OBIEE Security - Anyway to allow end users to self manage? — Oracle Analytics

Oracle Analytics Cloud and Server

Home Oracle Analytics Oracle Analytics Forums Oracle Analytics Cloud and Server Oracle Analytics Cloud and Server

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

OBIEE Security - Anyway to allow end users to self manage?

Received Response
51
Views
9
Comments
chillychin
chillychin Rank 6 - Analytics Lead
edited Aug 13, 2024 5:38PM in Oracle Analytics Cloud and Server

So our OBIEE user population is generally small - my group would get an access request maybe a few times a month usually.

Currently we use LDAP to authenticate, and then through enterprise manager we assign users to a security group, which then gets mapped to a security role. All good so far

We have a new group of users that are aiming to use OBIEE for their reporting needs. The twist though, is that they also want to self govern their own users.

As I mentioned, traditionally an admin would log into EM to set up the appropriate security. But in EM, we of course have a lot of other functionality, such as starting and stopping the services - And we of course dont want to give this ability out willy nilly.

I know theres a few places that we can control security, such as in the RPD, enterprise manager, weblogic console or the presentation services (analytics) itself.

But we definitely dont want to give a non technical person access to the RPD, EM or the WLC, unless we can restrict sections of these items which I have not seen before. Now with the presentation services, we 'may' be able to allow people the ability to manage folders they own to allow access. But I can see this becoming a real mess real fast. And an end user would still need to be authenticated first, before even getting to be authorized for areas of the presentation services.

Perhaps Im rambling, but just curious has anyone implemented OBIEE where it allows end users to self govern access?

If so, how did you go about doing it?

Thanks in advance

Answers

  • Joel
    Joel Rank 8 - Analytics Strategist

    As you use LDAP for user authenticaction, user management is therefore external to Weblogic.

    You just need to map an LDAP group to a Weblogic application role. The Application Role should be set up to gi users all the access they need.

    This way, the new user group would need a user who has access to LDAP that can add/remove LDAP users to/from the LDAP group that has been mapped to the Weblogic application role.

    The weblogic admin console and enterprise manager aren’t for standard users so if for example, they need a modification to the access the LDAP group requires, then that needs to be managed by a central admin team. 

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner 
    chillychin wrote:Currently we use LDAP to authenticate, and then through enterprise manager we assign users to a security group, which then gets mapped to a security role. All good so far    

    In Enterprise Manager you assign users to application roles. You don't assign users to groups there. Users/Group assignment happens in the LDAP.

    chillychin wrote: Perhaps Im rambling, but just curious has anyone implemented OBIEE where it allows end users to self govern access?

    Everything you do in EM is just one thing: A GUI on top of WLST commands so that means you can potentially build your own GUI on top of those same commands.

    BUT

    That "new custom security GUI" obviously needs to have the same level of administrative access - i.e. a weblogic-like level of access and you need to grnat that to your "security admin users". And also whenever anything changes in the real product you need to update your custom security solution.

    OR

    You could use a SQL Authenticaotr in the WLS security realm and have scripts which create new application roles based on any new security group which you create in the tables used by the SQL authenticator.

    Long story short: there are ways but if you aren't 100% sure of what you're doing and what they will be doing, then it's probably a bad idea. Security is a non-trivial topic.

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    "is that they also want to self govern their own users." = shadow-team = enterprise additional costs and risk

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    @chillychin Did you just give up on this thread?

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    Trans: the lunatics running the asylum.... 

  • chillychin
    chillychin Rank 6 - Analytics Lead

    Many thanks for all the replies

    Generally the gist that I got is

    - Is it possible to let users self govern security? Yes

    -Is it easy/common place to do this sort of thing? No

    I will have to have a chat with my manager to explain all of this - My team recently got merged into another team, and thus there are a lot of questions regarding what can OBIEE do and can not do. So I got tied up and finally am back.

    Again many thanks for the replies, its much appreciated.

  • Robert Angel
    Robert Angel Rank 8 - Analytics Strategist

    You forgot; -

    - is it wise to allow users to self-manage security - No

    - will it wind up in a mess which will take some rectifying by IT at a later date - Yes

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner 
    chillychin wrote:
    there are a lot of questions regarding what can OBIEE do and can not do

    Basically: trust nothing your integrator says and come here first to ask confirmation ;-)

    And re security and what Robert just added - let me add this: In terms of compliance and topics like the european GDPR it is pretty much legal suicide to let users do that.

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    It's a governance nightmare let alone the management complications