An overview on OBIEE11g Security Setup
OBIEE security consists of 2 parts:
• Security Infrastructure setup (done from the WLS Console and EM)
Here we define the Application Roles and assign them privileges (that is, associate an Application Role with an Application Policy). An Application Role is created based on our security needs and is used for grouping users, so that a group security policy can be defined.
• Data and Object security setup (done from the rpd file)
To restrict users from seeing tables/columns, or to filter the data they see, we need to have object and data security in place. This is done from the rpd file. This is the most important step in the security implementation.
Let's see the steps involved in security implementation.
Security Infra setup
We will define a user and a group in WebLogic Server.
Log on to the WebLogic Server (WLS) console (URL http://localhost_ip:7001/console)
This is the home page of the WLS console
Click on Security Realms
In the Security Realms page, click on “myrealm”
Go to “Users and Groups” tab > “Groups” > New and add a new WLS group called DieselModelViewers_WLS
Go to “Users and Groups” tab > “Users” > New and add a new user called diesel_user
Associate diesel_user with the DieselModelViewers_WLS group
Next, log on to Enterprise Manager (URL http://localhost_ip:7001/em)
Navigate to Business Intelligence > coreapplication > Business Intelligence Instance > Security > Application Role
Create a new Application Role to be used for our data and object security by clicking on New.
Name the Application Role DieselModelViewers
Then click on
Associate this Application Role with the WLS group DieselModelViewers_WLS created earlier
Object and Data Security Setup
Log in to the rpd and click Manage > Identity
Go to the Application Roles tab and check that the newly created Application Role “DieselModelViewers” is visible
Click on the Permissions button
We can now define a new data filter for the DieselModelViewers group, click on
Define a new security filter for the above Application Role as shown above.
Data security is done; next, let's see object security.
We want to hide the presentation table WB_TEST from members of the DieselModelViewers Application Role, like diesel_user. Double-click the WB_TEST table and the above window opens up; click on Permissions. Deny permission to DieselModelViewers by clicking No Access. This will restrict diesel_user from seeing the WB_TEST table in his subject area.
Next, log in to the Answers/Analysis page.
Let's check a report that has all fuel types. Since an admin user can see all fuel types, we will view it as the weblogic user.
As we see, here the report is not restricted based on fuel type.
Let's log in as diesel_user
Try to access the subject area (now we can only access the subject area, but can't create a report, because of the BIConsumer privilege)
We don't see the WB_TEST presentation table, due to object security
We also don't see the fuel types other than DIESEL, due to data security
The nqquery.log shows that the DIESEL filter is added on to the select statement, which confirms that data security is working.
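The nqquery.log check above can be repeated automatically over every logged query. The script below is an added example, not part of the original post. It assumes a simplified, constructed log layout, and the names DEMO_DB, CAR_SALES, REGIONS and FUEL_TYPE are hypothetical:

```python
import re

# Constructed sample loosely modeled on nqquery.log; the real layout varies by
# OBIEE version and log level. DEMO_DB, CAR_SALES and FUEL_TYPE are hypothetical.
SAMPLE_LOG = """\
[2013-01-10T09:00:01] [TRACE:2] [username: weblogic] ---- Sending query to database named DEMO_DB:
select T1.FUEL_TYPE as c1, sum(T1.UNITS) as c2
from CAR_SALES T1
group by T1.FUEL_TYPE
[2013-01-10T09:05:42] [TRACE:2] [username: diesel_user] ---- Sending query to database named DEMO_DB:
select T1.FUEL_TYPE as c1, sum(T1.UNITS) as c2
from CAR_SALES T1
where ( T1.FUEL_TYPE = 'DIESEL' )
group by T1.FUEL_TYPE
[2013-01-10T09:06:10] [TRACE:2] [username: diesel_user] ---- Sending query to database named DEMO_DB:
select T2.REGION as c1 from REGIONS T2
[2013-01-10T09:07:13] [TRACE:2] [username: diesel_user] ---- Sending query to database named DEMO_DB:
select T1.FUEL_TYPE as c1, T1.MODEL as c2
from CAR_SALES T1
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\].*\[username: (?P<user>[^\]]+)\].*Sending query to database")
FILTERED_TABLE = re.compile(r"\bCAR_SALES\b", re.IGNORECASE)      # table the filter protects
FILTER = re.compile(r"FUEL_TYPE\s*=\s*'DIESEL'", re.IGNORECASE)   # predicate the filter adds

def physical_queries(log_text):
    """Return [(timestamp, user, sql)] for each physical query in the log."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [m["ts"], m["user"], ""]
            entries.append(current)
        elif line.startswith("["):
            current = None              # an unrelated log entry ends the SQL body
        elif current is not None:
            current[2] += line + "\n"
    return [tuple(e) for e in entries]

def unfiltered_queries(log_text, restricted_users):
    """Queries by restricted users that hit the protected table without the filter."""
    return [(ts, user) for ts, user, sql in physical_queries(log_text)
            if user in restricted_users and FILTERED_TABLE.search(sql) and not FILTER.search(sql)]

if __name__ == "__main__":
    for ts, user in unfiltered_queries(SAMPLE_LOG, {"diesel_user"}):
        print(f"{ts} {user}: query reached CAR_SALES without the DIESEL filter")
```

A flagged entry means a restricted user's query reached the protected table without the predicate, which points at the role membership or the filter definition in the rpd.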