
December 5, 2008 1 OBIEE Technical Conference Security Overview Dan Malone.


Slide 2: Session Overview
This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft security is used to drive security in the data warehouse and OBI. We will discuss OBI privileges and object permissions and how we modeled our security for Dashboards and Answers. We will also provide a brief overview on how we implemented CAS authentication and Single Sign On.

Slide 3: Security From 30,000 Feet
■ Identification
■ Authentication
■ Authorization
■ Audit

Slide 4: Consistent Security Across Applications
■ PeopleSoft
■ Data Warehouse
■ OBIEE
  – BI Server
  – Presentation Services
    » Answers
    » Dashboards

Slide 5: Identification/Authentication
■ Identification
  – Common USERNAME across all
■ Authentication
  – Web Single Sign-On (CAS)
    » PeopleSoft
    » OBIEE Presentation Services

Slide 6: CAS Integration with OBI
■ Need slides from David K.

Slide 7: CAS Integration (OC4J Servlet Container)
■ Soulwing CAS Client (http://www.soulwing.org/) – gets USERNAME into Session
■ Cal Poly developed filter – copies Session USERNAME into Request Header REMOTE_USER
■ OBI Single Sign-On – tells OBI to get REMOTE_USER from Request Header

Slide 8: Single Sign-On
■ Create Impersonator Admin account in Repository
■ USER Session Variable
■ Session Initialization Block
    select lower(':USER') from dual

Slide 9: Issues with Web Single Sign-On
■ Can not use database security
  – Proxy User
■ How to perform administrative tasks
  – Include a local Role in Presentation Server Administrators
  – Method to login as Administrator user
    » Password on URL: https://server/analytics/saw.dll?nquser=Administrator&nqpassword=

Slide 10: Authorization
■ Privileges
■ Web Catalog
  – Objects
  – Permissions
■ Groups

Slide 11: Authorization: Privileges
■ Access
■ Admin
■ Catalog
■ Dashboards
■ Answers
■ My Account
■ Subject Area XXXX
■ View XXXX

Slide 12: Privileges: Things to Remember
■ Most default to Everyone
■ Don't remove Personal Storage before creating a default Dashboard
■ New Subject Area will not show up until someone starts Answers
■ Privileges can not be migrated

Slide 13: Privileges: Demo
DEMO

Slide 14: Authorization: Web Catalog Objects for Dashboards
■ Folder
  – Dashboard
    » Page
■ Request

Slide 15: Authorization: Web Catalog Objects for Answers
■ Subject Area
■ Folder
■ Request

Slide 16: Authorization: Web Catalog Permissions
■ No Access
■ Traverse
■ Read
■ Change/Delete
■ Full Control

Slide 17: Authorization: Groups
■ BI Server/Repository Security
  – Groups
■ Presentation Services Security
  – Web Groups

Slide 18: Authorization: Groups
(diagram) PeopleSoft Finance Roles / PeopleSoft HCM Roles / Other Application Roles → Consolidated Roles Tables → Data Warehouse Roles → BI Server Groups → Presentation Services Web Groups

Slide 19: Groups via Session Variables: Step 1
■ Set up Oracle Table/View for Groups

    CP_USERNAME            NAME          VALUE
    dbrothwe@calpoly.edu   DISPLAYNAME   Debbie
    dbrothwe@calpoly.edu   EMAIL         dbrothwe@calpoly.edu
    dbrothwe@calpoly.edu   GROUP         ALL_FINANCIAL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP         ALL_RSOL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP         BI_REQUEST_DEVELOPER_FIN_RL
    dbrothwe@calpoly.edu   GROUP         WAREHOUSE_USER
    gyelland@calpoly.edu   DISPLAYNAME   George
    gyelland@calpoly.edu   EMAIL         gyelland@calpoly.edu
    gyelland@calpoly.edu   GROUP         ALL_FINANCIAL_TABLES_RL
    gyelland@calpoly.edu   GROUP         POLYDATA_SUPPORT_RL
    gyelland@calpoly.edu   GROUP         WAREHOUSE_USER

Slide 20: PAUSE – Session Variables
(diagram) Tables: Groups; Other Variables (Display Name, Email Address) → Session Variables

Slide 21: Groups via Session Variables: Step 2
■ Session Initialization Block
  – Row-wise initialization
  – No Caching
  – Execution Precedence

    select name, value
      from dwadmin.obiee_session_variables
     where cp_username = lower(':USER')

Slide 22: Session Variables Initialization Block

Slide 23: Groups via Session Variables: Step 3
■ Create OBI Groups
  – BI Server
    » Group
  – Presentation Services
    » Web Group

Slide 24: Groups: Things to Remember
■ Do not manually grant BI Server Groups to Users
■ Group and Web Group must be exactly the same name

Slide 25: Groups: Demo
DEMO

Slide 26: Authorization: Dashboards
■ Create a folder for each Subject Area
■ Create a sub-folder for each Page
  – Requests
■ Each Dashboard has the same permissions
■ Each Page on the Dashboard has the same permissions

Slide 27: Authorization: Things to Remember
■ Object Owner ALWAYS has Full Control
  – Set Owner to Administrator
■ Permission Inheritance… Sort of.
■ Apply changes to sub-folders
  – Web Based Tool Default: YES
  – Windows Based Tool Default: NO
■ Special user: System Account

Slide 28: Recommendations
■ Keep it simple!
■ Assign permissions to groups only
■ Assign permissions at the folder level
  – Everything in a folder has the same permissions

Slide 29: Authorization: Demo
DEMO

Slide 30: Row Level Security
■ What data drives Row Level Security?
  – PeopleSoft DEPTID

Slide 31: Row Level Security: Step 1
■ Create Oracle Table/View for DEPTIDs

    CP_USERNAME            NAME          VALUE
    dbrothwe@calpoly.edu   DISPLAYNAME   Debbie
    dbrothwe@calpoly.edu   EMAIL         dbrothwe@calpoly.edu
    dbrothwe@calpoly.edu   GROUP         ALL_FINANCIAL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP         ALL_RSOL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP         BI_REQUEST_DEVELOPER_FIN_RL
    dbrothwe@calpoly.edu   GROUP         WAREHOUSE_USER
    dbrothwe@calpoly.edu   HR_DEPTID     100100
    dbrothwe@calpoly.edu   HR_DEPTID     100200
    dbrothwe@calpoly.edu   HR_DEPTID     100300
    dbrothwe@calpoly.edu   HR_DEPTID     100400
    dbrothwe@calpoly.edu   HR_DEPTID     100500

Slide 32: PAUSE – Session Variables
(diagram) Tables: Groups; Other Variables (Display Name, Email Address); HR DEPTIDs; Finance DEPTIDs; Finance FUNDs → Session Variables

Slide 33: Session Variables Table

    CP_USERNAME            NAME             VALUE
    dbrothwe@calpoly.edu   DISPLAYNAME      Debbie
    dbrothwe@calpoly.edu   EMAIL            dbrothwe@calpoly.edu
    dbrothwe@calpoly.edu   GROUP            ALL_FINANCIAL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP            ALL_RSOL_TABLES_RL
    dbrothwe@calpoly.edu   GROUP            BI_REQUEST_DEVELOPER_FIN_RL
    dbrothwe@calpoly.edu   GROUP            WAREHOUSE_USER
    dbrothwe@calpoly.edu   HR_DEPTID        100100
    dbrothwe@calpoly.edu   HR_DEPTID        100200
    dbrothwe@calpoly.edu   FINANCE_DEPTID   122900
    dbrothwe@calpoly.edu   FINANCE_DEPTID   122901
    dbrothwe@calpoly.edu   FINANCE_FUND     GA002

Slide 34: Row Level Security: Step 2
■ Session Initialization Block
  – Same initialization block that we used for GROUPS
  – If done this way, the initialization block does not need to change

Slide 35: Row Level Security: Step 3
■ Open the Logical Data Source
  – In the business model layer, not the physical layer

Slide 36: Row Level Security: Step 4
■ Add the appropriate where statement to limit rows based on the new session variable.
  – Use the expression builder to generate the code.
  – Since HR_DEPTID is a dynamic session variable, it does not show up in the list of available variables.
  – Select the USER variable to generate the code, then change the variable name to HR_DEPTID.

Slide 37: Row Level Security: Demo
DEMO

Slide 38: Become Another User
■ See what a dashboard looks like when a different user logs in
  – Don't ask for their password!
■ All security is now based on session variables coming from Oracle tables
■ When a user logs in we can change everything about them
■ Exceptions
  – Cannot change a person's username
  – Object owner always has full control

Slide 39: PAUSE – Session Variables
(diagram) Tables: Groups; Other Variables (Display Name, Email Address); HR DEPTIDs; Finance DEPTIDs; Finance FUNDs → Session Variables; Security Override → Session Variables

Slide 40: Security Override Table
■ Simple table with two columns
  – CP_USERNAME
  – BECOME_CP_USERNAME

Slide 41: Become Another User: Demo
DEMO
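The mechanism of slides 19 through 40 fits in one small model: a row-wise initialization block turns every (NAME, VALUE) row for the logged-in user into session variables, the security override table swaps the username before that lookup, and the HR_DEPTID values become a row-level WHERE clause on the logical table. The following Python script is an added example written for this page, not code from the presentation or from Cal Poly; it uses an in-memory SQLite database in place of the dwadmin Oracle schema. The table name obiee_session_variables and the column names come from the slides; obiee_security_override, hr_fact, the DEPTID/headcount columns and the rows themselves are constructed for the example.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed rows in the shape of the session-variables table on slides 19, 31 and 33
# (CP_USERNAME, NAME, VALUE). Usernames and variable names are the ones shown there.
SESSION_VARIABLE_ROWS = [
    ("dbrothwe@calpoly.edu", "DISPLAYNAME", "Debbie"),
    ("dbrothwe@calpoly.edu", "EMAIL", "dbrothwe@calpoly.edu"),
    ("dbrothwe@calpoly.edu", "GROUP", "ALL_FINANCIAL_TABLES_RL"),
    ("dbrothwe@calpoly.edu", "GROUP", "WAREHOUSE_USER"),
    ("dbrothwe@calpoly.edu", "HR_DEPTID", "100100"),
    ("dbrothwe@calpoly.edu", "HR_DEPTID", "100200"),
    ("gyelland@calpoly.edu", "DISPLAYNAME", "George"),
    ("gyelland@calpoly.edu", "GROUP", "WAREHOUSE_USER"),
]
# Constructed row for the two-column override table of slide 40 (CP_USERNAME, BECOME_CP_USERNAME).
SECURITY_OVERRIDE_ROWS = [("dmalone@calpoly.edu", "dbrothwe@calpoly.edu")]
# Constructed fact rows keyed by DEPTID, standing in for a warehouse table (assumed name hr_fact).
HR_FACT_ROWS = [("100100", 10), ("100200", 20), ("100300", 30), ("100400", 40)]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the dwadmin schema; override/fact table names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table obiee_session_variables (cp_username, name, value)")
    conn.execute("create table obiee_security_override (cp_username, become_cp_username)")
    conn.execute("create table hr_fact (deptid, headcount)")
    conn.executemany("insert into obiee_session_variables values (?,?,?)", SESSION_VARIABLE_ROWS)
    conn.executemany("insert into obiee_security_override values (?,?)", SECURITY_OVERRIDE_ROWS)
    conn.executemany("insert into hr_fact values (?,?)", HR_FACT_ROWS)
    return conn


def effective_user(conn: sqlite3.Connection, login_user: str) -> str:
    """Slide 40: if the logged-in user has a BECOME row, every later lookup uses that user.
    lower() mirrors the lower(':USER') in the presentation's initialization block."""
    row = conn.execute(
        "select coalesce((select become_cp_username from obiee_security_override"
        "                  where cp_username = lower(:u)), lower(:u))",
        {"u": login_user},
    ).fetchone()
    return row[0]


def session_variables(conn: sqlite3.Connection, login_user: str) -> Dict[str, List[str]]:
    """Slide 21's row-wise initialization block: each (name, value) row becomes a session
    variable, and repeated names (GROUP, HR_DEPTID) accumulate into a list."""
    who = effective_user(conn, login_user)
    variables: Dict[str, List[str]] = {}
    for name, value in conn.execute(
        "select name, value from obiee_session_variables"
        " where cp_username = lower(:u) order by rowid",
        {"u": who},
    ):
        variables.setdefault(name, []).append(value)
    return variables


def row_level_filter(variables: Dict[str, List[str]], column: str = "DEPTID",
                     var: str = "HR_DEPTID") -> Tuple[str, List[str]]:
    """Slide 36's where statement, built from the dynamic HR_DEPTID session variable.
    Assumption: a user with no DEPTIDs at all sees nothing (1=0) rather than everything,
    which is the fail-closed choice. Values are bound as parameters, never spliced in."""
    values = variables.get(var, [])
    if not values:
        return "1=0", []
    return f"{column} in ({', '.join('?' * len(values))})", values


def visible_headcount(conn: sqlite3.Connection, login_user: str) -> int:
    """Total headcount the user can see once the row-level filter is applied."""
    where, params = row_level_filter(session_variables(conn, login_user))
    total = conn.execute(
        f"select coalesce(sum(headcount), 0) from hr_fact where {where}", params
    ).fetchone()[0]
    return int(total)


if __name__ == "__main__":
    db = build_db()
    for user in ("dbrothwe@calpoly.edu", "dmalone@calpoly.edu", "gyelland@calpoly.edu"):
        print(user, "->", effective_user(db, user),
              session_variables(db, user), visible_headcount(db, user))
```

Running it shows dmalone seeing exactly what dbrothwe sees, because the override is resolved before the variable lookup, and gyelland, who has groups but no HR_DEPTID rows, seeing no HR rows at all. The empty-list case is the one to test deliberately: a filter generated as `DEPTID IN ()` is invalid SQL, and a generator that silently drops the clause when the list is empty would grant everything to a user who was supposed to get nothing.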

Slide 42: Security Audit
■ WARNING http://propellerheadhats.com/

Slide 43: Security Audit – Requirements
■ Need an easy way to find differences between two web catalogs
  – Users
  – Groups
  – Permissions
  – Privileges
■ Check ownership of Web Catalog Objects
■ We want to know why it works the way it does

Slide 44: Security Audit – Has it been done before?
■ Built-In?
  – NO!
■ Consultants
  – "That's been an internal challenge for us and we haven't been able to locate the files where that is stored"
■ Google
  – No Luck…

Slide 45: Security Audit
■ Web Catalog is just files and folders on the OS file system
■ File/Folder name is based on OBI display name
  – URL encoded and lower case
    » Object Name => object+name
■ Every file and folder of the catalog has an associated ".atr" file
  – object+name
  – object+name.atr

Slide 46: Security Audit
■ Binary Files
  – Linux command to hex dump a binary file
    » xxd

    $ xxd presentation+server+administrators
    0000000: 0200 017c bc61 aacd bb2a 8a              ...|.a...*.

    $ xxd presentation+server+administrators.atr
    0000000: 8000 0c00 2200 0000 7072 6573 656e 7461  ...."...presenta
    0000010: 7469 6f6e 2073 6572 7665 7220 6164 6d69  tion server admi
    0000020: 6e69 7374 7261 746f 7273 0600 01ff ffff  nistrators......
    0000030: ffff ffff ff01 0001 feff ffff ffff ffff  ................
    0000040: 0300 0000 0e00 0000 6163 636f 756e 7469  ........accounti
    0000050: 6e64 6578 2131 0200 0000 0000 0000       ndex!1........

Slide 47: Security Audit – Users and Groups
■ Users
  – /system/security/users/154/dmalone@calpoly%2eedu
  – /system/security/users/154/dmalone@calpoly%2eedu.atr
■ Groups
  – /system/security/groups/523/presentation+server+administrators
  – /system/security/groups/523/presentation+server+administrators.atr
■ Account IDs
  – /system/accountids/699/32539c1d5ffdb65b
  – /system/accountids/699/32539c1d5ffdb65b.atr

Slide 48: Security Audit – Privileges
■ /system/privs
  – /catalog
    » /changepermissionsprivilege
    » /changepermissionsprivilege.atr
    » /maintenancemodeprivilege
    » /maintenancemodeprivilege.atr
  – /generalprivs
    » /global+admin
    » /global+admin.atr
    » /global+answers
    » /global+answers.atr
    » /global+portal
    » /global+portal.atr
  – /security
    » /administerprivs
    » /administerprivs.atr
    » /takeownershipprivs
    » /takeownershipprivs.atr
  – /…
    » /…

Slide 49: Security Audit – Privileges
■ privilege file
  – The number of accounts granted this privilege is located at byte 12.
  – The account list starts at byte 13.
    » Each account listed contains 13 bytes
    » The first 2 bytes always seem to be 00 01
    » The next 8 bytes are the HEX ID of the account
    » The next 2 bytes determine if the privilege is granted or explicitly denied
      ◊ FF FF - Granted (for the first entry in the list)
      ◊ 01 00 - Granted (for other entries in the list)
      ◊ 00 00 - Explicitly denied
    » The next byte always seems to be 00
■ privilege.atr file
  – Byte 5 contains the length of the display name.
  – Byte 9 is where the display name starts.

Slide 50: Security Audit – Permissions
■ object+name.atr file
  – Byte 4 contains the length of the object name that starts on Byte 8
  – Byte 8: start of the name of the object in nice form, including caps and spaces.
  – Byte (11 + value of Byte 4): contains the HEX ID of the owner of this object (8 bytes)
  – Byte (19 + value of Byte 4): contains the number of permissions that have been assigned, in our case to groups.
  – Next, each permission is represented in a 13-byte block.
    » The first 2 bytes seem to always be 00 01
    » The next 8 bytes of the block contain the HEX ID of the user or group.
    » The next 2 bytes of the block contain the permission granted.
      ◊ FF FF - Full Control
      ◊ 0F 00 - Change/Modify
      ◊ 03 00 - Read
      ◊ 02 00 - Traverse
      ◊ 00 00 - No Access
    » The last byte seems to always be 00
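The byte layouts on slides 49 and 50 are enough to write a parser, and the group .atr dump on slide 46 is enough to check it: read the name length as the slides describe, step past the name, take the 8-byte owner ID, then walk the 13-byte permission entries. The Python below is an added example for this page, not the Perl script the presentation mentions. The .atr bytes are the slide 46 xxd output of presentation+server+administrators.atr; the privilege file is constructed (the first 11 bytes are left as zeros because the slides do not describe them, and one account ID is taken from the slide 47 path while the other is made up). Two assumptions are labelled in the code: the count at byte 12 is treated as a single byte, and the name length is read as one byte, since the dump only shows small values.

```python
"""Parse OBIEE web-catalog privilege files and .atr files per the layouts on slides 49-50."""
from typing import Dict, List, Tuple

# Slide 50 permission codes, stored as the 2 bytes that appear on disk.
PERMISSION_CODES = {
    b"\xff\xff": "Full Control",
    b"\x0f\x00": "Change/Modify",
    b"\x03\x00": "Read",
    b"\x02\x00": "Traverse",
    b"\x00\x00": "No Access",
}
# Slide 49 grant codes for privilege files.
GRANT_CODES = {b"\xff\xff": "granted", b"\x01\x00": "granted", b"\x00\x00": "denied"}
ENTRY_LEN = 13  # 2 marker bytes + 8-byte account ID + 2-byte code + 1 trailing byte


def _entries(buf: bytes, count: int, start: int) -> List[Tuple[str, bytes]]:
    """Walk `count` 13-byte account entries beginning at 0-based offset `start`,
    refusing truncated input or entries that break the 00 01 ... 00 framing."""
    out = []
    for i in range(count):
        off = start + i * ENTRY_LEN
        e = buf[off:off + ENTRY_LEN]
        if len(e) != ENTRY_LEN:
            raise ValueError(f"entry {i} truncated at offset {off}")
        if e[:2] != b"\x00\x01" or e[12] != 0:
            raise ValueError(f"unexpected entry framing at offset {off}")
        out.append((e[2:10].hex(), e[10:12]))
    return out


def parse_privilege(buf: bytes) -> List[Tuple[str, str]]:
    """Slide 49: account count at byte 12 (1-based, assumed to be a single byte),
    account list from byte 13. Returns [(account_id_hex, 'granted'|'denied'), ...]."""
    count = buf[11]
    return [(acct, GRANT_CODES.get(code, f"unknown {code.hex()}"))
            for acct, code in _entries(buf, count, 12)]


def parse_atr(buf: bytes, name_len_at: int = 4) -> Dict[str, object]:
    """Slide 50 layout, relative to the 1-based byte that holds the name length:
    byte 4 for object .atr files (slide 50), byte 5 for privilege .atr files (slide 49).
    The name length is assumed to be one byte (the dump shows 22 00 00 00)."""
    p = name_len_at - 1               # 0-based offset of the length byte
    n = buf[p]
    name_start = p + 4                # slide 50: byte 8 when the length is at byte 4
    name = buf[name_start:name_start + n].decode("ascii")
    owner_at = name_start + n + 3     # slide 50: byte (11 + len)
    owner = buf[owner_at:owner_at + 8].hex()
    count_at = owner_at + 8           # slide 50: byte (19 + len)
    perms = [(acct, PERMISSION_CODES.get(code, f"unknown {code.hex()}"))
             for acct, code in _entries(buf, buf[count_at], count_at + 1)]
    return {"name": name, "owner": owner, "permissions": perms}


# Bytes of presentation+server+administrators.atr exactly as dumped by xxd on slide 46.
GROUP_ATR = bytes.fromhex("".join("""
8000 0c00 2200 0000 7072 6573 656e 7461
7469 6f6e 2073 6572 7665 7220 6164 6d69
6e69 7374 7261 746f 7273 0600 01ff ffff
ffff ffff ff01 0001 feff ffff ffff ffff
0300 0000 0e00 0000 6163 636f 756e 7469
6e64 6578 2131 0200 0000 0000 0000
""".split()))

# Constructed privilege file: 11 undocumented header bytes, count = 2, then two entries.
CONSTRUCTED_PRIV = (
    b"\x00" * 11
    + b"\x02"
    + b"\x00\x01" + bytes.fromhex("32539c1d5ffdb65b") + b"\xff\xff" + b"\x00"  # ID from slide 47
    + b"\x00\x01" + bytes.fromhex("0102030405060708") + b"\x00\x00" + b"\x00"  # made-up ID
)

if __name__ == "__main__":
    print(parse_atr(GROUP_ATR, name_len_at=5))
    print(parse_privilege(CONSTRUCTED_PRIV))
```

Parsing the slide 46 dump with the slide 49 offset (length at byte 5) yields the display name "presentation server administrators", owner ID ffffffffffffffff and a single Read entry for account feffffffffffffff, which is the consistency check an audit script should run before trusting its own output on a whole catalog. The framing check in `_entries` is what turns "seems to always be 00 01" into something that fails loudly when a catalog version changes the layout instead of producing wrong permission reports.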

Slide 51: Security Audit – Perl saves the day
■ Script traverses the 'important' branches of the web catalog
■ Parses and collects security information
■ Loads into Oracle tables
  – obiee_security_aud_accounts
  – obiee_security_aud_group_mem
  – obiee_security_aud_objects
  – obiee_security_aud_object_perm
  – obiee_security_aud_privs

Slide 52: Security Audit – Queries
■ Objects without proper ownership
■ Differences between two catalogs
  – Users and Groups
  – Group memberships
  – Object differences
  – Object Permissions
  – Privileges

Slide 53: Security Audit: Demo
DEMO

Slide 54: Questions?

Slide 55: PAUSE – Session Variables
(diagram) Tables: Groups; Other Variables (Display Name, Email Address); HR DEPTIDs; Finance DEPTIDs; Finance FUNDs → Session Variables; Security Override → Session Variables

Slide 56: Contact
■ OBIEE Technical Conference: http://polydata.calpoly.edu/dashboards/obiee_conf/index.html
■ Email: polydata@calpoly.edu
