
OBIEE Security Implementation (Part 1): Basics

On a recent project I had to focus on security in OBIEE, so I thought I'd consolidate my knowledge and share it with you here. This first part covers the basics: what Authentication and Authorization are, and the different ways to achieve them.

Purpose of Security in OBIEE


Before starting, let's understand the need for security. OBIEE is a reporting tool in which multiple users belonging to multiple groups create multiple reports and dashboards. Reports created by a particular group of users should be visible to that group only, or some specific data should be visible only to a specific set of people. To achieve this, we need security that protects the reports belonging to one group's users from the users of other groups. We achieve this by using Users and Groups to set permissions.

Security Manager
Security Manager is an administration utility that displays all the security information for a repository.

End users who use OBIEE for reporting need to be defined somewhere. These users, with their respective passwords, can be defined in the OBIEE RPD, in external database tables, on LDAP servers or in Active Directory. The BI Server Administrator user account is created automatically when a repository is created and cannot be deleted.

Figure 1. Showing where OBIEE RPD users can be added.


Creating several users in the RPD can be cumbersome and also increases the size of the RPD. The best practice is therefore to create the users and groups in the DB (or add them in AD/LDAP) and associate them with the RPD groups by creating groups in the RPD with the same names as in the DB.

Figure 2. Showing where groups can be added.

Authentication and Authorization

Authentication means validating the user while logging in to the OBIEE application. When a user logs in, a request is sent to the BI Server asking whether this user is a valid user. Only when the BI Server validates the user is the user able to log in to the application.

Authorization means determining which objects a user is authorized to view. For example, User A might be authorized to view only a particular set of reports and dashboards, based on the security applied.

User Authentication in OBIEE:


The goal of the authentication configuration is to get a confirmation of the identity of a user based on the credentials provided. The authentication process in OBIEE is managed by the BI Server using two variables, USER and PASSWORD.

Ways of Authentication:

a) Internal Authentication
You can maintain lists of users and their passwords in the Oracle BI repository using the Administration Tool. The Oracle BI Server will attempt to authenticate users against this list when they log on.

b) LDAP
Users are authenticated based on credentials stored in LDAP. This is the BEST method of authentication in OBIEE, and it supports the company's Single Sign-On (SSO) philosophy as well.

c) External DB Authentication
We can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.

d) Database
Oracle BI Server can authenticate users through database logons. If a user has read permissions on a specified database, the user is trusted by Oracle BI Server. This is typically not a good option in real-world use, as users have to be added to the RPD users list.

e) Operating System
If a user is configured on a trusted Windows domain, an Oracle Server user of the same name does not need to be authenticated by Oracle BI Server. This is typically not a good option in real-world use, as users have to be added to the RPD users list.

Creating several users in the RPD can be cumbersome and also increases the size of the RPD. The best practice is therefore to create the users and groups in the DB (or add them in AD/LDAP) and associate them with the RPD groups by creating groups in the RPD with the same names as in the DB.

User Authorization in OBIEE:


Types of Authorization:

a) Data Level Security


Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system. This controls the type and amount of data that you can see in a report. When multiple users run the same report, the results that are returned to each depend on their access rights and roles in the organization. For example, a sales vice president sees results for all regions, while a sales representative for a particular region sees only data for that region.

b) Object Level Security


Object-level security controls the visibility of business logical objects based on a user's role. You can set up object-level security for metadata repository objects, such as subject areas and presentation folders, and for Web objects, such as dashboards and dashboard pages, which are defined in the Presentation Catalog.
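
The flow described above for External DB Authentication (c) and Data Level Security (a), modelled end to end as an added example that is not OBIEE code or part of the original post: Python with sqlite3 stands in for the BI Server and the external database. The table names, group names, the REGION session value and all sample rows are assumptions constructed for illustration, and the password column holds a salted hash rather than the password itself.

```python
import hashlib, hmac, sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_db():
    """Constructed sample data: external user/group tables plus one fact table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bi_users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, region TEXT);
        CREATE TABLE bi_user_groups (username TEXT, group_name TEXT);
        CREATE TABLE sales (region TEXT, amount INTEGER);
        INSERT INTO sales VALUES ('East', 100), ('West', 250), ('North', 75);
        INSERT INTO bi_user_groups VALUES ('vp_amy', 'SalesVP'), ('rep_bob', 'SalesRep');
    """)
    for user, pw, region in [("vp_amy", "s3cret-A", None), ("rep_bob", "s3cret-B", "West")]:
        salt = user.encode()  # constructed sample salt; use os.urandom(16) in practice
        db.execute("INSERT INTO bi_users VALUES (?, ?, ?, ?)",
                   (user, salt, _hash(pw, salt), region))
    return db

def authenticate(db, user, password):
    """Check USER/PASSWORD against the external table; return session values or None."""
    row = db.execute("SELECT salt, pw_hash, region FROM bi_users WHERE username = ?",
                     (user,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash(password, row[0])):
        return None
    # Group names in the external table match the group names defined in the RPD.
    groups = [g for (g,) in db.execute(
        "SELECT group_name FROM bi_user_groups WHERE username = ?", (user,))]
    return {"USER": user, "GROUP": groups, "REGION": row[2]}

def run_report(db, session):
    """Same report for every user; the row filter depends on the session's groups."""
    if "SalesVP" in session["GROUP"]:
        rows = db.execute("SELECT region, amount FROM sales ORDER BY region")
    elif "SalesRep" in session["GROUP"]:
        rows = db.execute("SELECT region, amount FROM sales WHERE region = ? ORDER BY region",
                          (session["REGION"],))
    else:
        return []  # user belongs to no known group: show nothing
    return rows.fetchall()
```

Logging in as the sample vice president and running the report returns all three regions, while the sample representative gets only the West row from the same report.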

OBIEE Security Implementation (Part 2): Internal Authentication will follow soon - stay tuned!
