BI Server from OBIEE provides the data security support. You can configure the repository file to meet your own data security requirements.
The term data security is to describe the requirement of securing data by rows. Your fact table may have 1000 records, a given user may only see 400 of them. Your HR organization dimension may 100 members, but a given user only see the 10 organization relevant to him.
I will describe the basic concept in this article. User Authentication is another subject and will not be covered. We will only discuss about how to secure the data a user can access, assuming the user is already authenticated.
1. To provide the data security, you need to have a way to identify the data set. It can be a dimension, a common attribute of dimensions, or a common fact attribute. For example, you may want to secure data by departments. The departments are defined as a dimension itself. When the user login to the application, they can only see their own department. Since the fact data are linked to the dimension, they will only see the fact records that are owned by the department.
2. Also, you need to have a place to hold the permissions. The permission data for data security basically describe what data set a user can see. Your permission data can be very complex from maintenance perspective. However, when it come down to configure the BI server, the idea is very simple. For a given user session, you need to describe to the BI server how to get the list of data set the user can access. In the above example, the data set will be identified by departments. For a given user, you will have one or a list of departments the user are permitted to view. You need to tell BI server where to fetch the list for a given user.
3. Another configuration point to define what dimension or fact tables are secured by the set. Basically, what data are secured by the securing dimension or attributes.
Here are the implementation steps:
1. Determine the securing attribute and make sure it is available in your warehouse schema. If you want to secure data by departments. How departments are represented. Are they modeled as a dimension?
2. Create an initialization block to retrieve a list of the allowable values from your permission data source. The list of values should be held as the dynamic session variables.
3. Assign the filter to objects in your warehouse and grant them to the users or groups.
In BI server, this is done via the Security Manager following the following steps:
- Select a user or a group
- Add permissions to the user or the group
- Add filter
A filter is basically a where clause attached to the logical SQL. They key is that the BI EE allos you to apply the ” = VAULEOF(NQ_SESSION.”<dynamic variable name>” to any logical table attribute. Whenever the user query the logical tables, the predicate will be dynamically attached to the query.