Oracle BI Application Security
KPI Partners Confidential
Agenda
• Oracle Business Intelligence
• Security: Authentication, Authorization (Object security, Data security)
• Integrating OBIEE with E-Business Suite
• Configuration Steps to Integrate OBIEE with EBS
• Configuration Steps to Enable Action Links
Oracle Business Intelligence
© 2006 Oracle Corporation – Proprietary and Confidential
[Diagram: Oracle BI Suite Enterprise Edition, a unified business intelligence infrastructure. Front-end components: Ad-hoc Analysis, Proactive Detection and Alerts, MS Office Plug-in, Reporting & Publishing, Interactive Dashboards, Disconnected Analytics, Web Services. Oracle BI Server layers: Multidimensional Calculation and Integration Engine; Intelligent Caching Services; Enterprise Business Model and Abstraction Layer; Intelligent Request Generation and Optimized Data Access Services. Data sources: OLTP & ODS systems; Data Warehouse / Data Mart; SAP, Oracle, PeopleSoft, Siebel, Custom Apps; Files, Excel, XML; Business Process.]
[Diagram: Oracle BI Applications, single- and multi-source analytic apps built on Oracle BI Suite EE Plus. Analytic applications: Sales; Service & Contact Center; Marketing; Supply Chain & Order Management; Procurement and Spend; Human Resources; Projects; Finance. Built on a DW Schema fed by Packaged ETL Maps and Universal Adapters from other data sources and operational systems.]
Oracle Business Intelligence (OBIEE) Architecture
SECURITY
Security: Different Aspects
Authentication: Who should get access?
Authorization: What data may be accessed?
Integration: Does a common security model need to apply between your OBIEE deployment and EBS implementation?
Encryption: Is sensitive data protected?
Security Classification
Security can be classified broadly into three different categories:
1. User Security (Authentication)
2. Object Security (Authorization)
3. Data Security (Authorization)
Authorization
[Diagram: authorization flow between the client, the Presentation Server, the Oracle BI Server and the authorization source (LDAP): A. Login, B. Request, C. Authenticate, D. Validate, E. Authorize, F. Groups, etc., G. Result Set, H. Formatted Results.]
AUTHENTICATION
User Security
USER SECURITY: How do I get in?
• The process by which Oracle BIEE verifies that a user has the right to log in to the application
• Verification is through user name and password; authenticated users are then given the appropriate authorization to access Oracle BI Presentation Services (OBIPS)
• OBIPS does not have its own authentication system; it relies on the authentication system built into the Oracle BI Server
User Security: login paths
1. Login via OBIEE Presentation Services
2. Login via EBS to OBIEE Presentation Services
3. Login directly to OBIEE Presentation Services where Single Sign-On has been enabled with the EBS application
Methods of Authenticating Users
1. Oracle BI EE Security Based Authentication: defines and stores user information in the metadata
2. LDAP Authentication: stores information from the LDAP server in session variables
3. External Table Authentication: maintains the list of users in an external database
4. Database Authentication: authenticates users through database logins
5. Single Sign-On (SSO): provides an open interface to enable web integration with SSO products; also used for EBS-based authentication
1. OBIEE Security Based Authentication
The easiest and most basic way to set someone up with a username and password is via the Security Manager.
Once a user is set up in this manner, their username (:USER) and password (:PASSWORD) are stored on the Oracle BI Server. If the username and password entered in the logon screen match what is stored on the Oracle BI Server, the user is granted access to the tool.
This approach should only be taken if just a few people need access to the tool. Adding an entire organization of people in this manner is tedious, time consuming, and difficult to maintain.
2. LDAP Authentication
Registering an LDAP server in OBIEE: in the Oracle BI repository, go to Manage -> Security.
Define a new LDAP server in the OBIEE Security Manager.
With help from your network security group/administrator, fill out the LDAP server information requested in the dialog.
Next, in the Advanced tab, make the necessary changes based on the kind of LDAP server you have and its configuration. For Microsoft ADSI (Active Directory Service Interface), check ADSI; for all others leave it unchecked.
Most of the time the Username attribute is generated automatically. For Microsoft ADSI it is sAMAccountName; for most other LDAP servers it is UID or CN. Check with your network security group/administrator on the username attribute for your LDAP server, and make a note of it; you will need it later.
Now we need to create an authentication initialization block. In the Administration Tool, under Manage go to Variables. Under Action, go to New -> Session -> Initialization Block.
Configure the session initialization block: give it a name and click Edit Data Source. In the pop-up window, choose LDAP from the drop-down box and then click Browse (you can also configure an LDAP server here by clicking "New"). In the browse pop-up window, choose the LDAP server you would like to use.
Next we need to create variables. USER and email are the variables most commonly used. Upon clicking "OK", a warning pops up about the use of the USER session variable ("The User session variable has a special purpose. Are you sure you want to use this name?"). Click Yes.
Next, enter the LDAP attribute for the username: sAMAccountName in the case of ADSI, as configured in the LDAP server.
• Following similar steps, create a variable for Email.
• Depending on your needs, you can bring additional variables from the LDAP server.
3. External Table Authentication
Database tables are created as part of this security model:
• OBIEE_SYS_USER
• OBIEE_SYS_GROUP
• OBIEE_SYS_USER_GROUP
Repository Configuration – System Session Variables
SELECT DISTINCT
    GROUP_CONCAT(A.USER_ID, 'DATA') DATA_SECURITY_GROUP,
    GROUP_CONCAT(A.USER_ID, 'WEB_') WEB_GROUP,
    DISPLAY_NAME,
    EMAIL_ID,
    DECODE(LOG_LEVEL, NULL, 0, LOG_LEVEL) LOG_LEVEL
FROM
    OBIEE_SYS_USER A,
    OBIEE_SYS_USER_GROUP B,
    OBIEE_SYS_GROUP C
WHERE
    A.ID = B.USER_ID AND
    B.GROUP_ID = C.GROUP_ID AND
    A.USER_ID = ':USER'
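The external-table lookup above, reproduced as an added example that is not code from the deck: it builds the three tables the deck names (OBIEE_SYS_USER, OBIEE_SYS_GROUP, OBIEE_SYS_USER_GROUP) in an in-memory SQLite database with constructed columns and sample rows, and resolves the session-variable values an initialization block would hand back for a login name. Column names other than the table names, the use of COALESCE and GROUP_CONCAT in place of the Oracle DECODE and the deck's GROUP_CONCAT helper, and all sample data are assumptions; the login name is bound as a query parameter rather than pasted into the SQL text the way ':USER' is substituted in an initialization block.

```python
"""External-table authentication lookup, simulated with sqlite3 (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE OBIEE_SYS_USER (
    ID INTEGER PRIMARY KEY,
    USER_ID TEXT UNIQUE NOT NULL,       -- login name
    DISPLAY_NAME TEXT,
    EMAIL_ID TEXT,
    LOG_LEVEL INTEGER);                 -- NULL means "use the default, 0"
CREATE TABLE OBIEE_SYS_GROUP (
    GROUP_ID INTEGER PRIMARY KEY,
    GROUP_NAME TEXT UNIQUE NOT NULL);   -- must match an RPD security group name
CREATE TABLE OBIEE_SYS_USER_GROUP (
    USER_ID INTEGER NOT NULL REFERENCES OBIEE_SYS_USER(ID),
    GROUP_ID INTEGER NOT NULL REFERENCES OBIEE_SYS_GROUP(GROUP_ID),
    PRIMARY KEY (USER_ID, GROUP_ID));
"""

# Constructed sample rows (the deck's example users Bill and Shiv).
USERS = [
    (1, "bill", "Bill Example", "bill@example.com", None),
    (2, "shiv", "Shiv Example", "shiv@example.com", 2),
]
GROUPS = [(10, "Financial Analyst"), (20, "Human Resource Analyst"), (30, "Administrators")]
MEMBERSHIPS = [(1, 10), (2, 20), (2, 30)]

# The deck's initialization-block query rewritten for SQLite: DECODE(x, NULL, 0, x)
# becomes COALESCE and the group list is built with GROUP_CONCAT. The login name is
# a bound parameter, not text substituted into the SQL.
SESSION_SQL = """
SELECT U.DISPLAY_NAME,
       U.EMAIL_ID,
       COALESCE(U.LOG_LEVEL, 0)        AS LOG_LEVEL,
       GROUP_CONCAT(G.GROUP_NAME, ';') AS GROUPS
FROM OBIEE_SYS_USER U
LEFT JOIN OBIEE_SYS_USER_GROUP UG ON UG.USER_ID = U.ID
LEFT JOIN OBIEE_SYS_GROUP G       ON G.GROUP_ID = UG.GROUP_ID
WHERE U.USER_ID = :USER
GROUP BY U.ID
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO OBIEE_SYS_USER VALUES (?, ?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO OBIEE_SYS_GROUP VALUES (?, ?)", GROUPS)
    conn.executemany("INSERT INTO OBIEE_SYS_USER_GROUP VALUES (?, ?)", MEMBERSHIPS)
    return conn


def session_variables(conn, login_name):
    """Return the session variables for a login name, or None if the user is unknown.

    No row means the initialization block has nothing to populate, which is the
    fail-closed outcome: an unknown login gets no GROUP membership at all.
    """
    row = conn.execute(SESSION_SQL, {"USER": login_name}).fetchone()
    if row is None:
        return None
    display_name, email, log_level, groups = row
    return {
        "DISPLAY_NAME": display_name,
        "EMAIL": email,
        "LOG_LEVEL": log_level,
        # GROUP_CONCAT order is not guaranteed, so normalise to a sorted list.
        "GROUP": sorted(groups.split(";")) if groups else [],
    }


if __name__ == "__main__":
    db = build_db()
    for name in ("bill", "shiv", "nobody"):
        print(name, session_variables(db, name))
```

A user row with no group memberships still yields a row (LEFT JOIN) but an empty GROUP list, so the login succeeds with no object or data privileges; a login name missing from OBIEE_SYS_USER yields nothing at all.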
4. Database Authentication
1. Create users in the repository named identically to the users in a database. Passwords are not stored in the repository.
2. Assign the permissions (including group memberships, if any) you want the users to have.
3. Example: UserC, UserN -> Users (A-M); UserSC -> Special Group
4. Specify the authentication database in the Security section of the NQSConfig.INI file.
5. Create a DSN for the database.
6. Import the database into the Physical layer. You do not need to import the physical table objects. The database name in the Physical layer has to match the database name in the NQSConfig.INI file.
7. Set up the connection pool without a shared logon.
When a user logs on to the Oracle BI Server, the server attempts to use the logon name and password to connect to the authentication database using the first connection pool associated with it. If this connection succeeds, the user is considered to be authenticated successfully.
5. Single Sign-On Authentication
In an environment where OBIEE has been integrated with EBS, users can navigate to the dashboards without having to re-enter their credentials.
AUTHORIZATION
OBJECT SECURITY
OBJECT SECURITY: What parts of the application can you see?
Authorization is defined as the process of granting or denying security privileges to users.
To optimize the maintenance of privileges, users are collectively assigned to groups and the privileges are managed for the groups.
• OBIEE authorization is managed in two areas:
– OBIEE Server Security: managed in the OBIEE Admin Tool
– OBIEE Presentation Server Security: managed in Web Admin
Groups
• BI Server/Repository Security: Groups
• Presentation Services Security: Web Groups
Bill, belonging to the 'Financial Analyst' group, has access to the 'Financials' dashboard.
Shiv, belonging to the 'Human Resource Analyst' group, has access to the 'Human Resources' dashboard.
Configuring Object Security (RPD)
Configuration steps in the RPD for a user belonging to EXP_IT_HRMS_Manager in the EBS application:
1. Open the RPD and navigate to Manage > Security.
2. Create a new security group 'EXP_IT_HRMS_Manager' and click 'OK'.
3. Scroll up to the 'Human Resource Analyst' security group. Double-click it, click 'Add', and scroll to the right to find the 'EXP_IT_HRMS_Manager' group we just created. Select this group and click 'Add'.
4. Once added, click 'OK' and save your changes. A new window will open asking you to check global consistency; click 'Yes'.
Configuring Object Security (WEB)
1. Log in to OBIEE Presentation Services > Settings > Administration > Manage Presentation Catalog Groups and Users > Create a new Catalog Group. (Note: the user needs 'Presentation Server Administrator' privileges to navigate to the above path.)
2. Create a new web group EXP_OBIEE_USER. The name of the web group should be the same as the one created in the RPD.
3. Navigate to Settings > Administration > Manage Presentation Catalog and click the Permissions icon of the Human Resources catalog folder.
4. Here you can select one of the options such as 'Read', 'No Access' or 'Full Control'. Set 'Everyone' = 'No Access' and 'EXP_OBIEE_USER' = 'Full Control'.
After these changes, all users who belong to the 'EXP_OBIEE_USER' group will have access to the 'Human Resources' dashboard.
Best Practice on Object Security (WEB)
If you create an EXP_OBIEE_SUPERUSER group with administrator (Full Control) privileges on a given dashboard, its users should not belong to any other group (responsibility) that is restricted from viewing the same dashboard. If they do, the user will not be able to view the dashboard even though they belong to 'EXP_OBIEE_SUPERUSER'.
• Grant permissions to groups only, and assign users to groups.
• Do not explicitly grant permissions to the groups "Authenticated Users" and "Everyone".
• For each Subject Area, grant "Read" permissions to the corresponding Subject Area folder within the Request folder.
• Explicitly deny access to Subject Area folders for groups that should be restricted from the subject area.
Object Security in Oracle BI Application
Oracle BI Applications aligns a user's security profile with their security profile in the source applications. The alignment is done via:
1. Creating security groups in the Oracle Business Intelligence Applications repository with the same names as existing responsibilities or groups in the source applications, or
2. Adding new Oracle Business Intelligence-specific responsibilities in the source applications, making sure their names match the object security groups in Oracle Business Intelligence Applications, and assigning OLTP users to these new groups.
DATA SECURITY
Data Security
Authorization (Data Security): What data can you see?
• Controls access to the content that appears in end-user objects, such as dashboard reports and Answers
– Configured in the OBIEE Administration Tool
• Example: a monthly sales report viewed by two different users
– The columns of the report are the same but the data is different
Data Security Design Features
• Personalized reports
– Users at different levels of the Position hierarchy can use the same Position-based reports, with each user seeing the data corresponding to his or her level. In such reports, Position is a dynamic column. For example, if a report is defined as:
• select Position, Revenue from RevenueStar
– The logical query for the user at the top level of the hierarchy will be:
• select Top Level Position, Revenue from RevenueStar
– The logical query for the user at the next level of the hierarchy will be:
• select Level@Position, Revenue from RevenueStar
Oracle BI Apps Data Security with E-Business Suite
Authorization: the Oracle BI Apps 7.9.5 release supports the following data security with EBS:
1. Operating Unit-based security against Oracle EBS
2. Company Org-based security against Oracle EBS
3. Ledger-based security against Oracle EBS
4. Business Group Org-based security against Oracle EBS
5. Primary Employee / Position Hierarchy-based security against Oracle EBS – HRMS application
The authorization process of Oracle Business Intelligence Applications:
• fetches a user's responsibilities from the source Oracle EBS application,
• matches them with all Oracle Business Intelligence Applications security groups, and
• determines the user's applicable object security during the user's session.
The initialization block Authorization is used to fetch responsibilities and assign the result set to a special session variable called GROUP.
Authorization: the initialization block SQL is:
SELECT DISTINCT
    'GROUP',
    RESPONSIBILITY_NAME
FROM
    FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY_VL
WHERE
    FND_USER.USER_ID = FND_USER_RESP_GROUPS.USER_ID AND
    FND_USER_RESP_GROUPS.RESPONSIBILITY_ID = FND_RESPONSIBILITY_VL.RESPONSIBILITY_ID AND
    FND_USER_RESP_GROUPS.RESPONSIBILITY_APPLICATION_ID = FND_RESPONSIBILITY_VL.APPLICATION_ID AND
    FND_USER_RESP_GROUPS.START_DATE < SYSDATE AND
    (CASE WHEN FND_USER_RESP_GROUPS.END_DATE IS NULL THEN SYSDATE
          ELSE TO_DATE(FND_USER_RESP_GROUPS.END_DATE) END) >= SYSDATE AND
    FND_USER.USER_ID = (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')
The SQL fetches the responsibilities of the logged-in user from the EBS source tables FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL and assigns them to the session variable 'GROUP'. Only responsibilities whose start date has passed and whose end date is empty or still in the future are returned.
Operating Unit-Based Security
1. Operating Unit-Based Security: the sequence for Operating Unit-based security with Oracle EBS is:
i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.
– USER (System variable)
ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:
– EBS_SSO_INTEGRATION_MODE
This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.
iii) The 'EBS Security Context' initialization block then populates these session variables:
– OLTP_EBS_RESP_ID
• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
– OLTP_EBS_RESP_APPL_ID
• The session variable is initialized with the responsibility application of the user's session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER from FND_USER_RESP_GROUPS. The following session variable is set automatically:
– OU_ORG (Row-wise variable)
SELECT DISTINCT 'OU_ORG',
    TO_CHAR(PER_ORGANIZATION_LIST.ORGANIZATION_ID)
FROM PER_ORGANIZATION_LIST,
    (SELECT FND_PROFILE.VALUE_SPECIFIC('XLA_MO_SECURITY_PROFILE_LEVEL', USER_ID, RESPONSIBILITY_ID,
                                       RESPONSIBILITY_APPLICATION_ID) PROFILE_ID
     FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
           FROM FND_USER_RESP_GROUPS
           WHERE START_DATE < SYSDATE
             AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
             AND USER_ID = (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')
             AND RESPONSIBILITY_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                           THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                                           ELSE RESPONSIBILITY_ID END)
             AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                                       THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                                                       ELSE RESPONSIBILITY_APPLICATION_ID END)))
WHERE PER_ORGANIZATION_LIST.SECURITY_PROFILE_ID = PROFILE_ID
UNION
SELECT DISTINCT 'OU_ORG',
    FND_PROFILE.VALUE_SPECIFIC('ORG_ID', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID) ORGANIZATION_ID
FROM
    (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
     FROM FND_USER_RESP_GROUPS
     WHERE START_DATE < SYSDATE
[the remainder of the second UNION branch is cut off in the source]
The SQL used within the initialization block 'Operating Unit Org' fetches the set of books corresponding to the logged-in user from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable OU_ORG. When EBS_SSO_INTEGRATION_MODE is 'Integrated', only the responsibility the user is currently working under in EBS (OLTP_EBS_RESP_ID / OLTP_EBS_RESP_APPL_ID) is considered; otherwise the ELSE branches match every active responsibility of the user.
Company Org-Based Security
2. Company Org-Based Data Security: the sequence for Company Org-based security against Oracle EBS is:
i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.
– USER (System variable)
ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:
– EBS_SSO_INTEGRATION_MODE
This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.
iii) The 'EBS Security Context' initialization block then populates these session variables:
– OLTP_EBS_RESP_ID
• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
– OLTP_EBS_RESP_APPL_ID
• The session variable is initialized with the responsibility application of the user's session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER and OLTP_EBS_RESP_ID from FND_USER_RESP_GROUPS. The following session variable is set automatically:
– COMPANY (Row-wise variable)
SELECT DISTINCT 'COMPANY',
    FND_PROFILE.VALUE_SPECIFIC('GL_SET_OF_BKS_ID', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID)
FROM
    (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
     FROM FND_USER_RESP_GROUPS
     WHERE START_DATE < SYSDATE
       AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
       AND USER_ID IN (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')
       AND RESPONSIBILITY_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                     THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                                     ELSE RESPONSIBILITY_ID END)
       AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                                 THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                                                 ELSE RESPONSIBILITY_APPLICATION_ID END))
The SQL used within the initialization block 'Companies' fetches the set of books corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable COMPANY.
Ledger-based Security
3. Ledger-based Security: Ledger-based security against Oracle EBS was introduced in version 7.9.4. It replaces Company-based security to support the EBS GL set of books security model in E-Business Suite release 11i and the EBS Data Access Set model in E-Business Suite release 12.
In Oracle EBS Release 11i, a set of books is essentially a reporting entity that defines the reporting context, including a chart of accounts, a functional currency, and an accounting calendar. A set of books can be assigned to a user, a responsibility, or to the site as the default for all responsibilities. Each user is associated with a single set of books when they log on to the application under a given responsibility in Oracle Applications. Ledger-based security filters data based on the set of books associated with the logged-in user.
In Oracle EBS Release 12, the set of books is replaced by the ledger. A ledger determines the currency, chart of accounts, accounting calendar, ledger processing options and subledger accounting method.
• The data access set assigned to the user's responsibility controls which ledgers the user can access.
• A user may be able to access multiple ledgers from a responsibility.
• Ledger-based security filters data based on the ledgers associated with the logged-in user.
Source-Specific Steps for Oracle EBS
i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.
– USER (System variable)
ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:
– EBS_SSO_INTEGRATION_MODE
This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.
iii) The 'EBS Security Context' initialization block then populates these session variables:
– OLTP_EBS_RESP_ID
• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
– OLTP_EBS_RESP_APPL_ID
• The session variable is initialized with the responsibility application of the user's session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
iv) Another initialization block, "Ledgers", gets the ledgers (essentially the set of books in EBS) corresponding to the USER, OLTP_EBS_RESP_ID and OLTP_EBS_RESP_APPL_ID via the table FND_USER_RESP_GROUPS and the procedure FND_PROFILE, and sets a row-wise variable:
– LEDGER (Row-wise variable)
SELECT DISTINCT 'LEDGER',
    TO_CHAR(GAL.LEDGER_ID)
FROM GL_ACCESS_SET_LEDGERS GAL,
    (SELECT FND_PROFILE.VALUE_SPECIFIC('GL_ACCESS_SET_ID', USER_ID, RESPONSIBILITY_ID,
                                       RESPONSIBILITY_APPLICATION_ID) PROFILE_VALUE
     FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
           FROM FND_USER_RESP_GROUPS
           WHERE START_DATE < SYSDATE
             AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
             AND USER_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                                 THEN VALUEOF(NQ_SESSION.OLTP_EBS_USER_ID)
                                 ELSE (SELECT USER_ID FROM FND_USER WHERE USER_NAME = 'OPERATIONS') END)
             AND RESPONSIBILITY_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                                           THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                                           ELSE RESPONSIBILITY_ID END)
             AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                                                       THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                                                       ELSE RESPONSIBILITY_APPLICATION_ID END)))
WHERE GAL.ACCESS_SET_ID = PROFILE_VALUE
The SQL used within the initialization block 'Ledger' fetches the set of books or ledgers corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table GL_ACCESS_SET_LEDGERS and assigns it to the server variable LEDGER. Note that in its ELSE branch (EBS_SSO_INTEGRATION_MODE not 'Integrated') this SQL resolves USER_ID from the fixed EBS user name 'OPERATIONS', whereas the other initialization blocks shown here resolve it from ':USER'.
Business Group Org-based Security
4. Business Group Org-Based Data Security
A Business Group is the highest level in the organization structure and is usually used to represent the entire enterprise or a major division. A business group can have several sets of books.
The sequence for Business Group Org-based security against Oracle EBS is:
i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.
– USER (System variable)
ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:
– EBS_SSO_INTEGRATION_MODE
This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.
iii) The 'EBS Security Context' initialization block then populates these session variables:
– OLTP_EBS_RESP_ID
• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
– OLTP_EBS_RESP_APPL_ID
• The session variable is initialized with the responsibility application of the user's session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.
iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER and OLTP_EBS_RESP_ID from FND_USER_RESP_GROUPS. The following session variable is set automatically:
– BUSINESS_GROUP (Row-wise variable)
SELECT DISTINCT 'BUSINESS_GROUP',
    TO_CHAR(FND_PROFILE.VALUE_SPECIFIC('PER_BUSINESS_GROUP_ID', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID))
FROM
    (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
     FROM FND_USER_RESP_GROUPS
     WHERE START_DATE < SYSDATE
       AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
       AND USER_ID = (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')
       AND RESPONSIBILITY_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                     THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                                     ELSE RESPONSIBILITY_ID END)
       AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                                                 THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                                                 ELSE RESPONSIBILITY_APPLICATION_ID END))
The SQL used within the initialization block 'Business Groups' fetches the set of books corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable BUSINESS_GROUP.
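The two EBS-side patterns described in this section, the Authorization initialization block (active responsibilities matched to security groups, giving GROUP) and the org-context blocks that all share one shape (OU_ORG, COMPANY, LEDGER, BUSINESS_GROUP: profile value per responsibility, with the responsibility chosen by EBS_SSO_INTEGRATION_MODE), as one added example that is not code from the deck or from Oracle. It rebuilds a minimal FND_USER, FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL schema in SQLite and adds a constructed RESP_PROFILE table standing in for FND_PROFILE.VALUE_SPECIFIC; all user names, ids, responsibility names, dates and profile values are constructed, and SYSDATE is passed in as an ISO date string.

```python
"""EBS responsibilities -> OBIEE session variables, simulated with sqlite3 (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE FND_USER (USER_ID INTEGER PRIMARY KEY, USER_NAME TEXT UNIQUE NOT NULL);
CREATE TABLE FND_RESPONSIBILITY_VL (
    RESPONSIBILITY_ID INTEGER, APPLICATION_ID INTEGER, RESPONSIBILITY_NAME TEXT,
    PRIMARY KEY (RESPONSIBILITY_ID, APPLICATION_ID));
CREATE TABLE FND_USER_RESP_GROUPS (
    USER_ID INTEGER, RESPONSIBILITY_ID INTEGER, RESPONSIBILITY_APPLICATION_ID INTEGER,
    START_DATE TEXT NOT NULL, END_DATE TEXT);       -- ISO dates; NULL END_DATE = open-ended
CREATE TABLE RESP_PROFILE (                         -- constructed stand-in for FND_PROFILE.VALUE_SPECIFIC
    PROFILE_NAME TEXT, RESPONSIBILITY_ID INTEGER, RESPONSIBILITY_APPLICATION_ID INTEGER,
    PROFILE_VALUE TEXT);
"""

# Constructed sample data: one user with three responsibilities, one of them expired.
FND_USER = [(1001, "jsmith")]
FND_RESPONSIBILITY_VL = [
    (100, 800, "EXP_IT_HRMS_Manager"),
    (200, 101, "General Ledger Super User"),
    (300, 660, "Financial Analyst"),
]
FND_USER_RESP_GROUPS = [
    (1001, 100, 800, "2019-01-01", None),
    (1001, 200, 101, "2019-01-01", None),
    (1001, 300, 660, "2019-01-01", "2020-01-01"),   # ended: must grant nothing today
]
RESP_PROFILE = [
    ("ORG_ID", 100, 800, "204"),
    ("ORG_ID", 200, 101, "458"),
    ("ORG_ID", 300, 660, "999"),
]
# Security groups defined in the RPD (constructed); names must match responsibilities.
RPD_GROUPS = {"EXP_IT_HRMS_Manager", "General Ledger Super User", "Financial Analyst"}

# Same validity predicate as the deck's SQL: START_DATE < SYSDATE and
# (END_DATE IS NULL ? SYSDATE : END_DATE) >= SYSDATE, with SYSDATE bound as a parameter.
ACTIVE_RESP_SQL = """
SELECT G.RESPONSIBILITY_ID, G.RESPONSIBILITY_APPLICATION_ID, R.RESPONSIBILITY_NAME
FROM FND_USER U
JOIN FND_USER_RESP_GROUPS G ON G.USER_ID = U.USER_ID
JOIN FND_RESPONSIBILITY_VL R ON R.RESPONSIBILITY_ID = G.RESPONSIBILITY_ID
                            AND R.APPLICATION_ID = G.RESPONSIBILITY_APPLICATION_ID
WHERE U.USER_NAME = :USER
  AND G.START_DATE < :SYSDATE
  AND COALESCE(G.END_DATE, :SYSDATE) >= :SYSDATE
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?)", FND_USER)
    conn.executemany("INSERT INTO FND_RESPONSIBILITY_VL VALUES (?, ?, ?)", FND_RESPONSIBILITY_VL)
    conn.executemany("INSERT INTO FND_USER_RESP_GROUPS VALUES (?, ?, ?, ?, ?)", FND_USER_RESP_GROUPS)
    conn.executemany("INSERT INTO RESP_PROFILE VALUES (?, ?, ?, ?)", RESP_PROFILE)
    return conn


def active_responsibilities(conn, user, sysdate):
    """(resp_id, app_id, name) for every responsibility of the user valid on sysdate."""
    return conn.execute(ACTIVE_RESP_SQL, {"USER": user, "SYSDATE": sysdate}).fetchall()


def group_variable(conn, user, sysdate, rpd_groups=RPD_GROUPS):
    """Authorization block: responsibility names that have an RPD security group of the same name."""
    names = {name for _, _, name in active_responsibilities(conn, user, sysdate)}
    return sorted(names & rpd_groups)


def org_variable(conn, user, sysdate, profile_name, sso_mode, resp_id=None, app_id=None):
    """Org-context block: profile values (e.g. ORG_ID) for the responsibilities in scope.

    'Integrated': only the responsibility the user is working under in EBS
    (OLTP_EBS_RESP_ID / OLTP_EBS_RESP_APPL_ID) counts, and only if it is still active.
    Anything else: every active responsibility counts, so the user sees the union.
    """
    resps = [(r, a) for r, a, _ in active_responsibilities(conn, user, sysdate)]
    if sso_mode == "Integrated":
        resps = [(r, a) for r, a in resps if (r, a) == (resp_id, app_id)]
    values = set()
    for r, a in resps:
        row = conn.execute(
            "SELECT PROFILE_VALUE FROM RESP_PROFILE WHERE PROFILE_NAME = ? "
            "AND RESPONSIBILITY_ID = ? AND RESPONSIBILITY_APPLICATION_ID = ?",
            (profile_name, r, a)).fetchone()
        if row is not None and row[0] is not None:
            values.add(row[0])
    return sorted(values)


if __name__ == "__main__":
    db = build_db()
    print("GROUP      ", group_variable(db, "jsmith", "2024-06-01"))
    print("not integr.", org_variable(db, "jsmith", "2024-06-01", "ORG_ID", "Not Integrated"))
    print("integrated ", org_variable(db, "jsmith", "2024-06-01", "ORG_ID", "Integrated", 100, 800))
```

Two outcomes are worth checking in a real deployment with the same approach: an ended responsibility drops out of GROUP and of every org list once SYSDATE passes its END_DATE, and in 'Integrated' mode an OLTP_EBS_RESP_ID that is not an active responsibility of the user yields an empty org list, so the row-wise filter admits no rows rather than falling back to the union.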
Primary Employee/Position Hierarchy-based Security
5. Primary Employee/Position Hierarchy-based Security: Employee-based security restricts the visibility of records to the owner of the record and to all employees he or she reports to in the company's employee hierarchy.
This security mechanism uses data from the data warehouse database and shares its metadata components with the other supported applications (Siebel CRM and PeopleSoft).
Out of the box, this type of security supports only HR Analytics facts.
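The visibility rule just stated, as an added example that is not code from the deck: a record is visible to its owner and to everyone the owner reports to, directly or indirectly, which is equivalent to a viewer seeing the records owned by anyone in his or her downline. The reporting chain, the employee names and the fact rows are constructed; the owner set the function computes is the kind of value a row-wise session variable would carry before the BI Server applies it as a filter.

```python
"""Employee-hierarchy data visibility, simulated in Python (added example)."""

# Constructed reports-to map: employee -> manager (None at the top of the hierarchy).
REPORTS_TO = {
    "ceo": None,
    "vp_sales": "ceo",
    "vp_hr": "ceo",
    "rep_a": "vp_sales",
    "rep_b": "vp_sales",
    "hr_1": "vp_hr",
}

# Constructed HR-style fact rows, each owned by one employee.
FACTS = [
    {"id": 1, "owner": "rep_a", "amount": 100},
    {"id": 2, "owner": "rep_b", "amount": 250},
    {"id": 3, "owner": "hr_1", "amount": 40},
    {"id": 4, "owner": "vp_sales", "amount": 900},
    {"id": 5, "owner": "ceo", "amount": 5000},
]


def management_chain(employee, reports_to=REPORTS_TO):
    """Employee followed by every manager above them; raises on unknown employees or cycles."""
    chain = []
    current = employee
    while current is not None:
        if current not in reports_to:
            raise KeyError(f"unknown employee: {current}")
        if current in chain:
            raise ValueError(f"cycle in reporting hierarchy at {current}")
        chain.append(current)
        current = reports_to[current]
    return chain


def visible_owners(viewer, reports_to=REPORTS_TO):
    """Owners whose records the viewer may see: the viewer plus their whole downline.

    A record owned by X is visible to everyone in X's management chain, so the
    viewer sees X's records exactly when the viewer appears in that chain.
    Unknown viewers get nothing (fail closed).
    """
    if viewer not in reports_to:
        return []
    return sorted(e for e in reports_to if viewer in management_chain(e, reports_to))


def visible_facts(viewer, facts=FACTS, reports_to=REPORTS_TO):
    """Apply the security filter (owner IN visible set) to the fact rows."""
    allowed = set(visible_owners(viewer, reports_to))
    return [row for row in facts if row["owner"] in allowed]


if __name__ == "__main__":
    for who in ("rep_a", "vp_sales", "ceo", "outsider"):
        print(who, [r["id"] for r in visible_facts(who)])
```

The cycle check matters because a corrupted hierarchy (an employee who indirectly reports to themselves) would otherwise loop forever inside the filter instead of failing visibly.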
INTEGRATING OBIEE WITH E-BUSINESS SUITE
Integrating OBIEE with E-Business Suite
Integration Aspects
1. Single Sign-On / Authentication
2. Application Data Security
3. Drill to Transactions/Action Links
Authorization Via A Portal (i.e. Oracle EBS)
[Diagram: authorization flow when the user enters through a portal. Components: Portal, Presentation Server, Oracle BI Server, authorization source (LDAP). Steps: A. Login, B. Authenticate, C. Validate, D. Handshake, E. Request, F. Authorize, G. Groups, etc., H. Result Set, I. Formatted Results.]
Single Sign-On Integration
• Single Sign-On / Authentication is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.
If the user is already logged in to the Single Sign-On server and then tries to access Oracle BI:
• The user is redirected to the Single Sign-On server but is not challenged for credentials.
• The SSO session cookie is used to validate the user's identity.
• The server passes an authentication token to Oracle BI.
• BI Presentation Services then uses the BI Server impersonation feature to create a connection to the BI Server on behalf of the authenticated end user.
• Additional authorization for the user takes place in the BI repository, which determines, for example, the security groups associated with the user.
• This in turn determines the subject area access, presentation catalog access and data visibility that must be applied for the user.
When a web user tries to access Oracle BI with Oracle SSO enabled, the user is redirected to the Single Sign-On server and is challenged for credentials via a JSP login page.
After verifying the credentials in Oracle Internet Directory, the server sets an SSO session cookie and passes an authentication token to Oracle BI.
Drill to Transactions/Action Links
• Action Links: seamless navigation from analytical information to transactional detail while maintaining context within Oracle EBS
Further Reading
• Technical Note 682: Implementing Security for Oracle’s PeopleSoft Enterprise Applications in Oracle Business Intelligence Applications 7.9.3
• Technical Note 683: Implementing Data Security for Oracle E-Business Suite 11i in Oracle Business Intelligence Applications 7.9.3
• Technical Note 685: Position-Based Visibility and Team-Based Visibility Implementations in Oracle Business Intelligence Applications 7.9.3
Next Steps with KPI Partners
• Come visit us at Oracle Open World
• Training
• One- or Two-Day Health Check / Oracle BI Readiness Assessment
• Quick Start Offerings
• Hands-On Business User and Technical Workshops
CONTACT INFORMATION
• Sid Goel, Partner & BI Architect; email: [email protected]; (650) 388-6657
• Kusal Swarnakar, Partner; email: [email protected]; (925) 984-1371
• Keith Weisz, Director, Business Development, Mid-West Region; email: [email protected]; (816) 304-1005
• Jaime Seagraves, Director, Business Development, NorthEast; email: [email protected]
• Norman Dy, Director, Business Development, California and Pacific North West; email: [email protected]; (619) 245-5090