When you are deploying Oracle Business Intelligence Enterprise Edition, how you handle identity management is as important as query speed and the quality of your data. A well-architected identity management solution ensures that your users are set up automatically when they first join the organization, that they can quickly access applications and data appropriate for their varied roles, and that personal details and access privileges can be easily managed.
This article focuses on integrating Oracle Business Intelligence Enterprise Edition with two of Oracle's flagship identity management tools: Oracle Internet Directory and Oracle Application Server Single Sign-On. You'll see how to combine the security features of Oracle Business Intelligence Enterprise Edition and Oracle Identity Management to provide granular, secure access to data.Identity Management in Focus
User identity has its own lifecycle, beginning with the initial hire, continuing through promotions and changes of department or role, and ending when the staff member leaves and that person's application access is removed. Over time, employees typically need access to multiple systems, and their requirement for data access will change with their roles.
Oracle Identity Management is a broad set of products that provides standards-based identity management tools, including Oracle Access Manager, Oracle Application Server Single Sign- On, Oracle Enterprise Single Sign-On Suite, Oracle Identity Federation, Oracle Identity Manager, Oracle Internet Directory, Oracle Virtual Directory, and Oracle Web Services Manager. Oracle Internet Directory is an LDAP v.3 directory that leverages the scalability and high availability of Oracle Database to store user and group profiles. Oracle Internet Directory is widely used within Oracle's own applications and middleware tools to provide a single store of identity information. (For an overview of identity management concepts and Oracle Identity Management, see "Access Granted" in the July/August 2006 issue of Oracle Magazine.)
Oracle Business Intelligence Enterprise Edition has its own security infrastructure for user and group management and control of access to datasources, but it can also be integrated with numerous other industry-standard identity management implementations, including Oracle Identity Management.
Oracle Business Intelligence Enterprise Edition includes Oracle Business Intelligence Server, Oracle Business Intelligence Presentation Services, and the Oracle Business Intelligence Administration Tool, plus several other server and desktop applications.
Oracle Business Intelligence Server has a local repository that contains information about the many datasources (data warehouses, data marts, packaged applications, and so on) that business users will have access to via Oracle Business Intelligence Interactive Dashboards.
Oracle Business Intelligence Presentation Services has its own separate security infrastructure of users and groups stored in a separate repository, known as the Web Catalog. Oracle Business Intelligence Interactive Dashboard is the main user interface provided by Oracle Business Intelligence Presentation Services.
When users log in to their respective dashboards, Oracle Business Intelligence Server authenticates their credentials. If an account does not already exist in the Web Catalog, one is created for them. If a user is a member of any groups that have corresponding Web Catalog entries, the user is granted access to these Web Catalog groups and any dashboards to which that person has access.
As you'll see later in this article, the user and group information contained in Oracle Internet Directory can be used to facilitate the same access scenarios.
Oracle Business Intelligence Server makes it possible for privileged users to "impersonate" other users—this functionality is used by Oracle Business Intelligence Presentation Services to implement single-sign-on functionality in various scenarios, including one demonstrated later in this article.
For more information, see Oracle Business Intelligence Presentation Services Administration Guide (chapter 8) and Oracle Business Intelligence Server Administration Guide (chapter 15), available on Oracle Technology Network.Bringing Identity Management Together
Organizations that have deployed Oracle Identity Management can easily use it to provide Oracle Business Intelligence Enterprise Edition with an integrated, scalable identity management solution across all their reporting needs. This article provides three integration scenarios that demonstrate how to take advantage of powerful features in both products.
Example 1: Leverage Oracle Internet Directory for Oracle Business Intelligence Interactive Dashboard Security steps you through enabling users of Oracle Business Intelligence Interactive Dashboard to connect to their dashboards by using their Oracle Internet Directory logins and passwords.
Example 2: Augment Oracle Internet Directory User Identity with Oracle Business Intelligence Server Security Features shows you how the features in Oracle Business Intelligence Server can provide granular, row-level control over report data to users authenticated with Oracle Internet Directory.
