
www.deliverbi.co.uk
+44 (0)203 005 5244
Email : training@deliverbi.co.uk

Delivering World Class BI Solutions

OBIEE
INTRODUCTION TO BASIC SECURITY SETUP
– 11G VS 10G

Authors: co founders of DELIVER BI


Krishna Mohan (Projects Director)
Shahed Munir (Technical Director)
18th August 2010


Overview
This paper briefly explains the enforcement of basic security in OBIEE 10g and presents the
steps to be carried out on OBIEE 11g to achieve the same results.

In OBIEE 10g the setup consists of creating users & groups, whereas in OBIEE 11g the setup
consists of creating users, groups & roles.

The focus of this paper is the introduction of the basic security aspects of OBIEE 11g using
10g as a starting point. The steps required to create users, organise them into groups and
enforce data security are addressed in this paper using the following theme:

• Create two users
• Create two groups
• Setup group level filters to restrict the data (using single Answers report) depending on
the user region

The standard ‘Paint’ RPD that comes with OBIEE 10g and 11g is used to explain the security
setup.

In OBIEE 10g, the basic security can be enforced from within the RPD, whereas in OBIEE
11g the security is enforced in the Oracle Weblogic Server 11g Administration Console
(henceforth referred to as Weblogic Server) as well as the Oracle Enterprise Manager 11g
Fusion Middleware Control (henceforth referred to as OEM) and BI Administrator (henceforth
referred to as RPD).

• OBIEE 11g users & groups are created on the Weblogic Server
• Users represent the individuals logging into OBIEE
• A selection of users is represented by a Group
• Role is a new concept introduced in OBIEE 11g that can enforce security within the RPD and
the Presentation Catalog. Roles do not replace Groups but can co-exist. It should be noted that
a Role is a mandatory building block to enforce security in OBIEE 11g
• Though usage of Groups is optional in OBIEE 11g, it is strongly recommended to rely on
Groups in association with roles to avoid re-starting OEM multiple times


OBIEE 10g Setup Steps

Step 1: Creation of Group(s)

Login to Oracle BI Administration tool in offline mode and follow the navigation Manage → Security


Create two new users following the navigation Action → New → User


Create two new Groups following the navigation Action → New → Group

Once the Group is created, use the Add button at the bottom of the screen to associate the
User created in the earlier step


Click on the Permissions button in the above picture and navigate to Filters tab


Click on the Add button to add a filter; you should see the screen given below


Apply filter of type Logical Table Level and select ‘Region’ field from Markets dimension and
click on Select

Click on the three dots under the field Business Model Filter to open up Expression Builder


Below is the Expression Builder.

Type in the text ‘CENTRAL REGION’

Click on OK


After you have clicked OK you will see the screen below.

Similarly, pick up the Western Region Group and create a filter with the text ‘WESTERN REGION’ for
the Region field within the Markets dimension


Start the BI servers and login to OBIEE as Central_U1 user


Create a simple Answers report

The data filter is applied at group level to Central regions only to retrieve restricted data.

When logged in as Western_U1, the data filter is applied to bring data related to Western
Region only

This security setup will restrict the data retrieved by all OBIEE components like analysis
reports / Dash Boards for any user associated with the Group.

Now we will move on to OBIEE 11g and see how we can get the same result.


OBIEE 11g Setup Steps

The user name for this installation is weblogic, and it can be used to log in to all 3 server instances listed
below.

Setup                                       URL
WebLogic Console                            http://oraclepc:7001/console
Oracle Enterprise Manager                   http://oraclepc:7001/em
Business Intelligence Enterprise Edition    http://oraclepc:9704/analytics

Weblogic Server Administration Console 11g

Note: Users and Groups are set up in the Weblogic Server Administration Console 11g.

Login to Weblogic Server


Once logged into the Weblogic Server, click on Security Realms as displayed in the picture below.
It is the 4th option down in the left hand side panel, which is visible once logged in.

You will be presented with a screen to select a security realm; the default realm is myrealm.
Click on myrealm to continue onto the next screen.


This is the screen where we can click on the tabs to set up users and groups for myrealm. Click on the
Users and Groups tab.

Click on the Groups tab. We can start setting up a group. The default security provider we will need
here is Default Authenticator. You can create as many groups as you like, such as “central group”,
“northern group” etc. Groups are containers to hold users. Click on New to create a group.


Fill in the relevant details to create a group. The name of a group could be anything, but we went with
Centralgroup to control users who are eligible to see certain data sets or dashboards, reports etc.

When the required details are entered, click OK. You will return to the earlier screen and you will see
the Users tab. Click on the Users tab. This is where we can set up users that can access Dashboards and
Reports etc. Click on New to create a new user.


Here you can create a user.

Remember, a user can login to OBIEE whether they are in a group or not. Fill in user name, password
etc. and click OK.


You will arrive back at the previous screen. Click on Users Tab.


Click on the user name you created. This will take you to a user settings screen. On this screen click
on the groups tab and assign the group you created earlier. You can keep creating as many users as
you like and assign them to this group. Even if you do not assign users to a group, they will still work in
OBIEE. But it will make life a lot easier if you utilise groups when it comes to setting up the OEM
Authentication further on in this paper. Click Save.

That’s it, you have set up users and groups. The good thing about the Weblogic server is that once you
have set up users and groups you don’t have to stop or start the BI Services. It is as simple as setting
up a user and assigning the user to a group.

The next step is to set up a role. A role is visible at RPD level so that you can filter data etc. and is also
available at the Catalogue level so that you can control security on dashboards and reports etc.


OEM Enterprise Manager

Go to http://oraclepc:7001/em. This could be the default URL for your OEM.

The Enterprise Manager console is used to upload an RPD, restart BI services, create roles (roles that
can be accessed in the RPD and catalogues) as well as other administration tasks.

Login to OEM (Oracle Enterprise Manager Fusion Edition)


Once logged in you will see a panel on the far left of the screen. Click on the + on Business Intelligence;
this will drop down and display core application. You will be presented with the screen below. Here you
can see you are on the Overview tab. You can start and stop BI services from here. Click on Restart
services to restart your services, and make sure it comes back with 100% once all services have
started, as in the screenshot below.


Now that services are ok and refreshed we can click on the security tab. Here you will see a small
navigation link called configure and manage application roles. Click on configure and manage
application roles. Once clicked this will bring up a screen where we can start setting up roles.


As you can see, all the default roles are displayed. We can cover default roles at a later date, but I can
tell you that BI Consumer is given to all users by default. Once you click on Create... a screen will
open where we can create a new role. Note that the BI Server will require a restart every time a role is
created. This is where the group that we set up in the Weblogic server comes in handy. A role can be
assigned to a user or a group, but you don’t want to restart the server every time you add a user. So
add a group to the role, and users can then be added to the Group at Weblogic server level so no restart is needed.

Click on Create...


In the create application role screen, start creating a role. Fill in the Role name, scroll down the page
and add the group we created earlier on. Once complete, click OK. After a role is created you will need
to restart the BI server so that the role is captured automatically when the BI server is restarting.

Once the BI server has restarted the role(s) and users will be visible in the RPD in online Mode only.
You can however check them out in online mode and check them in and they will be available in offline
mode too within the BI Administrator.

The role will also be visible in the Catalogue Manager for dashboards etc. Below is an example in the
administrator RPD on how we can control the data using a filter the same as OBIEE 10g.


Open BI Administrator in ONLINE mode (the blue folder is online mode) and fill in the required connection
information.


Ensure the roles are visible in the BI Administrator by going to tool bar at top and selecting Manage →
Identity → Click on Application Roles Tab

As you can see the roles we created in the OEM have now appeared here after the BI Services were
restarted.

Users created in the Weblogic server can also be viewed in BI Administrator. Note: Groups created in
Weblogic cannot be viewed here. Best practice is to use Roles.


Check users to see if they are assigned to the relevant roles that the groups were assigned to in OEM
by double clicking the user in BI Administrator.

Users are members of a Group created in weblogic. The Group is associated with a Role in OEM.
Using these associations, a user will be connected to a Role (through Group membership). In BI
Admin, for a User you can only see the affiliated Roles and will not be able to see Groups. Ensure that
the appropriate roles are displayed with the tick for the chosen User. Note that BIConsumer is a
default role as mentioned earlier. Click on cancel.

User → Group → Role


We will arrive back to the users tab then click on the application roles tab.

As the roles are now visible in the RPD we can start creating filters on the role to condition the data.

Double click the relevant role. It will ask you to check out. Click Yes, as we need to edit the role to add
a filter.


Double click the role again and you can now click on the Permissions Tab


This will open a window which is used to create the filter, similar to that of 10g. Just click on the green +
and away you go.

Add a field from Physical Table Layer by clicking on the green +.


Field has been added. Click onto the Data Filter field. Then click the Calculator style icon to start
building the restriction in expression builder if required


Fill in the condition required to restrict data.

Click OK and your filter has been set to restrict data at Role Level. Keep clicking OK till you get back
to the Main BI Administration screen. Check Roles Back in to Online RPD.

While checking in your RPD, if you get the error NQS : 37005 Transactional update failed, close the RPD
and restart your BI services. This should resolve the issue. Log back in ONLINE mode and then repeat
the steps above to create your filters. These filters can be set in offline mode once your BI Server is
down.

Remember: a User has a group and the group has a role. You can now assign users to a group and
your data in Analysis and dashboards will be filtered as in OBIEE 10g.

Roles created can also be viewed within the Catalogue Manager in OBIEE.


We can now login to OBIEE as the user we created, centraluser, and the data set will be restricted to
only central regions.

If we login as weblogic, with no filters, we can see all the data.
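
The User → Group → Role chain and the role-level filters described above can be reviewed offline. The following is an added example, not code from the original paper or from Oracle: it models the three mappings with constructed data and reports each user's effective roles and data filters, flagging users who reach no filtered role. The role names, the user newstarter and the filter strings are assumptions.

```python
# Constructed sample data mirroring the paper's setup. Role names, the user
# "newstarter" and the filter strings are assumptions for illustration only.
GROUP_MEMBERS = {                      # Weblogic Server: group -> users
    "Centralgroup": {"centraluser"},
    "Westerngroup": {"westernuser"},
}
ROLE_MEMBERS = {                       # OEM: application role -> groups or users
    "CentralRole": {"Centralgroup"},
    "WesternRole": {"Westerngroup"},
}
ROLE_FILTERS = {                       # RPD: application role -> data filter
    "CentralRole": "Markets.Region = 'CENTRAL REGION'",
    "WesternRole": "Markets.Region = 'WESTERN REGION'",
}
DEFAULT_ROLE = "BIConsumer"            # given to all users by default
ALL_USERS = {"centraluser", "westernuser", "weblogic", "newstarter"}


def groups_of(user):
    """Groups the user belongs to in the Weblogic realm."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def roles_of(user):
    """Roles reached directly or through group membership, plus the default."""
    principals = groups_of(user) | {user}
    roles = {r for r, members in ROLE_MEMBERS.items() if members & principals}
    return roles | {DEFAULT_ROLE}


def filters_for(user):
    """Data filters attached to any of the user's effective roles."""
    return sorted(ROLE_FILTERS[r] for r in roles_of(user) if r in ROLE_FILTERS)


def unfiltered_users():
    """Users who can log in but whose roles carry no data filter."""
    return sorted(u for u in ALL_USERS if not filters_for(u))


def effective_access():
    """Map every user to (sorted roles, filters) for review."""
    return {u: (sorted(roles_of(u)), filters_for(u)) for u in sorted(ALL_USERS)}


if __name__ == "__main__":
    for user, (roles, filters) in effective_access().items():
        print(f"{user:12} roles={roles} filters={filters or 'NONE'}")
    print("No data filter:", unfiltered_users())
```

Because a user can log in without belonging to any group, the unfiltered list is the one to review after each batch of new accounts.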

That’s it. You now know how to set up a user, group and role within OBIEE 11g and set up filters to
restrict data.
