OBIEE security - Custom Authorization Provider possibility?

Hi All,
I'd like to implement a Custom Authorization Provider for OBIEE, in the way described in Authorization Providers for WLS (due to the proprietary security implementation in our system). I've read the guide about OBIEE security, especially https://docs.oracle.com/middleware/1221/biee/BIESC/intro.htm#BIESC353, where it is described:
Oracle Business Intelligence 12c is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Business Intelligence installation makes use of the following types of security providers:
- An authentication provider that knows how to access information about the users and groups accessible to Oracle Business Intelligence and is responsible for authenticating users.
- A policy store provider that provides access to application roles and application policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Business Intelligence.
- A credential store provider that is responsible for storing and providing access to credentials required by Oracle Business Intelligence.
Therefore I expect the policy defined in the deployment of the application to be available, and that it will be possible to consume and configure it within an external security system, but it doesn't seem to work like this. The only security defined/shared with the Oracle Fusion Middleware Security architecture is for application=bi-security-login and its JSP login page. I'm not sure, but it looks like other applications such as OBI Presentation Service Administration or OBI Administration Tool use a BI Repository RPD, which is used separately.
Please could someone help me and explain how this could be integrated with an external security implementation in such a way that we could load the defined application Roles and Permissions, configure relations externally, and let OBIEE use them?
Thank you for your help.
Answers
-
Key question:
Mara.79 wrote: (due the reason of proprietary security implementation in our system).
^--- what is that proprietary security implementation?
0 -
It's a service with an HTTP interface using a separate DB for authentication/authorization (and supporting LDAP for authentication), with Java/.NET/C++ client library implementations. I think there is the possibility to load authorization data directly from the DB, but not the authentication part, due to the internal LDAP request forwarding.
0 -
Hmm, if you can get to the LDAP for authentication (and maybe also authorization; depends on what it stores) then it's pretty straightforward.
Does it support standard LDAP protocols?
0 -
No, our service doesn't support the LDAP protocol; it has a proprietary XML request/response interface and constructs the LDAP authentication request internally. For authorization it supports only XML-content HTTP request/response and loads the security policy from the DB. The service doesn't allow loading/storing the security policy over LDAP, not even by internal adapting as for the authentication part.
Thanks for helping.
0 -
To say it with the words of Liam Neeson:
That's a question that's too complex for a forum solution by about a power of 20
0 -
Nice...
OK, could we answer the simple question to conclude this thread? ...
The guide Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition: 1.2 Overview of Security in Oracle Business Intelligence (cited above) says: "Oracle Business Intelligence 12c is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture." But this is true only for the login screen of the OBIEE application, which has its security defined in the deployment descriptor; the rest of the application authorization, e.g. authorization for objects used in OBI, is set up in the metadata repository RPD file and NOT in the authorization provider store defined in the security realm (as e.g. in XACML).
Simply put, there is no authorization integration with WLS for content defined in the OBI Analytics app, but only for the app itself, as shown in this figure of Presentation Services Administration, accessible from the OBI Analytics app.
0 -
@Mara.79 What is your question there?
0 -
Question was:
Can OBIEE be integrated with a WebLogic Authorization Provider (defined in the Security Realm)?
If NOT, is it due to the fact that OBIEE uses its own proprietary security "storage" for authorization (application Roles and Privs.)?
0 -
WLS - either holds the users/groups OR retrieves them from a Provider
FMW EM - controls Application Roles; where a group (preferably over a user; from WLS) is made a member of the role <-- this is where OBIEE Roles 'integrate' with WLS
OBIEE RPD - controls the business logic and querying of underlying data sources; you can specify FMW application roles for row level filtering and object level access
OBIEE Web Catalog - the visible content of the BI system; you can specify permissions based on FMW application roles to objects in the catalog
When thinking of application roles think in terms of Roles for:
- what type of user (admin, author, consumer)
- data row filters (NA, ASIA, EMEA, etc)
- what objects can be seen
- webcatalog columns (salary, bank account, ssn, etc)
- folders, dashboards, reports, etc
0 -
Thank you for your response.
OK, so it means I can use a custom Authentication Provider to define Groups, but not a custom Authorization Provider to define App Roles; this can only be done in FMW EM, right?
0