In part one I shared with you the first section of the Oracle white paper on integrating 11g with AD.
Following it to the letter worked fine, but there were a couple of glitches.
The only groups we wanted to match into Application Roles were those with OBIEE in their name. Setting a filter on the ‘All Groups Filter’ of (|(cn=*OBIEE*)(cn=*obiee*)) did the trick of only listing those groups that we wanted, in Weblogic.
The objective for the client was to restrict access to the system only to users who were members of any group with OBIEE in the name.
The natural place to make this happen, for me at least, was in the user filters in the provider settings. This did the trick, like groups, of restricting the users list in Weblogic.
So far so good.
We now ask a user to log in who is not a member of any obiee goup.
Strangely enough they are able to log in no problem.
So the BI system authenticated them because they were in AD, but ignored the filters altogether!
The good news is that they had no permission to do anything (I had sorted out the (application Role) privileges to remove the default ones – I don’t think the default ones are useful so replaced them all).
BTW, there are no extra init blocks for authentication and authorisation. The application roles work fine so no real need for extra authorisation effort.
The other annoying glitch was that if you entered an ‘All Users’ filter, then there was no way of un-setting it. This led us to re-create the Provider again.
Next time, creating Windows services of 11g JVM’s.
@drian
Link to Document: https://supporthtml.oracle.com/ep/faces/secure/km/DocumentDisplay.jspx?id=1274953.1
I was wondering if you could show the All Users filter that was used to limit only the users who were members of any group with OBIEE in the name. I wish to do the same, but I’m struggling with the syntax.
I will try to dig it out.
In the end I removed the filter as there is a bug in the system, which effectively means that the filter is ignored anyway.