How to prevent a valid LDAP user with no authorization from accessing OBIEE 12.2.1.4.0

Question

Hello Experts,

We have OBIEE 12.2.1.4.0 on Linux.  we are using Sun Directory Server as our LDAP server for storing Users & Groups. we have mapped the LDAP Groups to corresponding Application Roles and granted access to catalog  objects to these application roles accordingly.  We have a situation where we need to deny access to valid LDAP users who have no authorization(who are not a member of any reporting LDAP groups) to access OBIEE system. Currently, anyone who is authenticated is able to get in .

Please advise. Your help is greatly appreciated.

Regards

Rakesh

3822729 · Answer

Thanks Gianni. will look into the model to find where we messed up.

Gianni Ceresa · Answer

So there is the first place to look into, standard debugging:

- what roles do a user not supposed to get in have?

- why those roles are assigned to that user?

- why those roles are allowed to login and do things?

Sounds like you aren't in control of your security model now, look into the model you setup, look into inheritances, you must have an issue there.

There isn't any hidden thing: roles are defined, permissions are defined, inheritance rules are known.

And as said early: have a look at the "authenticated user" role, that's often the first of issues in a security model not well defined.

3822729 · Answer

Hi Gianni

No, we did not cut the inheritance to the authenticated users. We haven't denied anything to the Authenticated User role. We are trying to find a solution where only privileged users(member of specific LDAP groups) can access OBIEE.

Regards

Rakesh