Skip Headers
Oracle® Fusion Middleware Publishing Reports to the Web with Oracle Reports Services
11g Release 1 (11.1.1)

Part Number B32121-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

15.4 Authorization in Oracle Reports

If you are using JPS-based security, you can use either Oracle Internet Directory or JAZN-XML method for authorization. If you are using Portal-based security, the Portal-based authorization is used.

In the case of JPS-based security, an in-process server uses system-jazn-data.xml as the policy store, by default. Hence, Reports policies are stored in system-jazn-data.xml under the reports application entry. Users are authorized based on this policy store. For standalone servers, all the policies are stored in the system-jazn-data.xml file and authorization is done against these policies.

Note:

The authorization process involves checking whether a particular user is in the ID store used by JPS. If Single Sign-On is used for authentication, Ensure that the same users are configured in the ID store used by JPS. Alternatively, ensure that JPS points to the ID store used by Single Sign-On. Otherwise, authorization does not work.

The following table summarizes the supported authorization methods if Oracle Reports uses JPS-based security.

Table 15-5 Authorization Methods for JPS-Based Security

Types of Report Server Oracle Internet Directory File Based

In-process

Yes

Yes

Standalone

Yes

Yes


If Portal-based security is configured, the following authorization methods are used.

Table 15-6 Authorization Method for Portal-Based Security

Types of Report Server Authorization

In-process

Portal-based

Standalone

Portal-based


Note:

If Oracle Portal is configured to perform authorization, and the report request is launched from within Oracle Portal rather than rwservlet, Oracle Reports will similarly validate the user's privileges on the report before running it. Even for unauthenticated (PUBLIC) users viewing public pages, Oracle Reports Services verifies that the PUBLIC user account has appropriate privileges on the report.

15.4.1 Authorization Process

Authorization occurs after a user is authenticated using Single Sign-On or Non-SSO (Oracle Internet Directory-based, File-based in case of JPS-based security, and Embedded ID store) methods. Once the user is authenticated, the report request must go through the authorization process, as shown in Figure 15-4.

Figure 15-4 Authorization Process Flow

Description of Figure 15-4 follows
Description of "Figure 15-4 Authorization Process Flow"

The following numbered steps map to the numbers in Figure 15-5:

  1. Reports Server validates the user privileges against the policies defined in the Policy Store.

    Reports Server validates the user privileges against the policies defined in Policy Store (JAZN-XML, LDAP, or Portal repository) by the user.

    Reports Server checks whether the user has the necessary privileges to run the report on the parameters specified in the Policy Store. If the validation check fails for any reason, then an error condition is returned to the user and the process terminates.

    Note:

    If the user is executing rwservlet Web commands such as showjobs and getserverinfo, instead of executing a report, Reports Server verifies and authorizes the user based on Policy Store settings.

  2. If the user is authorized to execute the report, Reports Server executes the report request and passes the report output to rwservlet.

    Reports Server delegates the job to an engine that accesses the data source, retrieves the data, and formats the report.

  3. Report output is passed to Oracle HTTP Server.

  4. Report output is passed to the user.

    The completed output is sent to the specified destination. Depending upon the destination, the output may be served back to the browser (as shown in Figure 15-5), sent to a printer, stored in a file for future reference, sent to an FTP server, and so on.

15.4.2 Additional Step When Using JPS for Authorization

Reports policies are granted to application roles. You must associate all users in your ID store (embedded ID store of Oracle WebLogic Server or an external Oracle Internet Directory) with one of the Reports application roles.

You must add the oracle.security.jps.enterprise.user.class property in the jps-config-jse.xml file.

In Enterprise Manager, you can complete this task as follows:

  1. Navigate to the WebLogic Domain menu.

  2. Choose Security > Application Roles.

    The Application Roles page is displayed. In this page, you can map users to application roles.

Alternatively, you can complete this task by manually editing the $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml file. This step is required if you want to use JPS to authorize your users in Oracle Internet Directory.

Search for the "reports" application in the XML file and add a user in the members section. For example, to add a user called orcladmin, add:

<member>
<class>weblogic.security.principal.WLSUserImpl</class>
<name>orcladmin</name>
</member>

15.4.3 Defining Security Policies for Reports

Out-of-the-box, default users, roles, and permissions are already created. As administrator, you can specify the reports to which a particular user has access by defining a security policy for each report. In the security policy, you can also specify the server, destination name (desname), destination type (destype), and other parameters. The security policy is checked when the user provides the user name and password.

15.4.3.1 Defining Security Policies for JPS-Based Security

Refer to Section 7.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies.

15.4.3.2 Defining Security Policies for Portal-Based Security

For Portal-based security, you can create a security policy in Oracle Portal. For more information, see the "Securing Oracle Portal" in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal.

15.4.4 Defining Security Policies for Directories for JPS-Based Security

In certain cases, you will want to give a particular user access to multiple related reports. Rather than specify a security policy for each report, you can collect all the reports in a single directory, then specify a security policy for the directory. Again, the security policy is checked when the user provides the user name and password.

Refer to Section 7.8.3, "Defining Security Policies for Directories" to use Oracle Enterprise Manager to update the directory security policies.

15.4.5 Defining Security Policies for Web Commands for JPS-Based Security

You can also specify the Oracle Reports Servlet (rwservlet) Web commands to which a particular user/role has access by creating security policies for each Web command. The security policy is checked when the user provides the user name and password.

Refer to Section 7.8.4, "Defining Security Policies for Web Commands" to use Oracle Enterprise Manager to update the Web command security policies.

15.4.6 Defining Read/Write Access to Directories

As administrator, you can specify read/write access for Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime to directories. This feature only checks whether the Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime is authorized to read from or write to a specified directory, and is unrelated to the security policies for users/roles, which check the user name and password.

Refer to Section 7.8.5, "Defining Read/Write Access to Directories" to use Oracle Enterprise Manager to specify the read/write permissions defined in the server configuration file (rwserver.conf) under the new optional element folderAccess.

15.4.7 Searching Application Policies in Enterprise Manager

Application policies are the authorization policies that an application uses for controlling access to its resources. You can enter search keyword for principals or permissions to query application security grants. You can use an application stripe to search if the application uses a stripe that is differerent from the name of the application.

To search for application policies in Enterprise Manager, complete the following steps:

  1. Log in to Enterprise Manager.

  2. Navigate to the Reports Application home page.

  3. From the Reports menu, select Security > Application Policies.

    The Application Policies page is displayed.

  4. Check the Select Application Stripe to Search option .

  5. In the drop-down menu, select reports.

  6. In the Principal field, enter the name of the principal.

  7. In the Permissions field, enter the permissions.

  8. Click the right arrow button to search application security grants.

15.4.8 Searching Application Roles in Enterprise Manager

Application roles are the roles used by security-aware applications that are specific to the application. These roles are seeded by applications in WebLogic Domain policy store when the applications are registered.

To search for application roles in Enterprise Manager, complete the following steps:

  1. Log in to Enterprise Manager.

  2. Navigate to the Reports Application home page.

  3. From the Reports menu, select Security > Application Roles.

    The Application Roles page is displayed.

  4. Check the Select Application Stripe to Search option .

  5. In the drop-down menu, select reports.

  6. In the Role Name field, enter the name of the application role to search.

  7. Click the right arrow button to search application roles.