December 5, 2008
Session Overview
This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft security is used to drive security in the data warehouse and OBI. We will discuss OBI privileges and object permissions and how we modeled our security for Dashboards and Answers. We will also provide a brief overview on how we implemented CAS authentication and Single Sign On.
Identification/Authentication
Identification: a common USERNAME across all systems
Authentication: Web Single Sign-On (CAS)
Systems covered: PeopleSoft, OBIEE Presentation Services
CAS Integration
Single Sign-On
Create an Impersonator Admin account in the Repository
USER session variable, populated by a Session Initialization Block:
select lower(':USER') from dual
Authorization
Privileges
Web Catalog object permissions
Groups
Authorization: Privileges
Privilege categories: Access, Admin, Catalog, Dashboards, Answers, My Account, Subject Area XXXX, View XXXX
Privileges: Demo
Request
Authorization: Web Catalog Permissions
Permission levels: No Access, Traverse, Read, Change/Delete, Full Control
Authorization: Groups
BI Server/Repository Security: Groups
Authorization: Groups
Role sources: PeopleSoft Finance Roles, PeopleSoft HCM Roles, Other Application Roles
These feed the Consolidated Roles Tables, which in turn populate the BI Server Groups
Other Variables (Session Variables)
Display Name
Email Address
Presentation Services: Web Group
Groups: Demo
Authorization: Dashboards
Create a folder for each Subject Area
Create a sub-folder for each Page
Requests:
Each Dashboard has the same permissions
Each Page on the Dashboard has the same permissions
Recommendations
Keep it simple!
Assign permissions to groups only
Assign permissions at the folder level: everything in a folder has the same permissions
Authorization: Demo
Other Variables (Session Variables)
Display Name
Email Address
HR DEPTIDs
Finance DEPTIDs
Finance FUNDs
Session variable rows for one user (one row per NAME/VALUE pair; multi-valued variables such as GROUP and the DEPTIDs simply appear on several rows):

CP_USERNAME           NAME            VALUE
dbrothwe@calpoly.edu  DISPLAYNAME     Debbie
dbrothwe@calpoly.edu  EMAIL           dbrothwe@calpoly.edu
dbrothwe@calpoly.edu  GROUP           ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu  GROUP           ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu  GROUP           BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu  GROUP           WAREHOUSE_USER
dbrothwe@calpoly.edu  HR_DEPTID       100100
dbrothwe@calpoly.edu  HR_DEPTID       100200
dbrothwe@calpoly.edu  FINANCE_DEPTID  122900
dbrothwe@calpoly.edu  FINANCE_DEPTID  122901
dbrothwe@calpoly.edu  FINANCE_FUND    GA002
DEMO
All security is now based on session variables coming from Oracle tables
When a user logs in we can change everything about them
Exceptions:
Cannot change a person's username
Object owner always has full control
DEMO
Security Audit
WARNING
http://propellerheadhats.com/
Check ownership of Web Catalog Objects
We want to know why it works the way it does
Consultants:
"That's been an internal challenge for us and we haven't been able to locate the files where that is stored"
Google: No Luck
Security Audit
The Web Catalog is just files and folders on the OS file system
The file/folder name is based on the OBI display name, URL encoded and lower case:
Object Name => object+name
Every file and folder of the catalog has an associated .atr file:
object+name
object+name.atr
Security Audit
Binary Files
Linux command to hex dump a binary file: xxd

$ xxd presentation+server+administrators
0000000: 0200 017c bc61 aacd bb2a 8a              ...|.a...*.

$ xxd presentation+server+administrators.atr
0000000: 8000 0c00 2200 0000 7072 6573 656e
0000010: 7469 6f6e 2073 6572 7665 7220 6164
0000020: 6e69 7374 7261 746f 7273 0600 01ff
0000030: ffff ffff ff01 0001 feff ffff ffff
0000040: 0300 0000 0e00 0000 6163 636f 756e
0000050: 6e64 6578 2131 0200 0000 0000 0000

(As captured, each line of the .atr dump shows 14 of xxd's 16 bytes per line.) Bytes 5-8 of the .atr file are 22 00 00 00; 0x22 = 34 is the length of "presentation server administrators", whose ASCII bytes (7072 6573 656e ...) start at byte 9.
Groups:
<catalog_root>/system/security/groups/523/presentation+server+administrators
<catalog_root>/system/security/groups/523/presentation+server+administrators.atr
Account IDs:
<catalog_root>/system/accountids/699/32539c1d5ffdb65b
<catalog_root>/system/accountids/699/32539c1d5ffdb65b.atr
Catalog paths:
/
/security
/generalprivs
privilege.atr file
Byte 5 holds the length of the display name; the display name itself starts at byte 9. This is the same layout seen in the group .atr dump: 22 00 00 00 (0x22 = 34 characters) followed by "presentation server administrators".
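The following is an added example, not code from the presentation or from Oracle: it turns the two observations above (file names are the lower-cased, URL-encoded display name; a .atr file carries the display-name length at byte 5 and the name from byte 9) into a small audit script. It assumes the length is a 32-bit little-endian integer, which is consistent with the 22 00 00 00 in the dump but is not documented on the page; the leading bytes 80 00 0c 00 are copied from the dump with no meaning attached to them, and all function names and the sample data are the example's own.

```python
import os
import struct
import urllib.parse

# Offsets taken from the page: "byte 5" is offset 4, "byte 9" is offset 8.
# ASSUMPTION: the length is a 32-bit little-endian unsigned integer
# (22 00 00 00 == 34 == len("presentation server administrators")).
NAME_LEN_OFFSET = 4
NAME_OFFSET = 8
# First four bytes of the page's .atr dump; their meaning is unknown and they
# are only used here to build realistic-looking constructed test data.
HEADER_PREFIX = b"\x80\x00\x0c\x00"


def catalog_file_name(display_name: str) -> str:
    """On-disk name of a catalog object: lower-cased, then URL-encoded
    (quote_plus turns spaces into '+', so 'Object Name' -> 'object+name')."""
    return urllib.parse.quote_plus(display_name.lower())


def build_sample_atr(display_name: str, trailer: bytes = b"\x06\x00\x01\xff") -> bytes:
    """Constructed test data: a .atr blob laid out like the page's hex dump.
    Bytes after the name are opaque to this script and are carried along as-is."""
    name = display_name.encode("latin-1")
    return HEADER_PREFIX + struct.pack("<I", len(name)) + name + trailer


def atr_display_name(data: bytes) -> str:
    """Extract the display name from a .atr blob, rejecting truncated input
    and a length field that points past the end of the file."""
    if len(data) < NAME_OFFSET:
        raise ValueError("atr too short for a header")
    (length,) = struct.unpack_from("<I", data, NAME_LEN_OFFSET)
    end = NAME_OFFSET + length
    if end > len(data):
        raise ValueError(f"name length {length} runs past end of file ({len(data)} bytes)")
    return data[NAME_OFFSET:end].decode("latin-1")


def audit_entries(entries):
    """entries maps on-disk names to the bytes of .atr files (None for the
    objects themselves). Returns (name, finding) pairs for objects with no .atr
    companion, unreadable .atr files, and .atr display names that do not map
    back to the file name they sit beside."""
    findings = []
    for name in (n for n in entries if not n.endswith(".atr")):
        atr = name + ".atr"
        if atr not in entries:
            findings.append((name, "missing .atr"))
            continue
        try:
            display = atr_display_name(entries[atr])
        except ValueError as exc:
            findings.append((name, f"bad .atr: {exc}"))
            continue
        if catalog_file_name(display) != name:
            findings.append((name, f"display name {display!r} does not map to file name"))
    return findings


def audit_catalog_dir(path: str):
    """Audit one real catalog directory, e.g.
    <catalog_root>/system/security/groups/523 (path is whatever you point it at)."""
    entries = {}
    for n in os.listdir(path):
        full = os.path.join(path, n)
        if n.endswith(".atr") and os.path.isfile(full):
            with open(full, "rb") as fh:
                entries[n] = fh.read()
        else:
            entries[n] = None
    return audit_entries(entries)


if __name__ == "__main__":
    # Constructed catalog fragment: one healthy object, one orphan, one mismatch.
    sample = {
        "presentation+server+administrators": None,
        "presentation+server+administrators.atr": build_sample_atr("presentation server administrators"),
        "orphan": None,
        "renamed+thing": None,
        "renamed+thing.atr": build_sample_atr("something else"),
    }
    for name, finding in audit_entries(sample):
        print(f"{name}: {finding}")
```

Run against a real catalog directory with audit_catalog_dir(); the constructed sample in the main block only exercises the three failure modes without touching disk.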
DEMO
Questions?
Contact
OBIEE Technical Conference:
http://polydata.calpoly.edu/dashboards/obiee_conf/index.html
Email: polydata@calpoly.edu