An Alias tab appears on the Presentation Catalog, Presentation Table, and Presentation Column dialog boxes. You can use this tab to specify or delete an alias for the Presentation layer objects.
OBIEE , INFORMATICA, OBIA DAC TRAINING FOR DETAILS CALL 09959531832 email ID: obieetraining03@gmail.com
Presentation Columns
The presentation column names are, by default, identical to the logical column names in the Business Model and Mapping layer. However, you can present a different name by clearing both the Use Logical Column Name and the Display Custom Name check boxes in the Presentation Column dialog box.
To provide a convenient organization for your end users, you can drag and drop a column from a single logical table in the Business Model and Mapping layer onto multiple presentation tables. This allows you to create categories that make sense to the users. For example, you can create several presentation tables that contain different classes of measures—one containing volume measures, one containing share measures, one containing measures from a year ago, and so on.
- General. Use this tab to create or edit presentation columns.
- Aliases. Use this tab to specify or delete an alias for a presentation column.
- Right-click a presentation table in the Presentation layer, and then choose New Presentation Column.
- In the Presentation Column dialog box, to use the name of the logical column for the presentation column, select the Use Logical Column check box.
- To specify a name that is different from the Logical Column name, clear the Use Logical Column check box, and then type a name for the column.
- To assign user or group permissions to the column, click Permissions.
- In the Permissions dialog box, assign permissions, and then click OK. For more information about assigning permissions, refer to Setting Permissions for Repository Objects.
- To select the logical column, click Browse.
- In the Browse dialog box, select the column, and then click Select.
- (Optional) Type a description of the presentation column.
- To define any aliases for the logical column, click the Aliases tab.
- In the Business Model and Mapping layer, double-click the presentation column.
- In the Presentation Column dialog box, click Edit.
- In the Logical Column dialog box, make any changes or review the information, and then click OK.
Labels:physical layer
Presentation Layer
Presentation Tables
You can use presentation tables to organize columns into categories that make sense to the user community. Presentation tables in the Presentation layer contain columns. A presentation table can contain columns from one or more logical tables. The names and object properties of the presentation tables are independent of the logical table properties.
The Presentation Tables dialog box has three tabs: General, Columns, and Aliases. The functionality provided in each tab is described in the following list:
- Right-click a catalog folder in the Presentation layer, and then select New Presentation Table from the shortcut menu.
- In the General tab, specify a name for the table.
- Click the Permissions button to open the Permissions dialog box, where you can assign user or group permissions to the table. For more information about assigning permissions to a presentation table, refer to Setting Permissions for Repository Objects.
- (Optional) Type a description of the table. NOTE: To give the appearance of nested folders in Answers, prefix the name of the presentation folder to be nested with a hyphen and a space and place it after the folder in which it nests (- <folder name>). For example, to nest the Sales Facts folder in the Facts folder, place the Sales Facts folder directly after Facts in the metadata and change its name to - Sales Facts. When Answers displays the folder name in the left pane, it omits the hyphen and space from the folder name. To nest a second folder, for example Marketing Facts, in the Facts folder, change its name to - Marketing Facts and place it directly after Sales Facts. The standard preconfigured repositories provide additional examples for you to review.
- In the Presentation layer, right-click a catalog and select Properties.
- In the Presentation Catalog dialog box, click the Presentation Tables tab.
- In the Presentation Tables tab, select a table and click Remove.
- Click Yes to remove the table, or No to leave the table in the catalog.
- Click OK.
Labels:physical layer
Presentation Layer
Presentation Catalogs
In the Presentation layer, presentation catalogs (subject areas) allow you to show different views of a business model to different sets of users. Presentation catalogs have to be populated with contents from a single business model. They cannot span business models.
When creating a presentation catalog, selecting the option Export logical keys causes any columns in the Presentation layer that are key columns in the Business Model and Mapping layer to be listed as key columns to any ODBC client. This is the default selection. In most situations, this option should be selected. Many client tools differentiate between key and nonkey columns, and the option Export logical keys provides client tools access to the key column metadata. Any join conditions the client tool adds to the query, however, are ignored; the Oracle BI Server uses the joins defined in the repository.
If you set an implicit fact column this column will be added to a query when it contains columns from two or more dimension tables and no measures. The column is not visible in the results. It is used to specify a default join path between dimension tables when there are several possible alternatives.
