How to allow a specific set of users to log in to the OBIEE application

We have configured Windows AD authentication with OBIEE 11.1.1.9.0 and now every single user in the AD can log in to the OBIEE application.
Is there any way to restrict OBIEE access to a specific set of AD users? Example: I have 100 users in AD and only need to allow 30 users to log in to OBIEE; I don't want the remaining 70 users to use the OBIEE application.
Any help appreciated. Thanks!!!
Answers
-
You can create a group in Windows Active Directory and add those 30 users to that group.
Once added, add the group filter at the location below:
login to console -> security realms -> myrealm -> Providers tab -> click on your AD provider -> Provider Specific tab
For example, if the Windows AD group name is OBIEE_GROUP, then add the filter below in the Groups section ->
Group Base DN - CN=OBIEE_GROUP,OU=Group-Standard,OU=Groups,DC=<DOMAINNAME>,DC=com
All Groups Filter - (objectclass=group)
Refer to the link below ->
http://www.redstk.com/welcome-to-obiee12c-configuring-external-ldap-authentication-part-1/
0 -
There is a special application role, 'authenticated user', which is automatically assigned.
What you can do is remove 'authenticated user' from the BIConsumer application role.
Thanks to Gianna Ceresa (if I remember correctly) who originally answered this question for me.
Hope this helps,
Robert.
0 -
Hi,
Is this a static list? As in, is it always just the same thirty that need access? If that is the case, why don't you bring in just the thirty from AD with an appropriate filter?
0 -
Take all the previous answers, put them together and you get your solution.
What you ask can be done in a few ways, some being better than others. If you can filter at the AD level (so pointing OBIEE to a subset of your AD only, a sub-branch or something, or adding an extra condition based on membership of the users in a group or an AD attribute) it's the best way, as your OBIEE environment will not even be aware of the other users existing in AD (and this is also the way to avoid issues with licensing when you have a limited number of licenses).
The second approach (which you should ideally always do, even if you implement the first) is to restrict access and functionalities in OBIEE based on application roles. And you assign your users to application roles based on AD groups or a DB table or something else (depends on how you planned to manage things).
And also what Robert said: by default 'authenticated user' has too many privileges, so take it out of any other application roles to avoid unwanted inheritances and a big security hole.
As a side note: filtering access to OBIEE based only on application roles is a problem for licensing, because it's the OBIEE application already doing the work to allow or refuse access, so from a theoretical point of view you would need a license even for the users you are forbidding (so better to avoid ending up there if you can).
PS: if your AD doesn't have anything allowing you to simply filter the 30 users, you can code the AD filter with the 30 usernames directly (maybe exactly what Sherry George said), but no need to tell you how much less dynamic and uncomfortable it is for management ... (had a client managing 900 users like that; they screwed up the list of people a few times, blocking access for everybody).
0 -
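The two controls this thread converges on, restricting the AD provider's user filters to one AD group and handling authorization separately through application roles, can be checked offline before anything is changed in the WebLogic console. The following is an added example, not code from this thread or from Oracle/WebLogic: a small evaluator for RFC 4515 search filters run against a constructed snapshot of an AD tree. All DNs, group and user names are constructed, and the two "default" filter strings are what I assume the WebLogic Active Directory authenticator ships with (verify them on your own provider's Provider Specific tab). Two points the example makes explicit: the All Users Filter only governs which users WebLogic lists, while the filter evaluated at login is the User From Name Filter (the one containing %u), so the memberOf clause must be present in both for the restriction to hold at authentication time; and the login name substituted for %u has to be filter-escaped, otherwise a name such as `*` rewrites the filter.

```python
"""Added example (not from the thread or from Oracle/WebLogic): evaluate
AD-style LDAP search filters against a constructed directory snapshot to see
which accounts an OBIEE/WebLogic AD provider admits with and without a
memberOf clause. Every DN, group and user name below is constructed."""
import re

OBIEE_GROUP_DN = "CN=OBIEE_GROUP,OU=Groups,DC=example,DC=com"  # constructed
FINANCE_DN = "CN=Finance,OU=Groups,DC=example,DC=com"          # constructed


def _user(name, groups):
    """Build a constructed AD user entry (multi-valued attributes as lists)."""
    return {"dn": f"CN={name},OU=Users,DC=example,DC=com", "cn": [name],
            "objectClass": ["top", "person", "user"],
            "sAMAccountName": [name], "memberOf": groups}


# Four users, two of them members of OBIEE_GROUP, plus the group object itself.
DIRECTORY = [
    _user("alice", [OBIEE_GROUP_DN]),
    _user("bob", [OBIEE_GROUP_DN, FINANCE_DN]),
    _user("carol", [FINANCE_DN]),
    _user("dave", []),
    {"dn": OBIEE_GROUP_DN, "cn": ["OBIEE_GROUP"], "objectClass": ["top", "group"]},
]

# Assumed WebLogic AD-authenticator defaults and their group-restricted
# variants; %u is WebLogic's placeholder for the login name being looked up.
DEFAULT_ALL_USERS = "(&(sAMAccountName=*)(objectclass=user))"
DEFAULT_USER_FROM_NAME = "(&(sAMAccountName=%u)(objectclass=user))"
RESTRICTED_ALL_USERS = f"(&(sAMAccountName=*)(objectclass=user)(memberOf={OBIEE_GROUP_DN}))"
RESTRICTED_USER_FROM_NAME = f"(&(sAMAccountName=%u)(objectclass=user)(memberOf={OBIEE_GROUP_DN}))"

ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")


def parse_filter(text):
    """Parse a filter into a tree of ('&'|'|'|'!', kids) / ('=', attr, value);
    raise ValueError on unbalanced parentheses or a malformed item."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, kids = text[i], []
            i += 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if i >= len(text) or text[i] != ")" or not kids:
                raise ValueError(f"unbalanced or empty '{op}' near offset {i}")
            return (op, kids), i + 1
        end = text.find(")", i)
        attr, eq, value = text[i:end if end >= 0 else len(text)].partition("=")
        if end < 0 or not eq or not ATTR_RE.fullmatch(attr):
            raise ValueError(f"malformed item near offset {i}")
        return ("=", attr, value), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def filter_is_well_formed(text):
    """True if the filter parses; handy for checking values typed into the console."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a filter, so a login
    name such as '*' or 'x)(objectclass=*' cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _unescape(piece):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values are
    compared case-insensitively, as AD does for these attributes."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = []
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            values += [v.lower() for v in (vals if isinstance(vals, list) else [vals])]
    if value == "*":                       # presence test
        return bool(values)
    # An unescaped '*' is a wildcard; every other character is literal.
    pattern = ".*".join(re.escape(_unescape(p).lower()) for p in value.split("*"))
    return any(re.fullmatch(pattern, v) for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the sorted cn values of the entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(e["cn"][0] for e in directory if matches(tree, e))


def login_allowed(username, user_from_name_filter, directory=DIRECTORY):
    """Mimic the authenticator's lookup: substitute the escaped login name for
    %u and require exactly one matching user entry."""
    lookup = user_from_name_filter.replace("%u", escape_filter_value(username))
    return len(search(lookup, directory)) == 1


if __name__ == "__main__":
    print("default listing   :", search(DEFAULT_ALL_USERS))
    print("restricted listing:", search(RESTRICTED_ALL_USERS))
    for user in ("alice", "carol", "*"):
        print(f"login {user!r}: default={login_allowed(user, DEFAULT_USER_FROM_NAME)} "
              f"restricted={login_allowed(user, RESTRICTED_USER_FROM_NAME)}")
```

Running it lists all four users under the default filter and only alice and bob under the restricted one, and `login_allowed` shows the same split at authentication time. `filter_is_well_formed` is there because a filter pasted into the console with an unbalanced parenthesis (the later post in this thread has one of those in its All Groups Filter) is rejected by the parser rather than silently matching nothing.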
Thank you all for the solutions and explanations.
I have tried one option, associating users to the BI Consumers application role and removing 'authenticated user' from BI Consumers; it is working fine.
But I think restricting users with a separate group in Windows Active Directory is best practice.
0 -
Good practice for sure.
It also depends a lot on your company and who is in charge of what. Often a "one AD group to one application role" mapping is adopted; in such a way you hand the responsibility for managing that part of the security out to the security team, and you simply set restrictions/authorizations on content and functionalities without having to care who is in that application role or not (real users).
0 -
I have more than 1000 thousands users, so I created a group OBIE and 2 sub-groups BI1 and BI2 and set 6 users in B1 and 4 in B2 in Active Directory.
User Base DN: i selected all users OU=xx-users
All Users Filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=B1,OU=OBIE Group,OU=XX-Groups,DC=xxx,DC=xxx))
Group Base DN: OU=OBIE ,OU=xx-Groups,DC=xx,DC=xx
All Groups Filter: (&(objectClass=group)((OU=*BI*)
From the WebLogic console I can see 6 + 4 users and 2 groups, which is good.
But from the EM console, when I tried to create a new role I can find all the users, so why can I see all users here in EM?? And they can access BI.
I removed the authenticated role, so no one can access BI now: "You don't have the privilege to access this page. Please contact your system administrator. obiee"
0 -
1.) This isn't your thread.
2.) It is an answered thread.
So please don't add new questions to it, but follow the forum rules and open a new thread where you explain your problem precisely and in detail.
0