OBIEE INTRODUCTION TO BASIC SECURITY SETUP 11G VS 10G

Delivering World Class BI Solutions

Authors: co-founders of DELIVER BI, Krishna Mohan (Projects Director) and Shahed Munir (Technical Director)

18th August 2010

www.deliverbi.co.uk | +44 (0)203 005 5244 | Email: [email protected]

    Overview

    This paper briefly explains the enforcement of basic security in OBIEE 10g and presents the steps to be carried out on OBIEE 11g to achieve the same results.

    In OBIEE 10g the setup consists of creating users and groups, whereas in OBIEE 11g the setup consists of creating users, groups and roles.

    The focus of this paper is the introduction of the basic security aspects of OBIEE 11g using 10g as a starting point. The steps required to create users, organise them into groups and enforce data security are addressed in this paper using the following theme:

    • Create two users
    • Create two groups
    • Set up group-level filters to restrict the data (using a single Answers report) depending on the user region

    The standard Paint RPD that comes with OBIEE 10g and 11g is used to explain the security setup.

    In OBIEE 10g, the basic security can be enforced from within the RPD, whereas in OBIEE 11g the security is enforced in the Oracle Weblogic Server 11g Administration Console (henceforth referred to as Weblogic Server) as well as the Oracle Enterprise Manager 11g Fusion Middleware Control (henceforth referred to as OEM) and BI Administrator (henceforth referred to as RPD).

    • OBIEE 11g users and groups are created on the Weblogic Server
    • Users represent the individuals logging into OBIEE
    • A selection of users is represented by a Group
    • Role is a new concept introduced in OBIEE 11g that can enforce security within the RPD and the Presentation Catalog. Roles do not replace Groups but can co-exist. It should be noted that a Role is a mandatory building block to enforce security in OBIEE 11g
    • Though usage of Groups is optional in OBIEE 11g, it is strongly recommended to rely on Groups in association with Roles to avoid restarting OEM multiple times

    OBIEE 10g Setup Steps

    Step 1: Creation of Group(s)

    Log in to the Oracle BI Administration tool in offline mode and follow the navigation Manage > Security.

    Create two new users following the navigation Action > New > User.

    Create two new Groups following the navigation Action > New > Group. Once the Group is created, use the Add button at the bottom of the screen to associate the User created in the earlier step.

    Click on the Permissions button and navigate to the Filters tab.

    Click on the Add button to add a filter.

    Apply a filter of type Logical Table Level, select the Region field from the Markets dimension and click on Select.

    Click on the three dots under the field Business Model Filter to open up the Expression Builder.

    In the Expression Builder, type in the text CENTRAL REGION.

    Click on OK.

    After you have clicked ok you will see the below.

    Similarly, pick the Western Region Group and create a filter with the text WESTERN REGION for the Region field within the Markets dimension.

    Start the BI servers and log in to OBIEE as the Central_U1 user.

    Create a simple Answers report.

    The data filter is applied at group level, so only data for the Central region is retrieved.

    When logged in as Western_U1, the data filter is applied to bring back data related to the Western Region only.

    This security setup will restrict the data retrieved by all OBIEE components, such as analysis reports and dashboards, for any user associated with the Group.

    We will now move on to OBIEE 11g and see how we can get the same result.

    OBIEE 11g Setup Steps

    The user name for this installation is weblogic, and it can be used to log in to all 3 server instances listed below.

    Setup                                      URL
    WebLogic Console                           http://oraclepc:7001/console
    Oracle Enterprise Manager                  http://oraclepc:7001/em
    Business Intelligence Enterprise Edition   http://oraclepc:9704/analytics

    Weblogic Server Administration Console 11g

    Note: Users and Groups are set up in the Weblogic Server Administration Console 11g.

    Log in to the Weblogic Server.

    Once logged in to the Weblogic Server, click on Security Realms. It is the 4th option down in the left-hand side panel that is visible once logged in.

    You will be presented with a screen to select a security realm; the default realm is myrealm. Click on myrealm to continue to the next screen.

    This is the screen where we can click on the tabs to set up users and groups for myrealm. Click on the Users and Groups tab.

    Click on the Groups tab. We can start setting up a group. The default security provider we will need here is Default Authenticator. You can create as many groups as you like, for example a central group, a northern group and so on. Groups are containers to hold users. Click on New to create a group.

    Fill in the relevant details to create a group. The name of a group could be anything, but we went with Centralgroup to control users who are eligible to see certain data sets, dashboards, reports etc.

    When the required details are entered, click OK. You will return to the earlier screen, where you will see the Users tab. Click on the Users tab. This is where we can set up users that can access dashboards, reports etc. Click on New to create a new user.

    Here you can create a user.

    Remember that a user can log in to OBIEE whether they are in a group or not. Fill in the user name, password etc. and click OK.

    You will arrive back at the previous screen. Click on the Users tab.

    Click on the user name you created. This will take you to a user settings screen. On this screen, click on the Groups tab and assign the group you created earlier. You can keep creating as many users as you like and assign them to this group. Even if you do not assign users to a group, they will still work in OBIEE, but it will make life a lot easier if you utilise groups when it comes to setting up the OEM authentication further on in this paper. Click Save.

    That's it, you have set up users and groups. The good thing about the Weblogic Server is that once you have set up users and groups you don't have to stop or start the BI Services. It is as simple as setting up a user and assigning the user to a group.

    The next step is to set up a role. A role is visible at RPD level, so that you can filter data, and is also available at the Catalogue level, so that you can control security on dashboards, reports etc.

    OEM Enterprise Manager

    Go to http://oraclepc:7001/em. This could be the default URL for your OEM.

    The Enterprise Manager console is used to upload an RPD, restart BI services and create roles (roles that can be accessed in the RPD and catalogues), as well as for other administration tasks.

    Log in to OEM (Oracle Enterprise Manager Fusion Edition).

    Once logged in, you will see a panel on the far left of the screen. Click on the + next to Business Intelligence; this will drop down and display the core application. You will be presented with the Overview tab, from which you can start and stop BI services. Click on Restart services to restart your services, and make sure it comes back with 100% once all services have started.

    Now that the services are OK and refreshed, we can click on the Security tab. Here you will see a small navigation link called "Configure and Manage Application Roles". Click on it to bring up a screen where we can start setting up roles.

    As you can see, all the default roles are displayed. We can cover default roles at a later date, but I can tell you that BI Consumer is given to all users by default. Once you click on Create..., a screen will open where we can create a new role. Note that the BI Server will require a restart every time a role is created. This is where the group that we set up in the Weblogic Server comes in handy. A role can be assigned to a user or a group, but you don't want to restart the server every time you add a user. So add a group to the role; users can then be added to the Group at Weblogic Server level, and no restart is needed.

    Click on Create...

    In the Create Application Role screen, start creating a role. Fill in the role name, scroll down the page and add the group we created earlier on. Once complete, click OK. After a role is created you will need to restart the BI Server, so that the role is captured automatically while the BI Server is restarting. Click OK.

    Once the BI Server has restarted, the role(s) and users will be visible in the RPD in online mode only. You can, however, check them out in online mode and check them in, and they will then be available in offline mode too within the BI Administrator.

    The role will also be visible in the Catalogue Manager for dashboards etc. Below is an example in the administrator RPD of how we can control the data using a filter, the same as in OBIEE 10g.

    Open BI Administrator in ONLINE mode (the blue folder is online mode) and fill in the required connection information.

    Ensure the roles are visible in the BI Administrator by going to the tool bar at the top and selecting Manage > Identity. Click on the Application Roles tab.

    As you can see, the roles we created in the OEM have now appeared here after the BI Services were restarted.

    Users created in the Weblogic Server can also be viewed in BI Administrator. Note that Groups created in Weblogic cannot be viewed here. Best practice is to use Roles.

    Check that users are assigned to the relevant roles, that is, the roles the groups were assigned to in OEM, by double-clicking the user in BI Administrator.

    Users are members of a Group created in Weblogic. The Group is associated with a Role in OEM. Using these associations, a user is connected to a Role (through Group membership). In BI Admin, for a User you can only see the affiliated Roles and will not be able to see Groups. Ensure that the appropriate roles are displayed with a tick for the chosen User. Note that BIConsumer is a default role, as mentioned earlier. Click on Cancel.

    User → Group → Role

    We will arrive back at the Users tab; then click on the Application Roles tab.

    As the roles are now visible in the RPD, we can start creating filters on the role to condition the data.

    Double-click the relevant role. It will ask you to check out. Click Yes, as we need to edit the role to add a filter.

    Double click the role again and you can now click on the Permissions Tab

    This will open a window which is used to create the filter, similar to that of 10g.

    Add a field from Physical Table Layer by clicking on the green +.

    The field has been added. Click on the Data Filter field, then click the calculator-style icon to start building the restriction in the Expression Builder if required.

    Fill in the condition required to restrict data.

    Click OK and your filter has been set to restrict data at Role level. Keep clicking OK until you get back to the main BI Administration screen. Check the Roles back in to the online RPD.

    While checking in your RPD, if you get an ERROR NQS : 37005 Transactional update failed, close the RPD and restart your BI services. This should resolve the issue. Log back in using ONLINE mode and then repeat the steps above to create your filters. These filters can be set in offline mode once your BI Server is down.

    Remember: a user has a group and a group has a role. You can now assign users to a group, and your data in Analysis and dashboards will be filtered as in OBIEE 10g.

    Roles created can also be viewed within the Catalogue Manager in OBIEE.

    We can now log in to OBIEE as the user we created, centraluser, and the data set will be restricted to only the central regions.

    If we log in as weblogic, with no filters, we can see all the data.

    That's it. You now know how to set up a user, group and role within OBIEE 11g and set up filters to restrict data.
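
    The user → group → role → filter chain described in this paper can be checked offline. The following is an added example, not part of the original paper and not Oracle code: it models the associations with constructed data and lists accounts that can log in but inherit no data filter, such as weblogic or a user not yet placed in a group. The role names CentralRole and WesternRole, the group Westerngroup and the users westernuser and newstarter are hypothetical.

```python
# Constructed sample data mirroring the paper's 11g setup (names partly hypothetical).
GROUP_MEMBERS = {                      # Weblogic Server: group -> users
    "Centralgroup": {"centraluser"},
    "Westerngroup": {"westernuser"},
}
ROLE_GROUPS = {                        # OEM: application role -> member groups
    "CentralRole": {"Centralgroup"},
    "WesternRole": {"Westerngroup"},
}
ROLE_FILTERS = {                       # RPD: application role -> allowed Region values
    "CentralRole": {"CENTRAL REGION"},
    "WesternRole": {"WESTERN REGION"},
}
ALL_USERS = {"centraluser", "westernuser", "weblogic", "newstarter"}
ROWS = [                               # constructed report rows
    {"Region": "CENTRAL REGION", "Dollars": 100},
    {"Region": "WESTERN REGION", "Dollars": 250},
    {"Region": "EASTERN REGION", "Dollars": 75},
]

def roles_for(user):
    """Resolve user -> group -> role; BIConsumer is granted to every user."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    roles = {r for r, member_groups in ROLE_GROUPS.items() if member_groups & groups}
    return roles | {"BIConsumer"}

def allowed_regions(user):
    """Return the permitted Region values, or None when no data filter applies."""
    filters = [ROLE_FILTERS[r] for r in roles_for(user) if r in ROLE_FILTERS]
    if not filters:
        return None                    # no filtered role: nothing restricts the data
    # Assumption: filters inherited from several roles are combined with OR.
    return set().union(*filters)

def visible_rows(user):
    """Rows the user would see in a report over ROWS."""
    regions = allowed_regions(user)
    return [row for row in ROWS if regions is None or row["Region"] in regions]

def unrestricted_users():
    """Accounts that can log in but inherit no data filter; review these."""
    return sorted(u for u in ALL_USERS if allowed_regions(u) is None)

if __name__ == "__main__":
    for name in sorted(ALL_USERS):
        print(name, [row["Region"] for row in visible_rows(name)])
    print("no data filter:", unrestricted_users())
```

    Because a user can log in without belonging to any group, the accounts returned by unrestricted_users() are the ones to review after each change to group membership or role mappings.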
