As you use LDAP for user authentication, user management is therefore external to Weblogic.
You just need to map an LDAP group to a Weblogic application role. The Application Role should be set up to give users all the access they need.
This way, the new user group would need a user who has access to LDAP that can add/remove LDAP users to/from the LDAP group that has been mapped to the Weblogic application role.
The weblogic admin console and enterprise manager aren’t for standard users so if for example, they need a modification to the access the LDAP group requires, then that needs to be managed by a central admin team.
Currently we use LDAP to authenticate, and then through enterprise manager we assign users to a security group, which then gets mapped to a security role. All good so far
In Enterprise Manager you assign users to application roles. You don't assign users to groups there. Users/Group assignment happens in the LDAP.
Perhaps I'm rambling, but just curious, has anyone implemented OBIEE where it allows end users to self govern access?
Everything you do in EM is just one thing: A GUI on top of WLST commands so that means you can potentially build your own GUI on top of those same commands.
That "new custom security GUI" obviously needs to have the same level of administrative access - i.e. a weblogic-like level of access and you need to grant that to your "security admin users". And also whenever anything changes in the real product you need to update your custom security solution.
You could use a SQL Authenticator in the WLS security realm and have scripts which create new application roles based on any new security group which you create in the tables used by the SQL authenticator.
Long story short: there are ways but if you aren't 100% sure of what you're doing and what they will be doing, then it's probably a bad idea. Security is a non-trivial topic.
"is that they also want to self govern their own users." = shadow-team = enterprise additional costs and risk
Trans: the lunatics running the asylum....
Many thanks for all the replies
Generally the gist that I got is
- Is it possible to let users self govern security? Yes
- Is it easy/commonplace to do this sort of thing? No
I will have to have a chat with my manager to explain all of this - My team recently got merged into another team, and thus there are a lot of questions regarding what can OBIEE do and can not do. So I got tied up and finally am back.
Again many thanks for the replies, it's much appreciated.
You forgot; -
- is it wise to allow users to self-manage security - No
- will it wind up in a mess which will take some rectifying by IT at a later date - Yes
there are a lot of questions regarding what can OBIEE do and can not do
Basically: trust nothing your integrator says and come here first to ask confirmation ;-)
And re security and what Robert just added - let me add this: In terms of compliance and topics like the European GDPR it is pretty much legal suicide to let users do that.
It's a governance nightmare let alone the management complications