Skip Headers
Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)

Part Number E10543-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B Understanding the Default Security Configuration

Controlling access to system resources is achieved by requiring users to authenticate at log in (authentication) and by restricting users to only the resources for which they are authorized (authorization). The Oracle Business Intelligence default security configuration is automatically configured during installation and is available for use afterwards. The default configuration includes preconfigured security providers for managing user identities, credentials, and permission grants.

This chapter contains the following sections:

Note:

Unless otherwise stated, the privileges discussed in this chapter are those maintained in the policy store provider, such as the Oracle Business Intelligence Presentation Services privileges. Catalog permissions are distinct because they are maintained in the Oracle BI Presentation Catalog. For more information about Presentation Services privileges, see Section D.2.3, "Managing Presentation Services Privileges".

B.1 About Securing Oracle Business Intelligence

Securing Oracle Business Intelligence can be broken down into two broad areas:

System access security is discussed in this guide and topics include how to limit system access to authorized users, control software resources based on permission grants, and enable secure communication among components.

Data access security is discussed in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

B.2 About the Security Framework

The Oracle Fusion Middleware security model is built upon the Oracle Fusion Middleware platform, which incorporates the Java security model. The Java model is a role-based, declarative model that employs container-managed security where resources are protected by roles that are assigned to users. However, extensive knowledge of the Java-based architecture is unnecessary when using the Oracle Fusion Middleware Security model. By being based upon this security model, Oracle Business Intelligence can furnish uniform security and identity management across the enterprise.

Oracle Business Intelligence is installed into a Oracle WebLogic Server domain during installation, which is a logically related group of resources that are managed as a unit. During a Simple installation type, an Oracle WebLogic Server domain named bifoundation_domain is created and Oracle Business Intelligence is installed into this domain. This name might vary depending upon the installation type performed. One instance of Oracle WebLogic Server in each domain is configured as an Administration Server. The Administration Server provides a central point for managing an Oracle WebLogic Server domain. The Administration Server hosts the Administration Console, which is a Web application accessible from any supported Web browser with network access to the Administration Server. Oracle Business Intelligence uses the active security realm configured for the Oracle WebLogic Server domain into which it is installed. For more information, see Section B.2.2, "Oracle WebLogic Server Domain".

For more information about the Oracle Fusion Middleware platform and the common security framework, see Oracle Fusion Middleware Application Security Guide. For more information about managing the Oracle WebLogic Server domain and security realm, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server and Oracle Fusion Middleware Securing Oracle WebLogic Server.

B.2.1 Oracle Platform Security Services

Oracle Platform Security Services (OPSS) is the underlying platform on which the Oracle Fusion Middleware security framework is built. Oracle Platform Security Services is standards-based and complies with role-based-access-control (RBAC), Java Enterprise Edition (Java EE), and Java Authorization and Authentication Service (JAAS). Oracle Platform Security Services enables the shared security framework to furnish uniform security and identity management across the enterprise.

For more information about Oracle Platform Security Services, see Oracle Fusion Middleware Application Security Guide.

Note:

In future versions of the documentation, references to Oracle Platform Security Services (OPSS) will be replaced by references to Oracle Entitlements Server Basic (OES Basic), with no change to customer-visible behavior. For more information, see Section 3.9, "Configuring Oracle Internet Directory as the Policy Store and the Credential Store".

B.2.2 Oracle WebLogic Server Domain

An Oracle WebLogic Server administration domain is a logically related group of Java components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain. You typically configure a domain to include additional WebLogic Server instances called Managed Servers. You deploy Java components, such as Web applications, EJBs, and Web services, and other resources to the Managed Servers and use the Administration Server for configuration and management purposes only.

Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control run in the Administration Server. Oracle WebLogic Server Administration Console is the Web-based administration console used to manage the resources in an Oracle WebLogic Server domain, including the Administration Server and Managed Servers. Fusion Middleware Control is a Web-based administration console used to manage Oracle Fusion Middleware, including the components that comprise Oracle Business Intelligence. For more information about the Oracle Business Intelligence individual components, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

Oracle Business Intelligence authentication is handled by the Oracle WebLogic Server authentication providers. An authentication provider performs the following functions:

  • Establishes the identity of users and system processes

  • Transmits identity information

Upon installation, Oracle Business Intelligence is configured to use the directory server embedded in Oracle WebLogic Server as both the default authentication provider and the repository for users and groups. Alternate authentication providers can be used if desired, and managed in the Oracle WebLogic Administration Console. For more information, see System Requirements and Certification.

B.3 Key Security Elements

The Oracle Fusion Middleware security platform depends upon the following key elements to provide uniform security and identity management across the enterprise. For more information about the Oracle Fusion Middleware security platform, see Oracle Fusion Middleware Application Security Guide.

