Skip Headers
Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)

Part Number E10543-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Managing Security Using the Default Security Configuration

This chapter explains how to deploy Oracle Business Intelligence using the default embedded WebLogic LDAP Server.

Note:

For a detailed list of security setup steps, see Section 1.7, "Detailed List of Steps for Setting Up Security In Oracle Business Intelligence".

By deploying the default embedded WebLogic LDAP Server, you can use the preconfigured users, groups, and application roles. You can also develop your own users, groups, and application roles.

This chapter contains the following sections:

You can migrate users (with their encrypted passwords), and groups from the default embedded WebLogic LDAP server into an alternative authentication provider (for example, OID, external tables, or another LDAP directory). For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

2.1 Working with the Default Users, Groups, and Application Roles

When you install Oracle Business Intelligence, there are a number of preconfigured users, groups, and application roles that you can use to deploy Oracle Business Intelligence. For example, there is a user that is assigned to a BIAdministrators group (with a name that is user-specified at installation time, for example WebLogic), a group named BIAdministrators, and an associated application role named BIAdministrator. The default installed users, groups, and application roles are preconfigured to work together. For example, the installed BIConsumers group is assigned to the BIConsumer application role. For a detailed description of the default security configuration, refer to Appendix B, "Understanding the Default Security Configuration".

Caution:

Oracle recommends that you do not modify the default users, groups, or application roles, unless explicitly advised to do so by Oracle Support. Oracle recommends that you only modify copies that you have made of the installed groups and application roles.

The installed application roles are preconfigured with appropriate permissions and privileges to enable them to work with the installed Oracle BI Presentation Catalog, BI Repository, and Policy Store. For example, the application role named BIAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.

Figure 2-1 shows application roles, groups and users that are preconfigured during installation.

Figure 2-1 Preconfigured Application Roles, Groups, and Users

This screenshot is described in surrounding text.

The following groups are available:

The user that is specified at installation time (for example, Weblogic), is automatically assigned to the WebLogic Administrators group named BIAdministrators and to the associated application role named BIAdministrator. The user has permissions to log in to the Oracle Business Intelligence tools to create and administer other users.

Note:

Groups are organized hierarchically, and inherit privileges from parent groups. In other words, the BIAdministrators group automatically inherits privileges from the BIAuthors and BIConsumers groups. Oracle recommends that you do not change this hierarchy.

You can use the installed groups and application roles to deploy security, and if required you can develop your own groups and application roles to meet your business needs. For example:

For detailed information about the installed users, groups, and application roles, see Appendix B, "Understanding the Default Security Configuration."

2.2 An Example Security Setup Using the Default Groups and Application Roles

This example uses a small set of users, groups, and application roles to illustrate how you set up a security policy using the default groups and application roles. In this example, you want to implement the following:

Figure 2-2 shows the users, groups, and application roles that you would deploy to implement this security model.

Figure 2-2 Example Users, Groups, and Application Roles

This diagram is described in surrounding text.

Figure 2-2 shows the following:

To implement this example security model:

  1. Create seven users named User1 to User 7, as described in Section 2.3.2, "Creating a New User in the Embedded WebLogic LDAP Server".

  2. Assign the users to the installed and preconfigured groups, as follows:

    • Assign User1, User2, and User3 to the preconfigured group named BIConsumers.

    • Assign User4 and User5 to the preconfigured group named BIAuthors.

    • Assign User6 and User7 to the preconfigured group named BIAdministrators.

    For more information, see Section 2.3.4, "Assigning a User to a Group in the Embedded WebLogic LDAP Server".

2.3 Managing Users and Groups in the Embedded WebLogic LDAP Server

This section explains how to manage users and groups in the Embedded WebLogic LDAP Server, and contains the following topics:

2.3.1 Setting Up Users, Groups, and Application Roles

This section summarizes recommended approaches for setting up users, groups, and application roles.

  • The simplest way to set up security is to create users and assign them to the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators).

