Applying Security in an Oracle OBIEE 11g Domain

This article gives an overview of applying security in an Oracle OBIEE 11g domain. One of the main concerns partners, developers and administrators have with the new Oracle Business Intelligence (OBI) platform is how to keep confidential data safe and grant users specific permissions.

Fortunately, especially for developers, applying security has not changed much overall compared with the 10g platform; however, there are a few things to consider, such as the new application-server technology. The purpose of this article is to explain the security architecture so that protection can be applied properly to a company’s confidential data.

With the introduction of the WebLogic application server in the Oracle BI EE 11g domain, security now depends on the Oracle Fusion Middleware (OFM) infrastructure. Thanks to this OFM middle tier, security is from now on centralized and shared from a common layer.

User definitions are no longer stored in the repository as in 10g; instead, users are defined in WebLogic, which has its own LDAP server (note: this LDAP server is not recommended for more than 1,000 users). See the picture below:

[Figure 1]

To understand security properly, let’s divide this topic into two main parts: authentication and authorization. So, what does each of these mean?

Authentication is about validating credentials and allowing users to connect.

Authorization is about what a user can see once they have access to the application.

Moreover, to apply security we will use components from a platform called Oracle Platform Security Services (OPSS), which is used through different security providers.

[Figure 2]

Three security providers exist, each related to the others when applying security:

  • Authentication Provider: this deals with the user’s access based on the credentials found in the Identity Store.
  • Policy Store Provider: applies Application Roles based on the associated LDAP groups.
  • Credential Store Provider: grants credentials from OBIEE components.

After a simple installation of OBIEE 11g, three standard groups are found in the Identity Store:

  • BI Administrators: this group will contain all administrative users. (Note that for 11g the Administrator user is no longer the administrator for our BI Domain. This is defined during the 11g installation, where it is possible to set up any user as an Administrator.)
  • BI Authors: this group is for developer users.
  • BI Consumers: this group is created for BI users.

Also, with a simple installation three out-of-the-box Roles are created:

  • BI Administrator Role: this role is mapped to BI Administrators group
  • BI Author Role: this role is mapped to BI Authors group
  • BI Consumer Role: this role is mapped to BI Consumers group
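
As an added example (not part of the original article and not Oracle tooling), the following Python script resolves each user's Application Roles through group membership and reports where a domain has drifted from the out-of-the-box mapping listed above. The user names, the sample data and the function names are constructed for illustration; a real review would load the group memberships and role mappings exported from the domain.

```python
# Added example: audit group -> Application Role mappings against the
# out-of-the-box baseline described in the article. All data is constructed.

BASELINE = {  # default role -> mapped groups, as listed in the article
    "BI Administrator Role": {"BI Administrators"},
    "BI Author Role": {"BI Authors"},
    "BI Consumer Role": {"BI Consumers"},
}
EMBEDDED_LDAP_LIMIT = 1000  # article: embedded LDAP not recommended above this

def effective_roles(user_groups, role_map):
    """Return {user: set of Application Roles} resolved via group membership."""
    return {
        user: {role for role, groups in role_map.items() if groups & membership}
        for user, membership in user_groups.items()
    }

def audit(user_groups, role_map):
    """Return findings: mapping drift, who holds the admin role, store size."""
    findings = []
    for role, groups in sorted(role_map.items()):
        extra = groups - BASELINE.get(role, set())
        if extra:  # a group mapped to this role beyond the default mapping
            findings.append(("non-baseline mapping", role, sorted(extra)))
    roles = effective_roles(user_groups, role_map)
    admins = sorted(u for u, r in roles.items() if "BI Administrator Role" in r)
    findings.append(("administrators", "BI Administrator Role", admins))
    if len(user_groups) > EMBEDDED_LDAP_LIMIT:
        findings.append(("identity store size", str(len(user_groups)), []))
    return findings

# Constructed sample: hypothetical users and a drifted role mapping.
SAMPLE_USERS = {
    "biadmin": {"BI Administrators"},
    "dev01": {"BI Authors"},
    "analyst01": {"BI Consumers"},
    "nogroup": set(),  # authenticates, but receives no Application Role
}
SAMPLE_ROLE_MAP = {
    "BI Administrator Role": {"BI Administrators", "BI Authors"},  # drift
    "BI Author Role": {"BI Authors"},
    "BI Consumer Role": {"BI Consumers"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_ROLE_MAP):
        print(finding)
```

In the sample, the extra mapping silently gives every member of BI Authors the administrator role, which is the kind of change that is easy to miss when reviewing roles one at a time.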

Every Role has a Security Policy associated, which is in charge of defining what a user can see and do. These permissions are divided into three areas:

  • Application Policy: BI permissions like Admin rights, Publisher access…
  • Data Access Rights: Set of permissions over the RPD metadata
  • Presentation Services Object level Access: Presentation Catalog privilege, catalog object access…

 

Sergi G
sergi.guinon@clearpeaks.com