December 5, OBIEE Technical Conference Security Overview Dan Malone
December 5, Session Overview This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft security is used to drive security in the data warehouse and OBI. We will discuss OBI privileges and object permissions and how we modeled our security for Dashboards and Answers. We will also provide a brief overview on how we implemented CAS authentication and Single Sign On.
December 5, Security From 30,000 Feet ■ Identification ■ Authentication ■ Authorization ■ Audit
December 5, Consistent Security Across Applications ■ PeopleSoft ■ Data Warehouse ■ OBIEE – BI Server – Presentation Services » Answers » Dashboards
December 5, Identification/Authentication ■ Identification – Common USERNAME across all ■ Authentication – Web Single Sign-On (CAS) » PeopleSoft » OBIEE Presentation Services
December 5, CAS Integration with OBI ■ Need slides from David K.
December 5, CAS Integration OC4J Servlet Container Soulwing CAS Client Gets USERNAME into Session Cal Poly Developed Filter Copies Session USERNAME into Request Header REMOTE_USER OBI Single Sign-On Tells OBI to get REMOTE_USER from Request Header
December 5, Single Sign-On ■ Create Impersonator Admin account in Repository ■ USER Session Variable ■ Session Initialization Block select lower(':USER') from dual
December 5, Issues with Web Single Sign-On ■ Can not use database security – Proxy User ■ How to perform administrative tasks – Include a local Role in Presentation Server Administrators – Method to login as Administrator user » Password on URL
December 5, Authorization ■ Privileges ■ Web Catalog – Objects – Permissions ■ Groups
December 5, Authorization: Privileges ■ Access ■ Admin ■ Catalog ■ Dashboards ■ Answers ■ My Account ■ Subject Area XXXX ■ View XXXX
December 5, Privileges: Things to Remember ■ Most default to Everyone ■ Don’t remove Personal Storage before creating a default Dashboard ■ New Subject Area will not show up until someone starts Answers ■ Privileges can not be migrated
December 5, Privileges: Demo DEMO
December 5, Authorization: Web Catalog Objects for Dashboards ■ Folder – Dashboard » Page ■ Request
December 5, Authorization: Web Catalog Objects for Answers ■ Subject Area ■ Folder ■ Request
December 5, Authorization: Web Catalog Permissions ■ No Access ■ Traverse ■ Read ■ Change/Delete ■ Full Control
December 5, Authorization: Groups ■ BI Server/Repository Security – Groups ■ Presentation Services Security – Web Groups
December 5, Authorization: Groups PeopleSoft Finance Roles PeopleSoft HCM Roles Other Application Roles Consolidated Roles Tables Data Warehouse Roles BI Server Groups Presentation Services Web Groups
December 5, Groups via Session Variables: Step 1 ■ Set up Oracle Table/View for Groups CP_USERNAMENAMEVALUE GROUPALL_FINANCIAL_TABLES_RL GROUPALL_FINANCIAL_TABLES_RL
December 5, PAUSE – Session Variables Tables Groups Other Variables Display Name Address Session Variables v
December 5, Groups via Session Variables: Step 2 ■ Session Initialization Block – Row-wise initialization – No Caching – Execution Precedence select name, value from dwadmin.obiee_session_variables where cp_username = lower(':USER')
December 5, Session Variables Initialization Block
December 5, Groups via Session Variables: Step 3 ■ Create OBI Groups – BI Server » Group – Presentation Services » Web Group
December 5, Groups: Things to Remember ■ Do not manually grant BI Server Groups to Users ■ Group and Web Group must be exactly the same name
December 5, Groups: Demo DEMO
December 5, Authorization: Dashboards ■ Create a folder for each Subject Area ■ Create a sub-folder for each Page – Requests ■ Each Dashboard has the same permissions ■ Each Page on the Dashboard has the same permissions
December 5, Authorization: Things to Remember ■ Object Owner ALWAYS has Full Control – Set Owner to Administrator ■ Permission Inheritance… Sort of. ■ Apply changes to sub-folders – Web Based Tool Default: YES – Windows Based Tool Default: NO ■ Special user: System Account
December 5, Recommendations ■ Keep it simple! ■ Assign permissions to groups only ■ Assign permissions at the folder level – Everything in a folder has the same permissions
December 5, Authorization: Demo DEMO
December 5, Row Level Security ■ What data drives Row Level Security? – PeopleSoft DEPTID
December 5, Row Level Security: Step 1 ■ Create Oracle Table/View for DEPTIDs CP_USERNAMENAMEVALUE GROUPALL_FINANCIAL_TABLES_RL
December 5, PAUSE – Session Variables Tables Groups Other Variables Display Name Address HR DEPTIDs Session Variables v Finance DEPTIDs Finance FUNDs
December 5, Session Variables Table CP_USERNAMENAMEVALUE GROUPALL_FINANCIAL_TABLES_RL
December 5, Row Level Security: Step 2 ■ Session Initialization Block – Same initialization block that we used for GROUPS – If done this way, the initialization block does not need to change
December 5, Row Level Security: Step 3 ■ Open the Logical Data Source – In the business model layer, not the physical layer
December 5, Row Level Security: Step 4 ■ Add the appropriate where statement to limit rows based on the new session variable. – Use the expression builder to generate the code. – Since the HR_DEPTID is a dynamic session variable, it does not show up in the list of available variables. – Select the USER variable to generate the code, then change the variable name to HR_DEPTID.
