ldap and external table

Upload: janandeshi

Post on 06-Apr-2018


  • 8/3/2019 LDAP and External Table

    1/16

    In the last 2 training day events that we ran in Atlanta and Bangalore, we showed a demo of how the BI EE 11g security works. One common question that we got out of both events was how do we use the 10g security model in 11g. Though the BI EE 10g security model is not recommended, there are quite a lot of companies who have built their processes around this model for user provisioning etc. So, let's take a look at how we can use BI EE 11g with the BI EE 10g model of security.

    Before we go into BI EE 11g, let's do a quick recap on how the BI EE 10g security model works. Let's use Active Directory as the underlying LDAP against which users will be authenticated. In 10g, for authenticating & authorizing against LDAP, we will be using 2 init blocks. They are

    1. Authentication Init Block: In this init block, the USER variable will be defined as the variable target and a connection to the Active Directory LDAP server will be defined as shown below.


    2. Authorization Init Block: BI EE 10g had an issue in extracting the LDAP groups directly. So for authorization there are a couple of alternative ways that are typically used:

    a. Using DBMS_LDAP PL/SQL to extract the Active Directory groups dynamically using an init block. These groups will have to be manually defined in the repository as well.

    b. Using an external database table to hold the user to group mapping. Then an init block will be used to extract the groups dynamically. Even in this case the Groups will have to be defined in the repository.

    In both the cases above, the important point to note is the dynamic assignment of Group(s) to a User using Row-Wise initialization. An example is shown below showing the User to Group assignment table in 10g (and also the corresponding Init Blocks).


    After doing this, if we now log into BI EE 10g as each of these users, we should be able to look at the USER and GROUP session variables. For Pierre Houdan there will be 2 groups assigned and for Charla Malinsky there will be only one group, as shown below.


    This way 10g offered good flexibility of having dynamic USER to GROUP assignment. In BI EE 11g, since all the Users and Groups have moved to the Weblogic Default Provider, we cannot use dynamic init block based assignment for Users and Application Roles residing within Weblogic. There are other methods for doing dynamic user-group assignment within the Weblogic Default Provider. But for now, let's consider a method that we have used before in the past, i.e. the 10g way of using Init Blocks.

    In the article here, I had shown how we can replace the Default Provider with Active Directory within Weblogic. But even in that case, the Weblogic User-Group assignments are obtained directly from Active Directory. Also, the Group/User to Application Role mapping will have to be done manually. To make it dynamic (from a database table) using init blocks, we cannot use that method. So, we will have to follow the 10g method of authentication/authorization.

    To begin with, we need to ensure that we do not have overlapping users/groups in both the Weblogic Provider and Active Directory. After ensuring this, we start off with defining a server connection to Active Directory from within the BI EE 11g repository as shown below.

    http://www.rittmanmead.com/2010/11/01/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/


    We then define an initialization block to set the USER variable using the above defined LDAP server as shown below.


    To make it similar to what we have in 10g, let's create a database table containing the User to Group (Application Role in 11g) mapping.


    Create the 3 Groups (sfusers, sfmanagers & ManagementGroup) as Application Roles within BI EE 11g. The procedure for defining the Application Roles is given here.

    After defining the application roles, restart the BI Server so that the changes can be picked up by the BI Server.


    In our repository we have 2 subject areas, Sales Fact Sales & Sales Store Quality. Sales Fact Sales can be used by users belonging to the sfusers & sfmanagers application roles. Sales Store Quality can be used by users belonging to the ManagementGroup application role. So, let's define the security in the repository accordingly. Also, the Staff Dimension in the Sales Fact Sales Subject area can be accessed only by users belonging to the sfusers group.


    Before starting to create the Initialization blocks for authorization, let's try to understand how application roles in 11g work. Let's define a user in Active Directory called ADUser. For now, this user does not belong to any application role. Also, no initialization blocks for authorization have been defined yet in the repository. If you go into the repository and look at the list of System Session Variables, there are 2 variables now in 11g that determine Authorization. They are ROLES and GROUP.

    Remember, even though we have a variable called GROUP, this variable will actually affect the ROLES variable. The ROLES variable cannot be updated directly through an initialization block. To understand further, let's try to log in as the ADUser.


    As you see, the user is not able to log in. This is different from a user defined in the Weblogic Default Authenticator. For external AD users coming through an Init Block, the GROUP variable should have a value, and the value should match at least one of the Application Roles. So, to test this out, let's add the ADUser to the sfusers Group in our authorization table. Also, let's define a new Authorization Init Block which will set the GROUP variable from this database table.


    If we now log in as the ADUser, the login should succeed.


    Though this user is able to log in, this user still does not have the privilege to create new reports. To do that, let's add the ADUser to the BIAuthor role as well in the database table.

    If we now log back in as the ADUser again, this user should have access to create reports.
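    As an added illustration (not the page's or Oracle's own code), the following Python/sqlite model shows the user-to-group mapping table and the row-wise authorization init block described above, together with the 11g rule that an init-block user's GROUP value must match at least one Application Role before login succeeds and that the matching values are what surface in ROLES. The table and column names USER_GROUP_MAP, USER_NAME and GROUP_NAME, and Charla's single group being sfmanagers, are assumptions.

```python
import sqlite3

# Constructed sample rows for the user-to-group mapping table that the
# authorization init block reads (table and column names are assumed):
# Pierre gets two groups and Charla one, as in the 10g recap; ADUser gets
# sfusers and BIAuthor, as in the 11g walkthrough.
USER_GROUP_ROWS = [
    ("Pierre.Houdan", "sfusers"),
    ("Pierre.Houdan", "sfmanagers"),
    ("Charla.Malinsky", "sfmanagers"),
    ("ADUser", "sfusers"),
    ("ADUser", "BIAuthor"),
]

# Application roles defined in BI EE 11g: the three from the page plus
# BIAuthor, which ADUser needs in order to create reports.
APPLICATION_ROLES = {"sfusers", "sfmanagers", "ManagementGroup", "BIAuthor"}

# Row-wise init block query. In the repository it would be written with
# ':USER' in place of the bound parameter; the BI Server substitutes the
# authenticated user. Column 1 names the variable, column 2 gives one value.
INIT_BLOCK_SQL = "SELECT 'GROUP', GROUP_NAME FROM USER_GROUP_MAP WHERE USER_NAME = ?"


def build_mapping_db():
    """Create an in-memory copy of the mapping table with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USER_GROUP_MAP (USER_NAME TEXT, GROUP_NAME TEXT)")
    con.executemany("INSERT INTO USER_GROUP_MAP VALUES (?, ?)", USER_GROUP_ROWS)
    return con


def run_row_wise_init_block(con, user):
    """Session variables a row-wise init block populates: every returned row
    becomes one more value of the variable named in column 1."""
    session_vars = {}
    for var_name, value in con.execute(INIT_BLOCK_SQL, (user,)):
        session_vars.setdefault(var_name, []).append(value)
    return session_vars


def authorize(con, user):
    """Model of the 11g rule described above: a user authenticated through an
    init block can only log in if at least one GROUP value matches a defined
    Application Role; the matching values are what surface in ROLES."""
    groups = run_row_wise_init_block(con, user).get("GROUP", [])
    roles = sorted(g for g in groups if g in APPLICATION_ROLES)
    return (len(roles) > 0, roles)  # (login_ok, roles)
```

    A user with no row in the table, like ADUser before it was added, gets an empty GROUP and is refused, which is the failed login shown above.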

    To make it a bit more interesting, let's make the following changes to the permissions in the presentation layer. Let's provide the sfusers & sfmanagers groups access to create reports. Also, let's provide them access to create reports on their respective subject areas as shown below.


    If we now log in as Pierre.Houdan, we should be able to create reports out of both the Subject Areas available.

    Also, if we go into the Sales Fact Sales subject area, the Dim Staff will not be visible to this user as only the sfusers group has access to this.

    If we log in as Charla.Malinsky, we should be able to create reports only out of the Sales Fact Sales subject area.


    As you see, both the Presentation Services privileges and the RPD privileges get honored properly. Let's now create a report to look at the USER and ROLES session variable values. Following is what we would get.

    As you see, the values that we pushed into the GROUP variable (sfusers, sfmanagers, ManagementGroup etc.) are now available in the ROLES variable. Another important point to note is, whenever we set up the security using the above method in 11g, we would be getting the warnings in the Admin Console as shown below. The reason for this is that Weblogic will try to authenticate these users first in its default authenticator before pushing them through the init blocks. So, it's important to be aware of this overhead.
