Oracle’s Latest White Paper: A New Way to Authenticate Oracle BI (OBIEE) and Oracle Essbase?!

Here at Performance Architects we typically find ourselves perusing the Oracle Support blogs on a daily basis as they are a hotbed of new and interesting information. One article recently made the rounds of our company email because the content piqued some serious interest – and so, of course, we’re sharing our thoughts with you as well!

Oracle’s latest business analytics white paper, entitled “OBIEE to Essbase Authentication Methods,” covers all of the various means to provide access between Oracle Essbase and Oracle Business Intelligence Enterprise Edition (OBIEE).

The methods outlined range from a common shared user accessing the Essbase cubes, to security pass-through where OBIEE users are passed down to Essbase for authentication. Any flavor of the latter is our personal preference, as it allows Essbase to manage data security. This leverages the strengths of Essbase filters, and provides common security throughout the tools that access Essbase – like OBIEE, Smart View, or Hyperion Planning. But we digress – back to the article, and to different options!

The white paper reviews the following options:

  1. A hardcoded “Shared Username/Password” combination that allows all users to access OBIEE via one Essbase user. We find that this is great when testing those first-time connections and doing basic development, but it does not offer much of a data security model.
  2. A “BI Username/Password” pass-through, where the OBIEE username and password are sent down to Essbase to be authenticated against Shared Services. This works really well when both OBIEE and Essbase have access to the same LDAP directory. However, as the article highlights, the one downside is when trying to schedule content (via Agents) that acts on user security. Since the password is not preserved, it’s not an option.
  3. CSS token-based single sign-on (SSO), where SSO is configured across both environments using tokens, which involves making a series of configuration changes to both the EPM middleware instance and the OBI instance.
  4. The highlight of the article is the newest feature: Essbase impersonation using EssLoginAs. Using this method, OBIEE connects and calls the EssLoginAs API function using the Essbase Admin user, and then passes through the actual OBIEE username. This prompts Essbase to run the OBI query as the OBIEE user, without the need to store or capture the user’s password. This allows you to use Deliver content too! The EssLoginAs method is available as of 11.1.1.7, patch 141014 and later. It does not require any special setup on the Essbase server side. On the OBI side, the setup can be done via the connection pool used to connect to Essbase. Here, the administrator will provide shared administrator credentials and also check the “SSO” box:

[Image: TBMB 1]

Assuming the same OBI user is present in Essbase, the work is basically done. A quick check of the Essbase log confirms the impersonation (here, “WebLogic” is the admin, “test_biauthor” is the desired user):

[Image: TBMB 2]

Once the connection pool expires, OBI will also make sure to log out the user:

[Image: TBMB 3]

Here is a link to the article: https://blogs.oracle.com/proactivesupportEPM/entry/new_whitepaper_obiee_to_essbase.

Authors: Tom Blakeley and Michael Bender, Performance Architects

