Oracle BI EE 11g - Security Auditing
Venkatakrishnan J
Agenda
- Overview of BI EE security
  - Authentication
  - Authorization
- Security endpoints overview
  - WebLogic & EM
  - BI Server
  - Presentation Server
    - How is Web Catalog security stored?
    - Account structure
    - ACL structure
    - Decompiling security in .atr files
- Security audit
  - What is a security audit?
  - How to do a security audit?
  - Demo of a custom application
What Are We Talking About, When We Talk About Security?
- Security encompasses a wide area and set of tasks in OBIEE
- Aspects of security include:
  - Users logging in and out
  - User and group directories, internal and external to OBIEE
  - User and group membership administration
  - Job roles, rights and permissions
  - Permissions on BI objects (reports, dashboards, KPIs etc.)
  - Application permissions (to use Answers, to create filters etc.)

OBIEE 11g Security and Oracle Fusion Middleware 11g
- OBIEE 11g delegates security to Oracle Fusion Middleware 11g
- Leverages Oracle Platform Security Services (OPSS)
- Users and groups in the RPD now moved to the embedded WLS LDAP server
- RPD and Webcat groups replaced by FMW 11g Application Roles
- Comprehensive SSL and credentials management
- Encrypted RPD
- Flexible authorization model through WLS and OPSS
- Still backwards compatible with the LDAP model in OBIEE 10g
(Figure: FMW stack diagram - Applications, Middleware, Database, Infrastructure & Management)

OBIEE 11g Security Administration Tools
- WebLogic Server Admin Server (LDAP server, security providers)
- Fusion Middleware Control (application roles)
- BI Administration tool (subject-area and row-level security)
- Catalog Manager and Presentation Services catalog view (object permissions)
- Presentation Services Administration page (PS functional permissions)

WLS Embedded LDAP Server
- By default, OBIEE 11g users and groups are now held in the WLS LDAP server
- More robust directory for storing user details
- Recommended for fewer than 1000 users
- WLS Admin Server Console now used for creating and maintaining users
- BI Server outsources all authentication and authorization to FMW 11g
- WLS LDAP server can be swapped out for alternative directories (MS AD etc.)
Oracle BI EE 11g - Weblogic Console & EM
WebLogic Console & EM
- Access to Console & EM is controlled through the WebLogic default roles
- Important to provision only admin users for access
  - Assign to the Administrators group
  - Add user to the Admin role
- Audit
  - Use WLST to extract roles & members
  - JMX API to extract roles & members
Oracle BI EE 11g - BI Server Security
BI Server - Security End Points
- Security controlled through the BI Administrator tool
- Column and subject area based security
- Init block based security (deprecated in 11g)
  - Database table
  - LDAP
  - Custom authenticators
- Data level security
  - Permissions tab in Manage Identity
  - LTS Content tab
- Connection pool based security
  - SSO into external sources (like Essbase)
  - VPD connection scripts

Subject Area & Column Level Security
- Applied within the repository
  - Applied directly in the Presentation area
  - Applied directly in the Permissions tab of a user/role
- Default privilege is applied as READ
  - Can be changed through a setting in NQSConfig.ini
- New 11g feature: Permissions report
  - Can be saved as a CSV for auditing

Init Block Based Security
- Authentication & authorization through init blocks
  - Does not work in 11.1.1.3
  - Works in 11.1.1.5
- Deprecated in 11g; supported primarily for backward compatibility
- Assumes all security is done through
  - Web Catalog groups (WEBGROUP)
  - BI Server roles (GROUP)
- Switch over to 10g security mode completely
  - Required for using this feature
  - Potential Web Catalog permissions issue

Data Level Security
- Applied at the Logical Table Source Content tab
  - A bit difficult to audit
  - Can be difficult to maintain with multiple LTSs
- Applied at the Permissions tab of a user/role
  - General good practice
  - Data level security directly tied to the security object
  - Easy to audit through XUDML or the new XML API
Oracle BI EE 11g - BI Presentation Server Security
BI Presentation Server - Security End Points
- 2 main security end points
- Presentation Catalog level security
  - Accounts
  - ACL
  - Attributes
- Presentation privilege level security
- Very important: security behaviour has changed across releases
  - More important to audit
  - Chance of permissions not being applied properly

Web Catalog Security
- 10g Web Catalog security
  - Web Catalog groups stored in the Web Catalog
  - Cannot use RPD groups
  - No concept of GUIDs
  - User based security also possible
- 11g Web Catalog security
  - Application roles
  - Web Catalog groups (only for backward compatibility)
  - User based security
  - Completely based on GUIDs
- Very important to understand Web Catalog migration

Web Catalog - Catalog Permissions
- Catalog: nothing but a set of folders
- Catalog security is based on permissions
- 6 different types of permissions
  - Full Control
  - Modify
  - Open
  - Traverse
  - No Access
  - Custom: any combination of Read, Traverse, Write, Delete, Change Permissions, Set Ownership, Run BIP Report, Schedule BIP Report, View BIP Output

Web Catalog - Permissions ACL Structure
- All permissions are stored internally within BI EE as an ACL (Access Control List)
- Very similar to the binary Unix representation (777, 775 etc.)
- Uses a 16-bit binary representation
  - All bits 0 means No Access

  Bit    Permission
  15-9   Future Use
  8      View BIP Report
  7      Schedule BIP Report
  6      Run BIP Report
  5      Set Ownership
  4      Change Permissions
  3      Delete
  2      Write
  1      Traverse
  0      Read

Web Catalog - Permissions ACL Structure: Default Permission Values
- Though it is a binary representation, the number is what is used in Web Services
- The ACL value stored internally is the number itself

  Permission     Stored ACL Value   Binary Representation
  Full Control   65535              B1111111111111111
  Modify         15                 B0000000000001111
  Traverse       2                  B0000000000000010
  Open           3                  B0000000000000011
  No Access      0                  B0000000000000000
  Custom         0-65535            BXXXXXXXXXXXXXXXX

Web Catalog - Account Structure
- Each folder/report/dashboard
  - Can have a user level permission
  - Can have an application role permission
  - Can have a Web Catalog group permission
- Accounts are stored internally as object properties
- Binary representation, 7 bits in total

  Bit   Account type
  6     All
  5     Pattern Search App Role(s)
  4     Pattern Search Catalog Group(s)
  3     Pattern Search User(s)
  2     App Role
  1     Catalog Group
  0     User
Web Catalog Object Security - Propagation
- 3 ways to apply permissions to a catalog object
  - Apply access directly to the user on the catalog object
  - Apply access directly to one or more application roles
  - Apply access to application role(s) with hierarchical permission propagation

Web Catalog Security - Security Example 1
- No Access privilege takes precedence when only role based security is assigned
- User A is a member of AppRole 1 and AppRole 2
- Assigned privileges on the catalog object: AppRole 1 = No Access, AppRole 2 = Full Control
- User A effective permission: No Access

Web Catalog Security - Security Example 2
- Highest access privilege takes precedence when multiple role based accesses are assigned, but only if no role has the No Access privilege
- User A is a member of AppRole 1 and AppRole 2
- Assigned privileges on the catalog object: AppRole 1 = Read, AppRole 2 = Full Control
- User A effective permission: Full Control

Web Catalog Security - Security Example 3
- Direct user assignment takes precedence over anything else
- User A is a member of AppRole 1 and AppRole 2
- Assigned privileges on the catalog object: User A = Read, AppRole 1 = No Access, AppRole 2 = Full Control
- User A effective permission: Read

Web Catalog Security - Group Inheritance Example 1
- Group inheritance automatically gets applied at the user level
- User A is a member of AppRole 1; AppRole 1 is a member of AppRole 2
- Assigned privileges on the catalog object: AppRole 2 = Full Control
- User A effective permission: Full Control

Web Catalog Security - Group Inheritance Example 2
- Group inheritance works similarly to multiple group assignments
- User A is a member of AppRole 1; AppRole 1 is a member of AppRole 2
- Assigned privileges on the catalog object: AppRole 1 = No Access, AppRole 2 = Full Control
- User A effective permission: No Access

Web Catalog Security - Group Inheritance Example 3
- Group inheritance works similarly to multiple group assignments
- User A is a member of AppRole 1; AppRole 1 is a member of AppRole 2
- Assigned privileges on the catalog object: AppRole 1 = Read, AppRole 2 = Full Control
- User A effective permission: Full Control

Web Catalog Security - Group Inheritance Example 4
- Direct user assignment takes precedence over anything else
- User A is a member of AppRole 1; AppRole 1 is a member of AppRole 2
- Assigned privileges on the catalog object: User A = Write, AppRole 1 = Read, AppRole 2 = Full Control
- User A effective permission: Write

Web Catalog Object Security - Propagation Summary
- Folder/item when assigned only to roles (no inheritance)
  - No Access to a folder if one of the roles has No Access
  - Highest privilege access to a folder if none of the roles has No Access
- Folder/item when assigned to roles (with inheritance)
  - Inheritance works as long as just one role (part of the parentage) is assigned access
  - Inheritance works like folder based security if multiple roles in the parentage are assigned
  - No Access to a folder if one role has No Access
  - Highest privilege access if none of the roles has No Access
- User assigned directly
  - Takes precedence over everything else
  - Even when a role has No Access assigned

Catalog Access Type
- 2 access types in 11g: Windows mode and Linux mode
- Default: Windows mode
- Windows mode: to access a folder, no traverse access is required on the parent folders
- Linux mode: to access a folder, traverse access is required on all parent folders
- instanceconfig.xml setting: MustHaveTraverseAccessToParent
Web Catalog - Security Files
- Catalog object security is stored at the object level as a .atr file
- ATR file structure is pure binary
- All properties applied through Catalog Manager are stored in this file
- Use a hex editor
  - Identify byte code
  - Identify hex code

Web Catalog - Interpreting Security Files
- Permissions stored as hex
- Application role stored as ASCII
- Permissions stored alongside the application role

  Full Control: Dec 65535, Bin 1111111111111111, Hex FFFF
  Open:         Dec 3,     Bin 0000000000000011, Hex 0003

Web Catalog - Interpreting Security Files
- Catalog groups & users are stored in encrypted format
- Encrypted users & groups are present under /system/security/accountids/xxx/
- The byte code of the encrypted user/catalog group stores the name
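The ACL bit table, the default permission values, the 7-bit account mask and the hex words read out of a .atr file are all the same 16-bit (or 7-bit) mask seen from different angles. The following decoder is an added example, not code from the deck or from Oracle; the bit positions and default values come from the slides above, while the audit heuristics in audit_acl are my own illustration of what an auditor looks for in a custom mask.

```python
"""Decode the 16-bit ACL permission masks and 7-bit account masks that Oracle BI EE 11g
stores for web catalog objects (bit positions and default values taken from the deck)."""

# Bit positions of the permission mask; bits 9-15 are reserved ("Future Use").
PERMISSION_BITS = {
    0: "Read",
    1: "Traverse",
    2: "Write",
    3: "Delete",
    4: "Change Permissions",
    5: "Set Ownership",
    6: "Run BIP Report",
    7: "Schedule BIP Report",
    8: "View BIP Report",
}
RESERVED_BITS = range(9, 16)

# Named permission levels and the ACL value stored for each.
NAMED_LEVELS = {65535: "Full Control", 15: "Modify", 3: "Open", 2: "Traverse", 0: "No Access"}

# Bit positions of the account-type mask stored with each permission entry.
ACCOUNT_BITS = {
    0: "User",
    1: "Catalog Group",
    2: "App Role",
    3: "Pattern Search User(s)",
    4: "Pattern Search Catalog Group(s)",
    5: "Pattern Search App Role(s)",
    6: "All",
}


def acl_from_hex(hex_word):
    """Turn the 4-digit hex word seen next to a role name in a .atr file ('FFFF', '0003') into an int."""
    acl = int(hex_word, 16)
    if not 0 <= acl <= 0xFFFF:
        raise ValueError("ACL word must be 16 bits: %r" % hex_word)
    return acl


def format_acl(acl):
    """Render an ACL value in the deck's 'B' + 16-bit binary notation."""
    return "B" + format(acl, "016b")


def decode_acl(acl):
    """Return (level name, [granted permission names], [reserved bit positions that are set]).
    The level name is one of the five defaults when the value matches exactly, else 'Custom'."""
    if not 0 <= acl <= 0xFFFF:
        raise ValueError("ACL value must fit in 16 bits: %r" % acl)
    granted = [name for bit, name in PERMISSION_BITS.items() if acl >> bit & 1]
    reserved = [bit for bit in RESERVED_BITS if acl >> bit & 1]
    return NAMED_LEVELS.get(acl, "Custom"), granted, reserved


def decode_account_mask(mask):
    """Return the account types selected by a 7-bit account mask."""
    if not 0 <= mask <= 0x7F:
        raise ValueError("account mask must fit in 7 bits: %r" % mask)
    return [name for bit, name in ACCOUNT_BITS.items() if mask >> bit & 1]


def audit_acl(acl):
    """Illustrative audit checks (my heuristics, not the deck's): flag reserved bits that are set
    in a non-default mask, and custom masks that hand out Change Permissions or Set Ownership
    without granting Full Control."""
    level, granted, reserved = decode_acl(acl)
    findings = []
    if level != "Full Control":
        if reserved:
            findings.append("reserved bits set: %s" % reserved)
        for risky in ("Change Permissions", "Set Ownership"):
            if risky in granted:
                findings.append("custom ACL grants %s" % risky)
    return findings


if __name__ == "__main__":
    # The deck's five default values plus two constructed custom masks (0013 and 1000).
    for word in ("FFFF", "000F", "0003", "0002", "0000", "0013", "1000"):
        acl = acl_from_hex(word)
        print(word, acl, format_acl(acl), decode_acl(acl), audit_acl(acl))
```

Feeding the hex word next to each ASCII role name through acl_from_hex and decode_acl turns a hex-editor dump into a per-role permission list; anything that decodes as Custom, or that sets reserved bits, is worth a second look during an audit.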
Oracle BI EE 11g - HEX Editor Demo
Presentation Server Privilege Security - Basics
- 3 important points
- Privilege when assigned only to roles (no inheritance): the least access privilege is applied to the user
- User assigned directly
  - Takes precedence over everything else
  - Even when a role has Denied access
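The catalog examples, the propagation summary, the catalog access type and the privilege rules above all describe one resolution order that an auditor has to reproduce to know what a user can really reach. The code below is an added example, not the deck's or Oracle's implementation: it encodes those rules and re-runs the deck's seven catalog examples as data. Assumptions of mine: "highest privilege" is compared by the stored ACL value from the default-values table (Read and Write being the single-bit custom masks the examples use), an object with no assignment at all resolves to No Access, and the object path /shared/Finance and the privilege name used in the usage are constructed.

```python
"""Resolve a user's effective web catalog permission and Presentation Services privilege
from direct and application-role assignments, using the precedence rules in the deck,
then apply the Windows/Linux catalog access type to a path."""

# Named levels ranked by the ACL value BI EE stores for them (deck's table); Read (bit 0)
# and Write (bit 2) are the single-bit custom masks used in the deck's examples.
LEVEL_ACL = {"No Access": 0, "Read": 1, "Traverse": 2, "Open": 3, "Write": 4,
             "Modify": 15, "Full Control": 65535}
TRAVERSE_BIT = 1


def roles_held(user_roles, role_parents):
    """Transitive closure of role membership: a member of AppRole 1 also holds every role
    that AppRole 1 is itself a member of."""
    held, todo = set(), list(user_roles)
    while todo:
        role = todo.pop()
        if role not in held:
            held.add(role)
            todo.extend(role_parents.get(role, ()))
    return held


def effective_permission(obj, user_grants, roles, role_grants):
    """Catalog permission of one user on obj.
    user_grants: {object_path: level} assigned directly to the user.
    role_grants: {(role, object_path): level}.
    Deck rules: a direct user assignment wins; else No Access on any held role wins;
    else the highest assigned level wins. No assignment at all is treated as No Access
    (my assumption; the deck does not state the unassigned case)."""
    if obj in user_grants:
        return user_grants[obj]
    assigned = [lvl for (role, path), lvl in role_grants.items() if path == obj and role in roles]
    if not assigned or "No Access" in assigned:
        return "No Access"
    return max(assigned, key=LEVEL_ACL.__getitem__)


def effective_privilege(priv, user_privs, roles, role_privs):
    """Presentation Services privilege ('Granted'/'Denied') of one user.
    Deck rules: a direct user assignment wins even over a Denied role; among roles the
    least access wins, so one Denied role denies. None means nothing is assigned."""
    if priv in user_privs:
        return user_privs[priv]
    assigned = [st for (role, name), st in role_privs.items() if name == priv and role in roles]
    if not assigned:
        return None
    return "Denied" if "Denied" in assigned else "Granted"


def can_open(path, mode, level_of):
    """Catalog access type check. level_of(path) returns the effective level for a path.
    Linux mode (MustHaveTraverseAccessToParent): every parent folder needs the Traverse bit.
    Windows mode (the default): only the object's own permission counts."""
    if LEVEL_ACL[level_of(path)] == 0:
        return False
    if mode == "linux":
        parts = path.strip("/").split("/")[:-1]
        for depth in range(1, len(parts) + 1):
            parent = "/" + "/".join(parts[:depth])
            if not LEVEL_ACL[level_of(parent)] >> TRAVERSE_BIT & 1:
                return False
    return True


def deck_examples():
    """The deck's seven catalog examples as data; returns {example: effective level}."""
    obj = "/shared/Finance"                                        # constructed object path
    flat = roles_held(["AppRole 1", "AppRole 2"], {})              # security examples 1-3
    inh = roles_held(["AppRole 1"], {"AppRole 1": ["AppRole 2"]})  # inheritance examples 1-4

    def grants(r1, r2):
        return {("AppRole 1", obj): r1, ("AppRole 2", obj): r2}

    return {
        "example 1": effective_permission(obj, {}, flat, grants("No Access", "Full Control")),
        "example 2": effective_permission(obj, {}, flat, grants("Read", "Full Control")),
        "example 3": effective_permission(obj, {obj: "Read"}, flat, grants("No Access", "Full Control")),
        "inheritance 1": effective_permission(obj, {}, inh, {("AppRole 2", obj): "Full Control"}),
        "inheritance 2": effective_permission(obj, {}, inh, grants("No Access", "Full Control")),
        "inheritance 3": effective_permission(obj, {}, inh, grants("Read", "Full Control")),
        "inheritance 4": effective_permission(obj, {obj: "Write"}, inh, grants("Read", "Full Control")),
    }


if __name__ == "__main__":
    for name, level in deck_examples().items():
        print("%-14s -> %s" % (name, level))
    # Constructed privilege check: one Denied role denies unless the user is granted directly.
    roles = roles_held(["AppRole 1", "AppRole 2"], {})
    privs = {("AppRole 1", "Access to Answers"): "Denied", ("AppRole 2", "Access to Answers"): "Granted"}
    print(effective_privilege("Access to Answers", {}, roles, privs))
    print(effective_privilege("Access to Answers", {"Access to Answers": "Granted"}, roles, privs))
```

The point of separating effective_permission from can_open is that a folder can resolve to Open for a user and still be unreachable in Linux mode because a parent grants only Read; an audit that reports the object ACL alone will miss that, and one that reports only reachability will miss the Windows-mode case where the parent's permissions are irrelevant.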
Security Audit
- It's a means of finding out which user has access to what
- It's a means of finding out any possible security holes
- It's a means of finding out whether security is being applied properly
- Very critical, since BI systems expose the most critical data
  - For SOX compliance
  - For various local government security audit compliance requirements

What to Audit?
- WebLogic Console
  - Native users and groups
  - Access to Console & EM
  - User-group membership
- Enterprise Manager
  - Application roles
  - Application policies
  - Application role membership
- BI Server
  - Column & subject area level security
  - Data level security

What to Audit? (continued)
- BI Presentation Server
  - Catalog level security
    - Object level access control
    - Object level permissions
  - Privilege level security
    - Granular UI access control
    - Administration access control

How to Audit?
- WebLogic Console & EM
  - WLST
  - JMX API
- BI Server
  - XML API
  - XUDML
  - Web Services
- BI Presentation Server
  - Web Services
  - Catalog Manager API
    - Native Java
    - Newly introduced CLI
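The WLST route named here and on the WebLogic Console & EM slide is the shortest path to the first three audit items (native users and groups, user-group membership, who can reach the Console & EM). The script below is an added example written for this page, not the deck's custom application and not Oracle sample code. It assumes the DefaultAuthenticator MBean's cursor-style listUsers / listGroups / listMemberGroups methods and WLST's connect, cd and cmo built-ins, which exist only inside WLST; the admin server URL, credentials and <domain> are placeholders, and the group-nesting and report helpers are plain Python that run anywhere.

```python
"""WLST script (Jython syntax) that extracts WebLogic embedded LDAP users, groups and membership
and reports who reaches the Console / EM through the Administrators group.
Run inside WLST:  wlst.sh audit_wls_membership.py
connect/cd/cmo/disconnect are WLST built-ins; the helpers that take plain dicts run anywhere."""

ADMIN_GROUPS = ("Administrators",)   # WebLogic's default admin group (deck: "Assign to Administrators group")


def _drain(mbean, cursor):
    """Collect every name behind a WebLogic name-lister cursor (haveCurrent/getCurrentName/advance/close)."""
    names = []
    while mbean.haveCurrent(cursor):
        names.append(mbean.getCurrentName(cursor))
        mbean.advance(cursor)
    mbean.close(cursor)
    return names


def dump_membership(authenticator_path):
    """Return ({user: [direct groups]}, {group: [direct parent groups]}) for one authentication
    provider. WLST only: uses listUsers / listGroups / listMemberGroups on the provider MBean
    (a maximum of 0 is taken here to mean 'no limit'; assumption)."""
    cd(authenticator_path)
    users = {}
    for user in _drain(cmo, cmo.listUsers("*", 0)):
        users[user] = _drain(cmo, cmo.listMemberGroups(user))
    groups = {}
    for group in _drain(cmo, cmo.listGroups("*", 0)):
        groups[group] = _drain(cmo, cmo.listMemberGroups(group))
    return users, groups


def expand_groups(direct, group_parents):
    """Pure Python: all groups a principal holds, following nested group membership."""
    held, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g not in held:
            held.add(g)
            todo.extend(group_parents.get(g, ()))
    return held


def admin_accounts(users, group_parents, admin_groups=ADMIN_GROUPS):
    """Pure Python audit check: users who hold an admin group directly or through nesting.
    Everyone listed here can reach the Console / EM and should be an intended administrator."""
    return sorted(u for u, groups in users.items()
                  if expand_groups(groups, group_parents) & set(admin_groups))


def membership_report(users):
    """Pure Python: 'user,group' lines that can be saved as CSV audit evidence."""
    lines = ["user,group"]
    for user in sorted(users):
        for group in sorted(users[user]) or [""]:
            lines.append("%s,%s" % (user, group))
    return lines


if __name__ == "__main__":
    # Placeholders: substitute the admin server URL, credentials and domain name.
    connect("weblogic", "<password>", "t3://localhost:7001")
    provider = ("/SecurityConfiguration/<domain>/Realms/myrealm"
                "/AuthenticationProviders/DefaultAuthenticator")
    users, groups = dump_membership(provider)
    for line in membership_report(users):
        print(line)
    print("Admin group members: %s" % ", ".join(admin_accounts(users, groups)))
    disconnect()
```

Nested groups are why admin_accounts expands membership before checking: a user who is only in a group that is itself a member of Administrators does not show up in a flat listing of the Administrators group, which is exactly the kind of access an audit is meant to surface.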
Custom Application - Rittman Mead
- Does a complete automated audit of an existing 11g system
- Automated program using documented APIs
- Prebuilt reports/dashboards
- Search for all objects a user has access to
  - Direct association
  - Indirect association
- Privilege report
- A complete audit report
- Also provides the ability to apply incremental security changes during Web Catalog migration