Set up https (SSL) for Weblogic and OBIEE

I have been blogging about the integration between Oracle eBS and Oracle BI EE. Apart from the integration, there are a few assumptions:

  • Oracle eBS is installed
  • Oracle BI is installed
  • Oracle eBS and Oracle BI are compatible with each other (http vs. https)
  • All necessary Oracle eBS patches are installed
    • R11 check
    • R12 included
  • The Web Browser should be able to accept cookies
  • The ICX session cookie name is case-sensitive
  • Oracle eBS and Oracle BI should be installed into the same domain (machine1.domain.ext = machine2.domain.ext)

At one of our clients we were confronted with the fact that in a new environment, Oracle eBS runs on https while our Oracle BI environment was still http. This conflicts with one of the assumptions above.

This blog entry, by guest authors Menno Harzing and Rob Chou, is inspired by Debashis Paul. We have added cluster-configuration and changed the numbering.

These steps are followed to protect your data-transport from/to OBIEE via the internet.
There are two parts described below to accomplish this:

Part One – Configuration under Weblogic Console
Part Two – Configuration under OFMW Enterprise Manager

Part One – Configuration under Weblogic Console

  1. Login to Weblogic Administration Console.
  2. Click on Environments -> Servers -> AdminServer (admin) -> General tab
  3. Click Lock and Edit from the left pane.
  4. Check ‘SSL Listen Port Enabled’ and set the SSL listen port to 7022
    (this is not the default SSL port, so please check yours and modify based on that)
    This ensures that you can access the URL on port 7022 using https://
  5. Check also ‘Listen Port Enabled’ if you also want to access BI URL using http://
  6. Save the configuration
    the location of the resulting file is found at /u01/app/oracle/product/fmw/user_projects/domains/<DOMAIN_NAME>/config/config.xml
  7. Activate the changes from left pane
  8. Change BIEE_MANAGER_URL in start_stop_obiee.sh
    and ADMIN_URL in startManagedWeblogic.sh
    from t3://…PORT (e.g. 7001) to https://….:SSL-PORT (e.g. 7002)
  9. Restart the Weblogic Servers(Admin/Managed) and BI Servers components
  10. Accept the exception in the browser when it prompts for it and continue accessing the BI URL over the secure HTTPS protocol. (Note that once this has been changed to https:// you also have to access the OFMW EM Control page and the Weblogic Console page via https:// going forward.)

Part Two – Configuration under OFMW Enterprise Manager

  11. Navigate to “<OFMW Home>\user_projects\domains\bifoundation_domain\bin” and take backup of startManagedWebLogic.cmd
  12. Edit and locate section with below content (on 1 line):
    JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/cacerts" ${JAVA_OPTIONS}"
  13. Replace the above with below: (Kindly note that you have to change the OFMW Home path as applicable to your environment)
    JAVA_OPTIONS="-Djavax.net.ssl.trustStore="/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks" -Djavax.net.ssl.trustStorePassword="
  14. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  15. Log in to OFMW Enterprise Manager.
    In the next steps, SSL across all BI components will be configured via the System MBean browser.
  16. Open System MBean Browser
  17. Invoke the Lock of BIDomain.
  18. Now we have to generate the certificates required as a prerequisite for enabling SSL,
    using the specified passphrase to protect both certificate stores and private keys.
    This enables internal https calls to the web server.
    The certificate type (pem or der) must be explicitly stated.
    Navigate to oracle.biee.admin –> bifoundation_domain –> BIDomain.BIInstance.SecurityConfiguration
    and click on the BIDomain.BIInstance.SecurityConfiguration MBean.
    On the Operations tab, click on “generateSSLCertificates”.
  19. Enter the details asked for. In my case I have entered the following:
    Passphrase : <change_password>
    webServerCACertificatePath : /wlserver_10.3/server/lib/CertGenCA.der
    certificateEncoding is: der
  20. Now click on Invoke
  21. Return to the path specified in step 17
  22. Click on simpleCommit (two items below lock).
  23. Repeat step 17 to lock
  24. Enable SSL for BI_SERVER1 on Weblogic Console (the same way as part 1, step 5)
  25. Perform step 22 for simpleCommit.
  26. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  27. Go to Domain Structure – Environment – Clusters
  28. Click on Lock & Edit in top left pane
  29. Enable “Secured replication Enabled” for the cluster
  30. Click on Save at top or bottom
  31. Click on Activate Changes in top left pane
  32. Repeat step 17 to lock
  33. Click on the Attributes tab of step 8
    (at BIDOMAIN.BIINSTANCE.SECURITYCONFIGURATION)
    Click on ‘SSLEnabled’.
    Change the value to True
    Click on Apply
  34. Perform step 22 for simpleCommit.
  35. Restart all the services of Weblogic (Admin/Managed/opmnctl/Node Manager/Process Manager)
  36. Return to Step 8 and click on “runSSLReport”,
    Invoke it and find the output as below to ensure correct SSL communication across all BI components:
    Image

Thanks Menno Harzing and Rob Chou for this blogpost.
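
To check the result of the procedure above on disk, the following added example (not part of the original post) reads the domain's config.xml from step 6 and lists servers without an SSL listen port, servers whose non-SSL port is still open (step 5), and clusters without secured replication (step 29). The sample XML, the function names and the cluster element name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real domain): AdminServer has SSL on port 7022 as in
# step 4, bi_server1 is not switched yet, the cluster lacks secured replication.
SAMPLE_CONFIG = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>bifoundation_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7022</listen-port>
    </ssl>
    <listen-port>7001</listen-port>
    <listen-port-enabled>true</listen-port-enabled>
  </server>
  <server>
    <name>bi_server1</name>
    <listen-port>9704</listen-port>
  </server>
  <cluster>
    <name>bi_cluster</name>
  </cluster>
</domain>
"""


def _local(tag):
    """Strip the XML namespace so lookups work with or without it."""
    return tag.rsplit("}", 1)[-1]


def _text(parent, name, default):
    """Text of the first direct child called `name`, or `default` if absent."""
    if parent is not None:
        for child in parent:
            if _local(child.tag) == name and child.text:
                return child.text.strip()
    return default


def audit_domain(xml_text):
    """Return (object name, finding) pairs for settings the steps should change."""
    findings = []
    for el in ET.fromstring(xml_text):
        kind, name = _local(el.tag), _text(el, "name", "?")
        if kind == "server":
            ssl = next((c for c in el if _local(c.tag) == "ssl"), None)
            # config.xml omits defaults: SSL is off and the non-SSL port is on.
            if _text(ssl, "enabled", "false") != "true":
                findings.append((name, "SSL listen port not enabled"))
            if _text(el, "listen-port-enabled", "true") == "true":
                port = _text(el, "listen-port", "7001")
                findings.append((name, f"non-SSL listen port enabled ({port})"))
        elif kind == "cluster":
            # Assumption: element name derived from the console label in step 29.
            if _text(el, "secure-replication-enabled", "false") != "true":
                findings.append((name, "secured replication not enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_domain(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

An empty result means every server in the file has SSL enabled, no non-SSL listen port, and every cluster has secured replication switched on.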

Setup Oracle eBS 2 Oracle BI SSO

I made several blogposts in the past. That’s why it could be useful to collect these posts into one document. This document covers all the steps needed to integrate Oracle eBS (R12) and Oracle BI (11g) with each other. SSO might be a little bit confusing. In this case it’s meant that you can log into Oracle BI via Oracle eBS without having to log in again and while maintaining context.

Setup Oracle BIA 7963 – Data Security

Customer wants to secure their data based on things like Ledger, Company, Operating Unit, etc. All users who login via Oracle eBS should inherit (based on the current responsibility) the same security settings in Oracle BI. The following is a possible solution.

Environment

  • Oracle eBS R12.1.1
  • Oracle BI EE 11.1.1.6.0
  • Oracle BIA 7.9.6.3

Setup

The setup consists of a few different parts

Data Security

The Data Security is based on different Roles and a Profile Option assigned to the responsibilities in Oracle eBS

Oracle eBS

  • Create ‘BI Type User’-profile option
  • Assign ‘BI Type User’-profile option to Responsibility
  • Assign Responsibility to User

Each Responsibility has either a specific ‘BI Type User’-profile option or a ‘BI Type User’-profile option on Site level. A view (xx_obia_user_groups_v) in Oracle eBS ‘holds’ the profile option information.

select fpov.level_value responsibility_id
 , fpov.level_value_application_id application_id
 , 'OBIA '
 || fpov.profile_option_value autorisatierol_code
 , fl.meaning autorisatierol
 from applsys.fnd_profile_option_values fpov
 , apps.fnd_profile_options_vl fpo
 , apps.fnd_lookups fl
 where fpo.profile_option_id = fpov.profile_option_id
 and fpo.application_id = fpov.application_id
 and fpov.profile_option_value = fl.lookup_code
 and fl.lookup_type = 'BI_TYPE_GEBRUIKER'
 and fpo.profile_option_name = 'XXBI_TYPE_GEBRUIKER'
 and fpov.level_id = 10003

Oracle BI

In Oracle BI, there is an Initialization Block which populates the ROLES Session Variable:

select ( select sector
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 || ';'
 || ( select autorisatierol_code "ROLES"
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 || ';'
 || ( select responsibility_key "ROLES"
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 "ROLES"
 from DUAL

Oracle Enterprise Manager (EM)

In the EM, all the different Application Roles related to the Data Security are created.

There are a few different Application Roles:

  • Out-of-the-box
  • Data Security
  • eBS Profile

Out-of-the-Box

  • BIAdministrators
    • Administration privileges.
  • BIAuthors
    • Create, use or consume content.
  • BIConsumers
    • Use / consume content,
    • Every authenticated user.
  • BISystem
    • Component connections between products.

Data Security & eBS Profile

Oracle BI Administrator (Identity Manager)

In the Identity Manager, the Business Model Filters are applied to the Data Security Application Roles

The Business Model Filters are based on the Initialization Blocks. Some out-of-the-box, others custom.

This setup should be sufficient to apply Data Security to all queries, which query the Logical Tables with the Business Model Filters applied to it.

Note: Application roles data filters won’t apply for users with BI Administrator role.

By definition the BIAdministrator application role is granted the “oracle.bi.server.manageRepositories” permission, which is equivalent to the 10g “Administrator” user who also had unrestricted access. Hence, data filters won’t affect users with BIAdministrator Role. (source: Oracle Support)

Simulate Oracle eBS to Oracle BI login via SQL

There is an interesting (for me at least) topic on OTN about integrating Oracle eBS security into Oracle BI. It is a topic about getting Oracle eBS HR-Security to work in Oracle BI. Robin Moffatt has a blogpost about ‘Validating EBS-BI authentication, without BI’. He refers to a My Oracle Support article (758392.1), which provides some (additional) troubleshooting details.

When I want to simulate Oracle eBS to Oracle BI login via SQL, I use some SQL-statements / scripts to see what happens or at least should happen. If I need to know which HR-Orgs I could expect based on the Oracle eBS HR-Security, I use the following scripts:

Query User – Responsibility – Role

Check which responsibilities a user has within Oracle eBS.

select fu.user_id
 , frv.responsibility_id
 , fa.application_id
 , frv.responsibility_key
 , frv.responsibility_name
 from apps.fnd_responsibility_vl frv
 , applsys.fnd_application fa
 , applsys.fnd_request_groups frg
 , apps.fnd_user_resp_groups_all furga
 , applsys.fnd_user fu
 where fa.application_id = frv.application_id
 and TRUNC ( SYSDATE ) between fu.start_date
 and NVL ( fu.end_date
 , to_date ( '31-DEC-4712'
 , 'DD-MON-YYYY' ) )
 and fu.user_id = furga.user_id
 and TRUNC ( SYSDATE ) between furga.start_date
 and NVL ( furga.end_date
 , to_date ( '31-DEC-4712'
 , 'DD-MON-YYYY' ) )
 and furga.responsibility_id = frv.responsibility_id
 and frv.request_group_id = frg.request_group_id(+)
 and fu.user_name like :p_user_name
 and frv.responsibility_name like :p_responsibility_name
order by frv.responsibility_name

Execute Apps Initialize

Run the Apps Initialize script to get the session in context of the user / responsibility combination of your choice, based on the previous query.

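BEGIN
  -- Replace the arguments with actual ids; user_id, responsibility_id and
  -- application_id are returned by the previous query.
  apps.fnd_global.apps_initialize(user_id, responsibility_id, responsibility_application_id, security_group_id);
END;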

Validate the Context

Check the output of the previous step

select fnd_global.resp_id
 , fnd_global.resp_appl_id
 , fnd_global.security_group_id
 , fnd_global.resp_name
 , fnd_global.user_id
 , fnd_global.employee_id
 , fnd_global.user_name
 , ( select distinct responsibility_key
 from fnd_responsibility
 where responsibility_id = fnd_global.resp_id )
 responsibility_key
 from DUAL

Validate HR-Security

If all the above steps have completed as expected, you are able to check the query within the Oracle BI Initialization Block (IB) related to HR-Security. In my case it’s the IB ‘HR Organization’. This IB has the following query:

SELECT
 DISTINCT 'HR_ORG'
,TO_CHAR(SEC_DET.ORGANIZATION_ID)
FROM
(
SELECT
 'HR_ORG',
 ASG.ORGANIZATION_ID
FROM
 FND_USER_RESP_GROUPS URP
,FND_USER USR
,PER_SECURITY_PROFILES PSEC
,PER_PERSON_LIST PER
,PER_ALL_ASSIGNMENTS_F ASG
WHERE
 URP.START_DATE < TRUNC(SYSDATE)
AND (CASE WHEN URP.END_DATE IS NULL THEN TRUNC(SYSDATE) ELSE TO_DATE(URP.END_DATE) END) >= TRUNC(SYSDATE)
AND USR.USER_NAME = 'VALUEOF(NQ_SESSION.USER)'
AND USR.USER_ID = URP.USER_ID
AND TRUNC(SYSDATE)
 BETWEEN URP.START_DATE AND NVL(URP.END_DATE, HR_GENERAL.END_OF_TIME)
AND PSEC.SECURITY_PROFILE_ID = FND_PROFILE.VALUE_SPECIFIC('PER_SECURITY_PROFILE_ID', URP.USER_ID, URP.RESPONSIBILITY_ID, URP.RESPONSIBILITY_APPLICATION_ID)
AND PER.SECURITY_PROFILE_ID = PSEC.SECURITY_PROFILE_ID
AND PER.PERSON_ID = ASG.PERSON_ID
AND ASG.PERSON_ID = USR.EMPLOYEE_ID
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
AND URP.RESPONSIBILITY_ID = DECODE(FND_GLOBAL.RESP_ID,
 -1, URP.RESPONSIBILITY_ID,
 NULL, URP.RESPONSIBILITY_ID,
 FND_GLOBAL.RESP_ID)
UNION
SELECT DISTINCT 'HR_ORG',
 ORGANIZATION_ID
FROM PER_ALL_ASSIGNMENTS_F ASG,
 FND_USER USR
WHERE ASG.PERSON_ID = USR.EMPLOYEE_ID
AND USR.USER_NAME = 'VALUEOF(NQ_SESSION.USER)'
AND TRUNC(SYSDATE) BETWEEN ASG.EFFECTIVE_START_DATE AND ASG.EFFECTIVE_END_DATE
AND ASG.PRIMARY_FLAG = 'Y'
) SEC_DET

You should replace the ‘VALUEOF(NQ_SESSION.USER)’ part with either the user or fnd_global.user_name.

Now you are able to see whether the Initialization Block is working as expected and retrieves the same values as it does in Oracle eBS. If you can confirm these steps and the Security isn’t working, it’s probably because one of the related IBs doesn’t retrieve (all) the necessary values.

This whole post assumes that the integration is set up correctly.

Good Luck.

Upgrading from 10g to 11g (Update)

In preparation of an Oracle BI Applications (OBIA) upgrade to OBIA 7.9.6.3, I have been running the Oracle BI 11.1.1.6 Upgrade Assistant. Just to see whether we could expect (serious) issues. On the other hand I was curious how the Oracle BI 10g Security Groups would upgrade to the Oracle BI 11g Application Roles. Application Roles are managed via the Enterprise Manager (Policy Store – system-jazn-data.xml). Actually Rittman Mead are running a 5-part series on Oracle BI 11g Security at the moment.

The Oracle BI Application Security is configured as follows in Oracle BI 10g. The responsibilities in Oracle eBS are created as groups in Oracle BI. After upgrading to 11g these groups are created as Application Roles. If you check in the Oracle BI 11g Weblogic Console, you would see that the responsibilities are also created as groups. These groups are created for Authentication (confirming the identity of a user) purposes. The Application Roles are created for Authorization (specifying access rights).

I have been blogging about the upgrade from 10g to 11g earlier. There doesn’t seem to be any major difference in the Upgrade Assistant in 11.1.1.6. You basically have to follow the same steps as in the previous versions.

After the upgrade I ran the Consistency Checker. A few ‘Warnings’ caught my eye. I haven’t seen those before so I guess they are introduced in Oracle BI 11g.

–> NQSError 39051 (Warnings) – Application Role “*****” is not defined in the Enterprise Manager.

There are 2 options to solve these errors:

Remove the Application Role from ….

  • …. the Policy Store via the Enterprise Manager
  • …. the Repository (RPD) via the Identity Manager in the Oracle BI Administration Tool.

–> NQSError 39062 (Warnings) Initialization Block ‘*****’ uses Connection Pool ‘”*****”.”*****”‘ which is used for report queries. This may impact query performance.

It’s common practice to create an additional Initialization Block for Session variables. Check Nicolas’ blog for more details on the Oracle BI Connection Pools.

Cheers.

SLS: Subledger Security

I am in the process of implementing security for Oracle BI Apps 7.9.6 in an Oracle eBS R12 environment. One of the requirements is Subledger Security (User Guide, My Oracle Support).

As per the documentation; Subledger Security is an extension to Oracle Financials that enables the user to selectively partition data within a single install of Oracle Financials. Subledger Security provides a system where all business units can access their own financial information only.

In my client’s case it makes it possible to secure parties, customers and suppliers. Certain customers are only visible for selected responsibilities within the same operating unit.

For implementing the security I am interested in the database-implementation of SLS. Check the following diagram:

For all the Subledger Security tables you have to refer to the IGI schema in Oracle eBS:

Whether Subledger Security is applied depends on two profiles:

  • ‘Subledger Security : Security Group’
  • ‘Subledger Security : SLS Responsibility’

A query to retrieve the values of these profiles could be:

SELECT r.responsibility_id ,
  r.responsibility_key ,
  r.responsibility_name ,
  nvl(sr.profile_option_value, 'N') sls_responsibility ,
  nvl(sg.profile_option_value, 'No SLS Responsibility') sls_security_group ,
  nvl(i.sls_group, 'No SLS Responsibility') sls_group
FROM
  (SELECT t.profile_option_name ,
    t.user_profile_option_name ,
    v.level_id ,
    v.profile_option_value ,
    r.responsibility_id ,
    r.responsibility_key ,
    r.responsibility_name
  FROM fnd_profile_options_tl t ,
    fnd_profile_options p ,
    fnd_profile_option_values v ,
    fnd_responsibility_vl r
  WHERE t.profile_option_name    = p.profile_option_name
  AND p.application_id           = v.application_id
  AND p.profile_option_id        = v.profile_option_id
  AND r.responsibility_id        = v.level_value
  AND v.level_id                 = 10003 -- Responsibility
  AND t.user_profile_option_name = 'Subledger Security : Security Group'
  AND t.language                 = 'US'
  ) sg ,
  (SELECT t.profile_option_name ,
    t.user_profile_option_name ,
    v.level_id ,
    v.profile_option_value ,
    r.responsibility_id ,
    r.responsibility_key ,
    r.responsibility_name
  FROM fnd_profile_options_tl t ,
    fnd_profile_options p ,
    fnd_profile_option_values v ,
    fnd_responsibility_vl r
  WHERE t.profile_option_name    = p.profile_option_name
  AND p.application_id           = v.application_id
  AND p.profile_option_id        = v.profile_option_id
  AND r.responsibility_id        = v.level_value
  AND v.level_id                 = 10003 -- Responsibility
  AND t.user_profile_option_name = 'Subledger Security : SLS Responsibility'
  AND t.language                 = 'US'
  ) sr ,
  igi_sls_groups i,
  fnd_responsibility_vl r
WHERE sr.responsibility_id = sg.responsibility_id (+)
AND sr.responsibility_id (+)  = r.responsibility_id
AND i.sls_group (+)        = sg.profile_option_value ;

Other queries to find out which data a responsibility is allowed to view:

The query below gives insight into the available SLS Security Groups, e.g. ‘AR Security for Dept A’.

SELECT sls_group --'AR Security for Dept A'
FROM   igi_sls_groups
WHERE  sls_group_type = 'S';

The query below gives insight in which tables are ‘SLS Security’-enabled within a certain SLS Security Group.

SELECT sls_group --'AR Security for Dept A'
,      table_name -- HZ_PARTIES 
FROM   igi_sls_enabled_alloc_v;

The query below gives insight in which ‘IG_SLS_#’-table the ‘SLS-Security’-details are stored. Depending on the configuration, multiple ‘IG_SLS_#’-tables  (IG_SLS_1, IG_SLS_2, IG_SLS_3, IG_SLS_4, IG_SLS_5, etc.) can exist.

SELECT owner -- AR
,      table_name -- HZ_PARTIES
,      sls_table_name -- IG_SLS_1 
FROM igi_sls_secure_tables;

The query below gives insight in the actual id’s which are secured by the ‘SLS-Security’-settings. The rowid of the source table is stored in the ‘IG_SLS_#’-table.

SELECT sls1.sls_rowid    
,      sls1.sls_sec_grp    
,      p1.party_id    
,      p1.party_number    
,      p1.party_name 
FROM   igi_sls_1 sls1 -- HZ_PARTIES    
,      hz_parties p1
WHERE  p1.ROWID = sls1.sls_rowid;

Using these queries, you should be able to select which IDs are available to a selected responsibility. Within the Oracle eBS R12 application, this is managed by policies (VPD – Virtual Private Database, RLS – Row Level Security).

Check the following query to see how it’s set up:

select object_owner --'AR'
,      object_name  -- 'HZ_PARTIES'
,      policy_name  -- 'IGI_SLS_3_POL'
,      pf_owner     -- 'APPS'
,      function     --'IGI_SLS_1_FUN'
from   dba_policies
where  policy_name like 'IGI%'

With this information I am able to build ‘SLS Security’ into Oracle BI Applications.

UDML – Scripting

One of my clients wants to add loads of Security Groups into the repository. Of course this can be done manually, but in this case it would be better to script these groups into the database. I knew that UDML is an undocumented feature in Oracle BI 10g. If you perform a search on Google, you could find enough information. I used the information provided by Venkat and Andreas.

There was one thing I couldn’t find out directly. I was looking for a possibility to nest Security Groups. It was not clear to me what the syntax should be. Again UDML to the rescue. You can use it to script something into the repository. The other way around works as well. What I did was, I created a nested Security Group manually.

Now I was able to extract the UDML-syntax from the repository:

G:\Oracle\10g\OracleBI\server\Bin\nQUDMLGen.exe -U Administrator -P Administrator -R "Y:\webLog\OBIBB\OBIBB - UDML\groupImport.rpd" -O "Y:\webLog\OBIBB\OBIBB - UDML\securityUDML.txt"  -S

 The ‘-S’  is for generating script for only security objects.

Output for ‘securityUDML.txt’ is as follows;

DECLARE REPOSITORY PROPERTIES (
 'CustomPresentationLayer' = '01',
 'PersistedNextUpgradeID' = '0A000000');
VERSION 1.1.184;
DECLARE SECURITY ROLE "Administrators" AS "Administrators" UPGRADE ID 2
 HAS USERS (
    "Administrator" )
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group01a" AS "Group01a" UPGRADE ID 4
 INHERITS FROM (
    "ManualGroup" )
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group01b" AS "Group01b" UPGRADE ID 6
 INHERITS FROM (
    "ManualGroup" )
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "ManualGroup" AS "ManualGroup" UPGRADE ID 9
 PROPAGATES TO (
    "Group01a",
    "Group01b" )
 PRIVILEGES ( READ);
DECLARE USER "Administrator" AS "Administrator" UPGRADE ID 3 FULL NAME {} PASSWORD 'D7EDED84BC624A917F5B462A4DCA05CDCE256EEEEEDC97D5213DF9555A8D6E566A4A72028AAD1FC28AA7433B66F722D0CEE88C996D2D894F' NEVER EXPIRES
 HAS ROLES (
    "Administrators" )
 PRIVILEGES ( READ);

Looking at this output, you see that the subgroup ‘INHERITS FROM’ the parent group. The parent group ‘PROPAGATES TO’ the subgroup.

Now using the following script I should be able to import subgroups and parentgroups into the repository:

DECLARE SECURITY ROLE "Group01a" AS "Group01a"
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group01b" AS "Group01b"
 PRIVILEGES ( READ); 
DECLARE SECURITY ROLE "Group02a" AS "Group02a"
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group02b" AS "Group02b"
 PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group01" AS "Group01"
PROPAGATES TO ("Group01a", "Group01b")
PRIVILEGES ( READ);
DECLARE SECURITY ROLE "Group02" AS "Group02"
PROPAGATES TO ("Group02a", "Group02b")
PRIVILEGES ( READ)
;

By using the nqudmlexec-executable, you should be able to import the parentgroups (“Group01” , “Group02”) and subgroups(“Group01a”, “Group01b”, “Group02a”, “Group02b”) into the repository.
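
For loads of groups, the import script itself can be generated. The following is an added example, not part of the original post: a Python generator that emits the DECLARE SECURITY ROLE / PROPAGATES TO syntax shown above from a parent-to-subgroups mapping, rejects names that would break out of the quoted identifier, and refuses cyclic nesting. The mapping format, the allowed character set and the function name are assumptions.

```python
import re

# Assumption: group names are limited to a conservative character set. Names
# often come from another system (e.g. eBS responsibilities); a double quote
# or semicolon inside a name would change the meaning of the generated UDML.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_ .-]{1,128}")

# Constructed sample: the parent groups and subgroups used in the post.
SAMPLE_NESTING = {
    "Group01": ["Group01a", "Group01b"],
    "Group02": ["Group02a", "Group02b"],
}


def generate_udml(nesting):
    """Build UDML for `nesting` (parent group -> list of subgroups).

    Subgroups are declared before the parent that propagates to them.
    Raises ValueError on an unsafe name or on cyclic nesting.
    """
    order, state = [], {}

    def visit(group, path):
        if not _SAFE_NAME.fullmatch(group):
            raise ValueError(f"unsafe group name: {group!r}")
        if state.get(group) == "done":
            return
        if state.get(group) == "open":
            raise ValueError("cyclic nesting: " + " -> ".join(path + [group]))
        state[group] = "open"
        for child in nesting.get(group, ()):
            visit(child, path + [group])
        state[group] = "done"
        order.append(group)

    for group in nesting:
        visit(group, [])

    statements = []
    for group in order:
        lines = [f'DECLARE SECURITY ROLE "{group}" AS "{group}"']
        children = nesting.get(group)
        if children:
            quoted = ", ".join(f'"{c}"' for c in children)
            lines.append(f" PROPAGATES TO ({quoted})")
        lines.append(" PRIVILEGES ( READ);")
        statements.append("\n".join(lines))
    return "\n".join(statements) + "\n"


if __name__ == "__main__":
    print(generate_udml(SAMPLE_NESTING), end="")
```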

I hope the same is possible for Catalog Groups. More to come.