OBIEE 12c Security: LDAP Authentication and DB Authorization - Perficient Blogs
Blog
  • Topics
  • Industries
  • Partners

Explore

Topics

Industries

Partners

OBIEE 12c Security: LDAP Authentication and DB Authorization

OBIEE 12c by default uses WebLogic internal user directory for security purposes. This is effective only when the number of the users is very limited and is not expected to grow much over the years. But, in a real world business scenario, almost all implementations require configuring a more robust way to implement authentication and authorization to allow additional users access to OBIEE without changing a lot of things from the OBIEE end.

LDAP is one of the very effective ways to enable users to login with common IDs – that they use across a company network allowing access to OBIEE via the same central active directory as applications. It’s best to implement LDAP active directory in addition to the internal WebLogic user directory so that WebLogic IDs and other administrative IDs remain unaffected due to this change and also if required the default active directory can also be used if required separate to the LDAP directory. It’s best to create a new realm for the new LDAP authentication allowing easy toggling from one realm to another as and when required.

Pre-Requisites

  • Oracle Business Intelligence Enterprise Edition 12c g must be installed and running.
  • LDAP server to be used as the identity store that contains users must already be configured.

Security Settings

This document captures security settings in OBIEE 12c environment.

Authentication: Active Directory Authentication – LDAP

Weblogic Console Modifications

Login in to WelbLogic Manager using weblogic account. Click on bi -> Security Realms in left panel.

http://machine.domain.com:9500/console

Click on ‘myrealm’. Configuration -> General tab would open.

Click on “Providers” tab. Here you will see following three default ‘Authentication Providers’.

Click on “DefaultAuthenticator” provider. Click on Lock and Edit -> Change the Control Flag from Required to Sufficient and then Click Save.

Once the settings updated successfully message is displayed click on Activate Changes.

The ‘All Changes have been Activated. However 2 items must be restarted for the changes to take effect‘ message would be displayed. Wait for the entire process to complete before restarting OBIEE server.

First LDAP Authentication Provider needs to be set up. For that, go to Providers Tab -> Lock and Edit and Click on New.

Name it as “Edir_LDAP”. Select the type as IPlanetAuthenticator. Click OK.

Once done open the Edir_LDAP provider again and change the control flag to Sufficient. Save it.

Enter the following details in the provider specific tab.

Host: hostname.domain.com

Port: 123

Principal: uid=user1,ou=system,ou=users,dc=domain,dc=com

Credential: (Enter the password for the Principal Account listed above)

Confirm Credential: Re-enter the same

User Base DN: dc=domain,dc=com

All Users Filter: (&(uid=*)(objectclass=person))

User From Name Filter: (&(uid=%u)(objectclass=person))

User Search Scope: Subtree

User Name Attribute: uid

User Object Class: person

Group Base DN: dc=statestreet,dc=com

Group From Name Filter: (|(&(cn=%g)(objectclass=groupofUniqueNames))(&(cn=%g)(objectclass=groupOfURLs)))

Group Search Scope: Subtree

Group Membership Searching: unlimited

Max Group Membership Search Level: 0

Group from User Filter for Memberuid: (&(memberuid=%M)(objectclass=groupofuniquenames))

Static Group Name Attribute: cn

Static Group Object Class: groupofuniquenames

Static Member DN Attribute: uniquemember

Static Group DNs from Member DN Filter: (&(uniquemember=%M)(objectclass=groupofuniquenames))

Dynamic Group Name Attribute: cn

Dynamic Group Object Class: groupofURLs

Dynamic Member URL Attribute: memberURL

Connection Pool Size: 6

Connect Timeout: 0

Connection Retry Limit: 1

Parallel Connect Delay: 0

Results Time Limit: 0

Follow Referrals: check

Cache Enabled: check

Cache Size: 32

Cache TTL: 60

Cache Statistics Enabled: check

Guid Attribute: nsuniqueid

Identity Domain: Blank

No need to modify the Performance tab. Keep it default. Click Save and click Activate Changes. The following message in green would be displayed.

