Wednesday, April 15, 2009

Authentication In OBIEE

The Oracle BI Enterprise Edition (OBIEE) supports the following authentication types:

Built in BI Server authentication

BI Server authentication stores credentials and other attributes in the repository file.
• Good for testing and small installations, but can become a problem if users change often
• Users cannot be shared across multiple repositories
• If a user exists here, no other logon procedures will be used
• Users can be imported from an LDAP server and refreshed periodically
• Maintaining your passwords in many applications is also difficult

Database users Authentication

• Create named database users in the repository that exactly match the users in the database
• Assign these users to groups if needed and grant permissions
• Specify in the NQSConfig.ini file that database authentication will be used
• Set up a connection pool in the physical layer of the repository without a shared login

NQSConfig.ini configuration changes
#----- 1 -----
#AUTHENTICATION_TYPE = NQS; // optional and default
#
#----- 2 -----
AUTHENTICATION_TYPE = DATABASE;
[ DATABASE ]
DATABASE = "asdb";
#
#----- 3 -----
#AUTHENTICATION_TYPE = BYPASS_NQS;


LDAP Authentication

• Create a new LDAP server entry in the Security Manager
• Create an Initialization Block to populate the security session variable USER
• Assign the LDAP unique username attribute to the USER variable
• Log in with the LDAP credentials

Set up the LDAP server in the repository

Configure the hostname and port for LDAP

Define the unique identifier

Create a new initialization block

Assign a data source to the block

Assign the data source to the target

Create a new variable for the user name

Map the LDAP attribute to the USER variable

Enable "Required for authentication"


‣ External tables Lookup

• An initialization block fires to authenticate the user based on a table lookup
• The session variables USER and PASSWORD are used to query an existing security table
• Other attributes, such as email and groups, can be picked up at the same time

The following table can be imported into the physical layer and used for authentication.

Select
username,
groups,
fullname
From
obiee_users
Where username=':USER'
and password=':PASSWORD'

Enter the SQL in the initialization block.


‣ Custom Authenticators


• An API is defined in the administration guide
• A developer implements and delivers a library that exposes the API
• The BI Administrator defines a new Custom Authenticator using the custom library
• The administrator then defines an init block to execute the custom authentication and map the results to session variables
• Log in with the required credentials
• The BI Server hashes the supplied password and compares it with the hash in the password file
• The initialization block populates the USER and GROUP variables
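
The hash-and-compare step described above, as an added Python example. It is not code from the original post and is not Oracle's authenticator API. The password-file layout (`user:salt:hash:groups`), the PBKDF2 parameters, the sample accounts and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)

def make_entry(user, password, groups, salt):
    """Build one password-file line: user:salt_hex:hash_hex:group1;group2"""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{digest.hex()}:{';'.join(groups)}"

def parse_password_file(text):
    """Parse the file into {user: (salt, hash, [groups])}; skip blanks and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, hash_hex, groups = line.split(":", 3)
        entries[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex),
                         [g for g in groups.split(";") if g])
    return entries

# Stand-in record for unknown users, so a missing account costs the same
# hashing work as a wrong password and cannot be told apart by timing.
_DUMMY = (b"\x00" * 16, b"\x00" * 32, [])

def authenticate(entries, user, password):
    """Return the values for the USER and GROUP session variables, or None."""
    salt, stored, groups = entries.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison; the membership test rejects the dummy record.
    if not (hmac.compare_digest(candidate, stored) and user in entries):
        return None
    # Assumption: GROUP is handed over as a semicolon-separated list.
    return {"USER": user, "GROUP": ";".join(groups)}

# Constructed sample password file (fixed salts keep the example reproducible;
# a real file needs a random salt per user).
SAMPLE_FILE = "\n".join([
    "# user:salt:pbkdf2_sha256:groups",
    make_entry("asmith", "S3cret!pass", ["Sales", "Analysts"], bytes(range(16))),
    make_entry("bjones", "0ther-Pass", ["Finance"], bytes(range(16, 32))),
])

if __name__ == "__main__":
    users = parse_password_file(SAMPLE_FILE)
    print(authenticate(users, "asmith", "S3cret!pass"))
    print(authenticate(users, "asmith", "wrong"))
    print(authenticate(users, "nobody", "S3cret!pass"))
```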

Create a new custom authenticator

Specify the plug-in and the configuration password file

Map to the USER and GROUP variables

3 comments:

  1. Normally, which type of authentication is used in industry?
  2. It mainly depends on the customer requirements and their existing security model. I have seen all kinds of authentication/security beyond the scope of this doc as well, implemented at various clients, but mostly the popular ones are LDAP, EBS-SSO, and custom authentication.
  3. How to configure the database authentication? I.e., I want to log in with my transactional database user account credentials.