OBIEE 12C Security

Hello All,
I need some tips on this issue. Please guide.
We have LDAP implemented with OBIEE 12C. We have a group called ASGUsers in which there are around 10k users. We have other groups called county, state and national. The users who are in county should see only county data, and similarly for the state and national groups.
Most of the users who are in the ASG group have the consumer role and are able to see all the dashboards; these users are not in any of the county, state or national groups. So if we set denied access on the ASGUsers group, it even blocks dashboard view access for the county, state and national groups.
I even tried to copy some of the users from the ASGUsers group to the county, state and national groups and to block the ASGUsers group, but no use. Please guide how to overcome this issue.
Answers
-
OBIEE Security: It’s a Jungle Out There <<-- Funny how many security questions come up just after I've presented this with @Gianni Ceresa
Basically: Don't use DENY since that wins over GRANT in the front-end (RPD is the other way around). And separate your access control. Don't start mixing functional permissions with content permissions (webcat objects) with data permissions. Those are 3 different things.
0 -
We are not blocking anything in RPD. We are trying to block data permissions to the groups. I have gone through your document but don't see the info I am looking for.
0 -
user12058206 wrote:..."trying to block data permissions to the groups"...
1.) Data access control, content control and functional permissions are ALL based on Application Roles, not Groups. Groups are authentication entities which get translated into Application Roles in Enterprise Manager.
2.) Data filtering should always happen in the RPD. If you're doing it in the front-end then you have to repeat it every single time you create a new object or are forced to include predefined filters in each object (which isn't much different as it is equally unhelpful). Always think and design reusable.
3.) If security was something you could answer with a half-line response here in the forum then it would be about 100 times less capable. You will need to make an effort on your side to actually grasp these concepts.
0 -
Hi,
Maybe show us what you've done so far, with some screenshots.
0
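
The replies above say that in the front-end an explicit DENY wins over a GRANT, and that permissions hang on application roles rather than on LDAP groups. As an added example (not code from the thread or from Oracle), this simplified Python model shows why denying the role mapped from ASGUsers also locks out county users, and how a grant-only ACL avoids it. The role names, the sample users and the assumption that county users are also members of ASGUsers are constructed for illustration.

```python
# Simplified model of front-end (catalog) permission resolution as described
# in the thread: any explicit DENY on one of the user's roles beats every GRANT.
# Role names and the group-to-role mapping are hypothetical.
GROUP_TO_ROLE = {
    "ASGUsers": "ConsumerRole",
    "county": "CountyRole",
    "state": "StateRole",
    "national": "NationalRole",
}

# Constructed sample users: LDAP group memberships only.
USERS = {
    "county_user": ["ASGUsers", "county"],  # assumption: also in ASGUsers
    "plain_user": ["ASGUsers"],
}

def roles_for(groups):
    """Translate LDAP groups into application roles."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}

def decisions(acl, groups):
    """Collect the ACL entries that apply to this user's roles."""
    return {acl[r] for r in roles_for(groups) if r in acl}

def can_open(acl, groups):
    """Deny-overrides: one DENY blocks access; otherwise a GRANT is needed."""
    found = decisions(acl, groups)
    return "DENY" not in found and "GRANT" in found

def audit(acl, users):
    """Effective access for every user on one catalog object."""
    return {name: can_open(acl, groups) for name, groups in users.items()}

def shadowed_grants(acl, users):
    """Users who hold a GRANT that an inherited DENY silently cancels."""
    return sorted(n for n, g in users.items()
                  if decisions(acl, g) >= {"GRANT", "DENY"})

# ACL as the poster set it up: deny the broad role, grant the narrow one.
ACL_WITH_DENY = {"ConsumerRole": "DENY", "CountyRole": "GRANT"}
# Grant-only ACL: the broad role simply has no entry on the object.
ACL_GRANT_ONLY = {"CountyRole": "GRANT"}

if __name__ == "__main__":
    print("with DENY :", audit(ACL_WITH_DENY, USERS))
    print("grant only:", audit(ACL_GRANT_ONLY, USERS))
    print("shadowed  :", shadowed_grants(ACL_WITH_DENY, USERS))
```
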