What’s new w.r.t. security in 11g?
- Users and Groups are now managed via WebLogic instead of the RPD
- A new concept of “Application Roles” is introduced; these are maintained in Enterprise Manager
- The Administrator user is no longer the default user for inter-component communication
- A separate password is required to access the RPD
- SSL and SSO are now much easier to implement
- Built-in LDAP to support Authorization
- The “Credential Store” function is now under WebLogic control
- In the Admin tool, “Manage > Identity” is used in place of “Manage > Security”
Here is the OBIEE 11g security model
How it works?
Users and Groups are maintained in the WebLogic Administration Console, and by default OBIEE uses the WebLogic embedded LDAP store for authentication. (However, alternative “Identity Providers” can be configured, e.g. OID, AD, etc.)
Once authenticated, users are mapped to Application Roles, which govern what users can do within each individual application. Application roles are managed in WebLogic Enterprise Manager.
Security Policies are then applied based on the user’s Application Roles.
For example, John is a Sales Manager. He will be authenticated by the LDAP Identity Provider. After authentication he will be authorized by being assigned to the “Sales Dashboard Users” application role. All Security Policies associated with the application role will be applied to the user. For example, John will get access to the “Sales Dashboard”, but he can only see data for the Corporate Accounts that he manages.
Default Security Setup
The “default Roles” have the following privileges in Oracle BI EE 11g:
BIAdministrator Role
- Manage BI Repository (RPD)
- Administer BI Publisher
BIAuthor Role
- Privileges defined in BI Presentation Catalog
- BI Publisher Develop / Design / Schedule Reports
BIConsumer Role
- Privileges defined in BI Presentation Catalog
- BI Publisher Excel / On-line Report Analyzer
“Manage Privileges” within Oracle BI. (See below Privileges defined in BI Presentation Catalog)
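The flow described under “How it works” (user, then groups, then application roles, then privileges) can be audited offline. The sketch below is an added example, not Oracle code: the users, the group names and the nesting of the three default roles are constructed assumptions, and it resolves each user’s effective roles so you can review who ends up with RPD administration rights.

```python
# Constructed sample data (not from a real system).
# Groups per user, as held in the WebLogic identity store.
USER_GROUPS = {
    "john": {"SalesManagers"},
    "maria": {"BIAuthors", "SalesManagers"},
    "ops1": {"BIAdministrators"},
    "temp7": {"Contractors"},
}
# Application role -> members, as maintained in Enterprise Manager.
# A member is a group ("group:X") or another role ("role:X"); the nesting
# of the three default roles is an assumption of this example.
ROLE_MEMBERS = {
    "BIAdministrator": {"group:BIAdministrators"},
    "BIAuthor": {"group:BIAuthors", "role:BIAdministrator"},
    "BIConsumer": {"group:BIConsumers", "role:BIAuthor"},
    "Sales Dashboard Users": {"group:SalesManagers"},
}
# RPD / BI Publisher privileges per default role, as listed on this page.
ROLE_PRIVILEGES = {
    "BIAdministrator": {"Manage BI Repository (RPD)", "Administer BI Publisher"},
    "BIAuthor": {"BI Publisher Develop / Design / Schedule Reports"},
    "BIConsumer": {"BI Publisher Excel / On-line Report Analyzer"},
}

def effective_roles(user):
    """Application roles a user holds via groups and nested roles."""
    principals = {f"group:{g}" for g in USER_GROUPS.get(user, ())}
    roles = set()
    changed = True
    while changed:  # fixed point: stops even if role nesting has a cycle
        changed = False
        for role, members in ROLE_MEMBERS.items():
            if role not in roles and members & principals:
                roles.add(role)
                principals.add(f"role:{role}")
                changed = True
    return roles

def effective_privileges(user):
    """Union of the privileges of every role the user holds."""
    privs = set()
    for role in effective_roles(user):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def holders(privilege):
    """Users who end up with a privilege; review this list for least privilege."""
    return sorted(u for u in USER_GROUPS if privilege in effective_privileges(u))

if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(effective_roles(user)))
    print("RPD admins:", holders("Manage BI Repository (RPD)"))
```

A user whose groups map to no application role (temp7 here) resolves to an empty set, which makes unmapped accounts easy to spot in the same pass.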