D Managing Security for Dashboards and Analyses

This appendix explains how to manage security for dashboards and analyses such that users have only:

Access to objects in the Oracle BI Presentation Catalog that are appropriate to them.
Access to features and tasks that are appropriate to them.
Access to saved customizations that are appropriate to them.

This appendix contains the following sections:

Section D.1, "Managing Security for Users of Oracle BI Presentation Services"
Section D.2, "Using Oracle BI Presentation Services Administration Pages"
Section D.3, "Inheritance of Permissions and Privileges for Oracle BI Presentation Services"
Section D.4, "Providing Shared Dashboards for Users"
Section D.5, "Controlling Access to Saved Customization Options in Dashboards"
Section D.6, "Enabling Users to Act for Others"

D.1 Managing Security for Users of Oracle BI Presentation Services

System administrators must configure a business intelligence system to ensure that all functionality (including administrative functionality) is secured so that only authorized users can access the system to perform appropriate operations. Administrators also must be able to configure the system to secure all middle-tier communications.

This overview section contains the following topics:

Section D.1.1, "Where Are Oracle BI Presentation Services Security Settings Made?"
Section D.1.2, "What Are the Security Goals in Oracle BI Presentation Services?"
Section D.1.3, "How Are Permissions and Privileges Assigned to Users?"

D.1.1 Where Are Oracle BI Presentation Services Security Settings Made?

Security settings that affect users of Presentation Services are made in the following Oracle Business Intelligence components:

Oracle BI Administration Tool — Enables you to perform the following tasks:
- Set permissions for business models, tables, columns, and subject areas.
- Specify database access for each user.
- Specify filters to limit the data accessible by users.
- Set authentication options.
For information, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Oracle BI Presentation Services Administration — Enables you to set privileges for users to access features and functions such as editing views and creating agents and prompts.
Oracle BI Presentation Services — Enables you to assign permissions for objects in the Oracle BI Presentation Catalog.

In previous releases, you could assign permissions to objects from the Presentation Services Administration pages. In this release, you set permissions either in the Catalog Manager or the Catalog page of Presentation Services. See Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition for information on assigning permissions in Presentation Services.
Catalog Manager — Enables you to set permissions for Oracle BI Presentation Catalog objects. For information on the Catalog Manager, see "Configuring and Managing the Oracle BI Presentation Catalog" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

D.1.2 What Are the Security Goals in Oracle BI Presentation Services?

When maintaining security in Presentation Services, you must ensure the following:

Only the appropriate users can sign in and access Presentation Services. You must assign sign-in rights and authenticate users through the BI Server.

Authentication is the process of using a user name and password to identify someone who is logging on. Authenticated users are then given appropriate authorization to access a system, in this case Presentation Services. Presentation Services does not have its own authentication system; it relies on the authentication system that it inherits from the BI Server.

All users who sign in to Presentation Services are granted the AuthenticatedUser Role and any other roles that they were assigned in Fusion Middleware Control.

For information about authentication, see Section 1.3, "About Authentication".
Users can access only the objects that are appropriate to them. You apply access control in the form of permissions, as described in Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition.
Users have the ability to access features and functions that are appropriate to them. You apply user rights in the form of privileges. Example privileges are "Edit systemwide column formats" and "Create agents."

Users are either granted or denied a specific privilege. These associations are created in a privilege assignment table, as described in Section D.2.3, "Managing Presentation Services Privileges."

You can configure Oracle Business Intelligence to use the single sign-on feature from the Web server. Presentation Services can use this feature when obtaining information for end users. For complete information on single sign-on, see Chapter 4, "Enabling SSO Authentication".

D.1.3 How Are Permissions and Privileges Assigned to Users?

When you assign permissions and privileges in Presentation Services, you can assign them in one of the following ways:

To application roles — This is the recommended way of assigning permissions and privileges. Application roles provide much easier maintenance of users and their assignments. An application role defines a set of permissions granted to a user or group that has that role in the system's identity store. An application role is assigned in accordance with specific conditions. As such, application roles are granted dynamically based on the conditions present at the time authentication occurs.

See Section 1.4.1, "About Application Roles" for information on application roles.
To individual users — You can assign permissions and privileges to specific users, but such assignments can be more difficult to maintain and so this approach is not recommended.
To Catalog groups — This approach is maintained for backward compatibility with previous releases only.

See Section D.2.2, "Working with Catalog Groups" for information on Catalog groups.

D.2 Using Oracle BI Presentation Services Administration Pages

You can use the Administration pages in Oracle BI Presentation Services to perform the tasks that are described in the following sections:

Section D.2.1, "Understanding the Administration Pages"
Section D.2.2, "Working with Catalog Groups"
Section D.2.3, "Managing Presentation Services Privileges"
Section D.2.4, "Managing Sessions in Presentation Services"

D.2.1 Understanding the Administration Pages

The main Administration page contains links that allow you to display other administration pages for performing various functions, including those related to users in Presentation Services. You can obtain information about all these pages by clicking the Help button in the upper-right corner.

Note:

Use care if multiple users have access to the Administration pages, because they can overwrite each other's changes. Suppose UserA and UserB are both accessing and modifying the Manage Privileges page in Presentation Services Administration. If UserA saves updates to privileges while UserB is also editing them, then UserB's changes are overwritten by those that UserA saved.

D.2.2 Working with Catalog Groups

In previous releases, Catalog groups were used for organizing users. Catalog group membership was used to determine the permissions and privileges that are associated with a user, either by explicit assignment or inheritance. In this release, Catalog groups have the following characteristics:

Are referred to as Catalog groups.
Can contain users, application roles, or other Catalog groups.
Exist only for the purposes of compatibility with previous releases and only with Presentation Services.
No longer have their own passwords.

While you can continue to use Catalog groups, it is recommended that you move to the use of application roles rather than Catalog groups for organizing users.

Presentation Services administrators must ensure that the names of Catalog groups are different from any user IDs that are used to log in to Oracle BI Presentation Services. If a user and a Catalog group share the same name, then the user receives an Invalid Account message when attempting to log in to Oracle BI Presentation Services.

On the Administration page in Presentation Services, you can perform the tasks that are described in the following sections:

Section D.2.2.1, "Creating Catalog Groups"
Section D.2.2.2, "Deleting Catalog Groups"
Section D.2.2.3, "Editing Catalog Groups"

D.2.2.1 Creating Catalog Groups

To create Catalog groups:

From the Home page in Presentation Services, select Administration.
Click the Manage Catalog Groups link.
Click Create a New Catalog Group.
In the Add Group dialog, enter a name for the group.
Use the shuttle control to select the Catalog groups, users, and application roles to include in this group.

Tip:

It is best practice to not include application roles in Catalog groups, to avoid complex group inheritance and maintenance situations. In particular do not add the AuthenticatedUser Role to any other Catalog groups that you create. This ensures that only the desired Catalog groups (and users) have the specified permissions and privileges, by preventing users or authenticated users from unintentionally inheriting permissions and privileges from another Catalog group.
Click OK.

D.2.2.2 Deleting Catalog Groups

To delete Catalog groups:

From the Home page in Presentation Services, select Administration.
Click the Manage Catalog Groups link.
On the Manage Catalog Groups page, select the one or more groups to delete.

To help you locate the group that you want, enter text in the Name field and click Search.
Click Delete Selected Groups.
Click OK to confirm the deletion.