Example 3: Streamline Access to Oracle Business Intelligence by Using Oracle Single Sign-On steps you through configuring Oracle Business Intelligence Enterprise Edition to leverage Oracle Application Server Single Sign-On as a partner application. Business users will then be able to access Oracle Business Intelligence Server functionality by using the same user account as for other applications and will be able to access their Oracle Business Intelligence Server dashboards based on group membership.
The examples in this article are based on these specific releases:
In addition to the required products, note these other requirements:
1. From a Web browser, navigate to the Oracle Identity Management Provisioning Console:
2. Click the Directory tab to activate the user setup page. Set up user accounts as necessary.
Example 1: Leverage Oracle Internet Directory for Oracle Business Intelligence Interactive Dashboard Security
In this first example, you connect Oracle Business Intelligence Server to Oracle Internet Directory, to enable your Oracle Business Intelligence Interactive Dashboard users to authenticate by using their Oracle Internet Directory login and password. At runtime, when a business user tries to access a report, Oracle Business Intelligence Presentation Services will retrieve the user's group membership information from Oracle Internet Directory.
This example is based on using Oracle Internet Directory exclusively to manage user IDs and group membership. You can, however, also use Oracle Security Manager to import details of users and groups directly into the Oracle Business Intelligence Server repository and then keep these details up to date through either the Oracle Security Manager LDAP Synchronization tool or Oracle Directory Integration Platform, provided with Oracle Internet Directory. (Oracle Directory Integration Platform enables you to create workflow that can add users to the Oracle Business Intelligence Server repository as soon as they are provisioned in Oracle Internet Directory.) See Oracle Business Intelligence Enterprise Edition Deployment Guide for more details about various other configuration options.
To enable authentication against Oracle Internet Directory, you must create an "initialization block" that runs when the user logs in, retrieving details from Oracle Internet Directory. The initialization block runs at the session level.
Oracle Business Intelligence Administration Tool Variable Manager enables you to define repository variables and session variables. We'll use the session variable to define a session-level initialization block.
To create the initialization block, use Oracle Business Intelligence Server Administration to launch Variable Manager, as follows:
1. Launch the Oracle Business Intelligence Administration Tool.
(For example, click Start -> Programs -> Oracle Business Intelligence -> Administration .)
2. From the Manage menu, select Variables... to launch Variable Manager.
3. In the left-hand pane, under Session , click Initialization Blocks.
4. In the right-hand pane of Variable Manager, right-click New Initialization Block... to display the Session Variable Initialization Block editor.
5. Name the variable Authenticator.
6. Click Edit Data Source... to create a new LDAP datasource.
7. Using the LDAP Server dialog box, enter the following connection details:
Host name = name of server hosting Oracle Internet Director Port = 389 Base DN = dc=<oid_domain_name>, dc=<oid_tld> Bind DN = cn=orcladmin Bind Password = <orcladmin_password> LDAP Version = 3
8. Click Test Connection to ensure that everything is working correctly.
After establishing the connection to Oracle Internet Directory, you must map Oracle Business Intelligence Server internal variables to Oracle Internet Directory LDAP variables, as follows:
1. Return to the Session Variable Initialization Block editor.
2. Click Edit Data Target....
3. Using the Session Variable Initialization Block Data Target dialog box, map these three Oracle Business Intelligence Server variables to their respective Oracle Internet Directory LDAP variables:
USER = uid GROUP = departmentnumber PASSWORD = userpassword
You can disregard the warning messages that appear when you are using the variable names USER and PASSWORD (password is optional). The warnings are generated because we are directly supplying values for these internal Oracle Business Intelligence Server variables—something you would never do in a production environment.
4. Click OK to save the variable target definition.
5. Click OK again to create the initialization block.
Note that instead of using the LDAP uid attribute to establish a user's identity, you can use the orclguid attribute, which guarantees uniqueness even when a user is deleted from Oracle Internet Directory and another one is created with the same name. However, for the example, we use the uid attribute, which makes Web Catalog paths a little more readable (at the risk of new users colliding with deleted users). You can also create additional variable bindings for the user's e-mail address (MAIL) or other LDAP attributes.
6. Click OK to redisplay the Server Variable Initialization Block dialog box.
7. Check the Required for Authentication check box to require all users (except for the administrator user) to authenticate via the Oracle Internet Directory server. (If you leave the check box deselected, users not held in Oracle Internet
Directory will still be able to authenticate if their details are present in the Oracle Business Intelligence Server repository.)
