19 Advanced ODI Administration

This document discusses security concepts and configuration in Oracle Data Integrator. It covers creating users and profiles, assigning authorizations by profile or user, and defining password policies. The security navigator is used to manage security by creating and assigning users, profiles, and authorizations.

Uploaded by Dileep

Setting Up ODI Security

Introduction to ODI Security Navigator


Using the Security Navigator tab, you can manage security in ODI. The Security Navigator
module allows ODI users and profiles to be created. It is used to assign user rights for
methods (edit, delete, and so on) on generic objects (data server, data types, and so on), and
to fine-tune these rights on the object instances (Server 1, Server 2, and so on).
The Security Navigator stores this information in a Master repository. This information can be
used by all the other modules.

Introduction to Security Navigator (continued)


Security Navigator objects available to the current user are organized by these tree views:
- The objects, describing each ODI elements type (datastore, model, and so on)
- The users’ profiles, users, and their authorizations
• You can perform the following operations in each tree view:
- Insert or import root objects to the tree view by clicking the appropriate button in
the frame title.
- Expand and collapse nodes by clicking them.
- Activate the methods associated with the objects (Edit, Delete, and so on) through
the pop-up menus.
- Edit objects by double-clicking them or by dragging them on the Workbench.
• The windows for the object being edited or displayed appear in the Workbench
Note: Each tree view appears in floatable frames that may be docked to the sides of the main
window. These frames can also be stacked up. When several frames are stacked up, tabs
appear at the bottom of the frame window to access each frame of the stack. Tree view
frames can be moved, docked, and stacked by selecting and dragging the frame title or tab.
To lock the position of views, select Lock window layout from the Windows menu. If a tree
view frame does not appear in the main window or has been closed, it can be opened by
using the Windows > Show View menu.

Overview of Security Concepts


Objects, instances, and methods:
• Object: The representation of an element that can be
handled through ODI (agents, models, datastores)
• Instance (object instance): Is attached to an object type
(an object). For example, the MY_PROJ_1 project is an
instance of the project object type.
• Method: Type of action that can be performed on an object
• A profile represents a generic rights model for working with
ODI. An authorization by profile is placed on an object’s
method for a given profile.
• User: An ODI user who corresponds to the login name
used for connecting to a repository
Overview of Security Concepts
• Objects are the visible part of ODI object components (Java classes). It is necessary to
combine the notions of object and object instance (or instances), which in ODI are
similar to object-oriented programming notions.
• An example of an instance, MY_PROJ_1, is an instance of the project object type.
Similarly, another instance of a project-type object is YOUR_PROJ_2.
• Each object has a series of methods that are specific to it. The notion of method in Data
Integrator is similar to the one in object-oriented programming.
• One or more profiles can be assigned to a user. An authorization by profile is placed on
an object’s method for a given profile. It allows a user with this profile to be given—either
optionally or automatically—the right to this object through the method. The presence of
an authorization by profile for a method, under an object in the tree of a profile, shows
that a user with this profile is entitled (either optionally or automatically) to this object’s
instances through this method. The absence of authorization by profile shows that a user
with this profile cannot, under any circumstance, invoke the method on an instance of
the object.

Overview of Security Concepts (continued)


• A user in the Security Navigator module represents an ODI user and corresponds to the
login name used for connecting to a repository. A user inherits the following rights:
- The profile rights he or she already has
- Rights on objects
- Rights on instances
An authorization by the user is placed on a method of an object for a given user. It
allows the user to be given, either optionally or automatically, the right to this object
through the method.
Note: Objects and methods are predefined in ODI and must not be changed.

Defining Security Policies


1. Create appropriate profiles for your working methods, and
give them generic rights to objects.
2. Create the users.
3. Give the users the generic profiles.
4. Optionally, you can define a password policy to encourage
users to use a secured password.
Creating a New Profile
To create a new profile:
1. Select Profiles to display the tree. Right-click and select New profile.
2. Enter the name. Click the Save button.
3. Verify that your new profiles have been added to the tree view.
The profile is displayed in the tree.
Note: To delete a profile:
1. Select the profile to be deleted.
2. Right-click and select Delete. Click OK. The profile disappears from the tree.

Using Generic and Nongeneric Profiles


• Generic Profiles
– Have the Generic privilege option selected for all object
methods
– A user with such a profile is by default authorized for all
methods of all instances of an object.
• Nongeneric Profiles
– Are not default authorized for all methods of all instances of
an object
– The administrator must grant the user the rights on the
methods for each instance.

Using Generic and Nongeneric profiles


If the security administrator wants a user to have the rights on no instance by default, but
wants to grant the rights by instance, the user must be given a nongeneric profile.
If the security administrator wants a user to have the rights on all instances of an object type
by default, the user must be given a generic profile.
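The rights model described in the preceding sections (authorizations by profile and by user on an object's methods, the Generic privilege flag that separates generic from nongeneric profiles, and per-instance grants) can be made concrete in a small model. The following Python is an added illustration, not ODI code and not the ODI SDK; the object and method table, the profile names and the project instance names are constructed for the example, and the access check implements exactly the rules stated in the text: a user is entitled through a method only if some profile or user-level authorization exists on that method, and a nongeneric authorization additionally needs a right on the specific instance.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Objects and their methods are predefined in ODI and must not be changed. This
# table is constructed for the example and lists only what the example needs.
OBJECT_METHODS: Dict[str, Set[str]] = {
    "Project": {"View", "Edit", "Delete"},
    "DataServer": {"View", "Edit", "Delete"},
}

Auth = Tuple[str, str]  # (object type, method)


def check_method(obj: str, method: str) -> None:
    """Reject anything that is not a predefined object method."""
    if method not in OBJECT_METHODS.get(obj, set()):
        raise ValueError(f"{obj}.{method} is not a predefined ODI object method")


@dataclass
class Profile:
    """A generic rights model. Each authorization by profile sits on one method
    of one object type and carries the Generic privilege flag: True means the
    holder is authorized on every instance by default (generic profile), False
    means rights must be granted instance by instance (nongeneric profile)."""
    name: str
    authorizations: Dict[Auth, bool] = field(default_factory=dict)

    def grant(self, obj: str, method: str, generic: bool) -> "Profile":
        check_method(obj, method)
        self.authorizations[(obj, method)] = generic
        return self

    def grant_all_methods(self, obj: str, generic: bool) -> "Profile":
        # Dragging a whole object onto a profile assigns all of its methods.
        for method in OBJECT_METHODS[obj]:
            self.grant(obj, method, generic)
        return self


@dataclass
class User:
    """An ODI user: the repository login name, the profiles assigned to it,
    its own authorizations by user, and its rights on instances."""
    name: str
    profiles: List[Profile] = field(default_factory=list)
    authorizations: Dict[Auth, bool] = field(default_factory=dict)
    instance_rights: Set[Tuple[str, str, str]] = field(default_factory=set)

    def grant_instance(self, obj: str, method: str, instance: str) -> "User":
        check_method(obj, method)
        self.instance_rights.add((obj, method, instance))
        return self


def is_authorized(user: User, obj: str, method: str, instance: str) -> bool:
    """True if `user` may invoke `method` on `instance` of object type `obj`.
    The user inherits profile rights, rights on objects and rights on instances."""
    check_method(obj, method)
    sources = [p.authorizations for p in user.profiles] + [user.authorizations]
    for auths in sources:
        generic = auths.get((obj, method))
        if generic is None:
            continue  # this source carries no authorization on the method
        if generic or (obj, method, instance) in user.instance_rights:
            return True
    # No authorization on this method anywhere: the method cannot be invoked on
    # any instance of the object, whatever instance rights the user holds.
    return False


if __name__ == "__main__":
    # Constructed example: one generic and one nongeneric project profile.
    designer = Profile("DESIGNER_GENERIC").grant_all_methods("Project", generic=True)
    by_instance = Profile("DESIGNER_BY_INSTANCE").grant_all_methods("Project", generic=False)
    alice = User("ALICE", profiles=[designer])
    bob = User("BOB", profiles=[by_instance]).grant_instance("Project", "Edit", "MY_PROJ_1")
    print(is_authorized(alice, "Project", "Edit", "YOUR_PROJ_2"))  # True
    print(is_authorized(bob, "Project", "Edit", "MY_PROJ_1"))      # True
    print(is_authorized(bob, "Project", "Edit", "YOUR_PROJ_2"))    # False
```

The last check in the model is the one administrators most often get wrong: an instance right alone is never enough. If no profile (or user-level authorization) carries the method at all, the instance grant is inert, which is the "cannot, under any circumstance" rule from the text.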

Built-in Profiles
• CONNECT: To connect to Oracle Data Integrator
• DESIGNER: To perform development operations
• METADATA_ADMIN: To manage metadata
• OPERATOR: To manage run-time objects (for production
users)
• REPOSITORY_EXPLORER: To view objects
• SECURITY_ADMIN: To edit security (for security
administrators)
• TOPOLOGY_ADMIN: To edit Topology (for ODI
administrators)
• VERSION_ADMIN: To create, restore, and edit versions
and solutions
Built-in Profiles
ODI has some built-in profiles that the security administrator can assign to the users he
creates. This slide shows some built-in profiles delivered with ODI. For a complete list of built-in
profiles, see Oracle Fusion Middleware Developer's Guide for Oracle Data Integrator 11g
Release 1 (11.1.1).
• CONNECT must be granted with another profile.
• DESIGNER: Use this profile for users who will work mainly on projects.
• METADATA_ADMIN: Use this profile for users who work mainly on models.
• OPERATOR: Use this profile for production users.
• REPOSITORY_EXPLORER: Use this profile for users who do not need to modify
objects.
• SECURITY_ADMIN: Use this profile for security administrators.
• TOPOLOGY_ADMIN: Use this profile for system or Oracle Data Integrator
administrators.
• VERSION_ADMIN: Use this profile for those entitled to perform version management
operations.

Creating a New User


To create a new user:
1. Open the Users tab. Click the New User icon, and select New User.
2. Enter the name, the initials, and the user’s password (by clicking the Enter a password
button).
3. Click OK, and then click the Save icon. Verify that your new user appeared in the tree
view.
The user icon and information are displayed in the tree.
Note: To delete a user:
1. Select the user to be deleted.
2. Right-click and select Delete.
3. Click OK.
The user icon and information disappear from the tree.
Assigning a Profile to a User
To assign a profile to a user:
1. Expand the tree to display the user that you want to assign the profile to.
2. Select the profile that you want to assign, then drag it onto the user branch in the tree.
3. Click Yes to confirm creating this profile for the user. Click the Save icon.
4. Expand the user’s node and verify that the new profile was added under the Profiles
node.
The profile is assigned to the user.
Note: To remove a profile from a user:
1. Expand the tree to display the profile that you want to delete, under the user branch.
2. Select the profile (under the user) to be deleted from the tree.
3. Right-click and select Delete.
4. Click OK.
The profile is removed from the user.

Assigning an Authorization by Profile or User


To assign an authorization by profile or by user:
1. Expand the tree to display the user or the profile you want to assign the authorization to.
2. Under the object, select the method you want to assign, then drag it onto the user or the
profile.
3. Click Yes, and then click the Save icon
4. Verify that the new method is assigned to the user or profile.
The authorization is assigned to the user or the profile.
To assign authorizations on all the methods of an object to a profile or a user:
1. Expand the tree to display the user or the profile you want to assign the authorization to.
2. Select the object to which you want to assign all the methods, then drag it onto the user
or the profile.
3. Click Yes.
The authorizations on all the methods of this object are assigned to the user or the profile.
To delete an authorization by profile or user:
1. Select the method you want to delete under the user or profile branch.
2. Right-click and select Delete.
3. Click Yes.
The authorization is removed from the user or the profile.

Defining Password Policies


The password policy consists of a set of rules applied on user passwords. This set of rules is
checked when the password is defined by the user.
To define the password policy:
1. In Security Navigator, click the "Connect navigator" button, and then select Password
policy. The "Password policies" window appears. In this window, a list of rules is
displayed.
2. Click the Add a policy button. A new "Policy definition" window appears. A rule is a set
of conditions that are checked on passwords.
3. Set a name and a description for this new rule. Click the Add rule button.
4. Add conditions on the password value or length. You can define, for example, a
minimum length for the passwords from this window. Select if you want at least one
condition or all of them to be valid to consider that the password meets the rule. Click
OK. You can add as many policies as necessary, and select the check boxes of the
rules that you want active in your current policy. Only the passwords meeting all the
rules are considered valid for the current policy.
5. You can also define a period of validity for the passwords. Passwords older than this
number of days will automatically expire. The users will have to change them. Click OK
to update the password policy.
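The policy structure described in these steps (rules made of conditions on value or length, an any/all switch per rule, check boxes that activate rules, all active rules required, plus a validity period) is worth seeing as a checker. The following Python is an added example and not ODI's own implementation; the rule names, thresholds and dates are constructed, and `failing_rules` reports which active rules a candidate password misses, which is the information an administrator needs when a user's new password is rejected.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional, Set, Union

Condition = Callable[[str], bool]


def min_length(n: int) -> Condition:
    """Condition on the password length."""
    return lambda pw: len(pw) >= n


def contains(pattern: str) -> Condition:
    """Condition on the password value: a regular expression must match somewhere."""
    return lambda pw: re.search(pattern, pw) is not None


@dataclass
class Rule:
    """A rule is a set of conditions checked on the password. `require_all`
    selects whether all conditions or at least one of them must hold."""
    name: str
    description: str
    conditions: List[Condition]
    require_all: bool = True

    def accepts(self, password: str) -> bool:
        results = [cond(password) for cond in self.conditions]
        return all(results) if self.require_all else any(results)


def _as_date(d: Union[date, str]) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


@dataclass
class PasswordPolicy:
    """The rules defined in the Password policies window, the check boxes that
    activate them, and an optional validity period in days."""
    rules: List[Rule]
    active: Set[str] = field(default_factory=set)
    validity_days: Optional[int] = None

    def failing_rules(self, password: str) -> List[str]:
        """Names of the active rules the password does not meet (empty means valid)."""
        return [r.name for r in self.rules
                if r.name in self.active and not r.accepts(password)]

    def is_valid(self, password: str) -> bool:
        # Only passwords meeting all the active rules are valid for the policy.
        return not self.failing_rules(password)

    def is_expired(self, set_on: Union[date, str], today: Union[date, str]) -> bool:
        """Passwords older than the validity period expire and must be changed."""
        if self.validity_days is None:
            return False
        return (_as_date(today) - _as_date(set_on)).days > self.validity_days


# Constructed policy for the example (rule names and thresholds are assumptions).
EXAMPLE_POLICY = PasswordPolicy(
    rules=[
        Rule("MIN_LENGTH", "At least 8 characters", [min_length(8)]),
        Rule("COMPLEXITY", "A digit or a non-alphanumeric character",
             [contains(r"\d"), contains(r"[^A-Za-z0-9]")], require_all=False),
    ],
    active={"MIN_LENGTH", "COMPLEXITY"},
    validity_days=90,
)

if __name__ == "__main__":
    for pw in ["short", "longerpassword", "longerpass1"]:
        print(pw, EXAMPLE_POLICY.failing_rules(pw))
    print(EXAMPLE_POLICY.is_expired("2024-01-01", "2024-04-01"))  # True
```

Two design points mirror the text: deactivating a rule's check box (removing its name from `active`) takes it out of the check without deleting it, and the expiry test is strictly "older than" the validity period, so a password set exactly `validity_days` ago is still accepted.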

Setting User Parameters


ODI saves user parameters such as default directories, windows positions, and so on.
To set user parameters:
1. Select User Parameters from the ODI menu.
2. In the Editing User Parameters window, change the value of parameters as required.
3. Click OK to save and close the window.
Note: A list of the possible user parameters is available in the reference manual: Oracle
Fusion Middleware Developer’s Guide for Oracle Data Integrator Release 11g (11.1.1).

Overview of ODI Security Integration


• Implementing External Authentication (OPSS)
• Implementing External Password Storage
– JPS Integration

Overview of ODI Security Integration


Oracle Data Integrator stores by default all the user information as well as the users’ privileges
into the Master repository. A user who logs in to Oracle Data Integrator is authenticated against the Master
repository. This authentication method is called Internal Authentication. Oracle Data Integrator
can optionally use Oracle Platform Security Services (OPSS) to authenticate its users against
an external Identity Store, which contains enterprise users and passwords. Such an identity
store is used at the enterprise level by all applications, in order to have centralized user and
passwords definitions and Single Sign-On (SSO). In such a configuration, the repository
contains only references to these enterprise users. This authentication method is called
External Authentication.
Oracle Data Integrator stores by default all security information in the Master repository. This
password storage option is called Internal Password Storage. Oracle Data Integrator can
optionally use JPS for storing critical security information. If you are using Java Provisioning
Service (JPS) with Oracle Data Integrator, the data server passwords and contexts are stored
in the JPS Credential Store Framework (CSF). This password storage option is called
External Password Storage.

Implementing External Authentication (OPSS)


• Configuring ODI Components for External Authentication
• Setting the Authentication Mode
– Setting up When Creating the Master Repository
– Switching the Authentication Mode

Implementing External Authentication (OPSS)


Configuring ODI Components for External Authentication
• To use the External Authentication option, you need to configure an Enterprise Identity
Store (LDAP, Oracle Internet Directory, and so forth), and have this identity store
configured for each Oracle Data Integrator component to refer by default to it. The
configuration to connect and use the identity store is contained in an OPSS configuration
file called jps-config.xml file. Refer to the Oracle Fusion Middleware Security Guide,
11g Release 1 (11.1.1) for more information. Copy this file into the
ODI_HOME/client/odi/bin/ directory. The Studio reads the identity store
configuration and authenticates users against the configured identity store.
• Oracle Data Integrator components deployed in a container (Java EE Agent, Oracle
Data Integrator Console) do not require a specific configuration. They use the
configuration of their container. Refer to the Oracle Fusion Middleware Security Guide,
11g Release 1 (11.1.1) for more information about an OPSS configuration in a Java EE
context.
Implementing External Authentication (OPSS) (continued)
Setting the Authentication Mode
• You can set or modify the authentication mode in two ways:
- Creating the Master repository enables you to define the authentication mode.
- Switching the Authentication Mode modifies the authentication mode for an existing
Master repository.
Note: When you perform a password storage recovery, context and data server passwords
are lost and need to be reentered manually in Topology Navigator. If you are using External
Authentication, users and password are externalized. Oracle Data Integrator privileges remain
within the repository. Data servers and context passwords also remain in the Master
repository. You can externalize data server and context passwords by using the External
Password Storage feature.

Implementing External Authentication (OPSS): Switching the Authentication Mode


Switching the authentication mode of the Oracle Data Integrator repository changes the way
users authenticate. This operation must be performed by a Supervisor user. Use the Switch
Authentication Mode wizard to change the user authentication mode. Before launching the
Switch Authentication Mode wizard, perform the following tasks:
1. Disconnect Oracle Data Integrator Studio from the repository. Shut down every
component that uses the Oracle Data Integrator repository. From the ODI main menu,
select Switch Authentication Mode. The Switch Authentication Mode wizard appears.
2. Specify the JDBC connectivity details of your Oracle Data Integrator Master repository
as defined when connecting to the Master repository. Click Next.
3. Click Finish. The Authentication mode is changed.
Note: When switching from an External to Internal authentication, user passwords are not
copied from the identity store to the repository. The passwords are nullified. All the user
accounts are marked as expired and must be reactivated by a SUPERVISOR that is created
during the switch. When switching from Internal to External authentication, the users that exist
in the repository and match a user in the identity store are automatically mapped. Users that
do not match a user in the identity store are disabled. A Supervisor must edit each
nonmatching user so that the user's name has a match in the identity store.

Implementing External Password Storage


There are four ways to set or modify password storage:
• Importing the Master repository enables you to change the
password storage.
• Creating the Master repository enables you to define the
password storage.
• Switching Password Storage modifies storage for an
existing Master repository.
• Recovering the Password Storage enables you to recover
from a credential store crash.

Implementing External Password Storage


Switching the Password Storage:
• Disconnect Oracle Data Integrator Studio from the
repository.
• From the ODI main menu, select Password Storage >
Switch.
• Specify the login details of your Oracle Data Integrator
Master repository.
• Select the Password storage mode (Internal/External).
Implementing External Password Storage (continued)
The login details of your Oracle Data Integrator Master repository are defined when
connecting to the Master repository.
Select the Password storage mode:
- Select Internal Password Storage if you want to store passwords in the Oracle
Data Integrator repository.
- Select External Password Storage if you want to use JPS Credential Store
Framework (CSF) to store the data server and context passwords.

Managing ODI Reports


The next section of this lesson examines the types of reports you can create in ODI.

Types of ODI Reports


With ODI you can create the following reports:
• Topology report
• Version comparison report
• ODI object report
• Execution simulation reports
• Diagram reports
Types of ODI Reports
In Oracle Data Integrator, you can print and share several types of reports with the PDF
generation feature:
• Topology reports of the physical architecture, the logical architecture, or the contexts
• Reports of the version comparison results
• Reports of an ODI object
• Execution simulation reports
• Diagram reports (for diagrams created with Common Format Designer). For more
information about this type of report, refer to Oracle Fusion Middleware Developer’s
Guide for Oracle Data Integrator Release 11g (11.1.1).

Generating Topology Reports


Using Oracle Data Integrator, you can generate Topology reports in PDF format of the
physical architecture, the logical architecture, or the contexts.
To generate a topology report:
1. In the Topology Navigator tab, click the "Connect Navigator" icon. Select Generate
Report and then the type of report you want to generate:
- Physical Architecture
- Logical Architecture
- Contexts
2. In the "Report generation" editor, enter the output PDF file location for your PDF report.
Note that if no PDF file location is specified, the report in Adobe PDF format is generated
in your default directory for PDF generation specified in the user parameters.
3. If you want to view the PDF report after generation, select the "Open file after
generation?" option.
4. Click Generate.

Generated Topology Report: Example


This screen shows an example of the physical architecture of the
ORACLE_ORCL_LOCAL.ORDERS physical schema. The table at the bottom shows each of
the three related logical schemas, in terms of the three available contexts.
