OAS Access Provisioning

Question

I am new to OAS had have been asked to evaluate the product in terms of User security and Access provisioning I had few questions on what is a good approach

* Can we create Provider group with the Organizations LDAP (not the WL embedded one) and then use a group from LDAP to control the access ie roles in doing so , we dont have to manage anything in Weblogic ie assigning the user a role or group?
* Or use WLT command line to manage the groups /roles within Weblogic and not use LDAP
* Any Other way

Ram-Oracle · Accepted Answer

@User_AAYSI

Welcome to the Oracle Analytics Community

Yes.we can configure Orgnization LDAP in OAS wls console.Please refer below documentation related to OID and Microsoft LDAP as external ldap providers.

https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/configue-oracle-analytics-server-use-alternative-authentication-providers.html#GUID-3F6BCB38-B1CC-4F95-88FF-25BA2E4FFB18

Thank you For posting query in Oracle Analytics Forum.

Ram-Oracle · Accepted Answer

Please create a group as an example , financeanalyst in external ldap

Add required users in ldap to the group financeanalyst

in oas ,map financeanalyst to roles such as biauthor

All members of the group automatically get biauthor permissions.

Gianni Ceresa · Accepted Answer

As said earlier by Ram, you can use your LDAP groups in OAS. But you still need to make a mapping job in OAS itself (Fusion Middleware EM, or via WLST scripts). Because the security in OAS is based on application roles, therefore you still need to map your LDAP groups to application roles at some point.

What you can do is to make that step "transparent". You define all the application roles you need to configure your security model. You create a group in your LDAP for each one of these application roles, and you do the mapping of your LDAP groups as members of the application roles (a 1-to-1 mapping).

From there you can then work only in your LDAP, adding users or groups as members of the groups that are a 1-to-1 representation of the application roles. If you don't want to work too much in FMW EM or WSLT scripts, this kind of solution is the best deal because you don't have to do much in there: a simple 1-to-1 mapping with a LDAP group representing the application role. And from there you control memberships to those app roles (which have an equivalent group) in your LDAP. And at the same time you have these application roles in OAS to be used to define security as you need.