Oracle Product Lifecycle Analytics (OPLA) includes security features to provide data protection.
These features include:
Authentication allows only permitted individuals to access the system and data.
Access Control (Authorization) gives authorized individuals controlled access to system privileges and data.
Audit allows Administrators to detect attempted breaches of authorization and attempted (or successful) breaches of access control.
Table 5-1 provides a high level overview of the various OPLA security features.
Table 5-1 Overview of Security Features

Security Features/Technology Stack | Authentication | Access Control (Authorization) | Audit
---|---|---|---
Web Browser (Desktop Tier) | Default Security Feature | Default Security Feature | Default Security Feature
Application Layer: OBIEE | Default OBIEE authentication | No out-of-box access control provided. Object level security model: refer to the security model section "Object level security". Data level security is provided: refer to the security model section "Data Level security". | Default OBIEE audit feature. Refer to section "Configuring and Using Security Audit".
Application Layer: ODI | Default ODI authentication | Default ODI access control | Default ODI audit feature
Application Layer: Configurator | Default DB authentication based on DataMartConfig.properties | Default access control provided at DB level | Audit details are captured at OPLA Install Home/logs/Configurator.log. Detailed logging is enabled at ETL level for ODI and PL/SQL code.
Data Layer | Default Oracle DB authentication. Default file-based authentication for external csv files. | Access to source is based on DB link. Access to Staging Objects is based on Synonyms. Specific privileges are provided to Staging and Target users. Access to external csv files is controlled by access privileges on the folder where OPLA is deployed. | Default Oracle DB audit feature. Default OS audit feature at file level for external csv files.
A password policy is a set of rules dictating how to use passwords. Some of the rules a password policy sets are:
The maximum length of time a password is valid
The minimum number of characters in a password
The mandatory number of numeric characters in a password
Password policies play an important role when attempting to access a directory. The directory server ensures that the password entered adheres to the password policy.
Oracle Product Lifecycle Analytics (OPLA) is dependent on Oracle Business Intelligence Enterprise Edition (OBIEE) password policy.
If you are using the OBIEE 11.x.x.x version, you automatically adhere to the Oracle password policy. Use the Oracle Internet Directory to set passwords. For more information, see the Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1.
Note: You must secure Oracle Fusion Middleware components using SSL version 3 or TLS version 1. For more information, see Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g.
In today's environment it is critical to have a properly secured computing infrastructure. A secured infrastructure strikes a balance between:
Exposure risk
Security costs
Value of the information to protect (monetary or other)
Oracle Product Lifecycle Analytics (OPLA) achieves this balance and protects information by using a three-level hierarchy model. See the OPLA Security Hierarchy figure for a better understanding.
Data level security restricts which data a user can see. Restriction, or access, is based on access control permissions granted by an Administrator. The security level determines (through the Administrator) who gets to see particular data and whether they can access it. For example, you can restrict a user's access to project analysis to only their product lines.
Object level security controls and restricts the visibility to business logic objects by user role. For example, object level security for dashboards can be set up based on subject areas and roles.
User level security is the authentication and confirmation of a user's identity based on the credentials provided. This is your basic login and password at the lowest level. At higher levels, it can consist of a number of authentications and confirmations (at various degrees of encryption).
Oracle Product Lifecycle Analytics (OPLA) supports both of the following high-level authentication configurations:
OPLA authentication at ETL layer
OPLA authentication at OBIEE layer
You can change or modify your password after installing Oracle Product Lifecycle Analytics (OPLA). At the ETL layer, different methods are used for changing different passwords. You change the password for the Staging Schema connection details in the Physical Repository of ODI Topology Manager. For more information, see the Oracle Data Integrator Installation and Configuration Guide. You can change the OPLA Configurator password using OPLA encryption methods. You can change the password for the ODI repositories using the ODI Agent.
You can change the passwords for the OPLA Configurator using OPLA encryption methods.
To change passwords:
From the command prompt navigate to <OPLA_Home>\bin\.
For Windows, type DMEncoder.bat <new password>. For Linux, type DMEncoder.sh <new password>.
The system generates an encoded password. Copy the encoded password, and exit the command prompt.
Navigate to <OPLA_Home>\bin\DataMartConfig.properties and open the DataMartConfig.properties file.
In the DataMartConfig.properties file navigate to the parameter whose password you want changed, and manually replace the old password with the new encoded password. Refer to the table below to locate the parameter you need to change.
Save and close the DataMartConfig.properties file.

To Change the Password for: | Parameter to Navigate to in the DataMartConfig.properties file
---|---
Agile PLM Source schema password | PLM_DB_PWD |
Agile PLM for Process Source schema password | PLM4P_DB_USER_PWD |
Data Mart Database sys schema password | SYS_USER_PASSWORD |
Data Mart Database system schema password | DB_SYSTEM_PWD |
Data Mart schema password | MDS_USER_PASSWORD |
Source schema Password, if installed as a separate schema | ODM_USER_PASSWORD |
Master Repository schema password | MASTER_PWD |
Work Repository schema password | WORK_PWD |
Work Repository password | WORK_REP_PWD |
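As an added example (not Oracle's code), this POSIX shell script performs the replacement steps above on a Linux host: it writes an encoded value already produced by DMEncoder.sh into the named parameter of DataMartConfig.properties while leaving every other line intact. It assumes the PARAMETER=value line format implied by the table, with no spaces around the "=".

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes DataMartConfig.properties lines
# have the form PARAMETER=value with no spaces around "=", and that the
# encoded value has already been produced by DMEncoder.sh / DMEncoder.bat.

# The parameters this section's table lists as holding encoded passwords.
OPLA_PWD_KEYS='PLM_DB_PWD PLM4P_DB_USER_PWD SYS_USER_PASSWORD DB_SYSTEM_PWD
MDS_USER_PASSWORD ODM_USER_PASSWORD MASTER_PWD WORK_PWD WORK_REP_PWD'

# Succeed only if $1 is one of the known password parameters.
is_pwd_key() {
    for k in $OPLA_PWD_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Print the value of parameter $2 in file $1. Matching on "KEY=" keeps
# WORK_PWD from matching WORK_REP_PWD, and the value may itself contain "=".
get_property() {
    KEY=$2 awk 'BEGIN { k = ENVIRON["KEY"] }
        index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Replace the value of parameter $2 in file $1 with $3. The temp file is
# created under umask 077 and the result is written back through the original
# inode, so the administrator-only permissions on the file are preserved.
set_property() {
    file=$1 key=$2 value=$3
    grep -q "^${key}=" "$file" || {
        printf 'parameter %s not found in %s\n' "$key" "$file" >&2; return 1; }
    tmp="${file}.tmp.$$"
    ( umask 077; KEY=$key VAL=$value awk 'BEGIN { k = ENVIRON["KEY"]; v = ENVIRON["VAL"] }
        index($0, k "=") == 1 { print k "=" v; next }
        { print }' "$file" > "$tmp" ) && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# rotate_password FILE PARAMETER ENCODED_VALUE: refuses unknown parameters so
# a typo cannot add a stray line or change an unrelated setting.
rotate_password() {
    is_pwd_key "$2" || { printf 'unknown password parameter: %s\n' "$2" >&2; return 1; }
    set_property "$1" "$2" "$3"
}

# Typical use, pasting the value printed by DMEncoder.sh:
#   rotate_password "$OPLA_HOME/bin/DataMartConfig.properties" PLM_DB_PWD 'encoded-value'
```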
You can also change passwords at the ETL layer employing the ODI Agent or the ODI Studio for the following:
Master Repository Database password
Work Repository Database password
ODI Work Repository password
To change passwords in ODI:
From the command prompt navigate to <ODI_HOME>\Oracle_ODI_1\oracledi\agent\bin.
For Windows, type encode.bat <new password>. For Linux, type encode.sh <new password>.
The Oracle Product Lifecycle Analytics (OPLA) application utilizes the Oracle Business Intelligence Enterprise Edition Layer (OBIEE) layer's platform authentication features. You change the password for the PLMAXX_11G.rpd repository file (where XX represents either Agile PLM or Agile PLM for Process) using the OBIEE Admin Tool. For more information, see the OBIEE Installation and Configuration Guide.
OPLA uses OBIEE authentication features. We recommend you use the authentication features in the order shown below:
LDAP authentication - We recommend that you configure the OPLA application to use LDAP authentication, only if your Agile PLM application is configured to LDAP authentication.
External table authentication - We recommend that you configure the OPLA application to use external table authentication, only if your Agile PLM application is configured to external table authentication.
Database authentication - We recommend that you configure the OPLA application to use database authentication, only if your Agile PLM application is configured to database authentication.
Oracle BI Server user authentication maintenance - We do not recommend using the Oracle BI Server authentication mechanism.
LDAP authentication is used as an alternative to storing user IDs and passwords in an Oracle BI repository. You can set up the Oracle BI Server to take the user ID and password, and have it then pass the user ID and password to an LDAP server for authentication. For LDAP authentication the server uses clear text passwords.
You can configure OBIEE to secure communications between different points in the network. OBIEE 11g supports SSL version 3, and TLS version 1. For more information on how to configure SSL,
Important: You must configure your LDAP servers to allow this.
You can maintain lists of users and their passwords in an external database table, instead of storing user IDs and passwords in an Oracle BI repository. You can then use this table for authentication purposes. The external database table contains the following information:
User IDs
Passwords
Group membership
Display names (used for Oracle BI Presentation Services users)
Specific database catalog names
Schemas to use for individual users (when querying data)
You can also configure user level security with the user authentication information stored in the external source system. For example, in Agile PLM, the AgileUser table stores encrypted user IDs and passwords.
The Oracle BI Server authenticates users through database logons. If a user has Read permission on a specified database, the Oracle BI Server trusts that user. This authentication method can also be applied for Oracle BI Presentation Services users.
Using the Administration Tool, you can maintain lists of users and their passwords in the Oracle BI repository. The Oracle BI Server authenticates users against this list when a user logs on (unless another authentication method has already been used, or database authentication is specified in the NQSConfig.INI file). Oracle BI Server user IDs are case insensitive and stored in non-encrypted form in the Oracle BI repository, whereas Oracle BI Server passwords are case sensitive and stored in encrypted form. If the user has the required access privileges, an Oracle BI Server user ID can access any business model in a repository.
Important: User IDs are valid only for the repository in which they are set up. They do not span multiple repositories.
For more information on password policy settings in OBIEE, see the Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1): http://download.oracle.com/docs/cd/e14571_01/bi.1111/e10541/toc.htm
Authorization primarily includes two processes:
Permitting only certain users to access, process, or alter data
Applying varying limitations on user access or actions.
Oracle Product Lifecycle Analytics (OPLA) supports access control at the folder and file level, as well as at the following configurations:
Access control at the data level (data-level security)
Access control at the object level (object-level security)
Access control at the user level (user-level security)
Oracle Product Lifecycle Analytics (OPLA) uses the host Operating System file permission features to control access to directories, executables, server software, data files, logs, and external csv files. When OPLA is deployed, appropriate access privileges are set on the directories and folders. Files often contain sensitive and critical information and must be protected from prying eyes, modification, or deletion.
Caution: You must secure all Oracle PLA log files, external files, configurator files, and product line security files (rpd) listed below. Not doing so can result in files being corrupted, destroyed, or rewritten.
Only Administrators should have Read, Write and Execute privileges for the DataMartConfig.properties file, located at <Oracle_PLA_Home>\bin\DataMartConfig.properties.
For both OPLA with Agile PLM and OPLA with Agile PLM for Process.
Make sure that the external (csv) files listed in the table below are secured. The files are located at <OPLA_Home>\install\et\srcfiles.

Post-Installation File | Administrator | User
---|---|---
PPM_PRD_DEMAND.CSV | Read | Read & Write
PPM_PRD_INV_QTY.CSV | Read | Read & Write
PPM_PRD_INV_VALUE.CSV | Read | Read & Write
PPM_PRD_UNIT_REC.CSV | Read | Read & Write
PPM_PRD_UNIT_SHIP.CSV | Read | Read & Write
PRJ_COST.CSV | Read | Read & Write
PRJ_FORECAST.CSV | Read | Read & Write
Make sure that the log files listed in the table below are secured. Log files are located at <OPLA_Home>\logs.

Post-Installation File | Administrator | User
---|---|---
BI_DATA_DICT_PC_SD.log | Read | Read, Write, Execute
BI_DATA_DICT_PPM_SD.log | Read | Read, Write, Execute
BRIDGE_SD.log | Read | Read, Write, Execute
ControlTables.log | Read | Read, Write, Execute
install_logger4odm.log | Read | Read, Write, Execute
LIST_DM_SD.log | Read | Read, Write, Execute
MDS_COMMENT.log | Read | Read, Write, Execute
MDS_DDL.log | Read | Read, Write, Execute
MDS_IND.log | Read | Read, Write, Execute
MDS_PROCS.log | Read | Read, Write, Execute
MDS_SD.log | Read | Read, Write, Execute
MDS_TEMP_DDL.log | Read | Read, Write, Execute
MDS_VIEWS.log | Read | Read, Write, Execute
ODM_DDL.log | Read | Read, Write, Execute
ODM_PROC.log | Read | Read, Write, Execute
PC_DDL.log | Read | Read, Write, Execute
PPM_DDL.log | Read | Read, Write, Execute
SEED_DATA_GLOBAL.log | Read | Read, Write, Execute
SingleSchemaCreation.log | Read | Read, Write, Execute
USERDEF_OBJ.log | Read | Read, Write, Execute
Make sure that the following rpd file is secure. Location for the RPD file: <OPLA_Home>\olap\rpd. The RPD file name is PLMA_11G.rpd.
Data-level security controls the visibility of data (content in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system. For example, OPLA provides the ability to restrict authorized users' access to Project Analysis to their assigned Product Lines.
To extend data level security for repository objects:
Extend the physical table by adding the attribute by which the dimension, or fact, needs to be secured.
This step may result in a change to the data model.
For enabling existing out-of-the-box defined dimensions and measures without changing ETL Mapping you can map attributes in the OPLA Configurator.
For enabling new user-defined dimensions and measures by changing ETL mapping and BI repository, new user-defined attributes can be added using the Schema Enhancer that comes with the OPLA Configurator.
This step results in a change to the data model.
Populate the relevant attribute value for each row in the fact or dimension table.
This step results in a change to the ETL mapping.
Use the Oracle BI Administration Tool to create an initialization block. When a user logs into OPLA, the initialization block fetches the attribute values and populates them into a session variable. You can then create a target session variable for the initialization block. For detailed instructions, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
You can only create a target session variable if the initialization block is not a row-wise initialization block. This step results in a change to the Oracle BI repository.
Use the Oracle BI Administration Tool (in online mode) to set up data filters based on the new role for each of the fact and dimension tables that need to be secured by the attribute you added in Step 1.
This step results in a change to the Oracle BI Repository.
Use Presentation Services administration to set up the Presentation Services catalog privileges - based on the application role you created in step 4. For detailed instructions, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Note: You can also leverage the existing OPLA security objects when extending data-level security. To do this, copy existing security objects for secured dimensions, such as initialization blocks, and then modify them to apply to the additional dimensions.
You can enable object level security using the Oracle Business Intelligence Enterprise Edition (OBIEE) platform features. Oracle Product Lifecycle Analytics (OPLA) tightly integrates with OBIEE, as well as the security model of the operational source system, to allow the right content to be shown to the right user.
Important: You should be thoroughly familiar with the security features of OBIEE before you begin working with OPLA.
Security settings for OBIEE are made in the following Oracle Business Intelligence (Oracle BI) components:
Oracle BI Administration Tool
You can use the Oracle BI Administration Tool to perform tasks such as:
Setting permissions for business models, tables, columns, and subject areas
Specifying filters to limit data accessibility
Setting authentication options
For more detailed information, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition 11g.
Oracle BI Presentation Services Administration
You can use Oracle BI Presentation Services Administration to perform tasks such as setting permissions to Presentation Catalog objects (including dashboards and dashboard pages).
For more detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Oracle Enterprise Manager Fusion Middleware Control
You can use Fusion Middleware Control to manage the policy store, application roles, and permissions for determining functional access.
For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Oracle WebLogic Server Administration Console
You can use the Administration Console to manage users and groups in the embedded Oracle WebLogic Server LDAP. You can also use the Administration Console to manage security realms, and to configure alternative authentication providers.
For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
User level security involves the authentication and confirmation of the user's identity, based on the credentials provided, such as username and password. By default, user level security is set up in the embedded Oracle WebLogic Server, the LDAP server, and the policy store.
See also Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
This section explains how to enable the security audit feature in OPLA.
Oracle Business Intelligence Enterprise Edition (OBIEE) supports extensive audit features including, but not limited to, error events, informational events, and warning events. Some examples are server start and shutdown, failed login attempts, and failed access control authorizations. In OBIEE 11g, security auditing is integrated into the Oracle Fusion Middleware Audit Framework in Oracle Fusion Middleware Application Security, and it provides a range of out-of-the-box reports that are accessible through Oracle Business Intelligence Publisher.
The reports are grouped according to the type of audit data they contain:
Common Audit Reports
Account Management
User Activities
Errors and Exceptions
Component-Specific Audit Reports
Oracle Fusion Middleware Audit Framework
Oracle HTTP Server
Oracle Internet Directory
Oracle Virtual Directory
Reports Server
Oracle Directory Integration Platform
Oracle Identity Federation
Oracle Platform Security Services
Oracle Web Services Manager
Oracle Web Cache
For more information, see the Oracle® Fusion Middleware Application Security Guide: http://docs.oracle.com/cd/E21764_01/core.1111/e10043/toc.htm
Oracle Product Lifecycle Analytics (OPLA) comes with the OPLA Configurator tool. The OPLA Configurator provides the ability to map source columns to target columns (based on customer choice) in the data layer.
It is a standalone feature and uses independent encryption algorithms to connect to the source and target data schemas for the Agile PLM 9 schema.
The following security features are implemented with OPLA:
Uses a third-party XML parser component, upgraded to the latest patch (from Xerces 2.9.0 to Xerces2 2.11.0).
Note: OPLA also provides the ability to map extended attributes with the MDS Layer for the Agile PLM for Process source. Manual SQL scripts are supplied for updating the MDS schema.
Uses default DB level authentication.