security overview peoplesoft
DESCRIPTION
PeopleSoft & OBIEETRANSCRIPT
![Page 1: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/1.jpg)
December 5, 2008 1
OBIEE Technical Conference
Security Overview
Dan Malone
![Page 2: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/2.jpg)
December 5, 2008 2
Session Overview
This is such a big topic that we have devoted 2 sessions to it. We will discuss how PeopleSoft
security is used to drive security in the data warehouse and OBI. We will discuss OBI
privileges and object permissions and how we modeled our security for Dashboards and
Answers. We will also provide a brief overview on how we implemented CAS authentication
and Single Sign On.
![Page 3: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/3.jpg)
December 5, 2008 3
Security From 30,000 Feet
■ Identification■ Authentication■ Authorization■ Audit
![Page 4: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/4.jpg)
December 5, 2008 4
Consistent Security Across Applications
■ PeopleSoft■ Data Warehouse■ OBIEE
– BI Server – Presentation Services
» Answers» Dashboards
![Page 5: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/5.jpg)
December 5, 2008 5
Identification/Authentication
■ Identification– Common USERNAME across all
■ Authentication– Web Single Sign-On (CAS)
» PeopleSoft» OBIEE Presentation Services
![Page 6: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/6.jpg)
December 5, 2008 6
CAS Integration with OBI
■ Need slides from David K.
![Page 7: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/7.jpg)
December 5, 2008 7
CAS Integration
OC4J Servlet Container
Soulwing CAS Client
http://www.soulwing.org/Gets USERNAME into Session
Cal Poly Developed FilterCopies Session USERNAME
into Request Header
REMOTE_USER
OBI Single Sign-OnTells OBI to get
REMOTE_USER
from Request Header
![Page 8: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/8.jpg)
December 5, 2008 8
Single Sign-On
■ Create Impersonator Admin account in Repository
■ USER Session Variable■ Session Initialization Blockselect lower(':USER') from dual
![Page 9: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/9.jpg)
December 5, 2008 9
Issues with Web Single Sign-On
■ Can not use database security– Proxy User
■ How to perform administrative tasks– Include a local Role in Presentation Server
Administrators– Method to login as Administrator user
» Password on URLhttps://server/analytics/saw.dll?nquser=Administrator&nqpassword=<password>
![Page 10: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/10.jpg)
December 5, 2008 10
Authorization
■ Privileges■ Web Catalog
– Objects– Permissions
■ Groups
![Page 11: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/11.jpg)
December 5, 2008 11
Authorization: Privileges
■ Access■ Admin■ Catalog■ Dashboards■ Answers■ My Account■ Subject Area XXXX■ View XXXX
![Page 12: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/12.jpg)
December 5, 2008 12
Privileges: Things to Remember
■ Most default to Everyone■ Don’t remove Personal Storage before
creating a default Dashboard■ New Subject Area will not show up until
someone starts Answers■ Privileges can not be migrated
![Page 14: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/14.jpg)
December 5, 2008 14
Authorization: Web Catalog Objectsfor Dashboards
■ Folder– Dashboard
» Page
■ Request
![Page 15: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/15.jpg)
December 5, 2008 15
Authorization: Web Catalog Objectsfor Answers
■ Subject Area■ Folder■ Request
![Page 16: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/16.jpg)
December 5, 2008 16
Authorization: Web Catalog Permissions
■ No Access■ Traverse■ Read■ Change/Delete■ Full Control
![Page 17: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/17.jpg)
December 5, 2008 17
Authorization: Groups
■ BI Server/Repository Security– Groups
■ Presentation Services Security– Web Groups
![Page 18: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/18.jpg)
December 5, 2008 18
Authorization: Groups
PeopleSoft
Finance
Roles
PeopleSoft
HCM
Roles
Other
Application
Roles
Consolidated
Roles
Tables
Data
Warehouse
Roles
BI Server
Groups
Presentation
Services
Web Groups
![Page 19: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/19.jpg)
December 5, 2008 19
Groups via Session Variables: Step 1
■ Set up Oracle Table/View for Groups
CP_USERNAME NAME VALUE
[email protected] DISPLAYNAME Debbie
[email protected] EMAIL [email protected]
[email protected] GROUP ALL_FINANCIAL_TABLES_RL
[email protected] GROUP ALL_RSOL_TABLES_RL
[email protected] GROUP BI_REQUEST_DEVELOPER_FIN_RL
[email protected] GROUP WAREHOUSE_USER
[email protected] DISPLAYNAME George
[email protected] EMAIL [email protected]
[email protected] GROUP ALL_FINANCIAL_TABLES_RL
[email protected] GROUP POLYDATA_SUPPORT_RL
[email protected] GROUP WAREHOUSE_USER
![Page 20: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/20.jpg)
December 5, 2008 20
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email AddressSession
Variables
v
![Page 21: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/21.jpg)
December 5, 2008 21
Groups via Session Variables: Step 2
■ Session Initialization Block– Row-wise initialization– No Caching– Execution Precedence
select name, value from dwadmin.obiee_session_variables where cp_username = lower(':USER')
![Page 22: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/22.jpg)
