Row-Level Security, OBIEE Privileges, and Data Filtering

Hi,
We're trying to implement row-level security on several tables by setting a data filter on the user's role. The filtering works correctly for Consumer and Author roles; however, users with an Administrator role appear to bypass the data filter completely. Is there a way to force the data filter to apply to administrators?
We're on OBIEE 11.1.1.9.0.
Thanks!
Answers
-
In the RPD, GRANT is stronger than DENY. So if you have conflicting rules because someone has Author and Admin, then he will get the MOST PERMISSIVE rights. Not the most restrictive!
0 -
So are you waiting for more input now? It's all about designing a robust security solution which includes all aspects and roles including Admin.
Actually, @Gianni Ceresa and I just presented this at UKOUG on Monday: http://www.slideshare.net/GianniCeresa/obiee-security-its-a-jungle-out-there
0 -
Sorry. Multiple fires today.
So, let me see if I understand, even when the data filter is applied to multiple roles, Administrators bypass the data filter?
For example:
Administrator_Role_A is a member of Author_Role_A, and Author_Role_A is a member of Consumer_Role_A.
Administrator_Role_B is a member of Author_Role_B, and Author_Role_B is a member of Consumer_Role_B.
User_1 is a member of Author_Role_A.
User_2 is a member of Administrator_Role_A.
User_3 is a member of Consumer_Role_A, and a member of Author_Role_B.
User_4 is a member of Author_Role_A, and a member of Administrator_Role_B.
In Analytics' privileges, Consumer_Role_A is granted permission to Subject Area A, and Authenticated User is denied.
Also in Analytics' privileges, Consumer_Role_B is granted permission to Subject Area B, and Authenticated User is denied.
In the RPD, Administrator_Role_A, Author_Role_A, and Consumer_Role_A have Read access to Subject Area A.
In the RPD, Administrator_Role_A, Author_Role_A, and Consumer_Role_A have No access to Subject Area B.
In the RPD, Administrator_Role_B, Author_Role_B, and Consumer_Role_B have Read access to Subject Area B.
In the RPD, Administrator_Role_B, Author_Role_B, and Consumer_Role_B have No access to Subject Area A.
In Identity Manager, there is a data filter that controls what data can be seen in a table in Subject Area A. The data filter is applied to the business model.
When the data filter is applied to Administrator_Role_A, Author_Role_A, and Consumer_Role_A:
- In Analytics, the data filter is effective for User_1.
- In Analytics, the data filter is effective for User_3.
- In Analytics, the data filter is ineffective for User_2.
- In Analytics, the data filter is ineffective for User_4.
When the data filter is applied to Administrator_Role_A, Author_Role_A, Consumer_Role_A, Administrator_Role_B, Author_Role_B, and Consumer_Role_B:
- In Analytics, the data filter is effective for User_1.
- In Analytics, the data filter is effective for User_3.
- In Analytics, the data filter is ineffective for User_2.
- In Analytics, the data filter is ineffective for User_4.
Based on my testing, it seems as if Administrators bypass data filters (???).
I know everyone is busy. Thank you, Christian!
Chad
0 -
3007432 wrote: In Analytics' privileges, Consumer_Role_A is granted permission to Subject Area A, and Authenticated User is denied. Also in Analytics' privileges, Consumer_Role_B is granted permission to Subject Area B, and Authenticated User is denied.
Ok so this --^ has nothing to do with data access rights. It's just about the basic right to access the SA.
3007432 wrote: In the RPD, Administrator_Role_A, Author_Role_A, and Consumer_Role_A have Read access to Subject Area A. In the RPD, Administrator_Role_A, Author_Role_A, and Consumer_Role_A have No access to Subject Area B. In the RPD, Administrator_Role_B, Author_Role_B, and Consumer_Role_B have Read access to Subject Area B. In the RPD, Administrator_Role_B, Author_Role_B, and Consumer_Role_B have No access to Subject Area A.
One more detail question: What is the default setting? What does AuthenticatedUser have for example? I assume all of your users are also part of the AuthenticatedUser, right? If that one is set to "Read" then that wins. As I said - in the RPD "Read" wins.
0 -
Was just chatting with Christian about this case and we both ended up at the point of "authenticated user" on the subject area in the RPD, so give this one a try first.
It's a bit annoying as the "default" permission works in 2 different ways in the presentation layer and so at the subject area level "authenticated user" is really important.
0 -
@Christian Berg & @Gianni Ceresa I hadn't looked at Authenticated User . . . I'll test over the weekend and update the question with my results.
0 -
Read you Monday
0 -
Hi!
Unfortunately, here's the set-up for the Authenticated User and the roles that have the data filter applied.
All three roles have the same access level, and the Authenticated User is set to "No Access" . . . Any suggestions?
Thanks!
0 -
You got custom roles there. Is there still any inheritance left between those custom ones and the vanilla ones?
0 -
Not that I can see . . . I'm not sure if this would be impactful, but we do "Create Like" the vanilla roles for both the application roles and the associated policies.
0
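
Added example, not part of any post above and not OBIEE code: a small Python model of the role layout from Chad's post. It resolves inherited role membership, applies the "Read wins" rule described in the answers, and lists the effective roles that grant Read on a subject area without carrying the data filter. Vanilla_Admin_Role is a hypothetical stand-in for a stock role, and all function names are invented for this sketch.

```python
# Added example: constructed model of the thread's role layout, not OBIEE code.
MEMBER_OF = {
    "Administrator_Role_A": {"Author_Role_A"},
    "Author_Role_A": {"Consumer_Role_A"},
    "Administrator_Role_B": {"Author_Role_B"},
    "Author_Role_B": {"Consumer_Role_B"},
    "User_1": {"Author_Role_A"},
    "User_2": {"Administrator_Role_A"},
    "User_3": {"Consumer_Role_A", "Author_Role_B"},
    "User_4": {"Author_Role_A", "Administrator_Role_B"},
}
ROLES_A = {"Administrator_Role_A", "Author_Role_A", "Consumer_Role_A"}
ROLES_B = {"Administrator_Role_B", "Author_Role_B", "Consumer_Role_B"}
# RPD object permissions from the thread; anything unlisted is "No Access".
RPD_READ = {"Subject Area A": set(ROLES_A), "Subject Area B": set(ROLES_B)}


def effective_roles(principal, member_of=MEMBER_OF):
    """Transitive closure of role membership, plus the implicit AuthenticatedUser."""
    seen, stack = set(), [principal]
    while stack:
        for role in member_of.get(stack.pop(), ()):
            if role not in seen:  # also guards against membership cycles
                seen.add(role)
                stack.append(role)
    return seen | {"AuthenticatedUser"}


def has_read(user, area, rpd_read=RPD_READ, member_of=MEMBER_OF):
    """Most-permissive resolution as stated in the thread: any Read wins."""
    return bool(effective_roles(user, member_of) & rpd_read.get(area, set()))


def unfiltered_read_roles(user, area, filtered, rpd_read=RPD_READ, member_of=MEMBER_OF):
    """Effective roles that grant Read on `area` but carry no data filter."""
    granting = effective_roles(user, member_of) & rpd_read.get(area, set())
    return sorted(granting - set(filtered))


def with_leftover_inheritance():
    """Hypothetical: the custom admin role still inherits a stock role with Read."""
    member_of = {**MEMBER_OF, "Administrator_Role_A":
                 MEMBER_OF["Administrator_Role_A"] | {"Vanilla_Admin_Role"}}
    rpd_read = {**RPD_READ, "Subject Area A": ROLES_A | {"Vanilla_Admin_Role"}}
    return unfiltered_read_roles("User_2", "Subject Area A", ROLES_A, rpd_read, member_of)
```

For the layout exactly as posted, `unfiltered_read_roles("User_2", "Subject Area A", ROLES_A)` is empty; an unfiltered Read path only appears in this model once a leftover inherited role or a Read grant on AuthenticatedUser is added.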