OBIEE Security

Similar Messages

• OBIEE Security 10g to 11g: Groups

  I had a Security scenario that I wanted to throw out to the forum...
  In 10g, we made use of the GROUP system variable to pull a users group membership from a database table. This was a Session Variable initialized upon each login.
  Data-level and object-level security was different for each group.
  In our environment users had the ability to switch groups, so they could be active in one of the groups and inactive in the others. We provided a form (WriteBack) that allowed them to set what group they wanted to be active for. They would then log out and log back in and have their new group assignments.
  In the Session Variable this was done by pulling in only groups that were flagged as Active. This worked great as it was done at the Session level. So I could login once and see Dashboard A, swtich my role, then log back in and NOT see Dashboard A.
  I know 11g still has the concept of WEBGROUPS, that would mimic the above, but my understanding is that Oracle is pushing the use of Application Roles.
  My question is how would the above behavior be ported over to 11g using Application Roles? I didn't think the population of an Application Role was Session Based, my belief is that it is populated when the Admin Server/Managed Servers are bought up pulling from the applcable Security Provider.
  Edited by: DustinC on Jan 19, 2012 1:29 PM
  Edited by: DustinC on Jan 20, 2012 3:54 PM
  Edited by: DustinC on Jan 22, 2012 12:45 PM
  Edited by: DustinC on Jan 23, 2012 11:40 AM

  Q1. how deploy external database security(users, groups) to OBIEE 11g.
  we used external database security in 10g. all the users and groups maintained in database and obiee rpd has security groups. repository has group information only so it is deployed groups information to obiee 11g by upgrade assistant but how can it deploy users in external database?
  Solution:
  http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
  http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
  http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
  Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
  Obiee11g is intergated with weblogic fusion middleware (Console,EM). in that console have feature to enable mulitiple LDAP authentication
  while configuring AD via weblogic console we need to give the users and group info
  Solution refer:
  http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
  http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
  Thanks
  Deva

• Report on OBIEE Security

  We use Default Authenticator and implemented the security using Weblogic console. Now my client want to see a report on the OBIEE security implemented; he want to see all the groups, roles, users listed and also interested in seeing what users and roles assigned to various groups for the project.
  Is it possible to read Weblogic security Metadata?
  Appreciate your thoughts on this.
  Thanks
  Bees

  Was my answer correct? If so, please indicate so (top right of my last post). If not, then what was your answer?

• Alternate method of implementing EBS-OBIEE security

  We have tried implementing the EBS-OBIEE security as per Metalink Note ID 555254.1(without SSO). How ever, we realised that for cookie based integration to work, both EBS, OBIEE URL need to reside on the same domain. At client location, the applications are hosted in different domains.
  Any tested/proven alternative method, where we can pass the EBS responsibilities (say Operating Unit) to OBIEE?
  Regards
  KSK

  Hi all,
  yes, the session variable ':USER' is not picking the user name, but when i hard code it to 'BI_ADMIN" this works fine.
  i have tried the following formats in the place of ':USER':
  VALUEOF(NQ_SESSION.USER)
  VALUEOF(NQ_SESSION."USER")
  VALUEOF("NQ_SESSION.USER")
  UPPER(VALUEOF(NQ_SESSION.USER))- checking if any problem with case
  None of them worked.!!
  When I remove the whole " USR.USER_NAME=':USER'
  the sql runs fine..please help

• OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

  I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
  1) Create a standard authentication/security process at an enterprise level
  2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
  3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
  4) non-EBS users must go through the OBIEE portal
  5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
  So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
  For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
  My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in an corporate-LDAP store, I was thinking to setup a dual authentication store that connects to both corporate-ldap(EBS) and the WLS-integrated LDAP(non-EBS).
  Will this work? Does anyone have a better approach they'd like to share?

  Please post the details of the application release, database version and OS.
  We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
  It could be related that OAM generated cookies are not recognized by embedded OBIEE.
  Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
  For urgent issue, please always log a SR.
  Thanks,
  Hussein

• Obiee Security, 7 Active Directories

  I have 7 separate companies with separate Active Directories (AD) for each of the companies, I am now required to set up security that will incorporate all the 7 ADs for authentication.  The problem is if I add the ADs the one at the top will be the only one that will be used, if the user is not in the first/top AD then access will be denied, is there any way I can have it in such a way that the system can try verify the user in one AD and if not there move to the next one until it gets the user and authenticate them.

  Yes you can create 7 AD Authentication Providers in WLS Console and users stores and then you can enable virtualize = true property. This will enable you to authenticate users from multiple authentication providers.
  You can read more about that here :  FYI: Enabling Virtualization (virtualize=true) and OBI-SEC-00015 ~ Ask John OBIEE - Oracle Business Intelligence Guides,…
  HTH,
  SVS

• Obiee Security Query

  Hi All,
  Can we have display a Scection in Dashborad Page to One particular User and Another Section of the Dashborad to Another User. If Both the Section are in One Single Dashborad Page.
  Many Thanks in Advance

  Hi,
  pls go through this link for applying the security in OBIEE restricting the users and to add the roles and reponsiblites.
  http://obiee2go.wordpress.com/2012/06/14/obiee-11g6-how-application-roles-groups-and-users-work-in-obiee-11g/
  Thanks,
  Yogi.

