overview on OBIEE11g Security Setup

OBIEE security consists of 2 parts:
Security Infrastructure setup (Done from WLS Console and EM)
Here we define the Application roles and assign them privileges(that is associate Application role to a Application Policy) Application Role is created based on our security need and is used for grouping users, so that a group security policy can be defined.
Data and Object security setup (Done from the rpd file)
To restrict users from seeing tables/columns or filtering the data they see, we need to have the object and data security in place. This is done from rpd file. This is the most important step in security implementation

Let’s see the steps involved in security implementation.


Security Infra setup
 
We will define a user and a group in web logic server
 
 
Log on to web logic server(WLS) console (URL http://localhost_ip:7001/console) 
 
 
This is the home page of WLS console
 
 
Click on Security Realms
 
 
In Security realms page click on “myrealm”
 
 
Go to “Users and Groups” tab>”Groups”>New and add a new WLS group called DieselModelViewers_WLS
 
 
Go to “Users and Groups” tab>”User”>New and add a new user called diesel_user
 
;
 
Associate the diesel_user to DieselModelViewers_WLS group
 
Next log on to Enterprise Manager (URL http://localhost_ip:7001/em)
 
 
Navigate to Business Intelligence > coreapplication > Business Intelligence Instance >Security>Application Role
 
 
Create a new Application role to be used for our data and object security by clicking on new.
 
 
Call the Application Role and DieselModelViewers
 
The  click on 
 
 
Associate this application role with the WLS group DieselModelViewers_WLS created earlier
 
 
Object and Data Security Setup
 
 
Log in to the rpd and click Manage>Identity
 
 
Go to the Application Roles tab, check that the newly created Application role “DieselModelViewer” is visible
 
 
Click on Permissions button
 
We can now define a new data filter for the DieselModelViewers group, click on
 
Define a new security filter for the above application role as shown above.
 
Data security is done, next lets see object security.
 
 
We want to hide the presentation table WB_TEST from members of DieselModelViewers application role, like diesel_user. Double click on WB_TEST table and the above window opens up, click on permissions Deny permission to DieselModelViewers by clicking NoAccess.This will restrict diesel_user from seeing WB_TEST table in his subject area.
 
Next log in to Answers/Analysis page.
 
Lets check a report that has all fuel types, since an admin user can see all fuel types we will choose to see it from weblogic user
 
 
As we see , here the report is not restricted based on fuel type.
 
Lets login using the diesel_user
 
 
Try to access the subject area (noe we can only access subject area, but cant create a report because of BIConsumer privilege
 
 
We dont see the WB_TEST Presentation table due to object security
 
 
We also don’t see the fuel types, other than DIESEL, due to data security
 
 
The nqquery.log shows that DIESEL filter is added on to the select statement, which confirms that data security is working.
 

No comments:

Post a Comment

Popular Posts