Oracle Business Intelligence uses these security platform elements as follows:

Application Policy

For more information about application policies, see Section 1.9, "Terminology".

An application stripe defines a subset of policies in the policy store. The Oracle Business Intelligence application stripe is named obi.

Application Role

For more information about application roles, see Section 1.4.1, "About Application Roles". For example, having the Sales Analyst application role can grant a user access to view, edit and create reports relating to a company's sales pipeline. The default security configuration provides four preconfigured roles that grant the permissions corresponding to the common types of work performed when using Oracle Business Intelligence. The application role is also the container used to grant permissions and access to its members. When members are assigned to an application role, that application role becomes the container used to convey access rights to its members. For example:

  • Oracle Business Intelligence Permissions

    These permission grants are defined in an application policy. After an application role is assigned to a policy, the permissions become associated with the application role through the relationship between policy and role. If groups of users have been assigned to that application role, the corresponding permissions are in turn granted to all members equally. More than one user or group can be members of the same application role.

  • Data Access Rights

    Application roles can be used to control access rights to view and modify data in the repository file. Data filters can be applied to application roles to control object level permissions in the Business Model and Mapping layer and the Presentation layer. For more information about using application roles to apply data access security and control repository objects, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

  • Presentation Services Object-Level Access

    Application roles can be used to grant access rights to reports and other objects in Oracle BI Presentation Services. For more information about using application roles to control access in Presentation Services, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

Authentication Provider

For more information about authentication providers, see Section 1.3, "About Authentication".

B.4 Default Security Configuration

When operating in a development or test environment you might find it convenient to use the default security configuration because it comes preconfigured, then add user definitions and credentials specific to your business, and customize the default application roles and permission grants to meet your requirements. After the authentication, policy, and credential providers are fully configured and populated with data specific to your business, they provide all user, policy, and credential information needed by the Oracle Business Intelligence components during authentication and authorization.

The default security configuration provides you with three security providers that are integrated to ensure safe, controlled access to system and data resources. These security providers are configured during a Simple or Enterprise installation type as follows:

Table B-1 summarizes the three default security providers and their initial state after installation.

Table B-1 Default Security Providers

Security Provider Type Purpose Default Provider Options

Authentication provider

Used to control authentication.

  • DefaultAuthenticatior. Authenticates against the users and groups stored in Oracle WebLogic Server embedded directory server (identity store).

  • Oracle WebLogic Server embedded directory server is managed with Oracle WebLogic Server Administration Console.

Oracle Business Intelligence can be reconfigured to use different authentication providers and directory servers. For more information, see System Requirements and Certification.

Policy store provider

  • Used to control authorization.

  • Contains the definition of application roles, application policies, and the members assigned to application roles.

  • system.jazn-data.xml file.

  • Managed with Fusion Middleware Control.

Oracle Business Intelligence can be configured to use Oracle Internet Directory.

Credential store provider

Trusted store for holding system passwords and other security-related credentials. The data stored here is used for connecting to external systems, opening repositories, or for SSL.

  • cwallet.sso.

  • File is automatically replicated across all machines in the Oracle Business Intelligence installation.

  • Managed with Fusion Middleware Control.

Oracle Business Intelligence can be configured to use Oracle Internet Directory.


Figure B-1 shows the relationship between Oracle Business Intelligence and the authentication and policy store providers.

Figure B-1 Relationship with the Default Security Providers

This screenshot or diagram is described in surrounding text.
Description of "Figure B-1 Relationship with the Default Security Providers"

B.4.1 Default Policy Store Provider

The policy store provider contains the Oracle Business Intelligence application-specific policies, application roles, permission grants, and membership mappings configured during installation. A policy store can be file-based or LDAP-based, but the installation default provides a policy store that is an XML file.

Catalog privileges and permissions are not maintained in the policy store provider.

B.4.1.1 Default Permissions

All Oracle Business Intelligence permissions are provided; you cannot create additional permissions. In the default configuration, the application policies and application roles are preconfigured to group these permissions according to the access requirements of the Oracle Business Intelligence common user types: administrator, author, and consumer. However, these default permission grants can be changed as needed using Fusion Middleware Control. For more information, see Section 3.9, "Configuring Oracle Internet Directory as the Policy Store and the Credential Store".

Table B-2 and Table B-3 list the available permissions and resource types that are contained in the obi application stripe.

