Dylan's BI Study Notes

My notes about Business Intelligence, Data Warehousing, OLAP, and Master Data Management

Data Security

BI Server from OBIEE provides the data security support. You can configure the repository file to meet your own data security requirements.

The term data security is to describe the requirement of securing data by rows. Your fact table may have 1000 records, a given user may only see 400 of them. Your HR organization dimension may 100 members, but a given user only see the 10 organization relevant to him.

I will describe the basic concept in this article. User Authentication is another subject and will not be covered. We will only discuss about how to secure the data a user can access, assuming the user is already authenticated.

1. To provide the data security, you need to have a way to identify the data set. It can be a dimension, a common attribute of dimensions, or a common fact attribute. For example, you may want to secure data by departments. The departments are defined as a dimension itself. When the user login to the application, they can only see their own department. Since the fact data are linked to the dimension, they will only see the fact records that are owned by the department.

2. Also, you need to have a place to hold the permissions. The permission data for data security basically describe what data set a user can see. Your permission data can be very complex from maintenance perspective. However, when it come down to configure the BI server, the idea is very simple. For a given user session, you need to describe to the BI server how to get the list of data set the user can access. In the above example, the data set will be identified by departments. For a given user, you will have one or a list of departments the user are permitted to view. You need to tell BI server where to fetch the list for a given user.

3. Another configuration point to define what dimension or fact tables are secured by the set.  Basically, what data are secured by the securing dimension or attributes.

Here are the implementation steps:

1.  Determine the securing attribute and make sure it is available in your warehouse schema.   If you want to secure data by departments.   How departments are represented.  Are they modeled as a dimension?
2.  Create an initialization block  to retrieve a list of the allowable values from your permission data source.  The list of values should be held as the dynamic session variables.

3. Assign the filter to objects in your warehouse and grant them to the users or groups.

In BI server, this is done via the Security Manager following the following steps:

  • Select a user or a group
  • Add permissions to the user or the group
  • Add filter

A filter is basically a where clause attached to the logical SQL.  They key is that the BI EE allos you to apply the ” = VAULEOF(NQ_SESSION.”<dynamic variable name>” to any logical table attribute.  Whenever the user query the logical tables, the predicate will be dynamically attached to the query.

Advertisements

One Response to “Data Security”

  1. cedricbourgeois said

    Hi Dylan !
    I am currently involved in setting up security in OBIEE, and my needs are close to what you describe. Still, I get stuck on the following problem:
    I wand to be able to filter on one or more brand, depending on the user (or on a group he’d belong to). But if I use a single session variable, I’ll be able to store only one brand in it. So it means I should have to set up a session variable for each brand I want to grant the user. I don’t think this is very clean, as it would limit the number of brands a user can be granted.
    Do you have any advice ?

    thanks.
    Cedric.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s