the Pikachu picture comes from the site https://assets.pokemon.com
So I'll allow external sources only from that site.
Instead of:
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<Enable>false</Enable>
</ContentSecurityPolicy>
</Security>
In ContentSecurityPolicy I will add a Directive with the value of the site.
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<PolicyDirectives>
<Directive>
<Name>img-src</Name>
<Value>https://assets.pokemon.com</Value>
</Directive>
</PolicyDirectives>
</ContentSecurityPolicy>
</Security>
The picture that comes from URL: https://assets.pokemon.com/static2/_ui/img/chrome/external_link_bumper.png still works fine but if I try to use instead a picture of a Snorlax from the URL https://rankedboost.com/wp-content/plugins/ice/pokemon-go/Snorlax-Pokemon-Go.png it will not work:
As you might guess, it's not because OBIEE prefers Pikachu, but because I didn't allow anything from site https://rankedboost.com.
I'll add it to the Value like this:
<Security>
<ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
<ContentSecurityPolicy>
<PolicyDirectives>
<Directive>
<Name>img-src</Name>
<Value>https://assets.pokemon.com https://rankedboost.com</Value>
</Directive>
</PolicyDirectives>
</ContentSecurityPolicy>
</Security>
Restart OBIPS and....
You can see a deeper dive into CSP here: https://gianniceresa.com/2016/10/google-map-in-an-obiee-12c-analysis/
Just a reminder to myself, Oracle BI12c: placing custom images in BI Server and reference using fmap from https://biapplications.wordpress.com.
Moshe, hope it helps. Best wishes for next year.
