8 Replies Latest reply: Mar 11, 2013 3:18 PM by Turbokat

OBIA Security Implementations

naeem akhtar Newbie
Dear All,

Please suggest to me the technique to implement security in OBIA as per the business objectives below.

1. Access should be denied after three (3) unsuccessful login attempts, after which the user account will be locked and will need to be reset by the Administrator to allow re-login to the system.
2. Login sessions should be limited to only one (1) per user.
3. The system session time-out should be allowed; the time-out duration can be set only by the systems administrator.
4. The system should provide a change-password facility.
5. The user password should expire after the maintained expiration date. Once the password expires, the user should be asked to encode his/her new password.
   The user password should:
   a. Be case-sensitive; and
   b. Have a minimum of eight (8) and maximum of twenty (20) alphanumeric characters.
6. The system should provide different user groups and access levels.

Please give me a roadmap to implement this.

Thanks
Naeem Akhtar
  • 1. Re: OBIA Security Implementations
    Turbokat Pro
    Are you using any SSO for authenticating users? Let us know.
  • 2. Re: OBIA Security Implementations
    naeem akhtar Newbie
    No, we are not using or thinking about SSO so far.

    Regards
    Naeem Akhtar
  • 3. Re: OBIA Security Implementations
    Turbokat Pro
    If you are using the default authenticator provider (WebLogic LDAP) security, then all of these could be achieved by default.

    1. Access should be denied after three (3) unsuccessful login attempts, after which the user account will be locked and will need to be reset by the Administrator to allow re-login to the system.
    By default in WebLogic myrealm, the user is locked out after 5 unsuccessful attempts in 30 mins. To change this, go to Security Realms -> Select your realm (myrealm in my case) -> User Lockout -> uncheck Lockout Enabled.

    2. Login sessions should be limited to only one (1) per user.
    If you are using only one authentication provider, that is the default WebLogic LDAP, then only one user can log in per session, as users are identified by GUIDs, not usernames.

    3. The system session time-out should be allowed; the time-out duration can be set only by the systems administrator.
    WebLogic LDAP should time out by default, but if you want to customize it, follow the post below:
    http://rampradeeppakalapati.blogspot.com/2012/08/configure-session-timeout-in-obiee-11g.html

    4. The system should provide change password facility concept.
    Change Password for users in 11g was not available.
    This should be customized by using custom java code. Pls refer to :
    obieedue.blogspot.sg/2012/07/changing-user-password-in-obiee-11g.html
    http://www.rittmanmead.com/2011/10/changing-your-password-in-obiee-11g/
    Oracle still has not provided any fix or patch for this; see Bug 11836170: ENABLE NON ADMIN USERS TO CHANGE PASSWORDS IN OBIEE 11G.
    This is because the security communication between OBIEE and WLS, where users are stored, might have to consider several authentication providers, which makes this very difficult to manage.

    5. The user password should expire after the maintained expiration date. Once the password expires, the user should be asked to encode his/her new password.
    By default in Weblogic LDAP there is no such feature available to expire the Password automatically. You will have to write your Custom Authenticator or use AD Server or any other LDAP Server as the user store.

    The user password should:
    a. Be case-sensitive; and
    b. Have a minimum of eight (8) and maximum of twenty (20) alphanumeric characters.

    These can be modified by going to WebLogic console > Security Realms > Providers > Password Validation Provider.

    6. The system should provide different user groups and access levels.
    This can be done using EM by Users/Roles setup.

    Hope this helps. Pls mark if it does.

    Let us know if you have any questions.

    Thanks,
    SVS
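The console paths in the reply above can also be scripted. The following WLST script is an added example (not code from the thread or from Oracle) that applies the original poster's requirements 1 and 5b to the realm: it keeps lockout enabled with a threshold of three attempts rather than disabling it, sets the 8..20 character password rule, and gives the administrator a function to clear a lock. It assumes the domain is named `bifoundation_domain`, the realm is `myrealm`, the admin URL and credentials shown are placeholders, and a `SystemPasswordValidator` provider already exists in the realm; the runtime MBean path in `clear_lockout` is an assumption about the standard WebLogic tree layout.

```jython
# Added example (not from the thread): WLST script applying the OP's
# requirements 1 and 5b. Domain, realm, URL and credentials are assumptions.
ADMIN_URL = 't3://localhost:7001'      # placeholder
DOMAIN    = 'bifoundation_domain'      # assumed OBIEE 11g domain name
REALM     = 'myrealm'                  # realm named in the reply above

connect('weblogic', 'CHANGE_ME', ADMIN_URL)   # placeholder credentials
edit()
startEdit()

# Requirement 1: lock the account after three failed logins. WebLogic has no
# "locked until an admin resets" setting, so a long LockoutDuration is used
# and the administrator unlocks earlier with clear_lockout() below.
cd('/SecurityConfiguration/%s/Realms/%s/UserLockoutManager/UserLockoutManager'
   % (DOMAIN, REALM))
cmo.setLockoutEnabled(true)
cmo.setLockoutThreshold(3)       # failed attempts before lockout
cmo.setLockoutResetDuration(5)   # minutes within which the 3 failures count
cmo.setLockoutDuration(1440)     # minutes locked (24h) unless cleared

# Requirement 5b: 8..20 characters, at least one digit or special character,
# and never equal to or containing the user name. Requirement 5a needs no
# setting: WebLogic compares passwords case-sensitively.
cd('/SecurityConfiguration/%s/Realms/%s/PasswordValidators/SystemPasswordValidator'
   % (DOMAIN, REALM))
cmo.setMinPasswordLength(8)
cmo.setMaxPasswordLength(20)
cmo.setMinNumericOrSpecialCharacters(1)
cmo.setRejectEqualOrContainUsername(true)

save()
activate(block='true')

def clear_lockout(user_name, server='AdminServer'):
    # Administrator reset of a locked account via the runtime MBean
    # (assumed path; no server restart needed).
    domainRuntime()
    cd('/ServerRuntimes/%s/ServerSecurityRuntime/%s/DefaultRealmRuntime/%s'
       '/UserLockoutManagerRuntime/%s' % (server, server, REALM, REALM))
    cmo.clearLockout(user_name)
    print 'cleared lockout for', user_name

# Example administrator action after a user reports a lock:
# clear_lockout('jdoe')
disconnect()
```

Run it with `wlst.sh <script>` from the WebLogic home; the password validator only takes effect for passwords set after activation, so existing accounts keep their old passwords until changed.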
  • 4. Re: OBIA Security Implementations
    naeem akhtar Newbie
    Hello SSVS,

    Your comments are very helpful to me and answer almost everything.

    Just one little thing more.

    If we don't have LDAP or AD, and we want to do it from EBS or a custom database, then how will we do it?

    Thanks
    Naeem Akhtar
  • 5. Re: OBIA Security Implementations
    Srikanth Mandadi Guru
    Hi,

    You can validate users from external tables, which is similar to the steps below provided for LDAP.

    Validate User from external table instead of LDAP.
    http://www.rittmanmead.com/2010/11/oracle-bi-11g-active-directory-security-using-init-blocks-variables-10g-style/

    Regards,
    Srikanth
  • 6. Re: OBIA Security Implementations
    Turbokat Pro
    Hello,

    If you want to use users from EBS, you can configure Single Sign-On between EBS and OBIEE using ICX authentication; all the user and session management is maintained by Oracle EBS.

    EBS -SSO - http://docs.oracle.com/cd/E23943_01/bi.1111/e16364/ebs_actions.htm#CHDHCAFD

    Using DB Authentication - How to Create a Basic SQL Authenticator [ID 1342157.1]

    Doc ID 1338007.1 refers to configuring OBIEE 11.1.1.5.0 to use SQLAuthenticator

    Hope this helps. Pls mark if it does.

    Thanks,
    SVS
  • 7. Re: OBIA Security Implementations
    naeem akhtar Newbie
    It is good to have SSO, but I will avoid it if other things meet my requirement.

    We have to buy different licences for SSO :)
  • 8. Re: OBIA Security Implementations
    Turbokat Pro
    EBS -SSO - http://docs.oracle.com/cd/E23943_01/bi.1111/e16364/ebs_actions.htm#CHDHCAFD - This one does not need license :)

    Also there is Windows Native Authentication for OBIEE 11g which does not require acquiring additional license.

    Hope this helps. :)
