1 / 55

OBIEE Technical Conference

OBIEE Technical Conference. Security Overview Dan Malone. Session Overview.

wmindy
Download Presentation

OBIEE Technical Conference

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OBIEE Technical Conference Security Overview Dan Malone

  2. Session Overview This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft security is used to drive security in the data warehouse and OBI. We will discuss OBI privileges and object permissions and how we modeled our security for Dashboards and Answers. We will also provide a brief overview on how we implemented CAS authentication and Single Sign On.

  3. Security From 30,000 Feet • Identification • Authentication • Authorization • Audit

  4. Consistent Security Across Applications • PeopleSoft • Data Warehouse • OBIEE • BI Server • Presentation Services • Answers • Dashboards

  5. Identification/Authentication • Identification • Common USERNAME across all • Authentication • Web Single Sign-On (CAS) • PeopleSoft • OBIEE Presentation Services

  6. CAS Integration with OBI • Need slides from David K.

  7. CAS Integration OC4J Servlet Container Soulwing CAS Client http://www.soulwing.org/ Gets USERNAME into Session Cal Poly Developed Filter Copies Session USERNAME into Request Header REMOTE_USER OBI Single Sign-On Tells OBI to get REMOTE_USER from Request Header

  8. Single Sign-On • Create Impersonator Admin account in Repository • USER Session Variable • Session Initialization Block select lower(':USER') from dual

  9. Issues with Web Single Sign-On • Can not use database security • Proxy User • How to perform administrative tasks • Include a local Role in Presentation Server Administrators • Method to login as Administrator user • Password on URL https://server/analytics/saw.dll?nquser=Administrator&nqpassword=<password>

  10. Authorization • Privileges • Web Catalog • Objects • Permissions • Groups

  11. Authorization: Privileges • Access • Admin • Catalog • Dashboards • Answers • My Account • Subject Area XXXX • View XXXX

  12. Privileges: Things to Remember • Most default to Everyone • Don’t remove Personal Storage before creating a default Dashboard • New Subject Area will not show up until someone starts Answers • Privileges can not be migrated

  13. Privileges: Demo DEMO

  14. Authorization: Web Catalog Objectsfor Dashboards • Folder • Dashboard • Page • Request

  15. Authorization: Web Catalog Objectsfor Answers • Subject Area • Folder • Request

  16. Authorization: Web Catalog Permissions • No Access • Traverse • Read • Change/Delete • Full Control

  17. Authorization: Groups • BI Server/Repository Security • Groups • Presentation Services Security • Web Groups

  18. Authorization: Groups PeopleSoft Finance Roles Consolidated Roles Tables Data Warehouse Roles PeopleSoft HCM Roles BI Server Groups Presentation Services Web Groups Other Application Roles

  19. Groups via Session Variables: Step 1 • Set up Oracle Table/View for Groups

  20. PAUSE – Session Variables Tables Groups v Other Variables Display Name Email Address Session Variables

  21. Groups via Session Variables: Step 2 • Session Initialization Block • Row-wise initialization • No Caching • Execution Precedence select name, value from dwadmin.obiee_session_variables where cp_username = lower(':USER')

  22. Session Variables Initialization Block

  23. Groups via Session Variables: Step 3 • Create OBI Groups • BI Server • Group • Presentation Services • Web Group

  24. Groups: Things to Remember • Do not manually grant BI Server Groups to Users • Group and Web Group must be exactly the same name

  25. Groups: Demo DEMO

  26. Authorization: Dashboards • Create a folder for each Subject Area • Create a sub-folder for each Page • Requests • Each Dashboard has the same permissions • Each Page on the Dashboard has the same permissions

  27. Authorization: Things to Remember • Object Owner ALWAYS has Full Control • Set Owner to Administrator • Permission Inheritance… Sort of. • Apply changes to sub-folders • Web Based Tool Default: YES • Windows Based Tool Default: NO • Special user: System Account

  28. Recommendations • Keep it simple! • Assign permissions to groups only • Assign permissions at the folder level • Everything in a folder has the same permissions

  29. Authorization: Demo DEMO

  30. Row Level Security • What data drives Row Level Security? • PeopleSoft DEPTID

  31. Row Level Security: Step 1 • Create Oracle Table/View for DEPTIDs

  32. PAUSE – Session Variables Tables Groups v Other Variables Display Name Email Address Session Variables HRDEPTIDs FinanceDEPTIDs Finance FUNDs

  33. Session Variables Table

  34. Row Level Security: Step 2 • Session Initialization Block • Same initialization block that we used for GROUPS • If done this way, the initialization block does not need to change

  35. Row Level Security: Step 3 • Open the Logical Data Source • In the business model layer, not the physical layer

  36. Row Level Security: Step 4 • Add the appropriate where statement to limit rows based on the new session variable. • Use the expression builder to generate the code. • Since the HR_DEPTID is a dynamic session variable, it does not show up in the list of available variables. • Select the USER variable to generate the code, then change the variable name to HR_DEPTID.

