Data-level security in LDAP

Hi Experts,
I have one doubt.
When we are using LDAP security, how should we give data-level security for a single user?
Can you please explain this in detail with an example?
Thanks in advance.
Regards,
Jel

Hi,
Once LDAP is working, you will be able to see the AD users in the RPD (identity user list); here you can just apply data-level security.
Let's say userA is the AD user, once it shows in the RPD.
Steps to set up data filters to apply row-level authorization rules for queries:
1) Go to your repository in the Administration Tool.
Select Manage, then select Identity.
In the Identity Manager dialog, in the tree pane, select BI Repository.
In the right pane, select the Users tab, then double-click any one of the AD users for which you want to set data filters.
(If you are not able to find the AD user, just set the online filter to * and it will show up.)
2) In the Application Role dialog, click Permissions.
In the User Role Permissions dialog, click the Data Filters tab.
To create filters, you first add objects on which you want to apply the filters. Then, you provide the filter expression information for the individual objects.
For example,
a filter like "Sample Sales"."D2 Market"."M00 Mkt Key" > 5 to restrict results based on a range of values for another column in the table.
You can also use repository and session variables in filter definitions. Use Expression Builder to include these variables to ensure the correct syntax.
Note: my suggestion is that it is better to set application-role-wise security (if you go with user-level data security, it gets strange in future in case of maintenance).
Kindly refer to the links below (similar way for AD users):
http://gerardnico.com/wiki/dat/obiee/security_level#data
http://obieeblog.wordpress.com/category/obiee/obiee-security/
http://www.rittmanmead.com/2012/03/obiee-11g-security-week-row-level-security
http://oraclebizint.wordpress.com/2008/06/30/oracle-bi-ee-1013332-row-level-security-and-row-wise-intialized-session-variables/
Thanks
Deva
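
The session-variable form of the data filter described in the answer above, as an added example that is not part of the original thread. The mapping table BI_USER_MARKET, its columns, the session variable MKT_KEY and the sample rows are hypothetical; only the "Sample Sales"."D2 Market"."M00 Mkt Key" column comes from the post, and the example assumes each login maps to exactly one market key.

```sql
-- Added example. Hypothetical names: BI_USER_MARKET, LOGIN_NAME, MKT_KEY,
-- and the session variable MKT_KEY. All rows below are constructed.

-- 1) Mapping table in the data source: the single market key each
--    LDAP/AD login is allowed to see. The primary key enforces the
--    one-key-per-login assumption, so the init block returns at most one row.
CREATE TABLE BI_USER_MARKET (
    LOGIN_NAME VARCHAR(64) NOT NULL,
    MKT_KEY    INTEGER     NOT NULL,
    PRIMARY KEY (LOGIN_NAME)
);

INSERT INTO BI_USER_MARKET (LOGIN_NAME, MKT_KEY) VALUES ('usera', 6);
INSERT INTO BI_USER_MARKET (LOGIN_NAME, MKT_KEY) VALUES ('userb', 9);

-- 2) Query for a session initialization block whose target is the
--    session variable MKT_KEY. LDAP has already authenticated the user;
--    the BI Server substitutes the login name for ':USER' when the
--    session starts. UPPER() on both sides avoids a case mismatch
--    between the directory login and the mapping table.
SELECT MKT_KEY
FROM   BI_USER_MARKET
WHERE  UPPER(LOGIN_NAME) = UPPER(':USER');

-- 3) Data filter expression entered on the Data Filters tab for the
--    object being restricted (build it with Expression Builder so the
--    variable reference is syntactically correct). This is repository
--    expression syntax, not SQL sent to the database:
--
--    "Sample Sales"."D2 Market"."M00 Mkt Key" = VALUEOF(NQ_SESSION."MKT_KEY")
--
--    Because the value comes from the session, the same filter can sit
--    on an application role and still restrict each member to their own
--    market, instead of one hard-coded filter per user.

-- 4) Review query for the mapping itself: every login and the key it
--    resolves to. A login that is missing here gets no value from the
--    init block, so test that case explicitly before relying on the filter.
SELECT LOGIN_NAME, MKT_KEY
FROM   BI_USER_MARKET
ORDER  BY LOGIN_NAME;
```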

Similar Messages

  • Secure External LDAP with local user provisioning in a org.

    To all:
    I'm working with 05Q1 or as some say v3. I was able to successfully set up user authentication with external LDAP and dynamic creation of users within local org and LDAP and map over attributes for storage into local LDAP. Now I need to try and make it a secure external LDAP authentication, without disturbing any of the other orgs within the local system.
    Is it possible without turning on security for all? Where would the certs be stored for the secure external LDAP that I am authenticating against?
    Help would be appreciated.
    If anyone is trying to do the same thing let me know if you're having trouble. I sure did, just getting to the point that I am right now.
    Thanks,
    - Milo

    Hi,
    Check following forum thread.
    Re: custome role maper example
    Regards,
    Kal

  • HOW TO DO: J2EE declarative Security without LDAP????

    My client doesn't want to store stuff in LDAP, and we already have existing authorization infrastructure stored in a DB. How can I use my existing security infrastructure in conjunction with J2EE declarative security and iAS (6sp3, Solaris, Oracle DB, web clients)?

    Q: HOW TO DO: J2EE declarative Security without LDAP?
    A: It can't be done with iAS. iAS 6.x expects security information to be in LDAP.
    Your only option if they want to use a relational database is either to use some sort of meta directory (replication) to move the data from the relational database, or some sort of LDAP to RDBMS gateway.
    David
    http://www.amazon.com/exec/obidos/ASIN/076454909X/

  • ADF security : JAZN-LDAP

    Hi,
    We are working on the development of an application with Oracle ADF (JDev 10.1.3).
    We implemented security with lightweight XML provider and it's working perfectly.
    Next month we will deploy our application and so we will use a LDAP server.
    Is it easy to jump from XML to LDAP?
    Do we just have to select the LDAP provider in the security wizard and then map application groups to LDAP groups in the orion-application.xml file?
    With this solution, is it still possible to edit authorizations at design time for pages, iterators, etc ?
    Thanks in advance for your help!

    Hi,
    you didn't read the documentation, did you? Anyway, the LDAP upload is a bit different from how you imagine it
    - ADF Security permissions are written to the workspaces' \.adf\META-INF\app-jazn-data.xml file. So in fact you don't change the security settings for your project in JDeveloper. This means it remains for future addition
    - You use a migration utility provided by OC4J Security to create an XLIFF file out of \.adf\META-INF\app-jazn-data.xml
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/configxml.htm#CIHIFGBJ
    - Then you upload this to OID
    Frank

  • Data level security in ldap

    Hi Experts,
    I am new to OBIEE.
    Can anyone explain how to give data-level security if we use LDAP authentication?
    It would be a great help for me.
    Thanks in advance.
    Regards,
    jell

    Hi,
    Security LDAP.
    For authentication purposes we can use LDAP.
    For data-level security purposes you can use an external table.
    Ex: users coming from LDAP for authentication purposes.
    Please refer to the links below.
    http://satyaobieesolutions.blogspot.com/2012/06/dataobjectcolumn-level-security-in.html
    http://satyaobieesolutions.blogspot.com/2012/06/external-table-authentication-and-row.html --- External Table.
    Hope this helps
    Thanks
    Satya

  • Reg:rpd security vs ldap

    hi,
    I have merged two repositories, where one is using an LDAP server for authentication and an initialization block for authorization and portalpath, and the second one is using RPD security only. Now, after the merge, I will be implementing LDAP authentication and authorization for the new merged RPD.
    Now, my doubt is that the second RPD, using the RPD security, has declared some filters for some groups in the permissions in security. So, if I implement LDAP server authentication and authorization, where the group of a user and portalpath are authorized, would the filter in permissions on the group work normally, or should I use an authorization init block to get the filters?
    I have used the link below for authorization:
    http://obieeblog.wordpress.com/
    thanks

    If the group names are the same in both cases then the filters applied on the groups will work normally. Just implement this and perform some unit testing in order to validate the security after the merge. Hope this is clear.

  • Security - using LDAP groups

    I want to protect my EJB using LDAP groups. WLS is recognizing WLS users but unable
    to recognize groups. Here is my weblogic-ejb-jar.xml
    <security-role-assignment>
    <role-name>channel-role</role-name>
    <principal-name>system</principal-name>
    <principal-name>mygroup</principal-name>
    <principal-name>cn=mygroup,ou=groups,o=mycompany</principal-name>
    </security-role-assignment>
    It recognizes user system but not the group. LDAP group is cn=mygroup,ou=groups,o=mycompany.
    When I pass the credentials from the client of a uniquemember, WLS generates a
    security exception. It won't recognise mygroups or cn=mygroup,ou=groups,o=mycompany
    either.
    Any suggestions?
    Thanks
    -Surya

    Yes, It has impact. You create groups in the Repository & Answers and assign the object level permissions.
    You Populate Group Variable during authentication via LDAP server. Once you login with X name you see the authorized groups in the my account.
    For dashboard A - For group Executive - User X - You have given full access.
    Now you have changed the Group name to AD_Executive. When You Login variable values would be
    User - X
    Group - Ad_Executive
    Dashboard A - No permissions.
    If you have a scenario of changing the group names then get Groups from database using Init block after authorization.

  • Declarative ADF Security with LDAP provider other than OID possible  ?

    All samples I found regarding declarative security in ADF are done with an .xml repository or mention the possible use of OID as such repository.
    Thing is that the client will not have OID but another LDAP v3 compliant provider.
    In this scenario is it possible to use the ADF Declarative Security or should we have to implement a custom module for the interaction ?
    Thanks,
    Claudio.

    You are right, in this article:
    http://www.oracle.com/technology/products/jdev/howtos/10g/jaassec/index.htm
    says:
    In Oracle Containers for J2EE 10.1.3, users can also be defined in 3rd party LDAP servers.
    However it doesn't give any concrete sample.
    Question is: can I say the client that we can develop based on .xml or OID and then change to other 3rd party LDAP server without changing code ?
    Thanks,
    Claudio.

  • INTEGRATING PUBLISHER WITH OBI EE SECURITY USING LDAP

    Hi !
    Just learned about how integrating BI Publisher with OBI EE Security had to be set. (SA SYSTEM blah blah blah)
    My question is : what if my OBI EE security is already based on LDAP server ? How do I manually insert user logon in SA_USER as I'm supposed to do ? No way...any turnaround ? Should I base my BI PUB security on the LDAP server ?
    Thanks in advance
    Yannis

    Hi,
    I too have the same question.
    Could you please let us know whether using "Oracle BI server" security model in BIP would address the SSO between Oracle BI and BI Publisher when BI uses LDAP authentication?
    Also I am facing some issues in setting up BI security in BIP.
    The issue is that, when logged into BIP as Administrator, the Roles and Permissions tab of Admin displays only two roles, namely "Administrator" and "XMLP_TEMPLATE_ONLINE".
    SA subject area is also set.
    Could you please let me know your thoughts on the same?
    Thanks in Advance.

  • Security Issue - LDAP Authentication and supply of empty passwords

    Security Issue with OC4J and JAZN LDAP Realm
    Product Versions:
    OC4J 9.0.3
    Infrastructure 9.0.2.1
    When using form-based authentication or basic authentication in a WebApp, OC4J authenticates any existing user that has a password defined with an empty password.
    Example: If you have a user with the username "user" and password "password". In the login of the WebApp if you supply only the username, OC4J authenticates the user.
    Notes:
    - If we supply a wrong password we are not authenticated
    - If we supply the correct password we are authenticated.
    To reproduce the problem, I have used Oracle callerInfo jazdemo, configured to use the JAZN LDAP Realm named sample_subrealm, that is installed with 9ias infrastructure
    Notes: If I use JAZN XML Realm everything works as expected.
    Bruno Antunes
    Java Software Engineer

    Jeremy - You'd have to use database authentication to achieve that. Create a DAD without specifying a username/password and change the app's current authentication scheme to DATABASE. Then users can login using their database account credentials. LDAP won't be used when you do this so you'll have to keep the database account passwords in sync with LDAP somehow if that's important.
    Scott

  • A third-party directory servers/security provider (LDAP)

    Here is a scenario. If a security provider is a third-party directory servers that supports LDAP, is there a way to define roles in my schema table but LDAP be my authentication security provider? Sounds like a double security provider! (Looks like I had asked something similar long time ago)
    Or does the LDAP server needs to be a real provider (authentication and authorization and handle roles as well and not leave anything for me except permissions) while I set up permissions in system-jazn-data.xml and define roles in web.xml that matches the roles in ldap?
    Since the third party security provider throws in a login dialog, I may not have to use custom login module. But, I want to set up permissions. Hope I am making sense. Default realm jazn will now be replaced by something that says it is ldap. Is that assumption correct?
    If I make sense, please point to a doc about the above scenario.
    Thanks

    Hi,
    Here is a scenario. If a security provider is a third-party directory servers that supports LDAP, is there a way to define roles in my schema table but LDAP be my authentication security provider? Sounds like a double security provider! (Looks like I had asked something similar long time ago
    You can use this scenario assuming you have a LoginModule that gets the authenticated user from LDAP and then queries the database for the security roles. This however does not work with any of the LoginModules that are published on OTN or contained in OC4J
    Frank

  • DataLevel Security

    Hi,
    Can any one tell how to provide data level security in obiee.
    Suppose i want user(Example:Venkat) to see only the east region data only without access whole data . then how we can provide security?

    Hi,
    Also you can implement this in the RPD by creating groups and applying filters on the groups, as shown in the blog below,
    http://www.rittmanmead.com/2007/05/13/obiee-and-row-level-security/
    Thanks,
    Vino

  • How can you provide datalevel security on particular user when using

    hi all
    How can we provide data-level security for a single user when using external table authentication?
    Again, we have created one more group in the RPD and we have assigned the user to that group,
    so, is there any other way to do it?
    Thanks
    sreedhar

    Hi,
    If it is to restrict that user from viewing some data, then there is no need to place him in a separate group. This can be achieved...
    High priority is for restriction.
    Let's take group Test with two users, test1 and test2. These two users are under the Test group.
    I applied data-level security for only one user, test1 (restricted him to view market not equal to Central Region), but didn't apply data-level security for test2.
    Now I added the group to the presentation catalog and gave permission to the dashboard showing the Market report.
    When test1 logs in he can see all markets except Central Region, whereas when test2 logs in he can view all regions including Central Region.
    Here the Test group has full access, so test2 can view all regions, but user test1 is restricted for some value and it's working fine.
    If you want to apply data-level security to a user so that he cannot view some data, then you can maintain that user in a group with many other users and achieve it. The above example shows it.
    If it is to restrict the whole group from viewing the dashboard and make a single user in the group view some data in the dashboard, then it's not possible (priority is for restriction) in this way; in this case it's better to create a new group for that user and assign him.
    Regards,
    Srikanth

  • Datalevel security In Obiee11g

    Hi,
    How do we do data-level security if we have 4 groups (A, B, C, D), with 10 users in each group? If a group A user runs a report, he can see 5000 records in the report; a group B user can see 8000; a group C user can see 10000 records; a group D member can see 12000 records. How do we do this?
    If possible, give me a bit of a detailed answer.

    Please follow the below steps to configure Data Level Security in OBIEE11g.
    1. Log in to Console and try to use the existing groups BIConsumers, BIAuthors and BIAdministrators if suited to your requirements. If not, create new groups based on your requirement.
    2. Add the users to the group.
    3. Log in to EM. Use the existing roles if applicable; if not, create new roles and assign proper roles like BIAuthor, BIConsumer, and add the corresponding groups created at step 1.
    4. Now open the RPD in online mode and go to Manage -> Identity and then Action -> Synchronize Application Roles. Now in the Application Roles tab in the Identity Manager window you will see that the new Application Roles created in EM are present.
    5. Now open the properties of the Application Roles and click Permissions and then Data Filters, and specify the Data Filters for the corresponding columns in the corresponding Subject Areas.
    6. In the Data Filters you can have a hard-coded value on the right side; if not, you can have a session initialization block with a SQL query which gets the corresponding site/region information from a database table and stores the value into a non-system session variable as a single value of row wise initialization variable.
    Once you are done with this, save your changes in the RPD and then reload metadata services in the Administration tab in Analytics and log in again. Now you'll see Role Based Dashboards. You can verify the roles and groups that you are part of in My Account -> Catalog groups and Catalog Roles...
    Thanks
    Sampat

  • Migrating ADF Security from file-based provider to LDAP provider

    We have deployed a small application using ADF Security with file-based provider in OAS and it works fine.
    Now we want to migrate to ADF Security using LDAP provider.
    In order to make this possible we followed the next steps:
    - Migrate all the roles and policies from the file to OID with JAZNMigrationtool.
    - In OAS we've changed the Application Security Provider to 'Oracle Identity Management'.
    - Reset the OC4J instance.
    But there was no success, the application continues working with the file-based provider.
    What more is necessary to configure?

    Hi,
    if you use EM make sure you change the setting for the application, not the general OC4J setting.
    You can also deploy the provider settings with the orion-application.xml file added to your project
    Frank