December 5, Row Level Security: Demo DEMO
December 5, Become Another User ■ See what a dashboard looks like when a different user logs in – Don’t as for their password! ■ All security is now based on session variables coming from Oracle tables ■ When a user logs in we can change everything about them ■ Exceptions – Cannot change a persons username – Object owner always has full control
December 5, PAUSE – Session Variables Tables Groups Other Variables Display Name Address HR DEPTIDs Finance DEPTIDs Finance FUNDs Session Variables Security Override Session Variables v v
December 5, Security Override Table ■ Simple table with two columns – CP_USERNAME – BECOME_CP_USERNAME
December 5, Become Another User: Demo DEMO
December 5, Security Audit ■ WARNING
December 5, Security Audit – Requirements ■ Need an easy way to find differences between two web catalogs – Users – Groups – Permissions – Privileges ■ Check ownership of Web Catalog Objects ■ We want to know why it works the way it does
December 5, Security Audit – Has it been done before? ■ Built-In? – NO! ■ Consultants – “That’s been an internal challenge for us and we haven't been able to locate the files where that is stored” ■ Google – No Luck…
December 5, Security Audit ■ Web Catalog is just files and folders on the OS file system ■ File/Folder name is based on OBI display name – URL encoded and lower case » Object Name => object+name ■ Every file and folder of the catalog has an associated “.atr” file – object+name – object+name.atr
December 5, Security Audit ■ Binary Files – Linux command to hex dump a binary file » xxd $xxd presentation+server+administrators : c bc61 aacd bb2a 8a...\|.a...*. $xxd presentation+server+administrators.atr : c e "...presenta : f6e d69 tion server admi : 6e f ff ffff nistrators : ffff ffff ff feff ffff ffff ffff : e f 756e accounti : 6e ndex!
December 5, Security Audit – Users and Groups ■ Users – – ■ Groups – /system/security/groups/523/presentation+server+administrators – /system/security/groups/523/presentation+server+administrators.atr ■ Account IDs – /system/accountids/699/32539c1d5ffdb65b – /system/accountids/699/32539c1d5ffdb65b.atr
December 5, ■ /system/privs – /catalog » /changepermissionsprivilege » /changepermissionsprivilege.atr » /maintenancemodeprivilege » /maintenancemodeprivilege.atr – /generalprivs » /global+admin » /global+admin.atr » /global+answers » /global+answers.atr » /global+portal » /global+portal.atr – /security » /administerprivs » /administerprivs.atr » /takeownershipprivs » /takeownershipprivs.atr – /… » /… Security Audit – Privileges
December 5, Security Audit – Privileges ■ privilege file – The number of accounts granted this privilege is located at byte 12. – The account list starts at byte 13. » Each account listed contains 13 bytes » The first 2 bytes always seems to be » The next 8 bytes are the HEX ID of the account » The next 2 bytes determine if the privilege is granted or explicitly denied ◊ FF FF - Granted (for the first entry in the list) ◊ Granted (for other entries in the list) ◊ Explicitly denied » The next byte always seems to be 00 ■ privilege.atr file – Byte 5 contains the length of the display name. – Byte 9 is where the display name starts.
December 5, Security Audit – Permissions ■ object+name.atr file – Byte 4 Contains the length of the object name that starts on Byte 8 – Byte 8 Start of the name of the object in nice form, including caps and spaces. – Byte (11 + value of Byte 4) - Contains the HEX ID of the owner of this object - 8 Bytes – Byte (19 + value of Byte 4) - Contains the number of permissions that have been assigned, in our case to groups. – Next, each of the permission is represented in a 13 byte block. » The first 2 bytes seems to always be » The next 8 bytes of the 12 byte block contains the HEX ID of the user or group. » The next 2 bytes of the 12 byte block contains the permission granted. ◊ FF FF - Full Control ◊ 0F 00 - Change/Modify ◊ Read ◊ Traverse ◊ No Access » The last byte seems to always be 00
December 5, Security Audit – Perl saves the day ■ Script traverses the ‘important’ branches of the web catalog ■ Parses and collects security information ■ Loads into Oracle tables – obiee_security_aud_accounts – obiee_security_aud_group_mem – obiee_security_aud_objects – obiee_security_aud_object_perm – obiee_security_aud_privs
December 5, Security Audit – Queries ■ Objects without proper ownership ■ Differences between two catalogs – Users and Groups – Group memberships – Object differences – Object Permissions – Privileges
December 5, Security Audit: Demo DEMO
December 5, Questions?
December 5, PAUSE – Session Variables Tables Groups Other Variables Display Name Address HR DEPTIDs Finance DEPTIDs Finance FUNDs Session Variables Security Override Session Variables v v
December 5, Contact ■ OBIEE Technical Conference: ■