D.2.2.3 Editing Catalog Groups

To edit Catalog groups:

From the Home page in Presentation Services, select Administration.
Click the Manage Catalog Groups link.
On the Manage Catalog Groups page, select the group to edit.

To help you locate the group that you want, enter text in the Name field and click Search.

You can click the More Groups button to display the next 25 groups in the list.
In the Edit Group dialog, change the name or add or remove application roles, Catalog groups, and users.
Click OK.

D.2.3 Managing Presentation Services Privileges

This section contains the following topics about Presentation Services privileges:

Section D.2.3.1, "What Are Presentation Services Privileges?"
Section D.2.3.2, "Setting Presentation Services Privileges for Application Roles"
Section D.2.3.3, "Default Presentation Services Privilege Assignments"

D.2.3.1 What Are Presentation Services Privileges?

Presentation Services privileges control the rights that users have to access the features and functionality of Presentation Services. Privileges are granted or denied to specific application roles, individual users, and Catalog groups using a privilege assignment table.

Like permissions, privileges are either explicitly set or are inherited through role or group membership. Explicitly denying a privilege takes precedence over any granted, inherited privilege. For example, if a user is explicitly denied access to the privilege to edit column formulas, but is a member of an application role that has inherited the privilege, then the user cannot edit column formulas.

Privileges are most commonly granted to the BIAuthor or BIConsumer roles. This allows users access to common features and functions of Presentation Services. While you can continue to grant privileges to Catalog groups, it is recommended that you switch the grants to application roles.

D.2.3.2 Setting Presentation Services Privileges for Application Roles

You can set Presentation Services privileges for application roles, individual users, and Catalog groups from the Presentation Services Administration Manage Privileges page.

For more information, see Section 2.6.3, "Setting Presentation Services Privileges for Application Roles".

D.2.3.3 Default Presentation Services Privilege Assignments

Table D-1 lists the privileges that you can manage, along with the application role that is granted access to that privilege by default.

These privileges apply to the Oracle Business Intelligence infrastructure. If your organization uses prebuilt applications, then some privileges might be preconfigured. For more information, see the documentation for the application.

Table D-1 Privileges and Default Settings for the Oracle Business Intelligence Infrastructure

