OBIEE 10g and 11g: Comparing Repository And Catalog Security Models And Changes With Upgrade

Errors and warnings after upgrade to 11G from OBIEE 10g
August 2, 2012
OBIEE 10g (10.1.3.4.2) And Microsoft IIS 7
August 12, 2012

Applies to:

Business Intelligence Suite Enterprise Edition – Version: 10.1.3.2 to 11.1.1.5.0 [1308] – Release: 10g to 11g
Business Intelligence Suite Enterprise Edition – Version: 10.1.3.2 to 11.1.1.5.0 [1308]   [Release: 10g to 11g]
Information in this document applies to any platform.

Purpose

This document highlights the security features in Oracle Business Intelligence Enterprise Edition (OBIEE) and compares and contrasts features found in OBIEE 10g and 11g.

Questions and Answers

What documentation describes the security model for the Repository (RPD) and Catalog in OBIEE 10g?

OBIEE 10g security and repository access control are described in the Oracle Business Intelligence Server Administration Guide.

Web Catalog security and access control is described in the Oracle Business Intelligence Presentation Services Administration Guide.

What documentation describes the security model for the RPD and catalog  in OBIEE 11g?

OBIEE 11g security is described primarily in two places:

How are security settings enabled / controlled in OBIEE 10g and 11g?

In OBIEE 10g, security is controlled at the following points: permissions on the OBIEE Presentation catalog, via the repository (users and passwords) and optionally via an external LDAP, or external tables.

In OBIEE 11g, the security policy is split across the OBIEE presentation catalog, repository and default 11g identity store (embedded WLS LDAP), or external LDAP (i.e. OID or other if used).


What are the primary differences between the OBIEE 10g and 11g security models and what happens during upgrade?

Security Task/Object OBIEE 10g OBIEE 11g What happens during 10g upgrade to 11g?
Define Users and Groups in RPD file using OBIEE Admin Tool Default N/A. By default, users are defined in embedded WLS LDAP via FMW EM Console, or alternatively, in external LDAP. By default, existing users and groups migrated to embedded WLS LDAP. Existing groups are automatically mapped to an Application role.
Defining security policies Policies in the catalog and repository can be defined to reference groups within a directory Policies are defined in terms of application roles, which map to users and groups in a directory. 10g catalog groups are automatically migrated in the upgraded catalog and assigned the same privileges, access, and membership.
“Administrator” user Unique user with full administrative privileges No single user named for full administrative privileges. Administration can be performed by any user who is member of BIAdministrators group. “Administrator” user automatically added as member of “BIAdministrators” group in embedded WLS LDAP and granted Administrator role. The user specified during OBIEE 11g installation (i.e. “weblogic”, “biadmin”) is also a member of the BIAdministrators group.
Repository encryption Available on sensitive elements only – i.e. user passwords, connection pool passwords, etc. Entire RPD encrypted via a password. Prompted to set a repository password while running the upgrade assistant. Do not lose this password as there is no feature to recover a lost password.
External Authentication and OBIEE Initialization (Init) Blocks Init blocks are required for external LDAP or external table authentication. Init blocks not required for WLS embedded LDAP. Init blocks are required for external LDAP or external table authentication. Upgraded RPD will continue to point to 10g LDAP or external tables. Initblocks may need to be modified to ensure that deprecated, or reserved word, variable names are renamed.
NOTE: If you intend to use another LDAP server, such as Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server first, then
migrate to the production LDAP server. Please see Upgrade Guide for further details.
Catalog Groups Defined in Presentation Server Administration link Available for backward compatibility. Use of Application Roles in FMW EM Console recommended. Existing groups will be migrated. Recommendation is to use application roles instead. Privileges on catalog objects may be granted to an application role via BI Presentation server Administration link.
SA System Subject Area Optional Available for backward compatibility and requires init blocks and external tables. Use of Embedded LDAP is recommended. Upgraded 10g RPD will point to external tables. Initblocks may need to be modified to ensure that deprecated, or reserved word, variable names are renamed.
“Everyone” Presentation Server Group Default Replaced with AuthenticatedUser role “Everyone” group migrated to AuthenticatedUser role.

Show Related Information Related

Leave a Reply