Obiee Security, 7 Active Directories

I have 7 separate companies with separate Active Directories (AD) for each of the companies. I am now required to set up security that will incorporate all 7 ADs for authentication. The problem is that if I add the ADs, the one at the top will be the only one that is used; if the user is not in the first/top AD, then access will be denied. Is there any way I can set it up so that the system tries to verify the user in one AD and, if the user is not there, moves to the next one until it finds the user and authenticates them?

Yes, you can create 7 AD Authentication Providers in the WLS Console and user stores, and then you can enable the virtualize = true property. This will enable you to authenticate users from multiple authentication providers.
You can read more about that here: FYI: Enabling Virtualization (virtualize=true) and OBI-SEC-00015 ~ Ask John OBIEE - Oracle Business Intelligence Guides,…
HTH,
SVS
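
The two settings behind the answer above, shown as an added configuration sketch that is not part of the original thread. The provider name AD_Company1 is hypothetical, and the file locations assume a standard OBIEE 11g WebLogic domain.

```xml
<!-- DOMAIN_HOME/config/config.xml (fragment, inside the security realm).
     One entry per Active Directory; "AD_Company1" is a hypothetical name,
     repeated with its own host and search bases for each of the 7 ADs. -->
<sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
  <sec:name>AD_Company1</sec:name>
  <!-- SUFFICIENT: a successful login against this AD ends the chain, a
       failed one falls through to the next provider. A provider left at
       REQUIRED must succeed for every login, so users who exist only in
       another AD would still be rejected. -->
  <sec:control-flag>SUFFICIENT</sec:control-flag>
</sec:authentication-provider>

<!-- DOMAIN_HOME/config/fmwconfig/jps-config.xml (fragment).
     Identity store service instance used by OBIEE for user lookups. -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider"
            value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <!-- Without this property the identity store is built from a single
       authenticator, which matches the symptom in the question. With it,
       every configured authenticator is searched. -->
  <property name="virtualize" value="true"/>
</serviceInstance>
```

Both values are normally set through the WLS Console and Fusion Middleware Control, which write these files, and the property name virtualize is lowercase.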

Similar Messages

  • OBIEE Security 10g to 11g: Groups

    I had a Security scenario that I wanted to throw out to the forum...
    In 10g, we made use of the GROUP system variable to pull a user's group membership from a database table. This was a Session Variable initialized upon each login.
    Data-level and object-level security was different for each group.
    In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
    In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could log in once and see Dashboard A, switch my role, then log back in and NOT see Dashboard A.
    I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
    My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based; my belief is that it is populated when the Admin Server/Managed Servers are brought up, pulling from the applicable Security Provider.
    Edited by: DustinC on Jan 19, 2012 1:29 PM
    Edited by: DustinC on Jan 20, 2012 3:54 PM
    Edited by: DustinC on Jan 22, 2012 12:45 PM
    Edited by: DustinC on Jan 23, 2012 11:40 AM

    Q1. How to deploy external database security (users, groups) to OBIEE 11g.
    We used external database security in 10g. All the users and groups are maintained in the database and the OBIEE RPD has security groups. The repository has group information only, so the group information is deployed to OBIEE 11g by the upgrade assistant, but how can the users in the external database be deployed?
    Solution:
    http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
    http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
    http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
    Q2. All the users and roles are in an LDAP server. In this case, how does OBIEE 11g read user and group information?
    OBIEE 11g is integrated with WebLogic Fusion Middleware (Console, EM). That console has a feature to enable multiple LDAP authentication.
    While configuring AD via the WebLogic console we need to give the user and group info.
    Solution refer:
    http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
    Thanks
    Deva

  • Report on OBIEE Security

    We use the Default Authenticator and implemented the security using the WebLogic console. Now my client wants to see a report on the OBIEE security implemented; he wants to see all the groups, roles and users listed and is also interested in seeing what users and roles are assigned to various groups for the project.
    Is it possible to read Weblogic security Metadata?
    Appreciate your thoughts on this.
    Thanks
    Bees

    Was my answer correct? If so, please indicate so (top right of my last post). If not, then what was your answer?

  • Alternate method of implementing EBS-OBIEE security

    We have tried implementing the EBS-OBIEE security as per Metalink Note ID 555254.1 (without SSO). However, we realised that for cookie-based integration to work, both the EBS and OBIEE URLs need to reside on the same domain. At the client location, the applications are hosted in different domains.
    Any tested/proven alternative method, where we can pass the EBS responsibilities (say Operating Unit) to OBIEE?
    Regards
    KSK

    Hi all,
    Yes, the session variable ':USER' is not picking up the user name, but when I hard code it to 'BI_ADMIN' this works fine.
    I have tried the following formats in the place of ':USER':
    VALUEOF(NQ_SESSION.USER)
    VALUEOF(NQ_SESSION."USER")
    VALUEOF("NQ_SESSION.USER")
    UPPER(VALUEOF(NQ_SESSION.USER))- checking if any problem with case
    None of them worked.!!
    When I remove the whole " USR.USER_NAME=':USER'
    the sql runs fine..please help

  • OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

    I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
    1) Create a standard authentication/security process at an enterprise level
    2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
    3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
    4) non-EBS users must go through the OBIEE portal
    5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
    So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
    For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
    My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in a corporate-LDAP store, I was thinking to set up a dual authentication store that connects to both corporate-LDAP (EBS) and the WLS-integrated LDAP (non-EBS).
    Will this work? Does anyone have a better approach they'd like to share?

    Please post the details of the application release, database version and OS.
    We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
    It could be related that OAM generated cookies are not recognized by embedded OBIEE.
    Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
    For urgent issue, please always log a SR.
    Thanks,
    Hussein

  • Can an SCCM 2012 instance handle multiple Active Directories?

    Hi All,
    Historically (SCCM 2007 or earlier version), each Active Directory domain has needed an SCCM instance. Has that changed/improved in SCCM 2012 so that each instance can handle multiple Active Directories?

    Historically (SCCM 2007 or earlier version), each Active Directory domain has needed an SCCM instance.
    That's not true BTW.
    Torsten Meringer | http://www.mssccmfaq.de

  • Add users from several Active Directories in SAP BPC

    Hello everybody,
    Does anybody know if you can add users from several Active Directories in SAP BPC??
    In affirmative case, how can you add several Active Directories in SAP BPC??
    Thank you very much.
    Best regards,
    Fernando

    Hi,
    We have almost the same issue adding users from several Active Directories.
    The BPC server is in Domain A. We are trying to add users from Domain B. Our trust relationship between the ADs is that Domain B approves Domain A (unidirectional).
    We cannot get one user which is able to browse both ADs. So we installed BPC with a user which has rights to browse Domain A, and we use another user in the COM+ component (OsoftUSerManage) which has rights to browse Domain B.
    But it is not working: we encounter an issue (access denied) in web administration when adding users from Domain B.
    Any idea ?
    Env. : BPC 5.1 SP6

  • Web service security with active directory

    Hi,
    I want to protect my web service by using Active Directory for authentication.
    (I am using JDeveloper 10.1.3.1 and the bundled OC4J.)
    I followed the web service developer guide (section External LDAP Security Providers) and set up the LDAP security provider...
    In the OC4J web admin security page, I pressed the 'test ldap authorization'
    button to CONFIRM the LDAP connection is correctly set.
    But when I call the web service deployed in that OC4J container,
    the operation fails with the following message:
    javax.xml.rpc.soap.SOAPFaultException: UnsupportedCallbackException: oracle.security.jazn.callback.IdentityCallback@19f410 not available to gather authentication information from the user
    at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
    at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
    at test.proxy.ws1.runtime.MyWebService1SoapHttp_Stub.getUserNameYY(MyWebService1SoapHttp_Stub.java:134)
    at test.proxy.ws1.MyWebService1SoapHttpPortClient.getUserNameYY(MyWebService1SoapHttpPortClient.java:50)
    at test.proxy.ws1.MyWebService1SoapHttpPortClient.main(MyWebService1SoapHttpPortClient.java:33)
    Could anybody help me?
    Thank you very much.

    Actually I use the default settings provided by Oracle's configuration
    wizard for Active Directory:
    User:
    LDAP User Name Attribute: sAMAccountName
    LDAP User Object Class : inetOrgPersion
    User Search Scope: subtree
    User Search Base: dc=xxx, dc=com
    Groups:
    LDAP Group Name Attribute: cn
    LDAP Group Object Class: group
    LDAP Group Member Attribute: member
    Group Search Scope: subtree
    Group Membership Search Scope: direct
    Group Search Base: dc=xxx, dc=com
    Using the same user and user search base, I can search the AD using other
    tools.
    Could anybody help me?
    Thank you.

  • Cisco asa security context active/active failover

    Hi,
    I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
    Each ASA appliance will have two security contexts named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process the traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign the "ctx1" interfaces to failover group 1 and the "ctx2" interfaces to group 2.
    I am reading a book on failover configuration in active/active, and the note below is mentioned in it.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case, can the shared interface be used in failover groups 1 & 2?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • OBIEE Security

    Hi,
    I want to know about various types of security provided in OBIEE.
    I have come across terms like row level security and column level security. I want to know about these two terms with respect to OBIEE, and how we provide these types of security.
    Thanks
    Shashank Gupta

    Row level security is implemented by Data Security Groups
    There are three kind of groups - data values groups (like UK etc)
    data visibility groups (like Sales ) & Security groups like Country Based Security
    Object Level Security:
    Now for Data Visibility under the filter you can explicitly select what subject areas a user can query like sales (Data visibility groups - Sales)
    Row Based Security:
    A Session Initialization block is fired as a user logs in and records the groups he is a member of
    ex. UK Group, Sales Group & Country Based Security Group.
    The group Country Based Security Group under the filter tab has the following - value of dimension country = value of NQSESSION.GROUP
    Hope this helps !!

  • Obiee Security Query

    Hi All,
    Can we display a Section in a Dashboard Page to one particular User and another Section of the Dashboard to another User, if both the Sections are in one single Dashboard Page?
    Many Thanks in Advance

    Hi,
    Please go through this link for applying the security in OBIEE, restricting the users and adding the roles and responsibilities.
    http://obiee2go.wordpress.com/2012/06/14/obiee-11g6-how-application-roles-groups-and-users-work-in-obiee-11g/
    Thanks,
    Yogi.

  • "Content security" features in Director?

    Hi All,
    I made several big e-learning projects in Director 8 about 5 years back. At that time I got a security feature enabled on the projector file to make sure that it plays only when the original CD is put into the CD drive. This code was incorporated at the time of replication of the CDs and was not done using Director Lingo.
    Now after 5 years I want to make more products using the latest Director software. First of all can someone let me know if there have been any updates in terms of content protection in Director. I mean, is there any way the contents (or maybe just the projector) are prevented from getting copied? I have absolutely lost touch with the latest features of the software. I would really appreciate it if someone could give me links from where I can start. What are the options available to me for my requirement?
    Thanks!

    First of all can someone let me know if there have been any updates in terms of content protection in Director.
    No, there haven't. I would suggest sticking with what you know already is a tried and proven solution.

  • F-Secure Booster Activation

    Hi, I've installed F-Secure Booster and appeared to have licensed it successfully, but once I restart the PC and try to launch the application it prompts for the license key again, and if I re-enter it tells me that I've "surpassed the maximum number of computers". I've confirmed all IE settings are as per the advice on the relevant forums but still have the same problem. Please can anyone advise?
    Many thanks in advance, Vince.

    Hello Oldviking,
    Could you review the 3 following articles:
    http://community.f-secure.com/t5/Security-for-PC/Activation-issue-Please-connect/ta-p/68554
    http://community.f-secure.com/t5/Security-for-PC/Activation-issue-F-Secure/ta-p/68556
    http://community.f-secure.com/t5/Security-for-PC/Activation-issue-Incorrect/ta-p/68555
    Resetting  Internet Security settings to default is also advised.
     

  • Obiee security / Cache management scenarios and solution required

    scenario 1: Cache Mechanism implementation
    We have to develop a report which will populate the data from Cache for previous months and from database for current month simultaneously.
    Scenario 2: Security (users/groups) implementation
    We have to implement the authorisation on 20000+ roles (groups) in OBIEE. They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database.
    Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ?
    Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)"
    Example: A single report has a summary page and a detail level page. Summary page can be seen by everyone whoever logs on to the BI portal and accesses the report but when the user clicks on a figure on summary page to drill to detail he sees only his data that he has access rights to.

    scenario 1: Cache Mechanism implementation Can not be done. Either the query comes from the cache or it doesn't, it can not come from two sources.
    Scenario 2: Security (users/groups) implementation
    Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ? Sure your requirement is to implement a specific security model not to have 20000 roles. You seem to have come with an implementation where you have 20000 roles which to me would seem like you are way off track. Could OBIEE support that? May be. Is it a good idea? Def not.
    They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database. Whoever is "they", tell them that they are not OBIEE experts and they should not tell you how to implement things. Ask them to give you the actual business requirement rather than the "solution". You as an "OBIEE expert" should decide the best way to implement it in OBIEE. The typical approach is to have all the roles in a Database and populate the GROUP variable via a row-wise init block. Plenty of info in the forums about this. Script/API? Forget about it, not fast enough.
    Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)" If row-level-security is needed at the report level then you shouldn't implement it in the RPD but you should use filters in the different reports. Do not let the users change those reports.

  • Jhs security and active directory

    Hi,
    I try to use active directory for user authentication and I followed the oc4j documentation. I made a loginmodule in the system-jazn-data.xml ( in the embedded oc4j) and I changed the orion-application.xml with <jazn provider="XML" > <property name="custom.ldap.provider" value="true" /></jazn>
    I tried all the options of the security options in jheadstart but I don't see network traffic to the AD server
    thanks

    I am sorry, but support in using JAAS to access AD is outside the scope of this forum.
    Try the OC4J forum, and post the log messages you get in the jdev console there.
    Steven Davelaar,
    JHeadstart Team.