Table B-2 Default Permissions

Permission Name Description

oracle.bi.publisher.administerServer

Enables the Administration link to access the Administration page and grants permission to set any of the system settings.

oracle.bi.publisher.developDataModel

Grants permission to create or edit data models.

oracle.bi.publisher.developReport

Grants permission to create or edit reports, style templates, and sub templates. This permission also enables connection to the BI Publisher server from the Template Builder.

oracle.bi.publisher.runReportOnline

Grants permission to open (execute) reports and view the generated document in the report viewer.

oracle.bi.publisher.scheduleReport

Grants permission to create or edit jobs and also to manage and browse jobs.

oracle.bi.publisher.accessReportOutput

Grants permission to browse and manage job history and output.

oracle.bi.publisher.accessExcelReportAnalyzer

Grants permission to download the Analyzer for Excel and to download data from a report to Excel using the Analyzer for Excel. Note that to enable a user to upload an Analyzer for Excel template back to the report definition, the permission oracle.bi.publisher.developReport must also be granted.

oracle.bi.publisher.accessOnlineReportAnalyzer

Grants permission to launch the Analyzer and manipulate the data. Note that to save an Analyzer template to a report definition, the permission oracle.bi.publisher.developReport must also be granted.

oracle.bi.server.impersonateUsers

Used by internal components that need to act on behalf of end users.

oracle.bi.server.manageRepositories

Grants permission to open, view, and edit repository files using the Administration Tool or the Oracle BI Metadata Web Service.

oracle.bi.server.queryUserPopulation

Internal use only.

oracle.bi.scheduler.manageJobs

Grants permission to use Job Manager to manage scheduled Delivers jobs.

EPM_Calc_Manager_Designer

Grants permissions for EPM Calc Manager Designer.

EPM_Calc_Manager_Administrator

Grants permissions for EPM Calc Manager Administrator.

EPM_Essbase_Filter

Grants permissions for EPM Essbase Filter.

EPM_Essbase_Administrator

Grants permissions for EPM Essbase Administrator.

oracle.epm.financialreporting.accessReporting

Grants permissions for EPM Report Access.

oracle.epm.financialreporting.administerReporting

Grants permissions for EPM Report Administration.

oracle.epm.financialreporting.editBatch

Grants permissions for EPM Batch Edit.

oracle.epm.financialreporting.editBook

Grants permissions for EPM Book Edit.

oracle.epm.financialreporting.editReport

Grants permissions for EPM Report Edit.

oracle.epm.financialreporting.scheduleBatch

Grants permissions for EPM Batch Scheduling.


Oracle RTD controls authorization using resources defined in context of a Java class. The Java class oracle.security.jps.ResourcePermission can be used as the permission class within any grant to protect application or system resources. Oracle RTD uses this class to control access to the following types of resource:

Table B-3 lists the Oracle RTD resource types.

Table B-3 Oracle RTD Resource Types and Actions

Type of Resource Resource Type Name Stored in Application Grants Action[:Qualifier] Comments

Inline Service

rtd_ils

choice_editor

Might execute any methods of the ExternalChoice Web service for the named Inline Service.

Inline Service

rtd_ils

decision_service:normal

Might execute any integration points (advisors and informants) for the named Inline Service.

Action qualifier normal allows integration point requests to be executed in the server.

Inline Service

rtd_ils

decision_service:stress

Might execute any integration points (Advisors and Informants) for the named Inline Service.

Action qualifier stress allows LoadGen to issue integration point calls. To be accepted by the server, the user also needs the normal action.

Inline Service

rtd_ils

open_service:read

Authorizes the use of Decision Center to open the named Inline Service for viewing.

Authorizes the External Rule Editor to access the named Inline Service, since the External Rule Editor does not need to update the content of the Inline Service.

Inline Service

rtd_ils

open_service:write

Authorizes the use of Decision Center to open the named Inline Service for editing.

Inline Service

rtd_ils

deploy_service

Authorizes the deployment of the named Inline Service from Decision Studio.

Inline Service

rtd_ils

download_service

Authorizes the use of Decision Studio to download the named Inline Service from a server.

Decision Center Perspective

rtd_dc_persp

dc_perspective

Opens the named Decision Center Perspective, to have Decision Center render its specialized set of UI elements or capabilities.

Registered Batch Job Type

rtd_batch

batch_admin

Might execute any methods of the BatchManager Web service to start, stop, or query the status of the registered batch job type name.


B.4.1.2 Default Application Roles

The default application roles are grouped into broad categories of functional usage: administrator (BIAdministrator), author (BIAuthor), and consumer (BIConsumer). These categories correspond to the typical roles that users of Oracle Business Intelligence assume: an administrator, an author who creates reports for others, and a consumer who reads (consumes) reports created by others (authors).

The default Oracle Business Intelligence application roles are as follows:

BIAdministrator Role

The BIAdministrator role grants administrative permissions necessary to configure and manage the Oracle Business Intelligence installation. Any member of the BIAdministrators group is explicitly granted this role and implicitly granted the BIAuthor and BIConsumer roles. See Table B-4 and Table B-5 for a list of the default role permissions.

Note:

The BIAdministrator role must exist (with the BISystem role), for Oracle Business Intelligence to function correctly.

