
Oracle BI EE 11g - Security Auditing

Venkatakrishnan J

T : +44 (0) 8446 697 995 or (888) 631 1410 (USA) E : enquiries@rittmanmead.com W: www.rittmanmead.com

Saturday, 12 November 11

Who Am I?

- Venkatakrishnan Janakiraman
- Over 8 years of Oracle BI & EPM experience
- Managing Director (India), Rittman Mead India
- Blog at http://www.rittmanmead.com/blog
  - Old & defunct blog: http://oraclebizint.wordpress.com
- Oracle ACE, EPM/BI Specialization
- Twitter: @krisvenkat


Agenda

- Overview of BI EE Security
  - Authentication
  - Authorization
- Security Endpoints Overview
  - WebLogic & EM
  - BI Server
  - Presentation Server
    - How is Web Catalog security stored?
    - Account structure
    - ACL structure
    - Decompiling security in .ATR files
- Security Audit
  - What is a security audit?
  - How to do a security audit?
  - Demo of a custom application

What Are We Talking About, When We Talk About Security?

- Security encompasses a wide area and set of tasks in OBIEE
- Aspects of security include:
  - Users logging in and out
  - User and group directories, internal and external to OBIEE
  - User and group membership administration
  - Job roles, rights and permissions
  - Permissions on BI objects (reports, dashboards, KPIs etc.)
  - Application permissions (to use Answers, to create filters etc.)


OBIEE 11g Security and Oracle Fusion Middleware 11g

- OBIEE 11g delegates security to Oracle Fusion Middleware 11g
  - Leverages Oracle Platform Security Services (OPSS)
- Users and groups in the RPD now moved to the embedded WLS LDAP server
- RPD and Webcat groups replaced by FMW 11g Application Roles
- Comprehensive SSL and credentials management
- Encrypted RPD
- Flexible authorization model through WLS and OPSS
- Still backwards compatible with the LDAP model in OBIEE 10g


OBIEE 11g Security Administration Tools

- WebLogic Server Admin Server Console (embedded LDAP server, security providers)
- Fusion Middleware Control (Application Roles)
- BI Administration tool (subject-area and row-level security)
- Catalog Manager and Presentation Services Catalog view (object permissions)
- Presentation Services Administration page (PS functional permissions)


WLS Embedded LDAP Server

- By default, OBIEE 11g users and groups are now held in the WLS embedded LDAP server
  - More robust directory for storing user details
  - Recommended for fewer than 1000 users
- WLS Admin Server Console now used for creating and maintaining users
- BI Server outsources all authentication and authorization to FMW 11g
- WLS LDAP server can be swapped out for alternative directories (MS AD etc.)


Oracle BI EE 11g - Weblogic Console & EM


Weblogic Console & EM

- Access to Console & EM controlled through WebLogic default (global) roles
- Important to provision only admin users for access
  - Assign to the Administrators group
  - Add user to the Admin role
- Audit
  - Use WLST to extract roles & members
  - JMX API to extract roles & members


Oracle BI EE 11g - BI Server Security


BI Server - Security End Points

- Security controlled through the BI Administration tool
- Column and Subject Area based security
- Init Block based security (deprecated in 11g)
  - Database table
  - LDAP
  - Custom authenticators
- Data level security
  - Permissions tab in Manage Identity
  - LTS Content
- Connection Pool based security
  - SSO into external sources (like Essbase)
  - VPD connection scripts


Subject Area & Column Level Security

- Applied within the repository
  - Applied directly in the Presentation layer
  - Applied directly in the Permissions tab of the User/Role
- Default privilege is applied as READ
  - Can be changed through a setting in NQSConfig.ini (DEFAULT_PRIVILEGES)
- New 11g feature: Permissions report
  - Can be saved as a CSV for auditing


Init Block Based Security

- Authentication & authorization through init blocks
  - Does not work in 11.1.1.3
  - Works in 11.1.1.5
- Deprecated in 11g
  - Supported primarily for backward compatibility
- Assumes all security is done through
  - Web Catalog groups (WEBGROUPS system session variable)
  - BI Server roles (GROUP system session variable)
- Requires switching over to 10g security mode completely
  - For using this feature
  - Potential Web Catalog permissions issue


Data Level Security

- Applied at Logical Table Sources (Content tab)
  - A bit difficult to audit
  - Can be difficult to maintain with multiple LTSs
- Applied at the Permissions tab of the User/Role
  - General good practice
  - Data level security directly tied to the security object
  - Easy to audit through XUDML or the new XML API


Oracle BI EE 11g - BI Presentation Server Security


BI Presentation Server - Security End Points

- 2 main security end points
  - Presentation Catalog level security
    - Accounts
    - ACL
    - Attributes
  - Presentation Privilege level security
- Very important
  - Security behaviour has changed across releases
  - More important to audit
    - Chances of permissions not being applied properly


Web Catalog Security

- 10g Web Catalog security
  - Web Catalog groups stored in the Web Catalog
  - Cannot use RPD groups
  - No concept of GUIDs
  - User based security also possible
- 11g Web Catalog security
  - Application Roles
  - Web Catalog groups (only for backward compatibility)
  - User based security
  - Completely based on GUIDs
- Very important to understand web catalog migration


Web Catalog - Catalog Permissions

- Catalog - nothing but a set of folders
- Catalog security based on permissions
- 6 different types of permissions
  - Full Control
  - Modify
  - Open
  - Traverse
  - No Access
  - Custom: any combination of
    - Read
    - Traverse
    - Write
    - Delete
    - Change Permissions
    - Set Ownership
    - Run BIP Report
    - Schedule BIP Report
    - View BIP Output

Web Catalog - Permissions ACL Structure

- All permissions stored internally within BI EE as an ACL (Access Control List)
- Very similar to the Unix octal representation (777, 775 etc.)
- Uses a 16-bit binary representation
  - All bits 0 means No Access

Bit    Permission
15-9   Future Use
8      View BIP Output
7      Schedule BIP Report
6      Run BIP Report
5      Set Ownership
4      Change Permissions
3      Delete
2      Write
1      Traverse
0      Read


Web Catalog - Permissions ACL Structure

- Default permission values
- Although the permission is a bit pattern, the web services use the decimal number
- The ACL value (stored internally) is the number itself

Permission     Stored ACL value   Binary representation
Full Control   65535              1111111111111111
Modify         15                 0000000000001111
Traverse       2                  0000000000000010
Open           3                  0000000000000011
No Access      0                  0000000000000000
Custom         0-65535            xxxxxxxxxxxxxxxx
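The bit table and the default values above, turned into a small encoder/decoder that an auditor can run over exported ACL numbers. This is an added example written for this page, not code from the deck or from Oracle: the bit positions follow the slide, while the `audit_findings` heuristic and the sample values are this example's own.

```python
# Added example (not from the deck): encode and decode the 16-bit ACL value
# OBIEE 11g stores for each catalog account entry, following the bit table
# on the "Permissions ACL Structure" slides. Bit numbers are taken from that
# table; the check in audit_findings() is this example's own heuristic.

# Bit position of each permission, least significant bit first.
PERMISSION_BITS = {
    "Read": 0,
    "Traverse": 1,
    "Write": 2,
    "Delete": 3,
    "Change Permissions": 4,
    "Set Ownership": 5,
    "Run BIP Report": 6,
    "Schedule BIP Report": 7,
    "View BIP Output": 8,
}
FUTURE_USE_MASK = 0xFE00  # bits 9-15 are marked "Future Use" on the slide

# The pre-defined permission levels and the ACL value each one stores.
NAMED_LEVELS = {
    "No Access": 0,
    "Traverse": 2,
    "Open": 3,        # Read + Traverse
    "Modify": 15,     # Read + Traverse + Write + Delete
    "Full Control": 65535,
}

# Rights that let the grantee change the ACL itself; worth flagging in an audit.
ACL_CHANGING_RIGHTS = ("Change Permissions", "Set Ownership")


def encode_acl(rights):
    """Build the stored ACL value from a list of permission names."""
    value = 0
    for name in rights:
        value |= 1 << PERMISSION_BITS[name]
    return value


def decode_acl(value):
    """Return the permission names set in an ACL value, lowest bit first."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("ACL value must fit in 16 bits: %r" % value)
    return [name for name, bit in PERMISSION_BITS.items() if (value >> bit) & 1]


def level_name(value):
    """Map an ACL value back to the level shown in Catalog Manager, or 'Custom'."""
    for name, stored in NAMED_LEVELS.items():
        if stored == value:
            return name
    return "Custom"


def describe_acl(value):
    """All the representations a reviewer meets: decimal (web services),
    binary (the slide tables) and hex (as found in the .ATR file)."""
    return {
        "dec": value,
        "hex": "%04X" % value,
        "bin": format(value, "016b"),
        "level": level_name(value),
        "rights": decode_acl(value),
    }


def parse_hex_acl(hex_text):
    """Turn a 4-hex-digit value such as 'FFFF' or '0003' back into an ACL value."""
    return int(hex_text, 16)


def audit_findings(value):
    """Example heuristic: point out custom values that carry ACL-changing
    rights or stray Future Use bits, which a Catalog Manager review can miss."""
    findings = []
    if level_name(value) == "Custom":
        granted = decode_acl(value)
        for right in ACL_CHANGING_RIGHTS:
            if right in granted:
                findings.append("custom ACL grants %s" % right)
        if value & FUTURE_USE_MASK:
            findings.append("custom ACL sets Future Use bits %04X" % (value & FUTURE_USE_MASK))
    return findings


if __name__ == "__main__":
    # Constructed sample values: the five named levels plus two custom ones.
    for v in (65535, 15, 3, 2, 0, 0x0031, parse_hex_acl("0201")):
        print(describe_acl(v), audit_findings(v))
```

Feed it the decimal values returned by the web services or the hex pairs read out of an .ATR file; anything reported as `Custom` with `Change Permissions` or `Set Ownership` is an entry that can rewrite its own ACL and deserves a second look.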


Web Catalog - Account Structure

- Each folder/report/dashboard
  - Can have a user level permission
  - Can have an Application Role permission
  - Can have a Web Catalog group permission
- Accounts stored internally as object properties
  - Binary representation
  - 7 bits in total, one per account type:
    - App Role
    - Catalog Group
    - User
    - User(s) Pattern Search
    - Catalog Group(s) Pattern Search
    - App Role(s) Pattern Search
    - All Pattern Search


Web Catalog Object Security - Propagation

- 3 ways to apply permissions to a catalog object
  - Apply access directly to the user on the catalog object
  - Apply access directly to an application role(s)
    - One or more application roles
  - Apply access to an application role(s) with hierarchical permission propagation


Web Catalog Security - Security Example 1

- No Access privilege takes precedence when only role based security is assigned
- User A is a member of AppRole 1 and AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: No Access
- AppRole 2: Full Control

Effective permission for User A: No Access


Web Catalog Security - Security Example 2

- Highest access privilege takes precedence when multiple role based accesses are assigned, provided no role has the No Access privilege
- User A is a member of AppRole 1 and AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: Read
- AppRole 2: Full Control

Effective permission for User A: Full Control


Web Catalog Security - Security Example 3

- Direct user assignment takes precedence over anything else
- User A is a member of AppRole 1 and AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: No Access
- AppRole 2: Full Control
- User A (directly): Read

Effective permission for User A: Read


Web Catalog Security - Group Inheritance Example 1

- Group inheritance automatically gets applied at the user level
- User A is a member of AppRole 1
- AppRole 1 is a member of AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: none assigned
- AppRole 2: Full Control

Effective permission for User A: Full Control


Web Catalog Security - Group Inheritance Example 2

- Group inheritance works similarly to multiple group assignments
- User A is a member of AppRole 1
- AppRole 1 is a member of AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: No Access
- AppRole 2: Full Control

Effective permission for User A: No Access


Web Catalog Security - Group Inheritance Example 3

- Group inheritance works similarly to multiple group assignments
- User A is a member of AppRole 1
- AppRole 1 is a member of AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: Read
- AppRole 2: Full Control

Effective permission for User A: Full Control


Web Catalog Security - Group Inheritance Example 4

- Direct user assignment takes precedence over anything else
- User A is a member of AppRole 1
- AppRole 1 is a member of AppRole 2

Assigned privilege on the catalog object:
- AppRole 1: Read
- AppRole 2: Full Control
- User A (directly): Write

Effective permission for User A: Write


Web Catalog Object Security - Propagation

- Security propagation
- Folder/item when assigned only to roles (no inheritance)
  - No Access to the folder if one of the roles has No Access
  - Highest privilege access to the folder if none of the roles has No Access
- Folder/item when assigned to roles (with inheritance)
  - Inheritance works as long as just one role in the parentage is assigned access
  - When more than one role in the parentage is assigned access, the same rules as for multiple role assignments apply
  - No Access to the folder if one role has No Access
  - Highest privilege access if none of the roles has No Access
- User assigned directly
  - Takes precedence over everything else
  - Even when a role has No Access assigned

Catalog Access Type

- 2 access types in 11g
  - Windows mode
  - Linux mode
- Default: Windows mode
- Windows mode
  - To access a folder, Traverse access is not required on all parent folders
- Linux mode
  - To access a folder, Traverse access is required on all parent folders
- InstanceConfig.xml setting: MustHaveTraverseAccessToParent
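An added example (not from the deck or from Oracle) that models what the `MustHaveTraverseAccessToParent` setting changes, so an audit can list the objects whose reachability differs between the two modes. The folder tree, its ACL values and the rule that opening an object needs its Read bit are constructed assumptions; the Windows/Linux behaviour follows the slide.

```python
# Added example (not from the deck): model the two catalog access modes on the
# "Catalog Access Type" slide. The folder tree, ACL values and the rule that
# opening an object needs its Read bit are this example's assumptions.

READ = 1      # bit 0 of the stored ACL value
TRAVERSE = 2  # bit 1

# Constructed sample: effective ACL value one user already holds on each
# catalog path (values as stored: 0 = No Access, 2 = Traverse, 3 = Open).
SAMPLE_ACLS = {
    "/shared": 2,
    "/shared/Finance": 0,
    "/shared/Finance/Revenue": 3,
    "/shared/Sales": 2,
    "/shared/Sales/Pipeline": 2,
}


def parent_folders(path):
    """'/shared/Finance/Revenue' -> ['/shared', '/shared/Finance']."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can_open(path, acls, must_have_traverse_to_parent):
    """Decide whether the object at `path` can be opened.

    must_have_traverse_to_parent=False is the default Windows mode: only the
    object's own ACL matters. True is Linux mode: every ancestor folder must
    also grant Traverse. Paths with no ACL entry are treated as No Access
    (an assumption of this model)."""
    if not acls.get(path, 0) & READ:
        return False
    if must_have_traverse_to_parent:
        for folder in parent_folders(path):
            if not acls.get(folder, 0) & TRAVERSE:
                return False
    return True


def mode_differences(acls):
    """Objects that open in Windows mode but not in Linux mode: the entries an
    audit done against one setting would misjudge on the other."""
    return sorted(p for p in acls
                  if can_open(p, acls, False) and not can_open(p, acls, True))


if __name__ == "__main__":
    for mode, flag in (("Windows", False), ("Linux", True)):
        print(mode, {p: can_open(p, SAMPLE_ACLS, flag) for p in SAMPLE_ACLS})
    print("reachable only in Windows mode:", mode_differences(SAMPLE_ACLS))
```

The point of `mode_differences` is the audit caveat: a report that is reachable in the default Windows mode because a user was granted Open on it directly stops being reachable the moment the instance is switched to Linux mode if a parent folder denies Traverse, so the audit must record which mode the instance runs in.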


Web Catalog - Security Files

- Catalog object security stored at the object level as a .ATR file
- ATR file structure is pure binary
- All properties applied through Catalog Manager are stored in this file
- Use a HEX editor
  - Identify the byte code
  - Identify the HEX code


Web Catalog - Interpreting Security Files

- Permissions stored as HEX
  - Stored alongside the application role
- Application role stored as ASCII
- Worked values as seen in the HEX editor:
  - Full Control: Dec 65535, Bin 1111111111111111, HEX FFFF
  - Open: Dec 3, Bin 0000000000000011, HEX 0003
- Catalog groups & users stored in encrypted format
  - Present under /system/security/accountids/xxx/
  - The byte code of the encrypted user/catalog group entry stores the name


Oracle BI EE 11g - HEX Editor


Demo


Presentation Server Privilege Security - Basics

- Important points
- Privilege when assigned only to roles (no inheritance)
  - Least access privilege applies to the user (a Denied on any role wins)
- User assigned directly
  - Takes precedence over everything else
  - Even when a role has Denied access
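The precedence rules from the catalog propagation slide and the seven security/inheritance examples, together with the privilege rules above, as one runnable model that can be pointed at an exported set of assignments. This is an added example, not the deck's or Oracle's code: the names (User A, AppRole 1, AppRole 2), the membership tables and the decision to combine "highest privilege" as a bitwise OR of the stored ACL values are assumptions (for the named levels, which nest, the result is the same as picking the most permissive one).

```python
# Added example (not from the deck): the precedence rules from the catalog
# propagation examples and the "Presentation Server Privilege Security" slide,
# written as functions so they can be run over an exported permission set.
# Names (AppRole 1, AppRole 2, User A), the membership tables and the choice
# to combine "highest privilege" as a bitwise OR of ACL values are assumptions.

NO_ACCESS = 0
READ = 1
WRITE = 4
FULL_CONTROL = 65535


def all_roles(user, members_of, role_parents):
    """Roles a user holds directly plus, by group inheritance, every role
    those roles are members of (AppRole 1 in AppRole 2 gives User A both).
    Cycles in role_parents are tolerated."""
    held, pending = set(), list(members_of.get(user, ()))
    while pending:
        role = pending.pop()
        if role not in held:
            held.add(role)
            pending.extend(role_parents.get(role, ()))
    return held


def effective_catalog_permission(user, acl, members_of, role_parents):
    """ACL value a user ends up with on one catalog object.
    acl maps ("user", name) or ("role", name) to the stored ACL value."""
    direct = acl.get(("user", user))
    if direct is not None:
        return direct  # direct user assignment beats everything, even No Access
    role_values = [acl[("role", r)]
                   for r in all_roles(user, members_of, role_parents)
                   if ("role", r) in acl]
    if not role_values or NO_ACCESS in role_values:
        return NO_ACCESS  # any No Access role wins; nothing assigned = no access
    combined = 0
    for value in role_values:
        combined |= value  # otherwise the most permissive (union of bits)
    return combined


def effective_privilege(user, grants, members_of, role_parents):
    """Presentation privilege: least access across roles, direct user wins.
    grants maps ("user", name) / ("role", name) to 'Granted' or 'Denied';
    an unassigned privilege is reported as 'Denied' (assumption)."""
    direct = grants.get(("user", user))
    if direct is not None:
        return direct
    role_grants = [grants[("role", r)]
                   for r in all_roles(user, members_of, role_parents)
                   if ("role", r) in grants]
    if not role_grants or "Denied" in role_grants:
        return "Denied"
    return "Granted"


def access_report(acl, members_of, role_parents):
    """Who can reach the object: every known user with their effective ACL."""
    return {u: effective_catalog_permission(u, acl, members_of, role_parents)
            for u in members_of}


# Constructed membership tables covering the deck's two scenarios.
FLAT = {"User A": ["AppRole 1", "AppRole 2"]}      # no inheritance
NESTED = {"User A": ["AppRole 1"]}                  # User A -> AppRole 1 -> AppRole 2
NESTED_PARENTS = {"AppRole 1": ["AppRole 2"]}

if __name__ == "__main__":
    ex1 = {("role", "AppRole 1"): NO_ACCESS, ("role", "AppRole 2"): FULL_CONTROL}
    ex3 = dict(ex1, **{("user", "User A"): READ})
    print(effective_catalog_permission("User A", ex1, FLAT, {}))          # 0
    print(effective_catalog_permission("User A", ex3, FLAT, {}))          # 1
    print(access_report({("role", "AppRole 2"): FULL_CONTROL}, NESTED, NESTED_PARENTS))
```

Two audit consequences fall out of the model: a direct user grant is the only thing that can override a No Access on a role, so every `("user", …)` entry in an export deserves review, and because role parentage is flattened before the rules run, a No Access placed on a deeply nested role silently removes access granted higher up.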


Security Audit

- A means of finding out which user has access to what
- A means of finding out any possible security holes
- A means of finding out whether security is being applied properly
- Very critical
  - BI systems expose the most critical data
  - For SOX compliance
  - For various local government security audit compliance requirements


What to Audit?

- WebLogic Console
  - Native users and groups
  - Access to Console & EM
  - User-group membership
- Enterprise Manager
  - Application Roles
  - Application Policies
  - Application Role membership
- BI Server
  - Column & Subject Area level security
  - Data level security


What to Audit?

- BI Presentation Server
  - Catalog level security
    - Object level access control
    - Object level permissions
  - Privilege level security
    - Granular UI access control
    - Administration access control


How to Audit?

- WebLogic Console & EM
  - WLST
  - JMX API
- BI Server
  - XML API
  - XUDML
  - Web Services
- BI Presentation Server
  - Web Services
  - Catalog Manager API
    - Native Java
    - Newly introduced CLI


Custom Application - Rittman Mead

- Does a complete automated audit of an existing 11g system
- Automated program using documented APIs
- Prebuilt reports/dashboards
- Search for all objects a user has access to
  - Direct association
  - Indirect association
- Privilege report
- A complete audit report
- Also provides the ability to make incremental security changes during Web Catalog migration

