OBIEE - Security
  • Date: 2024-11-03


OBIEE security is defined by the use of a role-based access control model. It is defined in terms of roles that are assigned to different directory server groups and users. In this chapter, we will discuss the components that make up a security policy.

One can define a security structure with the following components −

    The directory server users and groups managed by the Authentication provider.

    The application roles managed by the Policy store, which provide the security policy with the following components: Presentation Catalog, repository, policy store.

OBIEE Security

Security Providers

A security provider is called to obtain security information. The following types of security providers are used by OBIEE −

    Authentication provider to authenticate users.

    Policy store provider is used to give privileges on all applications except for BI Presentation Services.

    Credential store provider is used to store credentials used internally by the BI application.

Security Policy

Security policy in OBIEE is divided into the following components −

    Presentation Catalog

    Repository

    Policy Store

Presentation Catalog

It defines the catalog objects and Oracle BI Presentation Services functionality.

Oracle BI Presentation Services Administration

It enables you to set privileges for users to access features and functions such as editing views and creating agents and prompts.

Presentation Catalog privileges govern access to Presentation Catalog objects, as defined in the Permission dialog.

Presentation Services administration does not have its own authentication system; it relies on the authentication system that it inherits from the Oracle BI Server. All users who sign in to Presentation Services are granted the Authenticated User role and any other roles that they were assigned in Fusion Middleware Control.

You can assign permissions in one of the following ways −

    To application roles − The most recommended way of assigning permissions and privileges.

    To individual users − You can assign permissions and privileges to specific users, but this is difficult to manage.

    To Catalog groups − This was used in previous releases and is maintained for backward compatibility.

Repository

This defines which application roles and users have access to which items of metadata within the repository. The Security Manager in the Oracle BI Administration Tool enables you to perform the following tasks −

    Set permissions for business models, tables, columns, and subject areas.

    Specify database access for each user.

    Specify filters to limit the data accessible by users.

    Set authentication options.

Policy Store

It defines BI Server, BI Publisher, and Real Time Decisions functionality that can be accessed by given users or users with given Application Roles.

Authentication and Authorization

Authentication

The authentication provider in the Oracle WebLogic Server domain is used for user authentication. This authentication provider accesses user and group information stored in the LDAP server in Oracle Business Intelligence's Oracle WebLogic Server domain.

To create and manage users and groups in an LDAP server, Oracle WebLogic Server Administration Console is used. You can also choose to configure an authentication provider for an alternative directory. In this case, Oracle WebLogic Server Administration Console enables you to view the users and groups in your directory; however, you need to continue to use the appropriate tools to make any modifications to the directory.

Example − If you reconfigure Oracle Business Intelligence to use OID, you can view users and groups in Oracle WebLogic Server Administration Console but you must manage them in OID Console.

Authorization

Once authentication is done, the next step in security is to ensure that the user can do and see what they are authorized to do. Authorization for Oracle Business Intelligence 11g is managed by a security policy defined in terms of Application Roles.

Application Roles

Security is normally defined in terms of Application roles that are assigned to directory server users and groups. Example: the default Application roles are BIAdministrator, BIConsumer, and BIAuthor.

An Application role is a functional role assigned to a user, which gives that user the privileges required to perform that role. Example: a Marketing Analyst Application role might grant a user access to view, edit and create reports on a company's marketing pipeline.

This mapping between Application roles and directory server users and groups allows the administrator to define the Application roles and policies without creating additional users or groups in the LDAP server. Application roles allow a business intelligence system to be easily moved between development, test and production environments.

This doesn't require any change in the security policy; all that is required is to assign the Application roles to the users and groups available in the target environment.

Application Roles

The group named BIConsumers contains user1, user2, and user3. Users in the group BIConsumers are assigned the Application role BIConsumer, which enables the users to view reports.

The group named BIAuthors contains user4 and user5. Users in the group BIAuthors are assigned the Application role BIAuthor, which enables the users to create reports.

The group named BIAdministrators contains user6, user7, and user8. Users in the group BIAdministrators are assigned the Application role BIAdministrator, which enables the users to manage repositories.
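
The following sketch is an added example, not Oracle code or part of the original tutorial. It models the group-to-role mapping described above as plain Python data, resolves a user's effective roles, and audits the role assignments for direct user grants and for groups missing from the directory. The test-environment groups, the direct grant to user1, and all function names are assumptions made for illustration.

```python
# Added example: all data is constructed from the tutorial's sample groups.
AUTHENTICATED = "Authenticated User"  # granted to every signed-in user

# Security policy: application role -> privileges. Identical in every environment.
POLICY = {
    "BIConsumer": {"view reports"},
    "BIAuthor": {"create reports"},
    "BIAdministrator": {"manage repositories"},
}

# Directory contents, owned by the authentication provider of each environment.
PROD_GROUPS = {
    "BIConsumers": {"user1", "user2", "user3"},
    "BIAuthors": {"user4", "user5"},
    "BIAdministrators": {"user6", "user7", "user8"},
}
TEST_GROUPS = {"qa-readers": {"tester1"}, "qa-admins": {"tester2"}}  # hypothetical

# Role assignments: the only part that changes when moving environments.
PROD_GRANTS = {
    "BIConsumer": {"groups": {"BIConsumers"}, "users": set()},
    "BIAuthor": {"groups": {"BIAuthors"}, "users": {"user1"}},  # constructed direct grant
    "BIAdministrator": {"groups": {"BIAdministrators"}, "users": set()},
}
TEST_GRANTS = {
    "BIConsumer": {"groups": {"qa-readers"}, "users": set()},
    "BIAdministrator": {"groups": {"qa-admins", "qa-ops"}, "users": set()},
}

def effective_roles(user, groups, grants):
    """Roles a user holds through group membership or a direct grant."""
    roles = {AUTHENTICATED}
    for role, members in grants.items():
        via_group = any(user in groups.get(g, set()) for g in members["groups"])
        if via_group or user in members["users"]:
            roles.add(role)
    return roles

def privileges(user, groups, grants):
    """Union of the privileges of every role the user holds."""
    roles = effective_roles(user, groups, grants)
    return set().union(*(POLICY.get(r, set()) for r in roles))

def audit(groups, grants):
    """Flag hard-to-manage direct grants and grants to groups absent from the directory."""
    findings = []
    for role, members in grants.items():
        findings += [f"{role}: direct grant to user {u}" for u in sorted(members["users"])]
        findings += [f"{role}: group {g} not in directory"
                     for g in sorted(members["groups"]) if g not in groups]
    return findings
```
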
