BI Applications Workshop
Fanny Cai
Platform Technology Solutions
2 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
Agenda
BIEE 11g Security Architecture
Security Terminology
Authentication
– User credentials (typically login / password validation)
Authorization
– Obtaining users' application roles using supported
mechanisms
Object Security
– RPD subject area permissions
– Webcat Permissions
Data Security
– Data filters used in RPD for DW data security
BIEE 11g Authentication / Authorization
Out of box integration with Fusion Middleware
Authentication and Authorization are managed by Weblogic
– Weblogic pluggable security architecture leveraged by BIEE
– RPD does not contain users etc.
Weblogic Authentication
– Default “Weblogic Embedded LDAP” authenticator
– Can be configured to use OID, SSO, Active Directory or other
supported authenticators
Weblogic Authorization
– Default is OPSS XML store containing “Application Roles”
– OPSS OID store can be used as alternative
Application Roles
FMW “Application Roles” are the foundation of BI object and data
security
– Application roles carry RPD and WebCat permissions
– Application roles carry data filters
Application Role Lifecycle
– Defined and managed using FMW tools
– Visible and consumed by BIEE
Tools for Configuring Security in a Default
Installation
Relationship with the Default Security Providers
BIApps PS1 Security
Security - PS1 Release Summary
BIApps Role Based Security
RPD
– RPD Subject Area permission assigned to “Application Role(s)”
– RPD Data Filters associated with “Application Role(s)”
Webcat
– Webcat folder permissions assigned to “Application Role(s)”
RPD Admin Tool
– “Application Role(s)” are visible in Admin Tool
Runtime
– User's runtime “Application Role(s)” can be seen under “My Account”
OBIA Catalog & Data Security
End User
Security Groups
HR Reports
PO Reports
BIA DW
Application Roles -
Visible In Admin Tool
Role Based Object Security
Role Based Data Security
Webcat Security – By BI Role
Product / Functional Module security is granted using corresponding duty roles
Webcat Security – BIEE Permissions
OBIA duty roles by default are assigned to BIEE BI Author privilege. The permissions for BI Author can
be reviewed/modified using Manage Privileges page
Users Runtime Roles
BIEE 10g vs. BIEE 11g
BIEE 10g/11g Security
Comparison
Area 10g 11g
11g Security – 10g Support
11g – Upgrade from 10g
The upgrade process from 10g to 11g supports a smoother migration to
11g through the following steps
Supported for default “Weblogic Embedded LDAP”
RPD users are added as users in embedded LDAP
RPD groups are added as groups in embedded LDAP
groups used in security are created as “application roles”
Object and data security is migrated to “application roles”
“Catalog Groups” are not processed by the upgrade – they are
retained in 11g but should be deprecated manually
PS1 Application Role Lifecycle
Application Roles Lifecycle
Roles are defined as FMW seed metadata
Roles are deployed in BIEE environment
Roles can be managed using “Enterprise Manager”
– New tool available out of box for BIEE11g
Roles are seen in RPD and Webcat
RPD and Webcat security is developed using roles
Enterprise Manager
RPD Role Sync Up
Roles can be made visible in RPD in 2 ways
Role first added in FMW
– Define role using Enterprise Manager
– When BI Server starts, role references are copied into RPD
– RPD then retains role information in offline mode as well – enabling
offline security development
Role first added in RPD
– Role can be defined in RPD for security development
– Same role (with *** MATCHING *** name) must be added using
Enterprise Manager
– When RPD is brought online, the FMW and RPD role will match, enabling
security for the role
Webcat Role Sync Up
Role Modifications/Deletions
How Does a User Get Application Roles
11g Security Provisioning
User/Role Association - 10g Style
10g style – still works in 11g
– Supported for backward compatibility
– Use cases like EBS Integrated Deployment
Use init block to get user's roles from source system
– E.g. Query EBS responsibilities
– Populate GROUP variable with query outcome
– Init block “AUTHORIZATION” used for this purpose
BIEE assigns roles with same name to user
Data Security for EBS Data
Security
Example: Inventory Org Based Security in Oracle BI
Oracle E-Business Suite
User/Role Association - 11g Style
Users are present in an LDAP
Typically, customer also has defined “groups” for users
– E.g. Existing LDAP has users and groups defined by customer
– Associate out of box application roles to groups
BIApps also ships out of box sample groups
– These groups can be associated to users as desired
Link is “User” -> Group(s) -> Application Role(s)
The following Init Blocks are not used
– Authentication
– Authorization
Toolbox – Enterprise Manager
Toolbox - Weblogic Admin Console
Shipped out of box for 11g
Used to manage Weblogic Embedded LDAP (Shipped out of box)
Manages
– User
– Groups
– User – Group membership
Used to configure external authenticator
– Use customer LDAP instead of OOB Weblogic Embedded LDAP
When using external LDAP, other tools may be available
Enterprise Manager –
Application Role / Group Mapping
WLS Admin Console – Users
WLS Admin Console – Groups
WLS Admin Console – Groups/User Mapping
Customer Deployment & Common Issues
Customer Deployment
Oracle ships duty roles and groups for all applications OOB
Oracle ships many data security roles that are mapped to one or
more application roles
Customers will always do the following
– Define users (e.g. user names and passwords)
– Grant application role to a group or users
Customers can optionally do the following
– Define new security roles for customer specific data & object
security
Error - User cannot access Answers
Symptom
– User can run reports but can’t access Answers
Probable Cause
– Access to Answers is given to BIAuthor, which is granted to OBIA
Application roles
– User must inherit at least one OBIA Application role
Fix
– Grant at least one OBIA Application role to user
– Optionally grant BIAuthor to user or group (this will not provide
RPD access)
Error - “No access to any columns” when report is run
Symptom
Probable Cause
– Access to underlying subject areas is controlled by OBIA Application
roles
– User does not have the necessary OBIA Application roles
Fix
– Find out user's BI roles.
– User needs to get the relevant OBIA Application roles.
Error - Issue with newly created user
Symptom
– A new user is added. The user cannot access a BI report that an existing user
can access. E.g. user “Ravi Patel” can’t access a Projects
dashboard that user “Abraham Mason” can access
Probable Cause
– Users get access to BI reports via OBIA Application roles. The new
user is not getting the BI role that allows access to the report.
Fix
– Make sure the new user gets the same OBIA Application roles as the existing
working user
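
The three error cases above all reduce to resolving a user's effective application roles through the User -> Group(s) -> Application Role(s) link and comparing them with a working user's. The Python sketch below is an added example, not Oracle code or part of the original deck; it runs on constructed sample mappings (the group and duty-role names are hypothetical, and it does not query WebLogic or OPSS) and assumes OBIA roles are members of BIAuthor, as the first error slide states.

```python
from collections import deque

# Constructed sample data, not taken from the slides: the group and the duty
# role are hypothetical; "BIAuthor" and the two user names appear in the deck.
USER_GROUPS = {
    "Abraham Mason": {"Projects Managers (sample)"},
    "Ravi Patel": set(),   # new user: defined, but not yet in any group
    "Sample Author": set(),
}
# Application role -> direct members, tagged as user, group or nested role.
ROLE_MEMBERS = {
    "OBIA Projects Duty (sample)": {("group", "Projects Managers (sample)")},
    # Assumed reading of the slide: OBIA roles are members of BIAuthor.
    "BIAuthor": {("role", "OBIA Projects Duty (sample)"), ("user", "Sample Author")},
}

def _closure(principals):
    """All application roles reachable from a set of (kind, name) principals."""
    granted, queue = set(), deque(principals)
    while queue:
        principal = queue.popleft()
        for role, members in ROLE_MEMBERS.items():
            if principal in members and role not in granted:
                granted.add(role)
                queue.append(("role", role))  # inherit roles this role belongs to
    return granted

def effective_roles(user):
    """Resolve User -> Group(s) -> Application Role(s)."""
    groups = USER_GROUPS.get(user, set())
    return _closure({("user", user)} | {("group", g) for g in groups})

def missing_roles(new_user, working_user):
    """Roles the working user resolves to that the new user lacks."""
    return effective_roles(working_user) - effective_roles(new_user)

def groups_to_add(new_user, working_user):
    """Working user's groups that would close at least part of the gap."""
    gap = missing_roles(new_user, working_user)
    extra = USER_GROUPS.get(working_user, set()) - USER_GROUPS.get(new_user, set())
    return {g for g in extra if gap & _closure({("group", g)})}

if __name__ == "__main__":
    print("missing:", sorted(missing_roles("Ravi Patel", "Abraham Mason")))
    print("add to :", sorted(groups_to_add("Ravi Patel", "Abraham Mason")))
    # BIAuthor alone gives Answers access but no OBIA duty role.
    print("author :", sorted(effective_roles("Sample Author")))
```

Fixing the gap through group membership rather than a direct grant keeps the new user on the same User -> Group(s) -> Application Role(s) path as the working user.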
Integrating BIA with Oracle Applications
Integrating BIA with Oracle Applications: EBS
Integrating BIA with Oracle Applications: JD
Edwards EnterpriseOne
• Contextually within a transactional or inquiry view
Integrating BIA with Oracle Applications: Siebel
Applications
• Contextually within a transactional view
Integrating BIA with Oracle Applications:
PeopleSoft
Flexfield and Value Set Integration
Key Flexfields (KFF)
– Pre-packaged mappings to
extract Key Flexfield data
– Mappings are flexible to handle
configuration performed on these
flexfields
– Out-of-the-box support to a
number of KFFs
Value Set Hierarchy
– Extract hierarchical relationships
of Value Sets
– Out-of-the-box support to GL
Account Value Set Hierarchies
Current Support - GL Account Hierarchy
Out-of-the-box Support for all 30
segments in Accounting Key Flexfields
(KFF)
– Pre-packaged mappings to extract
Accounting Key Flexfield data
– Mappings are flexible to handle
configuration performed on these
Flexfields
Current Support - GL Value Set Hierarchy
Up to 20 levels of
GL Value Set
Hierarchy support
Group Account Number Configuration
Why do we need it?
Oracle EBS General Ledger (GL) doesn’t contain business attributes
that represent a real world entity such as Supplier, Customer, and
Employee etc. This information generally resides in the sub ledgers.
[Diagram: GL Journal Entry with columns Journal#, Period, Account Combination, Creation Date, Amount; labels: Dimension, Fact]
Group Account Number Configuration
How it works
Out of the box Balance Sheet report Metadata repository (rpd file)
Group Account Number Configuration
How it works
Metadata repository (rpd file)
Group Account Number Configuration
How it works
Metadata repository (rpd file)
W_GL_BALANCE_F table
Group Account Number Configuration
How it works
W_GL_BALANCE_F table
file_group_acct_codes_ora.csv
How to use Natural Account Segment of Chart
Of Account to Map Group Account Numbers
file_group_acct_codes_ora.csv
Summary
Q&A