How to prevent a valid LDAP user with no authorization from accessing OBIEE 12.2.1.4.0

Hello Experts,
We have OBIEE 12.2.1.4.0 on Linux. We are using Sun Directory Server as our LDAP server for storing Users & Groups. We have mapped the LDAP Groups to corresponding Application Roles and granted access to catalog objects to these application roles accordingly. We have a situation where we need to deny access to valid LDAP users who have no authorization (who are not members of any reporting LDAP groups) to access the OBIEE system. Currently, anyone who is authenticated is able to get in.
Please advise. Your help is greatly appreciated.
Regards
Rakesh
Answers
-
3822729 wrote: Currently, anyone who is authenticated is able to get in.
How is that possible? If a user isn't a member of a group, it doesn't get any valid application role and therefore it must not be able to get access.
Did you cut the inheritance to "authenticated users"?
Because any user with a valid login/password will get that application role, the default one. By default it has some privileges, but when you set up security you generally cut that link so as not to give authenticated users any privilege or permission, not allowing them to do anything.
Just a warning: do not deny things for that role, as you will lock yourself out! Set up security properly and everything will be fine.
0 -
Hi Gianni
No, we did not cut the inheritance to the authenticated users. We haven't denied anything to the Authenticated User role. We are trying to find a solution where only privileged users (members of specific LDAP groups) can access OBIEE.
Regards
Rakesh
0 -
So there is the first place to look into, standard debugging:
- what roles does a user who is not supposed to get in have?
- why are those roles assigned to that user?
- why are those roles allowed to log in and do things?
Sounds like you aren't in control of your security model now. Look into the model you set up, look into inheritances; you must have an issue there.
There isn't any hidden thing: roles are defined, permissions are defined, inheritance rules are known.
And as said earlier: have a look at the "authenticated user" role, that's often the first issue in a security model that is not well defined.
0 -
Thanks Gianni. Will look into the model to find where we messed up.
0
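The three debugging questions in the thread (which roles a user ends up with, why, and whether those roles grant anything) can be worked through on a small model. This is an added example, not code from the thread or from Oracle; the role names, the LDAP group names and the "authenticated-role" principal name are constructed stand-ins for whatever the real security model contains.

```python
from collections import deque

# Stand-in for the principal that every successfully authenticated user receives.
AUTHENTICATED = "authenticated-role"

# Constructed model: application role -> direct members
# (LDAP groups, the authenticated principal, or other application roles).
DEFAULT_MODEL = {
    "ReportConsumer": {"ldap:reporting_users", "ReportAuthor", AUTHENTICATED},
    "ReportAuthor": {"ldap:reporting_authors"},
}
# Roles that carry any privilege or catalog permission in this model.
PRIVILEGED = {"ReportConsumer", "ReportAuthor"}


def effective_roles(ldap_groups, model):
    """Return {role: chain of principals explaining why the user holds it}."""
    start = {f"ldap:{g}" for g in ldap_groups} | {AUTHENTICATED}
    chains = {p: [p] for p in start}
    queue = deque(sorted(start))
    while queue:
        principal = queue.popleft()
        for role, members in sorted(model.items()):
            if principal in members and role not in chains:
                # Holding a member principal means inheriting the role itself.
                chains[role] = chains[principal] + [role]
                queue.append(role)
    return {r: c for r, c in chains.items() if r in model}


def can_get_in(ldap_groups, model, privileged=PRIVILEGED):
    """True if any inherited role grants privileges or permissions."""
    return any(r in privileged for r in effective_roles(ldap_groups, model))


def cut_authenticated_link(model):
    """Remove the authenticated principal from every role's member list."""
    return {role: members - {AUTHENTICATED} for role, members in model.items()}


if __name__ == "__main__":
    hardened = cut_authenticated_link(DEFAULT_MODEL)
    for groups in ([], ["reporting_users"], ["reporting_authors"]):
        print(groups, "default:", effective_roles(groups, DEFAULT_MODEL))
        print(groups, "hardened:", effective_roles(groups, hardened))
```

The chain returned for a user with no LDAP groups shows the inheritance path that lets them in; after the link is removed (not denied), only group members resolve to a privileged role.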