OBIEE – Security
OBIEE security is defined by the use of a role-based access control model. It is defined in terms of roles that are aligned to different directory server groups and users. In this chapter, we will be discussing the components defined to compose a security policy.
One can define a Security structure with the following components
The directory Server User and Group managed by the Authentication provider.
The application roles managed by the Policy store provide Security policy with the following components: Presentation catalog, repository, policy store.
Security provider is called in order to get the security information. Following types of security providers are used by OBIEE −
Authentication provider to authenticate users.
Policy store provider is used to give privileges on all applications except for BI Presentation Services.
Credential store provider is used to store credentials used internally by the BI application.
Security policy in OBIEE is divided into the following components −
- Presentation Catalog
- Policy Store
It defines the catalog objects and Oracle BI Presentation Services functionality.
Oracle BI Presentation Services Administration
It enables you to set privileges for users to access features and functions such as editing views and creating agents and prompts.
Presentation Catalog privileges access to presentation catalog objects defined in the Permission dialog.
Presentation Services administration does not have its own authentication system and it relies on the authentication system that it inherits from the Oracle BI Server. All users who sign in to Presentation Services are granted the Authenticated User role and any other roles that they were assigned in Fusion Middleware Control.
You can assign permissions in one of the following ways −
To application roles − Most recommended way of assigning permissions and privileges.
To individual users − This is difficult to manage where you can assign permissions and privileges to specific users.
To Catalog groups − It was used in previous releases for backward compatibility maintenance.
This defines which application roles and users have access to which items of metadata within the repository. The Oracle BI Administration Tool through the security manager is used and enables you to perform the following tasks −
- Set permissions for business models, tables, columns, and subject areas.
- Specify database access for each user.
- Specify filters to limit the data accessible by users.
- Set authentication options.
It defines BI Server, BI Publisher, and Real Time Decisions functionality that can be accessed by given users or users with given Application Roles.
Authentication and Authorization
Authenticator Provider in Oracle WebLogic Server domain is used for user authentication. This authentication provider accesses users and group information stored in the LDAP server in the Oracle Business Intelligence's Oracle WebLogic Server domain.
To create and manage users and groups in an LDAP server, Oracle WebLogic Server Administration Console is used. You can also choose to configure an authentication provider for an alternative directory. In this case, Oracle WebLogic Server Administration Console enables you to view the users and groups in your directory; however, you need to continue to use the appropriate tools to make any modifications to the directory.
Example − If you reconfigure Oracle Business Intelligence to use OID, you can view users and groups in Oracle WebLogic Server Administration Console but you must manage them in OID Console.
Once authentication is done, the next step in security is to ensure that the user can do and see what they are authorized to do. Authorization for Oracle Business Intelligence 11g is managed by a security policy in terms of Applications Roles.
Security is normally defined in terms of Application roles that are assigned to directory server users and groups. Example: the default Application roles are BIAdministrator, BIConsumer, and BIAuthor.
Application roles are defined as functional role assigned to a user, which gives that user the privileges required to perform that role. Example: Marketing Analyst Application role might grant a user access to view, edit and create reports on a company's marketing pipeline.
This communication between Application roles and directory server users and groups allows the administrator to define the Application roles and policies without creating additional users or groups in LDAP server. Application roles allows business intelligence system to be easily moved between development, test and production environments.
This doesn’t require any change in security policy and all that is required is to assign the Application roles to the users and groups available in the target environment.
The group named 'BIConsumers' contains user1, user2, and user3. Users in the group 'BIConsumers' are assigned the Application role 'BIConsumer', which enables the users to view reports.
The group named 'BIAuthors' contains user4 and user5. Users in the group 'BIAuthors' are assigned the Application role 'BIAuthor', which enables the users to create reports.
The group named 'BIAdministrators' contains user6 and user7, user 8. Users in the group 'BIAdministrators' are assigned the Application role 'BIAdministrator', which enables the users to manage repositories.