This appendix describes legacy security administration options that are included for backward compatibility with upgraded systems and are not considered a best practice.
Note:
For any particular user, both authentication and authorization must be performed either by the Oracle Fusion Middleware security model or using the legacy mechanisms. You cannot mix the two. So a user cannot perform authentication using Oracle Fusion Middleware security and then authorization using initialization blocks.
If you are using legacy authentication options such as session variables in initialization blocks to get the user ID and group, you must disable lightweight SSO. Legacy authentication cannot use SSO through Oracle WebLogic.
You might need to revert to the previous login page if you are using the NQUser and NQPassword query parameters to log in to SSO. The NQUser and NQPassword login parameters were used as optional parameters for the Oracle BI Presentation Services Go URL. If you must continue to use the NQUser and NQPassword login parameters, you must disable lightweight SSO.
Lightweight SSO is implemented by default in Oracle BI EE release 12.2.1.3.0. Users are not prompted to log in when moving between Classic Oracle BI EE and Visual Analyzer, or when moving between the Classic Home page and the New Home Page.
To continue to use the NQUser and NQPassword login parameters, disable lightweight SSO using the WLST disableSingleSignOn command. See Enabling and Disabling SSO Authentication Using WLST Commands in Security Guide for Oracle Business Intelligence Enterprise Edition. Users are redirected to the Oracle BI security login when lightweight SSO is disabled.
You can implement other SSO options in your environment.
Several Oracle Business Intelligence legacy authentication options are still supported for backward compatibility.
The best practice for upgrading systems is to begin implementing authentication using an identity store and authentication provider as provided by the default security model. An embedded directory server is configured as the default identity store and authentication provider during installation or upgrade and is available for immediate use.
See Introduction to Security in Oracle Business Intelligence and Understanding the Default Security Configuration.
Authentication is the process by which the user name and password presented during login is verified to ensure the user has the necessary credentials to log in to the system. The BI Server authenticates each connection request it receives. The following legacy authentication methods are supported by the BI Server for backward compatibility in this release:
External LDAP-based directory server.
External initialization block authentication.
Table-based.
You can set up the Oracle BI Server to pass user credentials to an external LDAP server for authentication.
The legacy LDAP authentication method uses Oracle Business Intelligence session variables that you define using the Variable Manager in the Oracle BI Administration Tool. See Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Create an LDAP Server as follows:
Select Manage, then Identity in the Administration Tool to launch the Identity Manager.
Select Directory Servers from the left pane in Identity Manager.
Right-click in the right pane in Identity Manager and select New LDAP Server. The LDAP Server dialog is displayed.
Create the LDAP server by completing the fields.
Create an LDAP initialization block and associate it with an LDAP server.
Define a system variable named USER and assign the USER variable to an LDAP attribute, for example, uid, sAMAccountName, cn.
Session variables get their values when a user begins a session by logging on. Certain session variables, called system session variables, have special uses. The system session variable USER is used with authentication.
If applicable, delete users from the repository file.
Associate the USER system variable with the LDAP initialization block.
Note:
When using secure LDAP you must restart the Administration Tool before testing if you have done the following: set the key file name and password, tested the LDAP parameter setting successfully in the Administration Tool, and then changed the key file name and password again.
For instances of Oracle Business Intelligence that use Active Directory Service Interfaces (ADSI) as the authentication method, use the following options when setting up the Active Directory instance:
In Log On To, select All Computers, or if you list some computers, include the Active Directory server as a Logon workstation.
Ensure that User must change password at next logon is not selected.
In the Administration Tool, the CN user used for the BIND DN in the LDAP Server section must have both ldap_bind and ldap_search authority.
Note:
The BI Server uses cleartext passwords in LDAP authentication. Make sure your LDAP Servers are set up to allow this.
To set up LDAP authentication using initialization blocks, you define a system session variable called USER and associate it with an LDAP initialization block that is associated with an LDAP server.
When a user logs in to the BI Server, the user name and password are passed to the LDAP server for authentication. After the user is authenticated successfully, other session variables for the user could also be populated from information returned by the LDAP server.
Note:
If the user exists in both an external LDAP server using the legacy method and in an LDAP-based identity store based on Oracle Platform Security Services, the user definition in the identity store takes precedence. The legacy LDAP mechanism is only attempted if authentication fails against Oracle Platform Security Services.
The information in this section assumes that an LDAP initialization block has been defined.
For users not defined in an LDAP-based identity store, the presence of the defined system variable USER determines that external authentication is performed. Associating USER with an LDAP initialization block determines that the user is authenticated by LDAP. To provide other forms of authentication, associate the USER variable with an initialization block associated with an external database.
You can maintain lists of users and their passwords in an external database table and use this table for authentication purposes.
The external database table contains user names and passwords, and could contain other information, including group membership and display names used for Oracle BI Presentation Services users. The table could also contain the names of specific database catalogs or schemas to use for each user when querying data.
Note:
If a user belongs to multiple groups, the group names should be included in the same column, separated by semicolons. This applies only if you are not using row-wise variables for groups or roles.
External table authentication uses session variables that you define using the Variable Manager in the Administration Tool. See Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Session variables get their values when a user begins a session by logging on. Certain session variables, called system variables, have special uses. The variable USER is a system variable that is used with external table authentication.
To set up external table authentication, you define a system variable called USER and associate it with an initialization block that is associated with an external database table. Whenever a user logs in, the user ID and password are authenticated using SQL that queries this database table for authentication. The initialization block uses the database connection in the physical layer to connect to the database. The connection in the physical layer contains the login information. After the user is authenticated successfully, other session variables for the user could also be populated from the results of this SQL query.
The presence of the defined system variable USER determines that external authentication is performed. Associating USER with an external database table initialization block determines that the user is authenticated using the information in this table. To provide other forms of authentication, associate the USER system variable with an initialization block associated with an LDAP server or XML source. See Setting Up LDAP Authentication Using Initialization Blocks.
Oracle BI Scheduler Server runs Oracle BI Delivers jobs for users without accessing or storing their passwords.
Using a process called impersonation, Oracle BI Scheduler uses one user name and password with Oracle Business Intelligence administrative privileges that can act on behalf of other users. Oracle BI Scheduler initiates an Agent by logging on to Oracle BI Presentation Services with the Oracle Business Intelligence administrative name and password.
For Delivers, you must perform all database authentication in only one connection pool. The connection pool is only selectable in an initialization block for the USER system session variable. The initialization block is usually called the Authentication initialization block. When impersonation is used, the Authentication initialization block is skipped. All other initialization blocks must use connection pools that do not use database authentication.
Important:
An authentication initialization block is the only initialization block in which it is acceptable to use a connection pool where :USER and :PASSWORD are passed to a physical database.
For other initialization blocks, SQL statements can use :USER and :PASSWORD. However, because Oracle BI Scheduler Server does not store user passwords, the WHERE clause must be constructed as shown in the following example:
SELECT username, groupname, dbname, schemaname FROM users WHERE username=':USER' NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE
When impersonation is used, everything in the parentheses is extracted from the SQL statement at runtime.
See the Oracle BI Delivers examples in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
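The following added example, which is not part of this guide or of the Oracle BI Server, shows what the NQS_PASSWORD_CLAUSE markers do to the initialization block SQL above and then runs the resulting statement against a constructed external authentication table. It reads the marker handling as: with impersonation the whole parenthesised predicate is removed, and in a normal login only the markers are removed. The sample users, passwords and table contents are constructed, and the example binds the ':USER' and ':PASSWORD' values as SQLite parameters (its own choice) rather than reproducing the server's text substitution. It also splits a semicolon-separated groupname column into the GROUP list, as described in the note on multiple groups.

```python
import re
import sqlite3

# The authentication initialization block SQL from this appendix, as written in
# the repository (the password predicate is wrapped in NQS_PASSWORD_CLAUSE).
AUTH_SQL = (
    "SELECT username, groupname, dbname, schemaname FROM users "
    "WHERE username=':USER' NQS_PASSWORD_CLAUSE(and pwd=':PASSWORD')NQS_PASSWORD_CLAUSE"
)

# Matches the text between the two NQS_PASSWORD_CLAUSE markers, parentheses included.
_PASSWORD_CLAUSE = re.compile(r"NQS_PASSWORD_CLAUSE\((.*?)\)NQS_PASSWORD_CLAUSE", re.DOTALL)


def render_init_block_sql(sql: str, impersonation: bool) -> str:
    """Return the SQL text after the NQS_PASSWORD_CLAUSE markers are processed.

    With impersonation (Oracle BI Scheduler running an Agent, so no user
    password is available) the whole parenthesised clause is dropped. In a
    normal login the markers are removed and the password predicate stays.
    This reading of the markers is an assumption of the example.
    """
    if impersonation:
        return _PASSWORD_CLAUSE.sub("", sql).rstrip()
    return _PASSWORD_CLAUSE.sub(lambda m: m.group(1), sql)


def to_bound_parameters(sql: str) -> str:
    """Turn the ':USER' and ':PASSWORD' placeholders into SQLite named parameters.

    The BI Server substitutes the login values into the SQL text; this example
    binds them instead (an assumption of the example, not server behaviour).
    """
    return sql.replace("':USER'", ":user").replace("':PASSWORD'", ":pwd")


def build_sample_user_table() -> sqlite3.Connection:
    """Constructed external authentication table with semicolon-separated groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, pwd TEXT, groupname TEXT, "
        "dbname TEXT, schemaname TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            ("alice", "s3cret", "BIConsumer;SalesAnalysts", "salesdb", "sales"),
            ("bob", "hunter2", "BIConsumer", "hrdb", "hr"),
        ],
    )
    return conn


def authenticate_with_table(conn, user, password=None, impersonation=False):
    """Run the rendered initialization block SQL and return the session
    variables it populates, or None when no row matches (login rejected)."""
    sql = to_bound_parameters(render_init_block_sql(AUTH_SQL, impersonation))
    params = {"user": user} if impersonation else {"user": user, "pwd": password}
    row = conn.execute(sql, params).fetchone()
    if row is None:
        return None
    username, groupname, dbname, schemaname = row
    return {
        "USER": username,
        # One column, several groups separated by semicolons.
        "GROUP": [g for g in groupname.split(";") if g],
        "dbname": dbname,
        "schemaname": schemaname,
    }


if __name__ == "__main__":
    conn = build_sample_user_table()
    print(render_init_block_sql(AUTH_SQL, impersonation=False))
    print(render_init_block_sql(AUTH_SQL, impersonation=True))
    print(authenticate_with_table(conn, "alice", "s3cret"))
    print(authenticate_with_table(conn, "alice", "wrong"))
    print(authenticate_with_table(conn, "bob", impersonation=True))
```

The impersonation path matches on the user name alone, which is why the guide restricts database authentication to the single connection pool used by the Authentication initialization block: any other block that kept a password predicate outside the markers would fail when the Scheduler runs it without a password.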
The BI Server populates session variables using the initialization blocks in the desired order that are specified by the dependency rules defined in the initialization blocks.
If the server finds the USER session variable, the server performs authentication against an LDAP server or an external database table depending on the configuration of the initialization block with which the USER variable is associated.
Authentication against the identity store configured in Oracle WebLogic Server Administration Console occurs first, and if that fails, then initialization block authentication is used.
You can create a customized authentication module using initialization blocks.
An authenticator is a dynamic link library (DLL), or shared object on UNIX, written by a customer or developer that conforms to the Oracle BI Authenticator API Specification. You can use the authenticator with the BI Server to perform authentication and other tasks at run time. The authentication module is a BI Server module with a cache layer that uses the authenticator and performs related tasks at run time.
You can find sample custom authenticator code in the Oracle BI EE Sample Application downloadable from Oracle Technology Network (OTN).
After you create an authentication object (authenticator plug-in) and specify a set of parameters for the authentication module such as the configuration file path, number of cache entries, and cache expiration time, you must associate the authentication object with an initialization block. You can associate the required USER variable and other variables with the initialization blocks.
When a user logs in, if the authentication is successful, a list of variables is populated as specified in the initialization block.
A custom authenticator is an object in the repository that represents a custom C authenticator plug-in. This object is used with an authentication initialization block to enable the BI Server component to authenticate users against the custom authenticator. The recommended method for authentication is to use Oracle WebLogic Server's embedded LDAP server. You can continue to use custom authenticators.
In the Administration Tool, select Manage, then Identity. Select Custom Authenticators from the navigation tree. Select from the following options:
Right-click in the right pane and select New Custom Authenticator to create a new custom authenticator.
Double-click the name to edit a custom authenticator.
In the Custom Authenticator dialog, complete the necessary fields.
Authenticator plug-in: The path and name of the plug-in DLL for this custom authenticator.
Configuration parameters: The parameters that have been explicitly exposed for configuration for this custom authenticator.
Encrypted parameter: The parameters that have been encrypted, such as passwords for this custom authenticator.
Cache persistence time: The interval at which the authentication cache entry for a logged on user is refreshed, for this custom authenticator.
Number of cache entries: The maximum number of entries in the authentication cache for this custom authenticator, pre-allocated when the Oracle BI Server starts. If the number of users exceeds this limit, cache entries are replaced using the LRU algorithm. If this value is 0, then the authentication cache is disabled.
Click OK.
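The following added example models the two cache settings just described, Cache persistence time and Number of cache entries, so that their effect on how often the plug-in is called can be seen. It is written for this page and is not the Oracle BI Server's authentication module or any part of the Authenticator API; the plug-in is a constructed function over a constructed user list, and the clock is injected so expiry can be driven deterministically. Keying the cache on the user name together with a digest of the presented credential is the example's own choice, made so that a cached successful result is never returned for a different credential.

```python
import hashlib
import time
from collections import OrderedDict


class AuthCache:
    """Hypothetical model of the custom authenticator cache layer.

    number_of_cache_entries: maximum entries; 0 disables the cache.
    cache_persistence_time: seconds before an entry is refreshed by calling
    the plug-in again. When full, the least recently used entry is replaced.
    """

    def __init__(self, number_of_cache_entries, cache_persistence_time, clock=time.monotonic):
        self.capacity = number_of_cache_entries
        self.persistence = cache_persistence_time
        self.clock = clock
        self._entries = OrderedDict()   # (user, credential digest) -> (result, expires_at)
        self.hits = self.misses = self.evictions = 0

    @staticmethod
    def _key(user, credential):
        # Example choice: the credential digest is part of the key so a cached
        # "ok" for one password is never reused for another.
        return (user, hashlib.sha256(credential.encode()).hexdigest())

    def authenticate(self, user, credential, plugin):
        """Return the plug-in's decision, from the cache when a fresh entry exists."""
        if self.capacity == 0:                     # cache disabled: always call the plug-in
            self.misses += 1
            return plugin(user, credential)
        key = self._key(user, credential)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            self._entries.move_to_end(key)         # mark as most recently used
            self.hits += 1
            return entry[0]
        self.misses += 1
        result = plugin(user, credential)
        if entry is not None:
            del self._entries[key]                 # expired entry: refresh it
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)      # full: drop the least recently used
            self.evictions += 1
        self._entries[key] = (result, now + self.persistence)
        return result


# Constructed user list standing in for whatever the plug-in consults.
SAMPLE_DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}


def make_sample_plugin(calls):
    """Constructed authenticator plug-in that records every invocation in `calls`."""
    def plugin(user, credential):
        calls.append(user)
        return SAMPLE_DIRECTORY.get(user) == credential
    return plugin


def run_demo():
    """Exercise hit, miss, LRU eviction and expiry with a controllable clock."""
    now = [0.0]
    cache = AuthCache(number_of_cache_entries=2, cache_persistence_time=60, clock=lambda: now[0])
    calls = []
    plugin = make_sample_plugin(calls)
    results = [
        cache.authenticate("alice", "s3cret", plugin),   # miss: plug-in called
        cache.authenticate("alice", "s3cret", plugin),   # hit
        cache.authenticate("alice", "wrong", plugin),    # different credential: miss, False
        cache.authenticate("bob", "hunter2", plugin),    # miss; cache full, evicts alice/s3cret
        cache.authenticate("alice", "s3cret", plugin),   # miss again; evicts alice/wrong
    ]
    now[0] = 61.0                                        # past the persistence time
    results.append(cache.authenticate("bob", "hunter2", plugin))  # expired: refreshed
    return {
        "results": results,
        "plugin_calls": len(calls),
        "hits": cache.hits,
        "misses": cache.misses,
        "evictions": cache.evictions,
    }


if __name__ == "__main__":
    print(run_demo())
```

With Number of cache entries set to 0 the plug-in is called on every login, which is the behaviour to compare against when checking whether the cache is masking authentication problems in the plug-in itself.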
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables.
Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. See Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
The Administration Tool Session Manager is used in online mode to monitor activity.
The Session Manager shows all users logged in to the session, all current query requests for each user, and variables and their values for a selected session. Additionally, an administrative user can disconnect any users and terminate any query requests with the Session Manager.
How often the Session Manager data is refreshed depends on the amount of activity on the system. To refresh the display at any time, click Refresh.
The Session Manager contains an upper pane and a lower pane:
The top pane, the Session pane, shows users currently logged in to the BI Server. To control the update speed, from the Update Speed list, select Normal, High, or Low. Select Pause to keep the display from being refreshed.
The bottom pane contains two tabs:
The Request tab shows active query requests for the user selected in the Session pane.
The Variables tab shows variables and their values for a selected session. You can click the column headers to sort the data.
The following tables describe the columns in the Session Manager dialog.
Session pane columns:
Column Name | Description
---|---
Client Type | The type of client connected to the server.
Last Active Time | The time stamp of the last activity on the session.
Logon Time | The time stamp that shows when the session initially connected to the BI Server.
Repository | The logical name of the repository to which the session is connected.
Session ID | The unique internal identifier that the BI Server assigns each session when the session is initiated.
User | The name of the user connected.
Request tab columns:
Column Name | Description
---|---
Last Active Time | The time stamp of the last activity on the query.
Request ID | The unique internal identifier that the BI Server assigns each query when the query is initiated.
Session ID | The unique internal identifier that the BI Server assigns each session when the session is initiated.
Start Time | The time of the individual query request.
See Using Variables in the Oracle BI Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
In the Administration Tool, open a repository in online mode and select Manage then Sessions.
Select a session and click the Variables tab.
To refresh the view, click Refresh.
To close Session Manager, click Close.
Follow these steps to disconnect a user from a session.
In the Administration Tool, open a repository in online mode and select Manage then Sessions.
Select the user in the Session Manager top pane.
Click Disconnect.
The user session receives a message that indicates that the session was terminated by an administrative user. Any currently running queries are immediately terminated, and any outstanding queries to underlying databases are canceled.
To close the Session Manager, click Close.
Follow these steps to terminate an active query.
For backward compatibility, this release supports the ability to set application role membership for users using initialization blocks when authentication is performed by initialization blocks.
Note:
You cannot set application role membership using initialization blocks when authentication is performed by Oracle Platform Security Services.
If you have upgraded from a previous release, the best practice is to begin managing catalog privileges and catalog objects using application roles maintained in the policy store.
Oracle Business Intelligence uses the Oracle Fusion Middleware security model, and its resources are protected by a role-based system. This is significant for upgrading users, because the following security model changes affect privileges in the Oracle BI Presentation Catalog:
Authorization is now based on fine-grained JAAS permissions. Users are granted permissions by membership in corresponding application roles.
Users and groups are maintained in the identity store and are no longer maintained in the BI Server.
Privileges continue to be stored in the Oracle BI Presentation Catalog and cannot be accessed from the administrative interfaces used to manage the policy store.
The Everyone Catalog group is no longer available and has been replaced by the AuthenticatedUser application role. Members of the Everyone Catalog group automatically become members of the AuthenticatedUser role after upgrade.
Use these steps to set application role membership for users using initialization blocks.
Initialization blocks to set ROLES or GROUP session variables only function when the user fails to authenticate through an authenticator configured in the WebLogic security realm, and the user instead authenticates through an initialization block.
You must set up an initialization block to set the values of ROLES or GROUP, enabling the BI Server to make the values of both variables the same.
When using an initialization block to set ROLES or GROUP session variables, set the values of the variables to match by name against one or more application roles configured using Fusion Middleware Control, for example, BIConsumer. Users are assigned these application roles and associated permissions during authentication.
See Managing Application Roles and Application Policies Using Fusion Middleware Control.
When using initialization blocks to set ROLES or GROUP session variables, the association of groups to application roles is performed using the logic previously described. Assignment of groups to application roles in the policy store is not used in this case.
See Using Variables in the Oracle BI Repository in the Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
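The following added example puts together the precedence rule stated earlier (the identity store configured in the WebLogic security realm is tried first, and initialization block authentication only when that fails) with the rule in this section that ROLES or GROUP values set by an initialization block are matched by name against configured application roles and that the policy store's group-to-role assignments are not used in that case. It is written for this page and is not Oracle BI Server code: the identity store, policy store, application role names and legacy user table are all constructed dictionaries, and copying GROUP into ROLES when only one of them is set is this example's rendering of the statement that the server makes both values the same.

```python
# Constructed identity store (WebLogic security realm): user -> password and groups.
IDENTITY_STORE = {
    "alice": {"password": "s3cret", "groups": ["Sales"]},
}
# Constructed policy store mapping of identity-store groups to application roles.
POLICY_STORE_GROUP_TO_ROLE = {"Sales": ["BIConsumer", "BIAuthor"]}
# Constructed set of application roles configured in Fusion Middleware Control.
APPLICATION_ROLES = {"BIConsumer", "BIAuthor", "BIServiceAdministrator"}
# Constructed legacy external table used by the authentication initialization block.
LEGACY_TABLE = {
    "bob": {"password": "hunter2", "GROUP": "BIConsumer;LegacyGroup"},
}


def init_block_authenticate(user, password):
    """Stand-in for the authentication initialization block: returns the session
    variables it would populate, or None when the login is rejected."""
    rec = LEGACY_TABLE.get(user)
    if rec is None or rec["password"] != password:
        return None
    groups = [g for g in rec["GROUP"].split(";") if g]
    return {"USER": user, "GROUP": groups}      # only GROUP is set by this block


def resolve_session(user, password, identity_store=IDENTITY_STORE,
                    group_roles=POLICY_STORE_GROUP_TO_ROLE,
                    app_roles=APPLICATION_ROLES, legacy=init_block_authenticate):
    """Authenticate against the identity store first, then the initialization
    block, and report where the user's application roles came from."""
    rec = identity_store.get(user)
    if rec is not None and rec["password"] == password:
        # Roles come from the policy store's group-to-role assignments.
        roles = sorted({r for g in rec["groups"] for r in group_roles.get(g, ())})
        return {"mechanism": "identity_store", "application_roles": roles}

    variables = legacy(user, password)
    if variables is None:
        return None                               # rejected by both mechanisms

    # ROLES and GROUP end up with the same values (example's rendering).
    names = list(variables.get("ROLES") or variables.get("GROUP") or [])
    variables["ROLES"] = variables["GROUP"] = names
    # Values are matched by name against configured application roles; the
    # policy store's group assignments are not consulted on this path.
    matched = [n for n in names if n in app_roles]
    return {
        "mechanism": "init_block",
        "ROLES": variables["ROLES"],
        "GROUP": variables["GROUP"],
        "application_roles": matched,
    }


if __name__ == "__main__":
    print(resolve_session("alice", "s3cret"))
    print(resolve_session("bob", "hunter2"))
    print(resolve_session("alice", "wrong"))
```

A value such as LegacyGroup that matches no configured application role shows up in GROUP and ROLES but confers nothing, which is the case to look for when a legacy user authenticates but lacks expected catalog privileges after an upgrade.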