KPI Partners Confidential Oracle BI Application Security

Oracle BI Application Security...Oracle BI EE Security Based Authentication The easiest and most basic way to set someone up with a Username and Password is via the Security Manager.

Mar 08, 2020


dariahiddleston
Transcript
Page 1

Oracle BI Application Security

Page 2

Agenda

Oracle Business Intelligence

Security

- Authentication

- Authorization

• Object security

• Data Security

Integrating OBIEE with E-Business Suite

Configuration Steps to Integrate OBIEE with EBS

Configuration Steps to Enable Action Links

Page 3

Oracle Business Intelligence

Page 4

© 2006 Oracle Corporation – Proprietary and Confidential

Oracle BI Suite Enterprise Edition: Unified Business Intelligence Infrastructure

[Architecture diagram. Labels: Ad-hoc Analysis; Proactive Detection and Alerts; MS Office Plug-in; Reporting & Publishing; Interactive Dashboards; Disconnected Analytics; Web Services. Oracle BI Server: Multidimensional Calculation and Integration Engine; Intelligent Caching Services; Enterprise Business Model and Abstraction Layer; Intelligent Request Generation and Optimized Data Access Services. Data sources: OLTP & ODS Systems; Data Warehouse, Data Mart; SAP, Oracle, PeopleSoft, Siebel, Custom Apps; Files, Excel, XML; Business Process.]

Page 5

Oracle BI Applications: Single- and multi-source Analytic Apps Built on BI Suite EE

[Diagram. Oracle BI Suite EE Plus: Ad-hoc Analysis; Proactive Detection and Alerts; MS Office Plug-in; Reporting & Publishing; Interactive Dashboards; Disconnected Analytics; Web Services. Oracle BI Applications: Sales; Service & Contact Center; Marketing; Supply Chain & Order Management; Procurement and Spend; Human Resources; Projects; Finance. Also labelled: Packaged ETL Maps; Universal Adapters; Other Data Sources & Operational Systems; DW Schema.]

Page 6

Oracle Business Intelligence (OBIEE) Architecture


Page 7

SECURITY

Page 8

Security: Different Aspects

Authentication: Who should get access?

Authorization: What data may be accessed?

Integration: Does a common security model need to apply between your OBIEE deployment and EBS implementation?

Encryption: Is sensitive data protected?

Page 9

Security Classification

Security can be classified broadly into three different categories:

1. User Security (Authentication)

2. Object Security (Authorization)

3. Data Security (Authorization)

Page 10

Authorization

[Diagram: request flow between the Presentation Server, the Oracle BI Server and the Authorization Source (LDAP). Steps: A. Login; B. Request; C. Authenticate; D. Validate; E. Authorize; F. Groups, etc.; G. Result Set; H. Formatted Results.]

Page 11

AUTHENTICATION

Page 12

User Security

USER SECURITY: How do I get in?

• Process by which Oracle BIEE verifies that a user has the right to log in to the application

– Verification through user name and password

– Authenticated users are then given appropriate authorization to access Oracle BI Presentation Services (OBIPS)

• OBIPS does not have its own authentication system; it relies on the authentication system built into the Oracle BI Server

Page 13

User Security

1. Login via OBIEE Presentation Services

2. Login via EBS to OBIEE Presentation Services

Page 14

User Security

3. Login directly to OBIEE Presentation Services where Single Sign-On has been enabled with EBS Application

Page 15

Methods of Authenticating Users

Methods of authenticating users

1. Oracle BI EE Security Based Authentication: Defines and stores user information in the metadata

2. LDAP Authentication: Stores information from the LDAP server in session variables

3. External Table Authentication: Maintains list of users in an external database

4. Database Authentication: Authenticates users through database logins

5. Single Sign-On (SSO): Provides an open interface to enable web integration with SSO products. Also used for EBS-based authentication.

Page 16

1. OBIEE Security Based Authentication

Oracle BI EE Security Based Authentication

The easiest and most basic way to set someone up with a Username and Password is via the Security Manager.

Once a user is set up in this manner, their Username (:USER) and Password (:PASSWORD) are stored on the Oracle BI Server. If the Username and Password entered in the Logon Screen match what’s stored on the Oracle BI Server, they are granted access to the tool.

This approach should only be taken if just a few people need access to the tool. Adding an entire organization of people in this manner is tedious, time consuming, and difficult to maintain.

Page 17

1. OBIEE Security Based Authentication

Oracle BI EE Security Based Authentication

Page 18

2. LDAP Authentication

Registering an LDAP server in OBIEE

In the Oracle BI repository, go to Manage > Security.

Page 19

2. LDAP Authentication

Define a new LDAP server in OBIEE Security Manager

Page 20

2. LDAP Authentication

With help from your network security group/administrator, fill out the following information.

Page 21

2. LDAP Authentication

Next in the Advanced tab, based on the kind of LDAP server you have and its configuration, make the necessary changes.

For Microsoft ADSI (Active Directory Service Interface), choose ADSI; for all others, leave it unchecked.

Most of the time, the username attribute is generated automatically. For Microsoft ADSI it is sAMAccountName; for most other LDAP servers it is UID or CN.

Check with your network security group/administrator what the username attribute is for your LDAP server.

Make a note of the username attribute; you will need it later.

Page 22

2. LDAP Authentication

Page 23

2. LDAP Authentication

Now we need to create an Authentication initialization block. In the Administration Tool, under Manage, go to Variables.

Under Action, go to New -> Session -> Initialization Block

Page 24

2. LDAP Authentication

Configure the session initialization block.

Give it a name and click on Edit Data Source.

In the pop-up window, choose LDAP from the drop-down box and then click on Browse. You can also configure an LDAP server here by clicking on “New”.

In the browse pop up window choose the LDAP server you would like to use.

Page 25

2. LDAP Authentication

Next we need to create variables. User and email are the common variables normally utilized.

Upon clicking ‘OK’, a warning pops up about the use of the User session variable: “The User session variable has a special purpose. Are you sure you want to use this name?” Click Yes.

Next, enter the LDAP variable for the username: sAMAccountName in the case of ADSI, as configured in the LDAP server.

Page 26

2. LDAP Authentication

• Next, following similar steps, create a variable for Email.

• Depending on your needs, you can bring additional variables from the LDAP server.

Page 27

3. External Table Authentication

External Table Authentication

Database tables are created as part of this security model

OBIEE_SYS_USER

Page 28

3. External Table Authentication

OBIEE_SYS_GROUP

OBIEE_SYS_USER_GROUP

Page 29

3. External Table Authentication

Repository Configuration – System Session Variables

-- :USER is the user name entered at login
SELECT DISTINCT
    GROUP_CONCAT(A.USER_ID, 'DATA') DATA_SECURITY_GROUP,
    GROUP_CONCAT(A.USER_ID, 'WEB_') WEB_GROUP,
    DISPLAY_NAME,
    EMAIL_ID,
    DECODE(LOG_LEVEL, NULL, 0, LOG_LEVEL) LOG_LEVEL
FROM
    OBIEE_SYS_USER A,
    OBIEE_SYS_USER_GROUP B,
    OBIEE_SYS_GROUP C
WHERE
    A.ID = B.USER_ID AND
    B.GROUP_ID = C.GROUP_ID AND
    A.USER_ID = ':USER'

Page 30

4. Database Authentication

Database Authentication

1. Create users in the repository named identically to the users in a database. Passwords are not stored in the repository.

Page 31

4. Database Authentication

2. Assign the permissions (including group memberships, if any) you want the users to have.

3. UserC, UserN -> Users (A-M)

UserSC -> Special Group

Page 32

4. Database Authentication

4. Specify the authentication database in the Security section of the NQSConfig.INI file

Page 33

4. Database Authentication

5. Create a DSN for the database.

6. Import the database into the Physical layer. You do not need to import the physical table objects. The database name in the Physical layer has to match the database name in the NQSConfig.INI file

7. Set up the connection pool without a shared logon.

When a user logs on to the Oracle BI Server, the server attempts to use the logon name and password to connect to the authentication database using the first connection pool associated with it.

If this connection succeeds, the user is considered to be authenticated successfully.

Page 34

5. Single Sign-On Authentication

Single Sign-On Authentication

In an environment where OBIEE has been integrated with EBS, we will be able to navigate to the dashboards without having to re-enter the user credentials.

Page 35

AUTHORIZATION

Page 36

OBJECT SECURITY

OBJECT SECURITY: What parts of the application can you see?

Authorization is defined as the process of granting or denying security privileges to users.

To optimize the maintenance of privileges, users are collectively assigned to groups and the privileges are themselves managed for the various groups.

• OBIEE Authorization is managed in two areas

– OBIEE Server Security: Managed in OBIEE Admin Tool

– OBIEE Presentation Server Security: Managed in Web Admin

Page 37

Groups

BI Server/Repository Security

Groups

Presentation Services Security

Web Groups

Page 38

Groups

Page 39

Groups

Bill belonging to the ‘Financial Analyst’ group has access to the ‘Financials’ Dashboard.

Page 40

Groups

Shiv belonging to the ‘Human Resource -Analyst’ Group has access to the ‘Human Resources’ dashboard.

Page 41

Configuring Object Security(RPD)

Configuration steps in the RPD for a user belonging to EXP_IT_HRMS_Manager in EBS Application

Open the RPD and Navigate to Manage > Security

Page 42

Configuring Object Security(RPD)

Create a New security group 'EXP_IT_HRMS_Manager' and click 'ok'.

Page 43

Configuring Object Security(RPD)

Page 44

Configuring Object Security(RPD)

Scroll up to the 'Human Resource Analyst' security group. Double-click it, then click on 'ADD' and scroll to the right to find the 'EXP_IT_HRMS_Manager' group we just created. Select this group and click on Add.

Page 45

Configuring Object Security(RPD)

Once added, click on ‘OK’ and save your changes. A new window will open asking you to 'check global consistency'; click on ‘YES’.

Page 46

Configuring Object Security(WEB)

Log in to OBIEE Presentation Services and go to Settings > Administration > Manage Presentation Catalog Groups and Users > Create a new Catalog Group. (Note: The user should have ‘Presentation Server Administrator’ privileges to navigate to the above path.)

Create a new web group EXP_OBIEE_USER. The name of the web group should be the same as the one created in the RPD.

Page 47

Configuring Object Security(WEB)

Navigate to Settings>Administration>Manage Presentation Catalog > Click on the Permissions icon of Human Resources Catalog.

Page 48

Configuring Object Security(WEB)

This is where you can select one of the options like ‘Read’, ‘No Access’, ‘Full Control’.

Set ‘Everyone’ = ‘No Access’

Set ‘EXP_OBIEE_USER’ = ‘Full Control’

After these changes, all the users who belong to the ‘EXP_OBIEE_USER’ group will have access to the ‘Human Resources’ Dashboard.

Page 49

Best Practice on Object Security(WEB)

If we would like to create an EXP_OBIEE_SUPERUSER group that has administrator (Full Control) privileges on any given Dashboard, a user in this group should not belong to any other group (responsibility) that is restricted from viewing the same Dashboard. If that happens, the user will not be able to view the Dashboard even though he belongs to ‘EXP_OBIEE_SUPERUSER’.

Grant Permissions to Groups Only and assign users to groups

Do not explicitly grant permissions to the groups “Authenticated Users” and “Everyone”

For each Subject Area grant “Read” permissions to the corresponding Subject Area folder within the Request folder

Explicitly deny access to Subject Area Folders for groups that should be restricted from the subject area
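The precedence trap described on this slide, as an added example (not code from the original deck, and a simplified model rather than Oracle's own resolution logic): an explicit ‘No Access’ on any of a user's groups cancels a grant from another group, and ‘Everyone’ applies only when no group-specific entry matches. The memberships, the ACL, the user names and the group EXP_OBIEE_RESTRICTED are constructed or hypothetical.

```python
# Permission names as they appear on the slides.
NO_ACCESS = "No Access"
GRANTS = {"Read": 1, "Full Control": 2}  # higher number = broader grant

# Constructed sample data. EXP_OBIEE_RESTRICTED and the user names are hypothetical.
MEMBERSHIPS = {
    "shiv": {"EXP_OBIEE_USER"},
    "bill": {"EXP_OBIEE_RESTRICTED"},
    "admin1": {"EXP_OBIEE_SUPERUSER"},
    "admin2": {"EXP_OBIEE_SUPERUSER", "EXP_OBIEE_RESTRICTED"},
    "guest": set(),
}
CATALOG_ACL = {
    "Human Resources": {
        "Everyone": NO_ACCESS,
        "EXP_OBIEE_USER": "Full Control",
        "EXP_OBIEE_SUPERUSER": "Full Control",
        "EXP_OBIEE_RESTRICTED": NO_ACCESS,
    },
    "Financials": {
        "Everyone": NO_ACCESS,
        "EXP_OBIEE_SUPERUSER": "Full Control",
        "EXP_OBIEE_RESTRICTED": "Read",
    },
}


def effective_permission(groups, acl):
    """Resolve one user's permission on one catalog object (simplified model)."""
    explicit = [acl[g] for g in groups if g in acl]
    if not explicit:
        # No group-specific entry: fall back to 'Everyone'.
        # Assumption: an object with no 'Everyone' entry is treated as denied.
        return acl.get("Everyone", NO_ACCESS)
    if NO_ACCESS in explicit:
        # A single explicit deny wins over any grant from another group.
        return NO_ACCESS
    return max(explicit, key=GRANTS.__getitem__)


def masked_grants(memberships, catalog_acl):
    """List (user, object, granting groups, denying groups) where a deny cancels a grant."""
    findings = []
    for user in sorted(memberships):
        for obj in sorted(catalog_acl):
            acl = catalog_acl[obj]
            mine = [g for g in memberships[user] if g in acl]
            granting = sorted(g for g in mine if acl[g] in GRANTS)
            denying = sorted(g for g in mine if acl[g] == NO_ACCESS)
            if granting and denying:
                findings.append((user, obj, granting, denying))
    return findings


if __name__ == "__main__":
    for user, obj, granting, denying in masked_grants(MEMBERSHIPS, CATALOG_ACL):
        print(f"{user}: grant on '{obj}' via {granting} is cancelled by {denying}")
```

Running the audit against an export of real group memberships and catalog permissions shows which superusers need to be removed from a restricted group before the Full Control grant takes effect.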

Page 50

Object Security in Oracle BI Application

Oracle BI Applications aligns a user’s security profile with their security profiles in the source applications. The alignment is done via:

1. Creating Security groups in the Oracle Business Intelligence application repository with the same names as some existing Responsibilities or groups in the source applications.

Or

2. Adding new Oracle Business Intelligence specific Responsibilities in the source applications, making sure their names match the object security groups in Oracle Business Intelligence Applications, and assigning OLTP users to these new groups.

Page 51

DATA SECURITY

Page 52

Data Security

Authorization (Data Security): What data can you see?

Controls access to content that appears in end-user objects, such as Dashboard reports and Answers

– Configured in OBIEE Administration Tool

• Example: Monthly sales report viewed by two different users

– Columns for the reports are the same but the data is different

Page 53

Data Security

Data Security Design Features

• Personalized reports

– Users at different levels of the Position hierarchy can use the same Position-based reports but with each user seeing the data corresponding to his or her level. In such reports, Position is a dynamic column. For example, if a report is defined as:

• select Position, Revenue from RevenueStar

– The logical query for the user at the top level of the hierarchy will be:

• select Top Level Position, Revenue from RevenueStar

– The logical query for the user at the next level of the hierarchy will be:

• select Level@Position, Revenue from RevenueStar

Page 54

Oracle BI Apps Data Security with E-Business Suite

Authorization

The Oracle BI Apps 7.9.5 release supports the following data security with EBS.

1. Operating Unit-Based security against Oracle EBS

2. Company Org-based security against Oracle EBS

3. Ledger-based security against Oracle EBS

4. Business Group Org-based Security against Oracle EBS

5. Primary Employee / Position Hierarchy-based Security against Oracle EBS – HRMS application

Page 55

Oracle BI Apps Data Security with E-Business Suite

Authorization

The authorization process of Oracle Business Intelligence Applications:

• fetches a user's responsibilities from source Oracle EBS applications,

• matches them with all Oracle Business Intelligence Applications security groups, and

• determines the user's applicable object security during a user's session.

The initialization block Authorization is used to fetch responsibilities and assign the result set to a special session variable called GROUP.

Page 56

Oracle BI Apps Data Security with E-Business Suite

Page 57

Oracle BI Apps Data Security with E-Business Suite

Authorization

The initialization block SQL is:

SELECT DISTINCT
    'GROUP',
    RESPONSIBILITY_NAME
FROM
    FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY_VL
WHERE
    FND_USER.user_id = FND_USER_RESP_GROUPS.user_id AND
    FND_USER_RESP_GROUPS.RESPONSIBILITY_ID = FND_RESPONSIBILITY_VL.RESPONSIBILITY_ID AND
    FND_USER_RESP_GROUPS.RESPONSIBILITY_APPLICATION_ID = FND_RESPONSIBILITY_VL.APPLICATION_ID AND
    FND_USER_RESP_GROUPS.START_DATE < SYSDATE AND
    (CASE WHEN FND_USER_RESP_GROUPS.END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(FND_USER_RESP_GROUPS.end_Date) END) >= SYSDATE AND
    FND_USER.user_id = (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')

The SQL fetches the responsibilities of the logged-in user from EBS source tables such as FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL and assigns them to a variable called ‘GROUP’.
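The fetch-and-match flow from the last three slides, as an added example that is not part of the original deck: it runs the same date-window join against stand-ins for FND_USER, FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL in an in-memory SQLite database, then separates the responsibilities that match a repository security group from those that do not. Assumptions: all rows are constructed, 'HR Self Service' is a hypothetical responsibility, the `as_of` parameter stands in for SYSDATE, and bound parameters stand in for ':USER'.

```python
import sqlite3

# Table and column names follow the slide's SQL; every row below is constructed.
SCHEMA = """
CREATE TABLE FND_USER (USER_ID INTEGER, USER_NAME TEXT);
CREATE TABLE FND_RESPONSIBILITY_VL (
    RESPONSIBILITY_ID INTEGER, APPLICATION_ID INTEGER, RESPONSIBILITY_NAME TEXT);
CREATE TABLE FND_USER_RESP_GROUPS (
    USER_ID INTEGER, RESPONSIBILITY_ID INTEGER,
    RESPONSIBILITY_APPLICATION_ID INTEGER, START_DATE TEXT, END_DATE TEXT);
"""
USERS = [(1, "SHIV"), (2, "BILL")]
RESPONSIBILITIES = [
    (100, 800, "EXP_IT_HRMS_Manager"),
    (101, 800, "HR Self Service"),  # hypothetical; no repository group has this name
    (102, 101, "Financial Analyst"),
    (103, 800, "EXP_OBIEE_SUPERUSER"),
]
ASSIGNMENTS = [
    (1, 100, 800, "2019-01-01", None),          # active, open-ended
    (1, 101, 800, "2019-06-01", "2020-12-31"),  # active, end date in the future
    (1, 103, 800, "2018-01-01", "2019-12-31"),  # expired
    (1, 102, 101, "2021-01-01", None),          # not started yet
    (2, 102, 101, "2019-01-01", None),
]
REPOSITORY_GROUPS = {"EXP_IT_HRMS_Manager", "Financial Analyst", "EXP_OBIEE_SUPERUSER"}

# Same joins and date window as the slide; :as_of replaces SYSDATE so the
# result is reproducible, and ISO date strings compare correctly as text.
INIT_BLOCK_SQL = """
SELECT DISTINCT 'GROUP', r.RESPONSIBILITY_NAME
FROM FND_USER u, FND_USER_RESP_GROUPS g, FND_RESPONSIBILITY_VL r
WHERE u.USER_ID = g.USER_ID
  AND g.RESPONSIBILITY_ID = r.RESPONSIBILITY_ID
  AND g.RESPONSIBILITY_APPLICATION_ID = r.APPLICATION_ID
  AND g.START_DATE < :as_of
  AND (CASE WHEN g.END_DATE IS NULL THEN :as_of ELSE g.END_DATE END) >= :as_of
  AND u.USER_NAME = :user
ORDER BY r.RESPONSIBILITY_NAME
"""


def build_db():
    """Create the in-memory stand-in for the EBS tables and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO FND_RESPONSIBILITY_VL VALUES (?, ?, ?)", RESPONSIBILITIES)
    conn.executemany("INSERT INTO FND_USER_RESP_GROUPS VALUES (?, ?, ?, ?, ?)", ASSIGNMENTS)
    return conn


def fetch_group_rows(conn, user, as_of):
    """Return the (variable name, value) rows the initialization block would yield."""
    return conn.execute(INIT_BLOCK_SQL, {"user": user, "as_of": as_of}).fetchall()


def session_groups(rows, repository_groups):
    """Split fetched responsibilities into matched and unmatched repository groups."""
    fetched = {value for name, value in rows if name == "GROUP"}
    return sorted(fetched & repository_groups), sorted(fetched - repository_groups)


if __name__ == "__main__":
    db = build_db()
    rows = fetch_group_rows(db, "SHIV", "2020-03-08")
    matched, unmatched = session_groups(rows, REPOSITORY_GROUPS)
    print("rows:", rows)
    print("object security comes from:", matched)
    print("responsibilities with no repository group:", unmatched)
```

Only responsibilities that are active on the evaluation date and whose names match a repository group contribute object security; the expired EXP_OBIEE_SUPERUSER assignment and the unmatched responsibility contribute nothing.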

Page 58

Operating unit- Based Security

1. Operating Unit-Based Security

The sequence for Operating Unit-Based Security with Oracle EBS:

i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.

– USER (System variable)

ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:

– EBS_SSO_INTEGRATION_MODE

This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.

Page 59

Operating unit- Based Security

iii) The 'EBS Security Context' initialization block then populates these session variables:

– OLTP_EBS_RESP_ID

• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS;

• otherwise it is defaulted to a random value, which will be ignored.

– OLTP_EBS_RESP_APPL_ID

• The session variable is initialized with the responsibility application of the user session in EBS if Oracle Business Intelligence Applications is integrated with EBS;

• otherwise it is defaulted to a random value, which will be ignored.

iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER from FND_USER_RESP_GROUPS. The following session variable is set automatically:

– OU_ORG (Row-wise variable)

Page 60

Operating unit- Based Security

SELECT DISTINCT 'OU_ORG',
    TO_CHAR(PER_ORGANIZATION_LIST.ORGANIZATION_ID)
FROM PER_ORGANIZATION_LIST,
    (SELECT FND_PROFILE.VALUE_SPECIFIC('XLA_MO_SECURITY_PROFILE_LEVEL', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID) PROFILE_ID
     FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
           FROM FND_USER_RESP_GROUPS
           WHERE START_DATE < SYSDATE
             AND (CASE WHEN END_DATE IS NULL THEN SYSDATE ELSE TO_DATE(END_DATE) END) >= SYSDATE
             AND USER_ID = (SELECT USER_ID FROM FND_USER WHERE USER_NAME = ':USER')
             AND RESPONSIBILITY_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated' THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID) ELSE RESPONSIBILITY_ID END)
             AND RESPONSIBILITY_APPLICATION_ID = (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated' THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID) ELSE RESPONSIBILITY_APPLICATION_ID END)))
WHERE PER_ORGANIZATION_LIST.SECURITY_PROFILE_ID = PROFILE_ID
UNION
SELECT DISTINCT 'OU_ORG',
    FND_PROFILE.VALUE_SPECIFIC('ORG_ID', USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID) ORGANIZATION_ID
FROM
    (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
     FROM FND_USER_RESP_GROUPS
     WHERE START_DATE < SYSDATE

The SQL used within the initialization block 'Operating Unit Org' fetches the Set of Books corresponding to the logged-in user from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable OU_ORG.

Page 61

Operating unit- Based Security

Page 62

Company Org- Based Security

2. Company Org- Based Data Security

The sequence for Company Org-based security against Oracle EBS is:

i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.

– USER (System variable)

ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:

– EBS_SSO_INTEGRATION_MODE

This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.

iii) The 'EBS Security Context' initialization block then populates these session variables:

– OLTP_EBS_RESP_ID

The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

– OLTP_EBS_RESP_APPL_ID

The session variable is initialized with the responsibility application of the user session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER and OLTP_EBS_RESP_ID from FND_USER_RESP_GROUPS. The following session variable is set automatically:

– COMPANY (Row-wise variable)

SELECT DISTINCT 'COMPANY',
       FND_PROFILE.VALUE_SPECIFIC('GL_SET_OF_BKS_ID',
           USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID)
FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
      FROM FND_USER_RESP_GROUPS
      WHERE START_DATE < SYSDATE
        AND (CASE WHEN END_DATE IS NULL THEN SYSDATE
                  ELSE TO_DATE(END_DATE) END) >= SYSDATE
        AND USER_ID IN (SELECT USER_ID FROM FND_USER
                        WHERE USER_NAME = ':USER')
        AND RESPONSIBILITY_ID =
            (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                  THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                  ELSE RESPONSIBILITY_ID END)
        AND RESPONSIBILITY_APPLICATION_ID =
            (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                  THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                  ELSE RESPONSIBILITY_APPLICATION_ID END))

The SQL used within the initialization block 'Companies' fetches the Set of Books corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable COMPANY.
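The effect of EBS_SSO_INTEGRATION_MODE on the 'Companies' initialization block, as an added example that is not part of the original slides: it replays the query's predicates in Python against an in-memory SQLite database. The table contents, user names, ids and dates are constructed, and VALUE_SPECIFIC is a simplified stand-in for FND_PROFILE.VALUE_SPECIFIC.

```python
import sqlite3

# Constructed sample data standing in for EBS tables; all ids are made up.
RESP_GROUPS = [  # (user_id, resp_id, resp_appl_id, start_date, end_date)
    (100, 501, 101, "2019-01-01", None),          # active assignment
    (100, 502, 101, "2019-01-01", "2019-12-31"),  # expired assignment
    (100, 503, 222, "2019-06-01", None),          # second active assignment
    (200, 501, 101, "2019-01-01", None),          # a different user
]
# Responsibility-level GL_SET_OF_BKS_ID values, keyed by (resp_id, appl_id).
SET_OF_BOOKS = {(501, 101): "1", (502, 101): "7", (503, 222): "2"}


def value_specific(name, user_id, resp_id, appl_id):
    """Simplified stand-in for FND_PROFILE.VALUE_SPECIFIC (responsibility level only)."""
    return SET_OF_BOOKS.get((resp_id, appl_id)) if name == "GL_SET_OF_BKS_ID" else None


# Same predicates as the slide's query; session variables become bound parameters.
QUERY = """
SELECT DISTINCT 'COMPANY', VALUE_SPECIFIC('GL_SET_OF_BKS_ID',
       USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID)
FROM FND_USER_RESP_GROUPS
WHERE START_DATE < :today
  AND COALESCE(END_DATE, :today) >= :today
  AND USER_ID IN (SELECT USER_ID FROM FND_USER WHERE USER_NAME = :user)
  AND RESPONSIBILITY_ID = CASE WHEN :mode = 'Integrated'
                               THEN :resp_id ELSE RESPONSIBILITY_ID END
  AND RESPONSIBILITY_APPLICATION_ID = CASE WHEN :mode = 'Integrated'
                               THEN :appl_id ELSE RESPONSIBILITY_APPLICATION_ID END
"""


def company_variable(user, mode, resp_id=-1, appl_id=-1, today="2020-03-08"):
    """Return the sorted values the row-wise COMPANY variable would hold."""
    db = sqlite3.connect(":memory:")
    db.create_function("VALUE_SPECIFIC", 4, value_specific)
    db.execute("CREATE TABLE FND_USER (USER_ID, USER_NAME)")
    db.execute("CREATE TABLE FND_USER_RESP_GROUPS (USER_ID, RESPONSIBILITY_ID,"
               " RESPONSIBILITY_APPLICATION_ID, START_DATE, END_DATE)")
    db.executemany("INSERT INTO FND_USER VALUES (?, ?)",
                   [(100, "JSMITH"), (200, "OPERATIONS")])
    db.executemany("INSERT INTO FND_USER_RESP_GROUPS VALUES (?, ?, ?, ?, ?)",
                   RESP_GROUPS)
    params = {"today": today, "user": user, "mode": mode,
              "resp_id": resp_id, "appl_id": appl_id}
    rows = db.execute(QUERY, params).fetchall()
    db.close()
    return sorted(value for _name, value in rows if value is not None)


if __name__ == "__main__":
    # Integrated: only the responsibility of the current EBS session counts.
    print(company_variable("JSMITH", "Integrated", resp_id=501, appl_id=101))
    # Not Integrated: every active responsibility of the user contributes.
    print(company_variable("JSMITH", "Not Integrated"))
```

In 'Not Integrated' mode the ELSE branches make both responsibility predicates always true, so COMPANY holds the union over all of the user's active responsibilities and any data filter built on it is wider than in 'Integrated' mode.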

Ledger- based Security

3. Ledger Based Security

Ledger-based security against Oracle EBS was introduced in Version 7.9.4. It replaces the Company-based security to support the EBS GL set of books security model in E-Business Suite release 11i and the EBS Data Access Set model in E-Business Suite release 12.

In Oracle EBS Release 11i, a set of books is essentially a reporting entity that defines the reporting context including a chart of accounts, a functional currency, and an accounting calendar.

A set of books can be assigned to a user, a responsibility, or to the site as the default for all responsibilities. Each user is associated with a single set of books when they log on to the application under a given responsibility in Oracle Applications. The Ledger-based security filters data based on the set of books associated with the logged-in user.

In Oracle EBS Release 12, the set of books is replaced by the ledger. A ledger determines the currency, chart of accounts, accounting calendar, ledger processing options and subledger accounting method.

• The data access set assigned to the user’s responsibility controls what ledgers the user can access.

• A user may be able to access multiple ledgers from a responsibility.

• The Ledger-based security filters data based on the ledgers associated to the logged in user.

Source-Specific Steps for Oracle EBS

i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.

– USER (System variable)

ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:

– EBS_SSO_INTEGRATION_MODE

This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.

iii) The 'EBS Security Context' initialization block then populates these session variables:

– OLTP_EBS_RESP_ID

• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

– OLTP_EBS_RESP_APPL_ID

• The session variable is initialized with the responsibility application of the user session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

iv) Another init block, “Ledgers”, gets the ledgers (essentially the set of books in EBS) corresponding to the USER, OLTP_EBS_RESP_ID and OLTP_EBS_RESP_APPL_ID, via the table FND_USER_RESP_GROUPS and the procedure FND_PROFILE. The following session variable is set:

– LEDGER (Row-wise variable)

SELECT DISTINCT 'LEDGER',
       TO_CHAR(GAL.LEDGER_ID)
FROM GL_ACCESS_SET_LEDGERS GAL,
     (SELECT FND_PROFILE.VALUE_SPECIFIC('GL_ACCESS_SET_ID',
                 USER_ID, RESPONSIBILITY_ID,
                 RESPONSIBILITY_APPLICATION_ID) PROFILE_VALUE
      FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
            FROM FND_USER_RESP_GROUPS
            WHERE START_DATE < SYSDATE
              AND (CASE WHEN END_DATE IS NULL THEN SYSDATE
                        ELSE TO_DATE(END_DATE) END) >= SYSDATE
              AND USER_ID =
                  (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                        THEN VALUEOF(NQ_SESSION.OLTP_EBS_USER_ID)
                        ELSE (SELECT USER_ID FROM FND_USER
                              WHERE USER_NAME = 'OPERATIONS') END)
              AND RESPONSIBILITY_ID =
                  (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                        THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                        ELSE RESPONSIBILITY_ID END)
              AND RESPONSIBILITY_APPLICATION_ID =
                  (CASE WHEN 'VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE)' = 'Integrated'
                        THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                        ELSE RESPONSIBILITY_APPLICATION_ID END)))
WHERE GAL.ACCESS_SET_ID = PROFILE_VALUE

The SQL used within the initialization block 'Ledger' fetches the Set of books or ledgers corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table GL_ACCESS_SET_LEDGERS and assigns it to the server variable LEDGER.

Business Group – Org based Security

4. Business Group Org- Based Data Security

A Business Group is the highest level in the organization structure and is usually used to represent the entire enterprise or a major division. A business group can have several sets of books.

The sequence for Business Group Org-based security against Oracle EBS is:

i) When a user logs in to Oracle Business Intelligence Applications, the session variable below is set automatically.

– USER (System variable)

ii) The 'EBS Single Sign-on Integration' session variable is initialized in the 'EBS Single Sign-on Integration' initialization block:

– EBS_SSO_INTEGRATION_MODE

This session variable can be initialized with two possible values, 'Integrated' or 'Not Integrated', to indicate whether Oracle Business Intelligence Applications is integrated with EBS SSO or not.

iii) The 'EBS Security Context' initialization block then populates these session variables:

– OLTP_EBS_RESP_ID

• The session variable is initialized with the responsibility of the user's session in Oracle EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

– OLTP_EBS_RESP_APPL_ID

• The session variable is initialized with the responsibility application of the user session in EBS if Oracle Business Intelligence Applications is integrated with EBS; otherwise it is defaulted to a random value, which will be ignored.

iv) The Oracle Business Intelligence Server will get the set of books corresponding to the USER and OLTP_EBS_RESP_ID from FND_USER_RESP_GROUPS. The following session variable is set automatically:

– BUSINESS_GROUP (Row-wise variable)

SELECT DISTINCT 'BUSINESS_GROUP',
       TO_CHAR(FND_PROFILE.VALUE_SPECIFIC('PER_BUSINESS_GROUP_ID',
           USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID))
FROM (SELECT USER_ID, RESPONSIBILITY_ID, RESPONSIBILITY_APPLICATION_ID
      FROM FND_USER_RESP_GROUPS
      WHERE START_DATE < SYSDATE
        AND (CASE WHEN END_DATE IS NULL THEN SYSDATE
                  ELSE TO_DATE(END_DATE) END) >= SYSDATE
        AND USER_ID = (SELECT USER_ID FROM FND_USER
                       WHERE USER_NAME = ':USER')
        AND RESPONSIBILITY_ID =
            (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                  THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_ID)
                  ELSE RESPONSIBILITY_ID END)
        AND RESPONSIBILITY_APPLICATION_ID =
            (CASE WHEN VALUEOF(NQ_SESSION.EBS_SSO_INTEGRATION_MODE) = 'Integrated'
                  THEN VALUEOF(NQ_SESSION.OLTP_EBS_RESP_APPL_ID)
                  ELSE RESPONSIBILITY_APPLICATION_ID END))

The SQL used within the initialization block 'Business Groups' fetches the Set of books corresponding to the logged-in USER and OLTP_EBS_RESP_ID from the EBS source table FND_USER_RESP_GROUPS and assigns it to the server variable BUSINESS_GROUP.

Primary Employee/Position Hierarchy-based Security

5. Primary Employee/Position Hierarchy – Based Security

Employee-based security restricts data visibility of the records to the owner of that record, and all employees he/she reports to in the company’s Employee hierarchy.

This security mechanism uses data from the data warehouse database, and shares the metadata components with other supported applications (Siebel CRM and PeopleSoft).

Out of the box, this type of security supports only HR Analytics facts.

INTEGRATING OBIEE WITH E-BUSINESS SUITE

Integrating OBIEE with E-Business Suite

Integration Aspects

1. Single Sign-On / Authentication

2. Application Data Security

3. Drill to Transactions/Action Links

Authorization Via A Portal (i.e. Oracle EBS)

[Diagram: components shown are the Portal, the Presentation Server, the Oracle BI Server, the Authorization Source and LDAP. Labelled steps: A. Login; B. Authenticate; C. Validate; D. Handshake; E. Request; F. Authorize; G. Groups, etc.; H. Result Set; I. Formatted Results.]

Single Sign-On Integration

• Single Sign-On / Authentication: a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again.

If the user is already logged in to the Single Sign-On server and then tries to access Oracle BI:

The user is redirected to the Single Sign-On server but is not challenged for credentials.

The SSO session cookie is used to validate the user identity.

The server passes an authentication token to Oracle BI.

BI Presentation Services then utilizes the BI Server Impersonation feature to create a connection to the BI Server on behalf of the authenticated end user.

Additional authorization for the user takes place in the BI repository, which determines, for example, the security groups associated with the user.

This in turn determines subject area access, presentation catalog access and data visibility that must be applied for the user.

When a web user tries to access Oracle BI with Oracle SSO enabled, the user is redirected to the Single Sign-On server and is challenged for credentials via a JSP login page.

After verifying the credentials in Oracle Internet Directory, the server sets an SSO session cookie and passes an authentication token to Oracle BI.

Drill to Transactions/Action Links

Action Links

– Seamless navigation from analytical information to transactional detail while maintaining context within Oracle EBS

Further Reading

• Technical Note 682: Implementing Security for Oracle’s PeopleSoft Enterprise Applications in Oracle Business Intelligence Applications 7.9.3

• Technical Note 683: Implementing Data Security for Oracle E-Business Suite 11i in Oracle Business Intelligence Applications 7.9.3

• Technical Note 685: Position-Based Visibility and Team-Based Visibility Implementations in Oracle Business Intelligence Applications 7.9.3

Next Steps with KPI Partners

Come visit us at Oracle Open World

Training

One or Two-Day Health Check / Oracle BI Readiness Assessment

Quick Start Offerings

Hands-On Business User and Technical Workshops

CONTACT INFORMATION

Sid Goel, Partner & BI Architect: (650) 388-6657

Keith Weisz, Director, Business Development, Mid-West Region: (816) 304-1005

Jaime Seagraves, Director, Business Development, NorthEast

Kusal Swarnakar, Partner: (925) 984-1371

Norman Dy, Director, Business Development, California and Pacific North West: (619) 245-5090