Integrating Oracle Business Intelligence and Oracle Identity Management
When you are deploying Oracle Business Intelligence Enterprise Edition, how you handle identity management is as important as query speed and the quality of your data. A well-architected identity management solution ensures that your users are set up automatically when they first join the organization, that they can quickly access applications and data appropriate for their varied roles, and that personal details and access privileges can be easily managed.
This article focuses on integrating Oracle Business Intelligence Enterprise Edition with two of Oracle's flagship identity management tools: Oracle Internet Directory and Oracle Application Server Single Sign-On. You'll see how to combine the security features of Oracle Business Intelligence Enterprise Edition and Oracle Identity Management to provide granular, secure access to data.
Identity Management in Focus
User identity has its own lifecycle, beginning with the initial hire, continuing through promotions and changes of department or role, and ending when the staff member leaves and that person's application access is removed. Over time, employees typically need access to multiple systems, and their requirement for data access will change with their roles.
Oracle Identity Management is a broad set of products that provides standards-based identity management tools, including Oracle Access Manager, Oracle Application Server Single Sign-On, Oracle Enterprise Single Sign-On Suite, Oracle Identity Federation, Oracle Identity Manager, Oracle Internet Directory, Oracle Virtual Directory, and Oracle Web Services Manager. Oracle Internet Directory is an LDAP v3 directory that leverages the scalability and high availability of Oracle Database to store user and group profiles. Oracle Internet Directory is widely used within Oracle's own applications and middleware tools to provide a single store of identity information. (For an overview of identity management concepts and Oracle Identity Management, see "Access Granted" in the July/August 2006 issue of Oracle Magazine.)
Oracle Business Intelligence Enterprise Edition has its own security infrastructure for user and group management and control of access to datasources, but it can also be integrated with numerous other industry-standard identity management implementations, including Oracle Identity Management.
Oracle Business Intelligence Enterprise Edition includes Oracle Business Intelligence Server, Oracle Business Intelligence Presentation Services, and the Oracle Business Intelligence Administration Tool, plus several other server and desktop applications.
Oracle Business Intelligence Server has a local repository that contains information about the many datasources (data warehouses, data marts, packaged applications, and so on) that business users will have access to via Oracle Business Intelligence Interactive Dashboards.
Oracle Business Intelligence Presentation Services has its own separate security infrastructure of users and groups stored in a separate repository, known as the Web Catalog. Oracle Business Intelligence Interactive Dashboard is the main user interface provided by Oracle Business Intelligence Presentation Services.
When users log in to their respective dashboards, Oracle Business Intelligence Server authenticates their credentials. If an account does not already exist in the Web Catalog, one is created for them. If a user is a member of any groups that have corresponding Web Catalog entries, the user is granted access to these Web Catalog groups and any dashboards to which that person has access.
As you'll see later in this article, the user and group information contained in Oracle Internet Directory can be used to facilitate the same access scenarios.
Oracle Business Intelligence Server makes it possible for privileged users to "impersonate" other users—this functionality is used by Oracle Business Intelligence Presentation Services to implement single-sign-on functionality in various scenarios, including one demonstrated later in this article.
For more information, see Oracle Business Intelligence Presentation Services Administration Guide (chapter 8) and Oracle Business Intelligence Server Administration Guide (chapter 15), available on Oracle Technology Network.
Bringing Identity Management Together
Organizations that have deployed Oracle Identity Management can easily use it to provide Oracle Business Intelligence Enterprise Edition with an integrated, scalable identity management solution across all their reporting needs. This article provides three integration scenarios that demonstrate how to take advantage of powerful features in both products.
Example 1: Leverage Oracle Internet Directory for Oracle Business Intelligence Interactive Dashboard Security steps you through enabling users of Oracle Business Intelligence Interactive Dashboard to connect to their dashboards by using their Oracle Internet Directory logins and passwords.
Example 2: Augment Oracle Internet Directory User Identity with Oracle Business Intelligence Server Security Features shows you how the features in Oracle Business Intelligence Server can provide granular, row-level control over report data to users authenticated with Oracle Internet Directory.
Example 3: Streamline Access to Oracle Business Intelligence by Using Oracle Single Sign-On steps you through configuring Oracle Business Intelligence Enterprise Edition to leverage Oracle Application Server Single Sign-On as a partner application. Business users will then be able to access Oracle Business Intelligence Server functionality by using the same user account as for other applications and will be able to access their Oracle Business Intelligence Server dashboards based on group membership.
The examples in this article are based on these specific releases:
* Oracle Business Intelligence Enterprise Edition 10.1.3.2, installed with the Advanced Security option, which enables the necessary components (Web Bridge servlet, JMX Bean Server, and Oracle Business Intelligence Publisher) to be installed in Oracle Application Server 10.1.3 (rather than the default Oracle Containers for J2EE [OC4J]). In general, Oracle Application Server is recommended for Oracle Business Intelligence Enterprise Edition running in production environments.
* Oracle Identity Management and Oracle Application Server Metadata Repository, installed as part of an Oracle Application Server 10.1.2 infrastructure deployment. (Oracle Identity Management 10.1.4.0.1 includes many enhancements and bug fixes and is bundled as a single download of all installation components—Oracle Application Server infrastructure, Oracle Database Server, and so on.)
In addition to the required products, note these other requirements:
* Servers on which the various components are installed must have fully qualified domain names (FQDNs) to support the single-sign-on scenario.
* If you are using dynamic host configuration protocol (DHCP) for network addresses on Microsoft Windows platforms, be sure to configure the Microsoft Loopback Network Adapter before installing any of the software. See the respective product installation guides for details.
* Before making changes to existing configuration files (instanceconfig.xml, for example) as described in any of the examples, make a backup of the file for safekeeping.
* The examples assume that you have an Oracle Internet Directory instance installed and configured. To set up the connection between Oracle Business Intelligence Server authentication and Oracle Internet Directory, the user accounts must exist in Oracle Internet Directory. To create user accounts,
1. From a Web browser, navigate to the Oracle Identity Management Provisioning Console:
2. Click the Directory tab to activate the user setup page. Set up user accounts as necessary.
Example 1: Leverage Oracle Internet Directory for Oracle Business Intelligence Interactive Dashboard Security
In this first example, you connect Oracle Business Intelligence Server to Oracle Internet Directory so that your Oracle Business Intelligence Interactive Dashboard users can authenticate with their Oracle Internet Directory login and password. At runtime, when a business user logs in, Oracle Business Intelligence Server authenticates the user against Oracle Internet Directory and retrieves the user's group membership from the directory; Oracle Business Intelligence Presentation Services then uses that group value to match the user to Web Catalog groups.
This example is based on using Oracle Internet Directory exclusively to manage user IDs and group membership. You can, however, also use Security Manager in the Oracle Business Intelligence Administration Tool to import details of users and groups directly into the Oracle Business Intelligence Server repository and then keep these details up to date through either the LDAP synchronization feature of Security Manager or Oracle Directory Integration Platform, provided with Oracle Internet Directory. (Oracle Directory Integration Platform enables you to create a workflow that adds users to the Oracle Business Intelligence Server repository as soon as they are provisioned in Oracle Internet Directory.) See Oracle Business Intelligence Enterprise Edition Deployment Guide for more details about the other configuration options.
To enable authentication against Oracle Internet Directory, you create an "initialization block" that runs when the user logs in and retrieves that user's details from Oracle Internet Directory. Because it must run once per login, the initialization block is defined at the session level.
Variable Manager in the Oracle Business Intelligence Administration Tool is where you define repository variables and session variables; a session-level initialization block is what populates session variables.
To create the initialization block, launch Variable Manager from the Oracle Business Intelligence Administration Tool, as follows:
1. Launch the Oracle Business Intelligence Administration Tool.
(For example, click Start -> Programs -> Oracle Business Intelligence -> Administration.)
2. From the Manage menu, select Variables... to launch Variable Manager.
3. In the left-hand pane, under Session, click Initialization Blocks.
4. In the right-hand pane of Variable Manager, right-click and select New Initialization Block... (see Figure 1) to display the Session Variable Initialization Block editor.
5. Name the variable Authenticator.
6. Click Edit Data Source... to create a new LDAP datasource.
7. Using the LDAP Server dialog box, enter the following connection details:
Host name = name of server hosting Oracle Internet Directory
Port = 389
Base DN = dc=, dc=
Bind DN = cn=orcladmin
Bind Password =
LDAP Version = 3
8. Click Test Connection to ensure that everything is working correctly.
After establishing the connection to Oracle Internet Directory, you must map Oracle Business Intelligence Server internal variables to Oracle Internet Directory LDAP variables, as follows:
1. Return to the Session Variable Initialization Block editor.
2. Click Edit Data Target....
3. Using the Session Variable Initialization Block Data Target dialog box, map these three Oracle Business Intelligence Server variables to their respective Oracle Internet Directory LDAP variables:
USER = uid
GROUP = departmentnumber
PASSWORD = userpassword
You can disregard the warnings that appear when you use the variable names USER and PASSWORD (the PASSWORD mapping is optional). The Administration Tool warns because the initialization block assigns values directly to these internal, reserved Oracle Business Intelligence Server variables. Leave the PASSWORD mapping out in a production environment: Oracle Business Intelligence Server authenticates the user by binding to Oracle Internet Directory with the credentials the user supplies at login, so there is no need to read the userpassword attribute into a session variable.
4. Click OK to save the variable target definition.
5. Click OK again to create the initialization block.
Note that instead of using the LDAP uid attribute to establish a user's identity, you can use the orclguid attribute, which guarantees uniqueness even when a user is deleted from Oracle Internet Directory and another one is created with the same name. However, for the example, we use the uid attribute, which makes Web Catalog paths a little more readable (at the risk of new users colliding with deleted users). You can also create additional variable bindings for the user's e-mail address (MAIL) or other LDAP attributes.
6. Click OK to redisplay the Session Variable Initialization Block dialog box.
7. Check the Required for Authentication check box to require all users (except for the administrator user) to authenticate via the Oracle Internet Directory server. (If you leave the check box deselected, users not held in Oracle Internet Directory will still be able to authenticate if their details are present in the Oracle Business Intelligence Server repository.)
8. Restart Oracle Business Intelligence Server.
Test the setup by having one of your users log on to Oracle Business Intelligence Interactive Dashboard with his or her Oracle Internet Directory credentials. The user should be granted access to dashboards according to the Web Catalog group whose name matches the value retrieved from the departmentnumber attribute of the user's Oracle Internet Directory profile.
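The following Python model of the Example 1 login path is an added example, not code from the article or from Oracle. It stands in for what the Authenticator initialization block does: search the Base DN for the user's uid, bind as that user's DN with the password supplied at login, and fill the USER and GROUP session variables from uid and departmentnumber. The in-memory dictionary replaces Oracle Internet Directory, the Base DN dc=example,dc=com, the user entries, the orclguid values and the Web Catalog group names are all assumed. It also shows the two behaviours the steps above ask you to decide on: what the Required for Authentication check box changes for accounts that exist only in the repository, and why keying USER on uid rather than orclguid lets a re-hired uid inherit the departed user's Web Catalog folder.

```python
"""Model of the Example 1 login path: a session-level initialization block
binds to Oracle Internet Directory with the dashboard user's credentials and
fills the USER and GROUP session variables from LDAP attributes.
Constructed example, not Oracle code: the dict below stands in for the
directory; the Base DN, entries and orclguid values are assumed."""
import hashlib
from typing import Dict, Optional, Tuple

BASE_DN = "dc=example,dc=com"                 # assumed; the article elides the real suffix
WEB_CATALOG_GROUPS = {"Eastern", "Northern"}  # groups that exist in the Web Catalog (assumed)


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def _entry(uid: str, department: str, guid: str, password: str) -> Dict[str, str]:
    return {"uid": uid, "departmentnumber": department,
            "orclguid": guid, "userpassword": _pw_hash(password)}


# Constructed directory contents keyed by DN (orclguid values are made up).
DIRECTORY = {
    f"cn=jdoe,cn=users,{BASE_DN}": _entry("jdoe", "Eastern", "0f3a9c1e", "welcome1"),
    f"cn=asmith,cn=users,{BASE_DN}": _entry("asmith", "Northern", "7b21d4aa", "welcome2"),
}
# Accounts defined only in the BI Server repository through Security Manager.
REPOSITORY_USERS = {"Administrator": _pw_hash("Administrator")}


def ldap_search(uid: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Search the Base DN subtree for (uid=<uid>); return (dn, attrs) or None."""
    for dn, attrs in DIRECTORY.items():
        if attrs["uid"] == uid:
            return dn, attrs
    return None


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind as the user's own DN: the directory, not BI Server, checks the password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userpassword"] == _pw_hash(password)


def run_init_block(username: str, password: str, required_for_authentication: bool = True,
                   identity_attr: str = "uid") -> Optional[Dict[str, object]]:
    """Return the session variables the Authenticator block would set, or None on failure.

    identity_attr is the LDAP attribute mapped to USER (uid in the article, orclguid as
    the alternative it mentions). With required_for_authentication False, a user absent
    from the directory may still log in with repository credentials, as the article notes."""
    found = ldap_search(username)
    if found is not None:
        dn, attrs = found
        if not ldap_bind(dn, password):
            return None
        group = attrs["departmentnumber"]
        return {"USER": attrs[identity_attr], "GROUP": group,
                "WEB_CATALOG_GROUPS": {group} & WEB_CATALOG_GROUPS, "SOURCE": "oid"}
    if not required_for_authentication and REPOSITORY_USERS.get(username) == _pw_hash(password):
        return {"USER": username, "GROUP": None, "WEB_CATALOG_GROUPS": set(), "SOURCE": "repository"}
    return None


def catalog_home(session: Dict[str, object]) -> str:
    """Web Catalog home folder path derived from the USER session variable."""
    return f"/users/{session['USER']}"


def rehire_collision() -> Tuple[bool, bool]:
    """Delete jdoe and create a different person with the same uid and a fresh orclguid.
    Returns whether the new user's catalog path equals the old one when USER is keyed
    on uid and when it is keyed on orclguid."""
    old_by_uid = catalog_home(run_init_block("jdoe", "welcome1"))
    old_by_guid = catalog_home(run_init_block("jdoe", "welcome1", identity_attr="orclguid"))
    dn, _ = ldap_search("jdoe")
    del DIRECTORY[dn]                                                    # user leaves
    DIRECTORY[dn] = _entry("jdoe", "Eastern", "e99d2b10", "newpass1")   # new hire, same uid
    new_by_uid = catalog_home(run_init_block("jdoe", "newpass1"))
    new_by_guid = catalog_home(run_init_block("jdoe", "newpass1", identity_attr="orclguid"))
    return old_by_uid == new_by_uid, old_by_guid == new_by_guid


if __name__ == "__main__":
    print(run_init_block("jdoe", "welcome1"))
    print("same catalog path by uid, by orclguid:", rehire_collision())
```

Run it once to see the session variables a successful Oracle Internet Directory login produces, then note the result of rehire_collision(): keyed on uid the new hire lands in the old user's /users/jdoe folder, keyed on orclguid the two identities stay apart. Whichever attribute you choose, leaving Required for Authentication unchecked is what allows repository-only accounts such as Administrator to bypass the directory, so check it unless you need that fallback.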
Example 2: Augment Oracle Internet Directory User Identity with Oracle Business Intelligence Server Security Features
In this example, you create groups within Oracle Business Intelligence Server and apply row-level security to the groups so that users have role-based data access, regardless of how they log on (through Security Manager or through Oracle Internet Directory).
First, create the groups in Oracle Business Intelligence Server, by using the Oracle Business Intelligence Administration Tool.
1. From the Oracle Business Intelligence Administration Tool main menu, select Manage -> Security to launch Security Manager.
2. From within the left-hand pane of Security Manager, select Groups.
3. Add a group whose name matches the group value held in Oracle Internet Directory (the departmentnumber attribute mapped to GROUP in Example 1).
4. Repeat for each group, so that the Oracle Business Intelligence Server group names match both the groups already created in the Oracle Business Intelligence Presentation Services Web Catalog and the group names used within Oracle Internet Directory.
5. Once you have created the groups, use the User Group/Permissions dialog box to create and apply one or more filters to the tables available to each group, thus limiting access.
For example, you can create a filter to limit members of the Eastern group so that they see data on customers from New York and Massachusetts only (see Figure 2). Each filter defines the data the user can see. Filters are cumulative: users belonging to both the Northern and Eastern groups will see data for customers in states in the north and the east.
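The following Python model of the group filters in Example 2 is an added example, not code from the article or from Oracle. It builds the WHERE clause a group filter contributes for a Customers table and evaluates the result for a user in one group, in two groups, and in none. The Eastern filter (New York and Massachusetts) follows the article; the rows, the Northern group's states, and the column name Customers.State are assumed. Group filters only ever narrow a query, so the model treats a user who is in no filtered group as unrestricted; that is the case to test for in your own repository, because a user whose departmentnumber matches none of your filtered groups would see every row.

```python
"""Model of Example 2: per-group security filters on a Customers table in the
BI Server repository and how they combine for a user in several groups.
Constructed example, not Oracle code: the rows, the Northern group's states
and the column name Customers.State are assumed."""
from typing import Dict, Iterable, List, Optional

# Constructed rows standing in for the Customers table.
CUSTOMERS = [
    {"name": "Acme", "state": "NY"},
    {"name": "Bolt", "state": "MA"},
    {"name": "Cedar", "state": "MN"},
    {"name": "Delta", "state": "TX"},
    {"name": "Echo", "state": "WI"},
]

# Filters as entered in the User/Group Permissions dialog: group -> states it may see.
# Eastern follows the article; Northern's states are assumed. A group absent from
# this map has no filter on Customers.
GROUP_FILTERS: Dict[str, List[str]] = {
    "Eastern": ["NY", "MA"],
    "Northern": ["MN", "WI"],
}


def _quote(state: str) -> str:
    # Filter values come from the repository, not from the user, but restrict them
    # to two-letter state codes so a stray quote can never break the clause.
    if not (state.isalpha() and len(state) == 2):
        raise ValueError(f"not a state code: {state!r}")
    return f"'{state}'"


def filter_clause(groups: Iterable[str]) -> Optional[str]:
    """WHERE clause the server adds for a user in `groups`; None means unrestricted.

    Filters from different groups are combined with OR, so more groups means more
    rows. A group with no filter on the table imposes no restriction, which in this
    model makes the whole clause disappear."""
    clauses = []
    for group in groups:
        if group not in GROUP_FILTERS:
            return None
        states = ", ".join(_quote(s) for s in GROUP_FILTERS[group])
        clauses.append(f"Customers.State IN ({states})")
    return " OR ".join(clauses) if clauses else None


def visible_customers(groups: Iterable[str]) -> List[str]:
    """Customer names a user in `groups` would see in a report on Customers."""
    groups = list(groups)
    allowed = set()
    for group in groups:
        if group not in GROUP_FILTERS:
            return [c["name"] for c in CUSTOMERS]   # unfiltered group: sees everything
        allowed.update(GROUP_FILTERS[group])
    if not groups:
        return [c["name"] for c in CUSTOMERS]       # no groups: nothing restricts the query
    return [c["name"] for c in CUSTOMERS if c["state"] in allowed]


if __name__ == "__main__":
    for membership in (["Eastern"], ["Eastern", "Northern"], [], ["Sales"]):
        print(membership, filter_clause(membership), visible_customers(membership))
```

The Eastern-only user sees Acme and Bolt; an Eastern plus Northern user sees the union, as the article describes; the empty membership and the unfiltered Sales group both return every customer, which is the outcome to guard against when a directory group has no matching filtered group in the repository.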