OBIEE security consists of 2 parts:
• Security Infrastructure setup (Done from WLS Console and EM)
Here we define the Application roles and assign them privileges(that is associate Application role to a Application Policy) Application Role is created based on our security need and is used for grouping users, so that a group security policy can be defined.
• Data and Object security setup (Done from the rpd file)
To restrict users from seeing tables/columns or filtering the data they see, we need to have the object and data security in place. This is done from rpd file. This is the most important step in security implementation
Let’s see the steps involved in security implementation.
• Security Infrastructure setup (Done from WLS Console and EM)
Here we define the Application roles and assign them privileges(that is associate Application role to a Application Policy) Application Role is created based on our security need and is used for grouping users, so that a group security policy can be defined.
• Data and Object security setup (Done from the rpd file)
To restrict users from seeing tables/columns or filtering the data they see, we need to have the object and data security in place. This is done from rpd file. This is the most important step in security implementation
Let’s see the steps involved in security implementation.
Security Infra setup
We will define a user and a group in web logic server
Log on to web logic server(WLS) console (URL http://localhost_ip:7001/console)
This is the home page of WLS console
Click on Security Realms
In Security realms page click on “myrealm”
Go to “Users and Groups” tab>”Groups”>New and add a new WLS group called DieselModelViewers_WLS
Go to “Users and Groups” tab>”User”>New and add a new user called diesel_user
;
Associate the diesel_user to DieselModelViewers_WLS group
Next log on to Enterprise Manager (URL http://localhost_ip:7001/em)
Navigate to Business Intelligence > coreapplication > Business Intelligence Instance >Security>Application Role
Create a new Application role to be used for our data and object security by clicking on new.
Call the Application Role and DieselModelViewers
The click on
Associate this application role with the WLS group DieselModelViewers_WLS created earlier
Object and Data Security Setup
Log in to the rpd and click Manage>Identity
Go to the Application Roles tab, check that the newly created Application role “DieselModelViewer” is visible
Click on Permissions button
We can now define a new data filter for the DieselModelViewers group, click on
Define a new security filter for the above application role as shown above.
Data security is done, next lets see object security.
We want to hide the presentation table WB_TEST from members of DieselModelViewers application role, like diesel_user. Double click on WB_TEST table and the above window opens up, click on permissions Deny permission to DieselModelViewers by clicking NoAccess.This will restrict diesel_user from seeing WB_TEST table in his subject area.
Next log in to Answers/Analysis page.
Lets check a report that has all fuel types, since an admin user can see all fuel types we will choose to see it from weblogic user
As we see , here the report is not restricted based on fuel type.
Lets login using the diesel_user
Try to access the subject area (noe we can only access subject area, but cant create a report because of BIConsumer privilege
We dont see the WB_TEST Presentation table due to object security
We also don’t see the fuel types, other than DIESEL, due to data security
The nqquery.log shows that DIESEL filter is added on to the select statement, which confirms that data security is working.
No comments:
Post a Comment