OBIEE 12c Bypassing AD Groups — Oracle Analytics

Oracle Analytics Cloud and Server

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

OBIEE 12c Bypassing AD Groups

Received Response
31
Views
8
Comments
3310714
3310714 Rank 6 - Analytics Lead

Hi,

Just want to get your thoughts on the following security setup in OBIEE 12c.  We are integrated with Active Directory for users and groups.  The standard practice of setting up security in OBIEE is:   AD users --> AD Groups --> App Roles --> Folder/Repository Permissions

However, it takes about 1 month for our IT to setup an OBI group in Active Directory.  If I were to add the AD Users directly to the App Roles, do you see any major issues?  So instead of letting IT manage users and groups, I'm managing it myself.  I just hate to wait on others when I can be faster.

AD users --> App Roles --> Folder/Repository Permissions

Answers

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    It will work of course but be aware that

    a) the effort is wholly on your side

    b) you have to also make sure that People not just gain rights but also LOSE rights appropriately. i.e. if someone changes department or function he/she should not retain old rights and potentially see and Access things no longer allowed in the new position

    c) you're building a new little security ecosystem outside of your corporate security

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    Management nightmare ...

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Oh without a shadow of a doubt

  • 3310714
    3310714 Rank 6 - Analytics Lead

    Thanks for your insights.  If someone changes department, it'll IT 3-4 weeks to remove that person.  I can do it immediately even though it's more work on my side.   Ideally, our IT should be more efficient but I'm just considering other options.

  • saketsrv
    saketsrv Rank 5 - Community Champion

    Hi ,

    You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner
    saketsrv wrote:Hi ,You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you

    @saketsrv I'd love to hear how that would work. So you're saying that Oracle table would do "group/Application Role assignment"?

  • saketsrv
    saketsrv Rank 5 - Community Champion

    Hi Christian,

    What i meant was he can create the groups in the table ,add AD users(BISQLGroupProvider)to that group,create role in EM,assign the role to the group and then he can set the security in analytics as per his requirements. This whole process removes the involvement of any network team.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    If the OP's goal is to make the process faster / less complex then why add the additional step if you can do the same thing directly in Enterprise Manager?

    User -> App Roles directly through GUI or WLST

    Instead of

    User via SQL -> DB table group -> App Roles via GUI or WLST

    It also requires a DB table and an additional mechanism of data entry. Plus it even is something you need to deploy on the server in terms of configuration so probably has to go through the whole deployment process in order to have it existing on a productive system, production database etc etc