BIAuthor Role

The BIAuthor role grants permissions necessary to create and edit content for other users to use, or to consume. Any member of the BIAuthors group is explicitly granted this role and implicitly granted the BIConsumer role. See Table B-4 and Table B-5 for a list of the default role permissions.

BIConsumer Role

The BIConsumer role grants permissions necessary to use, or to consume, content created by other users. See Table B-4 and Table B-5 for a list of the default role permissions.

BISystem Role

The BISystem role grants the permissions necessary to impersonate other users. This role is required by Oracle Business Intelligence system components for inter-component communication. See Table B-4 and Table B-5 for a list of the default role permissions.

Note:

The BISystem Role must exist (with the BIAdministrator role), for Oracle Business Intelligence to function correctly.

Authenticated Role

The Authenticated role is a special application role provided by the Oracle Fusion Middleware security model and is made available to any application deploying this security model. Oracle Business Intelligence uses the authenticated application role to grant permissions implicitly derived by the role and group hierarchy of which the Authenticated role is a member. The Authenticated role is a member of the BIConsumer role by default and, as such, all Authenticated role members are granted the permissions of the BIConsumer role implicitly.

Every user who successfully logs in to Oracle Business Intelligence becomes a member of the Authenticated role, which is a replacement Everyone Catalog group in release 10g . The Authenticated role is not part of the obi application stripe and is not searchable in the Oracle Business Intelligence policy store. However, the Authenticated role is displayed in the administrative interface for the policy store, is available in application role lists, and can be added as a member of another application role.

You can assign the Authenticated role to another user, group, or application role, but you cannot remove the Authenticated role itself. Removal of the Authenticated role would result in the inability to log in to the system and this right would need to be granted explicitly.

For more information about the Oracle Fusion Middleware security model and the Authenticated role, see Oracle Fusion Middleware Application Security Guide.

B.4.1.3 Default Application Roles, Permission Grants, and Group Mappings

The default file-based policy store is configured with the Oracle Business Intelligence default application roles. Each application role is preconfigured with a set of permissions grants and one or more members. Members of an application role can include users, groups, or other application roles from the policy store.

Table B-4 and Table B-5 lists the default configuration of application roles, permission grants, and members. The default naming convention is that application role names are singular and group names are plural.

Table B-4 Default Application Role, Permission Grants, and Members

Role Name Role Permissions Members

BIAdministrator

  • oracle.bi.server.manageRepositories

  • oracle.bi.scheduler.manageJobs

  • oracle.bi.publisher.administerServer

  • EPM_Calc_Manager_Administrator

  • oracle.epm.financialreporting.administerReporting

BIAdministrators group

BIAuthor

  • oracle.bi.publisher.developReport

  • oracle.bi.publisher.devlopDataModel

  • EPM_Essbase_Administrator

  • EPM_Calc_Manager_Designer

  • oracle.epm.financialreporting.editBatch

  • oracle.epm.financialreporting.editBook

  • oracle.epm.financialreporting.editReport

  • oracle.epm.financialreporting.scheduleBatch

  • BIAuthors group

  • BIAdministrator application role

BIConsumer

  • oracle.bi.publisher.accessExcelReportAnalyzer

  • oracle.bi.publisher.accessOnlineReportAnalyzer

  • oracle.bi.publisher.runReportOnline

  • oracle.bi.publisher.accessReportOutput

  • oracle.bi.publisher.scheduleReport

  • EPM_Essbase_Filter

  • oracle.epm.financialreporting.acessReporting

  • BIConsumers group

  • BIAuthor application role

BISystem

  • oracle.bi.scheduler.manageJobs

  • oracle.bi.server.manageRepositories

  • oracle.bi.server.impersonateUser

  • oracle.bi.server.queryUserPopulation

BISystemUser


Table B-5 lists the default application roles, Oracle RTD resource types, resource names, and actions in the default application grants after installation. For more information about Real-Time Decision (RTD) resource defaults, see "Security for Oracle Real-Time Decisions" in Oracle Fusion Middleware Administrator's Guide for Oracle Real-Time Decisions

Note:

The resource name _all _ is a special name that matches any Oracle RTD resource name of the associated resource type.

Table B-5 Default Application Grants for Oracle RTD Users

Application Role Resource Type Resource Name Action[:Qualifier]

BIAdministrator

rtd_ils

_all_

open_service:read

open_service:write

deploy_service

download_service

choice_editor

decision_service:normal

decision_service:stress

dc_perspective

batch_admin

BIAuthors

rtd_ils

_all_

open_service:read

open_service:write

deploy_service

download_service

decision_service:normal

decision_service:stress

BIAuthors

rtd_dc_persp

_all_

dc_perspective

BIConsumer

rtd_ils

_all_

open_service:read

choice_editor

decision_service:normal

BIConsumer

rtd_dc_persp

Explore

dc_perspective

BIConsumer

rtd_dc_persp

At a Glance

dc_perspective

BIConsumer

rtd_batch

_all_

batch_admin


B.4.2 Default Authentication Provider

An authentication provider accesses user and group information and is responsible for authenticating users. An identity store contains user name, password, and group membership information and in Oracle Business Intelligence is currently a directory server. The default security configuration authenticates against the Oracle WebLogic Server embedded directory server using an authentication provider named DefaultAuthenticator.