    For example, you might create a user called Fred and assign Fred to the default group named BIAuthors. The BIAuthors group is preconfigured with the privileges it requires to access the other Oracle BI components, such as the Oracle BI repository and Oracle BI Presentation Catalog.

    For detailed steps, see Section 2.3.1.1, "Assigning a User to a Default Group".

  • If the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators) do not meet your business requirements, you can extend the default security model by creating your own groups and application roles.

    For example, you might want to create a user called Jim and assign Jim to a new group called BIMarketingGroup that is assigned to a new application role named BIMarketingRole.

    For detailed steps, see Section 2.3.1.2, "Assigning a User to a New Group and a New Application Role".

2.3.1.1 Assigning a User to a Default Group

To create a new user and assign that user to a default group:

  1. Launch WebLogic Administration Console as described in Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. Create a new user as described in Section 2.3.2, "Creating a New User in the Embedded WebLogic LDAP Server".

  3. Assign the new user to one of the installed groups (that is, BIConsumers, BIAuthors, or BIAdministrators) as described in Section 2.3.4, "Assigning a User to a Group in the Embedded WebLogic LDAP Server".

2.3.1.2 Assigning a User to a New Group and a New Application Role

To create a new user and assign the user to a new group and a new application role:

  1. Launch WebLogic Administration Console as described in Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. Create a new user as described in Section 2.3.2, "Creating a New User in the Embedded WebLogic LDAP Server".

  3. Create a new group as described in Section 2.3.3, "Creating a Group in the Embedded WebLogic LDAP Server".

  4. Assign the new user to the new group as described in Section 2.3.4, "Assigning a User to a Group in the Embedded WebLogic LDAP Server".

  5. Create a new application role and assign it to the new group as described in Section 2.4.2.2, "Creating an Application Role".

    If you simply want to assign a group to an application role, follow the steps in Section 2.4.2.3, "Assigning a Group to an Application Role".

  6. Edit the Oracle BI repository and set up the privileges for the new application role as described in Section 2.5.2, "Setting Repository Privileges for an Application Role".

  7. Edit the Oracle BI Presentation Catalog and set up the privileges for the new user and group as described in Section 2.6.3, "Setting Presentation Services Privileges for Application Roles".

2.3.2 Creating a New User in the Embedded WebLogic LDAP Server

You typically create a separate user for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, 3 report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 users, which you would then assign to appropriate groups (for example, you might use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators).

Tip:

For an example security model showing a set of users, groups, and application roles, see Section 2.2, "An Example Security Setup Using the Default Groups and Application Roles".

Repeat this task for each user that you want to deploy.

A new user who logs in without being assigned to any groups, is given a basic level of operational permissions conferred by the BIConsumer application role, through association with the Authenticated User application role. For more information, see Appendix B, "Default Security Configuration".

To create a new user in the embedded WebLogic LDAP server:

  1. Log in to the Oracle WebLogic Server Administration Console.

    For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Users. Click New.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_usertab.gif

  4. In the Create a New User page provide the following information:

    • Name: Enter the name of the user. See the online help for a list of invalid characters.

    • (Optional) Description: Enter a description.

    • Provider: Select the authentication provider from the list that corresponds to the identity store where the user information is contained. DefaultAuthenticator is the name for the default authentication provider.

    • Password: Enter a password for the user that is at least 8 characters long.

    • Confirm Password: Re-enter the user password.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration wls_newuser.gif

  5. Click OK.

    The user name is added to the User table.

2.3.3 Creating a Group in the Embedded WebLogic LDAP Server

You typically create a separate group for each functional type of business user in your Oracle Business Intelligence environment. For example, a typical deployment might require three groups: BIConsumers, BIAuthors, and BIAdministrators. In this case, you could either use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators that are installed with Oracle Business Intelligence, or you might create your own custom groups.

Tip:

For an example security model showing a set of users, groups, and application roles, see Section 2.2, "An Example Security Setup Using the Default Groups and Application Roles".

