
Object and Data Level Security

Security Authentication and Authorization


Business Challenges
- Only qualified people should have access rights to the Oracle BI application.
- Data needs to be protected so that only authorized users can access sensitive information.
- Users should automatically see the information that is relevant to their roles.

Oracle BI Security
Oracle BI Security:
- Provides the ability to authenticate users at logon.
- Controls user access to data.
- Enforces access control at the object level and at the data level.

Authentication
Authentication is the process by which a system verifies (with a user ID and password) that a user has the necessary permissions and authorizations to log on and access data. Oracle BI Server authenticates each connection request that it receives. By default, authentication is Oracle BI Server authentication.

Types of Authentication
1. Oracle BI Server Authentication (internal authentication; the default method used for authentication)
2. Third-party tool authentication
   o LDAP (Lightweight Directory Access Protocol)
   o ADSI (Microsoft Active Directory)
3. Custom authentication: creating user names and passwords in a database table is called custom authentication.

Security Manager
Security Manager is a utility in the Administration Tool that displays all the security information for a repository.
- Security Manager provides options for defining users and repository groups.
- Groups allow membership to users and other groups:
  o Simplifies administration of a large number of users
  o Provides a set of security attributes
Go to Manage > Security to open Security Manager.


Creating User
User accounts can be defined explicitly in:
  o An Oracle BI Server repository
  o An external source (such as a database table or an LDAP server)
Users must be authenticated by Oracle BI Server for a session to take place.
Use Security Manager in the Administration Tool to create a user in the repository. In the Security Manager, select Action > New > User, or select Users in the left pane, right-click in the white space of the right pane, and select New User. Enter the name, password, logging level (usually 1 or 2) and group membership (the groups the user belongs to) for the user.
Group Membership: You can grant rights to the user individually, through groups, or a combination of the two. To grant membership in a group, select as many groups as you want the user to be a part of in the Group Membership portion of the dialog box. Groups must already be defined to appear here.


Creating Group
A combination of users is called a group. A group may contain individual users or another group. Use Security Manager to create groups and then grant membership in them to users or other groups. You can create an unlimited number of groups in a repository. Each group can contain:
  o Explicitly granted privileges (perform/permissions)
  o Implicitly granted privileges through membership in another group
In the Security Manager, select Action > New > Group, or select Groups in the left pane, right-click the right pane, and select New Security Group.

Administrators Group
Oracle BI Server has one predefined group, the Oracle BI Server Administrators group. Members of this group have the authority to access and modify any object in a repository. Any user who is a member of the Administrators group has all the privileges of the Administrator user.

Group Inheritance
Users can have explicitly granted privileges. They can also have privileges granted through membership in groups, which in turn can have privileges granted through membership in other groups, and so on. (Example: User1 has explicit privileges for Table B and Table C.)
- Privileges granted explicitly (directly) to a user take precedence over privileges granted through groups.
- Privileges granted explicitly to a group take precedence over any privileges granted through other groups.
- If security attributes conflict, a user or group is granted the least restrictive security attribute.

From the diagram (not reproduced here), the total privileges granted to User1 are READ access for TableA, TableB, and TableC.
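Added example (not from this course material): a small Python model of the three precedence rules just stated, so the User1 outcome can be checked mechanically. It assumes the rules exactly as written above (explicit user permission beats anything inherited, a group's explicit permission beats what it inherits from parent groups, conflicting inherited values resolve to the least restrictive); the users, groups and table names are constructed, and actual product behaviour should be confirmed in the Administration Tool.

```python
from typing import Optional

# A repository object permission is either Read or No Access.
READ, NO_ACCESS = "Read", "No Access"


class Principal:
    """A repository user or group (constructed model, not the product's API).

    perms  : explicit (directly granted) permissions, object name -> Read / No Access
    groups : groups this principal is a direct member of
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.perms: dict[str, str] = {}
        self.groups: list["Principal"] = []


def least_restrictive(values: list[str]) -> Optional[str]:
    """When inherited attributes conflict, the least restrictive one wins."""
    if not values:
        return None
    return READ if READ in values else NO_ACCESS


def effective_permission(p: Principal, obj: str,
                         _seen: frozenset = frozenset()) -> Optional[str]:
    """Resolve p's permission on obj using the rules from the text:
    1. an explicit permission on p itself takes precedence over anything inherited;
    2. otherwise each direct group is resolved the same way, so a group's own
       explicit permission beats what it inherits from its parent groups;
    3. conflicting inherited values resolve to the least restrictive.
    _seen guards against an accidental membership cycle.
    """
    if obj in p.perms:
        return p.perms[obj]
    seen = _seen | {p.name}
    inherited = []
    for g in p.groups:
        if g.name in seen:
            continue
        v = effective_permission(g, obj, seen)
        if v is not None:
            inherited.append(v)
    return least_restrictive(inherited)


def build_example() -> dict[str, Optional[str]]:
    """Constructed scenario mirroring the User1 case: explicit Read on TableB
    and TableC, Read on TableA reached only through conflicting groups."""
    group_a = Principal("GroupA")
    group_a.perms["TableA"] = READ
    parent = Principal("ParentGroup")
    parent.perms["TableB"] = READ
    group_b = Principal("GroupB")
    group_b.perms["TableA"] = NO_ACCESS
    group_b.perms["TableB"] = NO_ACCESS
    group_b.groups.append(parent)      # GroupB's explicit No Access beats ParentGroup's Read
    user1 = Principal("User1")
    user1.perms.update({"TableB": READ, "TableC": READ})
    user1.groups.extend([group_a, group_b])
    user2 = Principal("User2")
    user2.perms["TableA"] = NO_ACCESS  # an explicit denial is not overridden by GroupA's Read
    user2.groups.append(group_a)
    return {
        "User1/TableA": effective_permission(user1, "TableA"),  # Read vs No Access -> Read
        "User1/TableB": effective_permission(user1, "TableB"),  # explicit Read wins
        "User1/TableC": effective_permission(user1, "TableC"),  # explicit Read
        "User1/TableD": effective_permission(user1, "TableD"),  # nothing granted anywhere
        "User2/TableA": effective_permission(user2, "TableA"),  # explicit No Access
        "GroupB/TableB": effective_permission(group_b, "TableB"),
    }


if __name__ == "__main__":
    for principal_obj, perm in build_example().items():
        print(f"{principal_obj}: {perm}")
```

Note that the "least restrictive wins" rule means a group-level No Access can be silently undone by Read from any other group; only an explicit No Access on the user (User2 above) is guaranteed to hold.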

Hierarchy
Click the hierarchy icon in the left pane of the Security Manager, and then expand the tree in the right pane, to see the hierarchy of users and groups.


Authorization
Authorization is the process that validates which options a user can access. It is the process by which an application verifies what a user or group is authorized to:
  o View, referred to as permissions (defined for server and presentation catalog objects)
  o Perform, referred to as privileges (defined for presentation catalog objects only)
Authorization is enforced on two levels:
1. Object-Level Security
2. Data-Level Security

Object-Level Security
Object-level security is implemented to control access to repository and presentation catalog objects. Object-level security can be divided into two types:
A. RPD level or Presentation Layer security (Catalog, Table, Column)
B. Web Catalog security (Folder, Dashboard, Dashboard Page, Section, Request, Filter, Privilege)

Object Level Security (overview diagram, shown here as a list):
- Presentation Layer Catalog (rpd): Catalog, Table, Column
- Web Catalog: Folder, Dashboard, Dashboard Page, Section, Request, Filter, Privilege

A. RPD level security


- Controls access to Oracle BI repository objects (metadata), such as subject areas, tables, and columns
  o Configured in the Oracle BI Administration Tool
- In RPD level security we can hide or show (deny or grant) presentation catalogs, tables, and columns for a particular user or group.
- A user can only have either Read or No Access to a repository object.

i) Creating Permissions to User/Group


All restrictions and controls can be applied at the user level, at the group level, or a combination of the two.
1. From the Administration Tool menu bar, choose Manage > Security.
2. In the Security Manager dialog box, in the tree pane, select Users or Groups properties.
3. In the User or Group dialog box, click Permissions.


4. In the User/Group Permissions dialog box, click the General tab and perform the following steps:
   a. In the General tab, to explicitly allow or disallow access to one or more objects in the repository, click Add.
   b. In the Browse dialog box, in the Name list, select the objects you want to change, and then click Select.
   c. In the User/Group Permissions dialog box, assign the permissions by selecting or clearing the Read check box for each object (the default is a check).
      - If the check box contains a check, the user has read privileges on the object.
      - If the check box contains an X, the user is disallowed read privileges on the object.
      - If it is blank, any existing privileges (for example, through a group) on the object apply.


ii) Set permissions from the Presentation Catalog/Table/Column properties dialog box
We can also set permissions to users or groups directly from the presentation catalog, table or column properties dialog box in rpd.

1. In the rpd, select a Presentation Catalog, Table or Column, then right-click > Properties (or double-click).
2. Click the Permissions tab and select the Show all users/groups check box.
3. Assign the permission for users (by default everyone has read access).

B. Web Catalog Object level security


Controls access to Oracle BI Presentation Catalog objects, such as dashboards, folders, filters, views, and reports. This is done in Oracle BI Presentation Services.

Oracle BI Presentation Administration Page


- Manage the Presentation Catalog groups and users.
- Set permissions for Oracle BI Presentation Catalog items and control access to dashboards.
- Manage the privileges and rights that are given to groups and users.
To access the Administration page, click the Settings link and then select Administration in the drop-down list.


Permissions and Privileges


Permissions: Users can access only the data that is appropriate for them. Achieved by applying access control in the form of permissions.
Privileges: Users can perform only those actions that are appropriate to them. Achieved by applying user rights in the form of privileges.

Presentation Catalog Groups and Users
Presentation Catalog groups are defined by the system or by an administrator. When a user is assigned to a group, the user becomes a member of that group. Presentation Catalog group membership is used to determine the permissions and privileges that are associated with a user, by either explicit assignment or inheritance.

System-Defined Presentation Catalog Groups
- Everyone: By default, all users belong to the Everyone group. This is why the group does not appear on the Groups and Users screen of the application.
- Authenticated Users: When a user is authenticated by the Oracle BI Server, that user automatically becomes a member of the Authenticated Users group. The Authenticated Users group is itself a member of the Everyone group.
- Presentation Server Administrators: Members of the Presentation Server Administrators group are users who are Oracle BI Presentation Server administrators. The default member of this group is the Oracle BI Presentation Catalog administrator. By default, only members of the Presentation Catalog Administrators group have access to administrative functions, but this can be changed by changing privilege assignments.


Creating a New Catalog Group
In the Oracle BI Presentation Administration page, select Manage Presentation Catalog Groups and Users. In the Presentation Catalog Security: Groups and Users window, click the Create a new Catalog Group link to open the Create Catalog Group window.

Here we created a catalog group named Country Manager. Now we have to assign users/groups to the created catalog group: select the catalog group in the Manage Groups window to assign users to a Web group (users are created only in the repository). This is shown in the screenshot on the next page.


Defining Permissions
Permissions can be defined on Interactive Dashboards, Answers requests or shared folders.

Presentation Catalog: Permission Types
- No Access
  o Access is not allowed for the specified user or group.
  o Explicitly denying access takes precedence over other permissions.
- Read
  o Authority is given to view content but not to make changes.
- Change/Delete
  o Authority is given to view content, make changes, and delete content.
- Full Control
  o Authority is given to view content, make changes, delete content, set permissions, and delete the item, folder, or Interactive Dashboard.
- Traverse Folder
  o Authority is allowed (or denied) to move through folders to reach other files or folders.
  o Users can access objects in folders within the selected folder when the user does not have access to the selected folder.

In web catalog security we can provide permissions on:
1. Folders
2. Dashboard
3. Dashboard Page
4. Section
5. Request
6. Saved Filter
7. Defining Privileges


i) Providing permission to a user on a Shared Folder / Request / Saved Filter
Log in as Administrator to Presentation Services and go to Settings > Administration. Select Manage Presentation Catalog in the Administration page.

Select the Permission icon (denoted with a lock and key) of the shared folder on which you want to give permissions to users. The Change Item Permissions window will open.

Select Show Users and Groups in the Change Item Permissions window to display all the users and groups. You can observe that Full Control is the default permission; click on the link to toggle between the different permissions (Full Control, Read, Change/Delete, No Access and Traverse Folder).

In a similar way we can provide permissions on a Request or Saved Filter by navigating to that object.


ii) Providing Dashboard Permissions to a User
Log in as Administrator to Presentation Services, go to Settings > Administration and select Manage Interactive Dashboards in the Administration page.

The further steps to define dashboard permissions for users are the same as for defining permissions on a Request / Saved Filter.

iii) Providing Dashboard Page Permissions to a User
Log in as Administrator to Presentation Services. Click on the Dashboard on which you want to give permissions to users. Select Page Options > Edit Dashboard.

Click on the Dashboard Properties Permissions icon; defining permissions for users works the same way as for other objects.


iv) Providing Section Permissions to Users
Log in as Administrator to Presentation Services. Click on the Dashboard on which you want to give permissions to users. Select Page Options > Edit Dashboard. Click on Section Properties > Permissions; defining permissions for sections works the same way as for other objects.


v) Defining Privileges
With privileges, users can perform only those actions that are appropriate to them. This is achieved by applying user rights in the form of privileges (for example: Create Folder, Views, iBots, publish iBots). Privileges are useful to control access to OBI functionality; functionality examples are DDR, Answers link, Dashboard link, etc.
Privileges can be:
  o Granted to users and groups explicitly; this has precedence over privileges inherited through groups
  o Granted or denied to users through memberships in groups
  o A user who is a direct member of two or more groups with conflicting privileges is granted the least restrictive privileges of the groups
Privileges are of 2 types: 1) Granted 2) Denied
Process:
- Log in as Administrator to Presentation Services and go to Settings > Administration.
- Select Manage Privileges in the Administration page.
- Locate the privileges you wish to assign to users or Web groups.
- Add users to grant or deny the privileges.


Query Limits
Oracle BI Server allows you to exercise varying degrees of control over the repository information that users and groups can access. Use the Query Limits tab to:
  o Control the number of rows received by a user or group
  o Control the maximum query run time
  o Enable or disable Populate Privilege
  o Enable or disable Execute Direct Database Requests
Process: Setting Query Limits
- In the RPD go to Manage > Security.
- Select the User or Group for which to set query limits.
- Select the Permissions tab and then Query Limits.

Set the limit for a query based on number of rows or time:
  o Enable: Enforces the restriction and cancels the query
  o Disable: Disables the restriction; no limits will be inherited from the parent groups
  o Warn: Logs a message in NQServer.log and NQQuery.log if the row limit is reached
  o Ignore: Limits will be inherited from the parent groups; if there is no row limit to inherit, no limit is enforced


Setting Timing Restrictions: by clicking on the ellipsis you navigate to the timing restrictions window.

- Prohibits users from being able to query, restricting access to a database during particular time periods.
- Allows other production tasks to be performed, such as batch reporting and table updating, without hindering performance.


Data Level Security

- Data needs to be protected so that only authorized employees can access sensitive information.
- Employees should automatically see the information that is relevant to their roles.

Hiding some of the records or data from a particular user or group is called Data-Level Security.
- Data-level security defines what data an end user sees in a report.
  o It is critical that users only see the data they are authorized to view.
- Allows Oracle BI Server to return different data to different users for the same report.
  o Example: A sales report displays different results for the VP of Sales versus the Regional Manager of the Asia region.

Process:
- In the rpd go to Manage > Security.
- Select either the users or groups to which data-level filters should be applied.
- Select the Permissions tab > Filters > Add.
- Select the object on which to restrict query access.

After selecting the filter, under Business Model Filter click on the Browse button and create logical filters using the Expression Builder. Repository and session variables can also be used to filter the data dynamically for the user. Use the Query Privilege Status field to enable or disable the filters:
  o Enable: The filter is applied to any filter that accesses the object.
  o Disable: The filter is not used, and no other filters applied to the object at higher levels (for example, through a group) are used.
  o Ignore: The filter is not used, but any other filter on the object is applied (for example, through a group).


With the above data-level security, the user Venkatesh is able to see only Deptno = 10 data.
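Added example (not from this course material): a Python/sqlite simulation of the data-level filter described in the Process above, showing how a session variable set by an initialization block drives what one report returns per user. It assumes an init block that looks up a DEPTNO session variable from an external table keyed on :USER, and the VALUEOF(NQ_SESSION.DEPTNO) syntax for referencing it in the filter; the EMP rows and the login-to-department mapping are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data. EMP stands in for a physical table exposed through
# the repository; USER_DEPT stands in for the external table an initialization
# block reads to populate the DEPTNO session variable.
EMP_ROWS = [
    (7369, "SMITH", 20), (7499, "ALLEN", 30), (7782, "CLARK", 10),
    (7839, "KING", 10), (7900, "JAMES", 30), (7934, "MILLER", 10),
]
USER_DEPT_ROWS = [("Venkatesh", 10), ("Ravi", 30)]

# Initialization block SQL: :USER is the system session variable holding the login.
INIT_BLOCK_SQL = "SELECT deptno FROM user_dept WHERE login_id = :USER"

# Data-level filter as it would be written in the Expression Builder against the
# business model (assumed VALUEOF(NQ_SESSION.<var>) syntax for session variables).
DATA_FILTER = "EMP.DEPTNO = VALUEOF(NQ_SESSION.DEPTNO)"

SESSION_VAR = re.compile(r"VALUEOF\(NQ_SESSION\.(\w+)\)")


def open_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE emp (empno INTEGER, ename TEXT, deptno INTEGER);
        CREATE TABLE user_dept (login_id TEXT, deptno INTEGER);
    """)
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMP_ROWS)
    conn.executemany("INSERT INTO user_dept VALUES (?, ?)", USER_DEPT_ROWS)
    return conn


def run_init_block(conn: sqlite3.Connection, login: str) -> dict:
    """Populate the session variables for one logon: USER comes from
    authentication, DEPTNO is looked up from the external table."""
    row = conn.execute(INIT_BLOCK_SQL, {"USER": login}).fetchone()
    if row is None:
        # A user with no mapping must not end up running an unfiltered query:
        # this example fails closed instead of leaving DEPTNO unset.
        raise PermissionError(f"no department mapping for user {login!r}")
    return {"USER": login, "DEPTNO": row[0]}


def bind_filter(expr: str, session: dict) -> tuple[str, dict]:
    """Turn each VALUEOF(NQ_SESSION.X) into a bound parameter :X so the session
    value reaches the database as data, never spliced into the SQL text."""
    names = SESSION_VAR.findall(expr)
    missing = [n for n in names if n not in session]
    if missing:
        raise PermissionError(f"session variables not set: {missing}")
    sql = SESSION_VAR.sub(r":\1", expr)
    return sql, {n: session[n] for n in names}


def report_for(login: str) -> list[str]:
    """Run the same 'all employees' report as `login`; only the rows allowed by
    the data-level filter come back. The filter text is repository metadata
    (administrator-controlled), which is why it may be placed in the WHERE clause."""
    conn = open_db()
    session = run_init_block(conn, login)
    where, params = bind_filter(DATA_FILTER, session)
    rows = conn.execute(
        f"SELECT ename FROM emp WHERE {where} ORDER BY empno", params
    ).fetchall()
    return [r[0] for r in rows]


def unfiltered_count() -> int:
    """What the report would return with no data-level filter at all."""
    return open_db().execute("SELECT COUNT(*) FROM emp").fetchone()[0]


if __name__ == "__main__":
    print("Venkatesh sees:", report_for("Venkatesh"))  # only Deptno = 10 rows
    print("Ravi sees:", report_for("Ravi"))            # only Deptno = 30 rows
    print("rows without any filter:", unfiltered_count())
```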

Standards and Best Practices


1. While using an LDAP server for authentication purposes, do not import users from the LDAP server.
2. The system session variables such as :USER, :PASSWORD, :EMAIL, :GROUP, etc. should be set only in initialization blocks used for authentication purposes.
3. While implementing column-level security for users, ensure that the parameter PROJECT_INACCESSIBLE_COLUMN_AS_NULL is set to YES.

FAQs
Question: What is object level security?
Ans: Object level security is granting or restricting access to repository objects and web objects (presentation catalog/tables, connection pools, shared folders, shared dashboards etc.) for users/groups.

Question: What is authentication?
Ans: Authentication is the process that validates the credentials of the user who logs into the Administration.

Question: What are the types of authentication supported by OBIEE?
Ans:
- LDAP (Lightweight Directory Access Protocol)
- Database authentication
- External table authentication
- OS authentication

Question: How does the LDAP server work?
Ans: Never got a chance to work using this type of authentication.

Question: How does database authentication work?
Ans:
1. Modify the AUTHENTICATION_TYPE key of the SECURITY section of NQSConfig.INI to DATABASE. Assign the database in the physical layer DATABASE key.
2. Create users that match the login IDs in the database. There is no need to maintain passwords in the repository; even if a password is maintained it is ignored.
3. Create groups and assign them to the users created.
4. Ensure that in the connection pool the shared logon option is unchecked.
5. Assign the connection pool to the user or group.
6. When the user logs in through Siebel Analytics, the BI Server attempts to log in to the database server. If the login succeeds, the user is connected to Siebel Analytics; otherwise they are not.

Question: How does external table authentication work?
Ans:
1. Modify the AUTHENTICATION_TYPE key of the SECURITY section of NQSConfig.INI to NQS.
2. There is no need to maintain users or groups in the Siebel Analytics repository.
3. Design table(s) to hold user authentication details (such as Login_id, Password, DisplayName, UserGroup, Web Groups etc.).
4. Create system session variables for USER, DISPLAYNAME, GROUP, WEBGROUPS, LOGLEVEL etc.
5. Create an initialization block that selects values from the respective database table(s) that maintain the authentication details. Assign this initialization block to the respective system session variables.

Question: Describe OS authentication.
Ans: Modify the AUTHENTICATION_TYPE key of the SECURITY section of NQSConfig.INI to BYPASS_NQS. OS authentication enables the BI Server to use the trusted connection feature of the OS. This authentication is not supported when the user logs in using the Siebel Analytics Web client; it is only applicable to applications that connect to the BI Server through ODBC.

Question: What are the different levels of security in Oracle BI?
Ans: Object and data level security.

Question: Where is the object level security implemented for the presentation tables?
Ans: Object level security is implemented to control access to repository and presentation catalog objects. Set permissions from the Presentation Catalog/Table/Column properties dialog box. A user can only have either Read or No Access to a repository object. Example: restrict Products table access to a user.

Question: What are the different permission types that can be assigned to users for presentation catalog objects?
Ans:
- No Access
  o Access is not allowed for the specified user or group.
  o Explicitly denying access takes precedence over other permissions.
- Read
  o Authority is given to view content but not to make changes.
- Change/Delete
  o Authority is given to view content, make changes, and delete content.
- Full Control
  o Authority is given to view content, make changes, delete content, set permissions, and delete the item, folder, or Interactive Dashboard.
- Traverse Folder
  o Authority is allowed (or denied) to move through folders to reach other files or folders.
  o Users can access objects in folders within the selected folder when the user does not have access to the selected folder.

Question: Can users be created in the presentation catalog?
Ans: Users are created only in the repository.

Question: What is the difference between permission and privilege?
Ans: Permissions: Users can access only the data that is appropriate for them. Achieved by applying access control in the form of permissions. Privileges: Users can perform only those actions that are appropriate to them. Achieved by applying user rights in the form of privileges.

Question: What is data level security?
Ans: Data level security is restricting the data being retrieved by or listed to the user. This is implemented using an expression defined in the Filter tab of the User/Group permission dialog or in the WHERE condition in the Content tab. Example: a Sales Rep can see only what he/she sold; a Sales Regional Manager can see only the sales made by reps reporting to him/her; a Country Manager can see all the sales made by people reporting to him/her.

Question: How is data level security implemented?
Ans: Data level security defines what data an end user sees in the report. It is implemented in the repository by adding data level filters for each user/group.

Question: What are the different privilege statuses that can be set on a logical filter?
Ans: Variables can be used to filter the data dynamically for the users.

Q: What are the different privilege statuses that can be set on a logical filter?
Ans:
- Enable: The filter is applied to any filter that accesses the object.
- Disable: The filter is not used, and no other filters applied to the object at higher levels (for example, through a group) are used.
- Ignore: The filter is not used, but any other filter on the object is applied (for example, through a group).

Question: What is authentication, in the web as well as in the RPD?
Q: What is authentication? How many types of authentication are there?
Q: Explain the different user authentication methods available in Siebel Analytics.
Ans: Authentication is the process by which a system verifies, through the use of a user ID and password, that a user has the necessary permissions and authorizations to log in and access data. The Siebel Analytics Server authenticates each connection request it receives.
a. Operating system authentication
b. External table authentication
c. Database authentication
d. LDAP authentication

Question: How are the different levels of access authentication classified?
Ans: The levels are four in number and their role is to block access to various databases or tables:
1) Operating level: without this authentication no one can get access to the application, as this is the highest level of restriction.
2) Table: every physical table can be restricted.
3) Database: this can give total or partial access to the database by a user and a password to the user, or can restrict all the access.
4) LDAP or Lightweight Directory Access Protocol: it provides access limits for various folders or directories.

Question: How do you implement security using external tables and LDAP?
Ans:
  o Instead of storing user IDs and passwords in a Siebel Analytics Server repository, you can maintain lists of users and their passwords in an external database table and use this table for authentication purposes. The external database table contains user IDs and passwords, and could contain other information, including group membership and display names used for Siebel Analytics Web users. The table could also contain the names of specific database catalogs or schemas to use for each user when querying data.
  o Instead of storing user IDs and passwords in a Siebel Analytics Server repository, you can have the Siebel Analytics Server pass the user ID and password entered by the user to an LDAP (Lightweight Directory Access Protocol) server for authentication. The server uses clear text passwords in LDAP authentication. Make sure your LDAP servers are set up to allow this.

Question: In the case of LDAP authentication, how does the user session get populated?
Question: How do you set up LDAP security within the Siebel Analytics repository?
Question: Where are passwords for user IDs, LDAP, and external table authentication stored respectively?
Ans: Passwords for user IDs are in the Siebel Analytics Server repository; for LDAP authentication, in the LDAP server; for external database authentication, in a table in the external database.

Question: What are the different ways to authenticate a user in an OBIEE system? Can OBIEE authenticate a user passing through multiple authentication methods?

Question: Which statements are TRUE of Authenticated Users? Choose two.
A. The Authenticated Users group is a member of the Everyone group.
B. All users belong by default.
C. Users become a member of this group when a user is first authenticated by Siebel Analytics Server.
D. All members by default have access to administrative functions, but this can be changed by changing privileges.
Ans: A, C

Question: Can you bypass Siebel Analytics Server security? If so, how?
Q: How do you bypass the repository authentication?
Ans:
  o Yes, you can bypass it by setting the authentication type in the NQSConfig file, in the security section, as: authentication_type=bypass_nqs. instanceconfig.xml and nqsconfig.ini are the 2 places.

Question: You want to use a database built-in function, bypassing the functions defined in OBIEE. What OBIEE function helps in achieving this? What is the syntax for this function?

Question: What are the different levels of security in Oracle BI?
Q: Security types in OBIEE and how can we achieve the same?
Q: What are the levels of security?
Ans: 1) Object level security 2) Data level security

Question: What is object level security and data level security?
Question: What is the difference between data level security and object level security?
Ans: Data level security controls the type and amount of data that you can see in reports. Object level security provides security for objects stored in the Siebel Analytics web catalog, like dashboards, dashboard pages, folders and reports.

Question: Explain OBIEE security and single sign-on.

Question: What are the different types of security you have worked on in OBIEE?
Ans: Object level and data level.

Question: Where is the object level security implemented for the presentation tables?
Ans: In RPD level security we can hide or show (deny or grant) tables, catalogs and columns for particular users or groups for the presentation tables. Or select the presentation table at RPD level, go to Properties > Permissions, and select the user/group to whom we need to give permissions.

Question: What is object level security?
Ans: The role of object level security is to protect things like folders, pages, reports and dashboards that exist in the Siebel Analytics Web Catalog.

Question: What is object level security?
Ans: There are two types of object level security: repository level and web level.
  o Repository level: In the presentation layer we can set repository level security by giving or denying permission to users/groups to see a particular table or column.
  o Web level: This provides security for objects stored in the Siebel Analytics web catalog, such as dashboards, dashboard pages, folders and reports; you can only view the objects for which you are authorized. For example, a mid-level manager may not be granted access to a dashboard containing summary information for an entire department.

Question: How will you implement security in OBIEE so that subject areas accessed by one group are not accessed by another group?
Ans: Using Security Manager in the OBIEE Admin Tool, by creating two user groups and allowing only part of the subject area for one group and the other part for the other user group.

Question: How was the security set up in your last project?
Question: How did you handle security management?

Question: Where can you add new groups and set permissions?
Ans:
  o You can add groups by going to Manage > Security > add new groups. You can give permissions to a group for query limitation and filter conditions.

Question: What are the different permission types that can be assigned to users for presentation catalog objects?
Ans: 1) Read 2) Change/Delete 3) Full Control 4) No Access 5) Traverse Folder

Question: What are the different privilege statuses that can be set on a logical filter?
Ans: 1) Granted 2) Denied

Question: Where in Siebel Analytics would you create Web groups and users?
A. Siebel Answers
B. Siebel Delivers
C. Siebel Intelligence Dashboards
D. Siebel Analytics Administration
E. Disconnected Analytics
Ans: D

Question: Which are system-defined Web groups? Choose three.
A. Authenticated Users
B. System Administrators
C. Defined Users
D. Web Administrators
E. Everyone
Ans: A, D, E

Question: For every repository do we have to define groups/users? Is there any way we can define users/groups once (in a centralized way, but not with LDAP) and use them in every repository?
Ans: We can use custom authentication (creating user names and passwords in a database table is called custom authentication).

Question: What is data level security?
Ans:
  o This controls the type and amount of data that you can see in a report. When multiple users run the same report, the results that are returned to each depend on their access rights and roles in the organization. For example, a sales vice president sees results for all regions, while a sales representative for a particular region sees only data for that region.

Question: If you want to limit users in a certain region to access only certain data, what would you do?
Ans: Using data level security.
  o Siebel Analytics Administrator: go to Manage > Security; in the left-hand pane you will find Users, Groups, LDAP Server and Hierarchy. Select the user, right-click and go to Properties; you will find two tabs named Users and Logon. Go to the User tab and click the Permissions button in front of the user name you have selected. As soon as you click Permissions you will get a new window, User/Group Permissions, with three tabs named General, Query Limits and Filters, and you can specify your condition on the Filters tab, in which you can select presentation tables, presentation columns, logical tables and logical columns and apply the condition according to your requirement for the selected user or group.

Question: How do we define row level security in OBIEE?
Ans: Row level security is nothing but providing data level security. This can be done in 2 ways:
  o If the user is available in the repository, then we can restrict that in Manage > Security > User > Permissions > Filters > Add; here we can use the Expression Builder and write the query.
  o If the users are available in some DB table, then we can use session variables and give the permissions by using session variables.

Question: Have you implemented data level security? What are the various ways you can implement it?
Ans: Yes, we can implement data level security at the RPD level at the user/group level. Click on Permissions of a user/group, go to the Filters tab and follow the steps to build data level security.

Question: What does data level security do in OBIEE?
Ans: Its role is the control of the data type and amount seen in a report. Each user may see a different report according to the access that they have in the company.

Question: How is data level security implemented?
Question: How did you do data level security and what are the different ways of doing it?

Question: How do you hide certain columns from a user?
Ans: We can hide a column in application access level security:
  o Do not add the column in the report.
  o Do not add the column in the presentation layer.
  o Or use data level security.