obiee 11g security: implementing it, issues and challenges
TRANSCRIPT
OBIEE 11g security:Implementing it, Issues and Challenges
Oracle Fusion Middleware product suite
OBIEE administrators may not have sufficient access rights to secure the various components of the Oracle Fusion Middleware suite
Done right, we can provide thorough protection of your company data just by focusing on OBIEE application security. We shall thus save time and avoid many potential issues.
1. Global Privileges
Implementing application-wide rights applying to every OBIEE user, generally depending on user roles.
Grant/Deny user access to given data sources (Subject Areas)
OBIEE Security - State of the artThere are two approaches to OBIEE security:
2. Catalog Security
Specific permissions are assigned for each object, folder or link in the OBIEE Web Catalog
-OBIEE displays a list including all the possible Global Privileges
-This allows finding out what specific rights actors have been granted or denied for each displayed Privilege
-We cannot check what specific rights users inherit from their respective roles/groups !!Potential security breach!!
OBIEE Security - State of the art
Global Privileges Management
-In order to edit the specific permissions for a given Privilege, OBIEE opens a pop-up dialog
-If we are modifying several Privileges, this will have to be repeated for each privilege change.
This is not the most user-friendly interface ever
The process is time-consuming, thus error-prone
OBIEE Security - State of the art
Global Privileges Management
-OBIEE allows managing what rights each user can be granted over the Web Catalog content; namely: objects or folders
-The use of Catalog Groups is recommended in order to make security management easier
-Explicitly defined permissions for each ressource can be reviewed. Going on navigating through the interface also enables retrieving a given user’s inherited permissions. However, it is not possible to figure out which group that very user inherits those rights from.
OBIEE Security - State of the art
Web Catalog Security
Let's now list the steps to go through to implement specific permissions for a given set of folders. For this test case, we are working with Oracle BI version 11.1.1.6.0
The procedure is always the same when setting or editing permissions on a given ressource is needed, but there are a few drawbacks, among which:
-Not user-friendly. Defining permissions is not easily done, so, confusing at first (steep learning curve). -Time-consuming. Unitary security management !!!Tedious tasks = Risk of human operator errors!!!-Missing information. Occasionally, users having inappropriate rights can be found, however without being able to identify the origin of such rights.
OBIEE Security - Web Catalog Security
Step by step approach to permissions implementation
1.Once logged in to OBIEE, navigate to the catalogs2.Select the parent folder you wish to apply security to. (Multiple selection is not possible)3.Click Permissions in the bottom left corner below the tree view4.Click Add users/roles in the permissions pop-up, and search for the desired users among the available roles and groups5.Select the users, groups and roles you wish to edit security of and select the desired security profile6.The selected permissions are now defined for all the selected actors. To implement specific permissions for each actor, it is necessary to define them actor by actor.7.Select whether or not these permissions should be applied to the folder items and subfolders.8.Finally, click OK to save the changes.
Note that these steps should be repeated if applying specific security permissions over each subfolder belonging to the previously edited parent folder.These repetitive actions make security implementation a really tedious task.
OBIEE Security - Web Catalog Security
Setting permissions: step by step approach
GB & SMITH’s 365view is a professional security management tool allowing:-Saving time and avoiding potential errors when updating OBIEE security-Easy and intuitive retrieval of the necessary security information in order to prevent any security breaches
-Automatic documentation of your OBIEE deployment security
365view is an easily deployed web-based application available for application servers, aiming at making content
and security management easier. In other words, it replaces to the standard OBIEE console for dealing with security
tasks. Moreover, this application goes way beyond Oracle BI: you can log in to other environments, technologies, or even to several OBIEE environments simultaneously.In the present case, we are interested in security, so, let us now focus on how to deal with and implement the same permission sets through 365view.
OBIEE Security
The professional approach
Once logged in to 365view, choose your OBIEE environment and directly log in to it.
Then, simply select “Shared Folders Security” in the OBIEE connector menu
OBIEE Security
The professional approach
OBIEE Security
The professional approachThe security matrix now opens, allowing selecting the specific resources and actors to edit the security permissions of. Effective rights for each actor are displayed on a single screen and common interface.
OBIEE Security
The professional approachEach security matrix cell gives access to a new tab where you can modify the permissions for the current ressource/actor couple:
It is possible to review which groups (and/or roles) the current permissions are
inherited from.There is no way to perform this check
through OBIEE
OBIEE Security
The professional approach365view also offers a major time-saving feature: multiple matrix intersection update.In order to set the same permissions for several actors and resources, select the desired cells, and then bulk-edit permissions in just a single step.
OBIEE Security
The professional approachA few steps were sufficient to set the desired security permissions over the selected folders. The matrix once again allows checking if everything has been set as desired.This comes with significant time savings for your company. More importantly: many potential human errors can be averted when setting catalog permissions.
OBIEE Security
The professional approachTo conclude, 365View comes with one more feature for improved company data security.
Security changes over time. Many users may have sufficient rights to change a given resources permission set.Documenting security on a regular basis is thus of paramount importance. This enables reviewing performed changes and finding out why permissions may have been edited.
365View allows exporting security matrices and scheduling such exports periodically in order to keep track of any changes.
GB&SMITH Solutions
SAP BusinessObjects (XIR2, XI3 & BI4)
Contact
Take a look at our solutions on:
www.youtube.com/360suite
REQUEST A DEMO!
Boston – London – Lille & Grenoble