Repeat this task for each group that you want to deploy

To create a group in the embedded WebLogic LDAP server:

  1. Launch Oracle WebLogic Server Administration Console.

    For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Groups. Click New

  4. In the Create a New Group page provide the following information:

    • Name: Enter the name of the group. Group names are case insensitive but must be unique. See the online help for a list of invalid characters.

    • (Optional) Description: Enter a description.

    • Provider: Select the authentication provider from the list that corresponds to the identity store where the group information is contained. DefaultAuthenticator is the name for the default authentication provider.

  5. Click OK

    The group name is added to the Group table.

2.3.4 Assigning a User to a Group in the Embedded WebLogic LDAP Server

You typically assign each user to an appropriate group. For example, a typical deployment might require user IDs created for report consumers to be assigned to a group named BIConsumers. In this case, you could either assign the users to the default group named BIConsumers, or you could assign the users to your own custom group that you have created.

Tip:

For an example security model showing a set of users, groups, and application roles, see Section 2.2, "An Example Security Setup Using the Default Groups and Application Roles".

Repeat this task to assign each user to an appropriate group.

To add a user to a group in the embedded WebLogic LDAP server:

  1. Launch Oracle WebLogic Server Administration Console.

    For more information, see Section 1.6.1, "Using Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Users.

  4. In the Users table select the user you want to add to a group.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_usertogroup.gif

  5. Select the Groups tab.

  6. Select a group or groups from the Available list box.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_group.gif

  7. Click Save.

2.3.5 (Optional) Changing a User Password in the Embedded WebLogic LDAP Server

Perform this optional task if you want to change the default password for a user.

To change a user password in the embedded WebLogic LDAP server:

  1. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  2. Select Users and Groups tab, then Users

  3. In the Users table select the user you want to change the password for. The user's Settings page displays.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_settings.gif

  4. Select the Passwords tab and enter the password in the New Password and Confirm Password fields.

  5. Click Save.

    Note:

    If you change the password of the system user, you also need to change it in the credential store.

2.4 Managing Application Roles and Application Policies Using Fusion Middleware Control

In Oracle Business Intelligence, you use Fusion Middleware Control to manage application roles and application policies that provide permissions for users and groups. For detailed information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

Tip:

If you are using the default groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed with the default embedded WebLogic LDAP Server, then these groups are assigned to an appropriate application role (that is, BIConsumer, BIAuthor, or BIAdministrator). No additional steps are required to assign the default groups to application roles.

The simplest way to set up security is to assign your groups to the default application roles, (that is, BIConsumer, BIAuthor, and BIAdministrator). Each default group is preconfigured to use the appropriate default application role. For example, the default group named BIAuthors is assigned to the default application role named BIAuthor. In other words, any users that you add to the default group named BIAuthors automatically have the privileges required to create reports and perform related duties.

If you want to create a more complex or fine grained security model, you might create your own application roles and application policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new application role called BIAuthorMarketing, and provide it with appropriate privileges.

Caution:

If you are deploying the default Policy Store, then Oracle recommends that you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default location is MW_HOME/user_projects/domain/<your_domain>/config/fmwconfig.

To set up the application roles that you want to deploy, do the following:

2.4.1 Displaying Application Policies and Application Roles Using Fusion Middleware Control

This section explains how to use Fusion Middleware Control to access the pages that manage application roles and application policies.

To display application policies and application roles using Fusion Middleware Control:

This method explains how to display application policies or Application Roles for Oracle Business Intelligence

  1. Log in to Fusion Middleware Control.

    For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

  2. From the navigation pane expand the Business Intelligence folder and select coreapplication.

  3. Choose one of the following options:

    • Right-click coreapplication and choose Security from the menu, then choose Application Policies or Application Roles.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration coreapp_security_navigation.gif

    • Alternatively from the content pane, click Business Intelligence Instance to display a menu, then choose Security, and Application Policies or Application Roles.

      Other Fusion Middleware Control Security menu options are not available from these menus.

