Want to restrict OBIEE 12c logins to one specific AD group

wjclark
wjclark Rank 1 - Community Starter

We have an OBIEE 12c installation that we would like to lock down so that only members of one certain AD group can access the application URLs.

Right now our authentication provider that was set up is wide open and allows anyone in our company with an AD account to log in. We are controlling what people can see via a Data Security table and the OBIEE roles, but we would like to be able to keep access restricted to a few.

We are trying to do this in preparation for adding an OBIEE shortcut on our SSO page, and we want only those approved users to access it.

I am wondering where on the Provider Specific tab in the settings for my provider I specify the AD user group.

pastedImage_0.png

Thanks

Bill

Answers

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    You just have to change the LDAP queries which pulls the users from the AD.

  • SonPat99
    SonPat99 Rank 6 - Analytics Lead

    Dear User 3468775,

    To elaborate on what Mr. Berg has already said, you will have to create a new AD group in LDAP and add all users whom you want to give access to OBIEE. Refine your queries in the console to pull only users from this newly created group and you are all set.

    pastedImage_0.png

    Mainly you will have to update the USER BASE DN.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Yup. From what he is writing I suppose he has the group already, so getting the query is a simple case of asking the AD team "What's the base DN for users and what's the group?".

  • Martin van Donselaar
    Martin van Donselaar Rank 6 - Analytics Lead

    At the very least you should remove authenticated-role from the BI Consumer Role to restrict login access to only users with BI Roles instead of anyone who has access to the LDAP.

  • wjclark
    wjclark Rank 1 - Community Starter

    Thank you all. I just want to confirm that I am understanding correctly. I have the DN for my group: CN=IT-OBIEE-Users,OU=Security Groups,DC=win,DC=*****,DC=com

    I just need to replace the DC=win,DC=******,DC=com that is set as the user base DN in the settings with the DN for my group.

    Thanks again.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    Yes

  • SonPat99
    SonPat99 Rank 6 - Analytics Lead

    There are two sections (see screenshot from previous reply):

    USER BASE DN

    GROUP BASE DN

    Please modify these sections with appropriate values.

  • SonPat99
    SonPat99 Rank 6 - Analytics Lead

    Please mark the thread as answered if your question has been answered so that other users can benefit.
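
An added example, not part of the original thread: a small Python model of how the search base and a `memberOf` clause decide which AD entries an LDAP authenticator can find for a login. The directory entries, user names and the `example` domain component (the thread's is redacted) are constructed, and the filter is written for WebLogic's `User From Name Filter` field with its `%u` placeholder, which is an assumption about where the clause would go.

```python
"""Added example: constructed directory, not data from the thread."""
ROOT = "DC=win,DC=example,DC=com"  # 'example' stands in for the redacted domain
GROUP_DN = "CN=IT-OBIEE-Users,OU=Security Groups," + ROOT

# Constructed entries: users live in an OU; the group is a separate leaf entry.
DIRECTORY = {
    "CN=Alice A,OU=Staff," + ROOT: {
        "objectClass": "user", "sAMAccountName": "alice", "memberOf": [GROUP_DN]},
    "CN=Bob B,OU=Staff," + ROOT: {
        "objectClass": "user", "sAMAccountName": "bob", "memberOf": []},
    GROUP_DN: {"objectClass": "group", "member": ["CN=Alice A,OU=Staff," + ROOT]},
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    out = value.replace("\\", "\\5c")  # backslash first, so later escapes survive
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, code)
    return out

def user_from_name_filter(group_dn):
    """Filter text that matches login %u only for direct members of group_dn."""
    return "(&(sAMAccountName=%u)(objectClass=user)(memberOf={}))".format(
        escape_filter_value(group_dn))

def find_user(base_dn, login, required_group=None):
    """Model a subtree search: user entries at or below base_dn matching login."""
    hits = []
    base = base_dn.lower()
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower() == base or dn.lower().endswith("," + base)
        is_user = attrs["objectClass"] == "user" and attrs.get("sAMAccountName") == login
        in_group = required_group is None or required_group in attrs.get("memberOf", [])
        if in_scope and is_user and in_group:
            hits.append(dn)
    return hits

if __name__ == "__main__":
    print(user_from_name_filter(GROUP_DN))
    for login in ("alice", "bob"):
        print(login, "| root base, no group clause:", bool(find_user(ROOT, login)))
        print(login, "| group DN as search base:   ", bool(find_user(GROUP_DN, login)))
        print(login, "| root base + memberOf:      ", bool(find_user(ROOT, login, GROUP_DN)))
```

A plain `memberOf` clause matches direct members only; nested group membership in AD needs the matching rule `1.2.840.113556.1.4.1941`.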