Oracle Analytics Cloud and Server

Defining Data Security: Identity Manager or LTS?

Rank 6 - Analytics Lead

Hi,

We are on OBI EE 11.1.1.7.0.

I would like to know the best place to define and maintain data security within an Oracle BI RPD file. I need to restrict data based on user groups, for example, members of group G1 can only view region Americas data, while members of group G2 can view region Europe data only.

At the moment, the data security is implemented in the LTSs of logical fact tables (Content tab > WHERE clause). However, we can define the data security using Identity Manager, as well, in an Oracle BI RPD file.

Could you let us know the pros and cons of the above two approaches or the best practices to be followed, please?

Thank you.

Regards,

Manoj.

Answers

  • Rank 2 - Community Beginner

    Identity Manager. LTS is much more hardcoded, and extension/change of security rules will force you to touch the LTS object itself rather than just rule assignment in the Identity Manager.

  • Rank 6 - Analytics Lead

    Thanks Christian.

    Using Identity Manager, do I need to duplicate 'Data Filters' with respect to all the Application Roles? For example, a user belonging to BIAuthor role should be restricted from seeing region Americas data and so, a user belonging to BIConsumer role. And, can the data security still be enforced even if I do not select any column from relevant dimension table?

    Could you please let us know?

    Regards,

    Manoj.

    Edit: We might want to move the row-level security to Identity Manager, hence the new couple of questions.

  • Rank 6 - Analytics Lead

    I believe my first question is wrong. As, if I create a row-level security via 'Data Filters' for BIConsumer role then automatically it will be applicable to BIAuthor role as well? Is that correct?

  • Hi,

    The defined rules (Data Filters) are applied even if you don't select any column from the dimension with the rules on it (that's one of the problems with LTS filters, if you don't use the LTS => no filter => no security).

    If your BIAuthor inherits the rules of BIConsumer, it's because your app roles are related. BIAuthor is probably assigned as a member of BIConsumer to inherit its permissions (and then BIAuthor has some extra ones).

  • Rank 2 - Community Beginner

    Security is always enforced if you put the filter on a high-enough level - i.e. not just saying "Table"."Column Name" = myvariable or sth (I'm paraphrasing).

    With regards to security applying to app roles... just think about inheritance: if an app role is a child of another then it will inherit the filter from its parent, because the effective user will have both app roles assigned at runtime.

  • Rank 8 - Analytics Strategist

    My suggestion is to supplement the BIConsumer/BIAuthor roles with data security roles (and other permissions roles related to content) ... this gives you flexibility ... can have a user in BIDSAmericas (can see America region) and be either a BIConsumer or a BIAuthor.  BIConsumer/BIAuthor/BIAdministrator are authorization roles - leave their intent alone.  If you make changes you can introduce unwanted outcomes very quickly.

  • Rank 2 - Community Beginner

    +1 Don't mix functional access and data access roles. Create a matrix with the two types where you can cross them.

  • This reminds me of a presentation two great guys did lately at Kscope16 ...

    So just a snapshot to visualize what Thomas and Christian are saying.

    OBIEE privileges = the settings in the Privileges page of the OBIEE front-end administration page

    Keep in mind application roles don't cost anything and can be linked together (inheritance), so don't try to get a generic BI Author / Consumer role doing everything; you will never manage to get proper security that way.

    Capture.PNG

  • Rank 6 - Analytics Lead

    Gents, thanks for your valuable inputs.

  • Rank 2 - Community Beginner

    Still not on slideshare or speakerdeck, or are you still waiting with that?
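
The role design recommended in the answers above (functional roles kept separate from data security roles, with filters reaching users through role inheritance) can be checked mechanically. The following Python is an added example, not code from the thread or from Oracle: it is a simplified model, and the membership map, user grants and filter expressions are constructed assumptions.

```python
# Added illustration: a simplified model, not OBIEE's own code or API.
# Role names come from the thread; memberships and filters are constructed.
FUNCTIONAL_ROLES = {"BIConsumer", "BIAuthor", "BIAdministrator"}

# role -> roles it is a member of (it inherits everything granted to them)
MEMBER_OF = {"BIAuthor": {"BIConsumer"}, "BIAdministrator": {"BIAuthor"}}

# role -> data filters attached to that role (constructed expressions)
DATA_FILTERS = {
    "BIDSAmericas": ['"Region" = \'Americas\''],
    "BIDSEurope": ['"Region" = \'Europe\''],
}

def effective_roles(granted, member_of=MEMBER_OF):
    """Transitive closure of role membership for the directly granted roles."""
    seen, stack = set(), list(granted)
    while stack:
        role = stack.pop()
        if role not in seen:  # also guards against membership cycles
            seen.add(role)
            stack.extend(member_of.get(role, ()))
    return seen

def applicable_filters(granted, data_filters=DATA_FILTERS, member_of=MEMBER_OF):
    """Every data filter that reaches the user, directly or by inheritance."""
    roles = effective_roles(granted, member_of)
    return sorted(f for r in roles for f in data_filters.get(r, ()))

def audit(users, data_filters=DATA_FILTERS, member_of=MEMBER_OF):
    """Return findings that break the functional/data role matrix."""
    findings = []
    for role in sorted(FUNCTIONAL_ROLES & set(data_filters)):
        if data_filters[role]:
            findings.append(f"data filter on functional role {role}")
    for user, granted in sorted(users.items()):
        roles = effective_roles(granted, member_of)
        if not roles & FUNCTIONAL_ROLES:
            findings.append(f"{user}: no functional role")
        if not applicable_filters(granted, data_filters, member_of):
            findings.append(f"{user}: no data filter applies")
    return findings
```

A filter attached to BIConsumer shows up for a BIAuthor user in `applicable_filters`, which is the inheritance effect described in the answers and the reason the audit flags filters on functional roles.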
