Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 15 Oracle Analytics Lounge
- 208 Oracle Analytics News
- 41 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 76 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
OBIEE 12c Bypassing AD Groups

Hi,
Just want to get your thoughts on the following security setup in OBIEE 12c. We are integrated with Active Directory for users and groups. The standard practice of setting up security in OBIEE is: AD users --> AD Groups --> App Roles --> Folder/Repository Permissions
However, it takes about 1 month for our IT to setup an OBI group in Active Directory. If I were to add the AD Users directly to the App Roles, do you see any major issues? So instead of letting IT manage users and groups, I'm managing it myself. I just hate to wait on others when I can be faster.
AD users --> App Roles --> Folder/Repository Permissions
Answers
-
It will work of course but be aware that
a) the effort is wholly on your side
b) you have to also make sure that People not just gain rights but also LOSE rights appropriately. i.e. if someone changes department or function he/she should not retain old rights and potentially see and Access things no longer allowed in the new position
c) you're building a new little security ecosystem outside of your corporate security
0 -
Management nightmare ...
0 -
Oh without a shadow of a doubt
0 -
Thanks for your insights. If someone changes department, it'll IT 3-4 weeks to remove that person. I can do it immediately even though it's more work on my side. Ideally, our IT should be more efficient but I'm just considering other options.
0 -
Hi ,
You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you
0 -
saketsrv wrote:Hi ,You can use an Oracle table for Database authorization (group/Application Role assignment) by configuring a "BISQLGroupProvider" which removes the dependency for IT Network team to create roles for you
@saketsrv I'd love to hear how that would work. So you're saying that Oracle table would do "group/Application Role assignment"?
0 -
Hi Christian,
What i meant was he can create the groups in the table ,add AD users(BISQLGroupProvider)to that group,create role in EM,assign the role to the group and then he can set the security in analytics as per his requirements. This whole process removes the involvement of any network team.
0 -
If the OP's goal is to make the process faster / less complex then why add the additional step if you can do the same thing directly in Enterprise Manager?
User -> App Roles directly through GUI or WLST
Instead of
User via SQL -> DB table group -> App Roles via GUI or WLST
It also requires a DB table and an additional mechanism of data entry. Plus it even is something you need to deploy on the server in terms of configuration so probably has to go through the whole deployment process in order to have it existing on a productive system, production database etc etc
0