  37. Row Level Security: Demo DEMO

  38. Become Another User • See what a dashboard looks like when a different user logs in • Don’t as for their password! • All security is now based on session variables coming from Oracle tables • When a user logs in we can change everything about them • Exceptions • Cannot change a persons username • Object owner always has full control

  39. PAUSE – Session Variables Tables Groups v Other Variables Display Name Email Address Session Variables v HRDEPTIDs Session Variables Security Override FinanceDEPTIDs Finance FUNDs

  40. Security Override Table • Simple table with two columns • CP_USERNAME • BECOME_CP_USERNAME

  41. Become Another User: Demo DEMO

  42. Security Audit • WARNING http://propellerheadhats.com/

  43. Security Audit – Requirements • Need an easy way to find differences between two web catalogs • Users • Groups • Permissions • Privileges • Check ownership of Web Catalog Objects • We want to know why it works the way it does

  44. Security Audit – Has it been done before? • Built-In? • NO! • Consultants • “That’s been an internal challenge for us and we haven't been able to locate the files where that is stored” • Google • No Luck…

  45. Security Audit • Web Catalog is just files and folders on the OS file system • File/Folder name is based on OBI display name • URL encoded and lower case • Object Name => object+name • Every file and folder of the catalog has an associated “.atr” file • object+name • object+name.atr

  46. Security Audit • Binary Files • Linux command to hex dump a binary file • xxd $xxd presentation+server+administrators 0000000: 0200 017c bc61 aacd bb2a 8a ...\|.a...*. $xxd presentation+server+administrators.atr 0000000: 8000 0c00 2200 0000 7072 6573 656e 7461 ...."...presenta 0000010: 7469 6f6e 2073 6572 7665 7220 6164 6d69 tion server admi 0000020: 6e69 7374 7261 746f 7273 0600 01ff ffff nistrators...... 0000030: ffff ffff ff01 0001 feff ffff ffff ffff ................ 0000040: 0300 0000 0e00 0000 6163 636f 756e 7469 ........accounti 0000050: 6e64 6578 2131 0200 0000 0000 0000 ndex!1........

  47. Security Audit – Users and Groups • Users • <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu • <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu.atr • Groups • <catalog_root>/system/security/groups/523/presentation+server+administrators • <catalog_root>/system/security/groups/523/presentation+server+administrators.atr • Account IDs • <catalog_root>/system/accountids/699/32539c1d5ffdb65b • <catalog_root>/system/accountids/699/32539c1d5ffdb65b.atr

  48. Security Audit – Privileges • <catalog root>/system/privs • /catalog • /changepermissionsprivilege • /changepermissionsprivilege.atr • /maintenancemodeprivilege • /maintenancemodeprivilege.atr • /generalprivs • /global+admin • /global+admin.atr • /global+answers • /global+answers.atr • /global+portal • /global+portal.atr • /security • /administerprivs • /administerprivs.atr • /takeownershipprivs • /takeownershipprivs.atr • /… • /…

  49. Security Audit – Privileges • privilege file • The number of accounts granted this privilege is located at byte 12. • The account list starts at byte 13. • Each account listed contains 13 bytes • The first 2 bytes always seems to be 00 01 • The next 8 bytes are the HEX ID of the account • The next 2 bytes determine if the privilege is granted or explicitly denied • FF FF - Granted (for the first entry in the list) • 01 00 - Granted (for other entries in the list) • 00 00 - Explicitly denied • The next byte always seems to be 00 • privilege.atr file • Byte 5 contains the length of the display name. • Byte 9 is where the display name starts.

  50. Security Audit – Permissions • object+name.atr file • Byte 4 Contains the length of the object name that starts on Byte 8 • Byte 8 Start of the name of the object in nice form, including caps and spaces. • Byte (11 + value of Byte 4) - Contains the HEX ID of the owner of this object - 8 Bytes • Byte (19 + value of Byte 4) - Contains the number of permissions that have been assigned, in our case to groups. • Next, each of the permission is represented in a 13 byte block. • The first 2 bytes seems to always be 00 01 • The next 8 bytes of the 12 byte block contains the HEX ID of the user or group. • The next 2 bytes of the 12 byte block contains the permission granted. • FF FF - Full Control • 0F 00 - Change/Modify • 03 00 - Read • 02 00 - Traverse • 00 00 - No Access • The last byte seems to always be 00

More Related