Hi All, I'd like to implement the Custom Authorization Provider for OBIEE, in way as is describe in Authorization Providers for WLS. (due the reason of proprietary security implementation in our system). I've read the guide about OBIEE security especially https://docs.oracle.com/middleware/1221/biee/BIESC/intro.htm#BIESC353 where is described: Oracle Business Intelligence 12c is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Business Intelligence installation makes use of the following types of security providers: * An authentication provider that knows how to access information about the users and groups accessible to Oracle Business Intelligence and is responsible for authenticating users. * A policy store provider that provides access to application roles and application policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Business Intelligence. * A credential store provider that is responsible for storing and providing access to credentials required by Oracle Business Intelligence. Therefore I expect there will be available the policy defined in deployment of application and this will be possible to consume and configure within en external security system, but it doesn't seem to work like this. Only security defined/shared with Oracle Fusion Middleware Security architecture is for application=bi-security-login and it's JSP login page, I'm not sure but is looks like others applications like OBI Presentation Service Administration or OBI Administration Tool uses any BI Repository RPD which is used separately. Please could someone help me and explain how this could be integrated with any external security implementation such way, that we could load defined application Roles and Permissions configure relations externally and let the OBIEE use it? Thank you for help.

Thank you for your response. OK, so it means I can use custom Authentication Provider to define Groups, but not the custom Authorization Provider to define App Roles, this can by only done in FMW EM, right?

WLS - either holds the users/groups OR retrieves them from a Provider FMW EM - controls Application Roles; where a group (preferably over a user; from WLS) is made a member of the role <-- this is where OBIEE Roles 'integrate' with WLS OBIEE RPD - controls the business logic and querying of underlying data sources; you can specify FMW application roles for row level filtering and object level access OBIEE Web Catalog - the visible content of the BI system; you can specify permissions based on FMW application roles roles to objects in the catalog When thinking of application roles think in terms of Roles for: - what type of user (admin, author, consumer) - data row filters (NA, ASIA, EMEA, etc) - what objects can be seen - webcatalog columns (salary, bank account, ssn, etc) - folders, dashboards, reports, etc

nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

OBIEE security - Custom Authorization Provider possibility?

Mara.79

Hi All,

I'd like to implement the Custom Authorization Provider for OBIEE, in way as is describe in Authorization Providers for WLS. (due the reason of proprietary security implementation in our system). I've read the guide about OBIEE security especially https://docs.oracle.com/middleware/1221/biee/BIESC/intro.htm#BIESC353 where is described:

Oracle Business Intelligence 12c is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Business Intelligence installation makes use of the following types of security providers:

An authentication provider that knows how to access information about the users and groups accessible to Oracle Business Intelligence and is responsible for authenticating users.
A policy store provider that provides access to application roles and application policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Business Intelligence.
A credential store provider that is responsible for storing and providing access to credentials required by Oracle Business Intelligence.

Therefore I expect there will be available the policy defined in deployment of application and this will be possible to consume and configure within en external security system, but it doesn't seem to work like this. Only security defined/shared with Oracle Fusion Middleware Security architecture is for application=bi-security-login and it's JSP login page, I'm not sure but is looks like others applications like OBI Presentation Service Administration or OBI Administration Tool uses any BI Repository RPD which is used separately.

Please could someone help me and explain how this could be integrated with any external security implementation such way, that we could load defined application Roles and Permissions configure relations externally and let the OBIEE use it?

Thank you for help.

Find more posts tagged with

Accepted answers

All comments

Thomas Dodds

Yes ... Provide for managing users/groups ... FMW Enterprise Manager for assigning them to Application Roles