  4. (Optional) An alternative option to Steps 2 and 3 is to expand the WebLogic Domain folder, select bifoundation_domain and right-click (or click the WebLogic Domain menu).

    A Security menu displays with appropriate menu options.

    Other Fusion Middleware Control menu options are available from this menu.

  5. Choose Application Policies or Application Roles to display either the Application Policies page or the Application Roles page.

    • If the obi application stripe is displayed by default

      Oracle Business Intelligence policies or roles will be displayed.

    • If the obi application stripe is not displayed by default

      You must search using the obi application stripe to display Oracle Business Intelligence policies or roles.

    Figure 2-3 shows the Application Policies page and the default Oracle Business Intelligence application policies.

    Figure 2-3 Application Policies Page

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-3 Application Policies Page"

    Figure 2-4 shows the Application Roles page with default Oracle Business Intelligence application roles.

    Figure 2-4 Application Roles Page

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-4 Application Roles Page"

2.4.2 Creating Application Roles Using Fusion Middleware Control

This section explains how to create and manage application roles using Oracle Fusion Middleware Control, and contains the following topics:

2.4.2.1 Overview

In a new Oracle Business Intelligence deployment, you typically create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment might require three application roles: BIConsumer, BIAuthor, and BIAdministrator. In this case, you could either use the preconfigured application roles named BIConsumer, BIAuthor, and BIAdministrator that are installed with Oracle Business Intelligence, or you could create your own custom application roles. For more information about the default application roles, see Section 2.1, "Working with the Default Users, Groups, and Application Roles".

Oracle Business Intelligence application roles represent a role that a user has. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. You can create new application roles to supplement or replace the default roles configured during installation. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to application roles.

Note:

Before creating a new application role and adding it to the default Oracle Business Intelligence security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. For more information, see Section B.4.4, "How User Permissions Are Granted Using Application Roles".

For more information about creating application roles, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Application Security Guide.

Note:

For advanced-level information about using a BI repository in offline mode, see Section 2.5.3.1, "About Managing Application Roles in the Metadata Repository".

2.4.2.2 Creating an Application Role

There are two methods for creating a new application role:

  • Create New - Creates a new application role. You can add members at the same time or you can save the new role after naming it, and add members later.

  • Copy Existing - Creates an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as is the original. Modifications can be made as needed to the copy to further customize the new application role.

Membership in an application role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an application role are users, groups, and other application roles.

Permission grants are controlled in the Application Policies page in Fusion Middleware Control. The permission grant definitions are set in the application policy, then the application policy is granted to the application role. For more information, see Section 2.4.3, "Creating Application Policies Using Fusion Middleware Control".

To create a new application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then choose obi from the list. Click the search icon next to Role Name. This screenshot or diagram is described in surrounding text.

    The Oracle Business Intelligence application roles display. Figure 2-5 shows the default application roles.

    Figure 2-5 Default Application Roles in Fusion Middleware Control

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-5 Default Application Roles in Fusion Middleware Control"

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name - Enter the name of the application role

    • (Optional) Display Name - Enter the display name for the application role.

    • (Optional) Description - Enter a description for the application role.

    In the Members section, select the users, groups, or application roles to be assigned to the application role. Select Add Application Role or Add Group or Add Users accordingly. To search in the dialog box that displays:

    • Enter a name in Name field and click the blue button to search.

    • Select from the results returned in the Available box.

    • Use the shuttle controls to move the desired name to the Selected box.

    • Click OK to return to the Create Application Role page.

    • Repeat the steps until all desired members are added to the application role.

  4. Click OK to return to the Application Roles page.

    The application role just created displays in the table at the bottom of the page.

To create an application role based on an existing one:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence application roles display.

  3. Select the application role you want to copy from the list to enable the action buttons.

  4. Click Create Like to display the Create Application Role Like page.

    The Members section is completed with the same application roles, groups, or users that are assigned to the original role.

  5. Complete the Role Name, Display Name, and Description fields.

    Figure 2-6 shows creation of the new application role MyNewRole, based upon the default BIAuthor application role.

