Escolar Documentos
Profissional Documentos
Cultura Documentos
Security Overview
Dan Malone
December 5, 2008 1
Session Overview
December 5, 2008 2
Security From 30,000 Feet
■ Identification
■ Authentication
■ Authorization
■ Audit
December 5, 2008 3
Consistent Security Across Applications
■ PeopleSoft
■ Data Warehouse
■ OBIEE
– BI Server
– Presentation Services
» Answers
» Dashboards
December 5, 2008 4
Identification/Authentication
■ Identification
– Common USERNAME across all
■ Authentication
– Web Single Sign-On (CAS)
» PeopleSoft
» OBIEE Presentation Services
December 5, 2008 5
CAS Integration with OBI
■ Need slides from David K.
December 5, 2008 6
CAS Integration
Soulwing CAS Client Cal Poly Developed Filter OBI Single Sign-On
http://www.soulwing.org/ Copies Session USERNAME Tells OBI to get
Gets USERNAME into Session into Request Header REMOTE_USER
REMOTE_USER from Request Header
December 5, 2008 7
Single Sign-On
■ Create Impersonator Admin account in
Repository
■ USER Session Variable
■ Session Initialization Block
select lower(':USER') from dual
December 5, 2008 8
Issues with Web Single Sign-On
■ Can not use database security
– Proxy User
■ How to perform administrative tasks
– Include a local Role in Presentation Server
Administrators
– Method to login as Administrator user
» Password on URL
https://server/analytics/saw.dll?nquser=Administrator&nqpassword=<password>
December 5, 2008 9
Authorization
■ Privileges
■ Web Catalog
– Objects
– Permissions
■ Groups
December 5, 2008 10
Authorization: Privileges
■ Access
■ Admin
■ Catalog
■ Dashboards
■ Answers
■ My Account
■ Subject Area XXXX
■ View XXXX
December 5, 2008 11
Privileges: Things to Remember
■ Most default to Everyone
■ Don’t remove Personal Storage before
creating a default Dashboard
■ New Subject Area will not show up until
someone starts Answers
■ Privileges can not be migrated
December 5, 2008 12
Privileges: Demo
DEMO
December 5, 2008 13
Authorization: Web Catalog Objects
for Dashboards
■ Folder
– Dashboard
» Page
■ Request
December 5, 2008 14
Authorization: Web Catalog Objects
for Answers
■ Subject Area
■ Folder
■ Request
December 5, 2008 15
Authorization: Web Catalog Permissions
■ No Access
■ Traverse
■ Read
■ Change/Delete
■ Full Control
December 5, 2008 16
Authorization: Groups
■ BI Server/Repository Security
– Groups
■ Presentation Services Security
– Web Groups
December 5, 2008 17
Authorization: Groups
PeopleSoft
Finance Data
Roles Warehouse
Roles
PeopleSoft Consolidated
HCM Roles
Roles Tables
Presentation
BI Server
Other Services
Groups
Application Web Groups
Roles
December 5, 2008 18
Groups via Session Variables: Step 1
■ Set up Oracle Table/View for Groups
CP_USERNAME NAME VALUE
dbrothwe@calpoly.edu DISPLAYNAME Debbie
dbrothwe@calpoly.edu EMAIL dbrothwe@calpoly.edu
dbrothwe@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu GROUP ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu GROUP BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu GROUP WAREHOUSE_USER
gyelland@calpoly.edu DISPLAYNAME George
gyelland@calpoly.edu EMAIL gyelland@calpoly.edu
gyelland@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
gyelland@calpoly.edu GROUP POLYDATA_SUPPORT_RL
gyelland@calpoly.edu GROUP WAREHOUSE_USER
December 5, 2008 19
PAUSE – Session Variables Tables
Groups
Other Variables
Display Name
Email Address
Session
Variables
v
December 5, 2008 20
Groups via Session Variables: Step 2
■ Session Initialization Block
– Row-wise initialization
– No Caching
– Execution Precedence
select name, value from
dwadmin.obiee_session_variables
where cp_username = lower(':USER')
December 5, 2008 21
Session Variables Initialization Block
December 5, 2008 22
Groups via Session Variables: Step 3
■ Create OBI Groups
– BI Server
» Group
– Presentation Services
» Web Group
December 5, 2008 23
Groups: Things to Remember
■ Do not manually grant BI Server Groups
to Users
■ Group and Web Group must be exactly
the same name
December 5, 2008 24
Groups: Demo
DEMO
December 5, 2008 25
Authorization: Dashboards
■ Create a folder for each Subject Area
■ Create a sub-folder for each Page
– Requests
■ Each Dashboard has the same
permissions
■ Each Page on the Dashboard has the
same permissions
December 5, 2008 26
Authorization: Things to Remember
■ Object Owner ALWAYS has Full Control
– Set Owner to Administrator
■ Permission Inheritance… Sort of.
