Business Intelligence Suite Enterprise Edition – Version: 10.1.3.2 to 184.108.40.206.0  – Release: 10g to 11g
Information in this document applies to any platform.
This document highlights the security features in Oracle Business Intelligence Enterprise Edition (OBIEE) and compares and contrasts features found in OBIEE 10g and 11g.
OBIEE 10g security and repository access control are described in the Oracle Business Intelligence Server Administration Guide.
Web Catalog security and access control are described in the Oracle Business Intelligence Presentation Services Administration Guide.
OBIEE 11g security is described primarily in two places:
- Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence 11g Release 1 (11.1.1)
- Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1).
NOTE: Unlike OBIEE 10g, OBIEE 11g has no separate documents for the BI Server and BI Presentation Server. For OBIEE 11g, both the RPD and catalog security are described in the Security Guide.
In OBIEE 10g, security is controlled at the following points: permissions on the OBIEE Presentation catalog; the repository (users and passwords); and, optionally, an external LDAP directory or external tables.
In OBIEE 11g, the security policy is split across the OBIEE Presentation catalog, the repository, and an identity store: by default the embedded WLS LDAP, or an external LDAP directory (OID or another, if used).
What are the primary differences between the OBIEE 10g and 11g security models and what happens during upgrade?
| Security Task/Object | OBIEE 10g | OBIEE 11g | What happens during 10g upgrade to 11g? |
|---|---|---|---|
| Define Users and Groups in RPD file using OBIEE Admin Tool | Default | N/A. By default, users are defined in embedded WLS LDAP via FMW EM Console, or alternatively, in external LDAP. | By default, existing users and groups are migrated to embedded WLS LDAP. Existing groups are automatically mapped to an Application role. |
| Defining security policies | Policies in the catalog and repository can be defined to reference groups within a directory. | Policies are defined in terms of application roles, which map to users and groups in a directory. | 10g catalog groups are automatically migrated in the upgraded catalog and assigned the same privileges, access, and membership. |
| “Administrator” user | Unique user with full administrative privileges. | No single user named for full administrative privileges. Administration can be performed by any user who is a member of the BIAdministrators group. | “Administrator” user automatically added as member of “BIAdministrators” group in embedded WLS LDAP and granted Administrator role. The user specified during OBIEE 11g installation (e.g. “weblogic”, “biadmin”) is also a member of the BIAdministrators group. |
| Repository encryption | Available on sensitive elements only, e.g. user passwords, connection pool passwords, etc. | Entire RPD encrypted via a password. | Prompted to set a repository password while running the upgrade assistant. Do not lose this password, as there is no feature to recover a lost password. |
| External Authentication and OBIEE Initialization (Init) Blocks | Init blocks are required for external LDAP or external table authentication. | Init blocks are not required for WLS embedded LDAP. Init blocks are required for external LDAP or external table authentication. | Upgraded RPD will continue to point to 10g LDAP or external tables. Init blocks may need to be modified to ensure that variable names that are deprecated, or that are reserved words, are renamed. NOTE: If you intend to use another LDAP server, such as Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server first, then migrate to the production LDAP server. Please see the Upgrade Guide for further details. |
| Catalog Groups | Defined in Presentation Server Administration link. | Available for backward compatibility. Use of Application Roles in FMW EM Console recommended. | Existing groups will be migrated. Recommendation is to use application roles instead. Privileges on catalog objects may be granted to an application role via the BI Presentation Server Administration link. |
| SA System Subject Area | Optional | Available for backward compatibility and requires init blocks and external tables. Use of Embedded LDAP is recommended. | Upgraded 10g RPD will point to external tables. Init blocks may need to be modified to ensure that variable names that are deprecated, or that are reserved words, are renamed. |
| “Everyone” Presentation Server Group | Default | Replaced with AuthenticatedUser role. | “Everyone” group migrated to AuthenticatedUser role. |
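
A post-upgrade check that follows from the “Administrator” row above, as an added example and not Oracle's code: it reads an LDIF export of the identity store, expands nested groups, and lists every account that ends up with BIAdministrators membership without being on an approved list. The LDIF sample, its DN layout, the `groupOfUniqueNames`/`uniquemember` attribute names and the `FinanceAdmins` and `jsmith` entries are constructed assumptions; DNs are compared case-insensitively, and LDIF line folding and base64 values are not handled.

```python
# Constructed sample export; DN layout and attribute names are assumptions,
# not taken from the page. Replace with a real LDIF export of the identity store.
SAMPLE_LDIF = """\
dn: cn=BIAdministrators,ou=groups,ou=myrealm,dc=bifoundation_domain
objectclass: groupOfUniqueNames
uniquemember: uid=weblogic,ou=people,ou=myrealm,dc=bifoundation_domain
uniquemember: uid=Administrator,ou=people,ou=myrealm,dc=bifoundation_domain
uniquemember: cn=FinanceAdmins,ou=groups,ou=myrealm,dc=bifoundation_domain

dn: cn=FinanceAdmins,ou=groups,ou=myrealm,dc=bifoundation_domain
objectclass: groupOfUniqueNames
uniquemember: uid=jsmith,ou=people,ou=myrealm,dc=bifoundation_domain
uniquemember: cn=BIAdministrators,ou=groups,ou=myrealm,dc=bifoundation_domain
"""

def parse_groups(ldif):
    """Return {group DN: [member DNs]}, all lowercased, from LDIF text."""
    groups = {}
    for record in ldif.strip().split("\n\n"):
        dn, members, is_group = None, [], False
        for line in record.splitlines():
            key, _, value = (part.strip() for part in line.lower().partition(":"))
            if key == "dn":
                dn = value
            elif key == "uniquemember":
                members.append(value)
            elif key == "objectclass" and value == "groupofuniquenames":
                is_group = True
        if dn and is_group:
            groups[dn] = members
    return groups

def effective_users(groups, group_dn):
    """Expand nested groups to user DNs; the seen set stops membership cycles."""
    pending, seen, users = [group_dn.lower()], set(), set()
    while pending:
        dn = pending.pop()
        if dn in seen:
            continue
        seen.add(dn)
        members = groups.get(dn, [])
        pending += [m for m in members if m in groups]      # nested groups
        users |= {m for m in members if m not in groups}    # leaf accounts
    return users

def unexpected_admins(ldif, admin_group_dn, approved_uids):
    """Return sorted lowercase uids that are admins but not on the approved list."""
    users = effective_users(parse_groups(ldif), admin_group_dn)
    uids = {dn.split(",")[0].split("=", 1)[1] for dn in users}
    return sorted(uids - {u.lower() for u in approved_uids})
```

With only the install-time account approved, the migrated 10g “Administrator” account and any user inherited through a nested group are reported for review.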