8. Restart Oracle Business Intelligence Server.
Test the setup, by having one of your users log on to Oracle Business Intelligence Interactive Dashboard by using his or her Oracle Internet Directory credentials. The user should be granted access to Oracle Business Intelligence Interactive Dashboard according to Oracle Business Intelligence Presentation Services Web Catalog group memberships listed in the Oracle Internet Directory profile.
Example 2: Augment Oracle Internet Directory User Identity with Oracle Business Intelligence Server Security Features
In this example, you create groups within Oracle Business Intelligence Server and apply row-level security to the groups so that users have role-based data access, regardless of how they log on (through Security Manager or through Oracle Internet Directory).
First, create the groups in Oracle Business Intelligence Server, by using the Oracle Business Intelligence Administration Tool.
1. From the Oracle Business Intelligence Administration Tool main menu, select Manage -> Security to launch Security Manager.
2. From within the left-hand pane of Security Manager, select Groups.
3. Add the name of a group that matches the group set up in Oracle Internet Directory.
4. Create groups that match the groups already created in the Oracle Business Intelligence Presentation Services Web Catalog and that match the group names used within Oracle Internet Directory.
5. Once you have created the groups, use the User Group/Permissions dialog box to create and apply one or more filters to the tables available to each group, thus limiting access.
For example, you can create a filter to limit members of the Eastern group so that they see data on customers from New York and Massachusetts only. Each filter defines the data the user can see. Filters are cumulative: users belonging to both the Northern and Eastern groups will see data for customers in states in the north and the east.
However, users without any filters applied to a specific table in the repository will be able to see all of the data in that table.
When someone from the Eastern group logs in, that person will see data for that region; if he or she also belongs to another group or other users log in who belong to a different group, they will see data for those particular states.
Example 3: Streamline Access to Oracle Business Intelligence Enterprise Edition by Using Oracle Application Server Single Sign-On
The single-sign-on (SSO) feature of Oracle Application Server enables users to have a single user ID and password that grants them access to Oracle applications. These applications can either be full participants in Oracle Application Server Single Sign-On (in which all user and profile management is handled by Oracle Internet Directory) or they can be partner applications that manage their own user profiles.
This example shows you how to configure Oracle Business Intelligence Enterprise Edition as an Oracle Application Server Single Sign-On partner application: users' single-sign-on user IDs are mapped to their equivalent Oracle Business Intelligence Enterprise Edition user IDs, so that they can access their data and reports.
Configuring Oracle Business Intelligence Enterprise Edition to work with Oracle Application Server Single Sign-On is a reasonably straightforward process if Oracle Business Intelligence Suite has been installed with the Advanced Security installation option.
To configure Oracle Business Intelligence Enterprise Edition to use SSO on the Microsoft Windows XP platform,
1. Open a command prompt.
2. Set the ORACLE_HOME environment variable to the Oracle home used by Oracle Application Server Identity Management:
3. Use the Oracle Internet Directory SSOREG utility to create a configuration file that points to your Oracle Business Intelligence Presentation Server URL (using just the hostname and the port number):
C:\> C:\oracle\OraHome_1\sso\bin\ssoreg.bat -oracle_home_path c:\oracle\OraHome_1 -config_mod_osso TRUE -site_name <bi host name>:<bi port number> -remote_midtier -config_file c:\oracle\OraHome_1\Apache\Apache\conf\osso\biosso.conf -mod_osso_url http://<bi host name>:<bi port number>
4. Copy the configuration file generated by the SSOREG utility to the Oracle Application Server 10.1.3 Oracle home (to which Oracle Business Intelligence Enterprise Edition was deployed). For example,
C:\> copy c:\oracle\OraHome_1\Apache\Apache\conf\osso\biosso.conf c:\oracle\OraHome_2\Apache\Apache\conf\osso\
5. Using a text editor, open the mod_osso.conf file in the Oracle Application Server 10.1.3 Oracle home (located in the ORACLE_HOME/Apache/Apache/conf directory), and add the following directive:
6. Add the following XML fragment to statically protect the Oracle Business Intelligence Presentation Server URL:
<IfModule mod_osso.c> <Location /analytics> OssoIpCheck off OssoIdleTimeout off Header unset Pragma OssoSendCacheHeaders off AuthType Basic require valid-user </Location> </IfModule>
7. Save the changes, and close the text editor. Within the same Oracle home, navigate to the /Apache/Apache/conf subdirectory:
8. Using a text editor, open the httpd.conf file and uncomment the following line:
9. If necessary, modify the name of the Oracle home referenced in the line so that it refers to the Oracle home used by Oracle Application Server 10.1.3. When the Apache server starts, it will read the mod_osso.conf file you modified.
