Oracle Analytics Security Everything you always wanted to know

www.dimensionality.ch @Nephentur freenode | obihackers slide 1
Oracle Analytics Security
Everything you always wanted to know
Episode 2 – May 4th-6th 2020 – The ACEs Strike Back

SECURITY

• Oracle ACE Director Business Analytics
• Oracle Analytics since 2001
• Speaker at OpenWorld, KScope,
User Groups and open-source conferences
• Blogger on Analytics, DWH, Data Science
http://dimensionality.ch
• Telegram/IRC #obihackers moderator
• ODC and OCCC community advocate
• Trainer for Oracle University since 2006
Christian Berg

• Wife; Mother of 3 (ages 18, 15, and 11);
• ODTUG Analytics Community Leader / ODTUG Board Director
• Oracle ACE
• Managing Director of Analytics at US-Analytics
• 15+ years in IT
• Email: bwagner@us-analytics.com
• Twitter: @Bec_Wagner
• LinkedIn: https://www.linkedin.com/in/becky-wagner/
• IRC Channel (Telegram): #obihackers
• http://bec-wagner.com
Becky Wagner

Becky Wagner

3 Membership Tiers
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts
Helping Peers Globally
Connect:
Nominate yourself or someone you know: acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
oracle-ace_ww@oracle.com

Outline
• Global Context
• Covered Products and Areas
• Security Concepts
• IDCS added to the mix
• Nit-picking: Technical deep-dive SSO with OAC

Outline
• Global Context

Global Context
https://www.google.com/search?q=vast+and+complex

Global Context
Less options
On / Off
Very high level
(Too) Many
options
Highly
configurable
Every single
object/entity
Competitors vs Oracle – What do you choose?
Departmental
/ user focus
Corporate, 3rd Party,
Department, User

Historical growth

NQuire era 1997 - 2001
• Core BI Server
• Core BI Presentation Server
• Administration Tool with the RPD
• Catalog Manager with the presentation catalog
• Scheduler and Agents
• Core APIs runcat, admintool.exe, NQS calls
• Core list of supported sources

Siebel era 2001 - 2006
• Catalog Groups
• Marketing integration
• Action Framework
• Source extensions

Oracle era 2006 - today
• BI Publisher integration
• Web Services
• MBeans
• Weblogic integration
• Essbase + other Hyperion products
• Scorecarding and Strategy Management
• Source extensions
• Dat Visualization (ex Visual Analyzer)
• Data Flows
• Data Engineering
• External Data Sets (XSA)
• ...

Outline
• Global Context

Covered Products
* 12.2.1.4 * OAC 5.5 * OAS 5.5

Covered Areas
• Basic OA* Security Concepts
• Corporate Security to App Security
• “Back-end” and “front-end” parts
• Details galore

How deep can we actually go with this

Outline
• Global Context

Security Concepts Simplified
Authentication
Component Access
Object-level Access
Functional Access
Metadata-level
Access
Data-level
Access

Security Principals Simplified
Users
Groups
Application
Roles

Catalog groups (for completeness)
• The “other application role”
– OBIEE 10g
– Siebel Analytics 7.x and 6.x
• Existed for backwards
compatibility.
• Dead and buried!
• Please upgrade ASAP

Authentication

Authentication
TO THE APPLICATION WORLD
WLS
LDAP
any
LDAP
DB tables
=
=
Application
Corporate
Weblogic “principals”

“Back-end” vs “front-end”
Turning structure into access and action
Productizing security
+
Structural, base-line

Component Access
“Which parts of the platform am I allowed to use?”
• Several places
– Enterprise Manager: Application Policies
– Application Administration
– Historical reasons
• IDCS too, for cloud
• Never think “one place rules all”

Application roles

Application Policies

Application Policy Control
• Only WLS principals can be tied to policies
• RPD Management
• Essbase (since 11.1.1.7 and dropped after 12c)
• BI Publisher
• Data Visualization (initially Visual Analyzer)
• Data Flows
• Don’t forget these!
• IDCS does things a little bit differently again

Functional Access
+

Functional Access

Functional and Data Access - Hybrid
“Based on which data am I allowed to BUILD things?”

Functional Access Summary
• What the user is allowed to access as functionality inside of OBIEE
• Exception: data security related to each subject area permission
– Double security with the RPD presentation layer
– Defines for which subject areas a principal can create new content
(analyses, filters, KPIs, prompts etc.)
• Only 2 values:
– Deny: no access at all to the feature
– Grant: allow user to access the feature
• Pay attention to not wrongly use the system role “authenticated-
user”!

Functional Access Summary
• “Deny” is stronger than “Grant”
– If multiple conflicting rights are defined (users
associated with multiple application roles with
different privileges) you DO NOT have access
(keep this one in mind of later…)
• By default (if not defined) it’s a “Deny”

Object-level Access
“Which analytical objects am I allowed to CRUD?”
• Web catalog permissions
• Secure structure and content
– Folders
– Contained objects
• File system permissions
• Note: OAS and OAC store the
catalog in the DB!

Object-level Access
• Very detailed permissions
– Read (Open)
– Traverse
– Write
– Delete
– Change Permissions
– Set Ownership
– Run Publisher Report
– Schedule Publisher Report
– View Publisher Output

Object-level Access
Predefined groups of permissions

Object-level Access
• “No access” always wins
– Overwrites any explicit access granted otherwise
– Even “Full Control” for BI Administrator loses
– Yes, you can lock yourself out of parts of the catalog!
• In all other cases, more permissive wins
– “Write” plus “Read/Open” = “Write”

DV Object-level Access – Projects

DV Object-level Access – Data Sets
• OAC Data Sets are another hybrid
• Line between object and data gets blurred
• Often the price to pay with self-service
• Expect more of this blurring!

Metadata-level Access
• Controlled in Presentation Layer
• Only 4 values
– Read
– Read/Write (require setup in BMM)
– No access
– Default (see next slide)
• “Read” stronger than “No access”
– Conflicts resolve to more permissive
• Warning: Opposite of front-end behaviour
• Where RPD may let you through, front-end cuts you off

• “Default” for Subject Areas:
– Same permission as “Authenticated User”
• All other objects
– Inherit from parent object

Data-level Access
What people think of…

Data-level Access
What it really is…
• Dynamic
• Fully baked in
• Security-based
• Rules, rules, rules rules
• Pretty much all in the RPD

Data-level Access
RPD data filters for application roles and users
Not even the filter criteria is static!

Data-level Access – RPD data filters
Objects are focus. Everything else follows.

• Data filters
– Can filter on any presentation layer or business
model layer object
– Can hence force inclusion of filtered dimensions in
any object build on a given subject area even if
that object does not reference the dimension at
all

• Query limits
– Temporal restrictions
– Limitations on returned rows
– Maximum execution times
– Direct Database Request permissions
– Detailed permissions managed here win over
system-wide permissions and default settings

Data-level Access
Logical Table Source filters
Dynamic Criteria
But inescapably
added to ALL queries

Data-level Access
Physical options
• VPD
• Essbase filters
• Named user credentials
• Connection Scripts
We can *use* these
Outside of our control

Data-level Access – Connection Scripts
• Yes you can code things
• We declare, we don’t code
• Very hidden
• Impact invisible in the most
query logs
• You need your DBA
• Least good choice

Data-level Access – DV

Data-level Access – DV
• Much more limited
• Possibilities depend on type
• Should grow
• Unsure if it reaches core “BI”

Data-level Access – Data Sets

Data-level Access – Data Sets
• Everything file-based = pure object access
• No additional safety net

Data-level Access – Data Connections
• “It depends”
• List keeps growing
• Check details each release and each type

Outline
• Global Context

IDCS Security - Walkthrough

IDCS Groups

OAC Users and Roles

The ugly bits

Outline
• Global Context

Outline - Deep-Dive SSO with OAC
• Customer Case
• AD Bridge
• SAML 2.0 ADFS
• Direct SSO vs Link
• Trouble Spots