    Figure 2-6 New Application Role Based on Default BIAuthor Role

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-6 New Application Role Based on Default BIAuthor Role"

  6. Modify the members as appropriate and click OK.

    The newly-created application role displays in the table at the bottom of the page. Figure 2-7 shows the newly-created application role named MyNewRole that is based upon the default BIAuthor application role.

    Figure 2-7 Newly Created Application Role

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-7 Newly Created Application Role"

2.4.2.3 Assigning a Group to an Application Role

You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.

To assign a group to an application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name. This screenshot or diagram is described in surrounding text.

    The Oracle Business Intelligence application roles display. Figure 2-8shows the default application roles.

    Figure 2-8 The Default Application Roles

    This screenshot or diagram is described in surrounding text.
    Description of "Figure 2-8 The Default Application Roles"

  3. Select an application role in the list and click Edit to display an edit dialog, and complete the fields as follows:

  4. In the Members section, use the Add Group option to add the group that you want to assign to the Roles list.

    For example, if a group for marketing report consumers named BIMarketingGroup require an application role called BIConsumerMarketing, then add the group named BIMarketingGroup to Roles list.

  5. Click OK to return to the Application Roles page.

2.4.3 Creating Application Policies Using Fusion Middleware Control

You can create application roles based on default preconfigured application policies, or you can create your own application policies.

Application policies do not apply privileges to the metadata repository or Oracle BI Presentation Catalog objects and functionality.

All Oracle Business Intelligence permissions are provided as part of the installation and you cannot create new permissions. The application policy is the mechanism that defines the permissions grants. Permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission grants are defined in an application policy. An application role, user, or group, is then assigned to an application policy. This process makes the application role a grantee of the application policy.

There are two methods for creating a new application policy:

  • Create New - Create a new application policy and permissions are added to it.

  • Copy Existing - Create new application policy by copying an existing application policy. The copy is named and existing permissions are removed or permissions are added.

For more information about creating application policies, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Application Security Guide.

To create a new application policy:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the Oracle Business Intelligence application policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_createpolicy.gif

  3. Click Create to display the Create Application Grant page.

  4. To add permissions to the policy being created, click Add in the Permissions area to display the Add Permission dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

      All permissions located in the obi application stripe are displayed. This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicypermission.gif

    • Select the desired Oracle Business Intelligencer permission and click OK. Repeat until all desired permissions are selected. Selecting non-Oracle Business Intelligence permissions have no effect in the policy.

    • To remove any items, select it and click Delete.

    You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

  5. To add an application role to the policy being created, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

    • Select from the Available Roles list and use the shuttle controls to move it to Selected Roles.

    • Click OK.

    You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the table. The following figure shows the new application policy just created with MyNewRole application role as the grantee (Principal). This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicy06.gif

To create an application policy based on an existing one:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

  3. Select an existing policy from the table.

    The following figure shows the BIAuthor Principal selected with the Create Like button activated, which is used as an example in this procedure. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicy01.gif

  4. Click Create Like to display the Create Application Grant Like page. The Permissions table is automatically filled in with permissions granted by the policy selected.

    The following figure shows the Create Application Grant Like dialog after the BIAuthor policy has been selected. Note that the Permissions section is completed with the permission grants for the BIAuthor policy. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicycopy.gif

  5. To remove any items, select it and click Delete.

  6. To add application roles to the policy, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    The following figures use the MyNewRole application role as an example.

    • Complete the Search area and click the blue search button next to the Resource Name field. The application roles matching the search are displayed. This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy03.gif

    • Select from the Available Roles list and use the shuttle controls to move it to Selected Roles. The Create Application Grant Like page displays with the selected application role added as Grantee. This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy04.gif

    • Click OK. You are returned to the Create Application Grant Like dialog and the Grantee section is completed.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy05.gif

    • Click OK to return to the Application Policies page.

      The Principal and Permissions of the application policy just created are displayed in the table.

