December 5, 2008 1 OBIEE Technical Conference Security Overview Dan Malone.
Post on 24-Dec-2015
218 Views
Preview:
Transcript
December 5, 2008 1
OBIEE Technical Conference
Security Overview
Dan Malone
December 5, 2008 2
Session Overview
This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft
security is used to drive security in the data warehouse and OBI. We will discuss OBI
privileges and object permissions and how we modeled our security for Dashboards and
Answers. We will also provide a brief overview on how we implemented CAS authentication
and Single Sign On.
December 5, 2008 3
Security From 30,000 Feet
■ Identification■ Authentication■ Authorization■ Audit
December 5, 2008 4
Consistent Security Across Applications
■ PeopleSoft■ Data Warehouse■ OBIEE
– BI Server – Presentation Services
» Answers» Dashboards
December 5, 2008 5
Identification/Authentication
■ Identification– Common USERNAME across all
■ Authentication– Web Single Sign-On (CAS)
» PeopleSoft» OBIEE Presentation Services
December 5, 2008 6
CAS Integration with OBI
■ Need slides from David K.
December 5, 2008 7
CAS Integration
OC4J Servlet Container
Soulwing CAS Client
http://www.soulwing.org/Gets USERNAME into Session
Cal Poly Developed FilterCopies Session USERNAME
into Request Header
REMOTE_USER
OBI Single Sign-OnTells OBI to get
REMOTE_USER
from Request Header
December 5, 2008 8
Single Sign-On
■ Create Impersonator Admin account in Repository
■ USER Session Variable■ Session Initialization Blockselect lower(':USER') from dual
December 5, 2008 9
Issues with Web Single Sign-On
■ Can not use database security– Proxy User
■ How to perform administrative tasks– Include a local Role in Presentation Server
Administrators– Method to login as Administrator user
» Password on URLhttps://server/analytics/saw.dll?nquser=Administrator&nqpassword=<password>
December 5, 2008 10
Authorization
■ Privileges■ Web Catalog
– Objects– Permissions
■ Groups
December 5, 2008 11
Authorization: Privileges
■ Access■ Admin■ Catalog■ Dashboards■ Answers■ My Account■ Subject Area XXXX■ View XXXX
December 5, 2008 12
Privileges: Things to Remember
■ Most default to Everyone■ Don’t remove Personal Storage before
creating a default Dashboard■ New Subject Area will not show up until
someone starts Answers■ Privileges can not be migrated
December 5, 2008 14
Authorization: Web Catalog Objectsfor Dashboards
■ Folder– Dashboard
» Page
■ Request
December 5, 2008 15
Authorization: Web Catalog Objectsfor Answers
■ Subject Area■ Folder■ Request
December 5, 2008 16
Authorization: Web Catalog Permissions
■ No Access■ Traverse■ Read■ Change/Delete■ Full Control
December 5, 2008 17
Authorization: Groups
■ BI Server/Repository Security– Groups
■ Presentation Services Security– Web Groups
December 5, 2008 18
Authorization: Groups
PeopleSoft
Finance
Roles
PeopleSoft
HCM
Roles
Other
Application
Roles
Consolidated
Roles
Tables
Data
Warehouse
Roles
BI Server
Groups
Presentation
Services
Web Groups
December 5, 2008 19
Groups via Session Variables: Step 1
■ Set up Oracle Table/View for Groups
CP_USERNAME NAME VALUE
dbrothwe@calpoly.edu DISPLAYNAME Debbie
dbrothwe@calpoly.edu EMAIL dbrothwe@calpoly.edu
dbrothwe@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu GROUP ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu GROUP BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu GROUP WAREHOUSE_USER
gyelland@calpoly.edu DISPLAYNAME George
gyelland@calpoly.edu EMAIL gyelland@calpoly.edu
gyelland@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
gyelland@calpoly.edu GROUP POLYDATA_SUPPORT_RL
gyelland@calpoly.edu GROUP WAREHOUSE_USER
December 5, 2008 20
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email AddressSession
Variables
v
December 5, 2008 21
Groups via Session Variables: Step 2
■ Session Initialization Block– Row-wise initialization– No Caching– Execution Precedence
select name, value from dwadmin.obiee_session_variables where cp_username = lower(':USER')
December 5, 2008 22
Session Variables Initialization Block
December 5, 2008 23
Groups via Session Variables: Step 3
■ Create OBI Groups– BI Server
» Group
– Presentation Services» Web Group
December 5, 2008 24
Groups: Things to Remember
■ Do not manually grant BI Server Groups to Users
■ Group and Web Group must be exactly the same name
December 5, 2008 26
Authorization: Dashboards
■ Create a folder for each Subject Area■ Create a sub-folder for each Page
– Requests
■ Each Dashboard has the same permissions
■ Each Page on the Dashboard has the same permissions
December 5, 2008 27
Authorization: Things to Remember
■ Object Owner ALWAYS has Full Control– Set Owner to Administrator
■ Permission Inheritance… Sort of.■ Apply changes to sub-folders
– Web Based Tool Default: YES– Windows Based Tool Default: NO
■ Special user: System Account
December 5, 2008 28
Recommendations
■ Keep it simple!■ Assign permissions to groups only■ Assign permissions at the folder level
– Everything in a folder has the same permissions
December 5, 2008 30
Row Level Security
■ What data drives Row Level Security?– PeopleSoft DEPTID
December 5, 2008 31
Row Level Security: Step 1
■ Create Oracle Table/View for DEPTIDs
CP_USERNAME NAME VALUE
dbrothwe@calpoly.edu DISPLAYNAME Debbie
dbrothwe@calpoly.edu EMAIL dbrothwe@calpoly.edu
dbrothwe@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu GROUP ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu GROUP BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu GROUP WAREHOUSE_USER
dbrothwe@calpoly.edu HR_DEPTID 100100
dbrothwe@calpoly.edu HR_DEPTID 100200
dbrothwe@calpoly.edu HR_DEPTID 100300
dbrothwe@calpoly.edu HR_DEPTID 100400
dbrothwe@calpoly.edu HR_DEPTID 100500
December 5, 2008 32
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email Address
HRDEPTIDs
Session
Variables
v
FinanceDEPTIDs
Finance
FUNDs
December 5, 2008 33
Session Variables Table
CP_USERNAME NAME VALUE
dbrothwe@calpoly.edu DISPLAYNAME Debbie
dbrothwe@calpoly.edu EMAIL dbrothwe@calpoly.edu
dbrothwe@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu GROUP ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu GROUP BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu GROUP WAREHOUSE_USER
dbrothwe@calpoly.edu HR_DEPTID 100100
dbrothwe@calpoly.edu HR_DEPTID 100200
dbrothwe@calpoly.edu FINANCE_DEPTID 122900
dbrothwe@calpoly.edu FINANCE_DEPTID 122901
dbrothwe@calpoly.edu FINANCE_FUND GA002
December 5, 2008 34
Row Level Security: Step 2
■ Session Initialization Block– Same initialization block that we used for GROUPS– If done this way, the initialization block does not
need to change
December 5, 2008 35
Row Level Security: Step 3
■ Open the Logical Data Source– In the business model layer, not the physical layer
December 5, 2008 36
Row Level Security: Step 4
■ Add the appropriate where statement to limit rows based on the new session variable.– Use the expression builder
to generate the code.– Since the HR_DEPTID is a
dynamic session variable, it does not show up in the list of available variables.
– Select the USER variable to generate the code, then change the variable name to HR_DEPTID.
December 5, 2008 38
Become Another User
■ See what a dashboard looks like when a different user logs in– Don’t as for their password!
■ All security is now based on session variables coming from Oracle tables
■ When a user logs in we can change everything about them
■ Exceptions– Cannot change a persons username– Object owner always has full control
December 5, 2008 39
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email Address
HRDEPTIDs
FinanceDEPTIDs
Finance
FUNDs
Session
Variables
Security
Override
Session
Variablesv v
December 5, 2008 40
Security Override Table
■ Simple table with two columns– CP_USERNAME– BECOME_CP_USERNAME
December 5, 2008 42
Security Audit
■ WARNING
http://propellerheadhats.com/
December 5, 2008 43
Security Audit – Requirements
■ Need an easy way to find differences between two web catalogs– Users– Groups– Permissions– Privileges
■ Check ownership of Web Catalog Objects■ We want to know why it works the way it does
December 5, 2008 44
Security Audit – Has it been done before?
■ Built-In?– NO!
