nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

OBIEE 12c Bypassing AD Groups

3310714

Hi,

Just want to get your thoughts on the following security setup in OBIEE 12c. We are integrated with Active Directory for users and groups. The standard practice of setting up security in OBIEE is: AD users --> AD Groups --> App Roles --> Folder/Repository Permissions

However, it takes about 1 month for our IT to setup an OBI group in Active Directory. If I were to add the AD Users directly to the App Roles, do you see any major issues? So instead of letting IT manage users and groups, I'm managing it myself. I just hate to wait on others when I can be faster.

AD users --> App Roles --> Folder/Repository Permissions

Find more posts tagged with

Accepted answers

All comments

[Deleted User]

It will work of course but be aware that

a) the effort is wholly on your side

b) you have to also make sure that People not just gain rights but also LOSE rights appropriately. i.e. if someone changes department or function he/she should not retain old rights and potentially see and Access things no longer allowed in the new position

c) you're building a new little security ecosystem outside of your corporate security

Thomas Dodds

Management nightmare ...

[Deleted User]

Oh without a shadow of a doubt

3310714

Thanks for your insights. If someone changes department, it'll IT 3-4 weeks to remove that person. I can do it immediately even though it's more work on my side. Ideally, our IT should be more efficient but I'm just considering other options.

saketsrv

Hi ,

You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you

[Deleted User]

saketsrv wrote:Hi ,You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you

@saketsrv I'd love to hear how that would work. So you're saying that Oracle table would do "group/Application Role assignment"?

saketsrv

Hi Christian,

What i meant was he can create the groups in the table ,add AD users(BISQLGroupProvider)to that group,create role in EM,assign the role to the group and then he can set the security in analytics as per his requirements. This whole process removes the involvement of any network team.

[Deleted User]

If the OP's goal is to make the process faster / less complex then why add the additional step if you can do the same thing directly in Enterprise Manager?

User -> App Roles directly through GUI or WLST

Instead of

User via SQL -> DB table group -> App Roles via GUI or WLST

It also requires a DB table and an additional mechanism of data entry. Plus it even is something you need to deploy on the server in terms of configuration so probably has to go through the whole deployment process in order to have it existing on a productive system, production database etc etc