Oracle Analytics Cloud and Server

Home Oracle Analytics Oracle Analytics Forums Oracle Analytics Cloud and Server Oracle Analytics Cloud and Server

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

How to allow specific set of user to login to OBIEE Application

Received Response
141
Views
8
Comments
S R Battula
S R Battula Rank 4 - Community Specialist
edited Aug 13, 2024 6:02PM in Oracle Analytics Cloud and Server

We have configured windows AD authentication with OBIEE 11.1.1.9.0 and now every single user in the AD can login to OBIEE application.

is there any way to restrict  the OBIEE access to specific set of AD users?. Example : i have 100 users in AD and only i need to allow 30 user to login to OBIEE , i don't want remaining  70 users to use OBIEE application. 

Any help appreciated. Thanks!!!

Answers

  • vai
    vai Rank 4 - Community Specialist

    You can create a group in windows active directory and add those 30 users to that group.

    Once added, add the group filter at below location :

    login to console ->  security realms -> myrealm ->Providers tab -> click on your AD Group -> Provider Specific tab

    for example if windows AD group name is OBIEE_GROUP, then add below filter in Groups sectoin ->

    Group Base DN -  CN=OBIEE_GROUP,OU=Group-Standard,OU=Groups,DC=<DOMAINNAME>,DC=com

    All Groups Filter - (objectclass=group)

    refer below link ->

    http://www.redstk.com/welcome-to-obiee12c-configuring-external-ldap-authentication-part-1/

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    There is a special application role which is automatically assigned, 'authenticated user'

    What you can do is remove 'authenticated user' from BIConsumer Application roles.

    Thanks to Gianna Ceresa (if I remember correctly) who originally answered this question for me.

    Hope this helps,

    Robert.

  • Sherry George
    Sherry George Rank 7 - Analytics Coach

    Hi,

    Is this a static list ? As in, is it always just the same thirty that needs access? If that is the case, why don't you bring in just the thirty from AD with an  appropriate filter.

  • Gianni Ceresa
    Gianni Ceresa Mod

    Take all the previous answers, put them together and you get your solution

    What you ask can be done in few ways, some being better than others. If you can filter at the AD level (so pointing OBIEE to a subset of your AD only, a sub-branch or something, or add an extra condition based on membership of the users to a group or an AD attribute) it's the best way as your OBIEE environment will not even be aware of the other users existing in AD (and this is also the way to avoid issues with licensing when you have a limited number of licenses).

    Second approach (which you must ideally always do even if you implement the first) is to restrict access and functionalities in OBIEE based on application roles. And you assign your users to applications roles based on AD groups or a DB table or something else (depends how you planned to managed things).

    And also what Robert said: by default authenticated user has too many privileges, so take it out of any other application roles to avoid unwanted inheritances and a big security hole.

    As a side note: filtering access to OBIEE based only on application roles is a problem for licensing because it's the OBIEE application already doing the work to allow or refuse access, so from a theoretical point of view you would need a license even for the users you are forbidding (so better to avoid ending up there if you can).

    PS: if you AD doesn't have anything allowing you to simple filter the 30 users you can code the AD filter with the 30 usernames directly (maybe exactly what Sherry George said), but no need to tell you how less dynamic and uncomfortable it is for management ... (had a client managing 900 users like that, they screw up the list of people few time blocking full access to everybody).

  • S R Battula
    S R Battula Rank 4 - Community Specialist

    Thank you all for the solutions and explanations .

    i have tried one option associating user to BI Consumers  Application role and removed 'authenticated user' from BI Consumers, it is working fine.

    but  i think restricting users with Separate Group in Windows active directory is  best practice.

  • Gianni Ceresa
    Gianni Ceresa Mod

    Good practice for sure

    It also depends a lot on your company and who is in charge of what. Often a "one AD group to one application role" mapping is adopted, in such way you give the responsibility to manage that part of the security out to the security team and you simply set restrictions/authorizations on content and functionalities without having to care who is into that application role or not (real users).

  • User_5Y5LN
    User_5Y5LN Rank 1 - Community Starter

    I have more than 1000 thousands users so, I created a group OBIE and 2 sub group BI1 and BI2 and set 6 usres in B1 and 4 in B2 in active directory.

    User Base DN: i selected  all users OU=xx-users

    All Users Filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=B1,OU=OBIE Group,OU=XX-Groups,DC=xxx,DC=xxx))

    Group Base DN: OU=OBIE ,OU=xx-Groups,DC=xx,DC=xx

    All Groups Filter: (&(objectClass=group)((OU=*BI*)

    from weblogic console i can see 6 + 4 users and 2 groups which is good.

    But from EM console when i tried to crate a new role i can find all the users so, why can i see all users here in EM?? and they can access BI.

    i removed authenticated role so no one can access now BI "You don't have the privilege to access this page. Please contact your system administrator. obiee"

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    @2787083

    1.) This isn't your thread

    2.) It is an Answered thread

    So please don't add new questions to it but follow the forum rules and open a new thread where you explain your problem precisely and in detail.