Security Topics in Oracle Business Intelligence (OBIEE)
There are 4 important topics we should discuses about, they are:
1. Define security in the repository.
2. External table authentication.
3. LDAP authentication.
4. Database authentication.
Define security in the repository: In the Oracle BI Administration tool we can create users and groups to define permissions and authentication. We then grant permissions to users and groups.
Note: The privileges which are exclusively granted to a user have precedence over group’s privileges. Also, in case of a conflict the least restrictive privileges apply.
LDAP Authentication: Many compnies prefer implementing LDAP (Lightweight Directory Access Protocol) server authentication. many clients uses ADSI (Active Directory Service Interface) for their projects.
When asked about how LDAP is set up you can say that, in the security manager create an LDAP server. For this in security manager we go to Action> New> LDAP Server. This brings us to LDAP Server dialog box, where we fill in the parameters like Name, Host Name, Port No., LDAP Version (Default 3), Base DN, Bind DN in general settings. We also define settings in Advanced tab where we fill in Connection Time-Out, Domain Identifier, Enable/Disable SSL etc.
We then created an LDAP initialization block, which was associated with the LDAP Server. Here, we define USER as our system variable which is mapped to LDAP uid.
Note: We can also use LDAP server only to import user and group definitions. This is used when we don’t want external authentication by LDAP.
External Table Authentication:To implement this we have to create a table in the database which will have columns to define users, password, and groups, log level, display name, etc. information to define security and privileges. To use this table for authentication in OBIEE we created a new connection pool in the physical layer to connect to this db/table. Then we have to create an initialization block using the newly defined connection pool for this table. We then defined the initialization string (e.g. select username, password, lognumber, groupname from auth_table where username = ‘:USER’ and password = ‘:PASSWORD’). We then defined the corresponding variables (e.g. USER, PASSWORD, LOGLEVEL, GROUP etc.). We have to make sure that the order of variables is same as the initialize.
Database Authentication: We first make changes in our NQSConfig.ini file. In the security section, we specify our authentication database. Then we create users in the repository which are same as the users in our database. We assign these users privileges. We import this database in the physical layer of our repository using the DSN of that particular database. For this particular connection pool we set up a non shared logon. This connection pool will now be used to connect to the database. If you are able to connect, then you are authenticated successfully.