The Presentation Catalog dialog box has three tabs: General, Presentation Tables, and Aliases. The functionality provided in each tab is described in the following list:
- In the Presentation layer, right-click and select New Presentation Catalog.
- In the Presentation Catalog dialog box, in the General tab, type a name for the presentation catalog and click Permissions.
- In the Permissions dialog box, assign user or group permissions to the catalog folder, and then click OK. For more information about assigning permissions to a presentation catalog, refer to Setting Permissions for Repository Objects.
- In the Presentation Catalog dialog box, from the Business Model drop-down list, select a business model.
- To expose the logical keys to other applications, select the option Export logical keys.
- (Optional) Type a description of the catalog folder.
- Set an Implicit Fact Column.
- Click OK.
Labels:physical layer
Presentation Layer
Presentation Layer Objects
The Presentation layer adds a level of abstraction over the Business Model and Mapping layer. It is the view of the data seen by client tools and applications.
The Presentation layer provides a means to further simplify or customize the Business Model and Mapping layer for end users. For example, you can hide key columns or present the schema as a single table. Simplifying the view of the data for users makes it easier to craft queries based on users' business needs.
Labels:physical layer
Presentation Layer
Presentation Layer
The Presentation layer provides a way to present customized views of a business model to users. Presentation Catalogs in the Presentation layer (called Subject Area in Oracle Answers) are seen as business models by Oracle BI Presentation Services users. They appear as catalogs to client tools that use the Oracle BI Server as an ODBC data source. The following topics describe the Process of creating the Presentation layer.
NOTE: In offline editing, remember to save your repository from time to time. You can save a repository in offline mode even though the business models may be inconsistent.
Copy Business Models to Publish to Users
There are several ways to create a Presentation Catalog in the Presentation layer. The recommended method is to drag and drop a business model from the Business Model and Mapping layer to the Presentation layer, and then modify the Presentation layer based on what you want users to see. You can move columns between presentation tables, remove columns that do not need to be seen by the users, or even present all of the data in a single presentation table. You can create presentation tables to organize and categorize measures in a way that makes sense to your users.
Remove Any Unneeded or Unwanted Columns
One important reason to use a custom Presentation layer is to make the schema as easy to use and understand as possible. Therefore, users should not be able to view columns that have no meaning to them. The following columns are examples of columns that you might want to remove from the Presentation layer:
- Key columns that have no business meaning.
- Columns that users do not need to view (for example, codes, when text descriptions exist).
- Columns that users are not authorized to see.
NOTE: You can also restrict access to tables or columns in the security layer. For more information, refer to Security in Oracle BI.
Rename Presentation Columns to User-Friendly Names
By default, presentation columns have the same name as the corresponding logical column in the Business Model and Mapping layer. However, you can specify a different name to be shown to users by changing the name in the Presentation Column dialog box. Whenever you change the name of a presentation column, an alias is automatically created for the old name, so compatibility to the old name remains.
Export Logical Keys in the Presentation Catalog
For each presentation catalog in the Presentation layer, decide whether to export any logical keys as key columns to tools that access it in the Presentation Catalog dialog box. Exporting logical keys is irrelevant to users of Oracle BI Presentation Services, but it may be advantageous for some query and reporting tools. If you decide to export logical keys, be sure the logical key columns exist in the table folders. In this situation, your business model should use logical key/foreign key joins.
When you select the option Export logical keys in the Presentation Catalog dialog box, any columns in the Presentation layer that are key columns in the Business Model and Mapping layer are listed as key columns to any ODBC client. This is the default selection. In most situations, this option should be selected.
Labels:physical layer
Presentation Layer
Managing Query Execution Privileges
The Oracle BI Server allows you to exercise varying degrees of control over the repository information that a user can access.
Controlling query privileges allows you to manage the query environment. You can put a high level of query controls on users, no controls, or somewhere in between. The following list contains some types of activities you may want to limit:
- Restricting query access to specific objects, including rows and columns, or time periods
- Objects. If you explicitly deny access to an object that has child objects, the user will be denied access to the child objects. For example, if you explicitly deny access to a particular physical database object, you are implicitly denying access to all of the physical tables and physical columns in that catalog. If a user or group is granted or disallowed privileges on an object from multiple sources (for example, explicitly and through one or more groups), the privileges are used based on the order of precedence, as described in Group Inheritance.