This screenshot or diagram is described in surrounding text.
Description of the illustration em_newpolicy06.gif

2.4.4 Modifying Application Roles Using Fusion Middleware Control

You can modify an application role by changing permission grants of the corresponding application policy (if the application role is a grantee of the application policy), or by changing its members, as follows:

Note:

Oracle recommends that you do not change the permission grants and membership for the default application roles named BIConsumer, BIAuthor, and BIAdministrator.

For more information about managing application policies and application roles, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Application Security Guide.

2.4.4.1 Adding or Removing Permission Grants from an Application Role

Use this procedure if you want to change the permission grants for an application role. This is done by adding or removing the permission grants for the application policy which the application role is a grantee of.

To add or remove permission grants from an application policy:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.

    For more information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

  3. Select the application role from the Principal column and click Edit.

  4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

2.4.4.2 Adding or Removing Members from an Application Role

Members can be added to or deleted from an application role using Fusion Middleware Control. You must perform these tasks in the WebLogic Domain where Oracle Business Intelligence is installed (for example, in bifoundation_domain). Valid members of an application role are users, groups, or other application roles. Being assigned to an application role is to become a member of an application role. Best practice is to assign groups instead of individual users to application roles.

Note:

Be very careful when changing the permission grants and membership for the default application roles. For example, the BISystem application role provides the permissions required for system communication and changes to it could result in an unusable system.

To add or remove members from an application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Section 2.4.1, "Displaying Application Policies and Application Roles Using Fusion Middleware Control".

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence application roles are displayed.

  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page.

    You can add or delete members from the Edit Application Role page. Valid members are application roles, groups, and users.

  4. From Members, select from the following options:

    • To delete a member: Select the Name of the member to activate the Delete button. Click Delete.

    • To add a member: Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User.

  5. If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK.

    For example, the following figure shows the Add Group dialog and after the Report_Dev group has been selected. This screenshot or diagram is described in surrounding text.

    The added member displays in the Members column corresponding to the application role modified in the Application Roles page. For example, the following figure shows the Edit Application Role page for the MyNewRole application role after the Report_Dev group has been added.

    This screenshot or diagram is described in surrounding text.

  6. Click OK in the Edit Application Role page to return to the Application Roles page.

    The members just added to the application role display in the Members section. If members were deleted, they no longer display.

    The following figure shows the MyNewRole application role with the just added member Report_Dev group displaying.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_group2role.gif

For additional information, see "Managing Application Roles" in Oracle Fusion Middleware Application Security Guide.

2.5 Managing Metadata Repository Privileges Using the Oracle BI Administration Tool

This section explains how to use the Oracle BI Administration Tool to configure security in the Oracle BI repository, and contains the following topics:

2.5.1 Overview

You use Identity Manager in the Oracle BI Administration Tool to manage permissions for application roles, and set access privileges for objects such as subject areas and tables. For an overview about using the Oracle BI Administration Tool to configure security, see Section 1.6.3, "Using Oracle BI Administration Tool".

Note:

Oracle Business Intelligence Applications customers should read this section to understand the basics about security and setting up authentication, and then refer to the security and configuration information provided in Oracle Fusion Middleware Reference Guide for Oracle Business Intelligence Applications.

2.5.2 Setting Repository Privileges for an Application Role

The default application roles (that is, BIConsumer, BIAuthor, and BIAdministrator) are preconfigured with permissions for accessing the metadata repository. If you create a new application role, you must set appropriate repository permissions for the new application role, to enable that role to access the metadata repository.

Note:

In addition, you might assign Oracle BI Presentation Catalog privileges to a new application role. For more information, see Section 2.6.3, "Setting Presentation Services Privileges for Application Roles".

To set repository permissions for an application role:

  1. Open the repository in the Oracle BI Administration Tool (in Online mode).

    For more information, see Section 1.6.3, "Using Oracle BI Administration Tool".

