If you are using JPS-based security, you can use either Oracle Internet Directory or JAZN-XML method for authorization. If you are using Portal-based security, the Portal-based authorization is used.
In the case of JPS-based security, an in-process server uses
system-jazn-data.xml as the policy store, by default. Hence, Reports policies are stored in
system-jazn-data.xml under the reports application entry. Users are authorized based on this policy store. For standalone servers, all the policies are stored in the system-jazn-data.xml file and authorization is done against these policies.
Note:The authorization process involves checking whether a particular user is in the ID store used by JPS. If Single Sign-On is used for authentication, Ensure that the same users are configured in the ID store used by JPS. Alternatively, ensure that JPS points to the ID store used by Single Sign-On. Otherwise, authorization does not work.
The following table summarizes the supported authorization methods if Oracle Reports uses JPS-based security.
|Types of Report Server||Oracle Internet Directory||File Based|
If Portal-based security is configured, the following authorization methods are used.
|Types of Report Server||Authorization|
Note:If Oracle Portal is configured to perform authorization, and the report request is launched from within Oracle Portal rather than
rwservlet, Oracle Reports will similarly validate the user's privileges on the report before running it. Even for unauthenticated (
PUBLIC) users viewing public pages, Oracle Reports Services verifies that the
PUBLICuser account has appropriate privileges on the report.
Authorization occurs after a user is authenticated using Single Sign-On or Non-SSO (Oracle Internet Directory-based, File-based in case of JPS-based security, and Embedded ID store) methods. Once the user is authenticated, the report request must go through the authorization process, as shown in Figure 15-4.
The following numbered steps map to the numbers in Figure 15-5:
Reports Server validates the user privileges against the policies defined in the Policy Store.
Reports Server validates the user privileges against the policies defined in Policy Store (JAZN-XML, LDAP, or Portal repository) by the user.
Reports Server checks whether the user has the necessary privileges to run the report on the parameters specified in the Policy Store. If the validation check fails for any reason, then an error condition is returned to the user and the process terminates.
Note:If the user is executing
rwservletWeb commands such as
getserverinfo, instead of executing a report, Reports Server verifies and authorizes the user based on Policy Store settings.
If the user is authorized to execute the report, Reports Server executes the report request and passes the report output to
Reports Server delegates the job to an engine that accesses the data source, retrieves the data, and formats the report.
Report output is passed to Oracle HTTP Server.
Report output is passed to the user.
The completed output is sent to the specified destination. Depending upon the destination, the output may be served back to the browser (as shown in Figure 15-5), sent to a printer, stored in a file for future reference, sent to an FTP server, and so on.
Reports policies are granted to application roles. You must associate all users in your ID store (embedded ID store of Oracle WebLogic Server or an external Oracle Internet Directory) with one of the Reports application roles.
You must add the
oracle.security.jps.enterprise.user.class property in the
In Enterprise Manager, you can complete this task as follows:
Navigate to the WebLogic Domain menu.
Choose Security > Application Roles.
The Application Roles page is displayed. In this page, you can map users to application roles.
Alternatively, you can complete this task by manually editing the
$DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml file. This step is required if you want to use JPS to authorize your users in Oracle Internet Directory.
Search for the "reports" application in the XML file and add a user in the members section. For example, to add a user called
<member> <class>weblogic.security.principal.WLSUserImpl</class> <name>orcladmin</name> </member>
Out-of-the-box, default users, roles, and permissions are already created. As administrator, you can specify the reports to which a particular user has access by defining a security policy for each report. In the security policy, you can also specify the server, destination name (
desname), destination type (
destype), and other parameters. The security policy is checked when the user provides the user name and password.
Refer to Section 7.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies.
For Portal-based security, you can create a security policy in Oracle Portal. For more information, see the "Securing Oracle Portal" in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal.
In certain cases, you will want to give a particular user access to multiple related reports. Rather than specify a security policy for each report, you can collect all the reports in a single directory, then specify a security policy for the directory. Again, the security policy is checked when the user provides the user name and password.
Refer to Section 7.8.3, "Defining Security Policies for Directories" to use Oracle Enterprise Manager to update the directory security policies.
You can also specify the Oracle Reports Servlet (
rwservlet) Web commands to which a particular user/role has access by creating security policies for each Web command. The security policy is checked when the user provides the user name and password.
Refer to Section 7.8.4, "Defining Security Policies for Web Commands" to use Oracle Enterprise Manager to update the Web command security policies.
As administrator, you can specify read/write access for Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime to directories. This feature only checks whether the Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime is authorized to read from or write to a specified directory, and is unrelated to the security policies for users/roles, which check the user name and password.
Refer to Section 7.8.5, "Defining Read/Write Access to Directories" to use Oracle Enterprise Manager to specify the read/write permissions defined in the server configuration file (
rwserver.conf) under the new optional element folderAccess.