Friday, August 27, 2010

OBIEE interview- Security

One interview question that is always asked in an OBIEE Interview is regarding security. The question is asked in different manners e.g. Tell me how you implemented security in your recent project? Or Have you configured external table security in any project? Or In how many ways you can implement security in OBIEE? Or Have you configured an LDAP server for security in OBIEE? The answers below relate to OBIEE 10g.

Security is an important aspect of an OBIEE implementation project, and I have been involved in strategizing security in all the projects I worked on. There are various ways in which we can define security in OBIEE.
  1. Define security in the repository.
  2. External table authentication.
  3. LDAP authentication.
  4. Database authentication.
  5. Custom authentication.
Define security in the repository: In the Oracle BI Administration tool we can create users and groups to define permissions and authentication. We then grant permissions to users and groups.

Note: The privileges which are exclusively granted to a user have precedence over group’s privileges. Also, in case of a conflict the least restrictive privileges apply.

LDAP Authentication: I have implemented LDAP (Lightweight Directory Access Protocol) server authentication in my recent project. We used ADSI (Active Directory Service Interface) in this project.

When asked about how LDAP is set up you can say that, in the security manager create an LDAP server. For this in security manager we go to Action> New> LDAP Server. This brings us to LDAP Server dialog box, where we fill in the parameters like Name, Host Name, Port No., LDAP Version (Default 3), Base DN, Bind DN in general settings. We also define settings in Advanced tab where we fill in Connection Time-Out, Domain Identifier, Enable/Disable SSL etc.

We then created an LDAP initialization block, which was associated with the LDAP Server. Here, we define USER as our system variable which is mapped to LDAP uid.

Note: We can also use LDAP server only to import user and group definitions. This is used when we don’t want external authentication by LDAP.

External Table Authentication:  I have used External Table Authentication in my projects. To implement this we have to create a table in the database which will have columns to define users, password, and groups, log level, display name, etc. information to define security and privileges. To use this table for authentication in OBIEE we created a new connection pool in the physical layer to connect to this db/table. Then we created an initialization block using the newly defined connection pool for this table. We then defined the initialization string (e.g. select username, password, lognumber, groupname from auth_table where username = ‘:USER’ and password = ‘:PASSWORD’). We then defined the corresponding variables (e.g. USER, PASSWORD, LOGLEVEL, GROUP etc.). We have to make sure that the order of variables is same as the initialize.

Database Authentication: I have not used this type of authentication in my projects. We first make changes in our NQSConfig.ini file. In the security section, we specify our authentication database. Then we create users in the repository which are same as the users in our database. We assign these users privileges. We import this database in the physical layer of our repository using the DSN of that particular database. For this particular connection pool we set up a non shared logon.  This connection pool will now be used to connect to the database. If you are able to connect, then you are authenticated successfully.

Custom Authentication:  I never came across a custom authentication in my career. John has written an article on custom authentication here.

In this article I tried to briefly describe the security types in available in OBIEE, this is not to much in detail but good pointers for an interview. Actual implementation will need a lot more information and details; refer Oracle BI Administration Guide; the links below might be helpful.

Kumar has very impressive articles on security visit


No comments:

Post a Comment