When a user logs in to a system with a user name and password combination, Oracle WebLogic Server validates identity based on the combination provided. During this process, a Java principal is assigned to the user or group that is undergoing authentication. The principal can consist of one or more users or groups and is stored within subjects. A subject is a JAAS element used to group and hold identity information.

Upon successful authentication, each principal is signed and stored in a subject. When a program call accesses a principal stored in a subject, the default authenticator provider verifies the principal has not been altered since signing, and the principal is returned to the program making the call. For example, in the Oracle WebLogic Server default authenticator, the subject contains a principal for the user (WLSUserPrincipal) and a principal for the group (WLSGroupsPrincipals) of which the user is a member. If an authentication provider other than the installation default is configured, consult that provider's documentation because how identity information is stored might differ.

B.4.2.1 Default Groups and Members

Groups are logically ordered sets of users. Creating groups of users who have similar system resource access needs enables easier security management. Managing a group is more efficient than managing a large number of users individually. Groups are then assigned to application roles to grant rights. Oracle recommends that you organize your users into groups for easier maintenance.

The default group names discussed here are provided as a convenience so you can begin using the Oracle Business Intelligence software immediately after installation, but you are not required to maintain the default names.

Table B-6 lists the group names and group members that are created during the installation process. These defaults can be changed to different values and additional group names can be added by an administrative user using Oracle WebLogic Server Administration Console.

Table B-6 Default Groups and Members

Purpose Group Name and Members Description

Contains the Oracle Business Intelligence administrative users.

Name: BIAdministrators

Members: Any administratror user

  • Members of the BIAdministrators group are granted administrative permissions because this group is assigned to the BIAdministrator application role at installation.

  • All users requiring administrative permissions should be added to the BIAdministrators group when using the default security configuration.

Contains the Oracle Business Intelligence authors.

Name: BIAuthors

Members: BIAdministrators group

Members of the BIAuthors group have the permissions necessary to create content for other users to use, or to consume.

Contains the Oracle Business Intelligence consumers.

Name: BIConsumers

Members: BIAuthors group and Oracle WebLogic Server LDAP server users group

  • Members of the BIConsumers group have the permissions necessary to use, or consume, content created by other users.

  • The BIConsumers group represents all users that have been authenticated by Oracle Business Intelligence. By default, every authenticated user is automatically added to this group.

  • Oracle WebLogic Server LDAP server users group members have the permissions necessary to log in to and use Oracle WebLogic Server Administration Console.


B.4.2.2 Default Users and Passwords

Oracle WebLogic Server embedded directory server contains Oracle Business Intelligence user names provided as part of the default security configuration. These default user names are provided as a convenience so you can begin using the Oracle Business Intelligence software immediately after installation, but you are not required to keep using the default names.

Table B-7 lists the default user names and passwords in the Oracle WebLogic Server embedded directory server after installation.

Table B-7 Default Users and Passwords

Purpose User Name and Password Description

Administrative user

Name: administrator user

Password: user supplied

  • This user name is entered by the person performing the installation, it can be any desired name, and does not need to be named Administrator.

  • The password entered during installation can be changed later using the administration interface for the identity store provider.

  • An administrative user is a member of the BIAdministrators group and has all rights granted to the Oracle Business Intelligence Administrator user in earlier releases, except impersonation. The administrator user cannot impersonate other users.

  • The single administrative user is shared by Oracle Business Intelligence and Oracle WebLogic Server. This user is automatically made a member of the Oracle WebLogic Server default Administrators group after installation. This enables this user to perform all Oracle WebLogic Server administration tasks, including the ability to manage Oracle WebLogic Server embedded directory server.

  • A fixed user created during installation for trusted communication between components.

  • All Oracle Business Intelligence system components run as this user.

Name: BISystemUser

Password: system generated

  • This is a highly privileged user whose credentials should be protected from non-administrative users.

  • Using a separate user for secure inter-component communication enables you to change the password for the system administrator account without affecting communication between components.

  • The name of this user can be changed or a different user can be created for inter-component communication.


B.4.3 Default Credential Store Provider

A credential store is a repository of security data (credentials) that validates the authority of users, Java components, and system components. Oracle Business Intelligence system processes use these credentials to establish trusted communication.

B.4.3.1 Default Credentials

The Oracle Business Intelligence default credential store is file-based, also known as being wallet-based, and is represented by the file cwallet.sso. The default credential store is managed in Fusion Middleware Control.

