Most analytics professionals sooner or later touch one part or another of Oracle Analytics Security, but almost none manage to acquaint themselves with every single aspect of it. With the advent of the cloud vs on-premises split of the product line, the topic has become even more interesting territory as the options branch out. This Oracle Analytics Security deep dive covers detailed security topics in OAC and OAS, their usage and application, and compares what differs between them and what is new since OBIEE 12c.
3. www.dimensionality.ch @Nephentur freenode | obihackers slide 3
Christian Berg
• Oracle ACE Director Business Analytics
• Oracle Analytics since 2001
• Speaker at OpenWorld, KScope, User Groups and open-source conferences
• Blogger on Analytics, DWH, Data Science: http://dimensionality.ch
• Telegram/IRC #obihackers moderator
• ODC and OCCC community advocate
• Trainer for Oracle University since 2006
Slide 4: Becky Wagner
• Wife; Mother of 3 (ages 18, 15, and 11)
• ODTUG Analytics Community Leader / ODTUG Board Director
• Oracle ACE
• Managing Director of Analytics at US-Analytics
• 15+ years in IT
• Email: bwagner@us-analytics.com
• Twitter: @Bec_Wagner
• LinkedIn: https://www.linkedin.com/in/becky-wagner/
• IRC Channel (Telegram): #obihackers
• http://bec-wagner.com
Slide 10: Competitors vs Oracle – What do you choose?
(Diagram; only the labels are recoverable.)
• Competitors: global context; less options; on / off; very high level; departmental / user focus
• Oracle: (too) many options; highly configurable; every single object/entity; corporate, 3rd party, department, user
Slide 12: NQuire era 1997 - 2001
• Core BI Server
• Core BI Presentation Server
• Administration Tool with the RPD
• Catalog Manager with the presentation catalog
• Scheduler and Agents
• Core APIs runcat, admintool.exe, NQS calls
• Core list of supported sources
Slide 25: Authentication – to the application world
(Diagram; only the labels are recoverable.)
• WLS LDAP = Application
• Any LDAP or DB tables = Corporate
• Weblogic “principals”
Slide 26: “Back-end” vs “front-end”
(Diagram; only the labels are recoverable.)
Structural, base-line + Turning structure into access and action = Productizing security
Slide 27: Component Access
“Which parts of the platform am I allowed to use?”
• Several places
– Enterprise Manager: Application Policies
– Application Administration
– Historical reasons
• IDCS too, for cloud
• Never think “one place rules all”
Slide 30: Application Policy Control
• Only WLS principals can be tied to policies
• RPD Management
• Essbase (since 11.1.1.7 and dropped after 12c)
• BI Publisher
• Data Visualization (initially Visual Analyzer)
• Data Flows
• Don’t forget these!
• IDCS does things a little bit differently again
Slide 34: Functional Access Summary
• What the user is allowed to access as functionality inside of OBIEE
• Exception: data security related to each subject area permission
– Double security with the RPD presentation layer
– Defines for which subject areas a principal can create new content (analyses, filters, KPIs, prompts etc.)
• Only 2 values:
– Deny: no access at all to the feature
– Grant: allow the user to access the feature
• Take care not to misuse the system role “authenticated-user”!
Slide 35: Functional Access Summary (cont.)
• “Deny” is stronger than “Grant”
– If multiple conflicting rights are defined (users associated with multiple application roles with different privileges) you DO NOT have access (keep this one in mind for later…)
• By default (if not defined) it’s a “Deny”
Slide 36: Object-level Access
“Which analytical objects am I allowed to CRUD?”
• Web catalog permissions
• Secure structure and content
– Folders
– Contained objects
• File system permissions
• Note: OAS and OAC store the catalog in the DB!
Slide 39: Object-level Access (cont.)
• “No access” always wins
– Overrides any explicit access granted otherwise
– Even “Full Control” for BI Administrator loses
– Yes, you can lock yourself out of parts of the catalog!
• In all other cases, the more permissive value wins
– “Write” plus “Read/Open” = “Write”
Slide 41: DV Object-level Access – Data Sets
• OAC Data Sets are another hybrid
• Line between object and data gets blurred
• Often the price to pay with self-service
• Expect more of this blurring!
Slide 42: Metadata-level Access
• Controlled in the Presentation Layer
• Only 4 values
– Read
– Read/Write (requires setup in the BMM)
– No access
– Default (see next slide)
• “Read” is stronger than “No access”
– Conflicts resolve to the more permissive value
• Warning: opposite of the front-end behaviour
• Where the RPD may let you through, the front-end cuts you off
Slide 43: Metadata-level Access (cont.)
• “Default” for Subject Areas:
– Same permission as “Authenticated User”
• All other objects
– Inherit from parent object
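The three conflict-resolution rules on slides 34 to 43 pull in different directions: functional privileges let an explicit Deny win, catalog permissions let “No access” win but are otherwise most-permissive, and the RPD presentation layer is purely most-permissive with “Default” inherited. The Python below is an added example (not part of the deck and not Oracle’s code) that models all three side by side for one user holding several application roles; the role, privilege and object names are constructed, while the permission value names follow the slides.

```python
"""Added example: conflict resolution for the three OBIEE/OAC permission layers.
Functional privileges: Deny beats Grant, nothing defined means Deny.
Catalog (object-level): No Access beats everything, otherwise the most permissive value wins.
RPD presentation layer (metadata-level): the most permissive value wins; "Default" stands for
the Authenticated User value (subject areas) or the parent object's value (other objects).
Role, privilege and object names are constructed for this illustration."""

CATALOG_RANK = {"No Access": 0, "Read/Open": 1, "Write": 2, "Full Control": 3}
RPD_RANK = {"No Access": 0, "Read": 1, "Read/Write": 2}


def resolve_functional(values):
    """values: 'Grant'/'Deny' per application role the user holds (roles without a setting omitted)."""
    if "Deny" in values:
        return "Deny"                          # an explicit Deny on any role wins
    return "Grant" if values else "Deny"       # nothing defined at all is a Deny


def resolve_catalog(values):
    """values: catalog permission per role; 'No Access' wins even over 'Full Control'."""
    if not values:
        return "No Access"                     # assumption for this example: nothing granted, nothing seen
    if "No Access" in values:
        return "No Access"
    return max(values, key=CATALOG_RANK.__getitem__)


def resolve_rpd(values, inherited):
    """values: presentation-layer permission per role, 'Default' allowed;
    inherited: what 'Default' stands for (Authenticated User's value for a subject area,
    the parent object's value for anything else). The most permissive value wins."""
    effective = [inherited if v == "Default" else v for v in values] or [inherited]
    return max(effective, key=RPD_RANK.__getitem__)


def effective_access(user_roles, functional, catalog, rpd, inherited):
    """Collect the values of the user's roles for one privilege, one catalog object and one
    RPD object, then resolve each layer. The three maps go role -> value; roles without an
    entry are skipped."""
    def pick(table):
        return [table[r] for r in user_roles if r in table]

    return {
        "functional": resolve_functional(pick(functional)),
        "catalog": resolve_catalog(pick(catalog)),
        "rpd": resolve_rpd(pick(rpd), inherited),
    }


if __name__ == "__main__":
    # Constructed scenario: a consumer role and a departmental role with conflicting settings.
    result = effective_access(
        ["BIConsumer", "Finance Analyst"],
        functional={"BIConsumer": "Grant", "Finance Analyst": "Deny"},        # one front-end privilege
        catalog={"BIConsumer": "No Access", "Finance Analyst": "Full Control"},  # one shared folder
        rpd={"BIConsumer": "No Access", "Finance Analyst": "Read"},            # one subject area
        inherited="No Access",
    )
    for layer, value in result.items():
        print(f"{layer:10s} -> {value}")
    # The RPD lets this user read the subject area, yet the front end denies the privilege and
    # the folder: the "opposite behaviour" slide 42 warns about.
```

Running it shows the same pair of roles yielding Deny at the privilege level, No Access in the catalog and Read in the RPD, which is why a user can appear to have subject area access in the Administration Tool and still see nothing in the front end.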
Slide 46: Data-level Access – What it really is…
• Dynamic
• Fully baked in
• Security-based
• Rules, rules, rules, rules
• Pretty much all in the RPD
Slide 47: Data-level Access
RPD data filters for application roles and users
Not even the filter criteria are static!
Slide 49: Data-level Access – RPD data filters
• Data filters
– Can filter on any presentation layer or business model layer object
– Can hence force inclusion of filtered dimensions in any object built on a given subject area, even if that object does not reference the dimension at all
Slide 50: Data-level Access – RPD data filters (cont.)
• Query limits
– Temporal restrictions
– Limitations on returned rows
– Maximum execution times
– Direct Database Request permissions
– Detailed permissions managed here win over system-wide permissions and default settings
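To make the two points of slides 49 and 50 concrete, here is an added Python example (not from the deck, not Oracle’s code) of what a data filter and a set of query limits do to a request: a filter on a dimension is appended to every query against the subject area and drags that dimension into the join even when the analysis never selects it, and a role-level limit replaces the system-wide default. The subject area, roles, filters and limits are constructed; how predicates from different roles are combined (AND here) and what happens when two roles set the same limit differently (the more restrictive value, with the conflict reported) are assumptions of this example, not something the slides state.

```python
"""Added example (not from the deck, not Oracle's code): the effect of RPD data filters and
query limits on a request. Subject area, roles, filters and limits are constructed."""

SYSTEM_DEFAULTS = {"max_rows": 100_000, "max_time_min": 10, "direct_db_request": False}

# role -> data filters as (logical table, predicate) and per-role query limits
ROLES = {
    "BIConsumer": {"filters": [], "limits": {}},
    "EMEA Sales": {
        "filters": [("Dim Region", "\"Dim Region\".\"Region\" = 'EMEA'")],
        "limits": {"max_rows": 5_000},
    },
    "Finance": {
        "filters": [("Dim Ledger", "\"Dim Ledger\".\"Ledger\" = 'ACTUAL'")],
        "limits": {"max_rows": 50_000, "direct_db_request": True},
    },
}


def tables_for_query(requested_tables, user_roles):
    """Logical tables the BI Server has to join: those the analysis references plus every
    table one of the user's data filters points at, referenced or not."""
    tables = set(requested_tables)
    for role in user_roles:
        tables.update(table for table, _ in ROLES[role]["filters"])
    return tables


def predicates_for_query(user_roles):
    """Filter predicates appended to the query regardless of which columns it selects."""
    return [pred for role in user_roles for _, pred in ROLES[role]["filters"]]


def resolve_limits(user_roles):
    """Role-level limits override SYSTEM_DEFAULTS. If two roles set the same limit to different
    values the conflict is reported and, as an assumption of this example, the most restrictive
    value is applied (no Direct Database Request if the roles disagree on it)."""
    limits = dict(SYSTEM_DEFAULTS)
    conflicts = {}
    for key in SYSTEM_DEFAULTS:
        values = {ROLES[r]["limits"][key] for r in user_roles if key in ROLES[r]["limits"]}
        if len(values) == 1:
            limits[key] = values.pop()
        elif len(values) > 1:
            conflicts[key] = sorted(values)
            limits[key] = False if key == "direct_db_request" else min(values)
    return limits, conflicts


def plan_query(subject_area, select_columns, requested_tables, user_roles):
    """What the request turns into once the RPD has added its filters and limits."""
    limits, conflicts = resolve_limits(user_roles)
    where = predicates_for_query(user_roles)   # assumption: combined with AND
    logical_sql = f"SELECT {', '.join(select_columns)} FROM {subject_area}"
    if where:
        logical_sql += " WHERE " + " AND ".join(where)
    return {
        "tables": tables_for_query(requested_tables, user_roles),
        "where": where,
        "limits": limits,
        "conflicts": conflicts,
        "logical_sql": logical_sql,
    }


if __name__ == "__main__":
    plan = plan_query("Sales", ['"Fact Sales"."Revenue"'], ["Fact Sales"], ["BIConsumer", "EMEA Sales"])
    print(plan["logical_sql"])
    print("joined tables:", sorted(plan["tables"]))   # Dim Region is forced in by the filter
    print("limits:", plan["limits"])                  # max_rows comes from the role, the rest from defaults
    plan = plan_query("Sales", ['"Fact Sales"."Revenue"'], ["Fact Sales"], ["EMEA Sales", "Finance"])
    print("conflicts to review:", plan["conflicts"])  # two roles disagree on max_rows
```

The conflict report is the part worth keeping in a real review: a user who lands in several departmental roles is exactly the case where the limits you thought you had set stop being the limits in force.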
Slide 51: Data-level Access – Logical Table Source filters
• Dynamic criteria
• But inescapably added to ALL queries
Slide 52: Data-level Access – Physical options
• VPD
• Essbase filters
• Named user credentials
• Connection Scripts
We can *use* these, but they are outside of our control.
Slide 53: Data-level Access – Connection Scripts
• Yes, you can code things
• But we declare, we don’t code
• Very hidden
• Impact invisible in most query logs
• You need your DBA
• Least good choice
Slide 55: Data-level Access – DV
• Much more limited
• Possibilities depend on type
• Should grow
• Unsure if it reaches core “BI”
Slide 57: Data-level Access – Data Sets
• Everything file-based = pure object access
• No additional safety net
Slide 58: Data-level Access – Data Connections
• “It depends”
• List keeps growing
• Check details each release and each type
Slide 69: Customer Case – Enterprise-worthy OAC
• Global Financial Services Firm
• Security is highest priority
• Waited to start project until AD integration
• VPNaaS to Palo Alto NextGen Firewalls
• Private IP Ranges
• Access from within network only
• OAC with IDCS (Identity Cloud)
• Migrating from OBIEE 11g to OAC
• AD integration required (8000+ users, 14000+ groups)
• SSO was highly desirable
Slide 71: AD Bridge
• Must install on a server joined to the AD domain
• User with rights to install software
• User with the following AD rights
– Read for all users and groups in the domain
– Read for all OUs
• If you are using an AD user specifically set up for this AD Bridge, the specific permissions can be found here:
– https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/creating-bridge.html
• Tutorial for AD Bridge
– https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
Slide 72: AD Bridge – Roadmap
1. Download from IDCS
2. Install on a domain-joined server
3. Configure users and groups
4. Import in IDCS
5. Verify
*Note: OAC comes with IDCS Foundation. AD Bridge is in IDCS Basic.
Slide 73: AD Bridge – The More You Know
• Becomes a Windows service. Note that this service is running and starts automatically
• Find the AD Bridge Config Utility in C:\Program Files\IDBridge\IDBridgeUI.exe
• Click on View Logs – highly important to note the log locations
• Each sync run has a limit; it will continue at the configured frequency until fully synced
• Errors will have details in the logs, e.g. a missing email or some other attribute issue
Slide 76: ADFS & SSO – Steps
1. Download the ADFS metadata file
a. https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
b. XML files have tags; if the browser doesn’t show them, right-click and view source, then save
2. IDCS Identity Provider setup
a. Add SAML IDP
b. Name, Next, upload FederationMetadata.xml, Requested NameID – Email Addr, Next, Finish
c. Don’t click Export – use the following URL to download the IDCS metadata XML
d. https://MYTENANT.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
Slide 77: ADFS & SSO – Steps (cont.)
3. In the AD FS management console add a Relying Party Trust
a. Import Metadata.xml, Next, Name, Next Next Next Next, Finish
b. Add Claim Rules
i. Send LDAP Attributes as Claims: Name – Email, Attribute Store – Active Directory, LDAP Attribute – Email Addresses, Outgoing Claim Type – Email Address
ii. Transform an Incoming Claim: Name – Name ID, Incoming – Email Address, Outgoing claim – Name ID, Outgoing format – Email
4. IDCS configuration
a. Drop down – select Activate; drop down again – select Show on Login Page
b. IDP Policies – click Default and then Assign new ADFS
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
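Step 1 of this procedure depends on the downloaded FederationMetadata.xml being the real XML document (not a saved browser rendering) and on the IdP advertising the email NameID format that step 2b requests; the lessons-learned slide later in the deck shows how easily the wrong file gets uploaded. The following Python is an added example (not from the deck, not Oracle’s or Microsoft’s code) that inspects IdP metadata before it goes into IDCS: it confirms the file is a SAML 2.0 EntityDescriptor with an IdP role, lists SSO and logout endpoints, counts signing certificates and checks for the emailAddress NameID format. The embedded metadata is a constructed minimal sample using the contoso placeholder domain from the slide, with a placeholder certificate.

```python
"""Added example (not from the deck, not Oracle's or Microsoft's code): sanity-check an
ADFS SAML 2.0 metadata file before uploading it to IDCS. The sample metadata is constructed."""

import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed minimal IdP metadata; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.contoso.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return a report dict; 'ok' is True only when no problem was found."""
    report = {"ok": False, "entity_id": None, "sso": [], "slo": [],
              "nameid_formats": [], "signing_certs": 0, "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: the browser's rendered page was saved instead of the XML source.
        report["problems"].append(f"not well-formed XML (saved the rendered page instead of the source?): {exc}")
        return report
    if root.tag != f"{{{MD}}}EntityDescriptor":
        report["problems"].append(f"root element is {root.tag}, not a SAML 2.0 EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("entityID missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is not identity-provider metadata")
        return report
    report["nameid_formats"] = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    report["sso"] = [(e.get("Binding"), e.get("Location")) for e in idp.findall("md:SingleSignOnService", NS)]
    report["slo"] = [(e.get("Binding"), e.get("Location")) for e in idp.findall("md:SingleLogoutService", NS)]
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    report["signing_certs"] = len(idp.findall(cert_path, NS))
    if report["signing_certs"] == 0:
        report["problems"].append("no signing certificate: the service provider cannot verify assertions")
    if not report["sso"]:
        report["problems"].append("no SingleSignOnService endpoint")
    if EMAIL_NAMEID not in report["nameid_formats"]:
        report["problems"].append("IdP does not advertise the emailAddress NameID format the IDCS setup requests")
    if any(not (loc or "").startswith("https://") for _, loc in report["sso"] + report["slo"]):
        report["problems"].append("an SSO or logout endpoint is not HTTPS")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_METADATA), ("html page", "<html><body>Sign in</body></html>")]:
        rep = inspect_idp_metadata(text)
        print(f"{name}: ok={rep['ok']} entityID={rep['entity_id']} sso={len(rep['sso'])} "
              f"signing_certs={rep['signing_certs']} problems={rep['problems']}")
```

Point the function at the file downloaded in step 1a; a report with `ok` false and a “not well-formed XML” problem is the view-source mistake from step 1b, and a missing emailAddress NameID format means the IDCS request in step 2b will not be satisfied by this IdP.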
Slide 79: Direct SSO vs Link
Oracle Support Doc ID 2438952.1
OAC/OAAC: How To Disable IDCS Chooser Login Page and Get Redirected to Custom SSO Login Page Directly in Oracle Analytics Cloud (OAC)
Once everything has been confirmed working for the SSO link on the login page:
• IDP Policies
– Remove ADFS from ‘Default Identity Provider Policy’
• Create a new IDP Policy
– Assign ADFS to the policy
– Assign the OAC application(s)
• Configure the application for the redirect URL
– Can be any URL (www.oracle.com); it doesn’t actually affect behavior
Slide 81: Trouble Spots and Lessons Learned
● Sometimes the logs stop while IDCS still shows Active and the service shows running in Windows
● Logs path not in documentation; use the AD Bridge application and View Logs.
● While checking OUs, be sure to expand and check lower levels (default now)
● Username: Email
● IDCS uses SAML 2.0; for Windows 2016 we had to get a different ADFS xml file
● Don’t download the Export IDCS metadata. ADFS needs a special format. Get it from this URL:
● https://DOMAIN.oraclecloud.com/fed/v1/metadata?adfsmode=true
● Security wants users to be authenticated by AD only
● EM, RPD Admin Tool and Weblogic Console still use direct login – can’t use AD users
● Configure IDP Policy
● Sign Out redirects to OAC DV, still signed in. Can configure ADFS global sign-out, then the IDCS sign-out URL
Slide 83: RECAP
● Security sensitive
● IDCS Private IP
● Allows for AD and SSO integration
● Local AD domain-joined server
● Find your logs
● Find your ADFS buddy
● Sign Out – redirects to DV
● Claim Rules only worked with Email
● Remove IDCS Chooser Page
● Still need local login for EM, Weblogic Console and RPD Admin Tool
Getting Fancy: HA AD Bridge – Docker style
https://www.oracle.com/technetwork/articles/idm/gutierrez-idcs-idbridge-3960710.html
Slide 84: Resources
• Full deck with videos – https://www.slideshare.net/secret/qERdzGtv9SZTpj
• Blog about ADFS lab setup – http://bec-wagner.com/2018-10-26-ADFS-and-OAC-lab/
• AD Bridge Tutorial – https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
• ADFS/SSO Tutorial – https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
• Direct Access Oracle Doc – Oracle Support Doc ID 2438952.1