Click here to load reader

© 2015 Oracle Corporation - · PDF file© 2015 Oracle Corporation Oracle BI 11g Security Configurations Oracle BI 11.1.1.9.0 Adam Bloom Oracle BI Product Manager

  • View
    223

  • Download
    1

Embed Size (px)

Text of © 2015 Oracle Corporation - · PDF file© 2015 Oracle Corporation Oracle BI 11g...

  • 2015 Oracle Corporation

  • 2015 Oracle Corporation

    Oracle BI 11g Security Configurations

    Oracle BI 11.1.1.9.0 Adam Bloom

    Oracle BI Product Manager

  • 2015 Oracle Corporation

    The following is intended to outline our general

    product direction. It is intended for information

    purposes only, and may not be incorporated into any

    contract. It is not a commitment to deliver any

    material, code, or functionality, and should not be

    relied upon in making purchasing decisions.

    The development, release, and timing of any

    features or functionality described for Oracles

    products remains at the sole discretion of Oracle.

  • 2015 Oracle Corporation

    Agenda

    Authentication and Authorization for BI 11g

    Architecture Overview

    Supported Configurations

    Authentication Mechanisms with and without

    SSO

    System Users and the Credential Store

    Troubleshooting and Logging

    Types of Security

  • 2015 Oracle Corporation

    Authentication and Authorization for BI EE 11g

    For the purposes of comparing the approaches to authentication and authorization:

    Think of Authentication as the process of validating the userID and password and consequently setting the USER session variable in the BI EE session.

    Think of Authorization as the process of discovering the groups that the user is a member of, and then deriving which Application Roles (and associated permissions) the user should be granted. This results in setting the ROLES session variable in the BI EE Session. Refer to the slide GROUP and ROLES Session Variables

  • 2015 Oracle Corporation

    Authentication and Authorization for BI EE 11g

    At a high level, there are two approaches to authentication and authorization into BI EE 11g.

    Firstly, new in 11.1.1.3, we integrated BI into Fusion Middleware and now make use of the Fusion Middleware security mechanisms built on the FMW security infrastructure (OPSS).

    Authentication is via OPSS which in turn uses the Weblogic authentication mechanism (Authenticators defined in the Weblogic Security Realm). The resulting authenticated userID is used to set the USER session variable.

    Authorization is via OPSS to retrieve group membership via Weblogic Authenticators. This works together with the Policy Store to derive a list of Application Roles for the user and the groups assigned to that user. This list of Application Roles is used to set the ROLES session variable.

    Secondly, the 10-g style Init Block mechanism for authentication and authorization is still available.

    Authentication is via an Init Block that sets the USER session variable

    Authorization is via an Init Block that sets the GROUP (or ROLES) session variable

  • 2015 Oracle Corporation

    Authentication and Authorization for BI EE 11g

    Advice for customers on which Authentication and Authorization Mechanism to use

    Customers should not mix the two approaches. i.e they should not attempt to authenticate users using FMW security and authorize users using Init Blocks.

    Not all use cases are currently supported by FMW security. Until such time that FMW security is able to support a particular use case, customers should continue to use the 10g-style Init Block approach for authentication and authorization.

    If you use FMW security in BI 11g then both users and group membership should be available via one or more BI EE certified Authenticators defined in WLS.

    FMW security in BI 11g is limited to BI EE certified WLS authenticators that work with the User Role API.

  • 2015 Oracle Corporation

    Upgrading from 10g and Backwards

    Compatibility About the introduction of FMW Security to BI and Backwards compatibility of other

    authentication mechanisms:

    When introducing FMW security into BI, the aim was to provide as smooth an upgrade path, and as seamless backward compatibility, as possible.

    10g systems built on init blocks should continue to work in the same way when upgraded to 11g.

    About upgrading from 10g to 11g:

    If you upgrade 10g RPD users, they become Weblogic LDAP users in 11g (i.e. using FMW Security) so we no longer have RPD users. In this case, users and group membership for those users will be defined and maintained in the embedded Weblogic LDAP.

    On upgrade, all RPD groups are migrated to LDAP groups in the native Weblogic LDAP

    Additionally, on upgrade, all RPD groups used to secure elements of the RPD are migrated to Application Roles in the file-based Policy Store.

