On upgrade, any element in the RPD that was secured by an RPD group will become
secured by the Application Role with the same name (created during the upgrade process)
The upgrade process does not do anything with Web Groups. Web Groups continue to exist
in 11g, but customers are encouraged to replace them with Application Roles.
2015 Oracle Corporation
This is the only method able to secure data using the current responsibility of the user
This is the only method that allows Action Links back to E-Business Suite
This approach has known limitations with Delivers due to the integration with EBS Responsibilities
This approach has known issues with BI Publisher as this approach does not allow BI Publisher to impersonate a user
Please refer to Doc ID 1937856.1 for an updated method that lifts some of the limitations of the ICX cookie approach
This approach does not work with BI Office or BI Mobile or SmartView
If E-Business Suite is integrated with OID (and optionally OSSO), then BI EE can point to the same OID either via FMW
security or via Init Blocks.
Init Blocks should not rely on the availability of an ICX cookie for the user
Some customers have a separate login for BI and maintain the EBS and BI user populations independently.
Init Blocks should not rely on the availability of an ICX cookie for the user
This is the only method that allows Action Links back to Siebel
Behind the scenes this method is based on posting a UserID and Password to BI from Siebel
(&NQUSER/&NQPASSWORD method).
This method could potentially use either FMW security or Init Blocks depending on the individual implementation design
If Siebel has been configured to authenticate against LDAP (and optionally SSO), then BI EE can point to the same LDAP
either via FMW security (assuming it is a BI EE certified LDAP) or via Init Blocks.
This method has not been updated for BI 11g and is based on a 10g Technote
Behind the scenes this method is based on posting a UserID and Password/SessionID to BI from PeopleSoft
(&NQUSER/&NQPASSWORD method).
This method could potentially use either FMW security or Init Blocks depending on the individual implementation design
If PeopleSoft has been configured to authenticate against LDAP (and optionally SSO), then BI EE can point to the same
LDAP either via FMW security (assuming it is a BI EE certified LDAP) or via Init Blocks.
Other approaches may be possible including integration through the PeopleSoft portal
Method 1
Based on the BIEE 10g approach to SSO.
This approach works with both FMW security or Init Block-based authentication and authorization.
This approach is for BIEE only (i.e. not BI Publisher or RTD). BI Publisher has a similar mechanism.
The steps to configure this approach are:
1. Login to Enterprise Manager Fusion Middleware Control.
Select Business Intelligence and go to the Security tab.
Click Lock and Edit.
In the SSO drop down, select Custom SSO.
Click Apply.
Click Activate changes.
2. Modify the instanceconfig.xml file located at
mwhome/instances/instance1/config/OracleBIPresentationServicesComponent/coreapplication_obips1
a) Add/edit the following entry:
<Authentication>
<!--This Configuration setting is managed by Oracle Business Intelligence Enterprise Manager-->
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
</Authentication>
b) Create an Authentication Schema definition for CustomSSO in the same file (somewhere within the
<AuthenticationSchemas> tags, but not inside any existing <AuthenticationSchemaGroup>):
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE"
proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI" >
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user"
biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user"
biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="Proxy-Remote-User"
biVariableName="IMPERSONATE" options="required" />
</AuthenticationSchema>
Replace Proxy-Remote-User with the username variable in the HTTPHeader as per your SSO implementation
Please note that modifying the authenticationschemas.xml file is a customization that will be ignored by any
patching or upgrade. There's also a risk that the customization may not be possible in a future release. Like
any customization, you are responsible for testing the solution to make sure it is secure and works as
intended.
Please note that Oracle BI does not support using URL parameters for authentication other than the
standard &NQUSER &NQPASSWORD approach.
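As an added example (not part of the original slides), a small Python check that parses the two fragments above and flags deviations from the recipe: CustomSSO missing from EnabledSchemas, the schema nested inside a group, the header variable not marked required or reading a header other than the one your SSO front end sets, or the credential-store password not marked secure. The sample XML inside is constructed from the fragments on this page, and the header name defaults to Proxy-Remote-User as the page does.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring the configuration described on this page.
SAMPLE_INSTANCECONFIG = """<WebConfig><ServerInstance><Authentication>
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
</Authentication></ServerInstance></WebConfig>"""
SAMPLE_SCHEMAS = """<AuthenticationSchemas>
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE"
  proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
 <RequestVariable source="credStoreUser" type="auth"
  nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
 <RequestVariable source="credStorePwd" type="auth"
  nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
 <RequestVariable source="httpHeader" type="auth" nameInSource="Proxy-Remote-User"
  biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema>
</AuthenticationSchemas>"""

def enabled_schemas(instanceconfig_xml):
    """Return the comma-separated <EnabledSchemas> list from instanceconfig.xml."""
    node = ET.fromstring(instanceconfig_xml).find(".//Authentication/EnabledSchemas")
    return [s.strip() for s in node.text.split(",")] if node is not None and node.text else []

def check_custom_sso(schemas_xml, instanceconfig_xml, expected_header="Proxy-Remote-User"):
    """Return a list of findings; an empty list means both files follow the recipe above."""
    findings = []
    if "CustomSSO" not in enabled_schemas(instanceconfig_xml):
        findings.append("CustomSSO is not listed in <EnabledSchemas>")
    root = ET.fromstring(schemas_xml)
    if root.find(".//AuthenticationSchemaGroup//AuthenticationSchema[@name='CustomSSO']") is not None:
        findings.append("CustomSSO schema is nested inside an AuthenticationSchemaGroup")
    schema = root.find("./AuthenticationSchema[@name='CustomSSO']")
    if schema is None:
        return findings + ["no top-level CustomSSO AuthenticationSchema defined"]
    by_source = {v.get("source"): v for v in schema.findall("RequestVariable")}
    hdr = by_source.get("httpHeader")
    if hdr is None:
        findings.append("no httpHeader RequestVariable: nothing carries the SSO identity")
    else:
        if hdr.get("nameInSource") != expected_header:
            findings.append(f"httpHeader reads {hdr.get('nameInSource')!r}, expected {expected_header!r}")
        if hdr.get("biVariableName") != schema.get("userID"):
            findings.append("httpHeader biVariableName does not match the schema userID")
        if "required" not in (hdr.get("options") or "").split():
            findings.append("httpHeader variable is not marked required")
    pwd = by_source.get("credStorePwd")
    if pwd is None or "secure" not in (pwd.get("options") or "").split():
        findings.append("credStorePwd variable missing or not marked secure")
    return findings
```

Run it against the real files after every patch or upgrade, since the note above says the customization is ignored by patching and may silently disappear.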
Architecture Overview
Figure: component diagram showing WebLogic, OPSS, BI Publisher, Analytics, Security Service, OWSM, Identity Store (LDAP: WLS, OID, AD etc.), Policy Store (LDAP (OID) or file-based), Credential Store, MDS, OBIPS, OBIS and Scheduler.
System User Connection
Table (headings: FMW Security, Init Block, BISQLGroupLookup Provider; cells marked Supported or Not Available, with the footnotes below)
* - Not tested
*2 - Unless the user passwords are available in the underlying database to authenticate against, these Authenticators can only be used with an SSO mechanism.
*3 - Only those Authenticators related to Identity Stores that have an appropriate implementation of the OPSS UserRole API may be used. OBIEE restriction only (BIP and RTD can use multiple authenticators).
10g-Style SSO
Table (headings: FMW Security; cells marked Supported or Not Available, with the footnotes below)
* -
*2 - Both BI and E-Business Suite must appear to be in the same Internet Domain.
*3 - OBIEE restriction only (BIP and RTD can use additional authenticators)
Figure: FMW security login flow (numbered steps 1 to 12). Components: Browser; Web / bimiddleware Managed Server / analytics; Oracle BI Presentation Services; Oracle BI Server; Application Server (Weblogic domain) with Security Realm, Embedded LDAP, OPSS and Policy Store (system-jazn-data.xml). Labelled steps: the user enters UserID and Password into the /analytics Login Form; UserID and Password are used in the connection string to BI Server (ODBC); the Security Service calls the OPSS API to retrieve User/Role information; Session and Session Variables for User & Roles are returned to Presentation Services; the BI Session is returned to the browser as a cookie.
Virtualization
Follow 7.3.2.2 Configuring the Service for Multiple LDAP using Fusion Middleware Control
in this doc:
http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/idstoreadm.htm#CIAIDIFI
<Authentication>
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO-Siteminder</EnabledSchemas>
</Authentication>
Figure: SSO login flow (numbered steps 1 to 13). Components: Browser; Web / bimiddleware Managed Server / analytics; Oracle BI Presentation Services; Oracle BI Server; Application Server (Weblogic domain) with Security Realm, Embedded LDAP, OPSS and Policy Store (system-jazn-data.xml). Labelled steps: the user navigates to /analytics having previously authenticated against a supported SSO mechanism; UserID and Impersonator ID (BISystemUser) are used in the connection string to BI Server (ODBC); the Security Service calls the OPSS API to assert the user; OPSS retrieves Permissions for the Subject from the Policy Store; the Security Service calls the OPSS API to retrieve User/Role information; the Security Service returns an object to BI Server with attributes for user profile data, application roles and permissions, and the BI Session is now authenticated; Session and Session Variables for User & Roles are returned to Presentation Services; the BI Session is returned to the browser as a cookie.
System Users
BISystemUser
OracleSystemUser
Used by OWSM
By default called OracleSystemUser and a member of the OracleSystemGroup
The user name can be changed, but you need to follow the FMW documentation
By default created in the native Weblogic LDAP and referenced via the Default Authenticator. This can be changed.
See Doc ID 1359798.1 or the BI Security Guide
Types of Security
SSL
J2EE Perimeter
App Roles for Authorization
Web Groups for Authorization
Data Level Security
SSL Everywhere
SSL Configuration in Oracle Business Intelligence
One-way SSL is easy to configure.
Perimeter Security
J2EE Security
Authentication (and authorization) into the J2EE container can be inherited by the J2EE applications within that container
The Weblogic container uses Asserters and Authenticators
Figure: Business Intelligence Roles and Users mapped against the Oracle LDAP Identity Store (Groups, Users).
Data-level Security
The same as 10g
Plus new Essbase functionality