- Time periods. If you do not select a time period, access rights remain unchanged. If you allow or disallow access explicitly in one or more groups, the user is granted the least restrictive access for the defined time periods. For example, suppose a user is explicitly allowed access all day on Mondays, but belongs to a group that is disallowed access during all hours of every day. This means that the user will have access on Mondays only.
- Objects. If you explicitly deny access to an object that has child objects, the user will be denied access to the child objects. For example, if you explicitly deny access to a particular physical database object, you are implicitly denying access to all of the physical tables and physical columns in that catalog.
- Controlling runaway queries by limiting queries to a specific number of rows or maximum run time
- Limit queries by setting up filters for an object
All restrictions and controls can be applied at the user level, at the group level, or a combination of the two.
- From the Administration Tool menu bar, choose Manage > Security.
- In the Security Manager dialog box, in the tree pane, select Users or Groups.
- In the right pane, right-click the name that you want to change and select Properties.
- In the User or Group dialog box, click Permissions.
- In the User/Group Permissions dialog box, click the General tab and perform the following steps:
- In the General tab, to explicitly allow or disallow access to one or more objects in the repository, click Add.
- In the Browse dialog box, in the Name list, select the objects you want to change, and then click Select.
- In the User/Group Permissions dialog box, assign the permissions by selecting or clearing the Read check box for each object. (Default is a check) If the check box contains a check, the user has read privileges on the object. If the check box contains an X, the user is disallowed read privileges on the object. If it is blank, any existing privileges (for example, through a group) on the object apply.For more information about assigning permissions, refer to Setting Permissions for Repository Objects.
- To explicitly allow or disallow populate privilege or the ability to execute direct database requests for specific database objects, perform the following steps:
- Click the Query Limits tab and select the database.
- In the Populate Privilege drop-down list, select Allow or Disallow.
- To explicitly allow or disallow the ability to execute direct database requests for specific database objects, in the Execute Direct Database Requests drop-down list, select Allow or Disallow.
- Click OK twice to return to the Security Manager dialog box.
- From the Administration Tool menu bar, choose Manage > Security.
- In the Security Manager dialog box, in the tree pane, select Users or Groups.
- In the right pane, right-click the name that you want to change and select Properties.
- In the User or Group dialog box, click the Permissions tab.
- In the User/Group Permissions dialog box, click the Query Limits tab and expand the dialog box to view all columns.
- To specify or change the maximum number of rows each query can retrieve from a database, in the Query Limits tab, perform the following steps:
- In the Max Rows column, type the maximum number of rows.
- In the Status Max Rows field, select a status using Table 39 as a guide.
- Click OK twice to return to the Security Manager dialog box.
- From the Administration Tool menu bar, choose Manage > Security.
- In the Security Manager dialog box, in the tree pane, select Users or Groups.
- In the right pane, right-click the name that you want to change and select Properties.
- In the User or Group dialog box, click the Permissions tab.
- In the User/Group Permissions dialog box, click the Query Limits tab and expand the dialog box to view all columns.
- To specify the maximum time a query can run on a database, in the Query Limits tab, perform the following steps:
- In the Max Time column, select the number of minutes.
- From the Status Max Time drop-down list, select a status using Table 39 as a guide.
- To restrict access to a database during particular time periods, in the Restrict column, click the ellipsis button.
- In the Restrictions dialog box, perform the following steps:
- Click OK twice to return to the Security Manager dialog box.
- From the Administration Tool menu bar, choose Manage > Security.
- In the Security Manager dialog box, in the tree pane, select Users or Groups.
- In the right pane, right-click the name that you want to change and select Properties.
- In the User or Group dialog box, click Permissions.
- In the User/Group Permissions dialog box, click the Filters tab.
- In the Filters tab, to add an object to filter, perform the following steps:
- In the User/Group Permissions Filters dialog box, perform the following steps:
- In the Expression Builder dialog box, create a logical filter, and then click OK.
- In the User/Group Permissions Filters dialog box, from the Status drop-down list, select a status using Table 39 as a guide.
- Click OK twice to return to the Security Manager dialog box.