  2. In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.

  3. Right-click the subject area or sub-folder and select Properties to display the properties dialog.

    For example, to provide access to the Paint subject area, right-click Paint.

  4. Click Permissions to display the Permissions <Name> dialog.

    Note:

    Ensure that the Show all users/application roles check box is selected.

    This screenshot or diagram is described in surrounding text.
  5. Use the Permissions <Name> dialog to change the security permissions for application roles in the User/Application Role list.

    For example, to enable users to create dashboards and reports, you might change the repository permissions for an application role named BISalesAnalysis from 'Read' to 'Read/Write'.

    Note:

    Best practice is to modify permissions for application roles, not modify permissions for individual users.

Tip:

To see all permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and what permissions that have for the selected object.

2.5.3 Advanced Security Configuration Topics

This section contains advanced topics.

2.5.3.1 About Managing Application Roles in the Metadata Repository

Application role definitions are maintained in the policy store and any changes must be made using the administrative interface. The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays application role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever the BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual application role. You cannot created an actual application role in the Administration Tool. You can create an application role only in the policy store, using the administrative interface available for managing the policy store.

An application role must be defined in the policy store for each application role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Administration Tool interface. Always create a corresponding application role in the policy store before bringing the repository back online when using role placeholders in offline repository development.

For more information about how to create a placeholder for an application role during repository development, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

2.6 Managing Presentation Services Privileges Using Application Roles

This section explains how to manage Presentation Services privileges using application roles in Presentation Services Administration Manage Privileges page, and contains the following topics:

2.6.1 Overview

Privileges that are stored in Presentation Services control access to features such as the creation analyses and dashboards. The default Oracle Business Intelligence application roles (BIAdministrator, BIAuthor, BIConsumer) are automatically configured with these privileges during installation, in addition to the Oracle Business Intelligence application policy permissions.

Systems upgraded from a previous release can continue to use Catalog groups to grant these privileges, but this is not considered a best practice. Best practice is to use application roles to manage privileges, which streamlines the security management process. For example, using the same set of application roles throughout the system eliminates the need to manage a separate set of Catalog groups and member lists. For more information regarding how to continue using upgraded Catalog groups to manage Presentation Services privileges, see Section A.2.1, "Changes Affecting Security in Presentation Services".

Note:

Assigning an application role to be a member of a Catalog group creates complex group inheritance and maintenance situations and is not considered a best practice.

When groups are assigned to application roles, the group members are automatically granted associated privileges in Presentation Services. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of application roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

2.6.2 About Presentation Services Privileges

Presentation Services privileges are maintained in the Presentation Services Administration Manage Privileges page, and they grant or deny access to Presentation Services features, such as the creation of analyses and dashboards. Presentation Services privileges have no effect in other Oracle Business Intelligence components.

Being a member of a group assigned to a default application role grants Presentation Services privileges, in addition to the Oracle Business Intelligence permissions discussed in Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings". The Presentation Services privileges granted by a default application role can be modified by adding or removing default privilege grants using the Manage Privileges page in Presentation Services Administration.

Whenever a new catalog is created, it is populated with the default application role to Presentation Services privilege mappings. If you have changed the default mappings and want to see the default associations, create a new catalog by pointing to a file location where no catalog exists. When Presentation Services starts, a catalog is created as part of the initialization process.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

2.6.3 Setting Presentation Services Privileges for Application Roles

If you create an application role, you must set appropriate Presentation Services privileges to enable users with the application role to perform various functional tasks. For example, you might want users with an application role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named Create Invoke Action.

Presentation Services privileges cannot be assigned using the administrative interfaces used to manage the policy store. If you create a new application role to grant Oracle Business Intelligence permissions, then you must the set Presentation Services privileges for the new role in addition to any Oracle Business Intelligence permissions.

Note:

Presentation Services privileges can be assigned to a new application role programmatically using SecurityService Service. For more information, see "SecurityService Service" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition

To set Presentation Services privileges for an application role:

  1. Log in to Oracle BI Presentation Services as a user with Administrator privileges.

    For more information, see Section 1.6.4, "Using Presentation Services Administration".