Component	Privilege	Description	Default Role Granted
Access	Access to Dashboards	Allows users to view dashboards.	BIConsumer
Access	Access to Answers	Allows users to access the Analysis editor.	BIAuthor
Access	Access to BI Composer	Allows users to access the BI Composer wizard.	BIAuthor
Access	Access to Delivers	Allows users to create and edit agents.	BIAuthor
Access	Access to Briefing Books	Allows users to view and download briefing books.	BIConsumer
Access	Access to Mobile	Allows users to access Presentation Services from the Oracle Business Intelligence Mobile application.	BIConsumer
Access	Access to Administration	Allows users to access the Administration pages in Presentation Services.	BIAdministrator
Access	Access to Segments	Allows users to access segments in Oracle's Siebel Marketing.	BIConsumer
Access	Access to Segment Trees	Allows users to access segment trees in Oracle's Siebel Marketing.	BIAuthor
Access	Access to List Formats	Allows users to access list formats in Oracle's Siebel Marketing.	BIAuthor
Access	Access to Metadata Dictionary	Allows users to access the metadata dictionary information for subject areas, folders, columns, and levels. For more information, see "Providing Access to Metadata Dictionary Information" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.	BIAdministrator
Access	Access to Oracle BI for Microsoft Office	See Section D.2.3.3.2, "Access to Oracle BI for Microsoft Office Privilege."	BIConsumer
Access	Access to Oracle BI Client Installer	Allows users to download the Oracle BI Client Tools installer, which installs the Business Intelligence Administration Tool and the Oracle Business Intelligence Job Manager.	BIConsumer
Access	Catalog Preview Pane UI	Allows users access to the catalog preview pane, which shows a preview of each catalog object's appearance.	BIConsumer
Access	Access to KPI Builder	Allows users to create KPIs.	BIAuthor
Access	Access to Scorecard	Allows users access to Oracle BI Scorecard.	BIConsumer
Actions	Create Navigate Actions	See Section D.2.3.3.1, "Access to Oracle BI Enterprise Edition Actions."	BIAuthor
Actions	Create Invoke Actions	See Section D.2.3.3.1, "Access to Oracle BI Enterprise Edition Actions."	BIAuthor
Actions	Save Actions Containing Embedded HTML	See Section D.2.3.3.1, "Access to Oracle BI Enterprise Edition Actions."	BIAdministrator
Admin: Catalog	Change Permissions	Allows users to modify permissions for catalog objects.	BIAuthor
Admin: Catalog	Toggle Maintenance Mode	Shows the Toggle Maintenance Mode link on the Presentation Services Administration page, which allows users to turn maintenance mode on and off. In maintenance mode, the catalog is read-only; no one can write to it.	BIAdministrator
Admin: General	Manage Sessions	Shows the Manage Sessions link on the Presentation Services Administration page, which displays the Manage Sessions page in which users manage sessions.	BIAdministrator
Admin: General	Manage Dashboards	Allows users to create and edit dashboards, including editing their properties.	BIAdministrator
Admin: General	See Session IDs	Allows users to see session IDs on the Manage Sessions page.	BIAdministrator
Admin: General	Issue SQL Directly	Shows the Issue SQL link on the Presentation Services Administration page, which displays the Issue SQL page in which users enter SQL statements.	BIAdministrator
Admin: General	View System Information	Allows users to view information about the system at the top of the Administration page in Presentation Services.	BIAdministrator
Admin: General	Performance Monitor	Allows users to monitor performance.	BIAdministrator
Admin: General	Manage Agent Sessions	Shows the Manage Agent Sessions link on the Presentation Services Administration page, which displays the Manage Agent Sessions page in which users manage agent sessions.	BIAdministrator
Admin: General	Manage Device Types	Shows the Manage Device Types link on the Presentation Services Administration page, which displays the Manage Device Types page in which users manage device types for agents.	BIAdministrator
Admin: General	Manage Map Data	Shows the Manage Map Data link on the Presentation Services Administration page, which displays the Manage Map Data page in which users edit layers, background maps, and images for map views.	BIAdministrator
Admin: General	See Privileged Errors	Allows users to see privileged error messages. Users can see detailed error messages about database connections or other details when lower level components fail.	BIAdministrator
Admin: General	See SQL Issued in Errors	Allows users to see SQL statements that are returned by the BI Server in error messages.	BIConsumer
Admin: General	Manage Marketing Jobs	Shows the Manage Marketing Jobs link on the Presentation Services Administration page, which displays the Marketing Job Management page in which users manage marketing jobs.	BIAuthor
Admin: General	Manage Marketing Defaults	Shows the Manage Marketing Defaults link on the Presentation Services Administration page, which displays the Manage Marketing Defaults page in which users manage defaults for Oracle's Siebel Marketing application.	BIAdministrator
Admin: Security	Manage Catalog Groups	Shows the Manage Catalog Groups link on the Presentation Services Administration page, which displays the Manage Catalog Groups page in which users edit Catalog groups.	BIAdministrator
Admin: Security	Manage Privileges	Shows the Manage Privileges link on the Presentation Services Administration page, which displays the Manage Privileges page in which users manage the privileges that are described in this table.	BIAdministrator
Admin: Security	Set Ownership of Catalog Objects	Allows users to take ownership of catalog items that they did not create and do not own. Shows the "Set ownership of this item" link for individual objects and the "Set ownership of this item and all subitems" link for folders on the Properties page.	BIAdministrator
Admin: Security	User Population - Can List Users	Allows users to see the list of users for which they can perform tasks such as assigning privileges and permissions.	BIConsumer, BISystem
Admin: Security	User Population - Can List Groups	Allows users to see the list of groups for which they can perform tasks such as assigning privileges and permissions.	BIConsumer, BISystem
Briefing Book	Add To or Edit a Briefing Book	Allows users to see the Add to Briefing Book link on dashboard pages and analyses and the Edit link in briefing books.	BIAuthor
Briefing Book	Download Briefing Book	Allows users to download briefing books.	BIConsumer
Catalog	Personal Storage	Allows users to have write access to their own My Folders folders and create content there. If users do not have this privilege, then they can receive email alerts but cannot receive dashboard alerts.	BIConsumer
Catalog	Reload Metadata	Allows users to click the Reload Server Metadata link from the Refresh menu in the toolbar of the Subject Areas pane.	BIAdministrator
Catalog	See Hidden Items	Allows users to see hidden items in catalog folders. Users can also select the Show Hidden Items box on the Catalog page.	BIAuthor
Catalog	Create Folders	Allows users to create folders in the catalog.	BIAuthor
Catalog	Archive Catalog	Allows users to archive the folders and objects in the catalog.	BIAdministrator
Catalog	Unarchive Catalog	Allows users to unarchive catalog objects that have been archived previously.	BIAdministrator
Catalog	Upload Files	Allows users to upload files into an existing catalog.	BIAdministrator
Catalog	Perform Global Search	Allows user to search the catalog using the basic catalog search, which is included by default with the Oracle BI Enterprise Edition installation.	BIAuthor
Catalog	Perform Extended Search	Allows users to search the catalog using the full-text search. To provide full-text search, the administrator must have integrated Oracle BI Enterprise Edition with Oracle Secure Enterprise Search.	BIAuthor
Conditions	Create Conditions	Allows users to create or edit named conditions.	BIAuthor
Dashboards	Save Customizations	See Section D.5, "Controlling Access to Saved Customization Options in Dashboards."	BIConsumer
Dashboards	Assign Default Customizations	See Section D.5, "Controlling Access to Saved Customization Options in Dashboards."	BIAuthor
Formatting	Save SystemWide Column Formats	Allows users to save systemwide defaults when specifying formats for columns.	BIAdministrator
Home and Header	Access Home Page	Allows users to access the home page from the global header.	BIConsumer
Home and Header	Access Catalog UI	Allows users to access the catalog from the global header.	BIConsumer
Home and Header	Access Catalog Search UI	Allows users to access the search fields from the global header.	BIConsumer
Home and Header	Simple Search Field	Allows users to access the Search field in the global header.	BIConsumer
Home and Header	Advanced Search Link	Allows users to access the Advanced link in the global header.	BIConsumer
Home and Header	Open Menu	Allows users to access the Open menu from the global header.	BIConsumer
Home and Header	New Menu	Allows users to access the New menu from the global header.	BIConsumer
Home and Header	Help Menu	Allows users to access the Help menu from the global header.	BIConsumer
Home and Header	Dashboards Menu	Allows users to access the Dashboards menu from the global header.	BIConsumer
Home and Header	Favorites Menu	Allows users to access the Favorites menu from the global header.	BIConsumer
Home and Header	My Account Link	Allows users to access the My Account link when they click on their Signed In As name in the global header.	BIConsumer
Home and Header	Custom Links	Allows users to access the custom links that the administrator added to the global header.	BIConsumer
My Account	Access to My Account	Allows users to access the My Account dialog.	BIConsumer
My Account	Change Preferences	Allows users to access the Preferences tab of the My Account dialog.	BIConsumer
My Account	Change Delivery Options	Allows users to access the Delivery Options tab of the My Account dialog.	BIConsumer
Answers	Create Views	Allows users to create views.	BIAuthor
Answers	Create Prompts	Allows users to create prompts.	BIAuthor
Answers	Access Advanced Tab	Allows users to access the Advanced tab in the Analysis editor.	BIAuthor
Answers	Edit Column Formulas	Allows users to edit column formulas.	BIAuthor
Answers	Save Content with HTML Markup	See Section D.2.3.3.3, "Save Content with HTML Markup Privilege."	BIAdministrator
Answers	Enter XML and Logical SQL	Allows users to use the Advanced SQL tab.	BIAuthor
Answers	Edit Direct Database Analysis	Allows users to create and edit requests that are sent directly to the back-end data source.	BIAdministrator
Answers	Create Analysis from Simple SQL	Allows users to select the Create Analysis from Simple SQL option in the Select Subject Area list.	BIAdministrator
Answers	Create Advanced Filters and Set Operations	Allows users to click the Combine results based on union, intersection, and difference operations button from the Criteria tab in the Analysis editor.	BIAuthor
Answers	Save Filters	Allows users to save filters.	BIAuthor
Answers	Execute Direct Database Analysis	Allows users to issue requests directly to the back-end data source.	BIAdministrator
Delivers	Create Agents	Allows users to create agents.	BIAuthor
Delivers	Publish Agents for Subscription	Allows users to publish agents for subscription.	BIAuthor
Delivers	Deliver Agents to Specific or Dynamically Determined Users	Allows users to deliver agents to other users.	BIAdministrator
Delivers	Chain Agents	Allows users to chain agents.	BIAuthor
Delivers	Modify Current Subscriptions for Agents	Allows users to modify the current subscriptions for agents, including unsubscribing users.	BIAdministrator
Proxy	Act As Proxy	Allows users to act as proxy users for other users, as described in Section D.6, "Enabling Users to Act for Others."	Denied: BIConsumer
RSS Feeds	Access to RSS Feeds	Allows users to subscribe to and receive RSS feeds with alerts and contents of folders. If Presentation Services uses the HTTPS protocol, then the RSS Reader that you use must also support the HTTPS protocol.	BIAuthor
Scorecard	Create/Edit Scorecards	Allows users to create and edit scorecards.	BIAuthor
Scorecard	View Scorecards	Allows users to view scorecards.	BIConsumer
Scorecard	Create/Edit Objectives	Allows users to create and edit objectives.	BIAuthor
Scorecard	Create/Edit Initiatives	Allows users to create and edit initiatives.	BIAuthor
Scorecard	Create Views	Allows users to create and edit scorecard objects that present and analyze corporate strategy, such as vision and mission statements, strategy maps, cause & effect maps, and so on.	BIAuthor
Scorecard	Create/Edit Causes and Effects Linkages	Allows users to create and edit cause and effect relationships.	BIAuthor
Scorecard	Create/Edit Perspectives	Allows users to create and edit perspectives.	BIAdministrator
Scorecard	Add Annotations	Allows users to add comments to KPIs and scorecard components.	BIConsumer
Scorecard	Override Status	Allows users to override statuses of KPIs and scorecard components.	BIConsumer
Scorecard	Create/Edit KPIs	Allows users to create and edit KPIs.	BIAuthor
Scorecard	Write Back to Database for KPI	Allows users to enter and submit a KPI's actual and target settings values to the repository.	BIConsumer
Scorecard	Add Scorecard Views to Dashboards	Allows users to add scorecard views (such as strategy trees) to dashboards.	BIConsumer
List Formats	Create List Formats	Allows users to create list formats in Oracle's Siebel Marketing.	BIAuthor
List Formats	Create Headers and Footers	Allows users to create headers and footers for list formats in Oracle's Siebel Marketing.	BIAuthor
List Formats	Access Options Tab	Allows users to access the Options tab for list formats in Oracle's Siebel Marketing.	BIAuthor
List Formats	Add/Remove List Format Columns	Allows users to add and remove columns for list formats in Oracle's Siebel Marketing.	BIAdministrator
Segmentation	Create Segments	Allows users to create segments in Oracle's Siebel Marketing.	BIAuthor
Segmentation	Create Segment Trees	Allows users to create segment trees in Oracle's Siebel Marketing.	BIAuthor
Segmentation	Create/Purge Saved Result Sets	Allows users to create and purge saved result sets in Oracle's Siebel Marketing.	BIAdministrator
Segmentation	Access Segment Advanced Options Tab	Allows users to access the Segment Advanced Options tab in Oracle's Siebel Marketing.	BIAdministrator
Segmentation	Access Segment Tree Advanced Options Tab	Allows users to access the Segment Tree Advanced Options tab in Oracle's Siebel Marketing.	BIAdministrator
Segmentation	Change Target Levels within Segment Designer	Allows users to change target levels within the Segment Designer in Oracle's Siebel Marketing.	BIAdministrator
Mobile	Enable Local Content	Allows users of Oracle Business Intelligence Mobile to save local copies of BI content to their mobile devices.	BIConsumer
Mobile	Enable Search	Allows users of Oracle Business Intelligence Mobile to search the catalog.	BIConsumer
SOAP	Access SOAP	Allows users to access various Web services.	BIConsumer, BISystem
SOAP	Impersonate as System User	Allows users to impersonate a system user using a Web service.	BISystem
SOAP	Access MetadataService Service	Allows users to access the MetadataService Web service.	BIConsumer, BISystem
SOAP	Access AnalysisExportViewsService Service	Allows users to access the ReportingEditingService Web service.	BIConsumer
SOAP	Access ReportingEditingService Service	Allows users to access the ReportingEditingService Web service.	BIConsumer, BISystem
SOAP	Access ConditionEvaluationService Service	Allows users to access the ConditionEvaluationService Web service.	BIConsumer, BISystem
SOAP	Access ReplicationService Service	Allows users to access the ReplicationService Web service to replicate the Oracle BI Presentation Catalog.	BISystem
SOAP	Access CatalogIndexingService Service	Allows users to access the CatalogIndexingService Web service to index the Oracle BI Presentation Catalog for use with full-text search.	BISystem
SOAP	Access DashboardService Service	Allows users to access the DashboardService Web service.	BIConsumer, BISystem
SOAP	Access SecurityService Service	Allows users to access the SecurityService Web service.	BIConsumer, BISystem
SOAP	Access Tenant Information	Internal only.	BISystem
SOAP	Access ScorecardMetadataService Service	Allows users to access the ScorecardMetadataService Web service.	BIConsumer, BISystem
SOAP	Access ScorecardAssessmentService Service	Allows users to access the ScorecardAssessmentService Web service.	BIConsumer, BISystem
SOAP	Access HtmlViewService Service	Allows users to access the HtmlViewServiceService Web service.	BIConsumer, BISystem
SOAP	Access CatalogService Service	Allows users to access the CatalogService Web service.	BIConsumer, BISystem
SOAP	Access IBotService Service	Allows users to access the IBotService Web service.	BIConsumer, BISystem
SOAP	Access XmlGenerationService Service	Allows users to access the XmlGenerationService Web service.	BIConsumer, BISystem
SOAP	Access JobManagementService Service	Allows users to access the JobManagementService Web service.	BIConsumer, BISystem
SOAP	Access KPIAssessmentService Service	Allows users to access the JKPIAssessmentService Web service.	BIConsumer, BISystem
Subject Area (by its name)	Access within Oracle BI Answers	Allows users to access the specified subject area within the Answers editor.	BIAuthor
Views	Add/Edit AnalyzerView	Allows users to access the Analyzer view.	BIAdministrator
Views	Add/Edit Column SelectorView	Allows users to create and edit column selector views.	BIAuthor
Views	Add/Edit CompoundView	Allows users to create and edit compound layout views.	BIAuthor
Views	Add/Edit GraphView	Allows users to create and edit graph views.	BIAdministrator
Views	Add/Edit FunnelView	Allows users to create and edit funnel graph views.	BIAuthor
Views	Add/Edit GaugeView	Allows users to create and edit gauge views.	BIAuthor
Views	Add/Edit FiltersView	Allows users to create and edit filter views.	BIAuthor
Views	Add/Edit Dashboard PromptView	Allows users to create and edit dashboard prompt views.	BIAuthor
Views	Add/Edit Static TextView	Allows users to create and edit static text views.	BIAuthor
Views	Add/Edit Legend View	Allows users to create and edit legend views.	BIAuthor
Views	Add/Edit MapView	Allows users to create and edit map views.	BIAuthor
Views	Add/Edit NarrativeView	Allows users to create and edit narrative views.	BIAuthor
Views	Add/Edit No ResultsView	Allows users to create and edit no result views.	BIAuthor
Views	Add/Edit Pivot TableView	Allows users to create and edit pivot table views.	BIAuthor
Views	Add/Edit Report PromptView	Allows users to create and edit prompt views.	BIAuthor
Views	Add/Edit Create SegmentView	Allows users to create and edit segment views.	BIAuthor
Views	Add/Edit SelectionStepsView	Allows users to create and edit selection steps views.	BIAuthor
Views	Add/Edit Logical SQLView	Allows users to create and edit logical SQL views.	BIAuthor
Views	Add/Edit TableView	Allows users to create and edit table views.	BIAuthor
Views	Add/Edit Create Target ListView	Allows users to create and edit target list views.	BIAuthor
Views	Add/Edit TickerView	Allows users to create and edit ticker views.	BIAuthor
Views	Add/Edit TitleView	Allows users to create and edit title views.	BIAuthor
Views	Add/Edit View SelectorView	Allows users to create and edit view selector views.	BIAuthor
Write Back	Write Back to Database	Grants the right to write data into the data source.	Denied: BIConsumer
Write Back	Manage Write Back	Grants the right to manage write back requests.	BIAdministrator

