Wednesday, May 24, 2017

Authorization in OBIEE 12c (User/Group Security)

This post explains one way to set up user-level or group-level security using a database table. The table has User and Group columns, with one record for each user belonging to a group.

These groups have to be added to Roles in Console, and permissions are then granted on these roles in Analytics (folder/dashboard permissions in the catalog, or column/data restrictions in the RPD). Once the user logs in, BI Server identifies which role the user belongs to by checking the User/Group combination in this table and then the group/role relation in Console.

Scenario: There are users (either created in WebLogic Console or integrated from Active Directory) who have to be given the necessary privileges for object-level and data-level security based on the business team (group) they belong to.

This is a two-step process: the data source needs to be created first, and then the SQL authenticator has to be configured.

1) Data Source:

1) Open WL Console, http://<server>:9500/console and click on Lock & Edit in Change Center on top left
2) From the menu on left select Services and then Data Sources
3) In Data Sources page click on New and then Generic Data Source
4) Provide the following in the new page

Name: BIDBProviderDS
JNDI Name: jdbc/BIDBProviderDS
Database Type: <your database>

5) Select the database driver in the next screen (for Oracle, Oracle Driver (Thin) for Instance Connections)
6) In the next page enter the details of the database that will hold the new table
7) Click next and then Test Configuration to verify the connection to database
8) If everything looks good click on Activate Changes on top left
9) Restart the services (Admin.biserver and components)

-- Create two tables in the database named OBIEE_GROUPS and OBIEE_GROUP_MEMBERS
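
One possible definition of these two tables for Oracle, added here as an example and not taken from the original post. The column names come from the provider queries configured in the SQL Authenticator section; the data types, lengths, constraints, index, and sample rows (FINANCE_TEAM, jsmith) are assumptions.

```sql
-- Added example: column names match the provider queries on this page.
-- Data types, lengths, constraint names and sample rows are assumptions.

CREATE TABLE OBIEE_GROUPS (
    GROUP_NAME  VARCHAR2(100) NOT NULL,
    GROUP_DESC  VARCHAR2(255),
    CONSTRAINT OBIEE_GROUPS_PK PRIMARY KEY (GROUP_NAME)
);

CREATE TABLE OBIEE_GROUP_MEMBERS (
    GROUP_NAME    VARCHAR2(100) NOT NULL,
    GROUP_MEMBER  VARCHAR2(100) NOT NULL,
    -- One row per user/group pair; duplicates are rejected
    CONSTRAINT OBIEE_GROUP_MEMBERS_PK PRIMARY KEY (GROUP_NAME, GROUP_MEMBER),
    -- A membership row cannot point at a group that does not exist
    CONSTRAINT OBIEE_GROUP_MEMBERS_FK FOREIGN KEY (GROUP_NAME)
        REFERENCES OBIEE_GROUPS (GROUP_NAME)
);

-- Supports the "SQLList Member Groups" lookup, which filters on GROUP_MEMBER only
CREATE INDEX OBIEE_GROUP_MEMBERS_IX ON OBIEE_GROUP_MEMBERS (GROUP_MEMBER);

-- Constructed sample rows: one group and one member
INSERT INTO OBIEE_GROUPS (GROUP_NAME, GROUP_DESC)
VALUES ('FINANCE_TEAM', 'Finance business team');

INSERT INTO OBIEE_GROUP_MEMBERS (GROUP_NAME, GROUP_MEMBER)
VALUES ('FINANCE_TEAM', 'jsmith');

COMMIT;

-- Same shape as the provider's queries, with literals in place of the ? binds
SELECT GROUP_NAME FROM OBIEE_GROUP_MEMBERS WHERE GROUP_MEMBER = 'jsmith';

SELECT GROUP_MEMBER FROM OBIEE_GROUP_MEMBERS
WHERE GROUP_NAME = 'FINANCE_TEAM' AND GROUP_MEMBER = 'jsmith';
```

Rows in OBIEE_GROUP_MEMBERS decide which roles a user ends up with, so INSERT, UPDATE and DELETE on both tables should be limited to the people who administer group assignments. The provider queries on this page only read from the tables.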


2) SQL Authenticator:

1) Open WL Console, http://<server>:9500/console and click on Lock & Edit in Change Center on top left
2) From the menu on left select Security Realm and then myrealm
3) In the Providers tab click New, provide a name (SQLGroupProvider), select BISQLGroupProvider from the drop down and click Ok
4) In the next screen click on the authentication provider that was just added - SQLGroupProvider
5) Under Configuration/Common select OPTIONAL in the Control Flag drop down and hit Save
6) Under Configuration/Provider Specific fill in the details below and then click Save

· Data Source JNDIName: jdbc/BIDBProviderDS
· SQLList Groups: SELECT GROUP_NAME FROM OBIEE_GROUPS WHERE GROUP_NAME LIKE ?
· SQLGroup Exists: SELECT GROUP_NAME FROM OBIEE_GROUPS WHERE GROUP_NAME = ?
· SQLIs Member: SELECT GROUP_MEMBER FROM OBIEE_GROUP_MEMBERS WHERE GROUP_NAME = ? AND GROUP_MEMBER = ?
· SQLList Member Groups: SELECT GROUP_NAME FROM OBIEE_GROUP_MEMBERS WHERE GROUP_MEMBER = ?
· Descriptions Supported: Check Mark this option
· SQLGet Group Description: SELECT GROUP_DESC FROM OBIEE_GROUPS WHERE GROUP_NAME = ?

7) Then click on the Reorder button in the Providers page and make sure the new SQLGroupProvider is at the top of the list, followed by ADAuthenticator (if you have it) and then DefaultAuthenticator
8) Restart the services and test the user security. Let me know your thoughts in the comments.

Cheers!