OBIEE Security: Repositories and RPD File Security
The OBIEE repository database, known as a RPD file because of its file extension, defines the entire OBIEE application. It contains all the metadata, security rules, database connection information and SQL used by an OBIEE application. The RPD file is password protected and the whole file is encrypted. Only the Oracle BI Administration tool can create or open RPD files and BI Administration tool runs only on Windows. To deploy an OBIEE application, the RPD file must be uploaded to Oracle Enterprise Manager. After uploading the RPD, the PRD password then must be entered into Enterprise Manager.
From a security assessment perspective, who has physical access to the RPD file and the RPD password is critical. If multiple OBIEE applications are being used, the RPD passwords should all be different. It is also recommended that the RDP password be rotated per whatever policy governs critical database accounts and that production RPD passwords be different than non-production RPD passwords.
Once deployed through WebLogic, RPD file (version 11g) is located here:
Figure 1 Repository (RDP) File Define OBIEE Solutions
Figure 2 Windows based OBIEE BI Admin Tool
If you have questions, please contact us at firstname.lastname@example.org
-Michael Miller, CISSP-ISSMP