Assigning Populate Privilege to a User or Group
When a criteria block is cached, the Populate Stored procedure writes the Cache/Saved Result Set value to the database.
NOTE: Any Marketing user who writes a cache entry or saves a result set needs to be assigned the POPULATE privilege for the target database. All Marketing segmentation users and groups need to be assigned this privilege. Typically, all Marketing users are associated with a group and this group is granted the privilege. For more information about marketing cache, refer to the topic about setting up cache for target levels in the documentation for Oracle's Siebel Marketing application.
- From the Administration Tool menu bar, choose Manage > Security.
- In the Security Manager dialog box, in the tree pane, select Users or Groups.
- In the right pane, right-click the name that you want to change and select Properties.
- In the User or Group dialog box, click Permissions.
- In the User/Group Permissions dialog box, select the Query Limits tab.
- In the Query Limits list, expand the dialog box to view all columns.
- From the Populate Privilege drop-down list, select Allow or Disallow.
- Click OK twice to return to the Security Manager dialog box.
Labels:physical layer
security
Order of Authentication
If the user does not type a logon name, then OS authentication is triggered, unless OS authentication is explicitly turned off in the NQSConfig.INI file. For more information, refer to Oracle Business Intelligence Enterprise Edition Deployment Guide. Additionally, OS authentication is not used for Oracle BI Presentation Services users.
The Oracle BI Server populates session variables using the initialization blocks in the desired order that are specified by the dependency rules defined in the initialization blocks. If the server finds the session variable USER, it performs authentication against an LDAP server or an external database table, depending on the configuration of the initialization block with which the USER variable is associated.
Labels:physical layer
security
Maintaining Oracle BI Server User Authentication
You can maintain lists of users and their passwords in the Oracle BI repository using the Administration Tool. The Oracle BI Server will attempt to authenticate users against this list when they log on unless another authentication method has already succeeded, or database authentication has been specified in the NQSConfig.INI file.
Refer to Order of Authentication for additional information.
The Oracle BI Server user IDs are stored in nonencrypted form in an Oracle BI repository and are caseinsensitive. Passwords are stored in encrypted form and are casesensitive. The Oracle BI Server user IDs can be used to access any business model in a repository provided that the users have the necessary access privileges. User IDs are valid only for the repository in which they are set up. They do not span multiple repositories.
NOTE: If you are using LDAP or external table authentication, passwords are not stored in the Oracle BI repository.
For information about configuring user authentication, refer to Oracle Business Intelligence Enterprise Edition Deployment Guide.
Changing Oracle BI Server User Passwords
- Select Manage > Security.
- In the Security Manager dialog box, select Users in the left pane.
- In the right pane, right-click the user whose password you want to change.
- Select Properties from the shortcut menu.
- In the User tab, type the new password.
- In the Confirm Password text box, type the password again, and then click OK
Labels:physical layer
security
Delivers and Database Authentication
In Oracle BI Applications, users are always created in the operational application database, never in the Oracle BI repository. The Oracle BI repository is preconfigured for database authentication.
Oracle BI Scheduler Server runs Delivers jobs for users without accessing or storing their passwords. Using a process called impersonation, the Scheduler uses one user ID and password with Oracle BI Administrator privileges that can act on behalf of other users. The Scheduler initiates an iBot by logging on to Oracle BI Presentation Services with that Oracle BI Administrator ID and password.
For Delivers to work, all database authentication must be performed in only one connection pool, and that connection pool can only be selected in an initialization block for the USER system session variable. This is typically called the Authentication Initialization Block. When impersonation is used, this initialization block is skipped. All other initialization blocks must use connection pools that do not use database authentication.
CAUTION: Using an authentication initialization block is the only initialization block in which it is acceptable to use a connection pool in which :USER and :PASSWORD are passed to a physical database.
For other initialization blocks, SQL statements can use :USER AND :PASSWORD. However, because Oracle BI Scheduler Server does not store user passwords, the WHERE clause must be constructed as shown in the following example:
select username, groupname, dbname, schemaname from users
where username=':USER'
NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE
where username=':USER'
NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE
NOTE: When impersonation is used, everything in the parentheses is extracted from the SQL statement at runtime.
For more information, refer to the Oracle BI Delivers examples in Selecting and Testing the Data Source and Connection Pool.
