Thursday, January 26, 2017

Security: Authentication and Authorization

There are two types of security in OBIEE:
1) Authentication
2) Authorization


Authentication

  • Authentication is the process by which the system verifies a user's credentials. Generally it checks the user's username and password to make sure that the user has sufficient privileges to enter the system.
  • The Oracle BI server authenticates the user.
  • The Console (http://localhost:7001/console) is where we create users. Log in with Administrator privileges.
  • On the left-hand side, under Domain Structure --> Security Realms --> myrealm --> Users and Groups tab --> Users sub-tab --> New -->
    • Name: BI101USER1
    • Password: welcome1
    • Confirm password: welcome1
  • Click OK; the user is created.
  • Since this user was created by the Administrator, BI101USER1 is a valid user.
  • To authenticate a user, the Oracle BI server uses one of the following two technologies:
    • LDAP: OBIEE 11g already has an LDAP server integrated with it. LDAP stands for Lightweight Directory Access Protocol.
    • External table


Authorization

  • Once a valid user logs into the system, what that user can access is controlled by the authorization process.
  • Authorization is enforced in the following two ways:
    • Object level
    • Data level or Row level

  • Although the user is valid, no group has been assigned to it, so when we log in to Analytics as BI101USER1 we do not see access to analyses, dashboards, prompts or any other OBIEE objects.
  • To grant access, we need to add user BI101USER1 to the BIAuthor group. To do this, go to the Console --> double-click BI101USER1 --> Groups sub-tab --> assign the BIAuthor group to BI101USER1 and save.
  • Now go to Analytics --> Reload Server Metadata --> sign out the Administrator user.
  • Restart the BI Presentation Server (the screenshot of this step is not reproduced here) so that the changes take effect.


  • Now sign in as BI101USER1. All OBIEE objects are accessible now. This is how a valid user is authorized to access OBIEE objects.


Object level Security:

This is further divided into two kinds, since we have two kinds of objects:
  • Repository level
    • Subject area
    • Presentation tables
    • Their columns
    • Hierarchy object
  • Presentation catalog level
    • Reports
    • Dashboards
    • KPIs
    • Scorecards
    • Filters
    • Prompts
To implement authorization, we need to consider each of the objects mentioned above.

1) Repository level
  • To implement authorization for any object in the repository, open the repository in Online mode.
  • Now double-click the object of interest, e.g. the Sales subject area, the Customers table or the Revenue column.
SUBJECT AREA
  • For a subject area, double-click the Sales subject area --> Check Out -->
  • Go to the General tab --> Permissions -->
  • A list of users is shown. If you do not see BI101USER1, go to "Set online user filter" --> enter * --> hit Enter --> select BI101USER1 --> OK. The user now appears in the list (screenshot not reproduced here). Give the appropriate READ / WRITE / NO ACCESS / DEFAULT access.
  • If we give No Access, BI101USER1 will not be able to see the Sales subject area in Analytics.
  • Check in the changes and save.
PRESENTATION TABLE/COLUMN/HIERARCHY
  • Select any table of interest, say Customers.
  • Double-click the Customers table --> Check Out --> General tab --> Permissions button -->
  • For BI101USER1 click No Access --> OK --> OK.
  • Check in the changes and save.
  • Now log in to Analytics as the Administrator user and reload server metadata.
  • Now log in as BI101USER1; the Customers table will not be available.
2) Presentation catalog level
  • Go to Analytics and log in as the Administrator user.
Report
  • Go to the Catalog and select any report of interest, e.g. Agent Report.
  • Click More --> Permissions -->
  • Click the green plus button and add BI101USER1 to the users list.
  • If we select No Access, BI101USER1 will not see the Agent Report the next time he logs in.
    • Open: opens the report, but no edit access
    • Modify: Open, Read and Write, Traverse access
    • Full control: Open, Read and Write, Traverse (navigating from one report to another) access
    • Custom: the permissions can be selected from a list (screenshot not reproduced here)
  • The difference between Modify and Full control is that Full control also allows the holder to grant access to other users.
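The repository permissions (READ / WRITE / NO ACCESS / DEFAULT on subject areas, tables and columns) and the catalog presets (Open / Modify / Full control) are two separate layers, and it helps to be able to reason about what a user ends up with. The following Python is an added example, not OBIEE code or anything from this post. The precedence rules it encodes (an explicit user grant beats group grants, several group grants combine least-restrictively, DEFAULT inherits from the parent repository object, and Full control adds the right to change permissions) are assumptions for illustration and should be checked against the Oracle security guide for your version. The object names, users and ACLs are constructed to mirror the walkthrough.

```python
"""Simplified model of OBIEE-style object-level authorization (added example).
The precedence rules are assumptions stated in the comments, not Oracle's spec."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Repository (RPD) permission levels. DEFAULT means "inherit from the parent object".
NO_ACCESS, READ, WRITE, DEFAULT = "NO ACCESS", "READ", "WRITE", "DEFAULT"
RANK = {NO_ACCESS: 0, READ: 1, WRITE: 2}  # higher rank = less restrictive


@dataclass
class RepoObject:
    """A subject area, presentation table, column or hierarchy.
    grants maps a user or group name to one of the levels above."""
    name: str
    parent: Optional["RepoObject"] = None
    grants: Dict[str, str] = field(default_factory=dict)


def effective_repo_access(obj: RepoObject, user: str, groups: List[str]) -> str:
    """Walk from the object up to its subject area. At each level an explicit
    user grant wins; otherwise the least restrictive group grant wins; DEFAULT
    (or no entry) defers to the parent. Nothing set anywhere means NO ACCESS.
    (Assumed precedence for illustration.)"""
    node = obj
    while node is not None:
        user_grant = node.grants.get(user, DEFAULT)
        if user_grant != DEFAULT:
            return user_grant
        group_grants = [node.grants.get(g, DEFAULT) for g in groups]
        group_grants = [g for g in group_grants if g != DEFAULT]
        if group_grants:
            return max(group_grants, key=RANK.__getitem__)
        node = node.parent
    return NO_ACCESS


# Catalog permission presets as the post lists them, expanded to privilege sets.
CATALOG_PRESETS: Dict[str, FrozenSet[str]] = {
    "No access": frozenset(),
    "Open": frozenset({"open", "read", "traverse"}),
    "Modify": frozenset({"open", "read", "write", "traverse"}),
    # Full control additionally lets the holder grant access to other users.
    "Full control": frozenset({"open", "read", "write", "traverse", "change-permissions"}),
}


def catalog_privileges(acl: Dict[str, str], user: str, groups: List[str]) -> FrozenSet[str]:
    """Effective privileges on one catalog object (report, dashboard, page).
    An explicit user entry wins; otherwise the user gets the union of the
    privileges of every matching group entry; no entry at all means no access."""
    if user in acl:
        return CATALOG_PRESETS[acl[user]]
    privs: FrozenSet[str] = frozenset()
    for g in groups:
        if g in acl:
            privs |= CATALOG_PRESETS[acl[g]]
    return privs


def can_grant_to_others(acl: Dict[str, str], user: str, groups: List[str]) -> bool:
    """The Modify vs Full control difference: only Full control can share access."""
    return "change-permissions" in catalog_privileges(acl, user, groups)


# --- constructed sample data mirroring the walkthrough (not real RPD content) ---
sales = RepoObject("Sales", grants={"BIAuthor": READ})
customers = RepoObject("Customers", parent=sales, grants={"BI101USER1": NO_ACCESS})
customer_name = RepoObject("Customer Name", parent=customers)  # inherits from Customers
facts = RepoObject("Facts", parent=sales)
revenue = RepoObject("Revenue", parent=facts)                 # inherits from Sales

# Constructed catalog ACL for the Agent Report: user-level Modify, group-level Full control.
AGENT_REPORT_ACL = {"BI101USER1": "Modify", "BIAuthor": "Full control"}


if __name__ == "__main__":
    for obj in (sales, customers, customer_name, revenue):
        print(f"{obj.name:14s} -> {effective_repo_access(obj, 'BI101USER1', ['BIAuthor'])}")
    print("BI101USER1 can grant Agent Report to others:",
          can_grant_to_others(AGENT_REPORT_ACL, "BI101USER1", ["BIAuthor"]))
```

Running the block shows the two effects the walkthrough demonstrates by hand: the No Access set on the Customers table hides both the table and its columns even though the BIAuthor group can read the Sales subject area, and the user-level Modify entry on the Agent Report keeps BI101USER1 from sharing it even though the group entry is Full control.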

Dashboards

  • Log in to Analytics as the Administrator user --> Catalog --> click Expand under Dashboards --> click More on any saved dashboard of interest, e.g. "OBIEE Dashboard" --> Permissions --> add BI101USER1 --> set the permission to Open / Read / Write / Traverse / No access / Full control etc. --> OK --> OK.
  • Now sign out, log in as BI101USER1 and open Catalog --> Dashboards. If we gave No Access, "OBIEE Dashboard" cannot be seen in the catalog.


Dashboard Page

  • Log in to Analytics as the Administrator user --> Catalog --> click Expand under Dashboards --> double-click and open any saved dashboard of interest, e.g. "OBIEE Dashboard" --> go to any page of interest, e.g. "PV Page" --> on the right-hand side click the Edit Dashboard button --> Dashboard Properties --> select PV Page --> click Permissions (screenshot not reproduced here).



  • Add BI101USER1 using the green plus button (screenshot not reproduced here).



  • Click OK --> OK --> save the OBIEE Dashboard.
  • Log in as BI101USER1, go to the Catalog, double-click and open the OBIEE Dashboard --> the PV page cannot be seen.
  • This is how we restrict BI101USER1 from viewing the dashboard page.