Forum Stats

  • 3,853,690 Users
  • 2,264,255 Discussions
  • 7,905,433 Comments

Discussions

Integration Siebel CRM with OBIEE - security

Hi Experts,

We have created reports using OBIEE 10.1.3.4.1 from Siebel CRM (8.1.1) OLTP. The OBIEE dashboard is also embedded in Siebel CRM.

Here in CRM, Positions and Responsibility is created based on which the CRM users have access restrictions to different views and Data in CRM.

LDAP is being used for user authentication

My question.

Without creating same CRM users in OBIEE how can I implement the same access control to the OBIEE reports as that in Siebel CRM. – same database is used by CRM and OBIEE

I got some documentation on OBIA, where the same access restrictions can be implemented as that of in CRM without maintaining the users in OBIEE.

We are not using OBIA. So is there anyway Siebel CRM can be integrated with OBIEE for access control.

Thanks,
Surath

Edited by: user8681498 on Sep 17, 2009 1:31 AM

Answers

  • mod100
    mod100 Member Posts: 282
    Hi,

    The way that OBIA uses Siebel security is very simple. It runs some SQL against the Siebel database to get all the responsibilities of the current user and puts them in the session variable GROUP via row-wise initialisation i.e. SELECT 'GROUP', responsibility.name from ..... (I'm not going to put the SQL in here as you don't have the apps so not sure about restrictions). The end result of this is that the user will now belong to any groups defined in OBIEE which have exactly the same name as the responsibilities they have in Siebel. Access can then be restricted by group and you haev the same object level security as in Siebel.

    It should be pretty simple for you to recreate the above in your non apps OBIEE environment.

    Regards,

    Matt
  • 719036
    719036 Member Posts: 4
    Dear Matt,

    Thanks for your reply. So what I understand is we need to create the groups in OBIEE same as the ‘Responsibilities’ in CRM.

    But in CRM ‘Responsibility’ is for view access and ‘Position’ is for Data access control.

    Now will you please confirm where the Groups in OBIEE should be same as ‘Responsibility’ or ‘Positions’ in CRM?

    Also, what about the USERs? Do I need to create same user in OBIEE again after they are being created in CRM?

    I really appreciate your help.

    Thanks,
    Surath
  • mod100
    mod100 Member Posts: 282
    edited Sep 21, 2009 2:29AM
    Hi,

    In OBIEE groups are responsible for object level security i.e. who can see what objects, and are also responsible for setting the filters on objects which control data level security. So if you are a memer of the group "Group 1" then you will have access to the objects (i.e. presentation tables, dashboards, shared folders etc) that the group can see, and you will also have any data filters for that group (in Manage -> Security, double click on the group and then hit the permissions button and go to the filters tab) applied when you try to access a table with filters set on it.

    To then get data level security you need to think about what you want to implement, as in Siebel there are many different levels, i.e. SalesRep, Organization, Sub-Organization etc. For any of these you will need to use an initialisation block to get the appropriate value(s) from the Siebel database for the current user and store them in a session variable. For instance, assume you want to implement Primary-Organization based security, you would need to build an initialisation block which returns all Org Ids for the current user and stores them row-wise in a variable for example ORGANIZATIONS. In the ETL you would need to make sure that the primary org id for the record being loaded is stored on it in the data warehouse. Then you would create a filter for a group with something like this:

    Core."Dim - Opportunity".BU_ID = VALUEOF(NQ_SESSION."ORGANIZATION")

    So that when a user tried to access data from "Dim - Opportunity" some SQL would be added to the end of the request like this:

    AND W_OPTY_D.BU_ID IN ('0','1','2','3');

    As far as user goes, there is no need to create the user in the RPD, just use an authentication initialisation block to authenticate them directly against the Siebel database instead.

    Finally, to confirm the groups in OBIEE can be anything you want I was just telling you how Oracle do it in OBIA, which is to make them exactly the same as the repsonsibility name, and then use some SQL to get all the user's responsibilities from the Siebel database.

    Is there some reason you don't just licence the apps, trying to recreate the functionality that NQuire, Siebel and then Oracle have been incrementally working and improving upon over the last 10 years is going to be a tall order.

    Regards,

    Matt
    mod100
This discussion has been closed.