December 5, 2008 OBIEE Technical Conference: Security Overview, Dan Malone.

Presentation transcript:

December 5, OBIEE Technical Conference Security Overview Dan Malone

December 5, Session Overview This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft security is used to drive security in the data warehouse and OBI. We will discuss OBI privileges and object permissions and how we modeled our security for Dashboards and Answers. We will also provide a brief overview on how we implemented CAS authentication and Single Sign On.

December 5, Security From 30,000 Feet
■ Identification
■ Authentication
■ Authorization
■ Audit

December 5, Consistent Security Across Applications
■ PeopleSoft
■ Data Warehouse
■ OBIEE
  – BI Server
  – Presentation Services
    » Answers
    » Dashboards

December 5, Identification/Authentication
■ Identification
  – Common USERNAME across all
■ Authentication
  – Web Single Sign-On (CAS)
    » PeopleSoft
    » OBIEE Presentation Services

December 5, CAS Integration with OBI ■ Need slides from David K.

December 5, CAS Integration
[diagram] OC4J Servlet Container
  – Soulwing CAS Client: gets USERNAME into Session
  – Cal Poly Developed Filter: copies Session USERNAME into Request Header REMOTE_USER
  – OBI Single Sign-On: tells OBI to get REMOTE_USER from Request Header
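The hand-off on this slide rests on one trust decision: OBI believes whatever is in the REMOTE_USER request header, so the filter that sets it must be the only thing that can set it. The following is an added illustration of that filter logic, not Cal Poly's code or the Soulwing client; it assumes a WSGI-style request dictionary, a session store keyed by a session id, and the header name REMOTE_USER as the slide states. The session contents are constructed.

```python
"""Added illustration of the header-based SSO hand-off described on the slide.

Assumed (not from the slides): a WSGI-style request dictionary (environ),
a session store keyed by a session id, and the header name REMOTE_USER.
"""

# Constructed session store: session id -> USERNAME that the CAS client stored.
SESSIONS = {"sess-1": "jdoe"}

HEADER_KEY = "HTTP_REMOTE_USER"   # WSGI spelling of the REMOTE_USER request header


def sso_filter(environ, sessions=SESSIONS):
    """Copy the session USERNAME into the REMOTE_USER header.

    Any REMOTE_USER value that arrived with the client request is removed first,
    so the downstream application (OBI here) only ever sees a value this filter
    set. Returns the environ that would be handed to the application.
    """
    env = dict(environ)
    env.pop(HEADER_KEY, None)                  # drop anything the client sent
    username = sessions.get(env.get("session_id"))
    if username is None:
        env["sso_status"] = "unauthenticated"  # the CAS client would redirect to login
        return env
    env[HEADER_KEY] = username.lower()         # matches lower(':USER') used in the repository
    env["sso_status"] = "authenticated"
    return env
```

The check worth keeping from this: whatever container you use, confirm that a request carrying its own REMOTE_USER header but no valid session never reaches OBI as an authenticated user.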

December 5, Single Sign-On
■ Create Impersonator Admin account in Repository
■ USER Session Variable
■ Session Initialization Block: select lower(':USER') from dual

December 5, Issues with Web Single Sign-On
■ Cannot use database security
  – Proxy User
■ How to perform administrative tasks
  – Include a local Role in Presentation Server Administrators
  – Method to login as Administrator user
    » Password on URL

December 5, Authorization
■ Privileges
■ Web Catalog
  – Objects
  – Permissions
■ Groups

December 5, Authorization: Privileges
■ Access
■ Admin
■ Catalog
■ Dashboards
■ Answers
■ My Account
■ Subject Area XXXX
■ View XXXX

December 5, Privileges: Things to Remember
■ Most default to Everyone
■ Don’t remove Personal Storage before creating a default Dashboard
■ A new Subject Area will not show up until someone starts Answers
■ Privileges cannot be migrated

December 5, Privileges: Demo

December 5, Authorization: Web Catalog Objects for Dashboards
■ Folder
  – Dashboard
    » Page
■ Request

December 5, Authorization: Web Catalog Objects for Answers
■ Subject Area
■ Folder
■ Request

December 5, Authorization: Web Catalog Permissions
■ No Access
■ Traverse
■ Read
■ Change/Delete
■ Full Control

December 5, Authorization: Groups
■ BI Server/Repository Security
  – Groups
■ Presentation Services Security
  – Web Groups

December 5, Authorization: Groups
[diagram] PeopleSoft Finance Roles, PeopleSoft HCM Roles, Other Application Roles -> Consolidated Roles Tables -> Data Warehouse Roles -> BI Server Groups -> Presentation Services Web Groups

December 5, Groups via Session Variables: Step 1
■ Set up Oracle Table/View for Groups
  CP_USERNAME | NAME  | VALUE
              | GROUP | ALL_FINANCIAL_TABLES_RL
              | GROUP | ALL_FINANCIAL_TABLES_RL

December 5, PAUSE – Session Variables
[diagram] Tables: Groups; Other Variables (Display Name, Address) -> Session Variables

December 5, Groups via Session Variables: Step 2
■ Session Initialization Block
  – Row-wise initialization
  – No Caching
  – Execution Precedence
  select name, value from dwadmin.obiee_session_variables where cp_username = lower(':USER')

December 5, Session Variables Initialization Block

December 5, Groups via Session Variables: Step 3
■ Create OBI Groups
  – BI Server
    » Group
  – Presentation Services
    » Web Group

December 5, Groups: Things to Remember
■ Do not manually grant BI Server Groups to Users
■ Group and Web Group must have exactly the same name

December 5, Groups: Demo

December 5, Authorization: Dashboards
■ Create a folder for each Subject Area
■ Create a sub-folder for each Page
  – Requests
■ Each Dashboard has the same permissions
■ Each Page on the Dashboard has the same permissions

December 5, Authorization: Things to Remember
■ Object Owner ALWAYS has Full Control
  – Set Owner to Administrator
■ Permission Inheritance… Sort of.
■ Apply changes to sub-folders
  – Web Based Tool Default: YES
  – Windows Based Tool Default: NO
■ Special user: System Account

December 5, Recommendations
■ Keep it simple!
■ Assign permissions to groups only
■ Assign permissions at the folder level
  – Everything in a folder has the same permissions

December 5, Authorization: Demo

December 5, Row Level Security
■ What data drives Row Level Security?
  – PeopleSoft DEPTID

December 5, Row Level Security: Step 1
■ Create Oracle Table/View for DEPTIDs
  CP_USERNAME | NAME  | VALUE
              | GROUP | ALL_FINANCIAL_TABLES_RL

December 5, PAUSE – Session Variables
[diagram] Tables: Groups; Other Variables (Display Name, Address); HR DEPTIDs; Finance DEPTIDs; Finance FUNDs -> Session Variables

December 5, Session Variables Table
  CP_USERNAME | NAME  | VALUE
              | GROUP | ALL_FINANCIAL_TABLES_RL

December 5, Row Level Security: Step 2
■ Session Initialization Block
  – Same initialization block that we used for GROUPS
  – If done this way, the initialization block does not need to change

December 5, Row Level Security: Step 3
■ Open the Logical Data Source
  – In the business model layer, not the physical layer

December 5, Row Level Security: Step 4
■ Add the appropriate where statement to limit rows based on the new session variable.
  – Use the expression builder to generate the code.
  – Since HR_DEPTID is a dynamic session variable, it does not show up in the list of available variables.
  – Select the USER variable to generate the code, then change the variable name to HR_DEPTID.
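The Groups steps and the Row Level Security steps share one mechanism: a row-wise initialization block that turns every NAME/VALUE row for the logged-in user into a session variable, after which the GROUP values become BI Server groups and the HR_DEPTID values feed the WHERE clause on the logical data source. The following is an added example, not the conference's own SQL or repository, that models that pipeline in Python. It assumes the dwadmin.obiee_session_variables rows as an in-memory list, the variable names GROUP and HR_DEPTID as on the slides, and a fact table with a DEPTID column (the column name is assumed); all sample rows are constructed.

```python
"""Added model (not the conference's own code) of row-wise session variable
initialization feeding group membership and a row-level filter.

Assumed: in-memory rows standing in for dwadmin.obiee_session_variables,
variable names GROUP and HR_DEPTID, and a constructed fact table with DEPTID.
"""

# Constructed stand-in for:
#   select name, value from dwadmin.obiee_session_variables
#   where cp_username = lower(':USER')
SESSION_VARIABLE_ROWS = [
    ("jdoe", "GROUP", "ALL_FINANCIAL_TABLES_RL"),
    ("jdoe", "GROUP", "HR_REPORTING_RL"),
    ("jdoe", "HR_DEPTID", "100"),
    ("jdoe", "HR_DEPTID", "110"),
    ("jdoe", "DISPLAY_NAME", "Jane Doe"),
    ("asmith", "GROUP", "ALL_FINANCIAL_TABLES_RL"),
    ("asmith", "HR_DEPTID", "200"),
]

# Constructed rows the logical data source would expose before filtering.
FACT_ROWS = [
    {"DEPTID": "100", "AMOUNT": 10},
    {"DEPTID": "110", "AMOUNT": 20},
    {"DEPTID": "200", "AMOUNT": 30},
]


def row_wise_init(username, rows=SESSION_VARIABLE_ROWS):
    """Row-wise initialization: every NAME becomes a session variable, and a NAME
    present on several rows collects all of its VALUEs. With caching off this
    runs at every login, so a change to the table takes effect on the next login."""
    variables = {}
    for cp_username, name, value in rows:
        if cp_username == username.lower():          # lower(':USER') on the slide
            variables.setdefault(name, []).append(value)
    return variables


def groups_for(username):
    """GROUP values are the BI Server group names; the Web Groups must match exactly."""
    return sorted(row_wise_init(username).get("GROUP", []))


def visible_rows(username, facts=FACT_ROWS):
    """Step 4 applied in Python: the logical data source clause
    DEPTID IN (VALUEOF(NQ_SESSION.HR_DEPTID)).
    A user with no HR_DEPTID row sees no rows rather than every row."""
    allowed = set(row_wise_init(username).get("HR_DEPTID", []))
    return [row for row in facts if row["DEPTID"] in allowed]
```

The last point is the one to verify in a real repository: a user who is missing from the session variables table must end up with an empty filter, not an absent one.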

December 5, Row Level Security: Demo

December 5, Become Another User
■ See what a dashboard looks like when a different user logs in
  – Don’t ask for their password!
■ All security is now based on session variables coming from Oracle tables
■ When a user logs in we can change everything about them
■ Exceptions
  – Cannot change a person’s username
  – Object owner always has full control

December 5, PAUSE – Session Variables
[diagram] Tables: Groups; Other Variables (Display Name, Address); HR DEPTIDs; Finance DEPTIDs; Finance FUNDs -> Session Variables; Security Override -> Session Variables

December 5, Security Override Table
■ Simple table with two columns
  – CP_USERNAME
  – BECOME_CP_USERNAME

December 5, Become Another User: Demo

December 5, Security Audit
■ WARNING

December 5, Security Audit – Requirements
■ Need an easy way to find differences between two web catalogs
  – Users
  – Groups
  – Permissions
  – Privileges
■ Check ownership of Web Catalog Objects
■ We want to know why it works the way it does

December 5, Security Audit – Has it been done before?
■ Built-In?
  – NO!
■ Consultants
  – “That’s been an internal challenge for us and we haven't been able to locate the files where that is stored”
■ Google
  – No Luck…

December 5, Security Audit
■ Web Catalog is just files and folders on the OS file system
■ File/Folder name is based on OBI display name
  – URL encoded and lower case
    » Object Name => object+name
■ Every file and folder of the catalog has an associated “.atr” file
  – object+name
  – object+name.atr

December 5, Security Audit
■ Binary Files
  – Linux command to hex dump a binary file
    » xxd
$xxd presentation+server+administrators
: c bc61 aacd bb2a 8a...\|.a...*.
$xxd presentation+server+administrators.atr
: c e "...presenta
: f6e d69 tion server admi
: 6e f ff ffff nistrators
: ffff ffff ff feff ffff ffff ffff
: e f 756e accounti
: 6e ndex!

December 5, Security Audit – Users and Groups
■ Users
  –
  –
■ Groups
  – /system/security/groups/523/presentation+server+administrators
  – /system/security/groups/523/presentation+server+administrators.atr
■ Account IDs
  – /system/accountids/699/32539c1d5ffdb65b
  – /system/accountids/699/32539c1d5ffdb65b.atr

December 5, Security Audit – Privileges
■ /system/privs
  – /catalog
    » /changepermissionsprivilege
    » /changepermissionsprivilege.atr
    » /maintenancemodeprivilege
    » /maintenancemodeprivilege.atr
  – /generalprivs
    » /global+admin
    » /global+admin.atr
    » /global+answers
    » /global+answers.atr
    » /global+portal
    » /global+portal.atr
  – /security
    » /administerprivs
    » /administerprivs.atr
    » /takeownershipprivs
    » /takeownershipprivs.atr
  – /…
    » /…

December 5, Security Audit – Privileges
■ privilege file
  – The number of accounts granted this privilege is located at byte 12.
  – The account list starts at byte 13.
    » Each account listed contains 13 bytes
    » The first 2 bytes always seem to be
    » The next 8 bytes are the HEX ID of the account
    » The next 2 bytes determine if the privilege is granted or explicitly denied
      ◊ FF FF - Granted (for the first entry in the list)
      ◊ Granted (for other entries in the list)
      ◊ Explicitly denied
    » The next byte always seems to be 00
■ privilege.atr file
  – Byte 5 contains the length of the display name.
  – Byte 9 is where the display name starts.

December 5, Security Audit – Permissions
■ object+name.atr file
  – Byte 4 contains the length of the object name that starts on Byte 8
  – Byte 8 is the start of the name of the object in nice form, including caps and spaces.
  – Byte (11 + value of Byte 4) contains the HEX ID of the owner of this object - 8 Bytes
  – Byte (19 + value of Byte 4) contains the number of permissions that have been assigned, in our case to groups.
  – Next, each permission is represented in a 13 byte block.
    » The first 2 bytes seem to always be
    » The next 8 bytes of the 12 byte block contain the HEX ID of the user or group.
    » The next 2 bytes of the 12 byte block contain the permission granted.
      ◊ FF FF - Full Control
      ◊ 0F 00 - Change/Modify
      ◊ Read
      ◊ Traverse
      ◊ No Access
    » The last byte seems to always be 00
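The two layouts above (the privilege file and the object+name.atr file) are what an audit script has to decode, and the slides leave a few bytes unspecified. The following is an added parser, not the conference's Perl script, that encodes the layouts exactly as the slides state them and fills the gaps with labelled assumptions: byte positions are read as 0-based offsets; the unspecified leading 2 bytes of each entry are written as 00 00; "granted for other entries" is taken as 01 00 and "explicitly denied" as 00 00; bytes the slides do not describe are zero-filled. Account IDs are the 16-hex-character values seen under /system/accountids. The sample files are constructed with the builder functions, not taken from a real catalog, so the round trip checks the reader against the stated layout rather than against real OBIEE output. It also includes the display-name to file-name rule from the earlier slide.

```python
"""Added parser (not the conference's Perl script) for the privilege file and
object+name.atr layouts described on the slides.

Assumptions (the slides do not pin these down): 0-based byte offsets; leading
2 bytes of each 13-byte entry are 00 00; 'granted for other entries' is 01 00;
'explicitly denied' is 00 00; undescribed bytes are zero-filled.
"""
from urllib.parse import quote_plus

ENTRY_LEN = 13
PERMISSION_NAMES = {b"\xff\xff": "Full Control", b"\x0f\x00": "Change/Modify"}
GRANT_NAMES = {b"\xff\xff": "Granted", b"\x01\x00": "Granted",
               b"\x00\x00": "Explicitly denied"}


def catalog_file_name(display_name):
    """Catalog file/folder name: URL-encoded, lower-cased display name."""
    return quote_plus(display_name.lower())


def _entries(data, start, count):
    """Decode `count` 13-byte entries: 2 bytes (unspecified), 8-byte ID,
    2-byte flag, 1 trailing byte. Raises on a truncated file."""
    out = []
    for i in range(count):
        entry = data[start + i * ENTRY_LEN: start + (i + 1) * ENTRY_LEN]
        if len(entry) != ENTRY_LEN:
            raise ValueError("truncated entry %d" % i)
        out.append((entry[2:10].hex(), bytes(entry[10:12])))
    return out


def parse_privilege_file(data):
    """Privilege file: account count at byte 12, 13-byte account list from byte 13."""
    count = data[12]
    return [(acct, GRANT_NAMES.get(flag, flag.hex()))
            for acct, flag in _entries(data, 13, count)]


def parse_object_atr(data):
    """object+name.atr: name length at byte 4, name at byte 8, owner ID (8 bytes)
    at 11+len, permission count at 19+len, then 13-byte permission blocks."""
    name_len = data[4]
    name = data[8: 8 + name_len].decode("utf-8")
    owner = data[11 + name_len: 19 + name_len].hex()
    count = data[19 + name_len]
    perms = [(acct, PERMISSION_NAMES.get(flag, flag.hex()))
             for acct, flag in _entries(data, 20 + name_len, count)]
    return {"name": name, "owner": owner, "permissions": perms}


def build_privilege_file(accounts):
    """Constructed privilege file: 12 undescribed bytes, count, then entries."""
    data = bytearray(b"\x00" * 12) + bytes([len(accounts)])
    for acct, flag in accounts:
        data += b"\x00\x00" + bytes.fromhex(acct) + flag + b"\x00"
    return bytes(data)


def build_object_atr(name, owner_hex, perms):
    """Constructed object+name.atr following the stated offsets (inverse of
    parse_object_atr); used only to produce sample input."""
    raw = name.encode("utf-8")
    data = bytearray(b"\x00" * 4) + bytes([len(raw)]) + b"\x00" * 3 + raw + b"\x00" * 3
    data += bytes.fromhex(owner_hex) + bytes([len(perms)])
    for acct, flag in perms:
        data += b"\x00\x00" + bytes.fromhex(acct) + flag + b"\x00"
    return bytes(data)
```

Before trusting a reader like this on a real catalog, compare its output for a handful of objects against what the Presentation Services permission dialog shows, since the slides mark several byte values as "seems to be".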

December 5, Security Audit – Perl saves the day
■ Script traverses the ‘important’ branches of the web catalog
■ Parses and collects security information
■ Loads into Oracle tables
  – obiee_security_aud_accounts
  – obiee_security_aud_group_mem
  – obiee_security_aud_objects
  – obiee_security_aud_object_perm
  – obiee_security_aud_privs

December 5, Security Audit – Queries
■ Objects without proper ownership
■ Differences between two catalogs
  – Users and Groups
  – Group memberships
  – Object differences
  – Object Permissions
  – Privileges
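Once the catalog has been parsed and loaded, the audit is a set of comparisons. The following is an added example, not the conference's Perl or its Oracle queries, of the two questions on this slide (objects not owned by the expected account, and differences between two catalogs) run over in-memory stand-ins for the obiee_security_aud_objects, obiee_security_aud_object_perm and obiee_security_aud_group_mem tables. The catalog layout (a dict keyed by object path holding the owner ID and an account-to-permission map), the group map and every sample value are constructed; the expected owner is passed in by the caller because the real Administrator ID comes from /system/accountids.

```python
"""Added example (not the conference's code) of the audit queries: ownership
check and catalog-to-catalog differences over in-memory stand-ins for the
obiee_security_aud_* tables. All sample data is constructed.
"""

ADMIN_ID = "32539c1d5ffdb65b"  # constructed; the real value comes from /system/accountids

# Stand-ins for obiee_security_aud_objects + obiee_security_aud_object_perm.
PROD = {
    "/shared/finance": {"owner": ADMIN_ID, "perms": {"finance_rl": "Full Control"}},
    "/shared/hr": {"owner": ADMIN_ID, "perms": {"hr_rl": "Read"}},
    "/shared/scratch": {"owner": "0123456789abcdef", "perms": {}},
}
TEST = {
    "/shared/finance": {"owner": ADMIN_ID,
                        "perms": {"finance_rl": "Full Control", "everyone": "Read"}},
    "/shared/hr": {"owner": ADMIN_ID, "perms": {"hr_rl": "Read"}},
    "/shared/new+area": {"owner": ADMIN_ID, "perms": {}},
}

# Stand-ins for obiee_security_aud_group_mem: web group -> members.
PROD_GROUPS = {"presentation server administrators": {"jdoe"},
               "finance_rl": {"jdoe", "asmith"}}
TEST_GROUPS = {"presentation server administrators": {"jdoe", "tester"},
               "finance_rl": {"jdoe"}}


def objects_without_proper_ownership(catalog, expected_owner):
    """Owner always has Full Control, so every object should be owned by the
    expected account; return the paths that are not."""
    return sorted(path for path, obj in catalog.items()
                  if obj["owner"] != expected_owner)


def catalog_differences(first, second):
    """Objects present in only one catalog, plus per-object permission and
    owner changes for objects present in both."""
    only_first = sorted(set(first) - set(second))
    only_second = sorted(set(second) - set(first))
    changed = {}
    for path in sorted(set(first) & set(second)):
        pa, pb = first[path]["perms"], second[path]["perms"]
        owner_changed = first[path]["owner"] != second[path]["owner"]
        if pa != pb or owner_changed:
            changed[path] = {
                "owner_changed": owner_changed,
                "added": {k: v for k, v in pb.items() if k not in pa},
                "removed": {k: v for k, v in pa.items() if k not in pb},
                "modified": {k: (pa[k], pb[k]) for k in pa
                             if k in pb and pa[k] != pb[k]},
            }
    return {"only_in_first": only_first, "only_in_second": only_second,
            "changed": changed}


def group_membership_differences(first, second):
    """Members added to or removed from each group between two catalogs."""
    diffs = {}
    for group in sorted(set(first) | set(second)):
        added = sorted(second.get(group, set()) - first.get(group, set()))
        removed = sorted(first.get(group, set()) - second.get(group, set()))
        if added or removed:
            diffs[group] = {"added": added, "removed": removed}
    return diffs
```

Running the membership diff against the Presentation Server Administrators group is the cheapest of these checks and the one most worth scheduling, since that group is where the local administrative role from the SSO slides lives.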

December 5, Security Audit: Demo

December 5, Questions?


December 5, Contact
■ OBIEE Technical Conference: