Task 9 - Stop Alternative Methods of Authentication

You must remove the USER variable and may need to update initialization blocks in the semantic model.

Note:

Oracle Analytics Server initialization block authentication has been deprecated and is no longer enabled for any use other than integrating with Oracle E-Business Suite Applications. You can use the information in this topic to update your existing initialization blocks.

Oracle Analytics Server allows various forms of authentication methods to be applied at once. While some can see this as a desirable feature it also comes with security risks. To implement a single source of authentication, you must remove the authentication methods that use initialization blocks from the semantic model.

You stop access through initialization blocks using the Model Administration Tool. Successful authentication requires a user name, and initialization blocks populate user names using the USER system session variable.

1. Remove the USER system variable from the semantic model.
2. Ensure that initialization blocks in the semantic model have the Required for authentication check box cleared.
3. Check that initialization blocks in the semantic model that set the PROXY and PROXYLEVEL system session variables do not allow users to bypass security.

   The PROXY and PROXYLEVEL system variables allow connected users to impersonate other users with their security profile. This method is acceptable when the impersonated user account has less privileges, but if the account has more privileges it can be a security issue.

4. Disable or remove initialization blocks associated with the following system session variables: USER, GROUP, and ROLES.

If you disable an initialization block, then any dependent initialization blocks are also disabled.

You can now be sure that any attempted access using initialization block authentication cannot be successful. However, you must check all of your initialization blocks.