Why do we need security in OBIEE?
OBIEE is a reporting tool wherein multiple users belonging to multiple groups create multiple reports and dashboards. Reports created by a particular group of users should be visible to that particular group only or some specific data should be visible to only a specific set of people. So, to achieve this we need to have some sort of security thereby we can protect reports belonging to a group of users from the users of other groups.
Users and Groups in OBIEE?
End users who make use of OBIEE for reporting need to be defined somewhere. These users can be defined either in the OBIEE RPD, External database tables, LDAP Servers or in Active directories with their respective passwords.
The users belonging to same business unit can be clubbed and Groups can be created for them. Its not always necessary to create users in the RPD but its necessary to create the groups in the RPD. Infact, creating several users in the RPD can be a cumbersome job and it will also increase the size of the RPD, so, according to the best practice create the users and groups on the DB(or add in AD/LDAP) and associate them with the RPD groups by creating groups of the same name on the RPD as in DB.
Types of Security in OBIEE?
Security in Oracle BI can be classified broadly into the following three types.
1. Object Level security/authorization
2. Data Level security/authorization
3. User Authentication / User Level Security
Authentication and Authorization?
Authentication means validating the user while logging in the OBIEE application. When a user logs in the OBIEE application a request is sent to the BI Server asking that whether this user is a valid user or not. When BI Server validates the user,then only the user is able to login in the application.
Authorization means a user is authorized to view what all objects. Example, User A might be authorized to view only particular set of reports and dashboards based on the security applied.
Now we can understand these terms in detail.
1.Object Level Security
As the name states, Object level security refers to restricting access to OBIEE objects between different users and groups. The access to following objects can be restricted using object level security: Presentation tables, Presentation table columns, Subject Areas, Reports, Dashboards, Project Specific shared folders.
Object-level security controls the visibility to business logical objects based on a user’s role.
You can set up object-level security for –
Repository level: In Presentation layer of Administration Tool, we can set Repository level security by giving permission or deny permission to users/groups to see particular table or column.
Web level: This provides security for objects stored in the Presentation Catalog, such as dashboards, dashboards pages, folder and reports. You can only view the objects for which you are authorized. For example, a mid level manager may not be granted access to a dashboard containing summary information for an entire department.
2.Data Level Security
Data Level Security is basically securing the data. Users belonging to particular group should see a certain set a data whereas users outside that groups shouldn’t see that data. Example: Users belonging to Asia group should see only the data for Asia region whereas users belonging to US region should see data for US region.
Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user’s association to data in the transactional system.
This controls the type and amount of data that you can see in a report. When multiple users run the same report, the results that are returned to each depend on their access rights and roles in the organization. For example, a sales vice president sees results for all regions, while a sales representative for a particular region sees only data for that region.
Example
Here we will look at creating and using a session variable and how to implement row level security. This is mainly used to restrict data based on the user rights. The row level security will be useful in situations like: 1. Allowing user to see data that she has access to.
2. Showing data based on current date.
3. A sales manager can be shown data in his region only. A CEO can be shown data for all regions.
2. Showing data based on current date.
3. A sales manager can be shown data in his region only. A CEO can be shown data for all regions.
In this post we look at showing units ordered in the current month. we use a security filter to filter data for the current month.
Steps;
1. The first step is to create the session variable for the current month. To do so
a. In the Administration window, click on Action – > New -> Session ->Variable.Give CURRENT_MONTH as the name of the variable. Click on ‘New’ near the initialization block.
b. Give CURRENT_MONTH_INIT as the name of the initialization block. Click on Edit Data Source.
c. A new window opens. Select the connection pool by using the browse button.
d. Use database as the data source type.
e. Type in the following query:” select month(curdate()); ” in the default initialization string.
f. Click Ok to close the dialog.
g. In the Session variable initialization block, click on edit data target.
h. select the CURRENT_MONTH variable. Click on Ok.
i. Click on ok to create the session variable.
