Security
in OBIEE 11g
Key
Security Changes for Release 11g :
Some
of the key changes in OBIEE security in 11g are
- User and Groups are no longer defined in RPD
- User Profile is derived from LDAP server
- RPD is protected by RPD Password
- RPD is encrypted
- Introduction of Applications Roles
- User Administrator and Group Administrators not hard-coded in RPD
- Administrator user not used for Inter-Process Communication (component to component)
- Credential Store storage mechanism
OBIEE
11g provides a scalable default security mechanism available for immediate
implementation after installation. The default security mechanism provides
controls to manage users and groups, permission grants and credential store.
Following are the security controls that are available after the installation.
- An embedded LDAP server in WebLogic available to store users and groups known as “Identity Store”A file to store the permission grants information known as the “Policy Store”A file to store user and system credentials for inter process communication known as the “Credential Store”.
Let’s
look at the differences based on some of the common security concepts,
Authentication and Authorization.
Authentication:
In
10g default Authentication is RPD based. In 11g, the user and group definitions
are moved to a LDAP server embedded with WebLogic server known as the “Identity Store”. Users and Groups can
no longer be created in the RPD. Creation of Users and Groups and the
association of members to groups are managed in the WebLogic administration
console. WebLogic provides the default authentication provider for OBIEE 11g.
Users are authenticated by the WebLogic server based on the credentials in the
embedded WebLogic LDAP server. The embedded LDAP server is default
Authentication provider for WebLogic and hence OBIEE.
OBIEE
11g gets user, groups and other user attributes from the WebLogic LDAP server.
This also eliminates the limitation we had with previous versions of OBIEE
where only one Group for a user can be read directly from an LDAP server.
The
following screenshot shows the default Authentication provider.
WebLogic
supports integration with commercial identity management products (also known
as Authentication providers). The screenshot below lists some of the
Authentication Providers. OBIEE 11g certification matrix provides a list of all
supported Authentication Providers.
At
this time, the following Authentication providers are supported by OBIEE 11g.
- Active Directory 2003, 2008
- SiteMinder 6
- OpenLDAP 2.2.x
- Sun Java System Directory Server version 6.3
- eDirectory 8.8
The
following screenshot shows the users created in the WebLogic administration
console. By default users and groups are created using Oracle WebLogic Server
Administration Console. The following screenshot shows the groups
created using WebLogic administration console
The
following screenshot shows the groups created using WebLogic administration
console.
The
following screenshot shows the members associated to the groups in the WebLogic
administration console.
The
users and groups created in the WebLogic administration console can be viewed
in the OBIEE administration console. Before looking at the users in the RPD,
since we are discussing about the changes in Authentication, I would like to
cover the RPD password. In OBIEE 11g, every RPD is protected by an RPD
password. Remember, there are no “Administrator” user and “Administrators”
group in OBIEE 11g. Look at the RPD creation screenshot below. The RPD creation
utility, requests a password to protect the RPD. The same password is also used
to encrypt the password. In 10g only a few critical elements in the RPD were
encrypted. In 11g, the entire RPD is encrypted.
Let’s
take a look at the users that were created in the WebLogic admin console in
OBIEE administration console. Note that the menu item “Security” in 10g got
changed to “Identity” in 11g.
In
the screenshot below, we see that the users created using the WebLogic
administration console and stored in the WebLogic embedded LDAP server is being
displayed by the OBIEE administration console.
Note
that there is no option to create a user or a group in the menu from the
screenshot below. The OBIEE administration tool only displays users defined in
the WebLogic embedded LDAP server. There is a new menu item “Application
Roles”. I will cover this when discussing the changes in Authorization.
Even
though the underlying embedded WebLogic identity store is a LDAP server, OBIEE
server does not use the “Authentication” initialization block for the default
LDAP server embedded within the WebLogic server. The default WebLogic
authenticator is a replacement for the OBIEE authentication for users defined
in the RPD in 10g. This gives us two options to integrate an external LDAP
server with OBIEE for authentication. The external LDAP server can be integrated
with WebLogic server as an additional authentication provider or by integrating
the LDAP server with OBIEE like in 10g by registering the LDAP server in the
RPD and creating an “Authentication” initialization block based on the
registered LDAP server. The recommended approach going forward is to integrate
all authentication providers at the WebLogic level.