D.2.3.3.1 Access to Oracle BI Enterprise Edition Actions

You must set the Action privileges, which determine whether the Actions functionality is available to users and specify which user types can create Actions. The following list describes these privileges:

Create Navigate Actions — Determines which users can create a Navigate action type. The sessions of users who are denied this privilege do not contain any of the user interface components that allow them to create Navigate Actions. For example, if a user is denied this privilege and chooses to create an action from the Oracle BI Enterprise Edition global header, the dialog where the user selects an action type does not include the Navigate Actions options (Go to BI Content, Go to a Web Page, and so on). However, users who are denied this privilege can add saved actions to analyses and dashboards. And, users who are denied this privilege can execute an action from an analysis or dashboard that contains an action.
Create Invoke Actions — Determines which users can create an Invoke action type. The sessions of user who are denied this privilege do not contain any of the user interface components that allow them to create Invoke Actions. For example, if a user is denied this privilege and chooses to access the agent editor's Actions tab and clicks the Add New Action button, the dialog where the user selects the action type does not include the Invoke Actions options (Invoke a Web Service, Invoke an HTTP Request, and so on). However, users who are denied this privilege can add saved actions to analyses and dashboards. And, users who are denied this privilege can execute an action from an analysis or dashboard that contains an action.
Save Actions Containing Embedded HTML — Determines which users can embed HTML code in the customization of Web service action results. Use care in assigning this privilege, because it poses a security risk to allow users to run HTML code.