Credentials are grouped into logical collections called maps. The default security configuration contains the following maps: oracle.bi.system and oracle. bi.enterprise. Each credential is accessed from a map using a key, such as system.user or repository.paint. A key is case sensitive. Each repository file has its own entry in the credential map.

The oracle.bi.actions credential map is created manually. For information about creating the oracle.bi.actions credential map, see "Adding and Maintaining Credentials for Use with Action Framework" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition.

Table B-8 lists the credentials contained in the default credential store after installation.

Table B-8 Default Credentials

Description Map and Key User Name and Password

Repository password

map: oracle.bi.enterprise

key: repository.RPD name

Name: Not Applicable

Password: user supplied

BISystem user

map: oracle.bi.system

key: system.user

Name: BISystemUser

Password: system generated

Oracle Business Intelligence Scheduler Schema user

map: oracle.bi.enterprise

key: scheduler.schema

Name: Name of Scheduler schema

Password: system generated


B.4.4 How User Permissions Are Granted Using Application Roles

The default Oracle Business Intelligence security configuration provides preconfigured permissions granted to application roles. Application roles have groups as members, and permissions are inherited by users through their membership of groups. A group assigned to an application role conveys the role's permissions to all members of the group.

Permissions are granted by Oracle Business Intelligence application roles by establishing the following relationships:

  • A group defines a set of users having similar system access requirements. Users are added as members of one or more groups according to the level of access required.

  • An application role defines the role a user typically performs when using Oracle Business Intelligence. The default security configuration provides the following roles: administrator (BIAdministrator), author (BIAuthor), and consumer (BIConsumer).

  • A group is assigned to one or more application roles that match the type of access required by each group.

  • An application policy defines Oracle Business Intelligence permissions that grant a set of access rights corresponding to each role type.

  • An application role is assigned to an application policy that grants the set of permissions required by the role type (administrator, author, consumer). Once configured, the application role is the grantee of the application policy.

  • Group membership can be inherited by nature of the group hierarchy. Application roles assigned to inherited groups are also inherited, and their permissions are likewise conveyed.

How the system determines a user's permissions:

  1. A user enters credentials into a Web browser at login. The user credentials are authenticated by the authentication provider against data contained the identity store.

  2. After successful authentication, a Java subject and principal combination is issued, which is populated with the user name and the user's groups.

  3. A list of the user's groups is checked against the application roles. A list is created of the application roles that are assigned to each of the user's groups.

  4. A user's permission grants are determined from knowing which application roles the user is a member of. The list of groups is generated only to determine what roles a user has, and is not used for any other purpose.

For example, the ability to open a repository file in online mode from the Oracle BI Administration Tool requires the manage repository permission (oracle.bi.server.manageRepositories). In the default security configuration, this permission is granted by membership in the BIAdministrator application role. The BIAdministrator application policy contains the actual permission grant definitions, and in this example, the BIAdministrator application policy contains the manage repository permission definition. The default security configuration includes a preconfigured association between the BIAdministrator application role and the BIAdministrators group. To convey the manage repository permission to a user in your environment, add that user to the BIAdministrators group. Every user who needs to manage a repository in online mode should be added to the BIAdministrators group instead of granting the required permission to each user individually. If a user no longer requires the manage repository permission, you then remove the user from the BIAdministrators group. After removal from the BIAdministrators group, the user no longer has the BIAdministrator application role or the manage repository permission granted by role membership.

Users can also obtain permissions by inheriting group membership and application roles. For more information and an example of how this is accomplished, see Section B.4.4.1, "Permission Inheritance and Role Hierarchy".

B.4.4.1 Permission Inheritance and Role Hierarchy

In Oracle Business Intelligence, the members of a default application role includes both groups and other application roles. The result is a hierarchical role structure where permissions can be inherited in addition to being explicitly granted. A group that is a member of a role is granted both the permissions of the role and the permissions for all roles descended from that role. It is important when constructing a role hierarchy that circular dependencies are not introduced.

Figure B-2 shows the relationship between default application roles and how permissions are granted to members.

Figure B-2 Default Application Role Hierarchy Example

This screenshot or diagram is described in surrounding text.
Description of "Figure B-2 Default Application Role Hierarchy Example"

In Figure B-2 the role hierarchy grants permissions using several of the Oracle Business Intelligence default groups and application roles. The default BIAdministrator role is a member the BIAuthor role, and BIAuthor role is a member of BIConsumer role. The result is that members of the BIAdministrators group are granted all the permissions of the BIAdministrator role, the BIAuthor role, and the BIConsumer role. So a user who is a member of a particular group is granted both explicit permissions and any additional inherited permissions.

Note:

By themselves, groups and group hierarchies do not provide access rights to application resources. Privileges are conveyed by the permission grants defined in an application policy. A user, group, or application role becomes a grantee of the application policy. The application policy grantee conveys the permissions and this is done by direct association (such as a user) or by becoming a member of the grantee (such as a group or application role).

