KPI Partners Blog

The Primary Differences Between OBIEE 10g & 11g Security Models

Posted by KPI Partners News Team on Thu, Jan 03, 2013 @ 12:56 PM

by Shiva Molabanti

What are the primary differences between the OBIEE 10g and 11g security models and what happens during upgrade?

Security Task/Object OBIEE 10g OBIEE 11g What happens during upgrade from 10g to 11g?
Define Users and Groups in RPD file using OBIEE Admin Tool Default N/A. By default, users are defined in embedded WLS LDAP via FMW EM Console, or alternatively, in external LDAP. By default, existing users and groups migrated to embedded WLS LDAP. Existing groups are automatically mapped to an Application role.
Defining security policies Policies in the catalog and repository can be defined to reference groups within a directory. Policies are defined in terms of application roles, which map to users and groups in a directory. 10g catalog groups are automatically migrated in the upgraded catalog and assigned the same privileges, access and membership.
“Administrator” user Unique user with full administrative privileges. No single user named tor full administrative privileges. Administration can be performed by any user who is member of BIAdministrators group. “Administrator” user automatically added as member of “BIAdministrators” group in embedded WLS LDAP and granted Administrator role. The user specified during OBIEE 11g installation (i.e. “weblogic”, “biadmin”) is also a member of the BIAdministrators group.
Repository Encryption Available on sensitive elements only - i.e. user passwords, connection pool passwords, etc. Entire RPD encrypted via a password. Prompted to set a repository password while running the upgrade assistant. Do not lose this password as there is no feature to recover a lost password.
External Authentication and OBIEE Initialization (Init) Blocks Init blocks are required for external PDAP or external table authentication. Init blocks not required for WLS embedded LDAP. Init blocks are required for external LDAP or external table authentication. Upgraded RPD will continue to point to 10g LDAP or external tables. Initblocks may need to be modified to ensure that depreciated, or reserved word, variable names are renamed. NOTE: If you intend to use another LDAP server, such at Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server. Please see Upgrade Guide for further details.
Catalog Groups Defined in Presentation Server Administration link Available for backward compatibility. Use of Application Roles in FMW EM Console recommended. Existing groups will be migrated. Recommendation is to use application roles instead. Privileges on catalog objects may be granted to an application role via BI Presentation server Administration link.
SA System Subject Area Optional Available for backward compatibility and requires init blocks and external tables. Use of Embedded LDAP is recommended. Upgraded 10g RPD will point to external tables, Initblocks may need to be modified to ensure that depreciated, or reserved word, variable names are renamed.
“Everyone” Presentation Server Group Default Replaced with AuthenticatedUser role. “Everyone” group migrated to AuthenticatedUser role.



molabantishiva 128

Shiva Molabanti is a Manager and Senior Architect at KPI Partners.  He is a business intelligence enthusiast who likes blogging about acquisitions in the BI space, technical workings of BI tools, and Oracle Business Intelligence.  Visit Shiva at his personal blog:

Tags: OBIEE, Shiva Molabanti, Oracle BI, Blog

Subscribe to the KPI Blog