D.2.3.3.2 Access to Oracle BI for Microsoft Office Privilege

The Access to Oracle BI for Microsoft Office privilege shows the following option for the Download BI Desktop Tools link in the Get Started area of the Oracle BI EE Home page:

Oracle BI for MS Office: Downloads the installation file for the Oracle BI Add-in for Microsoft Office.

The Access to Oracle BI for Microsoft Office privilege does not affect the display of the Copy link for analyses. The link is always available there.

The location of the installation file to download for Oracle BI for Microsoft Office is specified by default in the BIforOfficeURL element in the instanceconfig.xml file. For more information on using Oracle BI for Microsoft Office and the Copy option, see Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition.

D.2.3.3.3 Save Content with HTML Markup Privilege

By default, Presentation Services is secured against cross-site scripting (XSS). Securing against XSS escapes input in fields in Presentation Services and renders it as plain text. For example, an unscrupulous user can use an HTML field to enter a script that steals data from a page.

By default, end users cannot save content that is flagged as HTML; instead only administrators who have the Save Content with HTML Markup privilege can save content that contains HTML code. Users that have the Save Content with HTML Markup privilege can save an image with the "fmap" prefix. If users try to save an image with the "fmap" prefix when they do not have this privilege assigned, then they see an error message.

D.2.4 Managing Sessions in Presentation Services

Using the Session Management page in Presentation Services Administration, you can view information about active users and running analyses, cancel requests, and clear the cache.

To manage sessions in Presentation Services:

From the Home page in Presentation Services, select Administration.
Click the Manage Sessions link.

The Session Management screen is displayed with the following tables:
- The Sessions table, which gives information about sessions that have been created for users who have logged in:
- The Cursor Cache table, which shows the status of analyses:

To cancel all running requests:

Click Cancel Running Requests.
Click Finished.

To cancel one running analysis:

In the Cursor Cache table, identify the analysis and click the Cancel link in the Action column.

The user receives a message indicating that the analysis was canceled by an administrator.

To clear the Web cache:

In the Cursor Cache table, identify the analysis and click Close All Cursors.
Click Finished.

To clear the cache entry associated with an analysis:

In the Cursor Cache table, identify the analysis and click the Close link in the Action column.

To view the query file for information about an analysis:

In the Cursor Cache table, identify the analysis and click the View Log link.

Note:

Query logging must be turned on for data to be saved in this log file.

D.3 Inheritance of Permissions and Privileges for Oracle BI Presentation Services

Permissions and privileges can be assigned to users directly or through membership in application roles or Catalog groups. From another perspective, permissions and privileges can be assigned explicitly or effectively. Effective permissions and privileges are assigned indirectly through inheritance from application roles or Catalog groups, which is the recommended approach for assignments.

This section contains the following topics:

Section D.3.1, "Rules for Inheritance for Permissions and Privileges"
Section D.3.2, "Example of Inherited Privileges for Application Roles"
Section D.3.3, "Example of Inherited Privileges for Catalog Groups"

D.3.1 Rules for Inheritance for Permissions and Privileges

The following list describes the rules of inheritance for permissions and privileges:

Any permissions or privileges granted explicitly to a user override any permissions or privileges inherited from the application roles or Catalog groups to which the user belongs.
If a user belongs to two application roles or Catalog groups and both are granted permissions, then the least restrictive permissions are given to the user.

For example, if one application role allows Open access and another allows Modify access, then the least restrictive access would be granted; in this example, Open access.

Note:

The exception to this is if one of the two application roles or Catalog groups is explicitly denied the permissions, in which case the user is denied.
If a user belongs to Application Role X, and Application Role X is a member of Application Role Y, then any permissions assigned to Application Role X override any permissions assigned to Application Role Y. The same holds true if X and Y are Catalog groups.

For example, if Marketing has Open permissions, Marketing Administrators, which is a member of Marketing, can have Full Control permission.
If a Catalog group is specified along with an application role in the Permissions dialog in Presentation Services, then the Catalog group takes precedence.

For example, suppose that for a certain object, the BIAdministrator role has Read-Only permission and the Admin Catalog Group has Full Control permission. If a user signs in who is a member of both the BIAdministrator role and the Admin Catalog Group, then he is granted full access to the object.
Explicitly denying access takes precedence over any other permissions or privileges.

D.3.2 Example of Inherited Privileges for Application Roles

Figure D-1 shows an example of how privileges are inherited through application roles. At the top of the diagram is a rectangle labeled User1, which specifies that User1 is a member of Role1 and Role2. Attached beneath the User1 rectangle are two more rectangles — one on the left that represents Role1 and one on the right that represents Role2.

The Role1 rectangle specifies that Role1 has no access to DashboardA and is a member of Role3 and Role4.
The Role2 rectangle specifies that Role2 has Open access to DashboardD, is a member of Role5, and has no access to DashboardE.

Attached beneath the Role1 rectangle are two more rectangles — one on the left that represents Role3 and one on the right that represents Role4:

The Role3 rectangle specifies that Role3 has Open access to DashboardB.
The Role4 rectangle specifies that Role4 has Full Access to DashboardC and Open access to DashboardA.

And finally, attached beneath the Role2 rectangle is a rectangle that represents Role5. The Role5 rectangle specifies that Role5 has Modify access to DashboardD and Open access to DashboardE.

Figure D-1 Example of Inheritance of Permissions Using Roles

Description of "Figure D-1 Example of Inheritance of Permissions Using Roles"

In this example:

User1 is a direct member of Role1 and Role2, and is an indirect member of Role3, Role4, and Role5.
The permissions and privileges from Role1 are no access to DashboardA, Open access to DashboardB, and Full Control for DashboardC.
If one application role is a member of a second application role, then any permissions assigned to the first application role override any permissions assigned to the first role. Therefore, the inherited permissions and privileges from Role2 include Modify access to DashboardD from Role5.
Specifically denying access always takes precedence over any other settings. Therefore, Role1's denial of access to DashboardA overrides Role4's Open access. The result is that Role1 has no access to DashboardA. Likewise, Role5 has no access to DashboardE, because access to that dashboard is explicitly denied for Role2.

The total permissions and privileges granted to User1 are as follows:

No access to DashboardA and DashboardE, because access is specifically denied.
Open access to DashboardB.
Full Control for DashboardC.
Modify access to DashboardD.

D.3.3 Example of Inherited Privileges for Catalog Groups

Any permissions or privileges granted explicitly to a Catalog group take precedence over permissions or privileges granted to an application role. For example, suppose that you have an application role called Marketing_US that has Full Access to the Marketing Dashboard. You want to restrict a small set of the users in the Marketing_US role to not have access to that dashboard. To do so, you create a Catalog group called Marketing_SanJose and add the appropriate users as members of that group. You then deny the Marketing_SanJose Catalog group access to the Marketing Dashboard. Even though those users belong to the Marketing_US role, they are denied access to the Marketing Dashboard.

