Integrate with Microsoft Active Directory

Microsoft Active Directory supports the LDAP interface and therefore can be configured with Publisher using LDAP Security.

Configure the Active Directory

Configure support for Active Directory by adding users and system groups.

  1. Add users who must access Publisher.
    Add the users under "Users" or any other organization unit in the Domain Root.
  2. Add the Publisher system groups. The Scope of the groups must be Domain Local.
    • XMLP_ADMIN - The administrator role for Publisher. You must assign the XMLP_ADMIN group to the Administrator account used to access your LDAP server.
    • XMLP_DEVELOPER - Allows users to create and edit reports and data models.
    • XMLP_SCHEDULER - Allows users to schedule reports.
    • XMLP_TEMPLATE_DESIGNER - Allows users to connect to Publisher from the Template Builder for Word and to upload and download templates. Allows users to design layouts using the Publisher Layout Editor.
  3. Grant Publisher system groups to global groups or users.
    You can grant Publisher system groups directly to users or through global groups.

Example 3-1 Grant Users the Publisher Administrator Role

  1. In Active Directory Users and Computers, open the XMLP_ADMIN group and click the Members tab.
  2. Click Add to add users who need Publisher Administrator privileges.

Example 3-2 Grant Users Access to Scheduling Reports

The "HR Manager" global group is defined under "Users". All users in this group need to schedule reports.

To achieve this, add HR Manager as a Member of the XMLP_SCHEDULER group.
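
The group setup from steps 2 and 3 and Example 3-2 can also be scripted and then reviewed. The following is an added example, not part of the original documentation. It assumes the RSAT ActiveDirectory PowerShell module, a placeholder OU distinguished name, and that "HR Manager" is the sAMAccountName of the existing global group.

```powershell
# Added example, not Oracle's code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: OU that will hold the Publisher system groups (placeholder DN).
$GroupOu = 'OU=Publisher,DC=example,DC=com'

# The four system groups named on this page, with short descriptions.
$PublisherGroups = [ordered]@{
    XMLP_ADMIN             = 'Publisher administrator role'
    XMLP_DEVELOPER         = 'Create and edit reports and data models'
    XMLP_SCHEDULER         = 'Schedule reports'
    XMLP_TEMPLATE_DESIGNER = 'Template Builder for Word and Layout Editor'
}

foreach ($name in $PublisherGroups.Keys) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        # The page requires the Domain Local scope for every system group.
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
            -GroupCategory Security -Path $GroupOu -Description $PublisherGroups[$name]
    }
    elseif ($group.GroupScope -ne 'DomainLocal') {
        # An existing group with another scope does not match the documented setup.
        Write-Warning "$name exists with scope $($group.GroupScope); expected DomainLocal"
    }
}

# Example 3-2: make the "HR Manager" global group a member of XMLP_SCHEDULER.
$scheduler = Get-ADGroupMember -Identity 'XMLP_SCHEDULER'
if ($scheduler.Name -notcontains 'HR Manager') {
    Add-ADGroupMember -Identity 'XMLP_SCHEDULER' -Members 'HR Manager'
}

# Review: list every account that effectively holds each role,
# including accounts that receive it through nested global groups.
foreach ($name in $PublisherGroups.Keys) {
    Get-ADGroupMember -Identity $name -Recursive |
        Select-Object @{n = 'Role'; e = { $name }}, SamAccountName, objectClass
}
```

Re-running the final loop after any membership change gives a quick record of who holds XMLP_ADMIN, directly or through a nested group.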

Configure Publisher

You configure Publisher on the Administration page.

To configure Publisher:

  1. On the Administration page, click Security Configuration.
  2. Set up a Local Superuser if one has not been configured. This is very important: if the security configuration fails, you must still be able to log in to Publisher using the Superuser credentials.
  3. In the Authorization region of the page, select LDAP from the Security Model list.
  4. Enter the details for the Active Directory server, as described in Configure Publisher to Recognize the LDAP Server, noting the following specific information for Active Directory:
    • Set Group Search Filter objectclass to "group"

    • Set Member of Group Member Attribute Name to "memberOf" (Group Member Attribute Name can be left blank).

    • Set Attribute used for Login Username to "sAMAccountName".

    • If you're using LDAP over SSL, note the following:

      • the protocol is ldaps

      • the default port is 636

      An example URL would be: ldaps://example.com:636/

    The figure below shows an example configuration highlighting the recommendations stated above.

  5. Click Apply. Restart the Publisher application.

If you're configuring Publisher to use LDAP over SSL, then you must also configure the Java keystore to add the server certificate to the JVM. For more information, see Configure Publisher for Secure Socket Layer (SSL) Communication.

Log In to Publisher Using the Active Directory Credentials

The User login name defined in Active Directory Users and Computers > User Properties > Account is used for the Publisher login name.

Add the Domain to the user name to log in to Publisher. For example: "scott_tiger@domainname.com".

Note the following:

  • The Attribute used for Login Username can be sAMAccountName instead of userPrincipalName.

  • User names must be unique across all organization units.

Assign Data Access and Catalog Permissions to Roles

You assign data access and catalog permissions to roles on the Administration page.

Note:

  • The XMLP_X roles are not shown because these are controlled through the Active Directory interface.

  • The Users tab is no longer available under the Security Center because users are now managed through Active Directory.

  • Roles are not updatable in the Publisher interface, except for adding data sources.

  1. Log in to Publisher as a user assigned the XMLP_ADMIN role in Active Directory.
  2. On the Administration page, click Roles and Permissions.

    You see the roles that you created in Active Directory to which you assigned the XMLP_ roles.

  3. Click Add Data Sources to add Publisher data sources to the role. A role must be assigned access to a data source to run reports from that data source or to build data models from the data source. For more information, see Grant Data Access.
  4. Grant catalog permissions to roles. See About Catalog Permissions and Grant Catalog Permissions for details on granting catalog permissions to roles.