Labels:physical layer
security
Database Authentication
The Oracle BI Server can authenticate users through database logons. If a user has read permission on a specified database, the user will be trusted by the Oracle BI Server. Unlike operating system authentication, this authentication can be applied to Oracle BI Presentation Services users. For information, refer to About Oracle BI Delivers and Database Authentication.
Database authentication can be used in conjunction with external table authentication. If external table authentication succeeds, then database authentication is not performed. If external table authentication fails, then database authentication is performed.
Refer to Setting Up External Table Authentication and Order of Authentication for additional details.
- Create users in the repository named identically to the users in a database. Passwords are not stored in the repository.
- Assign the permissions (including group memberships, if any) you want the users to have.
- Specify the authentication database in the Security section of the NQSConfig.INI file.
- Create a DSN for the database.
- Import the database into the Physical layer. You do not need to import the physical table objects. The database name in the Physical layer has to match the database name in the NQSConfig.INI file (as specified in Step 3).
- Set up the connection pool without a shared logon.
Labels:physical layer
security
External Table Authentication
Instead of storing user IDs and passwords in an Oracle BI repository, you can maintain lists of users and their passwords in an external database table and use this table for authentication purposes. The external database table contains user IDs and passwords, and could contain other information, including group membership and display names used for Oracle BI Presentation Services users. The table could also contain the names of specific database catalogs or schemas to use for each user when querying data.
NOTE: If a user belongs to multiple groups, the group names should be included in the same column separated by semicolons.
External table authentication can be used in conjunction with database authentication. If external table authentication succeeds, then database authentication is not performed. If external table authentication fails, then database authentication is performed.
External table authentication uses Oracle BI session variables that you define using the Variable Manager of the Administration Tool. For more information about the Variable Manager, refer to Using the Variable Manager.
Session variables get their values when a user begins a session by logging on. Certain session variables, called system variables, have special uses. The variable USER is a system variable that is used with external table authentication.
To set up external table authentication, you define a system variable called USER and associate it with an initialization block that is associated with an external database table. Whenever a user logs in, the user ID and password will be authenticated using SQL that queries this database table for authentication. After the user is authenticated successfully, other session variables for the user could also be populated from the results of this SQL query. For more information about session variables, refer to Understanding and Creating Session Variables.
The presence of a defined system variable USER determines that external authentication is done. Associating USER with an external database table initialization block determines that the user will be authenticated using the information in this table. To provide other forms of authentication, associate the USER system variable with an initialization block associated with a LDAP server or XML source. For more information, refer to Setting Up LDAP Authentication.
- Import information about the external table into the Physical layer. In this illustration, the database sql_nqsecurity contains a table named securitylogons and has a connection pool named External Table Security.
- Select Manage > Variables to open the Variable Manager.
- Select Initialization Blocks on the left tree pane.
- Right-click on white space in the right pane, and then click on New Initialization Block from the right-click menu.
- In the Initialization Block dialog box, type the name for the initialization block.
- Select Database from the Data Source Connection drop-down list.
- Click Browse to search for the name of the connection pool this block will use.
- In the Initialization String area, type the SQL statement that will be issued at authentication time. The values returned by the database in the columns in your SQL will be assigned to variables. The order of the variables and the order of the columns will determine which columns are assigned to which variables. Consider the SQL in the following example:
- If this query returns data, the user is authenticated and session variables will be populated. Because this query returns four columns, four session variables will be populated. Create these variables (USER, GROUP, DISPLAYNAME, and LOGLEVEL) by clicking New in the dialog's Variables tab.
- Click OK to save the initialization block.
Labels:physical layer
security
LDAP Authentication
Instead of storing user IDs and passwords in an Oracle BI repository, you can set up the Oracle BI Server to take the user ID and password typed by a user and pass them to an LDAP server for authentication. The server uses clear text passwords in LDAP authentication. Make sure your LDAP servers are set up to allow this.
In addition to basic user authentication, the LDAP server can also provide the Oracle BI Server with other information, such as the user display name (used by Oracle BI Presentation Services) and the name of any groups to which the user belongs. The LDAP server can also provide the names of specific database catalogs or schemas to use for each user when querying data. This information is contained in LDAP variables that get passed to Oracle BI session variables during the process of user authentication. For more information about session variables, refer to Understanding and Creating Session Variables.