■ Apply changes to sub-folders
– Web Based Tool Default: YES
– Windows Based Tool Default: NO
■ Special user: System Account
December 5, 2008 27
Recommendations
■ Keep it simple!
■ Assign permissions to groups only
■ Assign permissions at the folder level
– Everything in a folder has the same
permissions
December 5, 2008 28
Authorization: Demo
DEMO
December 5, 2008 29
Row Level Security
■ What data drives Row Level Security?
– PeopleSoft DEPTID
December 5, 2008 30
Row Level Security: Step 1
■ Create Oracle Table/View for DEPTIDs
CP_USERNAME NAME VALUE
dbrothwe@calpoly.edu DISPLAYNAME Debbie
dbrothwe@calpoly.edu EMAIL dbrothwe@calpoly.edu
dbrothwe@calpoly.edu GROUP ALL_FINANCIAL_TABLES_RL
dbrothwe@calpoly.edu GROUP ALL_RSOL_TABLES_RL
dbrothwe@calpoly.edu GROUP BI_REQUEST_DEVELOPER_FIN_RL
dbrothwe@calpoly.edu GROUP WAREHOUSE_USER
dbrothwe@calpoly.edu HR_DEPTID 100100
dbrothwe@calpoly.edu HR_DEPTID 100200
dbrothwe@calpoly.edu HR_DEPTID 100300
dbrothwe@calpoly.edu HR_DEPTID 100400
dbrothwe@calpoly.edu HR_DEPTID 100500
December 5, 2008 31
PAUSE – Session Variables Tables
Groups
Other Variables
Display Name
Email Address
Session
Variables
HR
v
DEPTIDs
Finance
DEPTIDs
Finance
FUNDs
December 5, 2008 32
Session Variables Table
December 5, 2008 33
Row Level Security: Step 2
December 5, 2008 34
Row Level Security: Step 3
■ Open the Logical Data Source
– In the business model layer, not the physical layer
December 5, 2008 35
Row Level Security: Step 4
■ Add the appropriate where
statement to limit rows based
on the new session variable.
– Use the expression builder
to generate the code.
– Since the HR_DEPTID is a
dynamic session variable, it
does not show up in the list
of available variables.
– Select the USER variable to
generate the code, then
change the variable name to
HR_DEPTID.
December 5, 2008 36
Row Level Security: Demo
DEMO
December 5, 2008 37
Become Another User
■ See what a dashboard looks like when a
different user logs in
– Don’t as for their password!
■ All security is now based on session variables
coming from Oracle tables
■ When a user logs in we can change
everything about them
■ Exceptions
– Cannot change a persons username
– Object owner always has full control
December 5, 2008 38
PAUSE – Session Variables Tables
Groups
Other Variables
Display Name
Email Address
Session
Variables
HR Session
v v
DEPTIDs Variables
Security
Override
Finance
DEPTIDs
Finance
FUNDs
December 5, 2008 39
Security Override Table
■ Simple table with two columns
– CP_USERNAME
– BECOME_CP_USERNAME
December 5, 2008 40
Become Another User: Demo
DEMO
December 5, 2008 41
Security Audit
■ WARNING
http://propellerheadhats.com/
December 5, 2008 42
Security Audit – Requirements
■ Need an easy way to find differences between
two web catalogs
– Users
– Groups
– Permissions
– Privileges
■ Check ownership of Web Catalog Objects
■ We want to know why it works the way it does
December 5, 2008 43
Security Audit – Has it been done before?
■ Built-In?
– NO!
■ Consultants
– “That’s been an internal challenge for us
and we haven't been able to locate the files
where that is stored”
■ Google
– No Luck…
December 5, 2008 44
Security Audit
■ Web Catalog is just files and folders on the
OS file system
■ File/Folder name is based on OBI display
name
– URL encoded and lower case
» Object Name => object+name
■ Every file and folder of the catalog has an
associated “.atr” file
– object+name
– object+name.atr
December 5, 2008 45
Security Audit
■ Binary Files
– Linux command to hex dump a binary file
» xxd
$xxd presentation+server+administrators
0000000: 0200 017c bc61 aacd bb2a 8a ...\|.a...*.