December 5, 2008 22
Session Variables Initialization Block
![Page 23: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/23.jpg)
December 5, 2008 23
Groups via Session Variables: Step 3
■ Create OBI Groups– BI Server
» Group
– Presentation Services» Web Group
![Page 24: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/24.jpg)
December 5, 2008 24
Groups: Things to Remember
■ Do not manually grant BI Server Groups to Users
■ Group and Web Group must be exactly the same name
![Page 26: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/26.jpg)
December 5, 2008 26
Authorization: Dashboards
■ Create a folder for each Subject Area■ Create a sub-folder for each Page
– Requests
■ Each Dashboard has the same permissions
■ Each Page on the Dashboard has the same permissions
![Page 27: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/27.jpg)
December 5, 2008 27
Authorization: Things to Remember
■ Object Owner ALWAYS has Full Control– Set Owner to Administrator
■ Permission Inheritance… Sort of.■ Apply changes to sub-folders
– Web Based Tool Default: YES– Windows Based Tool Default: NO
■ Special user: System Account
![Page 28: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/28.jpg)
December 5, 2008 28
Recommendations
■ Keep it simple!■ Assign permissions to groups only■ Assign permissions at the folder level
– Everything in a folder has the same permissions
![Page 30: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/30.jpg)
December 5, 2008 30
Row Level Security
■ What data drives Row Level Security?– PeopleSoft DEPTID
![Page 31: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/31.jpg)
December 5, 2008 31
Row Level Security: Step 1
■ Create Oracle Table/View for DEPTIDs
CP_USERNAME NAME VALUE
[email protected] DISPLAYNAME Debbie
[email protected] EMAIL [email protected]
[email protected] GROUP ALL_FINANCIAL_TABLES_RL
[email protected] GROUP ALL_RSOL_TABLES_RL
[email protected] GROUP BI_REQUEST_DEVELOPER_FIN_RL
[email protected] GROUP WAREHOUSE_USER
[email protected] HR_DEPTID 100100
[email protected] HR_DEPTID 100200
[email protected] HR_DEPTID 100300
[email protected] HR_DEPTID 100400
[email protected] HR_DEPTID 100500
![Page 32: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/32.jpg)
December 5, 2008 32
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email Address
HRDEPTIDs
Session
Variables
v
FinanceDEPTIDs
Finance
FUNDs
![Page 33: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/33.jpg)
December 5, 2008 33
Session Variables Table
CP_USERNAME NAME VALUE
[email protected] DISPLAYNAME Debbie
[email protected] EMAIL [email protected]
[email protected] GROUP ALL_FINANCIAL_TABLES_RL
[email protected] GROUP ALL_RSOL_TABLES_RL
[email protected] GROUP BI_REQUEST_DEVELOPER_FIN_RL
[email protected] GROUP WAREHOUSE_USER
[email protected] HR_DEPTID 100100
[email protected] HR_DEPTID 100200
[email protected] FINANCE_DEPTID 122900
[email protected] FINANCE_DEPTID 122901
[email protected] FINANCE_FUND GA002
![Page 34: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/34.jpg)
December 5, 2008 34
Row Level Security: Step 2
■ Session Initialization Block– Same initialization block that we used for GROUPS– If done this way, the initialization block does not
need to change
![Page 35: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/35.jpg)
December 5, 2008 35
Row Level Security: Step 3
■ Open the Logical Data Source– In the business model layer, not the physical layer
![Page 36: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/36.jpg)
December 5, 2008 36
Row Level Security: Step 4
■ Add the appropriate where statement to limit rows based on the new session variable.– Use the expression builder
to generate the code.– Since the HR_DEPTID is a
dynamic session variable, it does not show up in the list of available variables.
– Select the USER variable to generate the code, then change the variable name to HR_DEPTID.
![Page 38: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/38.jpg)
December 5, 2008 38
Become Another User
■ See what a dashboard looks like when a different user logs in– Don’t as for their password!
■ All security is now based on session variables coming from Oracle tables
■ When a user logs in we can change everything about them
■ Exceptions– Cannot change a persons username– Object owner always has full control
![Page 39: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/39.jpg)
December 5, 2008 39
PAUSE – Session Variables Tables
Groups
Other VariablesDisplay Name
Email Address
HRDEPTIDs
FinanceDEPTIDs
Finance
FUNDs
Session
Variables
Security
Override
Session
Variablesv v
![Page 40: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/40.jpg)
December 5, 2008 40
Security Override Table
■ Simple table with two columns– CP_USERNAME– BECOME_CP_USERNAME
![Page 42: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/42.jpg)
December 5, 2008 42
Security Audit
■ WARNING
http://propellerheadhats.com/
![Page 43: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/43.jpg)
December 5, 2008 43
Security Audit – Requirements
■ Need an easy way to find differences between two web catalogs– Users– Groups– Permissions– Privileges
■ Check ownership of Web Catalog Objects■ We want to know why it works the way it does
![Page 44: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/44.jpg)
December 5, 2008 44
Security Audit – Has it been done before?
