Integrating with Microsoft Active Directory

Microsoft Active Directory supports the LDAP interface and therefore can be configured with BI Publisher using LDAP Security.

Configuring the Active Directory

Configure support for Active Directory by adding users and system groups.

To configure Active Directory:

  1. Add users who must access BI Publisher.

    Add the users under "Users" or any other organizational unit in the Domain Root.

  2. Add the BI Publisher system groups. The Scope of the groups must be Domain Local.

    The table below describes the BI Publisher system groups that must be added.

    BI Publisher System Group    Description

    XMLP_ADMIN                   The administrator role for the BI Publisher server. You must assign the XMLP_ADMIN group to the Administrator account used to access your LDAP server.

    XMLP_DEVELOPER               Allows users to create and edit reports and data models.

    XMLP_SCHEDULER               Allows users to schedule reports.

    XMLP_TEMPLATE_DESIGNER       Allows users to connect to the BI Publisher server from the Template Builder for Word and to upload and download templates. Allows users to design layouts using the BI Publisher Layout Editor.

  3. Grant BI Publisher system groups to global groups or users.

    You can grant BI Publisher system groups directly to users or through global groups.

Example 1: Grant Users the BI Publisher Administrator Role

  1. In Active Directory Users and Computers, open the XMLP_ADMIN group and click the Members tab.
  2. Click Add to add users who need BI Publisher Administrator privileges.

Example 2: Grant Users Access to Scheduling Reports

The "HR Manager" global group is defined under "Users".

All users in this group need to schedule reports.

To achieve this, add HR Manager as a Member of the XMLP_SCHEDULER group.
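
The same setup scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original documentation: it creates the four system groups with Domain Local scope, applies Example 2, and lists who effectively holds each role so the XMLP_ADMIN membership can be reviewed. The "Users" container path is an assumption; the group names and the "HR Manager" group come from the text above.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and rights to create groups.
Import-Module ActiveDirectory

# Assumption: the groups live in the default "Users" container of the current domain.
$container = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# The four BI Publisher system groups from the table above.
$systemGroups = 'XMLP_ADMIN', 'XMLP_DEVELOPER', 'XMLP_SCHEDULER', 'XMLP_TEMPLATE_DESIGNER'

foreach ($name in $systemGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        # Step 2: the scope of the system groups must be Domain Local.
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope DomainLocal -Path $container
        Write-Host "Created $name"
    }
    elseif ($group.GroupScope -ne 'DomainLocal') {
        # An existing group with the wrong scope is reported, not silently changed.
        Write-Warning "$name exists with scope $($group.GroupScope); expected DomainLocal"
    }
}

# Example 2: grant scheduling through the "HR Manager" global group.
$hr = Get-ADGroup -Filter "Name -eq 'HR Manager'"
if ($hr) {
    $already = Get-ADGroupMember -Identity 'XMLP_SCHEDULER' |
        Where-Object { $_.distinguishedName -eq $hr.DistinguishedName }
    if (-not $already) {
        Add-ADGroupMember -Identity 'XMLP_SCHEDULER' -Members $hr
    }
}
else {
    Write-Warning 'Global group "HR Manager" not found; skipping Example 2'
}

# Review: list every account that holds a role, including accounts that
# arrive through a nested group rather than direct membership.
foreach ($name in $systemGroups) {
    Get-ADGroupMember -Identity $name -Recursive |
        Select-Object @{ n = 'Role'; e = { $name } }, SamAccountName, objectClass, distinguishedName
}
```

Run the final loop again after any membership change: accounts listed under XMLP_ADMIN through a nested group are easy to miss on the Members tab, which shows only direct members.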

Configuring BI Publisher

You configure BI Publisher on the Administration page.

To configure BI Publisher:

  1. On the Administration page, click Security Configuration.
  2. Set up a Local Superuser if one has not been configured. This is very important: if the security configuration fails, you must still be able to log in to BI Publisher using the Superuser credentials.
  3. In the Authorization region of the page, select LDAP from the Security Model list.
  4. Enter the details for the Active Directory server, as described in Configuring the BI Publisher Server to Recognize the LDAP Server, noting the following specific information for Active Directory:
    • Set Group Search Filter objectclass to "group".

    • Set Member of Group Member Attribute Name to "memberOf" (Group Member Attribute Name can be left blank).

    • Set Attribute used for Login Username to "sAMAccountName".

    • If you are using LDAP over SSL, note the following:

      • the protocol is ldaps

      • the default port is 636

      An example URL would be: ldaps://example.com:636/

    The figure below shows an example configuration highlighting the recommendations stated above.

  5. Click Apply. Restart the BI Publisher application.

If you are configuring BI Publisher to use LDAP over SSL, then you must also configure the Java keystore to add the server certificate to the JVM. For more information, see Configuring BI Publisher for Secure Socket Layer (SSL) Communication.

Logging In to BI Publisher Using the Active Directory Credentials

The User login name defined in Active Directory Users and Computers > User Properties > Account is used for the BI Publisher login name.

Add the Domain to the user name to log in to BI Publisher. For example: "scott_tiger@domainname.com".

Note the following:

  • The Attribute used for Login Username can be sAMAccountName instead of userPrincipalName.

  • You must use sAMAccountName for the Attribute used for Login Username when the "User logon name (pre-Windows 2000)" must be used as the BI Publisher login username.

  • User names must be unique across all organizational units.

Assigning Data Access and Catalog Permissions to Roles

You assign data access and catalog permissions to roles on the Administration page.

To assign data access and catalog permissions to roles:

  1. Log in to BI Publisher as a user assigned the XMLP_ADMIN role in Active Directory.
  2. On the Administration page, click Roles and Permissions.

    You see the roles that you created in Active Directory to which you assigned the XMLP_ roles. Note the following:

    • The XMLP_X roles are not shown because these are controlled through the Active Directory interface.

    • The Users tab is no longer available under the Security Center because users are now managed through Active Directory.

    • Roles are not updatable in the BI Publisher interface, except for adding data sources.

  3. Click Add Data Sources to add BI Publisher data sources to the role. A role must be assigned access to a data source to run reports from that data source or to build data models from the data source. For more information, see Granting Data Access.
  4. Grant catalog permissions to roles. See About Catalog Permissions and Granting Catalog Permissions for details on granting catalog permissions to roles.