On a recent project I had to focus on security in OBIEE, so I thought I'd consolidate my knowledge and share it with you here. The very first part shown in this post will be on the basics: what is Authentication and Authorization, and what are the different ways to achieve them.
Security Manager
Security Manager is an administration utility that displays all the security information for a repository.
End users who use OBIEE for reporting need to be defined somewhere. These users, with their respective passwords, can be defined in the OBIEE RPD, in external database tables, on LDAP servers or in Active Directory. The BI Server Administrator user account is created automatically when a repository is created and cannot be deleted.
Figure 2. Showing where groups can be added.
Authentication and Authorization
Authentication means validating the user at login to the OBIEE application. When a user logs in, a request is sent to the BI Server asking whether this is a valid user. Only once the BI Server has validated the user can the user log in to the application.
Authorization determines which objects a user is allowed to view. For example, User A might be authorized to view only a particular set of reports and dashboards, based on the security applied.
a) Internal Authentication
You can maintain lists of users and their passwords in the Oracle BI repository using the Administration Tool. The Oracle BI Server will attempt to authenticate users against this list when they log on.
b) LDAP
Users are authenticated based on credentials stored in LDAP. This is the BEST method for authentication in OBIEE, and it supports the company's Single Sign-On (SSO) philosophy as well.
c) External DB Authentication
We can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.
d) Database
Oracle BI Server can authenticate users through database logons. If a user has read permissions on a specified database, the user is trusted by Oracle BI Server. This is typically not a good option in practice, as users have to be added to the RPD users list.
e) Operating System
If a user is configured on a trusted Windows domain, an Oracle Server user of the same name does not need to be authenticated by Oracle BI Server. This is typically not a good option in practice, as users have to be added to the RPD users list.
Creating several users in the RPD can be a cumbersome job, and it will also increase the size of the RPD. So, according to best practice, create the users and groups in the DB (or add them in AD/LDAP) and associate them with the RPD groups by creating groups in the RPD with the same names as in the DB.
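The external-table model from c) and the same-name group association described above, as an added example that is not part of the original post and is not how OBIEE itself is implemented. The table names, group names and sample users are constructed, and the salted PBKDF2 hashing is this example's choice, not something the post specifies.

```python
import hashlib, hmac, os, sqlite3

# Constructed sample data; table, column and group names are hypothetical.
RPD_GROUPS = {  # stand-in for groups defined in the repository and what they may view
    "SALES": {"Sales Dashboard", "Pipeline Report"},
    "FINANCE": {"GL Report"},
}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_external_db():
    """External DB: one table for credentials, one for group membership."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bi_users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("CREATE TABLE bi_user_groups (username TEXT, group_name TEXT)")
    for user, pw, groups in [("usera", "s3cret-A", ["SALES"]),
                             ("userb", "s3cret-B", ["FINANCE", "HR"])]:
        salt = os.urandom(16)
        db.execute("INSERT INTO bi_users VALUES (?, ?, ?)", (user, salt, _hash(pw, salt)))
        db.executemany("INSERT INTO bi_user_groups VALUES (?, ?)", [(user, g) for g in groups])
    return db

def authenticate(db, username, password):
    """Authentication: is this a valid user with the right password?"""
    row = db.execute("SELECT salt, pw_hash FROM bi_users WHERE username = ?",
                     (username,)).fetchone()  # bound parameter, never string-built SQL
    if row is None:
        _hash(password, b"\0" * 16)  # do comparable work for unknown users
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

def authorized_objects(db, username):
    """Authorization: union of objects granted by same-named repository groups."""
    rows = db.execute("SELECT group_name FROM bi_user_groups WHERE username = ?", (username,))
    allowed = set()
    for (group,) in rows:
        # A DB group with no same-named repository group grants nothing.
        allowed |= RPD_GROUPS.get(group, set())
    return allowed

def login(db, username, password):
    """Return the set of viewable objects, or None if authentication fails."""
    if not authenticate(db, username, password):
        return None
    return authorized_objects(db, username)
```

Here userb belongs to a DB group HR that has no same-named repository group, so that membership contributes no access.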
OBIEE Security implementation (Part2): Internal Authentication will follow soon - stay tuned!