Oracle Analytics Security: Everything you always wanted to know

Most analytics professionals sooner or later touch one part or another of Oracle Analytics security but almost never manage to acquaint themselves with every single aspect of it. With the advent of the cloud vs on-premises split of the product line the topic has become even more interesting territory as the options branch out. This Oracle Analytics Security deep dive covers detailed security topics in OAC and OAS, their usage and application, and compares what is different between them and what is new since OBIEE 12c.
Slide 1: Oracle Analytics Security: Everything you always wanted to know. Episode 2 – May 4th-6th 2020 – The ACEs Strike Back. (www.dimensionality.ch @Nephentur freenode | obihackers)
Slide 2: SECURITY
Slide 3: Christian Berg
• Oracle ACE Director, Business Analytics
• Oracle Analytics since 2001
• Speaker at OpenWorld, KScope, user groups and open-source conferences
• Blogger on Analytics, DWH, Data Science: http://dimensionality.ch
• Telegram/IRC #obihackers moderator
• ODC and OCCC community advocate
• Trainer for Oracle University since 2006
Slide 4: Becky Wagner
• Wife; mother of 3 (ages 18, 15, and 11)
• ODTUG Analytics Community Leader / ODTUG Board Director
• Oracle ACE
• Managing Director of Analytics at US-Analytics
• 15+ years in IT
• Email: bwagner@us-analytics.com
• Twitter: @Bec_Wagner
• LinkedIn: https://www.linkedin.com/in/becky-wagner/
• IRC channel (Telegram): #obihackers
• http://bec-wagner.com
Slide 5: Becky Wagner
Slide 6: Oracle ACE Program: 3 membership tiers (Oracle ACE Director, Oracle ACE, Oracle ACE Associate), 500+ technical experts helping peers globally. bit.ly/OracleACEProgram. Nominate yourself or someone you know: acenomination.oracle.com. Connect: @oracleace, Facebook.com/oracleaces, oracle-ace_ww@oracle.com
Slide 7: Outline
• Global Context
• Covered Products and Areas
• Security Concepts
• IDCS added to the mix
• Nit-picking: Technical deep-dive SSO with OAC
Slide 8: Outline (section marker: Global Context)
Slide 9: Global Context (image: a web search for “vast and complex”, https://www.google.com/search?q=vast+and+complex)
Slide 10: Global Context – Competitors vs Oracle: what do you choose?
• Competitors: less options; on/off; very high level; departmental/user focus
• Oracle: (too) many options; highly configurable; every single object/entity; corporate, 3rd party, department and user level
Slide 11: Historical growth
Slide 12: nQuire era, 1997–2001
• Core BI Server
• Core BI Presentation Server
• Administration Tool with the RPD
• Catalog Manager with the presentation catalog
• Scheduler and Agents
• Core APIs: runcat, admintool.exe, NQS calls
• Core list of supported sources
Slide 13: Siebel era, 2001–2006
• Catalog Groups
• Marketing integration
• Action Framework
• Source extensions
Slide 14: Oracle era, 2006–today
• BI Publisher integration
• Web Services
• MBeans
• WebLogic integration
• Essbase + other Hyperion products
• Scorecarding and Strategy Management
• Source extensions
• Data Visualization (ex Visual Analyzer)
• Data Flows
• Data Engineering
• External Data Sets (XSA)
• ...
Slide 15: Outline (section marker: Covered Products and Areas)
Slide 16: Covered Products: 12.2.1.4 (OBIEE 12c), OAC 5.5, OAS 5.5
Slide 17: Covered Areas
• Basic OA* security concepts
• Corporate security to app security
• “Back-end” and “front-end” parts
• Details galore
Slide 18: How deep can we actually go with this?
Slide 19: Outline (section marker: Security Concepts)
Slide 20: Security Concepts, simplified: Authentication; Component Access; Object-level Access; Functional Access; Metadata-level Access; Data-level Access
Slide 21: Security Principals, simplified: Users; Groups; Application Roles
Slide 22: Catalog groups (for completeness)
• The “other application role” of OBIEE 10g and Siebel Analytics 7.x and 6.x
• Existed for backwards compatibility
• Dead and buried!
• Please upgrade ASAP
Slide 23: Authentication
Slide 24: Authentication
Slide 25: Authentication (diagram): corporate identity stores (the WLS embedded LDAP, any LDAP, DB tables) are mapped “to the application world” as WebLogic “principals”
Slide 26: “Back-end” vs “front-end” (diagram): the back-end is structural and base-line; the front-end turns structure into access and action, productizing security
Slide 27: Component Access – “Which parts of the platform am I allowed to use?”
• Several places, for historical reasons: Enterprise Manager (Application Policies) and Application Administration
• IDCS too, for cloud
• Never think “one place rules all”
Slide 28: Application roles
Slide 29: Application Policies
Slide 30: Application Policy Control
• Only WLS principals can be tied to policies
• RPD Management
• Essbase (since 11.1.1.7 and dropped after 12c)
• BI Publisher
• Data Visualization (initially Visual Analyzer)
• Data Flows
• Don’t forget these!
• IDCS does things a little bit differently again
Slide 31: Functional Access
Slide 32: Functional Access
Slide 33: Functional and Data Access – Hybrid: “Based on which data am I allowed to BUILD things?”
Slide 34: Functional Access Summary
• What the user is allowed to access as functionality inside of OBIEE
• Exception: data security related to each subject area permission
  – Double security with the RPD presentation layer
  – Defines for which subject areas a principal can create new content (analyses, filters, KPIs, prompts etc.)
• Only 2 values:
  – Deny: no access at all to the feature
  – Grant: allow the user to access the feature
• Be careful not to misuse the system role “authenticated-user”!
Slide 35: Functional Access Summary
• “Deny” is stronger than “Grant”: if conflicting rights are defined (a user associated with multiple application roles that carry different privileges) you DO NOT have access (keep this one in mind for later…)
• By default (if not defined) it’s a “Deny”
Slide 36: Object-level Access – “Which analytical objects am I allowed to CRUD?”
• Web catalog permissions
• Secure structure and content: folders and the objects they contain
• File system permissions
• Note: OAS and OAC store the catalog in the DB!
Slide 37: Object-level Access – very detailed permissions: Read (Open); Traverse; Write; Delete; Change Permissions; Set Ownership; Run Publisher Report; Schedule Publisher Report; View Publisher Output
Slide 38: Object-level Access – predefined groups of permissions
Slide 39: Object-level Access
• “No access” always wins
  – It overrides any explicit access granted otherwise
  – Even “Full Control” for BI Administrator loses
  – Yes, you can lock yourself out of parts of the catalog!
• In all other cases, the more permissive permission wins: “Write” plus “Read/Open” = “Write”
Slide 40: DV Object-level Access – Projects
Slide 41: DV Object-level Access – Data Sets
• OAC Data Sets are another hybrid
• The line between object and data gets blurred
• Often the price to pay for self-service
• Expect more of this blurring!
Slide 42: Metadata-level Access
• Controlled in the Presentation Layer
• Only 4 values: Read; Read/Write (requires setup in the BMM); No access; Default (see next slide)
• “Read” is stronger than “No access”: conflicts resolve to the more permissive value
• Warning: this is the opposite of the front-end behaviour. Where the RPD may let you through, the front-end cuts you off
Slide 43: Metadata-level Access – “Default”
• For Subject Areas: the same permission as “Authenticated User”
• All other objects: inherit from the parent object
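Slides 35, 39 and 42 state three different conflict-resolution rules, and the same user with the same pair of application roles comes out differently under each one. The Python model below is an added example, not code from the deck or from Oracle. The role names, the privilege name and the sample user are constructed, and the catalog rights on slide 37 are collapsed into the four predefined groups of slide 38 (No access, Open, Modify, Full Control) so that they can be ordered.

```python
"""Added example (not from the deck): the three conflict-resolution rules the
slides state for a principal holding several application roles.

  Functional access : an explicit Deny on any role wins; nothing set = Deny
  Catalog objects   : an explicit "No access" on any role wins, even against
                      Full Control; otherwise the more permissive right wins
  RPD presentation  : the more permissive right wins, so Read beats No access;
                      "Default" inherits the parent object's resolved value

Role names, privilege names and the sample user are constructed for the demo.
"""
from enum import IntEnum
from typing import Dict, Iterable, Optional

GRANT, DENY = "Grant", "Deny"


def resolve_privilege(roles: Iterable[str], privilege: str,
                      policy: Dict[str, Dict[str, str]]) -> str:
    """Front-end privilege semantics (Administration > Manage Privileges)."""
    decisions = [policy.get(role, {}).get(privilege) for role in roles]
    if DENY in decisions:                           # Deny is stronger than Grant
        return DENY
    return GRANT if GRANT in decisions else DENY    # unset defaults to Deny


class CatalogPerm(IntEnum):
    """Predefined web-catalog permission groups, least to most permissive."""
    NO_ACCESS = 0
    OPEN = 1           # Read + Traverse
    MODIFY = 2         # Read + Write + Delete ("Write" plus "Read/Open" = "Write")
    FULL_CONTROL = 3


def resolve_catalog(roles: Iterable[str],
                    acl: Dict[str, Optional[CatalogPerm]]) -> CatalogPerm:
    """Catalog ACL semantics: explicit No access wins, else the most permissive."""
    entries = [acl.get(role) for role in roles]
    if CatalogPerm.NO_ACCESS in entries:
        return CatalogPerm.NO_ACCESS     # beats even Full Control on another role
    granted = [e for e in entries if e is not None]
    return max(granted) if granted else CatalogPerm.NO_ACCESS


class RpdPerm(IntEnum):
    """Presentation-layer permissions in the RPD, least to most permissive."""
    NO_ACCESS = 0
    READ = 1
    READ_WRITE = 2


def resolve_rpd(roles: Iterable[str], perms: Dict[str, Optional[RpdPerm]],
                parent: RpdPerm) -> RpdPerm:
    """RPD semantics: the more permissive value wins. A role whose entry is
    "Default" (None here, or absent) takes the parent object's resolved value;
    for a subject area the caller passes the Authenticated User result."""
    effective = [perms[role] if perms.get(role) is not None else parent
                 for role in roles]
    return max(effective) if effective else parent


def demo() -> Dict[str, str]:
    """One constructed user with two roles, evaluated under each rule."""
    user_roles = ["BIConsumer", "FinanceAnalyst"]
    privileges = {"BIConsumer": {"Access to Answers": GRANT},
                  "FinanceAnalyst": {"Access to Answers": DENY}}
    acl = {"BIConsumer": CatalogPerm.FULL_CONTROL,
           "FinanceAnalyst": CatalogPerm.NO_ACCESS}
    rpd = {"BIConsumer": RpdPerm.NO_ACCESS, "FinanceAnalyst": RpdPerm.READ}
    return {
        "privilege": resolve_privilege(user_roles, "Access to Answers", privileges),
        "catalog": resolve_catalog(user_roles, acl).name,
        "rpd": resolve_rpd(user_roles, rpd, parent=RpdPerm.NO_ACCESS).name,
    }


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule:10s} -> {outcome}")
```

The same two roles lock the user out of the feature and out of the catalog folder, yet let the user read the subject area in the RPD; that is the "opposite of the front-end behaviour" warning on slide 42 made concrete. Note also the difference between a role with no catalog entry at all (ignored) and a role with an explicit "No access" (decisive).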
Slide 44: Metadata-level Access
Slide 45: Data-level Access – what people think of…
Slide 46: Data-level Access – what it really is…
• Dynamic
• Fully baked in
• Security-based
• Rules, rules, rules, rules
• Pretty much all in the RPD
Slide 47: Data-level Access – RPD data filters for application roles and users. Not even the filter criteria are static!
Slide 48: Data-level Access – RPD data filters: objects are the focus, everything else follows.
Slide 49: Data-level Access – RPD data filters
• Can filter on any presentation layer or business model layer object
• Can hence force inclusion of the filtered dimension in any object built on a given subject area, even if that object does not reference the dimension at all
Slide 50: Data-level Access – RPD query limits
• Temporal restrictions
• Limitations on returned rows
• Maximum execution times
• Direct Database Request permissions
• Detailed permissions managed here win over system-wide permissions and default settings
Slide 51: Data-level Access – Logical Table Source filters: dynamic criteria, but inescapably added to ALL queries
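Slides 47 to 51 describe role data filters whose criteria are resolved per session and Logical Table Source filters that reach every query. The Python example below is added here and is not from the deck or from Oracle. It uses sqlite3 as a stand-in for the physical source; the table names, the role names and the session variable USER_REGION are constructed. It shows the three points the slides make: the filter value comes from the session at query time, a role filter on a dimension forces that dimension into the join of a query that only asks for a fact measure, and the LTS filter is present for every user, including one whose roles carry no data filter at all. The BI Server's own rule for combining filters from several roles on the same object is not covered by the deck and is not modelled; only one filter-bearing role is exercised.

```python
"""Added example (not from the deck): a role-bound data filter with a
session-variable criterion plus an LTS filter, both appended to a query that
itself only asks for SUM(amount) from the fact table. Names are constructed;
sqlite3 stands in for the physical source."""
import re
import sqlite3
from typing import Dict, Iterable, List, Tuple

# Constructed physical model: one fact table and one dimension table.
DDL = """
CREATE TABLE dim_region (region_id INTEGER PRIMARY KEY, region TEXT NOT NULL);
CREATE TABLE fact_sales (sale_id INTEGER PRIMARY KEY, region_id INTEGER NOT NULL,
                         sale_year INTEGER NOT NULL, amount REAL NOT NULL);
"""
DIM_ROWS = [(1, "EMEA"), (2, "AMER"), (3, "APAC")]
FACT_ROWS = [(1, 1, 2019, 100.0), (2, 1, 2020, 50.0), (3, 2, 2020, 200.0),
             (4, 3, 2020, 75.0), (5, 2, 2018, 30.0)]

# LTS filter: declared on the logical table source, so it is appended to ALL
# queries that use this source, whoever runs them (constructed).
LTS_FILTER = "fact_sales.sale_year >= 2019"

# Data filters keyed by application role (constructed). The criterion is not
# static: it references a session variable resolved per user at query time.
ROLE_DATA_FILTERS: Dict[str, str] = {
    "RegionalManager": "dim_region.region = VALUEOF(NQ_SESSION.USER_REGION)",
}

_VALUEOF = re.compile(r"VALUEOF\(NQ_SESSION\.(\w+)\)")


def bind_session_vars(expr: str, session: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace VALUEOF(NQ_SESSION.X) with a bind placeholder. The value travels
    as a parameter, never spliced into the SQL text. A variable that is not set
    for this session is an error, not a silently empty (or unfiltered) result."""
    params: List[str] = []

    def repl(match):
        name = match.group(1)
        if name not in session:
            raise KeyError(f"session variable {name} is not set for this session")
        params.append(session[name])
        return "?"

    return _VALUEOF.sub(repl, expr), params


def build_query(roles: Iterable[str], session: Dict[str, str]) -> Tuple[str, List[str]]:
    """The analysis references only the fact measure, yet every applicable
    filter is added, and a filter on dim_region forces the join to it."""
    predicates = [LTS_FILTER]                    # always present
    params: List[str] = []
    for role in roles:
        expr = ROLE_DATA_FILTERS.get(role)
        if expr:                                 # only one filter-bearing role is exercised
            bound, bound_params = bind_session_vars(expr, session)
            predicates.append(bound)
            params.extend(bound_params)
    sql = "SELECT COALESCE(SUM(fact_sales.amount), 0) FROM fact_sales"
    if any("dim_region." in p for p in predicates):
        sql += " JOIN dim_region ON dim_region.region_id = fact_sales.region_id"
    sql += " WHERE " + " AND ".join(predicates)
    return sql, params


def run_query(roles: Iterable[str], session: Dict[str, str]) -> float:
    """Load the constructed rows into an in-memory database and run the query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany("INSERT INTO dim_region VALUES (?, ?)", DIM_ROWS)
    conn.executemany("INSERT INTO fact_sales VALUES (?, ?, ?, ?)", FACT_ROWS)
    sql, params = build_query(roles, session)
    (total,) = conn.execute(sql, params).fetchone()
    conn.close()
    return float(total)


if __name__ == "__main__":
    print(build_query(["RegionalManager"], {"USER_REGION": "EMEA"}))
    print(run_query(["RegionalManager"], {"USER_REGION": "EMEA"}))   # 150.0
    print(run_query(["BIAdministrator"], {}))                        # 425.0
```

The generated SQL for the RegionalManager joins dim_region although the analysis never mentioned it (slide 49), and the 2018 row is absent for the administrator as well, because the LTS filter is not tied to any role (slide 51). The connection-script alternative on slide 53 would achieve a similar effect in the database session, where, as the deck notes, it does not show up in the query log.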
Slide 52: Data-level Access – physical options: VPD, Essbase filters, named user credentials, connection scripts. We can *use* these, but they are outside of our control.
Slide 53: Data-level Access – Connection Scripts
• Yes, you can code things; but we declare, we don’t code
• Very hidden
• Impact invisible in most query logs
• You need your DBA
• Least good choice
Slide 54: Data-level Access – DV
Slide 55: Data-level Access – DV
• Much more limited
• Possibilities depend on the type
• Should grow
• Unsure if it reaches core “BI”
Slide 56: Data-level Access – Data Sets
Slide 57: Data-level Access – Data Sets
• Everything file-based = pure object access
• No additional safety net
Slide 58: Data-level Access – Data Connections
• “It depends”
• The list keeps growing
• Check the details for each release and each type
Slide 59: Data-level Access – Data Connections
Slide 60: Data-level Access – Data Connections
Slide 61: Outline (section marker: IDCS added to the mix)
Slide 62: IDCS Security – Walkthrough
Slide 63: IDCS Groups
Slide 64: OAC Users and Roles
Slide 65: The ugly bits
Slide 66: Outline (section marker: Nit-picking: Technical deep-dive SSO with OAC)
Slide 67: Outline – Deep-Dive SSO with OAC
• Customer Case
• AD Bridge
• SAML 2.0 ADFS
• Direct SSO vs Link
• Trouble Spots
Slide 68: Outline (section marker: Customer Case)
Slide 69: Customer Case – Enterprise-worthy OAC
• Global financial services firm
• Security is the highest priority
• Waited to start the project until AD integration was available
• VPNaaS to Palo Alto NextGen Firewalls
• Private IP ranges
• Access from within the network only
• OAC with IDCS (Identity Cloud)
• Migrating from OBIEE 11g to OAC
• AD integration required (8000+ users, 14000+ groups)
• SSO was highly desirable
Slide 70: Outline (section marker: AD Bridge)
Slide 71: AD Bridge
• Must be installed on a server joined to the AD domain
• Needs a user with rights to install software
• Needs a user with the following AD rights: Read for all users and groups in the domain; Read for all OUs
• If you are using an AD user set up specifically for the AD Bridge, the specific permissions can be found here: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/creating-bridge.html
• Tutorial for the AD Bridge: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
Slide 72: AD Bridge – Roadmap
1. Download from IDCS
2. Install on the domain-joined server
3. Configure users and groups
4. Import in IDCS
5. Verify
Note: OAC comes with IDCS Foundation; the AD Bridge is in IDCS Basic.
Slide 73: AD Bridge – The More You Know
• It becomes a service. Check that this service is running and starts automatically
• Find the AD Bridge Config Utility in C:\Program Files\IDBridge\IDBridgeUI.exe
• Click on View Logs; it is highly important to note the log locations
• A sync run has a limit; it continues at the configured frequency until fully synced
• Errors have details in the logs, like a missing email or some other attribute issue
Slide 74: Outline (section marker: SAML 2.0 ADFS)
Slide 75: ADFS & SSO – SAML 101 (image from https://developers.onelogin.com/assets/img/pages/saml/sso-diagram.svg)
Slide 76: ADFS & SSO – Steps
1. Download the ADFS metadata file
  a. https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
  b. XML files have tags; if the browser doesn’t show them, right-click and view source, then save
2. IDCS Identity Provider setup
  a. Add SAML IDP
  b. Name, Next, upload FederationMetadata.xml, Requested NameID: Email Address, Next, Finish
  c. Don’t click Export; use the following URL to download the IDCS metadata XML instead
  d. https://MYTENANT.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
Slide 77: ADFS & SSO – Steps cont.
1. In the AD FS management console add a Relying Party Trust
  a. Import the IDCS metadata XML (from step 2d on the previous slide), Next, Name, Next through the remaining pages, Finish
  b. Add Claim Rules
    i. Send LDAP Attributes as Claims: Name = Email, Attribute Store = Active Directory, LDAP Attribute = Email Addresses, Outgoing Claim Type = Email Address
    ii. Transform an Incoming Claim: Name = Name ID, Incoming claim type = Email Address, Outgoing claim type = Name ID, Outgoing name ID format = Email
2. IDCS configuration
  a. Drop-down: select Activate; drop-down again: select Show on Login Page
  b. IDP Policies: click Default and then assign the new ADFS identity provider
Tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
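A pre-flight check on the ADFS metadata file from step 1 on slide 76, run before it is uploaded to IDCS in step 2, is the following added Python example; it is not from the deck, the Oracle tutorial or Oracle. The sample metadata is constructed to resemble an ADFS FederationMetadata.xml and carries a placeholder certificate. It goes a little beyond the slides: besides catching a "save" of the rendered browser view that is not XML, it confirms the pieces the rest of the setup relies on: the IdP entityID, a signing certificate, an HTTP-Redirect or HTTP-POST SingleSignOnService, the emailAddress NameID format that the claim rules on slide 77 emit, and a SingleLogoutService for the sign-out trouble spot on slide 81.

```python
"""Added example (not from the deck): sanity-check an ADFS FederationMetadata.xml
before uploading it as the SAML identity provider in IDCS. The sample below is
constructed; the certificate is a placeholder, not a real ADFS signing cert."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample, shaped like the IdP part of an ADFS metadata document.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.contoso.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder-not-a-real-certificate...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.contoso.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.contoso.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.contoso.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(text: str) -> Dict[str, object]:
    """Return the fields IDCS needs plus a list of problems (empty = usable)."""
    result: Dict[str, object] = {"entity_id": None, "sso": {}, "slo": None,
                                 "signing_cert": False, "email_nameid": False,
                                 "problems": []}
    problems: List[str] = result["problems"]          # type: ignore[assignment]
    sso: Dict[str, str] = result["sso"]               # type: ignore[assignment]
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML ({exc}); save the page source, not the rendered view")
        return result
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, not a SAML EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding", "")] = svc.get("Location", "")
    if REDIRECT not in sso and POST not in sso:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    slo = idp.find("md:SingleLogoutService", NS)
    result["slo"] = slo.get("Location") if slo is not None else None
    if slo is None:
        problems.append("no SingleLogoutService: global sign-out cannot be configured")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":     # no 'use' attribute = both uses
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                result["signing_cert"] = True
    if not result["signing_cert"]:
        problems.append("no signing certificate: IDCS cannot validate assertions")
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    result["email_nameid"] = EMAIL_NAMEID in formats
    if not result["email_nameid"]:
        problems.append("emailAddress NameID format not advertised; check the Name ID claim rule")
    return result


if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key:13s}: {value}")
```

Run it against the file actually downloaded from the federation server: an empty problems list means the upload to IDCS has what it needs, and a non-XML result is the "view source and save" case from step 1b. The certificate check only confirms presence; verifying that assertions are signed with it is IDCS's job once the IdP is active.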
Slide 78: Outline (section marker: Direct SSO vs Link)
Slide 79: Direct SSO vs Link
Oracle Support Doc ID 2438952.1: OAC/OAAC: How To Disable IDCS Chooser Login Page and Get Redirected to Custom SSO Login Page Directly in Oracle Analytics Cloud (OAC)
Once everything has been confirmed working with the SSO link on the login page:
• IDP Policies: remove ADFS from the ‘Default Identity Provider Policy’
• Create a new IDP Policy: assign ADFS to the policy and assign the OAC application(s)
• Configure the application for a Redirect URL: it can be any URL (www.oracle.com) and doesn’t actually affect behaviour
Slide 80: Outline (section marker: Trouble Spots)
Slide 81: Trouble Spots and Lessons Learned
• Sometimes the logs stop while the bridge still shows Active in IDCS and the service shows as running in Windows
• The log path is not in the documentation; use the AD Bridge application and View Logs
• While checking OUs, be sure to expand and check the lower levels (the default now)
• Username = email
• IDCS uses SAML 2.0; for Windows Server 2016 we had to get a different ADFS XML file
• Don’t download the exported IDCS metadata; ADFS needs a special format. Get it from the URL https://DOMAIN.oraclecloud.com/fed/v1/metadata?adfsmode=true
• Security wants users to be authenticated by AD only
• EM, the RPD Admin Tool and the WebLogic Console are still direct logins; AD users can’t be used there
• Configure the IDP Policy
• Sign Out redirects to OAC DV, still signed in. You can configure ADFS global sign-out and then the IDCS sign-out URL
Slide 82: Account Rename
Slide 83: RECAP
• Security sensitive
• IDCS private IP
• Allows for AD and SSO integration
• Local AD domain-joined server
• Find your logs
• Find your ADFS buddy
• Sign Out redirects to DV
• Claim rules only worked with Email
• Remove the IDCS chooser page
• Still need local login for EM, the WebLogic Console and the RPD Admin Tool
Getting fancy: HA AD Bridge, Docker style: https://www.oracle.com/technetwork/articles/idm/gutierrez-idcs-idbridge-3960710.html
Slide 84: Resources
• Full deck with videos: https://www.slideshare.net/secret/qERdzGtv9SZTpj
• Blog about the ADFS lab setup: http://bec-wagner.com/2018-10-26-ADFS-and-OAC-lab/
• AD Bridge tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html
• ADFS/SSO tutorial: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
• Direct access Oracle doc: Oracle Support Doc ID 2438952.1
Slide 85: Thank You! What’s Next?
Becky Wagner: bwagner@us-analytics.com, @Bec_Wagner, https://www.linkedin.com/in/becky-wagner/, Telegram: #obihackers
Christian Berg: christian.berg@dimensionality.ch, @Nephentur, Telegram: #obihackers