www.deliverbi.co.uk +44 (0)203 005 5244 Email: training@deliverbi.co.uk

Delivering World Class BI Solutions

OBIEE INTRODUCTION TO BASIC SECURITY SETUP – 11G VS 10G

Authors: co founders of DELIVER BI

Krishna Mohan (Projects Director) Shahed Munir (Technical Director)
18th August 2010


Overview
This paper briefly explains the enforcement of basic security in OBIEE 10g and presents the steps to be carried out on OBIEE 11g to achieve the same results. In OBIEE 10g the setup consists of creating users & groups, whereas in OBIEE 11g the setup consists of creating users, groups & roles. The focus of this paper is the introduction of the basic security aspects of OBIEE 11g using 10g as a starting point. The steps required to create users, organise them into groups and enforce data security are addressed in this paper using the following theme:

• Create two users
• Create two groups
• Setup group level filters to restrict the data (using single Answers report) depending on the user region

The standard ‘Paint’ RPD that comes with OBIEE 10g and 11g is used to explain the security setup. In OBIEE 10g, the basic security can be enforced from within the RPD, whereas in OBIEE 11g the security is enforced in the Oracle Weblogic Server 11g Administration Console (henceforth referred to as Weblogic Server) as well as the Oracle Enterprise Manager 11g Fusion Middleware Control (henceforth referred to as OEM) and BI Administrator (henceforth referred to as RPD).

• OBIEE 11g users & groups are created on the Weblogic Server
• Users represent the individuals logging into OBIEE
• A selection of users is represented by Group
• Role is a new concept introduced in OBIEE 11g that can enforce security within the RPD and the Presentation Catalog. Roles do not replace Groups but can co-exist. It should be noted that a Role is a mandatory building block to enforce security in OBIEE 11g

Though usage of Groups is optional in OBIEE 11g, it is strongly recommended to rely on Groups in association with roles to avoid re-starting OEM multiple times.


OBIEE 10g Setup Steps
Step 1: Creation of Group(s)

Login to Oracle BI Administration tool in offline mode and follow the navigation Manage → Security


Create two new users following the navigation Action → New → User

Create two new Groups following the navigation Action → New → Group. Once the Group is created, use the Add button at the bottom of the screen to associate the User created in the earlier step.

Click on the Permissions button in the above picture and navigate to Filters tab.

Click on the Add button to add a filter; you should see the screen given below.

Apply filter of type Logical Table Level and select ‘Region’ field from Markets dimension and click on Select. Click on the three dots under the field Business Model Filter to open up Expression Builder.

Below is the Expression Builder. Type in the text ‘CENTRAL REGION’. Click on OK.

After you have clicked OK you will see the below. Similarly pick up Western Region Group and create a filter with text ‘WESTERN REGION’ for the Region field within the Markets dimension.

Start the BI servers and login to OBIEE as Central_U1 user.

Create a simple Answers report. The data filter is applied at group level to Central regions only to retrieve restricted data. When logged in as Western_U1, the data filter is applied to bring data related to Western Region only. This security setup will restrict the data retrieved by all OBIEE components like analysis reports / Dashboards for any user associated with the Group. Now we will move on to OBIEE 11g and see how we can get the same result.

OBIEE 11g Setup Steps

User Name for this installation is weblogic and can be used to login into all 3 server instances listed below.

Setup and URL:
• WebLogic Console: http://oraclepc:7001/console
• Oracle Enterprise Manager: http://oraclepc:7001/em
• Business Intelligence Enterprise Edition: http://oraclepc:9704/analytics

Weblogic Server Administration Console 11g

Note: Users and Groups are setup in the Weblogic server administrator console 11g. Login to Weblogic Server.

Once logged into the Weblogic server click on Security Realms as displayed in picture below. Options are visible in the left hand side panel once logged in; it is the 4th option down. You will be presented with a screen to select a security realm; the default realm is myrealm. Click on myrealm to continue onto next screen.

This is the screen where we can click on the tabs to set up users and groups for myrealm. Click on the User and Groups tab. The default security provider we will need here is Default Authenticator. We can start setting up a group. Click on the Groups tab. Groups are containers to hold users. You can create as many groups as you like as in “central group”, “northern group” etc. Click on New to create a group.

Fill in the relevant details to create a group. Name of a group could be anything but we went with Centralgroup to control users who are eligible to see certain data sets or dashboards, reports etc. When the required details are entered, click OK and you will return to earlier screen and you will see the Users tab. Click on the Users tab. This is where we can set up users that can access Dashboards and Reports etc. Click on New to create a new user.

Here you can create a user. Fill in user name / password etc., click OK. Remember a user can login to OBIEE whether they are in a group or not.

You will arrive back at the previous screen. Click on Users Tab.

Click on the user name you created. This will take you to a user settings screen. On this screen click on the groups tab and assign the group you created earlier. Click Save. That’s it, you have set up users and groups. It is as simple as setting up a user and assigning the user to a group. You can keep creating as many users as you like and assign them to this group. Even if you do not assign users to a group, they will still work in OBIEE. But it will make life a lot easier if you utilise groups when it comes to setting up the OEM Authentication further on in this paper. The good thing about the Weblogic server is that once you have set up users and groups you don’t have to stop or start the BI Services.

Next steps are to set up a role. A role is visible at RPD level so that you can filter data etc. and is also available at the Catalogue level so that you can control security on dashboards and reports etc.

OEM Enterprise Manager

Go to http://oraclepc:7001/em. This could be the default URL for your OEM. The enterprise manager console is used to upload an RPD, restart BI services, create roles (Roles that can be accessed in the RPD and catalogues) as well as other administration tasks. Login to OEM (Oracle Enterprise Manager Fusion Edition).

Once logged in you will see a panel on the far left of the screen. Click on + on Business Intelligence; this will drop down and display coreapplication. You will be presented with the screen below. Here you can see you are on the overview tab. You can start and stop BI services from here. Click on Restart services; this will restart your services. Make sure it is coming back with 100% once all services have started, as in the screenshot below.

Now that services are ok and refreshed we can click on the security tab. Once clicked this will bring up a screen where we can start setting up roles. Here you will see a small navigation link called configure and manage application roles. Click on configure and manage application roles.

As you can see all the default roles are displayed. We can cover default roles at a later date. But I can tell you that BI Consumer is given to all users by default. Click on Create. Once you click on Create, a screen will open where we can create a new role. A role can be assigned to a user or a group. Note the BI Server will require a restart every time a role is created. But you don’t want to restart the server every time you add a user. This is where our group that we set up in the Weblogic server comes in handy. So add a group, and the users can be added at Weblogic server level to the Group so no restart is needed.

In the create application role screen start creating a role. Fill in Role name and scroll down the page and add the group we created earlier on. Once complete click OK. After a role is created you will need to restart the BI server so that the role is captured automatically when the BI server is restarting. Click OK. Once the BI server has restarted the role(s) and users will be visible in the RPD in online mode only. You can however check them out in online mode and check them in and they will be available in offline mode too within the BI Administrator. The role will also be visible in the Catalogue Manager for dashboards etc. Below is an example in the administrator RPD on how we can control the data using a filter the same as OBIEE 10g.

Open BI Administrator IN ONLINE MODE (Blue Folder is online mode) and fill in the required connection information.

Ensure the roles are visible in the BI Administrator by going to tool bar at top and selecting Manage → Identity → Click on Application Roles Tab. As you can see the roles we created in the OEM have now appeared here after the BI Services were restarted. Users created in the Weblogic server can also be viewed in BI Administrator. Note Groups created in Weblogic cannot be viewed here. Best Practice is to use Roles.

Check users to see if they are assigned to the relevant roles that the groups were assigned to in OEM by double clicking the user in BI Administrator. Ensure that the appropriate roles are displayed with the tick for the chosen User. Note that BIConsumer is a default role as mentioned earlier. Users are members of a Group created in Weblogic. The Group is associated with a Role in OEM. Using these associations, a user will be connected to a Role (through Group membership). In BI Admin, for a User you can only see the affiliated Roles and will not be able to see Groups.

User → Group → Role

Click on Cancel.

We will arrive back to the users tab then click on the application roles tab. As the roles are now visible in the RPD we can start creating filters on the role to condition the data. Double click the relevant role. It will ask you to check out. Click Yes as we need to edit the role to add a filter.

Double click the role again and you can now click on the Permissions Tab.

This will open a window which is used to create the filter similar to that of 10g; just click on the green + and away you go. Add a field from Physical Table Layer by clicking on the green +.

Field has been added. Click onto the Data Filter field. Then click the Calculator style icon to start building the restriction in expression builder if required.

Fill in the condition required to restrict data. Click OK and your filter has been set to restrict data at Role Level. Keep clicking OK till you get back to the Main BI Administration screen. Check Roles back in to Online RPD. While checking in your RPD, if you get an ERROR NQS : 37005 Transactional update failed, close RPD and restart your BI services. Log back in ONLINE mode and then repeat the steps above to create your filters. This should resolve the issue. These filters can be set in offline mode once your BI Server is down. Roles created can also be viewed within the Catalogue Manager in OBIEE.

Remember: User has a group and group has a role. You can now assign users to a group and your data in Analysis and dashboards will be filtered as in OBIEE 10g.

We can now login to OBIEE as the user we created, centraluser, and the data set will be restricted to only central regions. If we login as weblogic with no filters we can see all the data.

That’s it. You now know how to set up a user, group and role within OBIEE 11g and set up filters to restrict data.
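The User → Group → Role chain means a user's row-level restriction exists only if some group or direct role assignment leads to a role that carries a filter. The Python below is an added example (not from the original paper, and not an OBIEE API) that resolves the chain and lists users left without any data filter; the mappings are constructed sample data, and Westerngroup, westernuser, newuser, CentralRole and WesternRole are hypothetical names.

```python
# Added example: models User -> Group -> Role -> data filter resolution.
# All mappings are constructed sample data, not exported from a real system.
DEFAULT_ROLE = "BIConsumer"  # per the paper, given to all users by default

# Weblogic Server: users and group membership (newuser is in no group)
ALL_USERS = {"centraluser", "westernuser", "newuser", "weblogic"}
GROUP_MEMBERS = {
    "Centralgroup": {"centraluser"},
    "Westerngroup": {"westernuser"},   # hypothetical group and user
}

# OEM: application role -> members; a role can hold groups or users
ROLE_MEMBERS = {
    "CentralRole": {"groups": {"Centralgroup"}, "users": set()},
    "WesternRole": {"groups": {"Westerngroup"}, "users": set()},
}

# RPD: data filter attached to each role (expression text is illustrative)
ROLE_FILTERS = {
    "CentralRole": "Markets.Region = 'CENTRAL REGION'",
    "WesternRole": "Markets.Region = 'WESTERN REGION'",
}

def roles_for(user):
    """Roles reached directly or through group membership, plus the default."""
    groups = {g for g, members in GROUP_MEMBERS.items() if user in members}
    roles = {DEFAULT_ROLE}
    for role, members in ROLE_MEMBERS.items():
        if user in members["users"] or groups & members["groups"]:
            roles.add(role)
    return roles

def filters_for(user):
    """Data filters that apply to the user through any of their roles."""
    return sorted(ROLE_FILTERS[r] for r in roles_for(user) if r in ROLE_FILTERS)

def unfiltered_users(expected=frozenset()):
    """Users with no role-level filter who are not expected to be unrestricted."""
    return sorted(u for u in ALL_USERS
                  if not filters_for(u) and u not in expected)

if __name__ == "__main__":
    for u in sorted(ALL_USERS):
        print(u, sorted(roles_for(u)), filters_for(u) or "no data filter")
    # weblogic is the administrator and is expected to see all data
    print("needs review:", unfiltered_users({"weblogic"}))
```

Here newuser can log in but reaches only BIConsumer, so no role-level filter in this setup restricts its rows; a periodic check of this kind catches accounts created without a group assignment.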

Email us now for in depth training courses in OBIEE 11g. Any questions or queries: Email: training@deliverbi.co.uk Phone: +44 (0)203 0055244 WWW.DELIVERBI.CO.UK