Steps;
1. The first step is to create the session variable for the current month. To do so
a. In the Administration window, click on Action – > New -> Session ->Variable.Give CURRENT_MONTH as the name of the variable. Click on ‘New’ near the initialization block.
b. Give CURRENT_MONTH_INIT as the name of the initialization block. Click on Edit Data Source.
c. A new window opens. Select the connection pool by using the browse button.
d. Use database as the data source type.
e. Type in the following query:” select month(curdate()); ” in the default initialization string.
f. Click Ok to close the dialog.
g. In the Session variable initialization block, click on edit data target.
h. select the CURRENT_MONTH variable. Click on Ok.
i. Click on ok to create the session variable.
2. The next step is to use this session variable to filter the result for this month.
a. In the Administration tool. click on Manage -> Security.
b. Create a new User called MonthlyUser.
c. Create a new group called MonthlyUserGroup. Assign MonthlyUser to this group.
d. Open the MonthlyUserGroup dialog and click on Permissions.
e. Click the tab that says filters. Click on ‘Add’
f. In the name of the filter select the name of the table that you want to apply the filter on.
a. In the Administration tool. click on Manage -> Security.
b. Create a new User called MonthlyUser.
c. Create a new group called MonthlyUserGroup. Assign MonthlyUser to this group.
d. Open the MonthlyUserGroup dialog and click on Permissions.
e. Click the tab that says filters. Click on ‘Add’
f. In the name of the filter select the name of the table that you want to apply the filter on.
g. Click on the ellipsis in the business model filter column. Apply the filter
h. The group is now created.
h. The group is now created.
3. Login to BI answers using the MonthlyUser user. Select the columns from the store database. view results. You will notice that the results show data for the current month only.If you login by a user from the administrators group, data for all months will be visible.
3.User Authentication in OBIEE
The goal of the authentication configuration is to get a confirmation of the identity of a user based on the credentials provided.
In OBIEE, the credentials provided are hold in this two variables:
In OBIEE, the credentials provided are hold in this two variables:
- USER
- PASSWORD
The authentication process in OBIEE is managed by the BI Server.
OBIEE Support four types of authentication
- LDAP Authentication : Users are authenticated based on credentials stored in LDAP.This is the BEST method to do authentication in OBIEE and it supports company’s Single Sign On (SSO) philosophy as well.
- External Table Authentication : you can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.
- Database Authentication : The Oracle BI Server can authenticates user based on database logins. If a user has read permission on a specific database. Oracle BI Presentation Services authenticates those users.
- Oracle BI Server User Authentication: You can maintain lists of users and their passwords in the Oracle BI repository using the Administration Tool. The Oracle BI Server will attempt to authenticate users against this list when they log on.
This is the home page of WLS console
Click on Security Realms
In Security realms page click on “myrealm”
Go to “Users and Groups” tab>”Groups”>New and add a new WLS group called DieselModelViewers_WLS
Go to “Users and Groups” tab>”User”>New and add a new user called diesel_user
Associate the diesel_user to DieselModelViewers_WLS group
Next log on to Enterprise Manager (URL http://localhost_ip:7001/em)
Object and Data Security Setup
Log in to the rpd and click Manage>Identity
Go to the Application Roles tab, check that the newly created Application role “DieselModelViewer” is visible
Click on Permissions button
We can now define a new data filter for the DieselModelViewers group, click on
Define a new security filter for the above application role as shown above.
Data security is done, next lets see object security.
We want to hide the presentation table WB_TEST from members of DieselModelViewers application role, like diesel_user. Double click on WB_TEST table and the above window opens up, click on permissions Deny permission to DieselModelViewers by clickingNoAccess.This will restrict diesel_user from seeing WB_TEST table in his subject area.
Next log in to Answers/Analysis page.
Lets check a report that has all fuel types, since an admin user can see all fuel types we will choose to see it from weblogic user