  2. From the Home page in Presentation Services, select Administration.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_admin_nav.gif

    Note:

    If you log in as a user without Administrator privileges, the Administration option is not displayed.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_security.gif

  3. In the Security area, click Manage Privileges to display the Manage Privileges page.

    This page enables you to view application roles for Presentation Services privileges.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_pspriv.gif

  4. Click an application role next to the privilege that you want to administer.

    For example, to administer the privilege named Access to Scorecard for the application role named BIConsumer, you would click the BIConsumer link next to Access to Scorecard.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration admin_per6.gif

    Use the Privilege <privilege_name> dialog to add application roles to the list of permissions, and grant and revoke permissions from application roles. For example, to grant the selected privilege to an application role, you must add the application role to the Permissions list.

  5. Add an application role to the Permissions list, as follows:

    1. Click Add Users/Roles.

    2. Select Application Roles from the list and click Search.

    3. Select the application role from the results list.

    4. Use the shuttle controls to move the application role to the Selected Members list.

    5. Click OK.

  6. Set the permission for the application role by selecting Granted or Denied in the Permission list.

    Note:

    Explicitly denying a Presentation Services permission takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

  7. Save your changes.

Note:

Existing Catalog groups are migrated during the upgrade process. Moving an existing Presentation Services Catalog security configuration to the role-based Oracle Fusion Middleware security model based requires that each Catalog group be replaced with a corresponding application role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding application role that grants the same Presentation Services Catalog privileges. You can then delete the original Catalog group from Presentation Services.

2.6.4 Advanced Security Configuration Topics

This section contains advanced topics.

2.6.4.1 About Encryption in BI Presentation Services

The BI Server and Presentation Services client support industry-standard security for login and password encryption. When an end user enters a user name and password in the Web browser, the BI Server uses the Hypertext Transport Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit), preventing unauthorized users from accessing data or Oracle Business Intelligence metadata.

At the database level, Oracle Business Intelligence administrative users can implement database security and authentication. Finally, a proprietary key-based encryption provides security to prevent unauthorized users from accessing the metadata repository.

2.7 Managing Data Source Access Permissions Using Oracle BI Publisher

This section discusses managing the data source access permissions that are stored in Oracle BI Publisher, using the Oracle BI Publisher Administration pages. Data source access permissions control application role access to data sources. A user must be assigned to an application role which is granted specific data source access permissions to enable the user to perform the following tasks:

For more information regarding data source security in published reporting, see "Granting Access to Data Sources" in the Oracle Fusion Middleware Administrator's and Developer's Guide for Oracle Business Intelligence Publisher.

2.8 Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store

To enable high availability of the default embedded Oracle WebLogic Server LDAP identity store in a clustered environment, you configure the virtualize attribute. When you set the virtualize attribute value to true, Managed servers are able to use a copy of the embedded default Oracle WebLogic Server LDAP identity store.

To configure the virtualize attribute for high availability of the default embedded Oracle WebLogic Server LDAP identity store:

  1. Log in to Fusion Middleware Control.

    For more information, see Section 1.6.2, "Using Oracle Fusion Middleware Control".

  2. From the navigation pane expand the WebLogic Domain folder and select bifoundation_domain.

  3. Right-click bifoundation_domain and select Security, then Security Provider Configuration to display the Security Provider Configuration page.

    This screenshot is described in surrounding text.
  4. In the Identity Store Provider area, click Configure to display the Identity Store Configuration page.

    This screenshot is described in surrounding text.
  5. In the Custom Properties area, use the Add option to add a Custom Property called virtualize.

    Figure 2-9 shows an example set of Custom Properties including a new property called virtualize with its value set to true.

    Figure 2-9 Identity Store Configuration Page Showing New Custom Property

    This screenshot is described in surrounding text.
  6. Click OK to save the changes.

  7. Restart the Administration Server, any Managed Servers, and Oracle BI components.