Question about the Security of the ODI Master and Work Repositories. When logging into ODI Studio in the 'Repository Connection Information' dialog box, there are 2 sections. This first 'Oracle Data Integrator Connection' specifies ODI Application Level Security; the ODI Admin would use SUPERVISOR and would then created ODI Logins for Developers with appropriate privileges to Projects, Topology etc..
However in the second section for 'Database Connection Information', this is where the DEV_ODI_REPO/[Passwod] (or other ODI Repository Schema) is specified.
If the Developer needs to know the DEV_ODI_REPO Password in order to create the Repository Connection, then what stops this Developer from using the DEV_ODI_REPO login at the Database Level?
The Developer can use SQL Developer (Toad etc.) to directly access to the Repository Tables. Isn't this a security breach?
In your folder C:\Documents and Settings\<user>\Application Data\odi\oracledi\, you will find a file snps_login_work.xml.
You can copy it on developer computer so he doesn't need to know the password (which is encrypted into the file).
For ODI 10g, it's in your ODI_HOME, under oracledi/bin/. You will need the snps_login_security.xml file as well.
I just have to mention what Bhabani found : it is possible to decypher this encrypted password : http://dwteam.in/security-concern-with-odi-snps_login_work-xml/
Hope it helps.
I see what you're saying with the snps_login_work.xml & snps_login_security.xml files, but I have a follow up question: If my login is currently with the SUPERVISOR account and I send the snps_login_work.xml & snps_login_security.xml to the developers, will they also have access with the SUPERVISOR account, or do these files just set the security for the repository connection and then the Developers would still need an ODI level login.
I think you may be able to still see my dilemma, in that I don't want to send those two files if they give SUPERVISOR ODI access. Thanks much, the info you provided does help.
What I usually do is the following for a new user :
- I create a new ODI login and set the security for this account.
- I connect with it so it's added to my snps_login_work.xml file.
- I duplicate the file then open the copy and remove all the other users.
- I put it on users's computer.
This way they only have access to their account and not to Supervisor.