3 Replies Latest reply on Jan 22, 2013 2:40 AM by Mark.Thompson

    Configuring External Table Authorization with WLS Authentication for 11g

      I think I've googled and read everything possible, yet I'm still not able to get this thing working. I'm using

      I would like to authenticate using the native WLS LDAP. And I can. I log in to OBIEE Analytics just fine with a user/pw stored in native WLS LDAP. But of course, it hasn't yet gotten the proper authorization.

      I would like to AUTHORIZE using an external table. But according to http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/legacy.htm#CHDBBIHG section A.2.3 Setting Up Authorization Using Initialization Blocks: "Initialization blocks to set ROLES or GROUP session variables will only function when the user fails to authenticate through an authenticator configured in the WebLogic security realm, and the user instead authenticates through an initialization block."

      That seems to be true. I've tried the old 10g initialization block method to read external tables during Authorization. I can successfully use that method to update every other session variable, including the DISPLAYNAME system session variable. So I know that the syntax I'm using is right. Therefore, the statement above must be true: the authorization and the authentication must happen in the same place. Now, I would like to take Oracle to task for that, but I'll save that for another posting.

      So according to that logic, it appears that the authorization via external table would have to happen as part of the WLS login.

      That's what I've also gathered from the Rittman posting located at http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/.

      Unfortunately, that article is specifically describing an Active Directory implementation. But it seems that the basic information might be the same, so I've done this so far:

      1. Copied the BISecurityProviders.jar file
      from: [middleware_home]/Oracle_BI1/bifoundation/security/providers
      to: [middleware_home]/wlserver_10.3/server/lib/mbeantypes
      and then restarted the Admin Server to make the new authenticator called BISQLGroupProvider available.

      2. Created a new Authentication Provider (BISQLGroupProvider)

      3. Set the control flag for the new provider to SUFFICIENT

      4. Set the security flag for the original DefaultAuthenticator to OPTIONAL

      5. Moved the new provider to the top of the list

      6. Set up the two security tables exactly as described in the Rittman article.

      One question that I still have is related to the Provider Specific SQL statements. Each of the four select statements includes one or two question marks in its SQL, so I don't know whether to leave those alone or try to figure out what belongs in the SQL in place of the question marks. For now, I'll leave them alone.

      7. Restarted everything.

      8. Logged in to Analytics.

      Unfortunately, at this point the login assigns only Authenticated User and BIConsumer into the ROLES session variable. As I noted above, I'm able to use external tables to populate other session variables. But the ROLES (and GROUP) session variables show Authenticated User; BIConsumer. Based on the external table, they should show BIAuthor.

      What am I doing wrong or what am I missing in WLS?