Friday, May 16, 2014

OBIEE - Multi-tenancy User Authentication and Authorization

To facilitate multi-tenancy, a few new roles have been introduced in OBIEE. A new layer has been added which allows for administration at a tenant level, and another one to define users/authors at the tenant.
  • BI Global Administrator
  • Tenant Administrator
  • Tenant User
Earlier posts in this series:
 OBIEE - Multi-Tenancy implementations - What is it
 OBIEE - Multi-Tenancy - Presentation Catalog

When OBIEE is configured for multi-tenancy, two administration roles are available to configure the application. The BI Global Administrator role (BIGlobalAdministrator) is used for overall global administration. This administrator controls privileges for all tenants and can access the Presentation Services Administration page, Oracle BI Administration Tool, Job Manager, Catalog Manager, and all content. This administrator is not associated with a specific tenant.

The new role, BITenantAdministrator, has specific privileges that are granted in the Oracle BI Presentation Catalog for administering a tenant. Users in this role can perform.

This role enables users to perform self-service administration tasks on one tenant. These administrators cannot access the overall Presentation Services Administration page or the Privileges page. These administrators organize content for tenant users within the catalog by granting access to, creating, moving, and copying objects and folders.

Another user role, Tenant User, is equivalent to the BIAuthor and BIConsumer roles, but gives access to the artifacts within a particular tenant.

Each tenant in the system is assigned a GUID, and the users assigned to the tenant are also assigned GUIDs to ensure that OBIEE sees them as distinct users and is shielded from name clashes and name changes. The user is based on the Tenant GUID. This GUID is also available as a session variable.

This way, user maintenance tasks are delegated to administrators within each tenant. Persons taking on this role should understand the OBIEE artifacts and the authorizations available.
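
The GUID-based identity and tenant-scoped delegation described above, sketched as an added example (not OBIEE code and not from the original post). Only the role names BIGlobalAdministrator and BITenantAdministrator come from the post; the `User` and `Catalog` classes, the `TenantUser` label and the sample tenants are hypothetical.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

GLOBAL_ADMIN = "BIGlobalAdministrator"   # role names as given in the post
TENANT_ADMIN = "BITenantAdministrator"
TENANT_USER = "TenantUser"               # hypothetical label for "Tenant User"

@dataclass
class User:
    name: str                    # login name: may clash across tenants or change
    role: str
    tenant_guid: Optional[str]   # None = not associated with a tenant
    guid: str = field(default_factory=lambda: str(uuid.uuid4()))

class Catalog:
    """Toy catalog: folders belong to a tenant GUID, ACLs store user GUIDs."""
    def __init__(self):
        self.owner = {}          # folder path -> tenant GUID
        self.acl = {}            # folder path -> set of user GUIDs

    def add_folder(self, path, tenant_guid):
        self.owner[path] = tenant_guid
        self.acl[path] = set()

    def grant(self, actor, path, target):
        """Return True if actor was allowed to grant target access to path."""
        tenant = self.owner[path]
        if actor.role == TENANT_ADMIN:
            allowed = actor.tenant_guid == tenant   # own tenant only
        else:
            allowed = actor.role == GLOBAL_ADMIN
        # Never share a tenant's folder with another tenant's user.
        if not allowed or target.tenant_guid != tenant:
            return False
        self.acl[path].add(target.guid)
        return True

    def can_read(self, user, path):
        if user.role == GLOBAL_ADMIN:
            return True
        return user.tenant_guid == self.owner[path] and user.guid in self.acl[path]

# Constructed sample data: two tenants that both have a user named "jsmith".
T1, T2 = str(uuid.uuid4()), str(uuid.uuid4())
admin1 = User("admin", TENANT_ADMIN, T1)
js1, js2 = User("jsmith", TENANT_USER, T1), User("jsmith", TENANT_USER, T2)
cat = Catalog()
cat.add_folder("/tenant1/sales", T1)
cat.add_folder("/tenant2/sales", T2)
```

Because the ACL stores GUIDs rather than names, renaming `js1` leaves the grant intact, and the other tenant's "jsmith" never matches it.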

Not all features are currently multi-tenant enabled. Here are a few that are not:
  • Catalog groups
  • KPIs, scorecards
  • BI Mobile
  • BI Composer
  • Oracle BI for Microsoft Office
  • Act As functionality
  • Direct database requests
  • Oracle RTD, BI Publisher, and Marketing Segmentation
  • Full-text catalog search with Oracle SES and Oracle Endeca Server. The basic catalog search is available.
  • Oracle Essbase Components (including Financial Reporting, Calculation Manager, and Workspace)
These features are not available for BIGlobalAdministrator for administration:
  • Oracle BI Administration Tool
  • Catalog Manager
  • Job Manager
  • Usage tracking 
  • MapViewer
Other limitations:
  • Application roles are defined system-wide and are not tenant-specific. Any roles defined will be available to all the tenants for selection through the dialogues.
  • There are no tenant-specific configurations in the instanceconfig.xml file. Such configurations include privileges in the catalog, skins, and front-end customization.

Multi-tenancy is disabled by default. A few entries need to be added to the configuration files and domain configuration files.

Detailed documentation can be found at: Configuring for Multiple Tenants


Sachin
Architect - Oracle Engineered Systems
Exalytics/Exalogic/Exadata
BuzzClan LLC
