OBIEE 12 introduced a security enhancement. As a result, with a default installation, images added through "Image URL" are not displayed (the image is empty).
Once that problem is solved, saving the analysis fails with this scary note:
" Catalog object privilege validation failed for user to path XXXXXXXXX.
You do not currently have sufficient privileges to save a report or
dashboard page that contains HTML markup. Custom column format may
contain HTML tags, only the following formats may currently be used:
'Plain text', 'Plain text (don't break spaces)'. "
For the first problem, we should add the following 3 lines (the ContentSecurityPolicy element) to instanceconfig.xml.
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <Enable>false</Enable>
  </ContentSecurityPolicy>
</Security>
***** See the better and more secure option below.
For the second problem (saving), one more line is needed.
Both go under the Security section.
This is for version 12.2.1.3: set EnableSavingContentWithHTML to true
(this option also brings back the "Contains HTML Markup" option in the text object of a dashboard):
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <Enable>false</Enable>
  </ContentSecurityPolicy>
  <EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
</Security>
I didn't test it, but I believe this is for versions 12 under 12.2.1.3 - false value for CheckUrlFreshness:
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <Enable>false</Enable>
  </ContentSecurityPolicy>
  <CheckUrlFreshness>false</CheckUrlFreshness>
</Security>
Next, restart the presentation server (OBIPS).
As a result I can see images:
And the analysis can be saved.
***** A better and more secure option
Following Gianni Ceresa's advice, let's make it smarter. <Enable>false</Enable> means we allow any source, and that is not very secure. It's better to allow specific sources.
For example, the Pikachu picture comes from the site https://assets.pokemon.com
So I'll allow external sources only from that site.
Instead of:
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <Enable>false</Enable>
  </ContentSecurityPolicy>
</Security>
In ContentSecurityPolicy I will add a Directive with the value of the site.
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <PolicyDirectives>
      <Directive>
        <Name>img-src</Name>
        <Value>https://assets.pokemon.com</Value>
      </Directive>
    </PolicyDirectives>
  </ContentSecurityPolicy>
</Security>
The picture that comes from the URL https://assets.pokemon.com/static2/_ui/img/chrome/external_link_bumper.png still works fine, but if I try to use a picture of a Snorlax from the URL https://rankedboost.com/wp-content/plugins/ice/pokemon-go/Snorlax-Pokemon-Go.png instead, it will not work:
As you might guess, it's not because OBIEE prefers Pikachu, but because I didn't allow anything from the site https://rankedboost.com.
I'll add it to the Value like this:
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <PolicyDirectives>
      <Directive>
        <Name>img-src</Name>
        <Value>https://assets.pokemon.com https://rankedboost.com</Value>
      </Directive>
    </PolicyDirectives>
  </ContentSecurityPolicy>
</Security>
Restart OBIPS and....
You can see a deeper dive into CSP here: https://gianniceresa.com/2016/10/google-map-in-an-obiee-12c-analysis/
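The Security settings discussed in this post can be checked offline before restarting OBIPS. The following is an added example, not code from the post or from Oracle: it parses a Security fragment like the ones shown here (the sample is constructed from them), flags the permissive settings, and tests whether an image URL matches a listed img-src source. It assumes a fragment without an XML namespace, matches on exact scheme and host only, and ignores any default sources OBIPS adds itself; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the <Security> fragments from the post, combined.
SAMPLE = """<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <ContentSecurityPolicy>
    <PolicyDirectives>
      <Directive>
        <Name>img-src</Name>
        <Value>https://assets.pokemon.com https://rankedboost.com</Value>
      </Directive>
    </PolicyDirectives>
  </ContentSecurityPolicy>
  <EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
</Security>"""

def audit_security(xml_text):
    """Return (findings, directives) for one <Security> element."""
    sec = ET.fromstring(xml_text)
    findings, directives = [], {}
    csp = sec.find("ContentSecurityPolicy")
    if csp is not None:
        # <Enable>false</Enable> switches the policy off entirely.
        if (csp.findtext("Enable") or "").strip().lower() == "false":
            findings.append("CSP disabled: any origin may be loaded")
        for d in csp.iter("Directive"):
            name = (d.findtext("Name") or "").strip()
            directives[name] = (d.findtext("Value") or "").split()
    if (sec.findtext("EnableSavingContentWithHTML") or "").strip().lower() == "true":
        findings.append("EnableSavingContentWithHTML=true: saved content may carry HTML")
    # Wildcards and plain-http sources weaken an otherwise specific allowlist.
    for name, sources in directives.items():
        for s in sources:
            if s == "*" or s.startswith("http://"):
                findings.append(f"{name}: weak source {s}")
    return findings, directives

def image_allowed(url, directives):
    """True if url's scheme://host equals an explicit img-src source."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}".lower()
    return any(origin == s.rstrip("/").lower() for s in directives.get("img-src", []))
```

Running `audit_security` on the first variant in the post (CSP disabled) returns the "CSP disabled" finding and no directives, so `image_allowed` has nothing to match against.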
Just a reminder to myself, Oracle BI12c: placing custom images in BI Server and reference using fmap from https://biapplications.wordpress.com.
Moshe, hope it helps. Best wishes for next year.
Thanks Boris,
It surely solved the issue.
My deep appreciation for your knowledge, abilities and will.
Thanks for the help over the last 10 years.
Moshe
Interesting post. I would add that it's better to configure CSP to allow loading pictures from a whitelisted domain instead of turning off CSP completely, which opens the door to XSS & co. Same file and almost the same amount of XML.
Thank you. Updated following your advice.
Thank you, the post helped me!!