Hi Folks,
Let me walk you through the security aspects of OBIEE 11g.
OBIEE security is mainly categorized into authentication, authorization and data-level (row-level) security.
Authentication: the first layer of the security mechanism, validating the user's credentials (username and password) at the time of login to OBIEE Analytics.
Authorization: the process of restricting or enabling OBIEE objects for users based on the user's groups/application roles.
Eg: A user in the Admin group can view, modify and delete dashboards, pages or reports.
A user with the BI Author role can only view a set of dashboards/reports.
Data level or row level: the process of restricting the data/records shown in reports based on the user's access level.
Eg: A US HRMS Manager is able to see only US data, not data for other regions.
Implementation:
Security can be implemented in several ways, listed below:
Internal security: defining users, groups and roles within OBIEE (WebLogic).
External security: importing security definitions that are maintained outside of OBIEE:
LDAP and AD
Database - External Table
SSO - Typically Oracle EBS, also possible for SEDC, Hyperion and MSAS.
LDAP: please follow the URL for a detailed document on configuring LDAP: Click here for LDAP configuration
AD: follow the steps below to configure AD.
Below are the steps involved in configuring AD with OBIEE 11.1.1.5:
1. Log in to the WebLogic console and create a provider named BI Authenticator by navigating to Security Realms -> myrealm.
2. Change the control flag of "Default Authenticator" from REQUIRED to SUFFICIENT.
3. Change the control flag of BI Authenticator from OPTIONAL to SUFFICIENT.
4. Update the BI Authenticator provider with the details below under the Provider Specific tab:
Sl.No | Parameter Name        | Value
1     | active directory host | Host name of the AD
2     | port                  | 389
3     | principal             | CN=Adminusername,OU=Users,OU=,DC=domain,DC=domain
4     | ssl enabled           | no
5     | User Base DN          | DC=,DC=
6     | User Name Attribute   | sAMAccountName
7     | User Object Class     | user
8     | Group Base DN         | OU=,DC=,DC=corp
9     | GUID Attribute        |
10    | AllUsersFilter        | (&(sAMAccountName=*)(objectclass=person))
11    | AllGroupsFilter       | (&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
5. Reorder the providers to make sure that BI Authenticator is at the top of the list.
6. From the EM console, create the user.login.attr and username.attr attributes to store the identity configuration.
7. Create a custom property called virtualize with the value "true" to allow authentication from multiple providers.
8. Create a separate account in AD and add its password in the credential provider.
9. Assign the BI System role to this user.
10. Ensure that the new BI System user is a member of the WebLogic Global Admin role.
11. Map the Active Directory groups to application roles and test the changes.
12. Log in to the WebLogic server console at http://server:7001/console with the "adminuser" credentials.
13. Navigate to Home > Summary of Security Realms > myrealm > Users and Groups > adminuser
14. Click on the Groups tab and assign the groups BI Admin, BI Administrators, BI Authors, BI Consumers, SDD Retail Sales Power Users, XMLP_ADMIN and XMLP_DEVELOPER to the user adminuser.
15. Click Save to save the changes.
16. Log in to Presentation Services (Analytics) at http://server:9704/analytics with the "weblogic" user credentials.
17. Navigate to Administration > Manage Privileges
18. Grant the following privileges to the user "user":
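Steps 1 to 5 above can also be scripted with WLST instead of clicked through the console. The script below is an added example, not from the original post; the host name, DNs, passwords and the admin URL are placeholders, and the MBean setter names are assumed to be the standard WebLogic ActiveDirectoryAuthenticator attributes matching the table in step 4.

```jython
# Added example (not from the original post): WLST script that creates the
# BIAuthenticator AD provider with the step 4 parameters, sets both control
# flags to SUFFICIENT and moves the new provider to the top of the list.
# Host, DNs, passwords and URL are placeholders; replace them for your domain.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL = 't3://server:7001'          # WebLogic admin server (placeholder)
connect('weblogic', 'weblogic_password', ADMIN_URL)

edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()   # "myrealm"

# Step 1: create the provider (WebLogic's ActiveDirectoryAuthenticator type).
ad = realm.createAuthenticationProvider(
    'BIAuthenticator',
    'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')

# Step 4: provider-specific settings, one per table row.
ad.setHost('ad.example.corp')                      # active directory host
ad.setPort(389)                                    # port
ad.setPrincipal('CN=Adminusername,OU=Users,DC=example,DC=corp')
ad.setCredential('ad_bind_password')               # read-only bind account
ad.setSSLEnabled(false)                            # table value "no": the bind
#   password then crosses the network in clear text on 389; port 636 with
#   SSL enabled is the hardened setting for anything beyond a lab.
ad.setUserBaseDN('DC=example,DC=corp')
ad.setUserNameAttribute('sAMAccountName')
ad.setUserObjectClass('user')
ad.setGroupBaseDN('OU=Groups,DC=example,DC=corp')
ad.setAllUsersFilter('(&(sAMAccountName=*)(objectclass=person))')
ad.setAllGroupsFilter(
    '(&(cn=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))')

# Steps 2 and 3: both authenticators SUFFICIENT, so a user found in either
# one is authenticated and a miss in one falls through to the next provider.
ad.setControlFlag('SUFFICIENT')
realm.lookupAuthenticationProvider('DefaultAuthenticator').setControlFlag('SUFFICIENT')

# Step 5: reorder so BIAuthenticator is consulted first.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != 'BIAuthenticator']
realm.setAuthenticationProviders(jarray.array([ad] + others, AuthenticationProviderMBean))

save()
activate(block='true')   # restart the admin and managed servers afterwards
disconnect()
```

Run it with wlst.sh from the WebLogic domain's bin directory; the console shows the same provider list afterwards, which is the quickest check that steps 1 to 5 took effect.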
Access > Access to Answers
Access > Access to Dashboards
Admin: General > Manage Sessions
Admin: General > Manage Dashboards
Admin: Security > Manage Privileges
Admin: Security > Manage Catalog Groups
19. Navigate to Administration > Manage Catalog Groups
20. Add the user “adminuser” to the Catalog Groups:
BI Admin
BI Developers
DD Retail Sales Power users