10. Save the changes, and close the text editor.
11. Restart Oracle HTTP Server, using the following command:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
To set up the delegated authentication, start the Oracle Business Intelligence Administration Tool again and create an "impersonation user," which Oracle Business Intelligence Presentation Server will use to create a connection to Oracle Business Intelligence Server on behalf of the authenticated user.
Within the Oracle Business Intelligence Administration Tool, select Manage -> Security and New -> User . Create a user with the name Impersonator and the password fakeuser (in production situations, choose a stronger password). Add the impersonation user to the Administrators group, and note the username and password.
Now you add the details of this impersonation user to the Oracle Business Intelligence Presentation Server credentials store, using the Presentation Server CRYPTOTOOLS utility:
1. Open a command prompt.
2. Navigate to the location of the Oracle Business Intelligence cryptography tools and credential store. The default location is in the \OracleBI\web\bin subdirectory of the Oracle Business Intelligence Suite installation. For example,
3. Enter the following command:
cryptotools credstore -add -infile c:/oracle/OracleBIData/web/config/ credentialstore.xml
You'll be prompted to enter the credential alias, username, password, and other details:
4. Enter impersonation for the credential alias.
5. Enter Impersonator for the username.
Next, you need to update the Oracle Business Intelligence Presentation Services configuration file (instanceconfig.xml) file, located in the data directory of the Oracle Business Intelligence Suite install. For example,
c:\oracle\OradleBIData\web\config\instanceconfig.xml11. Using a text editor, open the instanceconfig.xml file.
<CredentialStore> <CredentialStorage type="file" path="c:/oracle/OracleBIData/web/ config/credentialstore.xml" passphrase="storepassword"/> </CredentialStore>
13. Add the authorization XML fragment to the ServerInstance section of the file:
<Auth> <SSO enabled="true"> <ParamList> <!--IMPERSONATE param is used to get the authenticated user's username and is required --> <Param name="IMPERSONATE" source="serverVariable" nameInSource="REMOTE_USER"/> </ParamList> <LogoffUrl> http://<identity server host>:<identity server port> /pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http%3A%2F%2F <bi server host>:<bi server port>%2Fanalytics%2F </LogoffUrl> <LogonUrl> http://<identity server host>:<identity server port> /pls/orasso/orasso.wwsso_app_admin.ls_login </LogonUrl> </SSO> </Auth>
14. Save the instanceconfig.xml file.
15. Restart Oracle Business Intelligence Presentation Server.
Your users should now be able to log in to Oracle Business Intelligence Enterprise Edition by using Oracle Application Server Single Sign-On.
Full details on how to register Oracle Business Intelligence Enterprise Edition as an Oracle Application Server Single Sign-On partner application are provided in Section 11 of Oracle Business Intelligence Enterprise Edition Deployment Guide.Summary
When putting together an application based on Oracle Business Intelligence Enterprise Edition, how you handle the issue of identity management is as important as the quality of your data and the performance of your reports. Users should have a single profile within their organization that grants them access to both their applications and their reports, with a simple-to-administer provisioning process that handles their identity management lifecycle, from hiring to promotion to departure.
Oracle Application Server 10g, through the use of Oracle Identity Management tools—Oracle Internet Directory, Oracle Delegated Administration Services, and Oracle Application Server Single Sign-On—provides a solution based on widely used standards. Oracle Business Intelligence Enterprise Edition leverages these standards and enables you to create a single identity management solution across your line-of-business and reporting applications.
READ Oracle documentation
Photography by Ricardo Gomez, Unsplash