Applying the Custom BI Applications Security Manager

Set up Endeca security for interoperability with Oracle BI Applications and Oracle WebLogic. This process requires assigning required BI roles, creating the Endeca credential store and including the files required by the Oracle BI Applications Security Manager, defining new users in Endeca Studio, and other optional security configurations you can make to enhance Endeca Server performance or user experience.

Assigning BIImpersonator Role to an OBIEE user

The Oracle BI Applications Security Manager requires an Oracle BI Enterprise Edition user with administrator and impersonator roles, which is used to obtain information necessary to apply security filters in an Endeca Application.

If you don’t have an impersonator user defined, you must create a user in the security realm associated with OBIEE and assign the user a name, such as BIImpersonator. In the Enterprise Manager tool launched on the WebLogic Admin server associated with OBIEE, give this user the permission of type oracle.security.jps.permission for the resource called oracle.bi.server.impersonateUser. Find detailed instructions in Credentials for Connecting to the Oracle BI Presentation Catalog.

To add the impersonator role to an existing Oracle BI EE administrator account:

  1. Log in to Oracle Business Intelligence's Enterprise Manager with Administrator privileges.
  2. Expand Business Intelligence in the left-hand pane.
  3. Right-click coreapplication and select Security, then Application Roles to navigate to the Application Roles page.

    By default, the obi application stripe is selected and the default application roles are displayed.

  4. Search for the Role Names with a prefix of BI.
  5. In the Members list, click the BIImpersonator role, then click Edit.
  6. Click Add.
  7. In the Add Principal dialog box, search for Type of User and locate an administrative user.

Creating and Setting Up the Credential Store in Endeca Studio

The Oracle BI Enterprise Edition account credentials with administrator and impersonator roles are saved locally in the Endeca Studio Domain's Credential Store. The BI Applications Security Manager reads the password from the Credential Store when it connects to Oracle BI Enterprise Edition using JDBC.

To set up the credential store, follow the steps below. They assume that WebLogic has already been installed and are performed before the Endeca Studio domain is created; an existing domain can instead be extended to include Enterprise Manager.

  1. Verify that Oracle Application Development Framework was installed as part of the Endeca Server installation.

    ADF may already be available if Endeca Studio is installed on the same WebLogic Server.

  2. When creating the Endeca Studio Domain for the first time, select Oracle Enterprise Manager.

    JRF is automatically included. If a Studio Domain has already been created, the existing domain can be extended to include Enterprise Manager.

  3. Start WebLogic and create a Credential Store to save the OBIEE credential information using Enterprise Manager.
  4. Log in to Enterprise Manager and, in the WebLogic Domain, right-click endeca_studio_domain, Security, then Credentials.

    Create a new map (for example, oracle.bi.enterprise) and key (for example, repository.OBIA), then save the OBIEE user name and password information.

    Note:

    The password assigned to the map and key must match the OBIEE account with administrator and impersonator roles assigned to it.

Including the Oracle BI Applications Security Manager Related Files

For the WebLogic version of Endeca Studio 3.1, the custom BI Applications Security Manager .jar files need to be added to the .ear installation file. Decompress the .ear file using a utility, then copy the .jar files into the \APP-INF\lib\ directory. To copy the files:

  1. Save a copy of the Endeca Studio installation .ear file with a different file name, for example, OBIA-endeca-portal-weblogic-3.1.13849.ear.
  2. Add OBIAMDEXSecurityManager.jar and bijdbc.jar to Endeca Studio's .ear file under \APP-INF\lib\ using a compression utility.
  3. Deploy the .ear into WebLogic following the installation instructions.

    For information about deploying the .ear, refer to Deploying Studio to the WebLogic domain. If there is an existing Endeca Studio deployment, be sure to undeploy it first. Note the name used for the deployment, as this value will be used when modifying the system-jazn-data.xml. A typical name for the deployment is OBIA-endeca-portal-weblogic-3.

  4. Add directories on the WebLogic server named XML and User_Input under $MW_HOME\user_projects\domains\endeca_studio_domain.
  5. Add or create the config.properties file in the User_Input directory.

    Set the parameters as follows. A sample file is available in MW_HOME\Oracle_BI1\biapps\admin\provisioning\endeca\OracleBIApps_Endeca.zip (OBIAMDEXSecurityManager/User_Input/).

    OBIEE_HOST=<OBIEE hostname>
    OBIEE_USERID=<OBIEE username with Admin and Impersonator Roles assigned>
    OBIEE_JDBC_PORT=<port number, usually 9703>
    OBIEE_USERID_MAP=<Credential Store Map Name>
    OBIEE_USERID_KEY=<Credential Store Key Name>
    
  6. Add or create the securitycolumns.csv file in the User_Input directory.

    A sample file is available in MW_HOME\Oracle_BI1\biapps\admin\provisioning\endeca\OracleBIApps_Endeca.zip (OBIAMDEXSecurityManager/User_Input/). This .csv file has three columns, Endeca Server Connection ID, Collection Name, and Security Columns, which relate each data set to the columns used for row-level security.

    Column Name and Description

    Endeca Server Connection ID
      The Endeca Server Connection ID of the Endeca Studio Application that uses OBIEE security.

    Collection Name
      The Data Set name of the Endeca Studio Application that uses OBIEE security.

    Security Columns
      The logical table name on which the row-level security is applied.

    For example:

    Endeca Server Connection ID,Collection Name,Security Columns
    OEID_Financials_AR_Balance,Fact_Fins_AR_Balance,"""Core"".""Dim - Date Fiscal Calendar"".""Fiscal Year"""
    
  7. Start and log in to Endeca Studio.

    From the Control Panel, select Framework Settings and set df.mdexSecurityManager from com.endeca.portal.data.security.DefaultMDEXSecurityManager to com.endeca.portal.extensions.OBIAMDEXSecurityManager.

  8. Click Update Settings.
  9. Shut down the WebLogic Server.
  10. Add the following entry to the system-jazn-data.xml file found in $DOMAIN_HOME\config\fmwconfig, under the <system-policy> and <jazn-policy> tags.

    This includes permissions for Studio to access the Credential Store.

    <grant>
      <grantee>
        <codesource>
          <url>file:${oracle.deployed.app.dir}/<appName>${oracle.deployed.app.ext}</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=<mapName>,keyName=<keyName></name>
          <actions>*</actions>
        </permission>
      </permissions>
    </grant>

    Examples of values include:

    • appName=OBIA-endeca-portal-weblogic-3

    • mapName=oracle.bi.enterprise

    • keyName=repository.OBIA

  11. Restart the WebLogic Endeca Studio Server with the new custom Security Manager applied and in use by Endeca Studio.
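As an added example (not part of the Oracle documentation), the following Python pre-flight check cross-references the map and key names in User_Input/config.properties, the deployment name, and the <grant> in system-jazn-data.xml: the Security Manager can only read the OBIEE credential if the grant names exactly the map and key that config.properties points at. The host name and both file contents are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs mirroring the values used in the steps above.
CONFIG_PROPERTIES = """\
OBIEE_HOST=obiee.example.internal
OBIEE_USERID=BIImpersonator
OBIEE_JDBC_PORT=9703
OBIEE_USERID_MAP=oracle.bi.enterprise
OBIEE_USERID_KEY=repository.OBIA
"""

JAZN_DATA = """\
<jazn-data><system-policy><jazn-policy>
<grant>
  <grantee><codesource><url>file:${oracle.deployed.app.dir}/OBIA-endeca-portal-weblogic-3${oracle.deployed.app.ext}</url></codesource></grantee>
  <permissions><permission><class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
  <name>context=SYSTEM,mapName=oracle.bi.enterprise,keyName=repository.OBIA</name><actions>*</actions></permission></permissions>
</grant>
</jazn-policy></system-policy></jazn-data>
"""

def parse_properties(text):
    """Minimal key=value reader for config.properties (blank and # lines skipped)."""
    return dict(line.split("=", 1) for line in text.splitlines()
                if line.strip() and not line.lstrip().startswith("#"))

def credstore_grants(jazn_xml):
    """List (appName, mapName, keyName) for every CredentialAccessPermission grant."""
    found = []
    for grant in ET.fromstring(jazn_xml).iter("grant"):
        url = grant.findtext("grantee/codesource/url", "")
        app = re.search(r"\}/(.+?)\$\{", url)  # appName sits between the two ${...} tokens
        for perm in grant.iter("permission"):
            if perm.findtext("class", "").endswith("CredentialAccessPermission"):
                fields = dict(kv.split("=", 1) for kv in perm.findtext("name", "").split(","))
                found.append((app.group(1) if app else None, fields.get("mapName"), fields.get("keyName")))
    return found

def check_wiring(config_text, jazn_xml, deployment_name):
    """Return mismatches between config.properties and the jazn grant; [] means consistent."""
    cfg = parse_properties(config_text)
    wanted = (deployment_name, cfg.get("OBIEE_USERID_MAP"), cfg.get("OBIEE_USERID_KEY"))
    grants = credstore_grants(jazn_xml)
    if wanted in grants:
        return []
    return [f"no CredentialAccessPermission grant for app={wanted[0]}, "
            f"mapName={wanted[1]}, keyName={wanted[2]}; grants present: {grants}"]

if __name__ == "__main__":
    print(check_wiring(CONFIG_PROPERTIES, JAZN_DATA, "OBIA-endeca-portal-weblogic-3") or "OK")
```

Run it against the real files by reading config.properties and system-jazn-data.xml from the domain directory and passing the deployment name noted in step 3; a non-empty result means the grant and the properties disagree.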

Optional: Increasing WebLogic Server Heap Space to Improve Endeca Studio Performance

Update the setDomainEnv script file, which is named setDomainEnv.cmd in Windows environments and setDomainEnv.sh in Linux.

The file is located in the bin subdirectory of the domain directory, MiddlewareHomeDirectory/user_projects/domains/endeca_studio_domain/bin/.

  1. Search for the following in the setDomainEnv.cmd file:

    if NOT "%USER_MEM_ARGS%"=="" (
      set MEM_ARGS=%USER_MEM_ARGS%
    )

  2. Before the above IF statement, add the following line, which sets a higher maximum heap size (-Xmx):

    set MEM_ARGS=-Xms128m -Xmx1280m %MEM_DEV_ARGS% %MEM_MAX_PERM_SIZE%

Optional: Enabling Verbose Debugger Logging

You can enable logging of debugging messages in the log file located in $MW_HOME\user_projects\domains\endeca_studio_domain\eid-studio.log.

  1. Select Server Administration in the Control Panel, then select the Log Levels tab.
  2. Select the Add Category tab and enter:

    • com.endeca.portal.extensions.OBIAMDEXSecurityManager (DEBUG)

    • com.endeca.portal.extensions.OBIAMDEXSecurityManager.BIHandlers (DEBUG)

  3. Log out, then log back in to enable the changes.

    This step has to be repeated if the Endeca Studio server is restarted.

Overriding Screen Name Validator in Endeca Studio

By default, Endeca Studio does not allow screen names to contain underscores. The screen name validator must be changed from the DefaultScreenNameValidator to the LiberalScreenNameValidator.

  1. Shut down Endeca Studio.
  2. Open the portal-ext.properties file under %WLS_HOME%\user_projects\domains\endeca_studio_domain\eid\studio.

    Back up the existing portal-ext.properties file.

  3. Add the following at the bottom of the file and save it:
    users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator
  4. Start Endeca Studio.

Defining New Users in Endeca Studio and Adding Users to Studio Applications

The Custom Oracle BI Applications Security Manager applies filters in Endeca based on the user's application role information set in Oracle Business Intelligence Enterprise Edition and the security columns defined in securitycolumns.csv.

For an Oracle BI EE user, a new user account must be created in Endeca Studio where the screen name matches its BI EE user ID. For information about how to create a new user in Endeca Studio, refer to Creating and Editing Users in Studio in the Endeca Information Discovery Studio Administration and Customization Guide.

Important

The BI EE user must belong to a BI Applications Application role, for example, AR Analyst, and the data filter must be defined for that role. A filter defined directly on the BI EE user rather than on the role is not applied in Endeca Studio.

Optionally, you can also change the default behavior, which is to have Endeca users log in using their email addresses, so that logins are consistent with Oracle BI Enterprise Edition. For information on administration tasks for Endeca Information Discovery Studio, see Endeca Information Discovery Studio Administration and Customization Guide.

Adding Users and Managing Studio Applications Permissions in Endeca Studio

Users must be added to a Studio Application to enable them to view it.

The following tasks are described in the Endeca Information Discovery Studio Administration and Customization Guide:

  • For information about how to add users to Studio Applications in Endeca Studio, refer to Adding and removing application members.

  • By default, users are able to create new applications. To prevent this ability for a user, remove the Power User role. For information about removing this role, refer to the section titled, Preventing a user from creating applications.

  • The application type determines whether an application is visible to users on the Discovery Applications page, and can be set to either Public or Private. To change this value, refer to the section titled, Configuring the application type.

  • You can also control the visibility of pages within an application. To manage page visibility, refer to the section titled, Configuring the visibility type for a page.