In
my next blog entry I will discuss about the changes to “Authorization” in OBIEE
11g, the applications roles, policy store and the credential store.
Authorization:
Authorization
in 10g was achieved using a combination of Users, Groups and association of
privileges and object permissions to users and Groups. Two keys changes to
Authorization in OBIEE 11g are:
- Application Roles
- Policies / Permission Groups
Application Roles are introduced in OBIEE
11g. An application role is specific to the application. They can be mapped to
other application roles defined in the same application scope and also to
enterprise users or groups, and they are used in authorization decisions. Application roles in 11g
take the place of Groups
in 10g within OBIEE application. In OBIEE 10g, any changes to corporate LDAP
groups require a corresponding change to Groups and their permission
assignment. In OBIEE 11g, Application roles provide insulation between
permission definitions and corporate LDAP Groups. Permissions are defined at
Application Role level and changes to LDAP groups just require a reassignment
of the Group to the Application Roles.
Permissions
and privileges are assigned to Application Roles and users in OBIEE 11g
compared to Groups and Users
in 10g. The diagram below shows the relationship between users, groups and
application roles. Note that the Groups shown in the diagram refer to LDAP
Groups (WebLogic Groups by default) and not OBIEE application Groups.
The
following screenshot compares the permission windows from Admin tool in 10g vs
11g. Note that the Groups in the OBIEE 10g are replaced with Application Roles
in OBIEE 11g. The same is applicable to OBIEE web catalog objects.
The
default Application Roles available after OBIEE 11g installation are
BIAdministrator, BISystem, BIConsumer and BIAuthor.
Application policies are the authorization
policies that an application relies upon for controlling access to its
resources. An Application Role is defined by the Application Policy. The
following screenshot shows the policies defined for BIAdministrator and
BISystem Roles.
Note
that the permission for impersonation is granted to BISystem Role. In OBIEE
10g, the permission to manage repositories and Impersonation were assigned to
“Administrators” group with no control to separate these permissions in the
Administrators group. Hence user “Administrator” also had the permission to
impersonate. In OBI11g, BIAdministrator does not have the permission to
impersonate. This gives more flexibility to have multiple users perform
different administrative functions.
Application
Roles, Policies, association of Policies to application roles and association
of users and groups to application roles are managed using Fusion Middleware
Enterprise Manager (FMW EM). They reside in the policy store, identified by the
system-jazn-data.xml file. The screenshots below show where
they are created and managed in FMW EM.
The
following screenshot shows the assignment of WebLogic Groups to Application
Roles.
The
following screenshot shows the assignment of Permissions to Application Roles
(Application Policies).
Note: Object level permission
association to Applications Roles resides in the RPD for repository objects.
Permissions and Privilege for web catalog objects resides in the OBIEE Web
Catalog. Wherever Groups were used in the web catalog and RPD has been replaced
with Application roles in OBIEE 11g.
Following
are the tools used in OBIEE 11g Security Administration:
Users and Groups are
managed in Oracle WebLogic Administration console (by default). If WebLogic is
integrated with other LDAP products, then Users and Groups needs to managed
using the interface provide by the respective LDAP vendor – New in OBIEE 11g
Application
Roles and Application Policies are managed in Oracle Enterprise Manager -
Fusion Middleware Control – New
in OBIEE 11g
Repository object
permissions are managed in OBIEE Administration tool – Same as 10g but the assignment is to Application
Roles instead of Groups
Presentation Services
Catalog Permissions and Privileges are managed in OBI Application
administration page - Same as
10g but the assignment is to Application Roles instead of Groups
Credential Store: Credential Store is a
single consolidated service provider to store and manage the application
credentials securely. The
credential store contains credentials that either user supplied or system
generated. Credential store in OBIEE 10g is file based and is managed using
cryptotools utility. In 11g, Credential store can be managed directly from the
FMW Enterprise Manager and is stored in cwallet.sso file. By default, the Credential Store stores password
for deployed RPDs, BI Publisher data sources and BISystem user. In addition,
Credential store can be LDAP based but only Oracle Internet Directory is
supported right now.
As
you can see OBIEE security is integrated with Oracle Fusion Middleware security
architecture. This provides a common security framework for all components of
Business Intelligence and Fusion Middleware applications.
how to get the revenue upto 3 decial places, with out using data fornate,
ReplyDeletei tried truncate, but not able to get the result which i wnat ,
can any one help?