Set up multiple memberships and control the access on OBIEE folders
Is it possible to set up multiple memberships and control the access that way on different folders within an OBIEE application?
Basically, we need the ability to control access to folders as we will have multiple projects.
I thought one way to solve this issue is being able to select a group or also select "Application Membership" from the list in the screenshot below. Is there any way to do that?
Remembering that I can only add OBIEE application roles to the folders. I see this as potentially one way to do it, but ideally I don’t have an app role for every project we use. I would rather set up multiple memberships and control access that way.
Answers
-
Remembering that I can only add OBIEE application roles to the folders.
And why is it like that?
OBIEE does allow a lot of freedom on the security model you want to use. Application roles can represent a functional access, a content access or a mix of both. It just depends on the security model you decide to implement...
Nothing forbids you from implementing a security model giving you control by project.
These are just 2 possible models, inheritance does all the magic and you can decide how far you want to push the concept based on your needs.
0 -
Hi @Gianni Ceresa ,
Thanks for those images. It does help me imagine how this needs to be set up. I’ve been playing around with it but am still running into some issues with it. It seems that my new Application Role (pccd_BIContentAuthor) can still read the other folders even though I did not explicitly grant the role access to them. I’ve tried setting it up so that my main BIContentAuthor role contains the specific pccd_BiContentAuthor membership (which is the group that I am trying to limit access to):
My pccd_BiContentAuthor role:
My main BIContentAuthor role:
If I sign in as one of my pccd_BiContentAuthor users, I see all the folders when I am expecting to only see the PCCD folder since that’s the only folder I’ve granted access to.
To summarize what I am trying to do - I want to easily set up catalog folders that only specific Application Roles (that are tied to my AD group) can access. They should not have access to any other folders. But I want to do this by just going in and granting access to the folder they should have access to. I do not want to have to add all of my other custom roles with No Access permissions to all the folders they shouldn’t have access to. We could potentially have 20+ catalog folders with 20+ roles at some point. I am not seeing how to do this short of going in and explicitly denying access to all the folders.
Please let me know if I am missing something or if you can provide suggestions.
0 -
Just a quick check: if you connect as one of your PCCD users and go on "my account" (top-right icon) and check what application roles you have, what do you see?
Inheritance can be a sneaky thing and keeps jumping in, messing with what you have in mind, mainly when you try to add security on top of an existing situation little by little. Sometimes security works better in a big bang release, just because you need to get fully rid of inheritance and that would break too many things to test piece by piece.
0 -
Hi @Gianni Ceresa ,
My current account shows the following:
I think the issue may be the fact that the BIConsumer role is applying to ALL authenticated-role users which I assume means any user who can log in. I am guessing I will need to remove this role from my folders or even remove the authenticated-role membership from the BIConsumer application role entirely. Let me know if you have any suggestions on this as I don’t want to break anything by doing this.
0 -
You need to carefully evaluate who "Authenticated User" is, because having this as a member of BI Consumer could give you a serious licensing issue. Authenticated User is anyone with a valid username and password; if you are connected to your enterprise AD or LDAP, this can be many more people than the number of licenses you own for the product.
It's often a good practice to remove Authenticated User as a member of BI Consumer. Authenticated User generally shouldn't be used to grant or deny anything: it does exist and that's it, it should be ignored because it can easily be many more users than what you think it is.
Keeping it simple, what you are seeing is just normal inheritance. That's why I said that a security model implementation is often a big bang release, because you need to replace and break a lot of things to get the expected behavior. One thing to pay attention to is to not cut yourself out if you make changes little by little to an existing environment. But in OBIEE you can easily recover access anyway thanks to the offline catalog.
And you will almost certainly break something. A security model isn't a simple tiny thing, it touches every piece of your environment. Implementing it bit by bit also means you can easily have gaps and leave open access by mistake.
0 -
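To make the inheritance described in the two previous posts concrete, here is an added example (not from this thread, not Oracle's code) that models transitive application-role membership and catalog folder ACLs in Python and computes which folders a PCCD user can see. The role chain (pccd_BIContentAuthor inside BIContentAuthor inside BIConsumer, with authenticated-role in BIConsumer), the folder names, the AD group "AD_PCCD", the user "jdoe" and the permission-resolution rules are constructed assumptions for illustration.

```python
# Constructed, simplified model of OBIEE-style role inheritance and catalog folder
# ACLs (illustration only, not the product's code). Assumed: membership is
# transitive (roles hold users, groups, other roles); an explicit "No Access" beats
# inherited grants; otherwise the most permissive grant among held roles applies.
PERMISSION_RANK = {"No Access": 0, "Read": 1, "Modify": 2, "Full Control": 3}

def effective_roles(principals, role_members):
    """All application roles a user holds, following membership transitively."""
    held, pending = set(), list(principals)  # user, AD groups, authenticated-role
    while pending:
        p = pending.pop()
        for role, members in role_members.items():
            if p in members and role not in held:
                held.add(role)
                pending.append(role)  # a role can be a member of another role
    return held

def effective_permission(folder_acl, roles):
    grants = [folder_acl[r] for r in roles if r in folder_acl]
    if not grants or "No Access" in grants:
        return "No Access"
    return max(grants, key=PERMISSION_RANK.__getitem__)

def visible_folders(catalog, principals, role_members):
    roles = effective_roles(principals, role_members)
    return sorted(f for f, acl in catalog.items()
                  if PERMISSION_RANK[effective_permission(acl, roles)] > 0)

# Sample data (constructed): role names from the thread, made-up AD group "AD_PCCD"
# and user "jdoe"; BIContentAuthor being a member of BIConsumer is the default.
ROLES = {
    "BIConsumer": {"authenticated-role", "BIContentAuthor"},
    "BIContentAuthor": {"pccd_BIContentAuthor"},
    "pccd_BIContentAuthor": {"AD_PCCD"},
}
CATALOG = {
    "/shared/PCCD": {"pccd_BIContentAuthor": "Modify"},
    "/shared/ProjectB": {"BIConsumer": "Read"},
    "/shared/ProjectC": {"BIConsumer": "Read"},
}
PCCD_USER = {"jdoe", "AD_PCCD", "authenticated-role"}
def scenario(drop_authenticated, per_project_grants):
    roles = {r: set(m) for r, m in ROLES.items()}
    if drop_authenticated:  # remove Authenticated User from BIConsumer
        roles["BIConsumer"].discard("authenticated-role")
    catalog = dict(CATALOG)
    if per_project_grants:  # project folders grant their own role, not BIConsumer
        catalog["/shared/ProjectB"] = {"projb_BIContentAuthor": "Modify"}
        catalog["/shared/ProjectC"] = {"projc_BIContentAuthor": "Modify"}
    return visible_folders(catalog, PCCD_USER, roles)
```

Removing authenticated-role from BIConsumer alone changes nothing for this user in the model, because BIContentAuthor still inherits BIConsumer; the PCCD user is limited to the PCCD folder only once the other folders stop granting BIConsumer, which is the "control by project" model from the first answer.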
Hi @Gianni Ceresa ,
Thanks for the details. In my case I am only authenticating users in a specific OU with my AD system so it will be limited to those accounts. I also do not recall adding the authenticated-users membership to BIConsumer so this may be just an out of the box configuration. It sounds like I do want to remove it from the BIConsumer role. I will test this as soon as I can and see if it resolves my issue.
0 -
Authenticated user is a member of BI Consumer by default in OBIEE 12c and it was already like that in 11g. 10g was different because the whole system was different (not WebLogic) with a very different security implementation.
0 -
Hi @Gianni Ceresa,
I am still trying to figure out how I can limit folder access based on AD group. Do you know how I can do it?
0