Table B-9 details the role and permissions granted to all group members (users) shown in Figure B-2.

Table B-9 Permissions Granted by The Role Hierarchy Example

User Name Group Membership: Explicit/Inherited Application Role Membership: Explicit/Inherited Permission Grants: Explicit/Inherited

User1, User2, User3

BIConsumers: Explicit

BIConsumer: Explicit

Access reports: Explicit

User4, User5

BIAuthors: Explicit

BIConsumers: Inherited

BIAuthor: Explicit

BIConsumer: Inherited

Create reports: Explicit

Access reports: Inherited

User6, User7

BIAdministrators: Explicit

BIAuthors: Inherited

BIConsumers: Inherited

BIAdministrator: Explicit

BIAuthor: Inherited

BIConsumer: Inherited

Manage repository: Explicit

Create reports: Inherited

Access Reports: Inherited


B.4.4.2 Catalog Groups and Precedence

If Catalog groups and application roles are used in combination to manage Catalog permissions or privileges, the Catalog groups take precedence. For example, if a user is a member of a Catalog group that grants access to a Presentation Services object or feature and is also a member of an application role that denies access to the same object or feature, then this user has access. A Catalog group takes precedence over an application role. For more information about Presentation Services permissions and privileges, see Section D.2.3, "Managing Presentation Services Privileges".

B.5 Common Security Tasks After Installation

The common security tasks performed after a successful Oracle Business Intelligence software installation are different according to purpose. Common reasons to install Oracle Business Intelligence are:

Implementation typically involves moving through the product lifecyle of using the product in one or more of the following environments:

B.5.1 Common Security Tasks to Evaluate Oracle Business Intelligence

Table B-10 contains common security tasks performed to evaluate Oracle Business Intelligence and provides links for more information.

Table B-10 Task Map: Common Security Tasks to Evaluate Oracle Business Intelligence

Task Description For Information

Understand the Oracle Fusion Middleware security model and the Oracle Business Intelligence default security configuration.

Familiarize yourself with the key elements of the Oracle Fusion Middleware security model and the Oracle Business Intelligence default security configuration after a successful installation.

Chapter 1, "Introduction to Security in Oracle Business Intelligence"

Section B.4, "Default Security Configuration"

Oracle Fusion Middleware Application Security Guide

Add users and groups to the default identity store.

Create new User and group definitions for the embedded directory server using Oracle WebLogic Server Administration Console.

Section 2.3.2, "Creating a New User in the Embedded WebLogic LDAP Server"

Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

Add a new member to a default application role.

Add a new user or group as a member to a default application role, such as BIConsumer.

Section 2.4.4, "Modifying Application Roles Using Fusion Middleware Control"

Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings"

Oracle Fusion Middleware Application Security Guide

Create a new application role based on an existing default application role.

Create a new application role based on an existing default application role by copying it and naming the copy.

Section 2.4.2, "Creating Application Roles Using Fusion Middleware Control"

Oracle Fusion Middleware Application Security Guide


B.5.2 Common Security Tasks to Implement Oracle Business Intelligence

Table B-11 contains common security tasks performed when you implement Oracle Business Intelligence and provides links for more information. The following tasks are performed in addition to the tasks listed in Section B.5.1, "Common Security Tasks to Evaluate Oracle Business Intelligence".

Table B-11 Task Map: Common Security Tasks to Implement Oracle Business Intelligence

Task Description For Information

Transition to using your enterprise directory server as the authentication provider and identity store.

Configure your enterprise directory server to become the authentication provider and identity store.

Section 3.4, "Configuring Alternative Authentication Providers"

Appendix A, "Alternative Security Administration Options"

Create a new application role.

Create a new application role and make the role a grantee of an application policy.

Section 2.4.2, "Creating Application Roles Using Fusion Middleware Control"

Assign a group to a newly created application role.

Assign a group to a newly created application role to convey the permission grants to group members.

Section 2.4.4, "Modifying Application Roles Using Fusion Middleware Control"

Decide whether to use SSL.

Decide whether to use SSL communication and devise a plan to implement.

Chapter 5, "SSL Configuration in Oracle Business Intelligence"

Decide whether to use an SSO provider in your deployment.

Decide whether to use SSO authentication and devise a plan to implement.

Chapter 4, "Enabling SSO Authentication"


B.6 About the Default Security Configuration After Upgrade

The Upgrade Assistant is a unified graphical user interface that enables you to selectively upgrade your Oracle Business Intelligence installation. For complete upgrade information, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence Enterprise Edition.

Significant changes have been made to the security model regarding how and where users, groups, and credentials are defined and stored. The following is a summary of some of the changes that are made during the upgrade process by the Upgrade Assistant:

Caution:

Before upgrading, create a backup of the repository file and the Oracle BI Presentation Catalog to ensure that you can restore the originals if needed.