LDAP authentication uses Oracle BI session variables, that you define using the Variable Manager of the Administration Tool. For more information about the Variable Manager, refer to Using the Variable Manager.
- Create an LDAP Server using the Administration Tool menu path: Manage > Security. For instructions, see Setting Up an LDAP Server.
- Create an LDAP initialization block and associate it with an LDAP server. Setting up an LDAP initialization block is explained in Process of Creating Initialization Blocks.
- Define a system variable named USER and map the USER variable to an LDAP attribute (uid or sAMAccountName). Session variables get their values when a user begins a session by logging on. Certain session variables, called system session variables, have special uses. The variable USER is a system variable that is used with LDAP authentication. For more information about the USER system variable, refer to Using System Session Variables and Defining a USER Session Variable for LDAP Authentication.
- If applicable, delete users from the Oracle BI repository file.
- Associate the USER system variable with the LDAP initialization block. For more information, see About Authenticating Users Using Initialization Blocks.
Defining a USER Session Variable for LDAP Authentication
To set up LDAP authentication, you define a system variable called USER and associate it with an LDAP initialization block that is associated with an LDAP server. When a user logs into the Oracle BI Server, the user ID and password will be passed to the LDAP server for authentication. After the user is authenticated successfully, other session variables for the user could also be populated from information returned by the LDAP server.
NOTE: If you create a variable for the same user in both the repository and in a LDAP server, the local repository user definition takes precedence and LDAP authentication will not occur.
For users not defined in the repository, the presence of a defined session system variable USER determines that external authentication is performed. Associating USER with an LDAP initialization block determines that the user will be authenticated by LDAP. To provide other forms of authentication, associate the USER variable with an initialization block associated with an external database or XML source. For more information, refer to Setting Up External Table Authentication.
- Select Manage > Variables from the Administration Tool menu.
- Select the System leaf of the tree in the left pane.
- Right-click on the right pane and select New USER.
- In the Session Variable - USER dialog box, select the appropriate LDAP initialization block from the Initialization Block drop-down list.
- Click OK to create the USER variable.
Setting the Logging Level
Use the system variable LOGLEVEL to set the logging level for users who are authenticated by an LDAP server. Refer to Setting a Logging Level for more information.
Labels:physical layer
security
Authentication Options
Labels:physical layer
security
Importing Users and Groups from LDAP
If your organization uses Lightweight Directory Access Protocol (LDAP), you can import your existing LDAP users and groups to a repository. After imported, all normal Oracle BI Server user and group functions are available. You can resynchronize your imported list at any time.
You can also authenticate against LDAP as an external source. When you do this, users are not imported into the repository. Users are authenticated, and their group privileges determined, when they log on. For more information about using LDAP authentication, refer to Setting Up LDAP Authentication.
NOTE: If you create a variable for the same user in both the repository and in a LDAP server, the local repository user definition takes precedence and LDAP authentication will not occur. This allows the Oracle BI Administrator to reliably override users that exist in an external security system.
Setting Up an LDAP Server
NOTE: For information about the basics of security and setting up authentication, refer to Oracle BI Security Manager.
For instances of Oracle BI that use ADSI as the authentication method, the following options should be used when setting up the AD instance:
- In Log On To, check All Computers or, if you list some computers, include the AD server as a Logon workstation.
- The following option must not be checked:
In the Administration Tool, the CN user used for the BIND DN of the LDAP Server section must have both ldap_bind and ldap_search authority.
NOTE: The Oracle BI Server uses clear text passwords in LDAP authentication. Make sure your LDAP Servers are set up to allow this.
- Open a repository in the Administration Tool in offline or online mode.
- From the application menu, choose Manage > Security.
- From the Security Manager menu, choose Action > New > LDAP Server.
- In the LDAP Server dialog box, in the General tab, complete the necessary fields. The following list of fields (or buttons) and descriptions contain additional information to help you set up the LDAP server:
- Host name. The name of your LDAP server.
- Port number. The default LDAP port is 389.
- LDAP version. LDAP 2 or LDAP 3 (versions). The default is LDAP 3.
