OBIEE Step by Step Guide

October 19, 2009

OBIEE Security Permissions, Priveleges and Inheritance

Filed under: OBIEE Security — Tags: , , , — harikv @ 9:17 pm

How does OBIEE handle users? How is security enforced upon users? In what different places do you have security?

This blog is all about consolidating this information and help you easily understand what are the key points to remember in an OBIEE implementation and support.

Users are created, authenticated and authorized using different methods like LDAP, External Authentication and Database Authentoication.

Users, like in Windows AD (Active Directory), are classified into groups in OBIEE. Permissions and Priveleges (security attributes) are designated to groups and the collective permissions are propogated to each user. Do we give permissions and priveleges to each user? Probably not as its not a best practice and kills us to maintain. This is a proven paradigm in IT indusstry already.

Lets delve into what happens if the user belongs to two groups. He gets the least of permissions based on the two groups he inherited.

Ex: User A belongs to G1 and G2 groups. G1 has read and execute access on a particular object. G2 has only read access? So, what kind of priveleges does User A gets? Its just “Read” access.

Now, for the same user A, what if he gets exclusive access “Read” and “Execute” on an object? Giving exclusive accesses to users is not a best practice but for taken into consideration for this example. In this case, what happens? Well, now he has both “Read” and “Execute” priveleges. Now what if User A inherits “Deny” access through one of the groups lets say G3. Now User A is part of G1, G2, G3. Unfortunately, now the User “A” has “Deny” access effectively.

So, any “Deny” access either exclusive or through inheritance takes precedence to another type of privelege.

Is this how it works for both “Respository” and “Presentation Layer”? Did I answer one of my own questions posted above already 🙂 Yes, security is imposed on each user at both presentation level and repository level.

Now, a different question arises on which one gets enforced first? What if User “A” is denied access at the repository level? Well, in such a case, he cannot look at that particular object itself.

What if User “A” has access at the repository level but denied access at the Presentation level? Its still the same story. User “A” still has no access for that object through subject area/answers/dashboard.

Check out the documentation from Oracle regarding this (Repository Security Chapter 15 and Presentation Catalog)

The summary of the above links is copied over here for you:

Rules for Inheritance in Oracle BI

  • Any permissions or privileges given explicitly to a user override any permissions or privileges inherited from the Presentation Services group to which the user belongs.
  • If a user belongs to two groups and both groups are assigned permissions, the least restrictive permissions are given to the user.For example, if one group allows Read access and another allows Change access, the least restrictive access would be granted; in this example, Change access.NOTE:  The exception to this is if one of the two groups is explicitly denied the permissions, in which case the user is denied.
  • If a user belongs to Presentation Services group X, and Presentation Services group X belongs to Presentation Services group Y, any rule assigned to group X overrides any rule assigned to group Y.For example, if Marketing has Read permissions, Marketing Administrators, which is a member of Marketing, can have Full Control permissions.
  • Explicitly denying access takes precedence over any other permissions or privileges.

When assigning permissions or privileges it often useful to look at resolved permissions for users and groups at the bottom of the screen to make sure that everyone is inheriting correctly.

How does this help? See one of the problems I recently blogged and this clears the mud for the questions I asked myself towards the end.

As always, See you next time with one more OBIEE quirk and see how it can be solved..

Until next time, kudos to all OBIEE evangelists…….

1 Comment »

  1. if one group allows Read access and another allows Change access, the least restrictive access would be granted; in this example, Change access

    in above example read access will be least significant or not please tell me since i am new to obiee

    Comment by Hemant Raut — January 12, 2011 @ 4:45 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

%d bloggers like this: