Active Directory - default log in rights with no group

Question

Hi,

it is a documented feature that an end user gets rights to log in and use OBIEE when assigned no group in Active Directory.

i.e. When a user is created in Active Directory with a password and AD is configured as the security provider that user can then log into OBIEE and the roles assigned are; - BISecurity, BIConsumer and AuthenticatedUser

Is there any non-intrusive workaround to prevent this?

My OBIEE version is 11.1.1.9.0

Many thanks,

Robert.

Gianni Ceresa · Answer

Yes for the AD string, for the other one it's not remove the Authenticated User app role but remove it as member of BIConsumer.

As you see in this screenshot BIConsumer has 3 members : BIConsumers (a group coming from a LDAP), BIAuthor (an application role), authenticated-role (another application role).

You simply edit BIConsumer to remove authenticated-role as a member. Just by doing the authenticated users not port of any other AD group will lose almost all their privileges.

Robert Angel · Answer

Thanks for your input, can I just confirm that I understand you correctly.

The answer is to EITHER remove the Authenticated User application role (presumably the other roles do not inherit rights from Authenticated User?!)

OR

Add additional filters to the AD string

Is that what you are saying?

Many thanks, will mark as helpful!!

Robert.

Gianni Ceresa · Answer

Hi Robert,

This happen because in the AD authentication provider you just point on a high level branch of your AD containing all users and don't have any extra conditions to prevent every user to login.

What you see (app roles assigned to these new users) it's because of the "authenticated user" application role.

This is a special application role which is automatically assigned to every user with a valid username / password validated by the AD.

What you can do is remove "authenticated user" from the BIConsumer application roles (if I'm not wrong it's included there and so by inheritance your users get the BIConsum app role) and make sure you don't have any permission set on the "authenticated user" application role itself.

In that way these users will not be able to do anything in your system.

If you want to make the login to fail (for example for licensing issues) you will have to add some extra conditions to your AD authentication provider.