by Shiva Molabanti
What are the primary differences between the OBIEE 10g and 11g security models and what happens during upgrade?
Security Task/Object | OBIEE 10g | OBIEE 11g | What happens during upgrade from 10g to 11g? |
---|---|---|---|
Define Users and Groups in RPD file using OBIEE Admin Tool | Default | N/A. By default, users are defined in embedded WLS LDAP via FMW EM Console, or alternatively, in external LDAP. | By default, existing users and groups migrated to embedded WLS LDAP. Existing groups are automatically mapped to an Application role. |
Defining security policies | Policies in the catalog and repository can be defined to reference groups within a directory. | Policies are defined in terms of application roles, which map to users and groups in a directory. | 10g catalog groups are automatically migrated in the upgraded catalog and assigned the same privileges, access and membership. |
“Administrator” user | Unique user with full administrative privileges. | No single user is named for full administrative privileges. Administration can be performed by any user who is a member of the BIAdministrators group. | “Administrator” user automatically added as member of “BIAdministrators” group in embedded WLS LDAP and granted Administrator role. The user specified during OBIEE 11g installation (i.e. “weblogic”, “biadmin”) is also a member of the BIAdministrators group. |
Repository Encryption | Available on sensitive elements only - i.e. user passwords, connection pool passwords, etc. | Entire RPD encrypted via a password. | Prompted to set a repository password while running the upgrade assistant. Do not lose this password as there is no feature to recover a lost password. |
External Authentication and OBIEE Initialization (Init) Blocks | Init blocks are required for external LDAP or external table authentication. | Init blocks not required for WLS embedded LDAP. Init blocks are required for external LDAP or external table authentication. | Upgraded RPD will continue to point to 10g LDAP or external tables. Init blocks may need to be modified to ensure that deprecated or reserved-word variable names are renamed. NOTE: If you intend to use another LDAP server, such as Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server. Please see Upgrade Guide for further details. |
Catalog Groups | Defined in Presentation Server Administration link | Available for backward compatibility. Use of Application Roles in FMW EM Console recommended. | Existing groups will be migrated. Recommendation is to use application roles instead. Privileges on catalog objects may be granted to an application role via BI Presentation server Administration link. |
SA System Subject Area | Optional | Available for backward compatibility and requires init blocks and external tables. Use of Embedded LDAP is recommended. | Upgraded 10g RPD will point to external tables. Init blocks may need to be modified to ensure that deprecated or reserved-word variable names are renamed. |
“Everyone” Presentation Server Group | Default | Replaced with AuthenticatedUser role. | “Everyone” group migrated to AuthenticatedUser role. |
Thanks,
Shiva
Shiva Molabanti is a Manager and Senior Architect at KPI Partners. He is a business intelligence enthusiast who likes blogging about acquisitions in the BI space, technical workings of BI tools, and Oracle Business Intelligence. Visit Shiva at his personal blog: http://shivabizint.wordpress.com/