Friday, November 14, 2014

OBIEE 11g Understanding Security: Introduction to OBIEE Security Model (What’s new?)

What’s new w.r.t. security in 11g?

  • Users and Groups are now managed via WebLogic instead of the RPD
  • A new concept of “Application Roles” is introduced, which is maintained in Enterprise Manager
  • The Administrator user is no longer the default user for inter-component communication
  • A separate password is required to access the RPD
  • SSL and SSO are now much easier to implement
  • Built-in LDAP to support Authorization
  • The “Credential Store” function is now under WebLogic control
  • In the Admin tool, “Manage > Identity” is used in place of “Manage > Security”

Here is the OBIEE 11g security model

How it works?

Users and Groups are maintained under the WebLogic Administration Console, and by default OBIEE uses the WebLogic embedded LDAP store for authentication. (However, alternative “Identity Providers” can be configured, e.g. OID, AD, etc.)

Once authenticated, users are then mapped to Application Roles, which govern what users can do within each individual application. Application roles are managed under WebLogic Enterprise Manager.

Security Policies are then applied based on the user’s Application Roles.

For example,
John is a Sales Manager. He will be authenticated by the LDAP Identity Provider. After authentication he will be authorized by being assigned to the “Sales Dashboard Users” application role. All Security Policies associated with the application role will be applied to the user. For example, John will get access to the “Sales Dashboard” but he can only see data for the Corporate Accounts that he manages.

Default Security Setup

The “default Roles” have the following privileges in Oracle BI EE 11g:

BIAdministrator Role

  • Manage BI Repository (RPD)
  • Administer BI Publisher

BIAuthor Role

  • Privileges defined in BI Presentation Catalog
  • BI Publisher Develop / Design / Schedule Reports

BIConsumer Role

  • Privileges defined in BI Presentation Catalog
  • BI Publisher Excel / On-line Report Analyzer
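
The user → group → application role chain described above can be audited for least privilege by computing each user's effective roles. The sketch below is an added example, not Oracle code or anything from the original post: it is a plain in-memory model with constructed sample data. The group names, the nested group, and the role-in-role memberships (BIAdministrator as a member of BIAuthor, BIAuthor as a member of BIConsumer) are assumptions.

```python
# Constructed sample data. Names mirror the page's John example and the
# default roles; group names and all mappings are assumptions.
USER_GROUPS = {
    "john": {"SalesManagers"},
    "mary": {"BIAuthors"},
    "svc_etl": {"Operations"},
}
# Nested groups: child group -> parent groups it belongs to.
GROUP_PARENTS = {"Operations": {"BIAdministrators"}}
# Application role -> member principals (groups or other application roles).
# A role listed as a member of another role also grants that other role.
ROLE_MEMBERS = {
    "Sales Dashboard Users": {"group:SalesManagers"},
    "BIConsumer": {"group:BIConsumers", "role:BIAuthor",
                   "role:Sales Dashboard Users"},
    "BIAuthor": {"group:BIAuthors", "role:BIAdministrator"},
    "BIAdministrator": {"group:BIAdministrators"},
}

def effective_groups(user):
    """Direct groups plus every parent group reached through nesting."""
    seen, stack = set(), list(USER_GROUPS.get(user, ()))
    while stack:
        group = stack.pop()
        if group not in seen:          # the seen-set also guards against cycles
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, ()))
    return seen

def effective_roles(user):
    """Fixed-point expansion: groups grant roles, roles grant further roles."""
    principals = {f"group:{g}" for g in effective_groups(user)}
    roles, changed = set(), True
    while changed:
        changed = False
        for role, members in ROLE_MEMBERS.items():
            if role not in roles and members & principals:
                roles.add(role)
                principals.add(f"role:{role}")
                changed = True
    return roles

def holders(role):
    """Users who end up with `role`, directly or indirectly."""
    return sorted(u for u in USER_GROUPS if role in effective_roles(u))

if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(effective_roles(user)))
    print("BIAdministrator holders:", holders("BIAdministrator"))
```

In this constructed data, `svc_etl` holds BIAdministrator only through the nested `Operations` group, which is the kind of indirect grant a review of direct group membership alone would miss.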

“Manage Privileges” within Oracle BI (see below for the privileges defined in the BI Presentation Catalog).