Oracle Product Lifecycle Analytics Security Guide
Release 3.5
E70278-01

5 Security Features

Oracle Product Lifecycle Analytics (OPLA) includes security features to provide data protection.

Table 5-1 provides a high-level overview of these features.

Table 5-1 Overview of Security Features

Web Browser (Desktop Tier)
  Authentication: Default security feature
  Access Control (Authorization): Default security feature
  Audit: Default security feature

Application Layer: OBIEE
  Authentication: Default OBIEE authentication
  Access Control (Authorization): No out-of-box access control provided. Object-level security model; refer to the security model section "Object Level Security". Data-level security is provided; refer to the security model section "Data-Level Security".
  Audit: Default OBIEE audit feature. Refer to section "Configuring and Using Security Audit".

Application Layer: ODI
  Authentication: Default ODI authentication
  Access Control (Authorization): Default ODI access control
  Audit: Default ODI audit feature

Application Layer: Configurator
  Authentication: Default DB authentication based on DataMartConfig.properties
  Access Control (Authorization): Default access control provided at DB level
  Audit: Audit details are captured at OPLA Install Home/logs/Configurator.log. Detailed logging is enabled at ETL level for ODI and PL/SQL code.

Data Layer
  Authentication: Default Oracle DB authentication. Default file-based authentication for external csv files.
  Access Control (Authorization): Access to source is based on a DB link. Access to staging objects is based on synonyms. Specific privileges are provided to staging and target users. Access to external csv files is controlled by access privileges on the folder in which OPLA is deployed.
  Audit: Default Oracle DB audit feature. Default OS audit feature at file level for external csv files.


5.1 Password Policy

A password policy is a set of rules dictating how to use passwords. Some of the rules a password policy sets are:

  • The maximum length of time a password is valid

  • The minimum number of characters in a password

  • The mandatory number of numeric characters in a password

Password policies play an important role when attempting to access a directory. The directory server ensures that the password entered adheres to the password policy.

Oracle Product Lifecycle Analytics (OPLA) is dependent on Oracle Business Intelligence Enterprise Edition (OBIEE) password policy.

If you are using the OBIEE 11.x.x.x version, you automatically adhere to the Oracle password policy. Use the Oracle Internet Directory to set passwords. For more information, see the Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1.


Note:

You must secure Oracle Fusion Middleware components using SSL version 3 or TLS version 1. For more information, see Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g

5.2 Security Model

In today's environment it is critical to have a properly secured computing infrastructure. A secured infrastructure strikes a balance between:

  • Exposure risk

  • Security costs

  • Value of the information to protect (monetary or other)

Oracle Product Lifecycle Analytics (OPLA) achieves this balance and protects information by using a three-level hierarchy model. See the OPLA Security Hierarchy figure for a better understanding.

Figure 5-1 OPLA Security Hierarchy

Surrounding text describes Figure 5-1.

5.2.1 Data-Level Security

Data-level security restricts access to data based on access control permissions granted by an Administrator. The security level determines (through the Administrator) who gets to see particular data and whether they can access it. For example, you can restrict a user's access to project analysis to only their product lines.

5.2.2 Object Level Security

Object level security controls and restricts the visibility to business logic objects by user role. For example, object level security for dashboards can be set up based on subject areas and roles.

5.2.3 User-Level Security (User Authentication)

User level security is the authentication and confirmation of a user's identity based on the credentials provided. This is your basic login and password at the lowest level. At higher levels, it can consist of a number of authentications and confirmations (at various degrees of encryption).

5.3 Configuring and Using Authentication in OPLA

Oracle Product Lifecycle Analytics (OPLA) supports both of the following high-level authentication configurations:

  1. OPLA authentication at ETL layer

  2. OPLA authentication at OBIEE layer

5.3.1 Authentication at ETL Layer

You can change or modify your password after installing Oracle Product Lifecycle Analytics (OPLA). At the ETL layer, different methods are used for changing different passwords. You change the password for the Staging Schema connection details in the Physical Repository of ODI Topology Manager. For more information, see the Oracle Data Integrator Installation and Configuration Guide. You can change the OPLA Configurator password using OPLA encryption methods. You can change the password for the ODI repositories using the ODI Agent.

5.3.2 Authentication at the ETL Layer using OPLA Encryption Methods

You can change the passwords for the OPLA Configurator using OPLA encryption methods.

To change passwords:

  1. From the command prompt navigate to <OPLA_Home>\bin\.

  2. For Windows, type: DMEncoder.bat <new password>
     For Linux, type: DMEncoder.sh <new password>

  3. The system generates an encoded password. Copy the encoded password, and exit the command prompt.

  4. Navigate to <OPLA_Home>\bin\ and open the DataMartConfig.properties file.

  5. In the DataMartConfig.properties file navigate to the parameter whose password you want changed, and manually replace the old password with the new encoded password. Refer to the table below to locate the parameter you need to change.

  6. Save and close the DataMartConfig.properties file.

To change the password for (parameter to navigate to in the DataMartConfig.properties file):

  Agile PLM Source schema password: PLM_DB_PWD
  Agile PLM for Process Source schema password: PLM4P_DB_USER_PWD
  Data Mart Database sys schema password: SYS_USER_PASSWORD
  Data Mart Database system schema password: DB_SYSTEM_PWD
  Data Mart schema password: MDS_USER_PASSWORD
  Source schema password, if installed as a separate schema: ODM_USER_PASSWORD
  Master Repository schema password: MASTER_PWD
  Work Repository schema password: WORK_PWD
  Work Repository password: WORK_REP_PWD
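Step 5 of the procedure above is a manual edit of a file that holds every encoded credential the ETL layer uses, so a slip can overwrite the wrong parameter or leave a half-written file. The script below is an added example (not Oracle's code and not part of the OPLA Configurator): it takes an encoded value already produced by DMEncoder, replaces only the named parameter from the table, writes the file atomically and leaves it readable by its owner only. The owner-only permission step assumes a POSIX host; the key names come from the table above.

```python
"""Apply an already-encoded password to DataMartConfig.properties (step 5 above).

Added example, not Oracle's code. It assumes the encoded value was produced
with DMEncoder.bat/DMEncoder.sh as in the procedure; it does not encode
anything itself. Only the named key=value line changes, every other line is
kept byte-for-byte, the write is atomic, and the file ends up owner-only
(POSIX permissions; on Windows adjust the NTFS ACL separately).
"""
import os
import stat
import tempfile

# Parameters from the table above that legitimately hold encoded passwords.
PASSWORD_KEYS = frozenset({
    "PLM_DB_PWD", "PLM4P_DB_USER_PWD", "SYS_USER_PASSWORD", "DB_SYSTEM_PWD",
    "MDS_USER_PASSWORD", "ODM_USER_PASSWORD", "MASTER_PWD", "WORK_PWD",
    "WORK_REP_PWD",
})


def replace_property(lines, key, encoded_value):
    """Return (new_lines, replaced) with the value of `key` swapped in.

    Comment lines (# or !) and all other keys are preserved unchanged.
    A key that is not a known password parameter raises ValueError.
    """
    if key not in PASSWORD_KEYS:
        raise ValueError(f"{key} is not a password parameter listed in the guide")
    if "\n" in encoded_value or "\r" in encoded_value:
        raise ValueError("encoded value must be a single line")
    out, replaced = [], False
    for line in lines:
        body = line.lstrip()
        if body.startswith(("#", "!")):
            out.append(line)          # comment line: keep as is
            continue
        name, sep, _old = body.partition("=")
        if sep and name.strip() == key:
            out.append(f"{key}={encoded_value}\n")
            replaced = True
        else:
            out.append(line)
    return out, replaced


def update_encoded_password(path, key, encoded_value):
    """Rewrite the properties file atomically; return True if `key` was found."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.readlines()
    new_lines, replaced = replace_property(lines, key, encoded_value)
    if not replaced:
        return False
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".DataMartConfig.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.writelines(new_lines)
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)   # owner read/write only
        os.replace(tmp, path)       # atomic swap: no half-written file on failure
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True
```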

5.3.3 Authentication at the ETL Layer using the ODI Agent

You can also change passwords at the ETL layer employing the ODI Agent or the ODI Studio for the following:

  • Master Repository Database password

  • Work Repository Database password

  • ODI Work Repository password

To change passwords in ODI:

  1. From the command prompt navigate to <ODI_HOME>\Oracle_ODI_1\oracledi\agent\bin.

  2. For Windows, type: encode.bat <new password>
     For Linux, type: encode.sh <new password>

5.3.4 Authentication at the Oracle Business Intelligence Enterprise Edition Layer

The Oracle Product Lifecycle Analytics (OPLA) application utilizes the Oracle Business Intelligence Enterprise Edition Layer (OBIEE) layer's platform authentication features. You change the password for the PLMAXX_11G.rpd repository file (where XX represents either Agile PLM or Agile PLM for Process) using the OBIEE Admin Tool. For more information, see the OBIEE Installation and Configuration Guide.

OPLA uses OBIEE authentication features. We recommend you use the authentication features in the order shown below:

  • LDAP authentication - We recommend that you configure the OPLA application to use LDAP authentication, only if your Agile PLM application is configured to LDAP authentication.

  • External table authentication - We recommend that you configure the OPLA application to use external table authentication, only if your Agile PLM application is configured to external table authentication.

  • Database authentication - We recommend that you configure the OPLA application to use database authentication, only if your Agile PLM application is configured to database authentication.

  • Oracle BI Server user authentication maintenance - We do not recommend using the Oracle BI Server authentication mechanism.

5.3.5 LDAP Authentication

LDAP authentication is used as an alternative to storing user IDs and passwords in an Oracle BI repository. You can set up the Oracle BI Server to take the user ID and password and then pass them to an LDAP server for authentication. For LDAP authentication the server uses clear text passwords.

You can configure OBIEE to secure communications between different points in the network. OBIEE 11g supports SSL version 3, and TLS version 1. For more information on how to configure SSL,

Important: You must configure your LDAP servers to allow this.

5.3.6 External Table Authentication

You can maintain lists of users and their passwords in an external database table, instead of storing user IDs and passwords in an Oracle BI repository. You can then use this table for authentication purposes. The external database table contains the following information:

  • User IDs

  • Passwords

  • Group membership

  • Display names (used for Oracle BI Presentation Services users)

  • Specific database catalog names

  • Schemas to use for individual users (when querying data)

You can also configure user level security with the user authentication information stored in the external source system. For example, in Agile PLM the AgileUser table stores encrypted user IDs and passwords.

5.3.7 Database Authentication

The Oracle BI Server authenticates users through database logons. If a user has Read permission on a specified database, the Oracle BI Server trusts that user. This authentication method can also be applied for Oracle BI Presentation Services users.

5.3.8 Maintaining Oracle BI Server User Authentication

Using the Administration Tool, you can maintain lists of users and their passwords in the Oracle BI repository. The Oracle BI Server authenticates users against this list when a user logs on (unless another authentication method has already been used, or a database authentication is specified in the NQSConfig.INI file). The Oracle BI Server user IDs are case insensitive and stored in a non-encrypted form in the Oracle BI repository. Oracle BI Server passwords, by contrast, are case sensitive and stored in an encrypted form. If the user has the required access privileges, the Oracle BI Server user IDs can access any business model in a repository.


Important:

User IDs are valid only for the repository in which they are set up. They do not span multiple repositories.

For more information on password policy settings in OBIEE, see the Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1): http://download.oracle.com/docs/cd/e14571_01/bi.1111/e10541/toc.htm.

5.4 Configuring and Using Access Control

Authorization primarily includes two processes:

  1. Permitting only certain users to access, process, or alter data

  2. Applying varying limitations on user access or actions

Oracle Product Lifecycle Analytics (OPLA) supports access control at the folder and file level, as well as the following configurations:

  • Access control at the data level

  • Access control at the object level

  • Access control at the user level

5.4.1 Access Control at the Folder and File Level

Oracle Product Lifecycle Analytics (OPLA) uses the host Operating System file permission features to control access to directories, executables, server software, data files, logs, and external csv files. When OPLA is deployed, appropriate access privileges are provided to the directories and folders. Files often contain sensitive and critical information, and must be protected from prying eyes, modification, or deletion.

Caution: You must secure all Oracle PLA log files, external files, configurator files, and product line security files (rpd) listed below. Not doing so can result in files being corrupted, destroyed, or rewritten.

  1. Only Administrators should have Read, Write and Execute privileges for the DataMartConfig.properties file, located at <Oracle_PLA_Home>\bin\DataMartConfig.properties.

    This applies to both OPLA with Agile PLM and OPLA with Agile PLM for Process.

  2. Make sure that the external (csv) files listed in the table below are secured. The files are located at <OPLA_Home>\install\et\srcfiles.

    Post-Installation File      Administrator    User
    PPM_PRD_DEMAND.CSV          Read             Read & Write
    PPM_PRD_INV_QTY.CSV         Read             Read & Write
    PPM_PRD_INV_VALUE.CSV       Read             Read & Write
    PPM_PRD_UNIT_REC.CSV        Read             Read & Write
    PPM_PRD_UNIT_SHIP.CSV       Read             Read & Write
    PRJ_COST.CSV                Read             Read & Write
    PRJ_FORECAST.CSV            Read             Read & Write

  3. Make sure that the log files listed in the table below are secured. Log files are located at <OPLA_Home>\logs.

    Post-Installation File      Administrator    User
    BI_DATA_DICT_PC_SD.log      Read             Read, Write, Execute
    BI_DATA_DICT_PPM_SD.log     Read             Read, Write, Execute
    BRIDGE_SD.log               Read             Read, Write, Execute
    ControlTables.log           Read             Read, Write, Execute
    install_logger4odm.log      Read             Read, Write, Execute
    LIST_DM_SD.log              Read             Read, Write, Execute
    MDS_COMMENT.log             Read             Read, Write, Execute
    MDS_DDL.log                 Read             Read, Write, Execute
    MDS_IND.log                 Read             Read, Write, Execute
    MDS_PROCS.log               Read             Read, Write, Execute
    MDS_SD.log                  Read             Read, Write, Execute
    MDS_TEMP_DDL.log            Read             Read, Write, Execute
    MDS_VIEWS.log               Read             Read, Write, Execute
    ODM_DDL.log                 Read             Read, Write, Execute
    ODM_PROC.log                Read             Read, Write, Execute
    PC_DDL.log                  Read             Read, Write, Execute
    PPM_DDL.log                 Read             Read, Write, Execute
    SEED_DATA_GLOBAL.log        Read             Read, Write, Execute
    SingleSchemaCreation.log    Read             Read, Write, Execute
    USERDEF_OBJ.log             Read             Read, Write, Execute

  4. Make sure that the following rpd file is secure. The RPD file is located at <OPLA_Home>\olap\rpd and is named PLMA_11G.rpd.
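The four items above name the files whose permissions must be checked after deployment. The script below is an added example (not Oracle's code and not shipped with OPLA) that audits a POSIX deployment against that list: it assumes a Linux/UNIX OPLA_Home laid out as in the paths above, treats DataMartConfig.properties and the rpd as owner-only, and requires the csv source files and every *.log under logs/ to have no permission bits for "other" and no group write bit. Those thresholds are the example's own policy, chosen from the tables above, not values the guide states.

```python
"""Audit POSIX permissions on the OPLA files section 5.4.1 says must be secured.

Added example, not Oracle's code. Assumes a Linux/UNIX deployment under
OPLA_Home (the guide shows Windows paths; on Windows the equivalent is an NTFS
ACL review). Policy assumed here: DataMartConfig.properties and the rpd are
owner-only; csv source files and every *.log under logs/ must not be readable
or writable by "other" and not writable by the group.
"""
import os
import stat

# Post-installation csv files named in the guide (install\et\srcfiles).
CSV_FILES = [
    "PPM_PRD_DEMAND.CSV", "PPM_PRD_INV_QTY.CSV", "PPM_PRD_INV_VALUE.CSV",
    "PPM_PRD_UNIT_REC.CSV", "PPM_PRD_UNIT_SHIP.CSV", "PRJ_COST.CSV",
    "PRJ_FORECAST.CSV",
]


def build_targets(opla_home):
    """Map each file (relative to opla_home) to the mode bits it must NOT carry."""
    owner_only = stat.S_IRWXG | stat.S_IRWXO
    no_other_no_group_write = stat.S_IRWXO | stat.S_IWGRP
    targets = {
        os.path.join("bin", "DataMartConfig.properties"): owner_only,
        os.path.join("olap", "rpd", "PLMA_11G.rpd"): owner_only,
    }
    for name in CSV_FILES:
        rel = os.path.join("install", "et", "srcfiles", name)
        targets[rel] = no_other_no_group_write
    log_dir = os.path.join(opla_home, "logs")
    if os.path.isdir(log_dir):
        # Superset of the guide's log table: every .log file in the directory.
        for name in sorted(os.listdir(log_dir)):
            if name.endswith(".log"):
                targets[os.path.join("logs", name)] = no_other_no_group_write
    return targets


def audit(opla_home):
    """Return [(relative_path, problem), ...]; an empty list means compliant."""
    findings = []
    for rel, disallowed in build_targets(opla_home).items():
        full = os.path.join(opla_home, rel)
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            findings.append((rel, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            # A symlink could redirect reads or writes outside the secured tree.
            findings.append((rel, "is a symbolic link"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        bad = mode & disallowed
        if bad:
            findings.append((rel, f"mode {mode:04o} carries forbidden bits {bad:04o}"))
    return findings


if __name__ == "__main__":
    import sys
    for rel, problem in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {problem}")
```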

5.4.2 Access Control at the Data-Level

Data-level security controls the visibility of data (content in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system. For example, OPLA restricts authorized users' access to Project Analysis to their assigned Product Lines.

To extend data level security for repository objects:

  1. Extend the physical table by adding the attribute by which the dimension, or fact, needs to be secured.

    This step may result in a change to the data model.

    1. To enable existing out-of-the-box dimensions and measures without changing the ETL mapping, map the attributes in the OPLA Configurator.

    2. To enable new user-defined dimensions and measures by changing the ETL mapping and BI repository, add the new user-defined attributes using the Schema Enhancer that comes with the OPLA Configurator.

      This step results in a change to the data model.

      Populate the relevant attribute value for each row in the fact or dimension table.

      This step results in a change to the ETL mapping.

  2. Use the Oracle BI Administration Tool to create an initialization block. When a user logs into OPLA, the initialization block fetches the attribute values and populates them into a session variable. You can then create a target session variable for the initialization block. For detailed instructions, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

    You can only create a target session variable if the initialization block is not a row-wise initialization block. This step results in a change to the Oracle BI repository.

  3. Use the Oracle BI Administration Tool (in online mode) to set up data filters based on the new role for each of the fact and dimension tables that need to be secured by the attribute you added in Step 1.

    This step results in a change to the Oracle BI Repository.

  4. Use Presentation Services administration to set up the Presentation Services catalog privileges - based on the application role you created in step 4. For detailed instructions, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.

    Note: You can also leverage the existing OPLA security objects (when extending data-level security). To do this, copy existing security objects for secured dimensions, such as initialization blocks, and then modify them to apply to the additional dimensions.

5.4.3 Access Control at the Object-Level

You can enable object level security using the Oracle Business Intelligence Enterprise Edition (OBIEE) platform features. Oracle Product Lifecycle Analytics (OPLA) tightly integrates with OBIEE, as well as with the security model of the operational source system, to allow the right content to be shown to the right user.


Important:

You should be thoroughly familiar with the security features of OBIEE before you begin working with OPLA.

Security settings for OBIEE are made in the following Oracle Business Intelligence (Oracle BI) components:

  1. Oracle BI Administration Tool

    You can use the Oracle BI Administration Tool to perform tasks such as:

    • Setting permissions for business models, tables, columns, and subject areas

    • Specifying filters to limit data accessibility

    • Setting authentication options

      For more detailed information, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition 11g.

  2. Oracle BI Presentation Services Administration

    You can use Oracle BI Presentation Services Administration to perform tasks such as setting permissions to Presentation Catalog objects (including dashboards and dashboard pages).

    For more detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.

  3. Oracle Enterprise Manager Fusion Middleware Control

    You can use Fusion Middleware Control to manage the policy store, application roles, and permissions for determining functional access.

    For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.

  4. Oracle WebLogic Server Administration Console

    You can use the Administration Console to manage users and groups in the embedded Oracle WebLogic Server LDAP. You can also use the Administration Console to manage security realms, and to configure alternative authentication providers.

    For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.

5.4.4 Access Control at the User-Level

User level security involves the authentication and confirmation of the user's identity based on the credentials provided, such as username and password. By default, user level security is set up in the embedded Oracle WebLogic Server, the LDAP server, and the policy store.

See also Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.

5.5 Configuring and Using Security Audit

This section explains how to enable the security audit feature in OPLA.

Oracle Business Intelligence Enterprise Edition (OBIEE) supports extensive audit features including, but not limited to, error events, informational events, and warning events. Some examples are, server starting and server shutdown, failed login attempts, and failed access control authorizations. In OBIEE 11g, security auditing is integrated into the Oracle Fusion Middleware Audit Framework in Oracle Fusion Middleware Application Security, and it provides a range of out-of-the-box reports that are accessible through Oracle Business Intelligence Publisher.

The reports are grouped according to the type of audit data they contain:

  • Common Audit Reports

    • Account Management

    • User Activities

    • Errors and Exceptions

  • Component-Specific Audit Reports

    • Oracle Fusion Middleware Audit Framework

    • Oracle HTTP Server

    • Oracle Internet Directory

    • Oracle Virtual Directory

    • Reports Server

    • Oracle Directory Integration Platform

    • Oracle Identity Federation

    • Oracle Platform Security Services

    • Oracle Web Services Manager

    • Oracle Web Cache

For more information, see the Oracle® Fusion Middleware Application Security Guide http://docs.oracle.com/cd/E21764_01/core.1111/e10043/toc.htm

5.5.1 Configuring and Using OPLA Configurator

Oracle Product Lifecycle Analytics (OPLA) comes with the OPLA Configurator tool. The OPLA Configurator provides the ability to map source columns to target columns (based on customer choice) in the data layer.

It is a standalone feature and uses independent encryption algorithms to connect with the source and target data schemas for the Agile PLM 9 schema.

The following security features are implemented with OPLA:

Uses the third-party Xerces XML parser component, upgraded to the latest patch (from Xerces 2.9.0 to Xerces2 2.11.0).


Note:

OPLA also provides the ability to map extended attributes with the MDS Layer for the Agile PLM for Process source. Manual SQL scripts are supplied for updating the MDS schema.

Uses default DB level authentication.