D.4 Providing Shared Dashboards for Users

This section contains the following topics on providing shared dashboards for users:

Section D.4.1, "Understanding the Catalog Structure for Shared Dashboards"
Section D.4.2, "Creating Shared Dashboards"
Section D.4.3, "Testing the Dashboards"
Section D.4.4, "Releasing Dashboards to the User Community"

D.4.1 Understanding the Catalog Structure for Shared Dashboards

The Oracle BI Presentation Catalog has two main folders:

My Folders — Contains the personal storage for individual users. Includes a Subject Area Contents folder where you save objects such as calculated items and groups.
Shared Folders — Contains objects and folders that are shared across users. Dashboards that are shared across users are saved in a Dashboards subfolder under a common subfolder under the /Shared Folders folder

Note:

If a user is given permission to an analysis in the Oracle BI Presentation Catalog that references a subject area to which the user does not have permission, then the BI Server still prevents the user from executing the analysis.

D.4.2 Creating Shared Dashboards

After setting up the Oracle BI Presentation Catalog structure and setting permissions, you can create shared dashboards and content for use by others.

One advantage to creating shared dashboards is that pages that you create in the shared dashboard are available for reuse. Users can create their own dashboards using the pages from your shared dashboards and any new pages that they create. You can add pages and content as described in Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition.

If you plan to allow multiple users to modify a shared default dashboard, then consider putting these users into an application role. For example, suppose that you create an application role called Sales and create a default dashboard called SalesHome. Of the 40 users that have been assigned the Sales application role, suppose that there are three who must have the ability to create and modify content for the SalesHome dashboard. Create a SalesAdmin application role, with the same permissions as the primary Sales application role. Add the three users who are allowed to make changes to the SalesHome dashboard and content to this new SalesAdmin application role, and give this role the appropriate permissions in the Oracle BI Presentation Catalog. This allows those three users to create and modify content for the SalesHome dashboard. If a user no longer requires the ability to modify dashboard content, then you can change the user's role assignment to Sales. If an existing Sales role user must have the ability to create dashboard content, then the user's role assignment can be changed to SalesAdmin.

For more information about creating shared dashboards, see 'Managing Dashboards' in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

D.4.3 Testing the Dashboards

Before releasing dashboards and content to the user community, perform some tests.

To test the dashboard:

Verify that users with appropriate permissions can correctly access it and view the intended content.
Verify that users without appropriate permissions cannot access the dashboard.
Verify that styles and skins are displayed as expected, and that other visual elements are as expected.
Correct any problems you find and test again, repeating this process until you are satisfied with the results.

D.4.4 Releasing Dashboards to the User Community

After testing is complete, notify the user community that the dashboard is available, ensuring that you provide the relevant network address.

D.5 Controlling Access to Saved Customization Options in Dashboards

This section provides an overview of saved customizations and information about administering saved customizations. It contains the following topics:

Section D.5.1, "Overview of Saved Customizations in Dashboards"
Section D.5.2, "Administering Saved Customizations"
Section D.5.3, "Permission and Privilege Settings for Creating Saved Customizations"
Section D.5.4, "Example Usage Scenario for Saved Customization Administration"

D.5.1 Overview of Saved Customizations in Dashboards

Saved customizations allow users to save and view later dashboard pages in their current state with their most frequently used or favorite choices for items such as filters, prompts, column sorts, drills in analyses, and section expansion and collapse. By saving customizations, users need not make these choices manually each time that they access the dashboard page.

Users and groups with the appropriate permissions and dashboard access rights can perform the following activities:

Save various combinations of choices as saved customizations, for their personal use or use by others.
Specify a saved customization as the default customization for a dashboard page, for their personal use or use by others.
Switch between their saved customizations.

You can restrict this behavior in the following ways:

Users can view only the saved customizations that are assigned to them.
Users can save customizations for personal use only.
Users can save customizations for personal use and for use by others.

For information about end users and saved customizations with dashboards, see Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition.

D.5.2 Administering Saved Customizations

This section describes the privileges and permissions that are required to administer saved customizations. It also describes the relevant portions of the Oracle BI Presentation Catalog that relate to storing and administering saved customizations.

D.5.2.1 Privileges for Saved Customizations

In Oracle BI Presentation Services Administration, the following privileges in the Dashboards area, along with permission settings for key dashboard elements, control whether users or groups can save or assign customizations:

Save Customizations
Assign Default Customizations

You can set neither privilege, one privilege, or both privileges for a user or group, depending on the level of access desired. For example, a user who has neither privilege can view only the saved customization that is assigned as his or her default customization.

D.5.2.2 Permissions for Saved Customizations

This section describes the permissions that are required for users to administer saved customizations of dashboard pages, and the relevant portions of the Oracle BI Presentation Catalog structure for setting permissions on shared and personal saved customizations.

D.5.2.2.1 Assigning Permissions to Dashboards

You set permissions for dashboards and pages, such as Full Control or No Access, in the Permission dialog in Oracle BI EE. You assign these permissions in the same manner as for other objects in the catalog.

D.5.2.2.2 Assigning Permissions for Customizations on a Dashboard Page

You set permissions for working with saved customizations on a particular dashboard page in the Dashboard Properties dialog, which is available in the Dashboard Builder. After selecting a page in the list in the dialog, click one of the following buttons:

Specify Who Can Save Shared Customizations displays the Permission dialog in which you specify who can save shared customizations for that dashboard page.
Specify Who Can Assign Default Customizations displays the Permission dialog in which you specify who can assign default customizations for that dashboard page.

Catalog objects and permissions scenarios are described in the following sections.

D.5.2.2.3 Catalog Folder Structure for Saved Customizations

In addition to the privileges that you set in Oracle BI Presentation Services Administration, the level of control that users and groups have over saved customizations depends on their access rights to key elements. For example, users and groups that can create and edit underlying dashboards, save dashboard view preferences as customizations, and assign customizations to other users as default customizations require Full Control permission to the key elements in shared storage, while users and groups that can view only their assigned default saved customizations need only View access to the key elements in shared storage.

Key elements in the catalog include the following folders:

Shared Storage Folders.

Shared storage folders for dashboards are typically located within the Dashboards sub-folder of a parent shared folder. Dashboards are identified by their assigned names. You can save a dashboard anywhere in the Oracle BI Presentation Catalog. If you save a dashboard within a subfolder called "Dashboards", then that dashboard's name is displayed in the list of dashboards that is displayed from the Dashboards link in the global header.

Permission settings control access to a specific dashboard for editing. Typically, if permissions are inherited down to the _selections and Dashboards sub-folders, then users who can edit dashboards can also save customizations and set defaults. Access to a specific dashboard folder controls whether a user or group can edit the dashboard.

The _selections folder contains a page identifier folder for each dashboard page. Shared saved customizations are located within this folder. Access to the page identifier folder controls whether a user or group can display, save, or edit customizations for that page.

The _defaults folder within a _selections folder contains assigned default customizations. Each group that has an assigned default is displayed here. Access to this folder controls whether a user or group can assign defaults.
Personal Storage Folders.

Within a user's personal folder, the _selections folder contains an individual user's saved customizations. Like the shared _selections folder, a personal _selections folder contains a page identifier folder for each dashboard page. The page identifier folder contains personal saved customizations and a _defaultlink file that specifies a user's preference for the personal defaulted customization.

A personal saved customization default overrides an assigned shared customization default.

Note:

If a dashboard page with saved customizations is deleted, then the saved customizations are also deleted from the catalog. If the underlying dashboard structure changes such that a saved customization is no longer valid when a user accesses it, then the default content is displayed on the dashboard.

