Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 17 Oracle Analytics Lounge
- 218 Oracle Analytics News
- 44 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 81 Oracle Analytics Trainings
- 15 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
OBIEE Security - Anyway to allow end users to self manage?
So our OBIEE user population is generally small - my group would get an access request maybe a few times a month usually.
Currently we use LDAP to authenticate, and then through enterprise manager we assign users to a security group, which then gets mapped to a security role. All good so far
We have a new group of users that are aiming to use OBIEE for their reporting needs. The twist though, is that they also want to self govern their own users.
As I mentioned, traditionally an admin would log into EM to set up the appropriate security. But in EM, we of course have a lot of other functionality, such as starting and stopping the services - And we of course dont want to give this ability out willy nilly.
I know theres a few places that we can control security, such as in the RPD, enterprise manager, weblogic console or the presentation services (analytics) itself.
But we definitely dont want to give a non technical person access to the RPD, EM or the WLC, unless we can restrict sections of these items which I have not seen before. Now with the presentation services, we 'may' be able to allow people the ability to manage folders they own to allow access. But I can see this becoming a real mess real fast. And an end user would still need to be authenticated first, before even getting to be authorized for areas of the presentation services.
Perhaps Im rambling, but just curious has anyone implemented OBIEE where it allows end users to self govern access?
If so, how did you go about doing it?
Thanks in advance
Answers
-
As you use LDAP for user authenticaction, user management is therefore external to Weblogic.
You just need to map an LDAP group to a Weblogic application role. The Application Role should be set up to gi users all the access they need.
This way, the new user group would need a user who has access to LDAP that can add/remove LDAP users to/from the LDAP group that has been mapped to the Weblogic application role.
The weblogic admin console and enterprise manager aren’t for standard users so if for example, they need a modification to the access the LDAP group requires, then that needs to be managed by a central admin team.
0 -
chillychin wrote:Currently we use LDAP to authenticate, and then through enterprise manager we assign users to a security group, which then gets mapped to a security role. All good so far
In Enterprise Manager you assign users to application roles. You don't assign users to groups there. Users/Group assignment happens in the LDAP.
chillychin wrote: Perhaps Im rambling, but just curious has anyone implemented OBIEE where it allows end users to self govern access?
Everything you do in EM is just one thing: A GUI on top of WLST commands so that means you can potentially build your own GUI on top of those same commands.
BUT
That "new custom security GUI" obviously needs to have the same level of administrative access - i.e. a weblogic-like level of access and you need to grnat that to your "security admin users". And also whenever anything changes in the real product you need to update your custom security solution.
OR
You could use a SQL Authenticaotr in the WLS security realm and have scripts which create new application roles based on any new security group which you create in the tables used by the SQL authenticator.
Long story short: there are ways but if you aren't 100% sure of what you're doing and what they will be doing, then it's probably a bad idea. Security is a non-trivial topic.
0 -
"is that they also want to self govern their own users." = shadow-team = enterprise additional costs and risk
0 -
@chillychin Did you just give up on this thread?
0 -
Trans: the lunatics running the asylum....
0 -
Many thanks for all the replies
Generally the gist that I got is
- Is it possible to let users self govern security? Yes
-Is it easy/common place to do this sort of thing? No
I will have to have a chat with my manager to explain all of this - My team recently got merged into another team, and thus there are a lot of questions regarding what can OBIEE do and can not do. So I got tied up and finally am back.
Again many thanks for the replies, its much appreciated.
0 -
You forgot; -
- is it wise to allow users to self-manage security - No
- will it wind up in a mess which will take some rectifying by IT at a later date - Yes
0 -
chillychin wrote:
there are a lot of questions regarding what can OBIEE do and can not doBasically: trust nothing your integrator says and come here first to ask confirmation ;-)
And re security and what Robert just added - let me add this: In terms of compliance and topics like the european GDPR it is pretty much legal suicide to let users do that.
0 -
It's a governance nightmare let alone the management complications
0