Restart the OBIEE servers after running the ./stop.sh and ./start.sh scripts located at $Oracle_Home/user_projects/domains/bi/bitools/bin.

Once it is started to validate if LDAP authentication is correctly setup, search for a particular user id by going back to weblogic console -> ‘mysecurityrealm’ >> Users and Groups >>  Users >> customize this table.

Enter a user id under ‘Criteria’ and hit enter. If LDAP authentication is setup right, you will be able to pull that userid from server:

Enterprise Manager Configuration Changes

The next step is to configure OBIEE to see users from your new LDAP provider in addition to the weblogic internal directory users.  To do this you need to login to the Enterprise Manager with your admin user account

Once logged in, from the Weblogic Domain drop-down menu select Security -> Security Provider Configuration

From the Security Provider Configuration screen expand ‘Security Store Provider’, then expand Identity Store Provider and finally click ‘Configure’

In this screen we need to add a new Custom Property. Click the +Add button.

Then enter a property name of ‘virtualize’ and a value of ‘true’. Then click OK again to save:

Click OK again.

Similarly add one more property of OPTIMIZE_SEARCH = true.

Restart the OBIEE servers after running the ./stop.sh and ./start.sh scripts located at $Oracle_Home/user_projects/domains/bi/bitools/bin.

Object Level Security: Storing Groups in Database

We will look at settings for connecting the system to an external set of database tables that contain the group membership for users authenticated through LDAP.

Pre-Requisites

  • A suitable database schema containing at least one table with the required groups in it, and a mapping table which maps those groups to the names of users authenticated by LDAP must be running and accessible from the WebLogic Server on which Oracle BI EE is running. There is a job which extract User responsibilities which match User Group data from EBS and loads into Data warehouse. Let’s assume that the table name is STT_AUTHORIZATION_GROUPS..
  • Copy the “bi-sql-group-provider.jar” file from the location $ORACLE_HOME/bi/plugins/security to $ORACLE_HOME/wlserver/server/lib/mbeantypes. Stop and Start the entire OBIEE server using the scripts present at $Oracle_Home/user_projects/domains/bi/bitools/bin.

Configure the Data Source

Login into WebLogic Console and click on ‘Services’ >> ‘Data Sources’:

Lock and Edit.

Click New -> generic data source.

Enter the details marked in Red and click Next.

Select the following Driver and click Next.

Click Next.

Enter the following details and click Next.

Check all the details and Test Configuration. It should succeed. Click Next.

Select the target and click Finish.

The datasource will be created.

Next create a BISQLGroupProvider against this JDBC data source.

Configuring the BISQLGroupProvider SQL Authenticator

Go back to Services >> Security Realms >> mysecurityrealms >> Providers. Click New.

Put the name as BIGroups and Type BISQLGroupProvider. Click OK.

Notice ‘control Flag’ under configuration >> common tab for ‘BIGroups’. It should be Optional.

Click on ‘Provider Specific’ tab. This authentication provider is using ‘BIGroupsSource’ as JDBC data source. We will talk about configuring that data source in subsequent screenshots. Please follow pre-requisites for setting ‘BIGroupsSource’ before adding it as data source. Steps are listed in next section.

Data Source JNDIName:JDBC/BIGroupsSource

Group Membership Searching: Unlimited

Max Group Membership Search Level: 0

SQLList Groups:SELECT WEB_GROUP FROM TABLE_NAME WHERE WEB_GROUP LIKE ?

SQLGroup Exists: SELECT WEB_GROUP FROM TABLE_NAME WHERE WEB_GROUP = ?

SQLIs Member: SELECT USERID FROM TABLE_NAME WHERE WEB_GROUP = ? and substr(UPPER(USERID), 2, 6) = substr(UPPER(?), 2, 6)

SQLList Member Groups: SELECT WEB_GROUP FROM TABLE_NAME WHERE SUBSTR (UPPER (USERID), 2, 6) = SUBSTR (UPPER (?), 2, 6)

Descriptions Supported: check

SQLGet Group Description: SELECT WEB_GROUP FROM TABLE_NAME WHERE WEB_GROUP = ?

