As Mark had pointed out earlier here,
one of the significant changes in the BI EE 11g release is the
migration of security from the BI EE repository to Weblogic. Users and
Groups will no longer be maintained within the rpd. Even with external
authentication such as LDAP, Groups will not be maintained within the
repository. This is good in many ways, as it can significantly reduce the
size of the repository. The downside is that in offline mode the users
and groups do not become visible unless some security object changes
(for example, a custom filter on a group). The use of Web
Catalog Groups is no longer recommended; it still exists primarily to
support upgrades. In this blog post, let's see how the new Weblogic
based security works.
There is a terminology change that we need to get
used to while moving to BI EE 11g. Groups now refer to Weblogic groups.
BI EE specific groups are called Application Roles. The figure shown
below explains the relationship between Users, Groups and Application
Roles.
Weblogic
security is much more comprehensive and can support multiple
external directories such as LDAP, OID etc. It also supports table
authentication. So, if you are planning on setting up external
authentication, it is preferable to set it up at the Weblogic layer. We can
also set up external directories within BI EE (as in 10g).
To start with, let's create a simple user bieeuser1 in the Weblogic Console Security Realm (http://localhost:7001/console).
While
creating a user we can assign it to a provider. A provider is the
authentication directory against which users will be authenticated. In
our case, we have created the user in the default Weblogic directory. In
the same way, let's create two more users, bieerpdadmin and
bieewebcatadmin.
The idea is to provide the following privileges to each of the users that we have created:
bieeuser1 – Casual user with no access to the repository but with read-only access to dashboards (no Answers)
bieerpdadmin – Repository Administrator with full control of the repository objects but with no control over the web catalog
bieewebcatadmin – Web Catalog Administrator with full control over the web catalog but with no access to the repository
Remember, it is not always necessary to assign
users to Weblogic groups. Users can be assigned directly to application
roles. Once the users are created, let's log in to the Weblogic Enterprise
Manager and navigate to coreapplication under the Business
Intelligence folder.
Now, right-click on coreapplication and choose the Security->Application Roles option.
This should list all the default application roles available within BI EE.
Let's
leave the existing roles alone (ideally we would reuse and reassign the
default roles as much as possible) and create 3 new roles:
1. BIEERoleUser
2. BIEERoleRPDAdmin
3. BIEERoleWebCatAdmin
For now, let's not add any users or roles to these roles.
Let's
now navigate to the Application Policies and start granting specific
rights to the roles that we created. Remember that in any ADF
application we need to define application policies so that they can be
granted to individual users. We start by assigning the following
privilege to the BIEERoleUser role:
1. resourceType=oracle.bi.server.permission,resourceName=oracle.bi.server.queryUserPopulation
This grants the ability to query the BI Server repository.
Let's assign this privilege to the BIEERoleUser application role.
In the same way, let's assign the following privileges to the BIEERoleRPDAdmin and BIEERoleWebCatAdmin roles.
For BIEERoleRPDAdmin
1. resourceType=oracle.bi.server.permission,resourceName=oracle.bi.server.ManageRepositories
For BIEERoleWebCatAdmin
1. resourceType=oracle.bi.server.permission,resourceName=oracle.bi.server.queryUserPopulation
Now
that the roles have the right privileges, let's go back to the
Application Roles screen and assign each of the 3 users to its
role.
After
assigning these, if you try to log in to the repository in online mode,
only the user bieerpdadmin can log in. We have satisfied one requirement:
we have created a user who is the repository admin. For
Presentation Services, by default during install the privileges in
Presentation Services get assigned to only 3 default roles:
BIAdministrator, BIAuthor and BIConsumer. So, to make bieewebcatadmin a
true web catalog administrator, we have to go to the Application Roles and
add the BIAuthor and BIAdministrator roles to BIEERoleWebCatAdmin.
This
automatically makes the user bieewebcatadmin the
administrator of the web catalog. Initially it is mandatory to assign a
new role to the BIAdministrator role, as that is pre-configured to be the
only role having access to Privileges in Presentation Services.
Granting BIAdministrator to a role also opens up access to the
repository. This can be disabled as well. It is not necessary to always
create new roles and assign policies to them. Existing roles can be
re-used and re-assigned. The entire security model is now more aligned
with the Oracle Platform Security framework, so that all the Fusion
applications can integrate with each other seamlessly.
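As an added example (not code from the original post, and not an Oracle API), here is a small model of the users -> application roles -> policies mapping built above. It resolves nested role membership to compute each user's effective BI Server permissions, which makes the caveat visible: once BIEERoleWebCatAdmin picks up BIAdministrator, bieewebcatadmin also gains the repository permission. The user, role and resource names are the post's own; the policy grants and membership map are constructed to mirror the steps described.

```python
# Added example: effective-permission audit for the role model in the post.
# Names are taken from the post; the grants below are constructed to mirror
# the text (BIAdministrator's repository grant models the post's caveat).
from collections import deque

QUERY = ("resourceType=oracle.bi.server.permission,"
         "resourceName=oracle.bi.server.queryUserPopulation")
MANAGE_RPD = ("resourceType=oracle.bi.server.permission,"
              "resourceName=oracle.bi.server.ManageRepositories")

# Direct policy grants per application role (constructed).
POLICIES = {
    "BIEERoleUser": {QUERY},
    "BIEERoleRPDAdmin": {MANAGE_RPD},
    "BIEERoleWebCatAdmin": {QUERY},
    "BIAdministrator": {MANAGE_RPD, QUERY},
    "BIAuthor": {QUERY},
}

# Role -> roles whose grants it inherits, as the post describes after adding
# BIAuthor and BIAdministrator to BIEERoleWebCatAdmin (constructed).
ROLE_INHERITS = {
    "BIEERoleWebCatAdmin": {"BIAuthor", "BIAdministrator"},
}

# Direct user -> application role assignments from the post.
USER_ROLES = {
    "bieeuser1": {"BIEERoleUser"},
    "bieerpdadmin": {"BIEERoleRPDAdmin"},
    "bieewebcatadmin": {"BIEERoleWebCatAdmin"},
}


def effective_roles(direct_roles):
    """Expand direct roles through nested membership (BFS; the visited
    set guards against membership cycles)."""
    seen, queue = set(), deque(direct_roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_INHERITS.get(role, ()))
    return seen


def effective_permissions(user):
    """Union of the policy grants of every role the user ends up holding."""
    perms = set()
    for role in effective_roles(USER_ROLES.get(user, ())):
        perms |= POLICIES.get(role, set())
    return perms


def can_manage_repository(user):
    return MANAGE_RPD in effective_permissions(user)
```

Running `can_manage_repository` over all three users before applying the role changes in Enterprise Manager shows which accounts would end up with repository access that the requirements did not ask for.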