D.5.3 Permission and Privilege Settings for Creating Saved Customizations

Table D-2 describes typical user roles and specific permission settings that can be granted to users for creating saved customizations. The folder names listed in the Permission and Privilege Settings column are described in the preceding section.

Table D-2 User Roles and Permission Settings for Saved Customizations

User Role	Permission and Privilege Settings
Power users such as IT users who must perform the following tasks: Create and edit underlying dashboards. Save dashboard view preferences as customizations. Assign customizations to other users as default customizations.	In the Shared section of the catalog, requires Full Control permission to the following folders: dashboard_name _selection _defaults Typically, no additional privileges must be assigned.
Technical users such as managers who must perform the following tasks: Save customizations as customizations for personal use. Save customizations for use by others. Users cannot create or edit underlying dashboards, or assign view customizations to others as default customizations.	In the Shared section of the catalog, requires View permission to the following folders: dashboard_name In the Shared section of the catalog, requires Modify permission to the following folders: _selections _defaults Typically, no additional privileges must be assigned.
Everyday users who must save customizations for personal use only.	In Oracle BI Presentation Services Administration, requires the following privilege to be set: Save Customizations In the dashboard page, requires that the following option is set: Allow Saving Personal Customizations In the catalog, no additional permission settings are typically required.
Casual users who must view only their assigned default customization.	In the Shared section of the catalog, the user needs View permission to the following folders: dashboard_name _selections _defaults In the catalog, no additional permission settings are typically required.

User Role

Permission and Privilege Settings

Power users such as IT users who must perform the following tasks:

Create and edit underlying dashboards.
Save dashboard view preferences as customizations.
Assign customizations to other users as default customizations.

In the Shared section of the catalog, requires Full Control permission to the following folders:

dashboard_name
_selection
_defaults

Typically, no additional privileges must be assigned.

Technical users such as managers who must perform the following tasks:

Save customizations as customizations for personal use.
Save customizations for use by others.

Users cannot create or edit underlying dashboards, or assign view customizations to others as default customizations.

In the Shared section of the catalog, requires View permission to the following folders:

dashboard_name

In the Shared section of the catalog, requires Modify permission to the following folders:

_selections
_defaults

Typically, no additional privileges must be assigned.

Everyday users who must save customizations for personal use only.

In Oracle BI Presentation Services Administration, requires the following privilege to be set:

Save Customizations

In the dashboard page, requires that the following option is set:

Allow Saving Personal Customizations

In the catalog, no additional permission settings are typically required.

Casual users who must view only their assigned default customization.

In the Shared section of the catalog, the user needs View permission to the following folders:

dashboard_name
_selections
_defaults

In the catalog, no additional permission settings are typically required.

D.5.4 Example Usage Scenario for Saved Customization Administration

Depending on the privileges set and the permissions granted, you can achieve various combinations of user and group rights for creating, assigning, and using saved customizations.

For example, suppose a group of power users cannot change dashboards in a production environment, but they are allowed to create saved customizations and assign them to other users as default customizations. The following permission settings for the group are required:

Open access to the dashboard, using the Catalog page.
Modify access to the _selections and _defaults subfolders within the dashboard folder in the Oracle BI Presentation Catalog, which you assign using the Dashboard Properties dialog in the Dashboard Builder. After selecting a page in the list in the dialog, click Specify Who Can Save Shared Customizations and Specify Who Can Assign Default Customizations.

D.6 Enabling Users to Act for Others

This section contains the following topics on enabling users to act for others:

Section D.6.1, "Why Enable Users to Act for Others?"
Section D.6.2, "What Are the Proxy Levels?"
Section D.6.3, "Process of Enabling Users to Act for Others"

D.6.1 Why Enable Users to Act for Others?

You can enable one user to act for another user in Oracle BI Presentation Services. When a user (called the proxy user) acts as another (called the target user), the proxy user can access the objects in the catalog for which the target user has permission.

Enabling a user to act for another is useful, for example, when a manager wants to delegate some of his work to one of his direct reports or when IT support staff wants to troubleshoot problems with another user's objects.

See Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition for information on how users enable others to act for them.

D.6.2 What Are the Proxy Levels?

When you enable a user to be a proxy user, you also assign an authority level (called the proxy level). The proxy level determines the privileges and permissions granted to the proxy user when accessing the catalog objects of the target user. The following list describes the proxy levels:

Restricted — Permissions are read-only to the objects to which the target user has access. Privileges are determined by the proxy user's account (not the target user's account).

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user cannot access Answers.
Full — Permissions and privileges are inherited from the target user's account.

For example, suppose a proxy user has not been assigned the Access to Answers privilege, and the target user has. When the proxy user is acting as the target user, the target user can access Answers.

When you have enabled a user to act as a proxy user, that user can display the Act As option in the global header of Presentation Services to select the target user to act as, provided the Act As Proxy privilege has been set.

Tip:

Before a proxy user can act as a target user, the target user must have signed into Presentation Services at least once and accessed a dashboard.

Note:

If you are a user who can be impersonated by a proxy user, you can see the users with the permission to proxy (Act As) you. To see these users, log in to Analytics, go to the My Account dialog box and display the extra tab called Delegate Users. This tab displays the users who can connect as you, and the permission they have when they connect as you (Restricted or Full).

D.6.3 Process of Enabling Users to Act for Others

To enable users to act for others, perform the following tasks:

Section D.6.3.1, "Defining the Association Between Proxy Users and Target Users"
Section D.6.3.2, "Creating Session Variables for Proxy Functionality"
Section D.6.3.3, "Modifying the Configuration File Settings for Proxy Functionality"
Section D.6.3.4, "Creating a Custom Message Template for Proxy Functionality"
Section D.6.3.5, "Assigning the Proxy Privilege"
Section D.6.3.6, "Assigning the manageRepositories Permission"

D.6.3.1 Defining the Association Between Proxy Users and Target Users

You define the association between proxy users and target users in the database by identifying, for each proxy user/target user association, the following:

ID of the proxy user
ID of the target user
Proxy level (either full or restricted)

For example, you might create a table called Proxies in the database that looks like this:

proxyId	targetId	proxyLevel
Ronald	Eduardo	full
Timothy	Tracy	restricted
Pavel	Natalie	full
William	Sonal	restricted
Maria	Imran	restricted

After you define the association between proxy users and target users, you must import the schema to the physical layer of the BI Server. For information on importing a schema, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

D.6.3.2 Creating Session Variables for Proxy Functionality

To authenticate proxy users, you must create the following two session variables along with their associated initialization blocks. For both variables, you must modify the sample SQL statement according to the schema of the database.

PROXY — Use this variable to store the name of the proxy user.

Use the initialization block named ProxyBlock and include code such as the following:
```
select targetId
from Proxies 
where 'VALUEOF(NQ_SESSION.RUNAS)'=targetId and ':USER'=proxyId
```
PROXYLEVEL — Use this optional variable to store the proxy level, either Restricted or Full. If you do not create the PROXYLEVEL variable, then the Restricted level is assumed.

Use the initialization block named ProxyLevel and include code such as the following:
```
select proxyLevel 
from Proxies 
where 'VALUEOF(NQ_SESSION.RUNAS)'=targetId and ':USER'=proxyId
```

For more information on creating session variables, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

D.6.3.3 Modifying the Configuration File Settings for Proxy Functionality

Use various elements in the instanceconfig.xml file to configure the proxy functionality.

