BIWA Summit - Day 2
December 4th, 2008 by Peter Scott
The second day has just ended, and now I am back in the hotel thinking of grabbing a bite to eat before the fun tasks of finishing a report for a customer and packing… just hope my stuff still fits my suitcase.
Conferences seem to start early here - and that, coupled with a 15 minute walk from the hotel to the Oracle Conference Center, makes for a long day.
First up was the final keynote of the Summit, Juan Loaiza speaking on Oracle Exadata. The rest of the day was in technical sessions. Bryan Wise speaking on Securing OBIEE was well worth listening to. Although I have set clients up with LDAP security before, I learnt a couple of useful tips including how to use groups within the LDAP service; in the past I shied against this and preferred to manage groups through a database look-up (and that was still Bryan’s preferred method). The idea of writing a database function that uses a call to DBMS_LDAP to return a semicolon separated list of group memberships had not really struck me. He also gave a very sound piece of advice: if you are implementing SSO, don’t activate it until you have tested your security model. As soon as SSO is on, the repository security model is no longer usable - make a mistake and you, the administrator, can get locked out.
One thing I like doing is looking at things I don’t see on a day-to-day basis, so the talk on “Crystal Ball” was an interesting diversion for me; then thoughts of my current project beckoned, so on to a talk on Master Data Management. Lunch was a ‘birds of a feather’ type of thing - I started on one of the data warehouse tables before going to join one of the OWB tables.
Stayed in the same seat for another, but this time more technical, talk on Exadata and the Oracle/HP DW machine, and still did not move for Maria Colgan’s talk ‘Oracle 11g Optimizer Uncovered’ - three of my big gripes from pre-11g data warehousing seem to have efficient resolutions in 11g; and to think of the hoops I had to go through to get around them in Oracle 9.2 or 10g. Getting cardinalities right for correlated columns, keeping optimal query plans after patches / upgrades and quickly maintaining global stats on partitioned tables have been major issues for me when I used to operate (and not just develop) data warehouses. Her other feature, bind peeking on skewed columns, is less of a problem for me as mostly I don’t see bind variables in use.
Finished a long day with talks on SOA and unstructured data. All-in-all a great conference, I am already looking forward to the next one!

December 5th, 2008 at 3:16 pm
As a consultant for Initiate Systems (one of the major players in the MDM marketspace), I always find pieces such as this entertaining and informative.
Keep up the good work!
December 12th, 2008 at 5:36 pm
Peter, thanks so much for the post.
After reviewing Bryan Wise’s presentation for security in OBIEE, I see how username/password Authentication occurs from LDAP, but for Authorization he queries user and group database tables he created and is therefore required to manually maintain and update the user-to-group assignments table as users are added/removed from the LDAP directory. I was just wondering if there was another recommended way for authorization. When you mentioned:
“I learnt a couple of useful tips including how to use groups within the LDAP service; in the past I shied against this and preferred to manage groups through a database look-up (and that was still Bryan’s preferred method)…”
Are you referring to the user-to-group table scenario I mentioned above when you said “…how to use groups within the LDAP service”, or are you referring to something else I must have missed in the presentation? You mentioned you have “shied against this” in favor of “managing groups through a database look-up” that you also said was Bryan’s preferred method. Sorry I didn’t follow that particular point - would you be able to expound on it just a bit more for me Peter?
Many thanks and much appreciated,
Jeremy
December 12th, 2008 at 11:56 pm
@Jeremy: I think it was a passing remark from Bryan. The idea is to write a function in PL/SQL that takes the LDAP user_id and returns a list of OBIEE groups for the user. This function is used in an initialization block to populate the groups. The function uses calls to the Oracle DBMS_LDAP to connect to the LDAP server and DBMS_LDAP_UTIL to find the group memberships. All this, of course, assumes that some attribute stored in LDAP is usable for OBIEE groups!
It gets a bit more complex if groups also belong to groups - you need to loop through the memberships in that case. I wrote about this recently on the OBIEE forum on OTN.
In the past I have used the method that Bryan proposed in his presentation - a table in the database that held users and a list of groups (semicolon separated). This is robust but has a support overhead associated with people joining and moving groups. Using LDAP to supply the groups would probably need the “select users_ldap_groups(user) from dual;” approach I described above, that is, using a custom function to return the group list (again separated with semicolons). The downside is that the LDAP admin people will probably need to set up and maintain a group attribute specifically for OBIEE, as their current groups may not align to the OBIEE data visibility requirements.
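
A sketch of the kind of function discussed in this thread, added here as an example; it is not code from the presentation or from either commenter. The host, base DN, bind account and the `uid` / `obieeGroup` attribute names are assumptions, it uses only DBMS_LDAP (no DBMS_LDAP_UTIL), and it reads a flat multi-valued attribute rather than walking groups nested in groups.

```plsql
-- Added example. All directory details below are assumed placeholders.
CREATE OR REPLACE FUNCTION users_ldap_groups (p_user IN VARCHAR2) RETURN VARCHAR2
IS
  c_host    CONSTANT VARCHAR2(64)  := 'ldap.example.com';              -- assumed
  c_port    CONSTANT PLS_INTEGER   := 389;                             -- assumed
  c_base    CONSTANT VARCHAR2(128) := 'ou=people,dc=example,dc=com';   -- assumed
  c_bind_dn CONSTANT VARCHAR2(128) := 'cn=obiee_reader,dc=example,dc=com'; -- assumed read-only account
  c_bind_pw CONSTANT VARCHAR2(64)  := 'PLACEHOLDER';  -- load from a protected store in practice
  l_sess    DBMS_LDAP.SESSION;
  l_rc      PLS_INTEGER;
  l_attrs   DBMS_LDAP.STRING_COLLECTION;
  l_vals    DBMS_LDAP.STRING_COLLECTION;
  l_msg     DBMS_LDAP.MESSAGE;
  l_uid     VARCHAR2(256);
  l_groups  VARCHAR2(4000);
BEGIN
  IF p_user IS NULL THEN RETURN NULL; END IF;
  -- Escape LDAP filter metacharacters (RFC 4515) so the user name cannot
  -- widen the search, e.g. '*' matching every entry. Backslash goes first.
  l_uid := REPLACE(REPLACE(REPLACE(REPLACE(p_user,
             '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29');

  DBMS_LDAP.USE_EXCEPTION := TRUE;          -- raise on LDAP errors
  l_sess := DBMS_LDAP.init(c_host, c_port);
  -- For production, DBMS_LDAP.open_ssl with a wallet keeps the bind off clear text.
  l_rc := DBMS_LDAP.simple_bind_s(l_sess, c_bind_dn, c_bind_pw);

  l_attrs(1) := 'obieeGroup';               -- assumed attribute holding OBIEE groups
  l_rc := DBMS_LDAP.search_s(l_sess, c_base, DBMS_LDAP.SCOPE_SUBTREE,
                             '(uid=' || l_uid || ')', l_attrs, 0, l_msg);

  -- Fail closed: anything other than exactly one matching entry yields no groups.
  IF DBMS_LDAP.count_entries(l_sess, l_msg) = 1 THEN
    l_vals := DBMS_LDAP.get_values(l_sess,
                DBMS_LDAP.first_entry(l_sess, l_msg), 'obieeGroup');
    IF l_vals.COUNT > 0 THEN
      FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
        l_groups := l_groups
                    || CASE WHEN l_groups IS NOT NULL THEN ';' END || l_vals(i);
      END LOOP;
    END IF;
  END IF;

  l_rc := DBMS_LDAP.unbind_s(l_sess);
  RETURN l_groups;                          -- semicolon-separated list, or NULL
EXCEPTION
  WHEN OTHERS THEN
    IF l_sess IS NOT NULL THEN l_rc := DBMS_LDAP.unbind_s(l_sess); END IF;
    RAISE;
END users_ldap_groups;
/
```

Because the return value decides data visibility, the function gives an empty group list when the lookup is ambiguous and lets directory errors propagate instead of falling back to a default group.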