• Obiee security / Cache management scenarions and solution required

  scenario 1: Cache Mechanism implementation
  We have to develop a report which will populate the data from Cache for previous months and from database for current month simultaneously.
  Scenario 2: Security (users/groups) implementation
  We have to implement the authorisation on 20000+ roles (groups) in OBIEE. They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database.
  Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ?
  Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)"
  Example: A single report has a summary page and a detail level page. Summary page can be seen by everyone whoever logs on to the BI portal and accesses the report but when the user clicks on a figure on summary page to drill to detail he sees only his data that he has access rights to.

  scenario 1: Cache Mechanism implementation Can not be done. Either the query comes from the cache or it doesn't, it can not come from two sources.
  Scenario 2: Security (users/groups) implementation
  Question 1: How is it possible to manage more than 20000 roles (groups) , each role is having different different privileges ? Sure your requirement is to implement a specific security model not to have 20000 roles. You seem to have come with an implementation where you have 20000 roles which to me would seem like you are way off track. Could OBIEE support that? May be. Is it a good idea? Def not.
  They want it to be implemented internally in OBIEE using some script/API so that all the roles will be created and as well as updated automatically in OBIEE whenever there are some updations in their database.Whoever is "they" tell them that they are not OBIEE experts and they should not tell you how to implement things. Ask them to give you the actual business requirement rather than the "solution". You as an "OBIEE expert" should decide the best way to implement it in OBIEE. The typical approach is to have all the roles in a Database and populate the GROUP variable via a row-wise init block. Plenty of into in the forums about this. Script/API? Forget about it, not fast enough.
  Scenario 3: How can we switch on or off row-level-security for different reports (As in some reports, data does not need to be restricted)" If row-level-security is needed a the report level then you shouldn't implement it in the RPD but you should use filters in the different reports. Do not let the users change those reports.

• OBIEE Security/ports

  Is there any secured port that can be used instead of 9704/ If so, how to make the changes from default port to someother http port? What type of authentication is enabled by default for users access over the internet?
  Edited by: user4683504 on Jul 21, 2010 12:32 PM

  Hi friend,
  OBIEE can manage user access by Security Manager in Administration Tool. Security manager is used to setup users, groups, synchronize with LDAP server and to control information can be used by users/groups.
  Port 9704 uses the authentication mechanism defined on Administration Tool, for example, using LDAP and Oracle database tables with information about users.
  Regards.

• OBIEE Security Alerts

  Is there a metalink note which lists all CPU or security alerts for the OBIEE product?
  We are currently applying the latest security patches for our various oracle products but cannot find any listing for OBIEE

  I don't think there're any security patches for OBIEE, at least I'm not aware of any. I think that OBIEE isn't a security threat in itself, as long as your servers are secure.

• About the OBIEE Security

  Hi all
  I have a small issue, I need to develop security in my project.
  Some users should not see the " Business_Group_Id ",
  I went to Secutiry -> Users ->selected a user -> Permissions tab ->
  In the general tab, I hv selected the Presentation Tab's Table -> Business_group_id ->OK
  BUT STILL I AM GETTING THE BUSINESS_GROUP_ID FOR THAT USER.
  CAN ANYBODY TELL ME ANY OTHER KIND OF SECURITIES....

  You have to set permissions like this.
  In your presentation layer, Open the column properties, and click on Permissions button. It will shows you are groups and users( if not check show all users), then set the permissions.

• OBIEE Security Using VPD

  I`ve read Venkat`s blog http://oraclebizint.wordpress.com/2007/08/29/obi-ee-10133-and-vpd/
  I have an working policy on my table:
  personal_history(district_id,city_id,company_id,department_id,job_id,employee_id, salary)
  For example on my policy the chiefs of department see only information on his employees, the managers for their own department.
  My policy function is far more complicated than Venkat`s Executive_Apply. I`ve checked VPD in database connection.My shared connection is based on vpd_admin which i gave him dba role.
  I put "select set_context_function(':USER') from dual" on before query in OBIEE Connection script, still in Answers there is no difference between managers and chiefs of department in number of rows.
  Why? What i`ve done wrong?
  Thank you!
  Razvan.

  I succeded with setting context and policy, in Aswers appears different rows for managers and chiefs of department but there is another problem :
  I have two connection pool , one with user dba owner of time dimension and fact table and the other with vpd_admin (context owner).
  I also have a role in which vpd_admin has select wrights on personal_history and other tables who`s owner is dba2 (another dba user).
  The two connection pools are in the same vpd database directory in Physical Layer.
  When i gave "update rowcount" on personal_history and the other`s tables which vpd_admin has select wrights it works.Policy works. BUT after i created the role and give it to manager and chief users in Answers none of the joins with other presentation tables doesn`t work with error table not found for dimension different from personal_history dimension.
  I modified just added vpd_admin to role and checked qualified table in second connection pool (the one with vpd_admin as user) .The query from each table without joining with each other works but in combination the error is table not found!
  Any idea?
  Thanks!

• OBIEE Security Problem

  Hi experts,
  We are getting problem in security..
  1. User A having the access to dashboards 1 ,2 and 3
  When user login he is able to see all the dashboards and some time he is able to see dashboard 1 and 2 .
  He is not able to see the dashboard 3 . So where is the problem..
  Please suggest.
  Thanks,
  F

  Each user when logged in, will have an entry in NQQuery.log for the session variable to pull the groups. Just check each SQL gets run OK - failure to , will mean no groups for that session (so maybe they only then see dashboards that 'everyone' can see)

• OBIEE Security - Account IDs

  Hi,
  Can anyone help me understand the "accountids" files under the webcat\root\system\security folder?
  Thanks in advance.

  Why do you need to know about them?
  http://catb.org/~esr/faqs/smart-questions.html#goal

• [OBIEE Security] create and manage user without entreprise manager

  Currently, the user creation and role assignment is done at company manager.
  I want to allow a small group of users to manage the rights (access to reports for example) to other users. All this without going through corporate manager.
  Is this possible?
  Best regards,
  Ben

  No, you cannot create user accounts in answers. If you are using default ldap from weblogic, all the users must be created in weblogic. If you do external table authentication, then you can add as many users as you want to the table based on your needs.
  Assign points if helpful.
  Regards,
  -Amith.