Before you begin this procedure, ensure that you are familiar with the information in 'Using a Text Editor to Update Oracle Business Intelligence Configuration Settings' in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

To manually configure for proxy functionality:

Open the instanceconfig.xml file for editing, as described in 'Where are Configuration Files Located' in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
Locate the section in which you must add the elements that are described in the following list:
- LogonParam: Serves as the parent element for the TemplateMessageName and MaxValues elements.
- TemplateMessageName: Specifies the name of the custom message template in the Custom Messages folder that contains the SQL statement to perform tasks related to displaying proxy and target users. The default name is LogonParamSQLTemplate.
  
  The name that you specify in the TemplateMessageName element must match the name that you specify in the WebMessage element in the custom message file. For more information, see Section D.6.3.4, "Creating a Custom Message Template for Proxy Functionality."
- MaxValues: Specifies the maximum number of target users to be listed in the User box in the Act As dialog box. If the number of target users for a proxy user exceeds this value, then an edit box, where the proxy user can enter the ID of a target user, is shown rather than a list of target users. The default is 200.

Include the elements and their ancestor elements as appropriate, as shown in the following example:

<LogonParam>
     <TemplateMessageName>LogonParamSQLTemplate</TemplateMessageName>
     <MaxValues>100</MaxValues>
</LogonParam>

Save your changes and close the file.
Restart Oracle Business Intelligence.

D.6.3.4 Creating a Custom Message Template for Proxy Functionality

You must create a custom message template for the proxy functionality that contains the SQL statement to perform the following tasks:

Obtain the list of target users that a proxy user can act as. This list is displayed in the User box in the Act As dialog box.
Verify whether the proxy user can act as the target user.
Obtain the list of proxy users that can act as the target user. This list is displayed on the target user's My Account screen.

In the custom message template, you place the SQL statement to retrieve this information in the following XML elements:

Element	Description
getValues	Specifies the SQL statement to return the list of target users and corresponding proxy levels. The SQL statement must return either one or two columns, where the: First column returns the IDs of the target users (Optional) Second column returns the names of the target users
verifyValue	Specifies the SQL statement to verify if the current user can act as the specified target user. The SQL statement must return at least one row if the target user is valid or an empty table if the target user is invalid.
getDelegateUsers	Specifies the SQL statement to obtain the list of proxy users that can act as the current user and their corresponding proxy levels. The SQL statement must return either one or two columns, where the: First column returns the names of the proxy users (Optional) Second column returns the corresponding proxy levels

Element

Description

getValues

Specifies the SQL statement to return the list of target users and corresponding proxy levels.

The SQL statement must return either one or two columns, where the:

First column returns the IDs of the target users
(Optional) Second column returns the names of the target users

verifyValue

Specifies the SQL statement to verify if the current user can act as the specified target user.

The SQL statement must return at least one row if the target user is valid or an empty table if the target user is invalid.

getDelegateUsers

Specifies the SQL statement to obtain the list of proxy users that can act as the current user and their corresponding proxy levels.

The SQL statement must return either one or two columns, where the:

First column returns the names of the proxy users
(Optional) Second column returns the corresponding proxy levels

You can create the custom message template in one of the following files:

The original custom message file in the directory
A separate XML file in the directory

To create the custom message template:

To create the custom message template in the original custom message file:
1. Make a backup of the original custom message file in a separate directory.
2. Make a development copy in a different directory and open it in a text or XML editor.
To create the custom message template in a separate XML file, create and open the file in the ORACLE_INSTANCE\bifoundation\OracleBIPresentationServicesComponent\coreapplication_obipsn\analyticsRes\customMessages directory.
Start the custom message template by adding the WebMessage element's begin and end tags. For example:
```
<WebMessage name="LogonParamSQLTemplate">
</WebMessage>
```
Note:

The name that you specify in the WebMessage element must match the name that you specify in the TemplateMessageName element in the instanceconfig.xml file. For information, see Section D.6.3.3, "Modifying the Configuration File Settings for Proxy Functionality."
After the </WebMessage> tag:
1. Add the <XML> and </XML> tags
2. Between the <XML> and </XML> tags, add the <logonParam name="RUNAS"> and </logonParam> tags.
3. Between the <logonParam name="RUNAS"> and </logonParam> tags, add each of the following tags along with its corresponding SQL statements:
  - <getValues> and </getValues>
  - <verifyValue> and </verifyValue>
  - <getDelegateUsers> and </getDelegateUsers>
The following entry is an example:
```
<XML>
   <logonParam name="RUNAS">
     <getValues> EXECUTE PHYSICAL CONNECTION POOL Proxy.Proxy
        select TARGET from Proxy where PROXYER='@{USERID}'
     </getValues>
     <verifyValue> EXECUTE PHYSICAL CONNECTION POOL Proxy.Proxy
        select TARGET from Proxy where PROXYER ='@{USERID}'
             and TARGET='@{VALUE}'
     </verifyValue>
     <getDelegateUsers>EXECUTE PHYSICAL CONNECTION POOL Proxy.Proxy 
        select PROXYER, PROXY_LEVEL from Proxy where TARGET='@{USERID}'
     </getDelegateUsers>
   </logonParam>
</XML>
```
Note that you must modify the example SQL statement according to the schema of the database. In the example, the database and connection pool are both named Proxy, the proxyId is PROXYER, and the targetId is TARGET.
If you created the custom message template in the development copy of the original file, then replace the original file in the customMessages directory with the newly edited file.
Test the new file.
(Optional) If you created the custom message template in the development copy of the original file, then delete the backup and development copies.
Load the custom message template by either restarting the server or by clicking the Reload Files and Metadata link on the Presentation Services Administration screen. For information on the Administration page, see Section D.2.1, "Understanding the Administration Pages."

D.6.3.5 Assigning the Proxy Privilege

For each user whom you want to enable as a proxy user or for each application role or Catalog group whose members you want to enable as proxy users, you must grant the Act As Proxy privilege. For information on how to assign privileges, see Section D.2.3.2, "Setting Presentation Services Privileges for Application Roles."

D.6.3.6 Assigning the manageRepositories Permission

You must assign the manageRepositories permission to each user you want to allow to act as a proxy user. To assign the permission, create a group called Proxy and associate it with an application role called Proxy, and with an application policy called Proxy (granted the manageRepositories permission), and then add each user (who you want to be a proxy user), to the Proxy group. To achieve this aim, the following must be true:

A group must exist, or must be created (for example, named Proxy) .

For more information, see Section 2.3.3, "Creating a Group in the Embedded WebLogic LDAP Server."
An application role must exist, or must be created (for example, named Proxy), and be mapped to the group called Proxy.

For more information, see Section 2.4.2.2, "Creating an Application Role."
An application policy must exist, or must be created (for example, named Proxy), and the Proxy application role must be made a grantee of the manageRepositories permission, where:
- Permission Class
  
  oracle.security.jps.ResourcePermission
- Resource Name
  
  resourceType=oracle.bi.server.permission,resourceName=oracle.bi.server.manageRepositories
- Permission Actions
  
  _all_
For more information, see Section 2.4.3, "Creating Application Policies Using Fusion Middleware Control."
For each user you want to enable as a proxy user, you must add that user to the Proxy group.

For more information, see Section 2.3.4, "Assigning a User to a Group in the Embedded WebLogic LDAP Server."