1 Introduction to Security in Oracle Business Intelligence

This chapter introduces the Oracle Business Intelligence security model, discusses the tools used to configure security, and provides a detailed roadmap for configuring security in Oracle Business Intelligence.

Note:

For a high-level roadmap for setting up security, see Section 1.1, "High-level Roadmap for Setting Up Security In Oracle Business Intelligence".

This chapter contains the following sections:

  • Section 1.1, "High-level Roadmap for Setting Up Security In Oracle Business Intelligence"

  • Section 1.2, "Overview of Security in Oracle Business Intelligence"

  • Section 1.3, "About Authentication"

  • Section 1.4, "About Authorization"

  • Section 1.5, "About the Users, Groups, and Application Roles Installed Out-Of-The-Box"

  • Section 1.6, "What tools do I use to configure security in Oracle Business Intelligence?"

  • Section 1.7, "Example: Looking at the Installed Users, Groups, and Application Roles"

  • Section 1.8, "Detailed List of Steps for Setting Up Security In Oracle Business Intelligence"

  • Section 1.9, "Comparing the Oracle Business Intelligence 10g and 11g Security Models"

  • Section 1.10, "Terminology"

1.1 High-level Roadmap for Setting Up Security In Oracle Business Intelligence

To set up security in Oracle Business Intelligence, you must do the following:

  1. Read the rest of this chapter 'Introduction to Security in Oracle Business Intelligence' to get an overview of security concepts, tools, and terminology.

  2. Learn about the default set of Users, Groups, and Application Roles that are installed out-of-the-box by reading the summary in Section 2.2, "Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box".

  3. Decide which Authentication Provider to use to authenticate users.

  4. Set up the required Users and Groups.

  5. Set up the required Application Roles.

  6. Map each Group to an appropriate Application Role.

  7. Fine tune the permissions that Users and Groups have in the Oracle BI repository (that is, the RPD file).

  8. Fine tune the permissions that Users and Groups have in the Oracle BI Presentation Catalog.

  9. If required, configure Single Sign-On (SSO).

  10. If required, configure Secure Sockets Layer (SSL).

For a detailed list of setup steps, see Section 1.8, "Detailed List of Steps for Setting Up Security In Oracle Business Intelligence".

1.2 Overview of Security in Oracle Business Intelligence

Oracle Business Intelligence 11g is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Business Intelligence installation makes use of the following types of security providers:

  • An authentication provider that knows how to access information about the users and groups accessible to Oracle Business Intelligence and is responsible for authenticating users.

  • A policy store provider that provides access to Application Roles and Application Policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Business Intelligence.

  • A credential store provider that is responsible for storing and providing access to credentials required by Oracle Business Intelligence.

By default, an Oracle Business Intelligence installation is configured with an authentication provider that uses the Oracle WebLogic Server embedded LDAP server for user and group information. The Oracle Business Intelligence default policy store provider and credential store provider store Credentials, Application Roles and Application Policies in files in the domain.

After installing Oracle Business Intelligence you can reconfigure the domain to use alternative security providers, if desired. For example, you might want to reconfigure your installation to use an Oracle Internet Directory, Oracle Virtual Directory, Microsoft Active Directory, or another LDAP server for authentication. You might also decide to reconfigure your installation to use Oracle Internet Directory, rather than files, to store Credentials, Application Roles, and Application Policies.

1.3 About Authentication

Each Oracle Business Intelligence 11g installation has an associated Oracle WebLogic Server domain. Oracle Business Intelligence delegates user authentication to the first authentication provider configured for that domain.

The default authentication provider accesses user and group information stored in the LDAP server embedded in the Oracle Business Intelligence's Oracle WebLogic Server domain. The Oracle WebLogic Server Administration Console can be used to create and manage users and groups in the embedded LDAP server.

You might choose to configure an authentication provider for an alternative directory. In this case, Oracle WebLogic Server Administration Console enables you to view the users and groups in your directory. However, you need to continue to use the appropriate tools to make any modifications to the directory. For example, if you reconfigure Oracle Business Intelligence to use OID, you can view users and groups in Oracle WebLogic Server Administration Console but you must manage them in OID Console.

For more information about managing users and groups in the embedded LDAP server, see Chapter 2, "Managing Security Using the Default Security Configuration".

For more information about Oracle WebLogic Server domains and authentication providers, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

1.4 About Authorization

After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see only what they are authorized to do and see. Authorization for Oracle Business Intelligence release 11g is controlled by a security policy defined in terms of Application Roles.

1.4.1 About Application Roles

Instead of defining the security policy in terms of users and groups in a directory server, Oracle Business Intelligence uses a role-based access control model. Security is defined in terms of Application Roles that are mapped to directory server groups and users. For example, the Application Roles BIAdministrator, BIConsumer, and BIAuthor are installed out-of-the-box.

Application Roles represent a functional role that a User has, which gives that User the privileges required to perform that role. For example, having the Sales Analyst Application Role might grant a User access to view, edit and create reports on a company's sales pipeline.

This indirection between Application Roles and directory server users and groups allows the administrator for Oracle Business Intelligence to define the Application Roles and policies without creating additional users or groups in the corporate LDAP server. Instead, the administrator defines Application Roles that meet the authorization requirements and maps those roles to pre-existing users and groups in the corporate LDAP server.

In addition, the indirection afforded by Application Roles allows the artifacts of a business intelligence system to be easily moved between development, test and production environments. No change to the security policy is needed and all that is required is to map the Application Roles to the users and groups available in the target environment.

Figure 1-1 shows an example using the default set of Users, Groups, and Application Roles.

Figure 1-1 Example Users, Groups, Application Roles, and Permissions

This diagram is described in surrounding text.

Figure 1-1 shows the following:

  • The Group named 'BIConsumers' contains User1, User2, and User3. Users in the Group 'BIConsumers' are assigned the Application Role 'BIConsumer', which enables the users to view reports.

  • The Group named 'BIAuthors' contains User4 and User5. Users in the Group 'BIAuthors' are assigned the Application Role 'BIAuthor', which enables the users to create reports.

  • The Group named 'BIAdministrators' contains User6 and User7. Users in the Group 'BIAdministrators' are assigned the Application Role 'BIAdministrator', which enables the users to manage responsibilities.

1.4.2 About the Security Policy

In Oracle Business Intelligence release 11g, the security policy definition is split across the following components:

  • Presentation Catalog – This defines the catalog objects and Oracle BI Presentation Services functionality that the Users with specific Application Roles can access. Access to functionality is defined in the Managing Privileges page in terms of Presentation Catalog privileges and access to presentation catalog objects is defined in the Permission dialog.

  • Repository – This defines which Application Roles and users have access to which items of metadata within the repository. The Oracle BI Administration Tool is used to define this security policy.

  • Policy Store – This defines which Oracle BI Server, BI Publisher, and Real Time Decisions functionality can be accessed by given users or users with given Application Roles. In the default Oracle Business Intelligence configuration, the policy store is managed using Oracle Enterprise Manager Fusion Middleware Control. For more information about the policy store, see Oracle Fusion Middleware Security Guide.

To find out about using these components, see Section 1.7, "Example: Looking at the Installed Users, Groups, and Application Roles".
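The Python model below, added here as an illustration and not Oracle code, makes the indirection of Sections 1.4.1 and 1.4.2 concrete: one security policy written only in terms of Application Roles, and two environments (the embedded LDAP Groups for development, a corporate directory with other Group names for production) that differ only in their Group-to-Application-Role mapping. The Group, Application Role, privilege and repository object names are the chapter's; the resolution rules (union of roles reached through Groups, 'Denied' overriding 'Granted' for a catalog privilege, a repository permission of 'Default' inheriting from the parent folder with the most permissive explicit setting winning) are assumptions chosen for the example and are not documented product behaviour.

```python
"""Toy model of the Oracle Business Intelligence 11g authorization indirection:
Users belong to directory Groups, Groups map to Application Roles, and the
security policy (catalog privileges and repository object permissions) is
written only in terms of Application Roles.

Added illustration, not Oracle code. The resolution rules below are
assumptions made for this example, not documented product behaviour.
"""
from dataclasses import dataclass, field

# Assumed ordering of repository permissions, least to most permissive.
PERM_RANK = {"No Access": 0, "Read": 1, "Read/Write": 2}


@dataclass
class SecurityPolicy:
    """Environment-independent part of the model: written against roles only."""
    # privilege name -> {Application Role: 'Granted' | 'Denied'}
    catalog_privileges: dict = field(default_factory=dict)
    # repository object path -> {Application Role: 'Read' | 'Read/Write' | 'No Access' | 'Default'}
    repository_permissions: dict = field(default_factory=dict)


@dataclass
class Environment:
    """Environment-specific part of the model: the directory and the Group-to-role map."""
    user_groups: dict   # user name -> set of Group names
    group_roles: dict   # Group name -> set of Application Role names


def effective_roles(env, user):
    """Union of the Application Roles reachable through the user's Groups (assumption)."""
    roles = set()
    for group in env.user_groups.get(user, ()):
        roles |= env.group_roles.get(group, set())
    return roles


def has_privilege(policy, env, user, privilege):
    """Catalog privilege: Granted by some role and Denied by none (assumption)."""
    settings = policy.catalog_privileges.get(privilege, {})
    decisions = {settings[r] for r in effective_roles(env, user) if r in settings}
    return "Granted" in decisions and "Denied" not in decisions


def repository_permission(policy, env, user, path):
    """Repository object permission; 'Default' walks up to the parent folder (assumption)."""
    roles = effective_roles(env, user)
    node = path
    while node:
        settings = policy.repository_permissions.get(node, {})
        explicit = [settings[r] for r in roles if settings.get(r, "Default") != "Default"]
        if explicit:
            return max(explicit, key=PERM_RANK.__getitem__)
        node = node.rpartition("/")[0]   # move to the parent folder
    return "No Access"                   # nothing explicit anywhere: deny


# One policy, written against roles only (constructed sample data).
POLICY = SecurityPolicy(
    catalog_privileges={
        "Access to Conditions": {"BIAuthor": "Granted", "BIAdministrator": "Granted"},
        "Scorecard\\View Scorecard": {"BIConsumer": "Granted", "BISuperConsumer": "Denied"},
    },
    repository_permissions={
        "Paint": {"BIConsumer": "Read", "BIAuthor": "Read/Write", "BIAdministrator": "Read/Write"},
        "Paint/Markets": {"BIConsumer": "Default", "BIAuthor": "Default", "BIAdministrator": "Default"},
    },
)

# Development: the embedded WebLogic LDAP server with the out-of-the-box Groups.
DEV = Environment(
    user_groups={"User1": {"BIConsumers"}, "User4": {"BIAuthors"}, "User6": {"BIAdministrators"}},
    group_roles={"BIConsumers": {"BIConsumer"}, "BIAuthors": {"BIAuthor"},
                 "BIAdministrators": {"BIAdministrator"}},
)

# Production: a corporate directory with its own pre-existing Groups (constructed names).
# Only the Group-to-role map changes; POLICY is reused unmodified.
PROD = Environment(
    user_groups={"jsmith": {"Sales-Analysts"}, "ajones": {"Report-Viewers"}},
    group_roles={"Sales-Analysts": {"BIAuthor"},
                 "Report-Viewers": {"BIConsumer", "BISuperConsumer"}},
)

if __name__ == "__main__":
    for env_name, env, user in (("DEV", DEV, "User1"), ("PROD", PROD, "jsmith")):
        print(env_name, user, sorted(effective_roles(env, user)),
              has_privilege(POLICY, env, user, "Access to Conditions"),
              repository_permission(POLICY, env, user, "Paint/Markets"))
```

The point to take from the model is that moving from DEV to PROD touched only the Environment object; POLICY is identical in both, which is exactly the portability the chapter attributes to Application Roles.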

1.5 About the Users, Groups, and Application Roles Installed Out-Of-The-Box

When you install Oracle Business Intelligence, you get a number of preconfigured Users, Groups, and Application Roles that you can use to deploy Oracle Business Intelligence (for more information, see Section 2.2, "Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box").

1.6 What tools do I use to configure security in Oracle Business Intelligence?

To configure security in Oracle Business Intelligence, you use the following tools:

Note:

To see an example of using the Oracle Business Intelligence tools to configure the installed Users, Groups, and Application Roles, see Section 2.3, "An Example Security Setup Using the Installed Groups and Application Roles".

The figure below summarizes the tools used to configure security in a default installation of Oracle Business Intelligence using the embedded WebLogic LDAP Server.

Figure 1-2 Summary of Tools for Configuring Security in a Default Installation

This diagram is described in surrounding text.

1.6.1 Oracle WebLogic Server Administration Console

You use Oracle WebLogic Server Administration Console to manage the embedded directory server that is used to authenticate Users and Groups.

The example screen shot below shows the Users and Groups\Users page in Oracle WebLogic Server Administration Console displaying a list of Users in Oracle Business Intelligence.

This screenshot is described in surrounding text.

Note: If you use Oracle Internet Directory as the Authentication Provider instead of the default embedded WebLogic LDAP Server, then you use OID Console to manage Users and Groups.

1.6.2 Oracle Fusion Middleware Control

You use Oracle Fusion Middleware Control to create and manage the Application Roles and Application Policies that control access to Oracle Business Intelligence resources.

The example screen shot below shows the Application Roles page in Oracle Fusion Middleware Control displaying the default Application Roles named BIAdministrator, BIAuthor, and BIConsumer.

This screenshot is described in surrounding text.

1.6.3 Oracle BI Administration Tool

You use the Oracle BI Administration Tool to configure privileges in the metadata repository (that is, the RPD file).

The screenshot below shows the Security Manager dialog, which enables you to manage Users and Application Roles.

This screenshot is described in surrounding text.

1.6.4 Administration Page in Oracle BI Presentation Catalog

You use the Administration Page in Oracle BI Presentation Catalog to configure privileges for Users.

The screenshot below shows the Manage Privileges dialog, which enables you to manage privileges and associated Application Roles.

This screenshot is described in surrounding text.

1.7 Example: Looking at the Installed Users, Groups, and Application Roles

This example takes a closer look at the installed Users, Groups, and Application Roles using the Oracle Business Intelligence tools. Follow the steps in this section to learn how to use the Oracle Business Intelligence tools to configure security options.

1.7.1 About Using Oracle WebLogic Server Administration Console

To display installed objects in Oracle WebLogic Server Administration Console:

  1. Log in to Oracle WebLogic Server Administration Console.

  2. In the Domain Structure tab at the left-hand side, select the Security Realms link.

  3. In the list of Realms, select the realm that you are configuring.

    For example, myrealm.

  4. Use the tabs and options on the Settings for <Realm name> dialog to configure Users and Groups.

    For example, display the Users and Groups tab to edit Users and Groups. In the example screenshot below, you can see the installed Groups named BIAdministrators, BIAuthors, and BIConsumers.

    This screenshot is described in surrounding text.

1.7.2 About using Oracle Enterprise Manager Fusion Middleware Control

To display installed objects in Oracle Enterprise Manager - Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager - Fusion Middleware Control.

  2. From the Home page, select the Business Intelligence link.

  3. Select the coreapplication link.

  4. Display the Security tab.

  5. Select the Configure and Manage Application Roles link.

    In the example screenshot below, you can see the installed Application Roles BIAdministrator, BIAuthor, and BIConsumer.

    This screenshot is described in surrounding text.

1.7.3 About Using Oracle BI Administration Tool

To display installed objects in Oracle BI Administration Tool:

  1. Log in to BI Administration Tool.

    Note: If you log in to BI Administration Tool in online mode, then you can view all users from the WebLogic Server. If you log in to BI Administration Tool in offline mode, then you can only view users that are stored in the catalog.

  2. Choose Manage, then Identity to display the Security Manager dialog.

    In the example screenshot below you can see the installed Application Roles BIAdministrator, BIAuthor, and BIConsumer.

    This screenshot is described in surrounding text.

    If you double-click the Application Role named 'Sales Admin' to display the Application Role <Name> dialog, then click Permissions, you can use the Object Permissions tab to set Read and Write permissions for that Application Role on objects and folders in the catalog.

    This screenshot is described in surrounding text.

  3. Close Security Manager.

  4. In the Presentation pane, expand the Paint folder, then right-click Markets to display the Presentation Table <Table name> dialog.

  5. Click Permissions to display the Permissions <Table name> dialog.

    In the example screenshot below, you can see the installed Application Roles BIAdministrator, BIAuthor, and BIConsumer, and the radio buttons Read, Read/Write, No Access, and Default that are used to set the permissions for the Application Roles.

    This screenshot is described in surrounding text.

1.7.4 About Using Administration Page in Oracle BI Presentation Catalog

To display installed objects in Administration Page in Oracle BI Presentation Catalog:

  1. Log in to BI EE with Administrator privileges.

  2. Select the Administration link to display the Administration page.

  3. Select the Manage Privileges link.

    In the example screenshot below, you can see the installed Application Roles BIAdministrator, BIAuthor, and BIConsumer listed against each of the privileges that they have been assigned.

    This screenshot is described in surrounding text.

  4. Select the BIAuthor link in the 'Access to Conditions' row, to display the Privilege <Privilege name> dialog.

    This screenshot is described in surrounding text.

  5. Click the Add users/roles icon (+) to display the Add Application Roles, Catalog Groups, and Users dialog.

    In the example screenshot below you can see the installed Application Roles BIAdministrator, BIAuthor, and BIConsumer, which can be assigned to this privilege.

    This screenshot is described in surrounding text.

1.8 Detailed List of Steps for Setting Up Security In Oracle Business Intelligence

This section explains how to set up security in a new installation of Oracle Business Intelligence. Some tasks are mandatory, some are optional, and some are conditionally required depending on the configuration choices that you make. You might also refer to this section if you are maintaining an existing installation of Oracle Business Intelligence.

After you have installed Oracle Business Intelligence, you typically evaluate the product using the preconfigured Users, Groups, and Application Roles that are installed by default. Later, you typically create and develop your own Users, Groups, and Application Roles iteratively to meet your business requirements.

After you have installed Oracle Business Intelligence, Oracle recommends that you complete these tasks in the order listed below.

  1. Read this chapter 'Introduction to Security in Oracle Business Intelligence' to get an overview of security concepts, tools, and terminology. In particular, you should familiarize yourself with the Oracle Business Intelligence components and tools for configuring security by reading Section 1.6, "What tools do I use to configure security in Oracle Business Intelligence?".

  2. Learn about the default set of Users, Groups, and Application Roles that are installed out-of-the-box by reading the summary in Section 2.2, "Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box".

  3. Decide which Authentication Provider to use to authenticate users, as follows:

    • If you want to use the default embedded WebLogic LDAP Server, then follow the tasks listed in Step 3 below.

    • If you want to reconfigure Oracle Business Intelligence to use a commercial authentication provider such as Oracle Internet Directory, then follow the tasks listed in Step 4 below.

      Tip:

      Oracle does not recommend using WebLogic Embedded LDAP Server in an environment with more than 1000 users. If you require a production environment with high-availability and scalability, then you should use a commercial directory server such as Oracle Internet Directory (OID) or a third-party directory server.

      For information about where to find the full list of supported Authentication Providers, see "System Requirements and Certification".

  4. (Embedded WebLogic LDAP Server-specific) If you are using the default embedded WebLogic LDAP Server as the Authentication Provider, do the following:

    Tip:

    The simplest way to set up security is to create Users and map them to the default Groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed out-of-the-box. For detailed steps, see Section 2.4.1.1, "How to map a User to a Default Group".

    If you want to build a more complex security model using your own Groups, create new Groups and/or new Application Roles, then map your Users to the new Groups. For detailed steps, see Section 2.4.1.2, "How to create Your Own Groups and Application Roles".

    1. Set up the Users that you want to deploy as described in Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server".

      For example, if you want to deploy business intelligence to 20 report consumers, you might create 20 Users.

    2. If you want to map Users to the default Groups that are installed out-of-the-box, (that is, BIConsumers, BIAuthors, and BIAdministrators), then follow the steps in Section 2.4.1.1, "How to map a User to a Default Group".

      For example, you might map a set of Users to the Group named BIConsumers, a set of Users to the Group named BIAuthors, and a set of Users to the Group named BIAdministrators.

    3. If you want to create new Groups, set up the Groups that you want to use as described in Section 2.4.4, "How to create a Group in the Embedded WebLogic LDAP Server".

      For example, you might use the preconfigured Group named BIConsumers, or you might create your own Group with similar privileges.

    4. Assign your Users to appropriate Groups, as described in Section 2.4.5, "How to add a User to a Group in the Embedded WebLogic LDAP Server".

      For example, you might assign Users to the preconfigured Group named BIConsumers, or you might assign Users to a new Group that you have created.

  5. (Oracle Internet Directory (OID) specific) If you are using OID as the Authentication Provider, do the following:

    1. Configure OID as the Authentication Provider as described in Section 3.2.1, "How to Configure Oracle Internet Directory as an Authentication Store Provider".

    2. (Optional) Configure OID as the Credential Store and Policy Store Provider as described in Section 3.3, "Configuring an Alternative Policy Store and Credentials Store".

    3. Use your Authentication Provider tools (for example, OID Console) to create your Users and Groups as required.

  6. Set up the Application Roles that you want to deploy as described in Section 2.5.2, "Creating Application Roles Using Fusion Middleware Control".

    For example, you might use the default Application Roles named BIConsumer, BIAuthor, and BIAdministrator, or you might create your own Application Roles.

  7. (Optional) If you do not want to use the preconfigured Application Policies, set up the Application Policies that you want to deploy as described in Section 2.5.3, "Creating Application Policies Using Fusion Middleware Control".

    For example, you might use the preconfigured Application Policies that are used by the preconfigured Application Roles named BIConsumer, BIAuthor, and BIAdministrator, or you might create your own Application Policies.

  8. Map each Group to an appropriate Application Role, as follows:

    • If you are using the default Groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed with the default embedded WebLogic LDAP Server, then these Groups are mapped to an appropriate Application Role (that is, BIConsumer, BIAuthor, or BIAdministrator). No additional steps are required to map the default Groups to Application Roles.

      If you have created new Groups, you must map the new Groups to appropriate Application Roles as described in Section 2.5.2.3, "How to map a Group to an Application Role".

    • If you are using a commercial Authentication Provider such as Oracle Internet Directory, then you must map the Groups to appropriate Application Roles as described in Section 2.5.2.3, "How to map a Group to an Application Role".

  9. If you want to fine tune the permissions that Users and Groups have in the Oracle BI repository (that is, the RPD file), use Oracle BI Administration Tool to update the permissions as described in Section 2.6, "Managing Metadata Repository Privileges".

    For example, you might want to enable an Application Role called BISuperConsumer to create reports, so you use BI Administration Tool to change the 'Read' access to a subject area to 'Read/Write' access.

  10. If you want to fine tune the permissions that Users and Groups have in the Oracle BI Presentation Catalog, use the Administration Page in Oracle BI Presentation Catalog to update the permissions as described in Section 2.7, "Managing Oracle BI Presentation Catalog Privileges Using Application Roles".

    For example, you might want to prevent an Application Role called BISuperConsumer from viewing scorecards, so you use Administration Page in Presentation Catalog to change the Scorecard\View Scorecard privileges for BISuperConsumer from 'Granted' to 'Denied'.

  11. If you want to deploy Single Sign-On, follow the steps in Chapter 4, "Enabling SSO Authentication".

    Note: If you do not want to deploy Oracle Business Intelligence in an SSO environment, then no additional configuration steps are required to deploy the default configuration.

  12. If you want to deploy secure sockets layer (SSL), follow the steps in Chapter 5, "SSL Configuration in Oracle Business Intelligence".

    Oracle Business Intelligence is installed with SSL turned off.

    Note: If you do not want to deploy Oracle Business Intelligence in an SSL environment, then no additional configuration steps are required to deploy the default configuration.

1.9 Comparing the Oracle Business Intelligence 10g and 11g Security Models

The release 10g and release 11g security models differ in the following ways:

  • Defining users and groups - In Oracle Business Intelligence release 10g users and groups could be defined within a repository file using Oracle BI Administration Tool. In Oracle Business Intelligence release 11g users and groups can no longer be defined within a repository. The Oracle Business Intelligence Enterprise Edition Upgrade Assistant migrates users and groups from a release 10g repository into the embedded LDAP server in a release 11g installation.

  • Defining security policies – In Oracle Business Intelligence release 10g security policies in the web catalog and repository could be defined to reference groups within a directory. In Oracle Business Intelligence release 11g a level of indirection is introduced whereby security policies are defined in terms of Application Roles, which in turn are mapped to users and groups in a directory. This indirection allows an Oracle Business Intelligence release 11g system to be deployed without changes to the corporate directory and eases movement of artifacts between development, test and production environments.

  • Use of the Administrator user – In an Oracle Business Intelligence release 10g installation, a special user named Administrator has full administrative permissions and is also used to establish trust between processes within that installation. In Oracle Business Intelligence release 11g there is no special significance to the name Administrator and there can be one or more users who are authorized to undertake different sets of administrative functions. In Oracle Business Intelligence release 11g the identity used to establish trust between processes in an installation is configurable and independent.

  • Repository encryption – In Oracle Business Intelligence release 10g certain sensitive elements within a repository are encrypted. In Oracle Business Intelligence release 11g the entire repository is encrypted using a key derived from a user-supplied password.

    Caution:

    A release 11g repository can only be opened with the password. There is no mechanism for recovering a lost password.
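The Python sketch below, added as an illustration and not Oracle's repository format or cipher, shows what "a key derived from a user supplied password" means in practice and why the caution above holds: the encrypted file stores only a random salt, a nonce, the ciphertext and an integrity tag, so nothing on disk allows the key to be reconstructed without the password. PBKDF2-HMAC-SHA256 for key derivation, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC layout are stand-ins chosen so the example runs with the Python standard library alone; the iteration count and the salt and nonce lengths are assumed values.

```python
"""Illustration of a repository encrypted under a password-derived key.

Added example, not Oracle's RPD format or cipher. The on-disk layout is
    salt (16 bytes) | nonce (16 bytes) | ciphertext | HMAC-SHA256 tag (32 bytes)
The only secret-dependent material stored is the tag, which is a one-way
function of the derived key; there is no escrow copy of the key and
therefore no way to open the file once the password is lost.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed value; raise it for production-grade stretching
SALT_LEN = 16          # assumed value
NONCE_LEN = 16         # assumed value
TAG_LEN = 32           # HMAC-SHA256 digest size


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into 64 bytes and split into an encryption and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=64)
    return master[:32], master[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_repository(plaintext: bytes, password: str) -> bytes:
    """Encrypt the whole repository image; fresh salt and nonce per call."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = salt + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
    return header + body + tag


def open_repository(blob: bytes, password: str) -> bytes:
    """Return the plaintext, or raise ValueError if the password is wrong or the file was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("not an encrypted repository")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("wrong password or corrupted repository")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))


def opens_with(blob: bytes, password: str) -> bool:
    """True if the repository can be opened with this password."""
    try:
        open_repository(blob, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = encrypt_repository(b"subject area: Paint", "correct horse")   # constructed sample
    print(open_repository(blob, "correct horse"))
    print("wrong password opens it:", opens_with(blob, "wrong"))
```

Two design points carry over to any password-protected artifact: the salt is stored in the clear, so it must be generated fresh per file rather than fixed, and the integrity tag is checked before any decrypted byte is used, so a wrong password and a tampered file are indistinguishable to the caller and neither yields partial plaintext.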

The following aspects of the Oracle Business Intelligence release 10g security model remain in release 11g:

  • Oracle BI Server Initialization Blocks – Oracle BI Server in release 11g continues to support the use of initialization blocks for authentication and authorization. In release 10g Oracle BI Server falls back to use initialization blocks if a matching user cannot be found in the repository. In release 11g Oracle Business Intelligence falls back to use initialization blocks if the user cannot be authenticated by the installation's configured authentication provider.

  • Presentation Catalog Groups – Oracle Business Intelligence release 11g continues to support the definition of catalog groups within the Presentation Catalog. These groups are only visible within Oracle BI Presentation Services. Oracle recommends that Oracle BI Presentation Catalog groups be used for backward compatibility only and that Application Roles be used instead for new installations.

  • SA System Subject Area – Oracle Business Intelligence release 11g supports the use of SA System Subject Area, in combination with Oracle BI Server initialization blocks, to access user, group and profile information stored in database tables.

For more information, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.

1.10 Terminology

The following terms are used throughout this guide:

Application Policy

Oracle Business Intelligence permissions are granted by its Application Roles. In the default security configuration, each role conveys a predefined set of permissions. An Application Policy is a collection of Java EE and JAAS policies that are applicable to a specific application. The Application Policy is the mechanism that defines the permissions each Application Role grants. Permission grants are managed in the Application Policy corresponding to an Application Role.

Application Role

Represents a role a user has when using Oracle Business Intelligence. Is also the container used by Oracle Business Intelligence to grant permissions to members of a role. Application roles are managed in the policy store provider.

Authentication

The process of verifying identity by confirming the credentials presented during logon.

Authentication Provider

A security provider that is used to access user and group information and is responsible for authenticating users. The default Oracle Business Intelligence authentication provider is the Oracle WebLogic Server embedded directory server and is named DefaultAuthenticator.

Authorization

The process of granting an authenticated user access to a resource in accordance with their assigned privileges.

Catalog Groups

A catalog group is defined locally in Oracle BI Presentation Services and is used to grant privileges in the Oracle Business Intelligence user interface in addition to granting Oracle BI Presentation Catalog permissions.

Credential Store

An Oracle Business Intelligence credential store is a file used to securely store system credentials used by the software components. This file is automatically replicated across all machines in the installation.

Credential Store Provider

The credential store is used to securely store and manage the credentials that are used internally between Oracle Business Intelligence components. For example, SSL certificates are stored here.

Encryption

A process that enables confidential communication by converting plaintext information (data) to unreadable text which can be read only with the use of a key. Secure Sockets Layer (SSL) enables secure communication over TCP/IP networks, such as web applications communicating through the Internet.

Globally Unique Identifier (GUID)

A GUID is typically a 32-character hexadecimal string that is system-generated to form a unique identifier for an object. In Oracle Business Intelligence a GUID is used to refer to individual users and groups.

Impersonation

Impersonation is a feature used by Oracle Business Intelligence components to establish a session on behalf of a user without employing the user's password. For example, impersonation is used when Oracle BI Scheduler executes an Agent.

Oracle WebLogic Server Domain

A logically related group of Oracle WebLogic Server resources that includes an instance known as the Administration Server. Domain resources are configured and managed in the Oracle WebLogic Server Administration Console. During installation an Oracle WebLogic Server domain is created and Oracle Business Intelligence is installed into that domain. For more information, see Section B.2.2, "Oracle WebLogic Server Domain".

Identity Store

An identity store contains user name, password, and group membership information. In Oracle Business Intelligence, the identity store is typically a directory server and is what an authentication provider accesses during the authentication process. For example, when a user name and password combination is entered at log in, the authentication provider searches the identity store to verify the credentials provided. Oracle Business Intelligence can be reconfigured to use alternative identity stores. For a complete list, see System Requirements and Supported Platforms for Oracle Fusion Middleware 11gR1. For more information, see System Requirements and Certification.

Policy Store Provider

The policy store is the repository of system and application-specific policies. It holds the mapping definitions between the default Oracle Business Intelligence Application Roles, permissions, users and groups all configured as part of installation. Oracle Business Intelligence permissions are granted by mapping users and groups from the identity store to Application Roles and permission grants located in the policy store.

Policy Store

Contains the definition of Application Roles, Application Policies, and the members mapped (users, groups, and application roles) to Application Roles. The default policy store is a file that is automatically replicated across all machines in an Oracle Business Intelligence installation. A policy store can be file-based or LDAP-based.

Presentation Catalog Permissions

These rights grant Presentation Services object-level access. They are stored in the Presentation Catalog and managed by Oracle BI Presentation Server.

Presentation Catalog Privileges

These rights grant access to Presentation Catalog features. They are stored in the Presentation Catalog and managed by Oracle BI Presentation Server. These privileges are either granted or denied.

Secure Sockets Layer (SSL)

Provides secure communication links. Depending upon the options selected, SSL might provide a combination of encryption, authentication, and repudiation. For HTTP-based links the secured protocol is known as HTTPS.

Security Policy

The security policy defines the collective group of access rights to Oracle Business Intelligence resources that an individual user or a particular Application Role has been granted. Where the access rights are controlled is determined by which Oracle Business Intelligence component is responsible for managing the resource being requested. A user's security policy is the combination of permission and privilege grants governed by the following elements:

  • Presentation Catalog: defines which catalog objects and Oracle BI Presentation Services functionality can be accessed by users. Access to this functionality is managed in the Oracle Business Intelligence user interface. These permissions and privileges can be granted to individual users or by membership in corresponding Application Roles.

  • Repository File: defines access to the specified metadata within the repository file. Access to this functionality is managed in the Oracle BI Administration Tool. These permissions and privileges can be granted to individual users or by membership in corresponding Application Roles.

  • Policy Store: defines which Oracle Business Intelligence, Oracle BI Publisher, and Real Time Decisions functionality can be accessed. Access to this functionality is managed in Oracle Enterprise Manager Fusion Middleware Control. These permissions and privileges can be granted to individual users or by membership in corresponding Application Roles.
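The Policy Store and Security Policy entries above describe grants flowing from identity-store membership (users and groups) through Application Roles, which may themselves be members of other Application Roles, to permissions. The following added example, which is illustration code and not Oracle's implementation, models that resolution: it computes a user's effective Application Roles by closing direct grants over role-in-role membership and then unions the permissions of every held role. All user, group, role and permission names in it are constructed for the example; the permission strings are placeholders, not Oracle's real permission identifiers.

```python
"""Added illustration of how an identity store and a policy store combine into a
user's effective Application Roles and permissions. Example code, not Oracle's
implementation; every user, group, role and permission name is constructed."""

# Constructed identity store: user name -> LDAP groups the user belongs to.
IDENTITY_STORE = {
    "alice": {"BIAuthors"},
    "bob": {"BIConsumers"},
    "carol": {"BIAdministrators"},
}

# Constructed policy store: each Application Role lists its members (users,
# groups and other Application Roles) and the permissions granted to the role.
# Listing BIAuthor as a member of BIConsumer means anyone who holds BIAuthor
# also holds BIConsumer; that is how a role hierarchy is expressed as membership.
POLICY_STORE = {
    "BIConsumer": {
        "members": {"users": set(), "groups": {"BIConsumers"}, "roles": {"BIAuthor"}},
        "permissions": {"example.query"},  # placeholder permission name
    },
    "BIAuthor": {
        "members": {"users": set(), "groups": {"BIAuthors"}, "roles": {"BIAdministrator"}},
        "permissions": {"example.author"},
    },
    "BIAdministrator": {
        "members": {"users": set(), "groups": {"BIAdministrators"}, "roles": set()},
        "permissions": {"example.manageRepositories"},
    },
}


def direct_roles(user):
    """Roles granted to the user directly or to one of the user's groups."""
    groups = IDENTITY_STORE.get(user, set())
    return {
        role for role, entry in POLICY_STORE.items()
        if user in entry["members"]["users"] or groups & entry["members"]["groups"]
    }


def effective_roles(user):
    """Close the direct grants over role-in-role membership (nested roles)."""
    held = set(direct_roles(user))
    changed = True
    while changed:  # iterate to a fixed point; handles chains of any depth
        changed = False
        for role, entry in POLICY_STORE.items():
            if role not in held and held & entry["members"]["roles"]:
                held.add(role)
                changed = True
    return held


def effective_permissions(user):
    """Union of the permissions of every Application Role the user holds."""
    perms = set()
    for role in effective_roles(user):
        perms |= POLICY_STORE[role]["permissions"]
    return perms


def has_permission(user, permission):
    """True if any of the user's effective roles carries the permission."""
    return permission in effective_permissions(user)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(effective_roles(user)), sorted(effective_permissions(user)))
```

Running the block shows that `carol`, whose only group is `BIAdministrators`, ends up holding all three roles and all three permissions through the nesting, while a user absent from the identity store (`mallory`) resolves to no roles at all. The fixed-point loop terminates even if the policy store contained a membership cycle, because the set of held roles only ever grows.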

Security Realm

During installation an Oracle WebLogic Server domain is created and Oracle Business Intelligence is installed into that domain. Security for an Oracle WebLogic Server domain is managed in its security realm. A security realm acts as a scoping mechanism. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. Only one security realm can be active for the domain. Oracle Business Intelligence authentication is performed by the authentication provider configured for the default security realm for the WebLogic Server domain in which it is installed. Oracle WebLogic Server Administration Console is the administration tool for managing an Oracle WebLogic Server domain.

Single Sign-On

A method of authentication that enables a user to authenticate once and gain access to multiple software applications during a single browser session.

Users and Groups

A user is an entity that can be authenticated. A user can be a person, such as an application user, or a software entity, such as a client application. Every user is given a unique identifier within the identity store.

Groups are organized collections of users that have something in common. A group is a static identifier that is assigned by a system administrator. Users organized into groups facilitate efficient security management. There are two types of groups: an LDAP group and a catalog group. A catalog group is used to support the existing user base in Presentation Services to grant privileges in the Oracle Business Intelligence user interface. Using catalog groups is not considered a best practice and is available for backward compatibility in upgraded systems.