- Base DN. The base distinguished name (DN) identifies the starting point of the authentication search. For example, if you want to search all of the entries under the
o=Oracle.com
subtree of the directory,o=Oracle.com
is the base DN. - Bind DN and Bind Password. The optional DN and its associated user password that are required to bind to the LDAP server. If these two entries are blank, anonymous binding is assumed. For security reasons, not all LDAP servers allow anonymous binding.
- Test Connection. Use this button to verify your parameters by testing the connection to the LDAP server.
- Click the Advanced tab, and type the required information. The following list of fields and descriptions contain additional information to help you set up the LDAP server: NOTE: The Oracle BI Server maintains an authentication cache in memory that improves performance when using LDAP to authenticate large numbers of users. Disabling the authentication cache can slow performance when hundreds of sessions are being authenticated.
- Connection timeout. When the Administration Tool attempts to connect to an LDAP server for import purposes or the Oracle BI Server attempts to connect to an LDAP server for user authentication, the connection will time out after the specified interval.
- Domain identifier. Typically, the identifier is a single word that uniquely identifies the domain for which the LDAP object is responsible. This is especially useful when you use multiple LDAP objects. If two different users have the same user ID and each is on a different LDAP server, you can designate domain identifiers to differentiate between them. The users log in to the Oracle BI Server using the following format:
- ADSI. (Active Directory Service Interfaces) A type of LDAP server. If you select the ADSI check box, Bind DN and Bind password are required.
- SSL. (Single Socket Layer) Check this box to enable this.
- User Name Attribute Type. This uniquely identifies a user. In many cases, this is the RDN (relative distinguished name). Typically, you accept the default value. For most LDAP servers, you would use the user ID. For ADSI, use sAMAccountName.
NOTE: For information about configuring cache settings and SSL, refer to Oracle Business Intelligence Enterprise Edition Deployment Guide.
Importing Users from LDAP
You can import selected users or groups, or you can import all users or groups. If you have previously performed an import, you can choose to synchronize the repository with the LDAP server.
- Open a repository in the Administration Tool in offline or online mode.
- From the application menu, choose Manage > Security.
- In the Security Manager, select LDAP Servers in the left pane to display existing LDAP servers in the right pane. Select the LDAP server from which you want to import users or groups, and select Import... from the right-click menu. (You can also select the server and then select LDAP > Import.)
- Select the users you want to import and click Import.
Synchronizing Users and Groups with LDAP
You can refresh the repository users and groups with the current users and groups on your LDAP server. After selecting the appropriate LDAP server, select LDAP > Synchronize (or choose Synchronize from the right-click menu).
Synchronization updates your list of repository users and groups to mirror your current LDAP users and groups. Users and groups that do not exist on your LDAP server are removed from the repository. The special user Administrator and the special group Administrators always remain in your repository and are never removed.
Labels:physical layer
security
Working with Groups
The Oracle BI Server allows you to create groups and then grant membership in them to users or other groups.
You can think of a group as a set of security attributes. The Oracle BI Server groups are similar to groups in Windows NT and Windows 2000, and to groups or roles in database management systems (DBMS). Like Windows NT and Windows 2000, and database groups or roles, Oracle BI Server groups can allow access to objects. Additionally, Oracle BI Server groups can explicitly deny particular security attributes to its members.
Groups can simplify administration of large numbers of users. You can grant or deny sets of privileges to a group and then assign membership in that group to individual users. Any subsequent modifications to that group will affect all users who belong to it. Externally defined users can be granted group membership by use of the GROUP session variable. For more information about session variables, refer to Using System Session Variables.
- Predefined Administrators Group
- Defined Groups
- Group Inheritance
- Adding a New Group
- Viewing Member Hierarchies
Predefined Administrators Group
The Oracle BI Server has one predefined group, the Oracle BI Administrators group. Members of this group have the authority to access and modify any object in a repository. The predefined Oracle BI Administrator user ID is automatically a member of the Oracle BI Administrators group.
Use caution in granting membership in the Oracle BI Administrators group to users or other groups. Membership in the Oracle BI Administrators group supersedes all privileges granted to a user, either through groups or explicitly through the user privileges. Any user who is a member of the Oracle BI Administrators group has all of the privileges of the Oracle BI Administrator user.
