Security Settings in 11G

I was creating a new user in OBIEE 11G and the security settings seems to be completly different from that of OBIEE 10g. Before setting the Security it is good to have a basic knowledge of the basics jargons in OBIEE 11G.

 Basic Understanding of the Security settings of OBIEE 10g and OBIEE 11g

One of the biggest differences between OBIEE 10g security and OBIEE 11g security, is that users and groups are no longer held primarily in the repository; instead, these details are held by default in the WebLogic Server LDAP server, which gets installed alongside OBIEE when you install the product.

Within OBIEE itself, in common with all Oracle Fusion Middleware 11g-based products, you actually assign application permissions and privileges to application roles, not these LDAP groups. Behind the scenes, the LDAP groups and users in your WLS LDAP server are mapped to these application roles, allowing you to create simple 1:1 role to group mappings if you want, as shown in the diagram below:

Comparison of security settings of 10g and 11g


Security Settings of 10g 

With OBIEE 10g, the security setup between the BI Presentation Server, BI Server and external LDAP directories and authenticators looked as in the diagram below, with the OC4J or other J2EE/IIS application server hosting the Analytics application and BI Publisher (amongst other front-end components), and the Presentation Server then authentication against the BI Server, which in turn may have contacted one or more external directories to provide authentication.


A credential-store was created, post-install, to hold the system user account details required to permit communication between BI Publisher, the Scheduler and BI Presentation Services, and all user accounts and groups were held in the BI Server, and replicated to the Presentation Server as users first logged in. Whilst this worked fairly well, the disadvantages were:

Security Settings in 11g

OBIEE 11g, through its use of the Fusion Middleware platform, moves to an architecture where the BI Server no longer stores users and group details, no longer provides the actual authentication, but instead delegates this process to Fusion Middleware’s Oracle Platform Security Services, so that the security architecture now looks like this:


The big difference here is that there’s now a security abstraction layer within WebLogic Server (actually, within Fusion MIddleware 11g) called Oracle Platform Security Services, that provides three abstracted services for OBIEE, and for other Fusion Middleware-based applications:

All of these services are registered through things called providers, and we’ll look in more detail at providers and how you use them to link to Active Directory, for example, in tomorrow’s post. For now though, just bear in mind that security has now moved to WebLogic and Fusion Middleware, and we’re using the Fusion Middleware concept of application roles when we come to assign permissions and privileges to groups of users.
For now though, what does this mean in terms of setting up users, groups and these new application roles for an out-of-the-box installation of OBIEE11g? As shown in the diagram right at the start of this posting, an out-of-the-box installation of OBIEE comes with three main application roles that you can grant to individual users, or LDAP groups:
These roles correspond to a set of LDAP groups within the embedded WebLogic Server LDAP Server that have almost the same names (plural rather than singular) as these application roles:

To be continued..

Rittman Mead

Labels: ,