Authorization in Oracle BI Server (OBIEE)

by Deborah Volk on May 5th, 2009

Oracle Business Intelligence Server (BI Server) is a server product in Oracle's Business Intelligence Enterprise Edition Plus (OBIEE) suite. BI Server stores metadata such as business models in its own repository. Naturally, access to the various repository assets needs to be secured. User accounts can be defined explicitly in an Oracle BI repository or in an external source (such as a database table or an LDAP-compliant directory server). Authenticating against an external source is a matter of configuration. Next comes everyone's favorite challenge - authorization.

BI Server uses groups as authorization principals, i.e. membership in a particular group equals access to stuff. Each group can carry explicitly granted privileges or privileges granted implicitly through membership in another group. Users can likewise have privileges granted through membership in groups that in turn have privileges granted through membership in other groups, and so on. (Sounds like a nightmare I had about recursion: I kept having a dream within a dream within a dream...) The challenge is twofold: 1) getting groups into BI Server 2) assigning users to groups.

One option for getting groups in is to define them from scratch in BI Server and manually assign users to these groups. The problem with this option is scale versus effort. For any sizeable deployment of OBIEE with thousands of users, defining groups from scratch is tedious but doable; putting users into those groups by hand is a kiss of death. The conversation between the business departments who will be consuming BI services and the IT folks standing up the infrastructure will go something like this:

Business User: I would like to run a report showing the monthly charge-offs segmented by sales territory and geography.

IT Architect: Sure thing. What groups do you want to have access to this report and what people need to be in those groups?

Business User: Everyone in dept 123 in sales territories A, B and C with manager title or higher.

IT Architect: We don't have such a group...

Business User: ...but I have it in Siebel!!

In other words, somewhere in the enterprise there exists a repository of users and their membership in one or more hierarchies (organizational, geographic, function-specific such as sales territories). In organizations that have deployed an identity management solution, this repository is usually a directory with an LDAP interface. (In organizations that haven't bothered with identity management, Active Directory with 300,000 groups is often encountered as a bottomless catch-all tar pit).

Assuming a directory (clean or stuffed with excess groups) exists, it would be desirable for BI Server to use the groups and the users' group memberships already defined in the directory. BI Server gives you half of this - you can import users and groups, but not users' group memberships, from the directory into the BI Server repository. Once you've imported users and groups, you still have to go through the exercise of assigning users to groups. Moreover, consider what happens when a new employee is hired or an existing employee fired (a user is added to or removed from the directory). You have to re-synchronize the BI Server repository with the directory, and do so on a regular basis. Ouch.

If we can't point to a directory, what can we do? The BI Server's solution to the authorization problem is the lowest common denominator: a database table. That is, you can point the Server to an external database and get the users, groups and users' group memberships from there. Crucially, the Server does not expect an actual table; it merely needs a result set in a certain format from a user-supplied SQL statement. The SQL statement does not have to hit a table at all; it can manufacture the results for all the BI Server cares. So we need to make our directory look like a database table... kind of like a virtual directory, but in reverse. This leads to a "classic" solution for those developing with databases - a PL/SQL stored procedure that calls the directory via the DBMS_LDAP package! Some might call this solution clever, others might call it an ugly kludge. (I've got one foot in each camp.) The BI Server calls the procedure during session initialization, so the user's groups come across whenever the user logs into the BI Server. No need to synchronize anything.
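Here is what that "directory pretending to be a table" looks like in practice. This is an added example and not code from the original post or from Oracle: a PL/SQL pipelined table function that looks up the logged-in user's groups through DBMS_LDAP, followed by the row-wise initialization block SQL that consumes it. The host, port, bind DN, password, search base, attribute name (memberOf, as Active Directory stores it) and the ':USER' placeholder syntax are all assumptions; the names and DNs are constructed for the example.

```sql
-- Added example (not from the original post). A PL/SQL pipelined table function
-- that looks up a BI user's group names in an LDAP directory through DBMS_LDAP,
-- so that a BI Server session initialization block can SELECT from it instead of
-- from a synchronized copy of the groups. Host, port, bind DN, password, search
-- base and attribute names are placeholders (assumptions); in a real deployment
-- read them from a protected configuration table, not from the function body.

CREATE OR REPLACE TYPE group_name_tab AS TABLE OF VARCHAR2(256);
/

CREATE OR REPLACE FUNCTION ldap_groups_for_user(p_user IN VARCHAR2)
  RETURN group_name_tab PIPELINED
AS
  c_host    CONSTANT VARCHAR2(64)  := 'ldap.example.com';                       -- assumption
  c_port    CONSTANT PLS_INTEGER   := 389;                                       -- assumption
  c_bind_dn CONSTANT VARCHAR2(256) := 'cn=bi-reader,ou=svc,dc=example,dc=com';  -- assumption
  c_bind_pw CONSTANT VARCHAR2(64)  := 'change-me';                               -- assumption
  c_base    CONSTANT VARCHAR2(256) := 'ou=people,dc=example,dc=com';             -- assumption
  c_member  CONSTANT VARCHAR2(32)  := 'memberOf';   -- AD-style; other directories differ

  l_ld     DBMS_LDAP.session;
  l_attrs  DBMS_LDAP.string_collection;
  l_msg    DBMS_LDAP.message;
  l_entry  DBMS_LDAP.message;
  l_vals   DBMS_LDAP.string_collection;
  l_parts  DBMS_LDAP.string_collection;
  l_rc     PLS_INTEGER;

  -- RFC 4515 filter escaping. The user name comes from the BI login, i.e. from
  -- the client, so it must never be spliced raw into the search filter; without
  -- this, input such as "*" or "x)(|(uid=" rewrites the filter (LDAP injection).
  FUNCTION esc(p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p,
             '\',    '\5c'),
             '*',    '\2a'),
             '(',    '\28'),
             ')',    '\29'),
             CHR(0), '\00');
  END esc;
BEGIN
  DBMS_LDAP.use_exception := TRUE;   -- raise on error instead of returning a code
  l_ld := DBMS_LDAP.init(c_host, c_port);
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_bind_dn, c_bind_pw);

  -- Ask only for the membership attribute of the person entry for this login.
  l_attrs(1) := c_member;
  l_rc := DBMS_LDAP.search_s(l_ld, c_base, DBMS_LDAP.SCOPE_SUBTREE,
                             '(&(objectClass=person)(uid=' || esc(p_user) || '))',
                             l_attrs, 0, l_msg);

  -- Exactly one entry must match. Zero or several matches fall through and
  -- yield no groups: an ambiguous login name must not inherit anyone's privileges.
  IF DBMS_LDAP.count_entries(l_ld, l_msg) = 1 THEN
    l_entry := DBMS_LDAP.first_entry(l_ld, l_msg);
    l_vals  := DBMS_LDAP.get_values(l_ld, l_entry, c_member);
    IF l_vals.COUNT > 0 THEN
      FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
        -- memberOf holds full group DNs; the BI Server group is named by the
        -- leading RDN value, e.g. "BI_Sales" from "cn=BI_Sales,ou=groups,...".
        l_parts := DBMS_LDAP.explode_dn(l_vals(i), 1);   -- 1 = values without types
        PIPE ROW (l_parts(l_parts.FIRST));
      END LOOP;
    END IF;
  END IF;

  l_rc := DBMS_LDAP.unbind_s(l_ld);
  RETURN;
EXCEPTION
  WHEN OTHERS THEN
    BEGIN l_rc := DBMS_LDAP.unbind_s(l_ld); EXCEPTION WHEN OTHERS THEN NULL; END;
    RAISE;   -- surface directory failures; do not mask them as "user has no groups"
END ldap_groups_for_user;
/

-- Row-wise session initialization block SQL for the GROUP system variable.
-- ':USER' is assumed to be BI Server's placeholder for the logged-in user name
-- in initialization block SQL; the query yields one (variable, value) row per group.
SELECT 'GROUP' AS variable_name, COLUMN_VALUE AS group_name
  FROM TABLE(ldap_groups_for_user(':USER'));
```

Two points worth checking in your own deployment: the bind account only needs read access to the membership attribute, so give it nothing more; and if the directory returns nested groups only one level deep (as memberOf does), transitive membership has to be expanded either by the directory or by a second lookup, which the function above does not attempt.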

This works, but surely there must be a better way of doing this. The root cause is a product limitation, and BI Server will presumably address it at some point. Meanwhile, the best option is to deploy an identity administration solution such as Oracle Identity Manager (OIM). This way you've got all three sets of data covered: 1) users 2) groups 3) users' group memberships. OIM can provision users and groups to the BI Server repository (a separate schema is best), and it can also put users into the provisioned groups inside the BI Server repository. OIM can do this based on one or more sources, be they a directory, an HR master such as PeopleSoft, Oracle HR or SAP, or a combination thereof. OIM keeps the BI Server's repository up to date with respect to these master sources, and the BI Server can do authentication and authorization against it. This achieves the goal of using one or more authoritative sources for storing users, groups and memberships, and having any changes propagate from there to the BI Server.

Problem solved? This is just the beginning. For a measure of the real problem, think about access control as a function of entitlements.


Posted in Oracle Identity Manager, Identity Management, Access Management, Directory Services    Tagged with obiee, entitlements, oim


1 Comment

rss - December 10th, 2010 at 2:19 PM
Actually, I was able to retrieve the group information from AD when the groups a user belongs to were stored in a semicolon-separated format (group1;group2) in an AD attribute other than the memberOf attribute. I used "notes", as that was available. I was able to retrieve the groups using an init block that uses the GROUP system variable, and the LDAP variable equated to that is info (info is the LDAP variable for the notes attribute).
