OBIEE Step by Step Guide

October 29, 2009

OBIEE Security FAQ Explained

How is security set up in OBIEE?  How many methods of security can be set up in OBIEE..

Lets start with Authentication and Authorization. 

Authentication is process of confirming whether the user is a valid user or not. Is he part of this company? Is he an employee of our external suppliers?

 Authorization is process of giving access to different pieces of the OBIEE. One user “UserA” can access dashboards, can create iBots, can schedule reports and can do administrative tasks. Another user “UserB” can see only part of what “UserA” has access to and “UserB” has access to some other tabs of the dashboard that “UserA” does not.

This layer of separating who can access what is done as part of Authorization.

How does OBIEE handle Authentication?

Its very flexible and can be integrated to one of your existing technologies like LDAP, Oracle EBS, AD, Oracle Database. So, do the same username have to exist in OBIEE security layer as part of rpd development? Yes, by default, OBIEE stores list of usernames and passwords and checks incoming credentials against it. 

Heard about External Table Authentication? Where does this come into play?

Instead of storing usernames and passwords directly in the rpd, these are stored in the database for better management purposes. This also helps in rpd migration and deployment across multiple environments.

 How is Authorization handled in OBIEE?

Authorization is done as part of security in Presentation Services.

 Does OBIEE have two layers of security?

Yes, first at the rpd level and second at the presentation services level.

Do you have to have the same username established at both rpd and presentation services levels for this to work?

Not necessarily based on my knowledge.. I will let others comment on this 🙂

What kind of priveleges can be granted from presentation services level?

Access to iBots, certain tabs in the dashboard, delivers, alerts, schedule reports etc etc..

Why is OBIEE security different compared to other BI tools?

Because its very flexible and can integrate into any existing security architecture an organization has built and reduces the need for one more layer of administration.. 

Did Oracle OBIEE did a good job of communicating and convincing the user community regarding the security architecture?

Probably not.. I understand the complexity behind this and the mere flexibility of the tool makes this even difficult.

 Until next time, kudos to all OBIEE evangelists

Thanks for your feedback……

 

Advertisements

4 Comments »

  1. I am new to OBIEE and am trying to get a handle on security. I can find very few resources and no definitive answers to some questions. I’m hoping you or someone who follows your blog will be able to help.

    As far as I have been able to figure out, the basic security model for OBIEE is a user gets access to everything until I take something away. This is the reverse of every other system I know of.

    My system is set up to use external authentication to MSAD via Oracle Hyperion Shared Services. I can restrict data in the repository by creating groups with filters. I can add users to those groups in Shared Services and, once I bounce the BI Server, the users will be restricted. If they login before I recycle the BI Server, they see everything. I can set up groups to restrict access to reports in Presentation Services. But I can’t add a user to a group until they first login once. Until a user logs in, their ID is not in the list of users that I can choose from to add to groups. The first time they login, they get everything.

    Is this correct? Am I missing something?

    Comment by Jerry — January 28, 2010 @ 12:22 am

    • Hi Jerry
      I am kind of new just like you regarding the Hyperion and OBIEE integration. I would let others comment regarding this.

      Any takers ??

      Comment by harikv — January 28, 2010 @ 1:51 am

  2. how does we set up security for 200thousand users in obiee

    Comment by raghu — January 16, 2011 @ 8:16 am

    • LDAP, Active Directory is the only answer coupled with setting up external database.

      Comment by harikv — January 21, 2011 @ 6:58 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: