OBIEE - Authorization
Authorization process in an OBIEE context.
Object authorization is specified with the help of:
- Permissions in the BI Server
- and Privileges in the BI Presentation Service
This process is first restrictive, i.e. you can do anything and a user is granted some permissions/privileges with the help of a group.
The Oracle BI Server allows you to create groups and then grant membership in them to users or other groups.
Group Inheritance: Privileges granted explicitly to a user have precedence over privileges granted through groups, and privileges granted explicitly to the group take precedence over any privileges granted through other groups.
You can think of a group as a set of security attributes.
The Oracle BI Server groups are similar to:
- groups in Windows NT and Windows 2000,
- and to groups or roles in database management systems (DBMS).
Like Windows NT and Windows 2000 groups, and database groups or roles, Oracle BI Server groups can allow access to objects. Additionally, Oracle BI Server groups can explicitly deny particular security attributes to their members.
Groups can simplify administration of large numbers of users. You can grant or deny sets of privileges to a group and then assign membership in that group to individual users. Any subsequent modifications to that group will affect all users who belong to it.
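The group inheritance rule and the explicit deny described above can be worked through with a small resolver. This is an added example, not Oracle BI Server code: the user, group and object names are constructed, and the tie-break for conflicting settings at the same level (least restrictive wins) and the default when nothing is set are assumptions that the page does not state.

```python
# Added illustration: a toy model of the precedence rules, not Oracle BI Server code.
ALLOW, DENY = "allow", "deny"

# Constructed sample data (all names hypothetical).
MEMBERSHIPS = {                      # principal -> groups it belongs to directly
    "alice": ["SalesAnalysts"],
    "bob": ["SalesAnalysts"],
    "carol": ["Finance"],
    "SalesAnalysts": ["AllStaff"],
    "Finance": ["AllStaff"],
}
GRANTS = {                           # principal -> explicit settings per object
    "AllStaff": {"Sales.Revenue": ALLOW, "HR.Salary": DENY},
    "Finance": {"HR.Salary": ALLOW, "Sales.Revenue": DENY},
    "bob": {"Sales.Revenue": DENY},
}


def effective_permission(user, obj, grants=GRANTS, memberships=MEMBERSHIPS,
                         default=DENY):
    """Return (decision, principals that decided it) for user on obj."""
    level, seen = [user], {user}     # level 0 is the user itself
    while level:
        deciders = sorted(p for p in level if obj in grants.get(p, {}))
        if deciders:
            decisions = {grants[p][obj] for p in deciders}
            # Assumed tie-break for conflicts at the same distance:
            # the least restrictive setting applies.
            return (ALLOW if ALLOW in decisions else DENY), deciders
        # Nothing set at this distance: climb one step up the hierarchy.
        parents = []
        for p in level:
            for g in memberships.get(p, []):
                if g not in seen:    # guards against membership cycles
                    seen.add(g)
                    parents.append(g)
        level = parents
    return default, []               # assumed default when nothing is set


if __name__ == "__main__":
    for who, what in [("alice", "Sales.Revenue"), ("bob", "Sales.Revenue"),
                      ("carol", "HR.Salary"), ("carol", "Sales.Revenue")]:
        print(who, what, effective_permission(who, what))
```

Returning the deciding principal alongside the decision makes it easy to audit why a user ends up with access, for example when a deny on a parent group is overridden by a grant on a nearer group.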
In 10g, groups need to be created manually in the OBIEE repository. However, if the users are externally defined (LDAP servers, …), the group membership information must be obtained from a database table and set up in the GROUP session variable.