$xxd presentation+server+administrators.atr
0000000: 8000 0c00 2200 0000 7072 6573 656e 7461 ...."...presenta
0000010: 7469 6f6e 2073 6572 7665 7220 6164 6d69 tion server admi
0000020: 6e69 7374 7261 746f 7273 0600 01ff ffff nistrators......
0000030: ffff ffff ff01 0001 feff ffff ffff ffff ................
0000040: 0300 0000 0e00 0000 6163 636f 756e 7469 ........accounti
0000050: 6e64 6578 2131 0200 0000 0000 0000 ndex!1........
December 5, 2008 46
Security Audit – Users and Groups
■ Users
– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu
– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu.atr
■ Groups
– <catalog_root>/system/security/groups/523/presentation+server+administrators
– <catalog_root>/system/security/groups/523/presentation+server+administrators.atr
■ Account IDs
– <catalog_root>/system/accountids/699/32539c1d5ffdb65b
– <catalog_root>/system/accountids/699/32539c1d5ffdb65b.atr
December 5, 2008 47
Security Audit – Privileges
■ <catalog root>/system/privs
– /catalog
» /changepermissionsprivilege
» /changepermissionsprivilege.atr
» /maintenancemodeprivilege
» /maintenancemodeprivilege.atr
– /generalprivs
» /global+admin
» /global+admin.atr
» /global+answers
» /global+answers.atr
» /global+portal
» /global+portal.atr
– /security
» /administerprivs
» /administerprivs.atr
» /takeownershipprivs
» /takeownershipprivs.atr
– /…
» /…
December 5, 2008 48
Security Audit – Privileges
■ privilege file
– The number of accounts granted this privilege is located at byte 12.
– The account list starts at byte 13.
» Each account listed contains 13 bytes
» The first 2 bytes always seems to be 00 01
» The next 8 bytes are the HEX ID of the account
» The next 2 bytes determine if the privilege is granted or explicitly denied
◊ FF FF - Granted (for the first entry in the list)
◊ 01 00 - Granted (for other entries in the list)
◊ 00 00 - Explicitly denied
» The next byte always seems to be 00
■ privilege.atr file
– Byte 5 contains the length of the display name.
– Byte 9 is where the display name starts.
December 5, 2008 49
Security Audit – Permissions
■ object+name.atr file
– Byte 4 Contains the length of the object name that starts on Byte 8
– Byte 8 Start of the name of the object in nice form, including caps and
spaces.
– Byte (11 + value of Byte 4) - Contains the HEX ID of the owner of this object
- 8 Bytes
– Byte (19 + value of Byte 4) - Contains the number of permissions that have
been assigned, in our case to groups.
– Next, each of the permission is represented in a 13 byte block.
» The first 2 bytes seems to always be 00 01
» The next 8 bytes of the 12 byte block contains the HEX ID of the user or group.
» The next 2 bytes of the 12 byte block contains the permission granted.
◊ FF FF - Full Control
◊ 0F 00 - Change/Modify
◊ 03 00 - Read
◊ 02 00 - Traverse
◊ 00 00 - No Access
» The last byte seems to always be 00
December 5, 2008 50
Security Audit – Perl saves the day
■ Script traverses the ‘important’ branches of
the web catalog
■ Parses and collects security information
■ Loads into Oracle tables
– obiee_security_aud_accounts
– obiee_security_aud_group_mem
– obiee_security_aud_objects
– obiee_security_aud_object_perm
– obiee_security_aud_privs
December 5, 2008 51
Security Audit – Queries
■ Objects without proper ownership
■ Differences between two catalogs
– Users and Groups
– Group memberships
– Object differences
– Object Permissions
– Privileges
December 5, 2008 52
Security Audit: Demo
DEMO
December 5, 2008 53
Questions?
December 5, 2008 54
PAUSE – Session Variables Tables
Groups
Other Variables
Display Name
Email Address
Session
Variables
HR Session
v v
DEPTIDs Variables
Security
Override
Finance
DEPTIDs
Finance
FUNDs
December 5, 2008 55
Contact
■ OBIEE Technical Conference:
http://polydata.calpoly.edu/dashboards/obiee_conf/index.html
■ Email: polydata@calpoly.edu
December 5, 2008 56