B.6.1 Security-Related Changes After Upgrading

The following is an overview of the security-related changes initiated by the Upgrade Assistant when upgrading an Oracle Business Intelligence installation. For information about upgrading a system, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence Enterprise Edition.

In general, the standard upgrade process is as follows. The Upgrade Assistant is run on a system that has the Oracle Business Intelligence Release 11g software installed. During this process the metadata from the Release 10g repository file and Oracle BI Presentation Catalog is imported to the Release 11g system. The Release 10g system is left unchanged after the upgrade process completes. The imported metadata is upgraded as needed to function in the Release 11g environment, such as moving users and groups defined in the repository to the Oracle WebLogic Server embedded LDAP server, and so on. However, configuration settings such as SSL settings are not carried over from the upgrade source.

Before running the Upgrade Assistant you must have the following available:

  • The Oracle Business Intelligence Release 10g installation, which is used as the upgrade source. This installation can be configured to use any combination of security mechanisms supported in the Release 10g, including: repository users and groups, authentication initialization blocks, Catalog groups, and SA System Subject Area.

  • A default installation of Oracle Business Intelligence Release 11g to be used as the target for the upgrade. This installation must not have been customized in any way.

The Upgrade Assistant prompts for details of the Release 10g installation. The Upgrade Assistant migrates the existing security-related entries to the Release 11g system, as explained in the following sections.

B.6.1.1 Changes Affecting the Identity Store

The Upgrade Assistant automatically creates the following entries in the Oracle WebLogic Server embedded LDAP server for the target system:

  • An LDAP group corresponding to each group found in the repository. This does not include the Administrators group found in prior releases. Any users that were in this Administrators group are added to the BIAdministrators LDAP group.

  • LDAP group hierarchies that match the repository group hierarchies.

  • The Administrator user is migrated and made a part of the BIAdministrators group.

All users, other than the Administrator user, who are members of the Administrators group in the default repository are added to the BIAdministrators group in the embedded LDAP server. The Release 11g Administrator user that is created from information provided during installation is also added to the BIAdministrators group in the embedded LDAP server.

B.6.1.2 Changes Affecting the Policy Store

The Upgrade Assistant automatically creates the following entries in the file-based policy store for the target system:

  • An application role that corresponds to each group in the default repository. This does not include the Administrators group found in prior releases. The application role is granted to the group with the same name.

  • Application role hierarchies that match the repository group hierarchies.

B.6.1.3 Changes Affecting the Default Repository File

The upgrade assistant automatically upgrades the default repository in the source system and makes the following changes:

  • All groups in the default Release 10g repository are converted to application role references (placeholders) to application roles created in the policy store during upgrade.

  • All users are removed from the default repository during upgrade and replaced with references (name and GUID) to LDAP users created in the embedded LDAP server on the target system.

  • A numerical suffix is added to the name of an upgraded repository file. A number is added to indicate the number of times that file has been upgraded.

B.6.1.4 Changes Affecting the Oracle BI Presentation Catalog

The Upgrade Assistant automatically makes the following changes to the Oracle BI Presentation Catalog:

  • The Oracle BI Presentation Catalog is scanned and the old security representations are converted to the new ones. Permissions and privileges that existed in 10g are migrated. The internal representation of each user is updated to the standard GUID being used across the environment. Users not found in the LDAP server are placed in the initialization block users folder until they have been added to the LDAP server, after which they are moved to the standard user folder. All references to old user and group representation are replaced by the GUID. The entire Oracle BI Presentation Catalog is reviewed.

  • Leaves the Release 10g Catalog groups in the upgraded Oracle BI Presentation Catalog and assigns the same privileges, access, and membership.

B.6.2 Planning to Upgrade a 10g Repository

A Release 10g repository can be opened and upgraded using the Upgrade Assistant. The following security-related changes are made to the repository upon upgrade:

  • The upgraded repository is protected and encrypted by the password entered during the upgrade.

  • The repository file is upgraded to contain references to users it expects to be present in the identity store and references to application roles it expects to be present in the policy store.

The upgraded repository can be opened in the Oracle BI Administration Tool in offline mode as usual, and can be deployed to a server to be opened in online mode.

For more information about upgrading a Release 10g repository, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence Enterprise Edition.

B.6.3 Upgrading an Existing SSL Environment

Configuration settings such as SSL settings are not carried over from the upgrade source. For information regarding configuring SSL, see Chapter 5, "SSL Configuration in Oracle Business Intelligence".

B.6.4 Upgrading an Existing SSO Environment

Configuration settings such as single sign-on (SSO) settings are not carried over from the upgrade source. For information regarding configuring SSO, see Chapter 4, "Enabling SSO Authentication".