8 Replies. Latest reply: Mar 11, 2013 5:18 PM by Turbokat

    OBIA Security Implementations

    Naeem Akhtar Khan
      Dear All,

      Please suggest a technique to implement security in OBIA as per the business objectives below.

      1.     Access should be denied after three (3) unsuccessful log in attempts, after which the user account will be locked and will need to be reset by the Administrator to allow re-log in to the system.
      2.     Log in session should be limited only to one (1) per user.
      3.     The system session time out should be allowed; time out duration can be set only by the systems administrator.
      4.     The system should provide change password facility concept.
      5.     The user password should expire after the maintained expiration date. Once the password expires, the user should be asked to encode his/her new password.
      The user password should:
      a.     Be case-sensitive; and
      b.     Have a minimum of eight (8) and maximum of twenty (20) alphanumeric characters.
      6.     The system should provide different user groups and access levels.

      Please give me a roadmap to implement this.

      Thanks
      Naeem Akhtar
        • 1. Re: OBIA Security Implementations
          Turbokat
          Are you using any SSO for authenticating users? Let us know.
          • 2. Re: OBIA Security Implementations
            Naeem Akhtar Khan
            No, we are not using or thinking about SSO so far.

            Regards
            Naeem Akhtar
            • 3. Re: OBIA Security Implementations
              Turbokat
              If you are using the default authenticator provider (WebLogic LDAP) security, then all of these could be achieved by default.

              1. Access should be denied after three (3) unsuccessful log in attempts, after which the user account will be locked and will need to be reset by the Administrator to allow re-log in to the system.
              By default in WebLogic my realm, the user is locked out after 5 unsuccessful attempts in 30 mins. To change this, go to Security Realms -> select your realm (myrealm in my case) -> User Lockout -> uncheck Lockout Enabled.

              2. Log in session should be limited only to one (1) per user.
              If you are using only one authentication provider, that is, the default WebLogic LDAP, then only one user can log in per session, as users are identified by GUIDs, not usernames.


              3. The system session time out should be allowed; time out duration can be set only by the systems administrator.
              WebLogic LDAP should time out by default, but if you want to customize it, follow the post below:
              http://rampradeeppakalapati.blogspot.com/2012/08/configure-session-timeout-in-obiee-11g.html

              4. The system should provide change password facility concept.
              Change Password for users in 11g was not available.
              This should be customized by using custom Java code. Pls refer to:
              obieedue.blogspot.sg/2012/07/changing-user-password-in-obiee-11g.html
              http://www.rittmanmead.com/2011/10/changing-your-password-in-obiee-11g/
              Oracle still has not provided any fix or patch for this; see Bug 11836170: ENABLE NON ADMIN USERS TO CHANGE PASSWORDS IN OBIEE 11G
              This is because security communication between OBIEE and WLS, where users are stored, might have to consider several authentication providers, making this very difficult to manage.

              5. The user password should expire after the maintained expiration date. Once the password expires, the user should be asked to encode his/her new password.
              By default in Weblogic LDAP there is no such feature available to expire the Password automatically. You will have to write your Custom Authenticator or use AD Server or any other LDAP Server as the user store.

              The user password should:
              a. Be case-sensitive; and
              b. Have a minimum of eight (8) and maximum of twenty (20) alphanumeric characters.

              These can be modified by going to WebLogic console > Security realms > Providers > Password Validation Provider

              6. The system should provide different user groups and access levels.
              This can be done using EM by Users/Roles setup.

              Hope this helps. Pls mark if it does.

              Let us know if you have any questions.

              Thanks,
              SVS
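
Added example, not part of the thread and not WebLogic code: a simplified Python model of the lockout behaviour discussed in reply 3 (failures counted inside a time window, with an administrator-only unlock as in requirement 1) together with the password rule from requirement 5. The class, function and parameter names are hypothetical, and the 5-attempts-in-30-minutes policy is taken from the reply as stated.

```python
import re
from dataclasses import dataclass, field

# Requirement 5b in the thread: 8 to 20 alphanumeric characters.
PASSWORD_RULE = re.compile(r"[A-Za-z0-9]{8,20}")

def password_allowed(candidate):
    return PASSWORD_RULE.fullmatch(candidate) is not None

@dataclass
class LockoutPolicy:          # hypothetical names, not WebLogic attributes
    threshold: int            # failed attempts that trigger a lock
    window_minutes: int       # older failures are no longer counted

@dataclass
class Account:
    password: str             # model only; a real store keeps a salted hash
    failures: list = field(default_factory=list)  # minutes of recent failures
    locked: bool = False

def attempt_login(acct, policy, supplied, now_minute):
    """Return 'ok', 'denied' or 'locked' for one login attempt."""
    if acct.locked:
        return "locked"       # no automatic expiry: wait for admin_unlock()
    if supplied == acct.password:   # exact comparison, so case-sensitive (5a)
        acct.failures.clear()
        return "ok"
    # Drop failures outside the counting window, then record this one.
    acct.failures = [t for t in acct.failures if now_minute - t < policy.window_minutes]
    acct.failures.append(now_minute)
    if len(acct.failures) >= policy.threshold:
        acct.locked = True
        return "locked"
    return "denied"

def admin_unlock(acct):
    """Requirement 1: only an administrator reset allows login again."""
    acct.locked = False
    acct.failures.clear()

def replay(policy, attempts, password="Str0ngPass1"):
    """Run constructed (minute, supplied) attempts against a fresh account."""
    acct = Account(password)
    return [attempt_login(acct, policy, pw, minute) for minute, pw in attempts]

# Constructed sample: three wrong guesses (the first differs only in case), then the right one.
SAMPLE = [(0, "str0ngpass1"), (1, "guess123"), (2, "guess456"), (3, "Str0ngPass1")]
REQUIRED = LockoutPolicy(threshold=3, window_minutes=30)        # requirement 1
STATED_DEFAULT = LockoutPolicy(threshold=5, window_minutes=30)  # as stated in reply 3
```
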
              • 4. Re: OBIA Security Implementations
                Naeem Akhtar Khan
                Hello SSVS,

                Your comments are very helpful to me and answer almost everything.

                Just one little thing more.

                If we don't have LDAP or AD, and we want to do it from EBS or a custom database, then how will we do it?

                Thanks
                Naeem Akhtar
                • 5. Re: OBIA Security Implementations
                  Srikanth Mandadi
                  Hi,

                  You can validate users from external tables, which is similar to the steps below provided for LDAP.

                  Validate User from external table instead of LDAP.
                  http://www.rittmanmead.com/2010/11/oracle-bi-11g-active-directory-security-using-init-blocks-variables-10g-style/

                  Regards,
                  Srikanth
                  • 6. Re: OBIA Security Implementations
                    Turbokat
                    Hello,

                    If you want to use users from EBS, you can configure Single Sign-On between EBS and OBIEE using ICX authentication; all the user and session management is maintained by Oracle EBS.

                    EBS SSO - http://docs.oracle.com/cd/E23943_01/bi.1111/e16364/ebs_actions.htm#CHDHCAFD

                    Using DB authentication - How to Create a Basic SQL Authenticator [ID 1342157.1]

                    Doc ID 1338007.1 refers to configuring OBIEE 11.1.1.5.0 to use SQLAuthenticator

                    Hope this helps. Pls mark if it does.

                    Thanks,
                    SVS
                    • 7. Re: OBIA Security Implementations
                      Naeem Akhtar Khan
                      It is good to have SSO, but I will avoid it if other things meet my requirement.

                      We have to buy different licences for SSO :)
                      • 8. Re: OBIA Security Implementations
                        Turbokat
                        EBS SSO - http://docs.oracle.com/cd/E23943_01/bi.1111/e16364/ebs_actions.htm#CHDHCAFD - This one does not need a license :)

                        Also, there is Windows Native Authentication for OBIEE 11g, which does not require acquiring an additional license.

                        Hope this helps. :)