■ Built-In?– NO!
■ Consultants– “That’s been an internal challenge for us
and we haven't been able to locate the files where that is stored”
■ Google– No Luck…
![Page 45: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/45.jpg)
December 5, 2008 45
Security Audit
■ Web Catalog is just files and folders on the OS file system
■ File/Folder name is based on OBI display name– URL encoded and lower case
» Object Name => object+name
■ Every file and folder of the catalog has an associated “.atr” file– object+name– object+name.atr
![Page 46: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/46.jpg)
December 5, 2008 46
Security Audit
■ Binary Files– Linux command to hex dump a binary file
» xxd
$xxd presentation+server+administrators
0000000: 0200 017c bc61 aacd bb2a 8a ...\|.a...*.
$xxd presentation+server+administrators.atr
0000000: 8000 0c00 2200 0000 7072 6573 656e 7461 ...."...presenta
0000010: 7469 6f6e 2073 6572 7665 7220 6164 6d69 tion server admi
0000020: 6e69 7374 7261 746f 7273 0600 01ff ffff nistrators......
0000030: ffff ffff ff01 0001 feff ffff ffff ffff ................
0000040: 0300 0000 0e00 0000 6163 636f 756e 7469 ........accounti
0000050: 6e64 6578 2131 0200 0000 0000 0000 ndex!1........
![Page 47: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/47.jpg)
December 5, 2008 47
Security Audit – Users and Groups
■ Users– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu– <catalog_root>/system/security/users/154/dmalone@calpoly%2eedu.atr
■ Groups– <catalog_root>/system/security/groups/523/presentation+server+administrators– <catalog_root>/system/security/groups/523/presentation+server+administrators.atr
■ Account IDs– <catalog_root>/system/accountids/699/32539c1d5ffdb65b– <catalog_root>/system/accountids/699/32539c1d5ffdb65b.atr
![Page 48: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/48.jpg)
December 5, 2008 48
■ <catalog root>/system/privs– /catalog
» /changepermissionsprivilege» /changepermissionsprivilege.atr» /maintenancemodeprivilege» /maintenancemodeprivilege.atr
– /generalprivs» /global+admin» /global+admin.atr» /global+answers» /global+answers.atr» /global+portal» /global+portal.atr
– /security» /administerprivs» /administerprivs.atr» /takeownershipprivs» /takeownershipprivs.atr
– /…» /…
Security Audit – Privileges
![Page 49: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/49.jpg)
December 5, 2008 49
Security Audit – Privileges
■ privilege file– The number of accounts granted this privilege is located at byte 12. – The account list starts at byte 13.
» Each account listed contains 13 bytes » The first 2 bytes always seems to be 00 01 » The next 8 bytes are the HEX ID of the account » The next 2 bytes determine if the privilege is granted or explicitly denied
◊ FF FF - Granted (for the first entry in the list) ◊ 01 00 - Granted (for other entries in the list) ◊ 00 00 - Explicitly denied
» The next byte always seems to be 00 ■ privilege.atr file
– Byte 5 contains the length of the display name. – Byte 9 is where the display name starts.
![Page 50: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/50.jpg)
December 5, 2008 50
Security Audit – Permissions
■ object+name.atr file– Byte 4 Contains the length of the object name that starts on Byte 8– Byte 8 Start of the name of the object in nice form, including caps and
spaces.– Byte (11 + value of Byte 4) - Contains the HEX ID of the owner of this object
- 8 Bytes– Byte (19 + value of Byte 4) - Contains the number of permissions that have
been assigned, in our case to groups.– Next, each of the permission is represented in a 13 byte block.
» The first 2 bytes seems to always be 00 01 » The next 8 bytes of the 12 byte block contains the HEX ID of the user or group. » The next 2 bytes of the 12 byte block contains the permission granted.
◊ FF FF - Full Control ◊ 0F 00 - Change/Modify ◊ 03 00 - Read ◊ 02 00 - Traverse ◊ 00 00 - No Access
» The last byte seems to always be 00
![Page 51: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/51.jpg)
December 5, 2008 51
Security Audit – Perl saves the day
■ Script traverses the ‘important’ branches of the web catalog
■ Parses and collects security information■ Loads into Oracle tables
– obiee_security_aud_accounts– obiee_security_aud_group_mem– obiee_security_aud_objects– obiee_security_aud_object_perm– obiee_security_aud_privs
![Page 52: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/52.jpg)
December 5, 2008 52
Security Audit – Queries
■ Objects without proper ownership■ Differences between two catalogs
– Users and Groups– Group memberships– Object differences– Object Permissions– Privileges
![Page 54: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/54.jpg)
December 5, 2008 54
Questions?
![Page 55: Security Overview PeopleSoft](https://reader035.vdocuments.site/reader035/viewer/2022081413/54671e11b4af9f5d3f8b5643/html5/thumbnails/55.jpg)
December 5, 2008 56
Contact
■ OBIEE Technical Conference:http://polydata.calpoly.edu/dashboards/obiee_conf/index.html
■ Email: [email protected]