Manohar Paleti

Hyderabad, AP, India
Working as a BI Consultant. Served various organizations as an OBIEE Developer, building BI solutions for business decision making.

Tuesday, September 3, 2013

Security in OBIEE 11g

Hi Folks,

Let me walk you through the security aspects of OBIEE 11g.

OBIEE security falls into three main categories: authentication, authorization, and data-level (row-level) security.
Authentication: the first layer of the security mechanism. It validates the user's credentials (username and password) at the time of login to OBIEE Analytics.
Authorization: the process of restricting or enabling OBIEE objects for users based on their groups/application roles.
Eg: A user in the Admin group can access (view/modify/delete) the dashboards, pages or reports.
A user with the BI Author role can only view a set of dashboards/reports.
Data level or row level: the process of restricting the data/records shown in reports based on the user's access level.
Eg: A US HRMS Manager is able to see only US data, not data for other regions.

Implementation:

Security can be implemented in several ways, listed below:
Internal security: defining users, groups and roles within OBIEE (WebLogic).
External security: importing security definitions that are maintained outside of OBIEE.
LDAP and AD
Database - External Table
SSO - Typically Oracle EBS, also possible for SEDC, Hyperion and MSAS.
LDAP: Please follow the URL for a detailed document on configuring LDAP: Click here for LDAP configuration

AD: Follow the steps below to configure AD.

Below are the steps involved in configuring AD with OBIEE 11.1.1.5:
1. Log in to the WebLogic console and create a provider named BI Authenticator by navigating to Security Realms -> myrealm.
2. Change the control flag of "Default Authenticator" from REQUIRED to SUFFICIENT.
3. Change the control flag of BI Authenticator from OPTIONAL to SUFFICIENT.
4. Update the BI Authenticator provider with the details below, under the Provider Specific tab:
Sl.No  Parameter Name         Value
1      active directory host  Host name of the AD
2      port                   389
3      principal              CN=Adminusername,OU=Users,OU=,DC=domain,DC=domain
4      ssl enabled            no
5      User Base DN           DC=,DC=
6      User Name Attribute    sAMAccountName
7      User Object Class      user
8      Group Base DN          OU=,DC=,DC=corp
9      GUID Attribute
10     AllUsersFilter         (&(sAMAccountName=*)(objectclass=person))
11     AllGroupsFilter        (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
5. Reorder the providers so that BI Authenticator is at the top of the list.
6. From the EM Console, create the user.login.attr and username.attr attributes to store the identity configuration.
7. Create a custom property called virtualize with the value “true” to allow authentication from multiple providers.
8. Create a separate account in AD and add its password to the credential provider.
9. Assign the BI System role to the user.
10. Ensure that the new BI System user is part of the WebLogic Global Admin role.
11. Map the Active Directory groups to application roles and test the changes.
12. Log in to the WebLogic Server console at http://server:7001/console with the “adminuser” credentials.
13. Navigate to Home > Summary of Security Realms > myrealm > Users and Groups > adminuser
14. Click on the Groups tab and assign the groups BI Admin, BI Administrators, BI Authors, BI Consumers, SDD Retail Sales Power Users, XMLP_ADMIN and XMLP_DEVELOPER to the user adminuser.
15. Click Save to save the changes.
16. Log in to Presentation Analytics at http://server:9704/analytics with the “weblogic” user credentials.
17. Navigate to Administration > Manage Privileges
18. Grant the following privileges to the user “user”:
Access > Access to Answers
Access > Access to Dashboards
Admin: General > Manage Sessions
Admin: General > Manage Dashboards
Admin: Security > Manage Privileges
Admin: Security > Manage Catalog Groups
19. Navigate to Administration > Manage Catalog Groups
20. Add the user “adminuser” to the Catalog Groups:
BI Admin
BI Developers 
DD Retail Sales Power users
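
Steps 2, 3 and 5 change how WebLogic evaluates the provider chain; its control flags follow JAAS semantics. The following is an added example (not from the original post or from Oracle) that models that evaluation before and after those steps; the user names and store contents are constructed.

```python
# Added example: models JAAS control-flag evaluation for a WebLogic provider chain.
# User names and store contents below are constructed for illustration.

def authenticate(chain, user):
    """chain: ordered list of (provider_name, control_flag, users_it_accepts)."""
    mandatory_seen = False   # a REQUIRED/REQUISITE provider exists in the chain
    mandatory_ok = True      # every REQUIRED/REQUISITE provider so far succeeded
    optional_ok = False      # some OPTIONAL provider succeeded
    for _name, flag, accepts in chain:
        ok = user in accepts
        if flag == "REQUIRED":
            mandatory_seen = True
            mandatory_ok = mandatory_ok and ok   # continue down the list either way
        elif flag == "REQUISITE":
            mandatory_seen = True
            if not ok:
                return False                     # failure stops evaluation at once
        elif flag == "SUFFICIENT":
            if ok:
                return mandatory_ok              # success stops evaluation at once
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag: %s" % flag)
    return mandatory_ok if mandatory_seen else optional_ok

EMBEDDED_LDAP = {"weblogic"}        # constructed: account in WebLogic's embedded store
ACTIVE_DIRECTORY = {"ad_analyst"}   # constructed: account that exists only in AD

# After step 1: the new provider sits last with OPTIONAL, the default is still REQUIRED.
BEFORE = [("DefaultAuthenticator", "REQUIRED", EMBEDDED_LDAP),
          ("BI Authenticator", "OPTIONAL", ACTIVE_DIRECTORY)]
# After steps 2, 3 and 5: both SUFFICIENT, BI Authenticator first.
AFTER = [("BI Authenticator", "SUFFICIENT", ACTIVE_DIRECTORY),
         ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_LDAP)]

def report():
    """Return (user, result_before, result_after) for each sample user."""
    return [(u, authenticate(BEFORE, u), authenticate(AFTER, u))
            for u in ("ad_analyst", "weblogic", "unknown")]

if __name__ == "__main__":
    for user, before, after in report():
        print("%-10s before=%-5s after=%s" % (user, before, after))
```

With both providers set to SUFFICIENT, a match in either store is enough to log in, so accounts left in the embedded LDAP remain valid logins alongside AD.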



