OBIEE Quick Guide
OBIEE – Security
OBIEE security is defined by a role-based access control model: application roles are mapped to groups and users held in a directory server. This chapter discusses the components that together make up a security policy.
A security structure is defined with the following components:
- The directory server users and groups, managed by the authentication provider.
- The application roles, managed by the policy store. The security policy itself is composed of three parts: the Presentation Catalog, the repository, and the policy store.
Security Providers
A security provider is called whenever security information is needed. OBIEE uses the following types of security provider:
- Authentication provider: authenticates users.
- Policy store provider: supplies the privileges for all applications except BI Presentation Services.
- Credential store provider: stores the credentials used internally by the BI application.
Security Policy
The security policy in OBIEE is divided into the following components:
- Presentation Catalog
- Repository
- Policy Store
Presentation Catalog
This defines the catalog objects and the Oracle BI Presentation Services functionality that can be secured.
Oracle BI Presentation Services Administration
This lets you set the privileges that allow users to use features and functions such as editing views and creating agents and prompts.
Presentation Catalog privileges control access to the presentation catalog objects and are defined in the Permission dialog.
Presentation Services administration has no authentication system of its own; it relies on the authentication it inherits from the Oracle BI Server. Every user who signs in to Presentation Services is granted the Authenticated User role, plus any other application roles assigned to them in Fusion Middleware Control.
Permissions can be assigned in one of the following ways:
- To application roles: the recommended way of assigning permissions and privileges, because the grants follow the role rather than any particular account.
- To individual users: hard to manage, since permissions and privileges are tied to specific accounts and must be repeated for each user and each environment.
- To Catalog groups: retained from previous releases only for backward compatibility.
Repository
This defines which application roles and users have access to which items of metadata within the repository. The Security Manager in the Oracle BI Administration Tool is used for this and lets you perform the following tasks:
- Set permissions for business models, tables, columns, and subject areas.
- Specify database access for each user.
- Specify filters to limit the data accessible to users.
- Set authentication options.
Authentication and Authorization
Authentication
The Authentication Provider in the Oracle WebLogic Server domain performs user authentication. It reads the user and group information stored in the LDAP server of the Oracle WebLogic Server domain that hosts Oracle Business Intelligence.
Users and groups in that LDAP server are created and managed with the Oracle WebLogic Server Administration Console. You can also configure an authentication provider for an alternative directory. In that case the Oracle WebLogic Server Administration Console still lets you view the users and groups in the directory, but any modifications must be made with the directory's own tools.
Example: if you reconfigure Oracle Business Intelligence to use OID, you can view users and groups in the Oracle WebLogic Server Administration Console, but you must manage them in the OID Console.
Authorization
Once a user is authenticated, the next step is to ensure that the user can only do and see what they are authorized to do and see. Authorization in Oracle Business Intelligence 11g is managed by a security policy expressed in terms of application roles.
Application Roles
Security is normally defined in terms of application roles that are assigned to directory server users and groups. Example: the default application roles are BIAdministrator, BIConsumer, and BIAuthor.
An application role is a functional role assigned to a user that gives that user the privileges required to perform the role. Example: a Marketing Analyst application role might grant a user the right to view, edit and create reports on the company's marketing pipeline.
This indirection between application roles and directory server users and groups lets the administrator define application roles and policies without creating additional users or groups in the LDAP server. It also lets a business intelligence system be moved easily between development, test and production environments.
No change to the security policy is required for such a move; all that is needed is to assign the application roles to the users and groups that exist in the target environment.
Example: the group 'BIConsumers' contains user1, user2, and user3. Users in the group 'BIConsumers' are assigned the application role 'BIConsumer', which allows them to view reports.
The group 'BIAuthors' contains user4 and user5. Users in the group 'BIAuthors' are assigned the application role 'BIAuthor', which allows them to create reports.
The group 'BIAdministrators' contains user6, user7, and user8. Users in the group 'BIAdministrators' are assigned the application role 'BIAdministrator', which allows them to manage repositories.
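The following Python script is an added example, not part of the original tutorial and not Oracle code. It models the chain described above (directory group, then application role, then privilege) with the security policy kept separate from the directory, so that the same policy can be applied unchanged to a development and a production directory. The group and role names come from the page; the role inheritance (BIAdministrator includes BIAuthor, which includes BIConsumer), the privilege names, the "authenticated-role" name and both directory snapshots are assumptions constructed for illustration.

```python
"""Toy model of OBIEE-style role-based access control (added example).

Policy side (environment independent): application roles, assumed
role inheritance, and the privileges each role grants.
Directory side (differs per environment): authenticated users and
their group memberships, as an authentication provider would return.
"""
from typing import Dict, Set

# --- Security policy: this part does not change between environments ---
# Assumed hierarchy: BIAdministrator inherits BIAuthor, which inherits BIConsumer.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "authenticated-role": set(),   # assumed name for the "Authenticated User" role
    "BIConsumer": set(),
    "BIAuthor": {"BIConsumer"},
    "BIAdministrator": {"BIAuthor"},
}
# Illustrative privilege names; the real catalog privileges are set in
# Presentation Services Administration.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "authenticated-role": set(),
    "BIConsumer": {"view_report"},
    "BIAuthor": {"create_report", "edit_view"},
    "BIAdministrator": {"manage_repository"},
}
# Directory group -> application roles. Groups not listed here grant nothing.
GROUP_TO_ROLES: Dict[str, Set[str]] = {
    "BIConsumers": {"BIConsumer"},
    "BIAuthors": {"BIAuthor"},
    "BIAdministrators": {"BIAdministrator"},
}

# --- Directory snapshots: constructed sample data, one per environment ---
DEV_DIRECTORY = {
    "users": {"user1", "user2", "user3", "user4", "user5", "user6", "user7", "user8"},
    "groups": {
        "BIConsumers": {"user1", "user2", "user3"},
        "BIAuthors": {"user4", "user5"},
        "BIAdministrators": {"user6", "user7", "user8"},
    },
}
PROD_DIRECTORY = {
    "users": {"alice", "bob", "carol", "dave"},
    "groups": {
        "BIConsumers": {"alice", "bob"},
        "BIAuthors": {"carol"},
        "BIAdministrators": {"dave"},
        "Marketing": {"alice", "carol"},   # unmapped group: no BI privileges
    },
}


def expand_roles(direct_roles: Set[str]) -> Set[str]:
    """Close a set of roles under the assumed inheritance relation."""
    result: Set[str] = set()
    stack = list(direct_roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(ROLE_PARENTS.get(role, set()))
    return result


def roles_for_user(user: str, directory: dict) -> Set[str]:
    """Authenticate against the directory, then map group membership to roles.
    Unknown users get no roles at all; every known user gets authenticated-role."""
    if user not in directory["users"]:
        return set()
    direct = {"authenticated-role"}
    for group, members in directory["groups"].items():
        if user in members:
            direct |= GROUP_TO_ROLES.get(group, set())
    return expand_roles(direct)


def privileges_for_user(user: str, directory: dict) -> Set[str]:
    """Union of the privileges granted by all of the user's effective roles."""
    privileges: Set[str] = set()
    for role in roles_for_user(user, directory):
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def is_authorized(user: str, privilege: str, directory: dict) -> bool:
    """Authorization decision: does any effective role grant this privilege?"""
    return privilege in privileges_for_user(user, directory)


if __name__ == "__main__":
    for env, directory in (("dev", DEV_DIRECTORY), ("prod", PROD_DIRECTORY)):
        for user in sorted(directory["users"]):
            print(env, user, sorted(privileges_for_user(user, directory)))
```

The point to notice is that moving from DEV_DIRECTORY to PROD_DIRECTORY touches only the directory side: ROLE_PARENTS, ROLE_PRIVILEGES and GROUP_TO_ROLES are untouched, yet dave in production ends up with exactly the privileges user6 has in development. Had the privileges been granted to user6 directly, as in the "individual users" option above, that grant would not carry over.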