Defined Groups
You can create an unlimited number of groups in an Oracle BI repository. Each group can contain explicitly granted privileges or privileges granted implicitly using membership in another group. For more information about setting up a group, refer to Adding a New Group.
For example, you can create one group that denies access to the repository on Mondays and Wednesdays (Group1), another group that denies access on Saturdays and Sundays (Group2), and another that denies access on Tuesdays, Thursdays, and Fridays (Group3). Users who are members of Group2 can access the system only during weekdays, users who are members of Group1 and Group3 can access the system only on weekends, and so on.
Group Inheritance
Users can have explicitly granted privileges. They can also have privileges granted through membership in groups, that in turn can have privileges granted through membership in other groups, and so on. Privileges granted explicitly to a user have precedence over privileges granted through groups, and privileges granted explicitly to the group take precedence over any privileges granted through other groups.
If there are multiple groups acting on a user or group at the same level with conflicting security attributes, the user or group is granted the least restrictive security attribute. Any explicit permissions acting on a user take precedence over any privileges on the same objects granted to that user through groups.
Example 1
Suppose you have a user (User1) who is explicitly granted permission to read a given table (TableA). Suppose also that User1 is a member of Group1, that explicitly denies access to TableA. The resultant privilege for User1 is to read TableA, as shown in Figure 21.
Because privileges granted directly to the user take precedence over those granted through groups, User1 has the privilege to read TableA.
Example 2
Consider the situation shown in Figure 22.
- User1 is a direct member of Group1 and Group2, and is an indirect member of Group3, Group4, and Group5.
- Because Group5 is at a lower level of precedence than Group2, its denial of access to TableA is overridden by the READ privilege granted through Group2. The result is that Group2 provides READ privilege on TableA.
- The resultant privileges from Group1 are DENY for TableA, READ for TableB, and READ for TableC.
- Because Group1 and Group2 have the same level of precedence and because the privileges in each cancel the other out (Group1 denies access to TableA, Group2 allows access to TableA), the less restrictive level is inherited by User1; that is, User1 has READ access to TableA.
- The total privileges granted to User1 are READ access for TableA, TableB, and TableC.
Adding a New Group
- Open a repository in the Administration Tool. (The repository can be opened in either online or offline mode.)
- Display the security window by selecting Manage > Security.
- Select Action > New > Group from menu.
- Type a name for the group and click OK.
- To modify the group's permissions, open the Group dialog by double-clicking on the group icon you want to modify. If you click on Permissions, you can change permissions for multiple columns.
- You can grant rights to the group by adding other groups, by explicit configuration for the group, or a combination of the two. To grant membership to a group, click Add and select any users or groups you want to grant membership. Click OK after you have selected the groups and users.
- Set up any query permissions for the group. For information, refer to Managing Query Execution Privileges.
Viewing Member Hierarchies
- Click the hierarchy icon in the left pane of the Security Manager, and then expand the tree in the right pane.
- Select Tools > Query Repository from the main menu of the Administration Tool.
- To view all groups, select Security Groups from the Type drop-down list and click Query.
- To view all users, select Users from the Type drop-down and click Query.
- To view the groups that a group is a member of, select the group and click Parent. For example, to view what groups Group1 is a member of, select Group1 and click the Parent button.
Labels:physical layer
security
Subscribe to:
Posts (Atom)
Popular Posts
-
How to get a difference between two dates (in terms ) of days,weeks,months what every it may be The below formula gives you no.of days b...
-
https://forums.oracle.com/forums/search.jspa?forumID=378&threadID=&q=%22timestampadd%22+&objID=f378&dateRange=all&userI...
-
A Column Selector view adds a column selector to the results. A column selector is a drop-down list from which users can dynamically...
-
In this topic you create time series calculation measures using Oracle BI time series functions. Time series functions include AGO, T...
-
I was requested the other day for a custom job within OBIEE. The request was for an extra “Go” button which would be placed on to...
-
In OBIEE, the dashboard prompts are aligned to the left by default. One of the OBIEE developers I am working with asked me to fin...
-
In this topic, you learn how to create an analysis with a Pivot Table view, format, add a calculated column to a pivot table, add a...
-
Calculating grand total column or % of grand total is easy in pivot table view. But how can I create the same in a table view? ...
-
A presentation variable can be created as part of the process for creating a column prompt or a variable prompt. When the presentat...