■ Consultants– “That’s been an internal challenge for us
and we haven't been able to locate the files where that is stored”
■ Google– No Luck…
December 5, 2008 45
Security Audit
■ Web Catalog is just files and folders on the OS file system
■ File/Folder name is based on OBI display name– URL encoded and lower case
» Object Name => object+name
■ Every file and folder of the catalog has an associated “.atr” file– object+name– object+name.atr
December 5, 2008 46
Security Audit
■ Binary Files– Linux command to hex dump a binary file
» xxd
$xxd presentation+server+administrators
0000000: 0200 017c bc61 aacd bb2a 8a ...\|.a...*.
$xxd presentation+server+administrators.atr
0000000: 8000 0c00 2200 0000 7072 6573 656e 7461 ...."...presenta
0000010: 7469 6f6e 2073 6572 7665 7220 6164 6d69 tion server admi
0000020: 6e69 7374 7261 746f 7273 0600 01ff ffff nistrators......
0000030: ffff ffff ff01 0001 feff ffff ffff ffff ................
0000040: 0300 0000 0e00 0000 6163 636f 756e 7469 ........accounti
0000050: 6e64 6578 2131 0200 0000 0000 0000 ndex!1........
December 5, 2008 47
Security Audit – Users and Groups
■ Users– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu.atr
■ Groups– <catalog_root>/system/security/groups/523/presentation+server+administrators– <catalog_root>/system/security/groups/523/presentation+server+administrators.atr
■ Account IDs– <catalog_root>/system/accountids/699/32539c1d5ffdb65b– <catalog_root>/system/accountids/699/32539c1d5ffdb65b.atr
December 5, 2008 48
■ <catalog root>/system/privs– /catalog
» /changepermissionsprivilege» /changepermissionsprivilege.atr» /maintenancemodeprivilege» /maintenancemodeprivilege.atr
– /generalprivs» /global+admin» /global+admin.atr» /global+answers» /global+answers.atr» /global+portal» /global+portal.atr
– /security» /administerprivs» /administerprivs.atr» /takeownershipprivs» /takeownershipprivs.atr
– /…» /…
Security Audit – Privileges
December 5, 2008 49
Security Audit – Privileges
■ privilege file– The number of accounts granted this privilege is located at byte 12. – The account list starts at byte 13.
» Each account listed contains 13 bytes » The first 2 bytes always seems to be 00 01 » The next 8 bytes are the HEX ID of the account » The next 2 bytes determine if the privilege is granted or explicitly denied
◊ FF FF - Granted (for the first entry in the list) ◊ 01 00 - Granted (for other entries in the list) ◊ 00 00 - Explicitly denied
» The next byte always seems to be 00 ■ privilege.atr file
– Byte 5 contains the length of the display name. – Byte 9 is where the display name starts.
December 5, 2008 50
Security Audit – Permissions
■ object+name.atr file– Byte 4 Contains the length of the object name that starts on Byte 8– Byte 8 Start of the name of the object in nice form, including caps and
spaces.– Byte (11 + value of Byte 4) - Contains the HEX ID of the owner of this object
- 8 Bytes– Byte (19 + value of Byte 4) - Contains the number of permissions that have
been assigned, in our case to groups.– Next, each of the permission is represented in a 13 byte block.
» The first 2 bytes seems to always be 00 01 » The next 8 bytes of the 12 byte block contains the HEX ID of the user or group. » The next 2 bytes of the 12 byte block contains the permission granted.
◊ FF FF - Full Control ◊ 0F 00 - Change/Modify ◊ 03 00 - Read ◊ 02 00 - Traverse ◊ 00 00 - No Access
» The last byte seems to always be 00
December 5, 2008 51
Security Audit – Perl saves the day
■ Script traverses the ‘important’ branches of the web catalog
■ Parses and collects security information■ Loads into Oracle tables
– obiee_security_aud_accounts– obiee_security_aud_group_mem– obiee_security_aud_objects– obiee_security_aud_object_perm– obiee_security_aud_privs
December 5, 2008 52
Security Audit – Queries
■ Objects without proper ownership■ Differences between two catalogs
– Users and Groups– Group memberships– Object differences– Object Permissions– Privileges
December 5, 2008 54
Questions?
December 5, 2008 56
Contact
■ OBIEE Technical Conference:http://polydata.calpoly.edu/dashboards/obiee_conf/index.html
■ Email: polydata@calpoly.edu
top related