Save. Go back to Providers List and reorder as below. Activate Changes.

Create custom Application Roles and assign them to Groups using EM

We have three custom groups GPS_AUTHOR, GPS_ADMIN and GPS_CONSUMER. Now we need to assign them application roles.

Login into Oracle Enterprise Manager.

Expand Weblogic Domain tree on left hand side.

Select Security -> Application Roles.

By default we have three application roles that come with the installation and one superuser: weblogic.

Here create three custom application roles ‘GPS_ADMIN’, ‘GPS_AUTHOR’ and ‘GPS_CONSUMER’ and assign them to respective groups.

Screenshots below show how each custom GPS role is assigned to a GPS group:

GPS_ADMIN role should have same rights has BIServiceAdministrator and GPS_AUTHOR should have BIContentAuthor rights. So assign GPS_ADMIN, GPS_AUTHOR role under box BIServiceAdministrator, BIContentAuthor roles respectively.

Restart the entire OBIEE server.

Validate the Custom Application Roles from  Analytics

Login into analytics using one of the userid authenticated against LDAP and navigate to My Account >> Roles and Catalog Groups. You should see your custom application role here.

Assign permissions to Application Roles using Analytics

Login into analytics using weblogic account and navigate to Administration >> Security >> Manage Privileges.

Here you can assign permissions to individual components to each custom Application Role. It is a self-explanatory process.

6 thoughts on “OBIEE 12c Security: LDAP Authentication and DB Authorization

  1. Hi Avik,

    we’ve configurend both LDAP and BISQLProvider on our enviroment.

    We see DB groups in EM and we can associate them to Application Roles.

    But if we log-in to Analytics with a LDAP user (which are related to a DB group in our SQL tables), under My Account –> Roles and Catalog Groups we didn’t see the Application Role.

    Any Suggestion?

    Thanks in advance.

    Francesco

  2. Avik Dutta Post author

    Hi Francesco,

    Thanks for following my blog. So if I understand correctly the LDAP authentication is working properly since you can login to the BI portal with LDAP credentials.

    Can you please do the following to test it a bit more thoroughly:
    “validate if LDAP authentication is correctly setup, search for a particular user id by going back to weblogic console -> ‘mysecurityrealm’ >> Users and Groups >> Users >> customize this table. Enter a user id under ‘Criteria’ and hit enter. If LDAP authentication is setup right, you will be able to pull that userid from server”

    If this is fine, then make sure you HAVE TAGGED the newly created application roles (with identical names) to the groups being retrieved from database. Make sure you have followed everything precisely mentioned under the section: “Object Level Security: Storing Groups in Database”.

  3. Hi Avik,

    thanks for your reply.

    Yes we have configured correctly our LDAP because users can already access to analytics.

    The problem is to assign users to Application Roles in the SQL Database Tables.

    We tried to create the application roles with the same name of the groups (at database level) but nothing seems to happen.

    We’ve seen, with a SQL profiler, that a query is generated that controls that the connected user are present in our SQL tables. But again if we go to My Account –> Roles and Catalog Groups we didn’t see the Application Role we didn’t see the Application Roles assigned.

    We think (but we are not sure) that a problem could be with the configuration of the bi_sql_groups_adapter_template.xml file.

    In the section “Object Level Security: Storing Groups in Database” of your post we followed everything, also with the oracle documentation: JBDC datasource are working correctly, provider flags are configured correctly.

    Any suggestions?

    Thanks

    Francesco

  4. Avik Dutta Post author

    Its strange because I have done this process following the identical steps and have never faced such problems. I am thinking doing the same in a fresh new environment just to make sure its not or is a problem with the environment or configuration files.

  5. Hi Avik,

    just a question: we’ve see that you’ve not mentioned the bi_sql_groups_adapter_template.xml file in your guide, did you modify it or not?

    Thanks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up