    On upgrade, any element in the RPD that was secured by an RPD group will become secured by the Application Role with the same name (created during the upgrade process)

    The upgrade process does not do anything with Web Groups. Web Groups continue to exist in 11g, but customers are encouraged to replace them with Application Roles.

  • 2015 Oracle Corporation

    Use Case Users in LDAP and Group Membership in

    Database FMW Security or Init Block for

    Authentication?

    The most common use case for BI customers is to authenticate users in LDAP with group

    membership coming from a database query. If you have users in LDAP and Group

    Membership for those users defined in a database table, use the BI SQL Group provider as

    described in the BI Security guide.

    The documented approach for integration with E-Business Suite continues to be based on Init

    Block authentication for BI EE 11.1.1.9.0.

    Security integration for BI Applications should follow the approaches in the BI Applications

    documentation.

  • 2015 Oracle Corporation

    Use Case Security Integration with

    E-Business Suite 11g Customers can use one of the following approaches to secure their BI EE system when

    sourcing data from E-Business Suite

    Direct E-Business Suite to BI EE security integration using the ICX cookie method as described

    in the BI EE Integrators Guide This is the only method able to secure data using the current responsibility of the user

    This is the only method that allows Action Links back to E-Business Suite

    This approach has known limitations with Delivers due to the integration with EBS Responsibilities

    This approach has known issues with BI Publisher as this approach does not allow BI Publisher to impersonate a user

    Please refer to Doc ID 1937856.1 for an updated method that lifts some of the limitations of the ICX cookie approach

    This approach does not work with BI Office or BI Mobile or SmartView

    Shared Identity Store with E-Business Suite If E-Business Suite is integrated with OID (and optionally OSSO), then BI EE can point to the same OID either via FMW

    security or via Init Blocks.

    Init Blocks should not rely on the availability of an ICX cookie for the user

    Independent Identity Stores for BI and EBS Some customers have a separate login for BI and maintain the EBS and BI user populations independently.

    Init Blocks should not rely on the availability of an ICX cookie for the user

    Other approaches may be possible

  • 2015 Oracle Corporation

    Use Case Security Integration with

    Siebel

    11g Customers can use one of the following approaches to secure their BI EE system when

    sourcing data from Siebel CRM

    Direct Siebel to BI EE security integration using the embedded method as described in the BI

    EE Integrators Guide This is the only method that allows Action Links back to Siebel

    Behind the scenes this method is based on posting a UserID and Password to BI from Siebel

    (&NQUSER/&NQPASSWORD method).

    This method could potentially use either FMW security or Init Blocks depending on the individual implementation design

    Shared Identity Store with Siebel If Siebel has been configured to authenticate against LDAP (and optionally SSO), then BI EE can point to the same LDAP

    either via FMW security (assuming it is a BI EE certified LDAP) or via Init Blocks.

    Independent Identity Stores for BI and Siebel

    Other approaches may be possible

  • 2015 Oracle Corporation

    Use Case Security Integration with

    PeopleSoft

    11g Customers can use one of the following approaches to secure their BI EE system when

    sourcing data from PeopleSoft

    Direct PeopleSoft to BI EE security integration using the embedded method This method has not been updated for BI 11g and is based on a 10g Technote

    Behind the scenes this method is based on posting a UserID and Password/SessionID to BI from PeopleSoft

    (&NQUSER/&NQPASSWORD method).

    This method could potentially use either FMW security or Init Blocks depending on the individual implementation design

    Shared Identity Store with PeopleSoft If PeopleSoft has been configured to authenticate against LDAP (and optionally SSO), then BI EE can point to the same

    LDAP either via FMW security (assuming it is a BI EE certified LDAP) or via Init Blocks.

    Independent Identity Stores for BI and PeopleSoft

    Other approaches may be possible including integration through the PeopleSoft portal

  • 2015 Oracle Corporation

    Use Case BI Mobile

    Please refer to:

    OBIEE 11g: BI Mobile Supported Security Configurations (Doc ID 1996632.1)

  • 2015 Oracle Corporation

    Use Case SmartView

    SmartView can use certain forms of SSO. Please refer to the EPM documentation:

    http://docs.oracle.com/cd/E17236_01/epm.1112/epm_se

Search related