Category Archives: Security

How To Setup Session Timeout In Oracle BIEE

Thanks to Oracle support I was able to find the answer to my problem: how to make OBIEE more secure and log users off automatically, showing them this page:

Here’s what I found:

The three parameters that affect session timeout for a BIEE user.

Three timeout settings control the user session:

BI                   Presentation                      User
Server -  (Link 1)   ->   Server    ->  (Link 2)   ->   Browser

Link 1:

The timeout of the connection between OracleBI Presentation Services and the OracleBI Server can be configured using the following steps:
1. Edit the file instanceconfig.xml
2. Add the following line inside the <ServerInstance> block:

<ConnectionExpireMinutes>3</ConnectionExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The default value is 3 minutes.
2. After this time the connection between the OracleBI Server and OracleBI Presentation Services is closed and removed.
3. This setting does not affect the connection between OracleBI Presentation Services and the web browser, which remains open while waiting for activity from the user.

Link 2:

The timeout of the connection between OracleBI Presentation Services and the web browser can be configured using the following steps:
1. Edit the file instanceconfig.xml
2. Add the following line inside the <ServerInstance> ... </ServerInstance> block:

<ClientSessionExpireMinutes>1440</ClientSessionExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The internal default value is 1440 minutes (24 hours).
2. The connection between the OracleBI Presentation Services and the WebBrowser is closed and removed.
3. This setting logs the user out of the application; to use the application again the user must log in again.
4. All information and session state held in the session are lost.

Log User Off:

A third property forces the user to log off from OracleBI Presentation Services after a fixed time.
This setting only applies to users who have not selected the option “remember my ID and password”.
1. Edit the file instanceconfig.xml
2. Add the following line in the block

<LogOnExpireMinutes>180</LogOnExpireMinutes>

3. Restart services OracleBI Presentation Services
Notes:
1. The internal default value is 180 minutes (3 hours).
2. To disable this feature, use a value larger than the value of ClientSessionExpireMinutes.
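The three settings side by side, as an added instanceconfig.xml fragment that is not part of the original post. The first <ServerInstance> shows a weak combination: LogOnExpireMinutes exceeds ClientSessionExpireMinutes, which by note 2 above disables the forced logoff. The second shows the same element with the values ordered so that forced logoff stays in effect; only one <ServerInstance> belongs in a real file.

```xml
<!-- Weak: 2000 > 1440, so forced logoff never fires and a login can
     outlive a full day of idle browser session. -->
<ServerInstance>
  <ConnectionExpireMinutes>3</ConnectionExpireMinutes>
  <ClientSessionExpireMinutes>1440</ClientSessionExpireMinutes>
  <LogOnExpireMinutes>2000</LogOnExpireMinutes>
</ServerInstance>

<!-- Corrected: forced logoff after 180 minutes stays below the idle
     browser timeout (240), so a login cannot outlive either limit. -->
<ServerInstance>
  <ConnectionExpireMinutes>3</ConnectionExpireMinutes>
  <ClientSessionExpireMinutes>240</ClientSessionExpireMinutes>
  <LogOnExpireMinutes>180</LogOnExpireMinutes>
</ServerInstance>
```

The 240-minute idle value is an assumed example, not an Oracle default; pick it to match your own policy, keeping LogOnExpireMinutes at or below it.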

Accessing Groups in LDAP for use in Oracle Business Intelligence

This one is useful if you’re trying to set up BI to work with LDAP.

Oracle BI allows integration with LDAP servers for authentication and security
out-of-the-box. This document describes a solution for retrieving security groups
defined within LDAP and reusing them within the context of the Oracle BI repository
seamlessly. It assumes that an Oracle Database is in use and that the DBMS_LDAP
package built into the Oracle Database can be leveraged for this purpose.

Typically, organizations use LDAP servers as a central infrastructure for storing
users’ security credentials and use these servers to authenticate and authorize users’
access to various applications within the organization. Tapping into this security
infrastructure helps the organization keep its security management in one central place.

Currently, OBI EE can connect to an LDAP server and authenticate a user with
user and password credentials, but it is limited in its ability to extract the groups
defined within the LDAP server and to leverage these groups in the repository.

Scope and Application

The workaround suggested in this paper allows the administrator to reuse the
groups defined in the LDAP server by means of the DBMS_LDAP package available within the
Oracle Database.

Accessing Groups in LDAP for use in Oracle Business Intelligence

The goal is to allow access to the Users and Groups defined within LDAP Server,
without having to redefine these in a database. This allows the enterprise to
leverage a single common security infrastructure and allows OBI EE to plug into
this infrastructure.
The following are the high level steps to access the Groups defined within the
LDAP server.
1. Using the DBMS_LDAP package provided within the Oracle Database,
write a stored function that connects to the LDAP server and exposes the
groups as a virtual table.
This PL/SQL code creates a virtual table within the database, which acts as
a gateway to the LDAP server. It is then possible to write queries in standard SQL
against this virtual table, which are in turn translated into requests to the LDAP server.
2. Provide the parameters needed to connect to LDAP for authentication. To
do this, open the Administration Tool used for managing the
OBI EE repository. From the Manage -> Security -> LDAP Servers menu,
provide the parameters needed to connect to the LDAP server
(for details, see the Server Admin Guide for OBI EE).

The above picture is a sample of the properties required for connecting to an LDAP
server.
3. The next step is to create a Session Initialization Block within the OBI EE
Admin tool and wire the LDAP server property to this initialization block.
The user id defined in the LDAP server should be associated with the “USER”
session variable. USER is a system session variable within the Oracle BI stack
and is used to store the USER information entered during login from the
presentation server.

4. Next, create another initialization block within the OBI EE Admin tool to
store the group information. The group information is queried from
the virtual table (defined by the stored procedure/function from
step 1) using row-wise initialization. This
initialization block should execute after the initialization block
defined in the previous step.

The screenshot above shows an example of the SQL query being passed to
the Oracle DB where the PL/SQL stored procedure (from step 1) was created,
extracting the group information stored in LDAP using row-wise
initialization.
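An added example of the step-1 stored function and the step-4 row-wise query; this is not the paper’s own code. It assumes the object/collection types and function name shown, a directory reachable from the database with a read-only service account (host, port, bind DN, base DN, login attribute and password are placeholders), and that each user entry carries the multi-valued memberOf attribute holding one group DN per value. The login name is escaped before it is placed in the search filter so that a value such as `*` or `)` cannot widen the query.

```plsql
CREATE OR REPLACE TYPE ldap_group_row AS OBJECT (group_name VARCHAR2(1024));
/
CREATE OR REPLACE TYPE ldap_group_tab AS TABLE OF ldap_group_row;
/
-- Pipelined function: one row per memberOf value of the given user (placeholders below)
CREATE OR REPLACE FUNCTION ldap_groups_for_user (p_user IN VARCHAR2)
  RETURN ldap_group_tab PIPELINED
AS
  c_host    CONSTANT VARCHAR2(64)  := 'ldap.example.com';
  c_port    CONSTANT PLS_INTEGER   := 389;
  c_bind_dn CONSTANT VARCHAR2(256) := 'cn=obiee_svc,ou=Service,dc=example,dc=com';
  c_base    CONSTANT VARCHAR2(256) := 'ou=People,dc=example,dc=com';
  l_ld     DBMS_LDAP.session;
  l_attrs  DBMS_LDAP.string_collection;
  l_res    DBMS_LDAP.message;
  l_entry  DBMS_LDAP.message;
  l_vals   DBMS_LDAP.string_collection;
  l_rc     PLS_INTEGER;
  -- Escape RFC 4515 filter metacharacters so a login name cannot alter the filter
  FUNCTION f_escape (p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(p, '\', '\5c'),
                   '*', '\2a'), '(', '\28'), ')', '\29');
  END;
BEGIN
  DBMS_LDAP.use_exception := TRUE;   -- raise errors instead of returning codes
  l_ld := DBMS_LDAP.init(c_host, c_port);
  l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_bind_dn, '<service-account-password>');
  l_attrs(1) := 'memberOf';          -- multi-valued: one value per group DN
  l_rc := DBMS_LDAP.search_s(l_ld, c_base, DBMS_LDAP.SCOPE_SUBTREE,
            '(&(objectClass=person)(uid=' || f_escape(p_user) || '))',
            l_attrs, 0, l_res);
  l_entry := DBMS_LDAP.first_entry(l_ld, l_res);
  WHILE l_entry IS NOT NULL LOOP
    l_vals := DBMS_LDAP.get_values(l_ld, l_entry, 'memberOf');
    IF l_vals.COUNT > 0 THEN
      FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
        PIPE ROW (ldap_group_row(l_vals(i)));
      END LOOP;
    END IF;
    l_entry := DBMS_LDAP.next_entry(l_ld, l_entry);
  END LOOP;
  l_rc := DBMS_LDAP.unbind_s(l_ld);
  RETURN;
EXCEPTION
  WHEN OTHERS THEN
    IF l_ld IS NOT NULL THEN l_rc := DBMS_LDAP.unbind_s(l_ld); END IF;
    RAISE;
END;
/
```

The step-4 row-wise initialization query then reads `SELECT 'GROUP', group_name FROM TABLE(ldap_groups_for_user(':USER'))`, where ':USER' is filled in by OBIEE from the USER session variable set in step 3. On Active Directory the login attribute would be sAMAccountName rather than uid.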

LDAP Authentication against multiple servers

Someone asked Oracle support whether Siebel Analytics could use two LDAP servers for authentication. “We currently use one LDAP server for authentication and it works fine. We have some users from another LDAP server and want to add it to our authentication.”

Response was:
Siebel Analytics can only authenticate against one LDAP server at a time. If you define multiple LDAP servers, the 2nd LDAP server is not looked at unless the connection to the 1st failed.

You define multiple LDAP servers by putting the LDAP server names in a concatenated string, using a space as delimiter, in the Host Name entry, i.e. “ldap1.siebel.com ldap2.siebel.com:9872 ldap3.siebel.com” in the AN78x release.

In the latest Oracle Business Intelligence Enterprise Edition, you can define multiple LDAP server definitions in the Manage > Security > LDAP Server.

But authentication tries the first LDAP server; if it fails, it then uses the second LDAP server defined in the repository.

“Product change request 12-HOAZ87 has been logged to ask for authentication against multiple LDAP servers simultaneously.”

ADSI Groups in OBIEE (LDAP)

This is official – you can’t get groups from ADSI! Hopefully this can help someone who’s battling management at the beginning of a project. Sometimes Oracle salespeople are overly optimistic and give the impression that OBIEE can do everything. But I’ll leave that as the theme of another post.

Here’s the full text below: “

I am able to login to Analytics web using my Active Directory credentials. However, I need to be able to assign permissions to my self. How do I do that? Do I create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Customer is able to login to Analytics web using his Active Directory credentials. However, he wants to assign permissions to himself. How does he do that? Does he create an Analytics group named the same as an Active Directory group and assign permissions to the Analytics group?

Resolution
After understanding the requirements of the customer it was determined that it is not possible to retrieve the group name the way the customer is trying.

Customer is trying to retrieve the GROUP value from the memberOf attribute.

The memberOf attribute is multi-valued. Here is an example:
CN=Siebel Administrator,OU=People,DC=d1,DC=us,DC=ts
memberOf=CN=Group Policy Creator Owners,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Domain Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Enterprise Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Schema Admins,CN=Users,DC=d1,DC=us,DC=ts
memberOf=CN=Administrators,CN=Builtin,DC=d1,DC=us,DC=ts

We do not support retrieving groups dynamically for LDAP/ADSI validation.
I have logged Bug No# 5714777 as an Enhancement Request to support this feature.
The only way to retrieve the group name is to create an attribute “xyz” in ADSI and then populate it with xyz:webadmin;siebeladmin; then you can map it to the Group variable.”