18 Configuring for Multiple Tenants

This chapter describes how to configure the Oracle Business Intelligence system for multitenancy. You can configure Oracle Business Intelligence on one environment that serves multiple client organizations, or tenants.

This chapter includes the following sections:

Note:

While many features of Oracle Business Intelligence are available to tenants, certain features are not available in a multitenant environment, as described in Section 18.1.3, "Features that Are Unavailable for Tenant Users."

18.1 Introduction to Multitenancy with Oracle Business Intelligence

This section provides a basic introduction to using multitenancy with Oracle Business Intelligence. It includes the following topics:

  • Section 18.1.1, "What is Multitenancy?"

  • Section 18.1.2, "What Types of Application Roles Are Required?"

  • Section 18.1.3, "Features that Are Unavailable for Tenant Users"

18.1.1 What is Multitenancy?

Multitenancy refers to a principle in software architecture where a single installation of the software runs on one server or clustered servers, serving multiple client organizations. With a multitenant architecture, each client organization operates independently of other organizations that share the same infrastructure. Multitenancy offers the ability to host multiple companies (even competitors) in one deployment without them knowing of each other.

18.1.2 What Types of Application Roles Are Required?

You can think of a tenant as a customer or a group of people. For example, you might configure a tenant called BankA and another tenant called BankB. You can have one or more overall administrators for all tenants and the overall Oracle Business Intelligence system. Each tenant has its own tenant consumers, tenant authors, and one or more Tenant Administrators. Tenant Administrators are restricted to certain tenant-specific administration tasks.

The following sections provide an overview of the types of application roles and users that are required in a multitenant environment. For more information, see "About Application Roles" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

18.1.2.1 BIGlobal Administrator Application Role

When Oracle Business Intelligence is not configured for multitenancy, the default installation includes the BIAdministrator application role. When Oracle Business Intelligence is configured for multitenancy, two administrative application roles are used. One role is for the overall global administrator (BI Global Administrator) and one is for the Tenant Administrator.

The BIGlobalAdministrator application role becomes a member of the original BIAdministrator role and inherits all of the BIAdministrator permissions and any permissions that are added specifically for global multitenancy administration tasks. A member of this role can maintain the Oracle Business Intelligence system as described in the other chapters of this guide and in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition. This administrator controls privileges for all tenants and can access the Presentation Services Administration page, Oracle BI Administration Tool, Job Manager, Catalog Manager, and all content. This administrator is not associated with a specific tenant.

Important:

Never map this privileged role to a user or group within a specific tenant.

Users who have been assigned the original BIAdministrator application role, but not the BIGlobalAdministrator role can still access the system, but lack the permissions to administer multitenant functionality.

BI Global Administrators must not have values set for the orclMTTenantGUID and orclMTTenantUName attributes that are described in Table 18-2. These administrators do need a unique orclMTUID attribute value, although this value should not have a tenant prefix.

18.1.2.2 Tenant Administrators

The BITenantAdministrator application role has no specific policy store permissions, but does have specific privileges that are granted in the Oracle BI Presentation Catalog for administering a tenant. This role enables users to perform self-service administration tasks on multitenant-enabled features for one tenant. These administrators cannot access the Presentation Services Administration page or the Privileges page. These administrators organize content for tenant users within the catalog by granting access to, creating, moving, and copying objects and folders.

18.1.2.3 Tenant End Users

End users in a multitenant environment are known as tenant users. These users have the same default application roles as in a non-multitenant environment, namely BIAuthor and BIConsumer. The relationship that links a tenant user to a tenant ID is managed through the Identity Store. For more information on end users, see Section 18.3.2, "Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment."

18.1.2.4 Comparing Application Roles

Figure 18-1 shows the application roles that are used with multitenancy in comparison to roles that are used in a non-multitenant environment. When configuring Oracle Business Intelligence for multitenancy, you create two application roles. The BIGlobalAdministrator role is a member of the BIAdministrator role. The BITenantAdministrator role is for tenant users to perform certain self-service administration tasks on their tenant information only.

Figure 18-1 Application Roles for Multitenancy


18.1.3 Features that Are Unavailable for Tenant Users

When you configure Oracle Business Intelligence for multitenancy, many features behave the same. The following list describes the features in Oracle Business Intelligence that are not available for tenant users:

  • For Tenant Administrators, the following features are not available. The BI Global Administrator can use these features.

    • Fusion Middleware Control (so no access to diagnostics, metrics, and system availability and capacity).

    • Essbase Components (including Essbase, Essbase Studio, and Essbase Administration Services).

      You can use Essbase as a data source in a multitenant environment if you apply the appropriate security. Tenant Administrators do not have access to any administrative tools for Essbase and related tools that are installed as part of Oracle Business Intelligence.

    • Oracle BI Administration Tool, Catalog Manager, and Job Manager.

    • Usage tracking and MapViewer.

  • For Tenant Authors and Consumers, the following features are not available:

    • Catalog groups, KPIs, scorecards, BI Mobile, BI Composer, Oracle BI for Microsoft Office, Act As functionality, and direct database requests.

    • Oracle RTD, BI Publisher, and Marketing Segmentation.

    • Full-text catalog search with Oracle SES and Oracle Endeca Server. The basic catalog search is available.

    • Oracle Essbase Components (including Financial Reporting, Calculation Manager, and Workspace).

      If you install the Oracle Essbase Suite and configure Oracle Business Intelligence for multitenancy, then the log files will contain errors about the Oracle Essbase Suite. You can ignore such errors in log files for a multitenant configuration.

For information on controlling features for tenants as part of the configuration process, see Section 18.5.4, "Making Features Unavailable in the Multitenant Environment."

18.2 How Oracle Business Intelligence Works when Configured for Multitenancy

Audience: BI Global Administrators

By default, Oracle Business Intelligence is not configured for multitenancy. When Oracle Business Intelligence is configured to support multiple tenants, the system uses a single Oracle BI Presentation Catalog and a single Oracle BI Server repository that is shared and read-only for tenant users. Each tenant user has a tenant GUID. Global Unique Identifiers (GUIDs) are assigned to tenant users to ensure that their identity within Oracle Business Intelligence is unique. This assignment helps the system handle name clashes and name changes. When users sign in, their view of the system is based on their tenant GUID. Tenant users are assigned session variables with their tenant GUID to use for connection pools and other purposes.

The following list describes features of a multitenant system:

  • You use application roles as part of a multitenant system. Tenant users are mapped to application roles through groups in the identity store.

    Application roles are shared across tenants, so you cannot have tenant-specific application roles. The BI Global Administrator can create an application role and assign a group (which can be a tenant-specific group) to the application role. Bear in mind that all tenants can see the name of this application role in certain dialogs, regardless of whether they are members of the group that is assigned to the role. The Tenant Administrator cannot create a new application role.

  • Any changes to configuration, such as the instanceconfig.xml file, apply to the entire system and are not tenant-specific. These changes include privileges in the catalog, skins, and front-end customizations.

  • Users of dashboards and analyses in a multitenant environment work with content specific to their tenant. For example, dashboard consumers create tenant-specific briefing books, bookmarks, and prompted links. The default properties for analyses and columns are specific to each tenant.

  • Agents are supported for tenants. Agents are only in the scope of that tenant. As you create an agent and add recipients from a list, you can select users and application roles, as described in the following list:

    • The list includes only recipient users that exist in your tenant.

    • The list includes application roles that are shared across all tenants. An agent that delivers to application roles delivers only to members of roles that share the same tenant as the creator of the agent.

18.3 Security Considerations when Configuring for Multitenancy

Audience: BI Global Administrators

Keep the security considerations that are described in the following sections in mind when configuring Oracle Business Intelligence for multitenancy:

  • Section 18.3.1, "Authentication and Authorization of Tenant Users Using Fusion Middleware Security"

  • Section 18.3.2, "Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment"

  • Section 18.3.3, "System Users in a Multitenant Environment"

  • Section 18.3.4, "UserID from SSO Must Match the orclMTUID Attribute Value"

18.3.1 Authentication and Authorization of Tenant Users Using Fusion Middleware Security

When configuring a multitenant environment, the authentication and authorization of tenant users can be performed only through Oracle Fusion Middleware security. This means that it is not possible to use initialization blocks for authentication and authorization of tenant users.

See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for a complete description of using Oracle Business Intelligence with Oracle Fusion Middleware security.

18.3.2 Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment

In a typical, non-multitenant deployment of Oracle Business Intelligence, users are stored in an identity store. Table 18-1 describes the identity store attributes that are mandatory for each user.

Table 18-1 Attributes for Non-Tenant Users

Typical Attribute Used (Configurable)   Attribute Description   Mandatory for Oracle Business Intelligence?
cn                                      User Name               Yes
orclGUID                                GUID                    Yes

In a multitenant deployment of Oracle Business Intelligence, each tenant user must also have the attributes that are described in Table 18-2 populated and available from the identity store. Oracle Business Intelligence does not provide tools for adding these attributes to the identity store. You must consult with the administrator of the identity store for assistance in adding these attributes, using a method that is appropriate for the type of identity store in the deployment.

Table 18-2 Attributes for Tenant Users

Attribute Name      Description                                                       Mandatory for Tenant Users?
orclMTUID           The globally unique user identifier. This attribute holds the     Yes
                    user name prefixed with the tenant name, such as
                    tenantname.username. You must ensure that each identifier is
                    unique.
orclMTTenantGUID    The globally unique identifier for the tenant.                    Yes
orclMTTenantUName   The name of the tenant.                                           No

When configuring an authenticator in a multitenant-enabled environment, you must ensure that the base DN for users and the base DN for groups are common across all tenants. Additionally, the orclMTUID attribute must be used as the User Name attribute. See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for details on configuring authenticators.

The same authenticators are supported as outlined in the certification matrix for Oracle Business Intelligence; but in each case, the additional user attributes must be available or added. Oracle does not provide functionality for extending the LDAP schema to the built-in LDAP for WebLogic Server. Therefore, you must configure an alternative identity store as part of configuring Oracle Business Intelligence for multitenancy. For information on the certification matrix, see Section 1.8, "System Requirements and Certification."

18.3.3 System Users in a Multitenant Environment

The system accounts and those accounts that are used for overall tenant-wide administration of Oracle Business Intelligence operate in the same way as they do in a non-multitenant environment. Specifically, these accounts are the OracleSystemUser and the BISystemUser. These users must not have values set for the tenant-related attributes that are described in Table 18-2. One exception is if these users are authenticated using the same authenticator as the tenant users. In this case, the orclMTUID attribute must be populated using the user name without a tenant prefix.

See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for complete information on BISystemUser.

18.3.4 UserID from SSO Must Match the orclMTUID Attribute Value

In a multitenant environment, because the authenticators are configured to use the orclMTUID attribute as the User Name (as described in Table 18-2), the UserID that is derived from any certified approach to SSO must match a valid orclMTUID value from the identity store. The UserID that comes from the SSO product must be a globally unique identifier for the user and typically has the form such as "tenantname.username".

For information on configuring SSO, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.
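The attribute rules from Sections 18.1.2.1, 18.3.2, 18.3.3 and 18.3.4 can be checked before tenants are provisioned. The following script is an added example written for this chapter, not an Oracle tool: it validates constructed identity-store entries against those rules and shows why an SSO-asserted UserID must resolve to exactly one orclMTUID. The "kind" key and the first-dot split of orclMTUID are assumptions of the example.

```python
"""Checks on multitenant identity-store entries (constructed example, not Oracle tooling).

Rules encoded, from this chapter:
  - tenant users carry orclMTUID in the form tenantname.username and orclMTTenantGUID;
    orclMTTenantUName is optional but, when set, is the prefix of orclMTUID (Table 18-2);
  - BI Global Administrators and the system users have no orclMTTenantGUID or
    orclMTTenantUName, and their orclMTUID has no tenant prefix (18.1.2.1, 18.3.3);
  - orclMTUID is unique, and the UserID asserted by SSO must match exactly one
    orclMTUID (18.3.4).
Assumptions: the first '.' in orclMTUID separates tenant name from user name, and the
'kind' key is bookkeeping for this example, not a directory attribute.
"""
from typing import Dict, List, Optional

Entry = Dict[str, str]
TENANT_ATTRS = ("orclMTTenantGUID", "orclMTTenantUName")


def check_tenant_user(e: Entry) -> List[str]:
    """Problems with an entry that should be a tenant author, consumer or administrator."""
    problems = []
    uid = e.get("orclMTUID", "")
    tenant, sep, user = uid.partition(".")
    if not uid:
        problems.append("missing orclMTUID")
    elif not (tenant and sep and user):
        problems.append("orclMTUID %r is not of the form tenantname.username" % uid)
    if not e.get("orclMTTenantGUID"):
        problems.append("missing orclMTTenantGUID")
    uname = e.get("orclMTTenantUName")
    if uname and uid and uname != tenant:
        problems.append("orclMTTenantUName %r does not match the orclMTUID prefix" % uname)
    return problems


def check_untenanted_account(e: Entry, require_uid: bool) -> List[str]:
    """Problems with a BI Global Administrator or system user entry.

    require_uid is True for global administrators, and for system users only when they
    are authenticated by the same authenticator as the tenant users (Section 18.3.3).
    """
    problems = [a + " must not be set on an untenanted account" for a in TENANT_ATTRS if e.get(a)]
    uid = e.get("orclMTUID", "")
    if require_uid and not uid:
        problems.append("missing orclMTUID")
    elif "." in uid:
        problems.append("orclMTUID %r carries a tenant prefix" % uid)
    return problems


def validate(entries: List[Entry], shared_authenticator: bool = True) -> Dict[str, List[str]]:
    """Map cn -> problems for every entry that has any, including duplicate orclMTUIDs."""
    report: Dict[str, List[str]] = {}
    by_uid: Dict[str, List[str]] = {}
    for e in entries:
        if e["kind"] == "tenant":
            problems = check_tenant_user(e)
        else:
            problems = check_untenanted_account(
                e, require_uid=(e["kind"] == "global_admin" or shared_authenticator))
        if problems:
            report[e["cn"]] = problems
        if e.get("orclMTUID"):
            by_uid.setdefault(e["orclMTUID"], []).append(e["cn"])
    for uid, cns in by_uid.items():
        for cn in (cns if len(cns) > 1 else []):
            others = ", ".join(c for c in cns if c != cn)
            report.setdefault(cn, []).append("orclMTUID %r is also used by %s" % (uid, others))
    return report


def resolve_sso_userid(userid: str, entries: List[Entry]) -> Optional[Entry]:
    """The entry an SSO-asserted UserID maps to; None if it matches no, or several, orclMTUIDs."""
    matches = [e for e in entries if e.get("orclMTUID") == userid]
    return matches[0] if len(matches) == 1 else None


# Constructed entries; the values are placeholders, not from any real identity store.
ENTRIES: List[Entry] = [
    {"kind": "tenant", "cn": "user1", "orclGUID": "g-a1", "orclMTUID": "acme.user1",
     "orclMTTenantGUID": "4f2a-acme", "orclMTTenantUName": "acme"},
    {"kind": "tenant", "cn": "user2", "orclGUID": "g-b1", "orclMTUID": "user2",
     "orclMTTenantGUID": "9c77-bankb"},                           # no tenant prefix
    {"kind": "tenant", "cn": "user3", "orclGUID": "g-b2", "orclMTUID": "bankb.user3",
     "orclMTTenantUName": "bankb"},                               # no tenant GUID
    {"kind": "global_admin", "cn": "weblogic", "orclGUID": "g-g1", "orclMTUID": "weblogic"},
    {"kind": "global_admin", "cn": "biadmin2", "orclGUID": "g-g2", "orclMTUID": "acme.biadmin2",
     "orclMTTenantGUID": "4f2a-acme"},                            # wrongly tenanted admin
    {"kind": "system", "cn": "BISystemUser", "orclGUID": "g-s1", "orclMTUID": "BISystemUser"},
    {"kind": "tenant", "cn": "user9", "orclGUID": "g-a2", "orclMTUID": "acme.user1",
     "orclMTTenantGUID": "4f2a-acme"},                            # duplicate orclMTUID
]

if __name__ == "__main__":
    for cn, problems in sorted(validate(ENTRIES).items()):
        print(cn, "->", "; ".join(problems))
```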

18.4 Securing Catalog Objects for Tenants

Audience: BI Global Administrators

Tenant users are limited to working with catalog objects that are created as part of their tenant. In addition to their own tenant folders, they typically have read-only access to a shared area. For example, if you want to make a standard set of reports available, you can do this in a shared area. Alternatively, you can copy standard reports to each tenant folder.

The content in the Oracle BI Presentation Catalog is shared across tenants. The catalog is striped for each tenant so that tenant users see their own virtualized view of their catalog content. Users of one tenant cannot access content that is owned by users of other tenants. Application roles are not striped per tenant.

Top-level tenant folders are striped based on the tenant ID. The advantage of dividing the catalog by tenant ID is that security is scaled efficiently across all tenants. Tenant users are directed to their own catalog folders using the tenant ID that they are assigned when they log in. This process does not require you to provision any tenant-specific permissions.

In a multitenant environment, the catalog includes a "tenants" folder that stores all tenant-specific folders. The "tenants" folder is at the same level as the "shared," "users," and "system" folders, as shown in the following example:

/root
    /shared
    /system
    /users
    /tenants
        /acme
            /users
                /acme.user1
            /acme_reports
            /company_shared
            /devices
            /subjectarea
            /system

Note the following about the catalog structure:

  • /root/shared: All tenant users have read-only access. The BI Global Administrator has full access.

  • /root/users: Only BI Global Administrators (that is, users without a tenant ID) are created in this folder.

  • /tenants/../../system: This folder contains tenant-specific system files such as those used for formatting and devices.

  • /tenants/../../company_shared: This folder contains company-specific shared files, which are different from the files in the /root/shared folder. All users that belong to the appropriate tenant can access this shared folder. Users from other tenants can neither see nor access the company_shared folders of other tenants. The shared space is virtualized for each tenant.

  • /tenants/users: This folder contains all users for a tenant and is displayed as "My Folders" on the Catalog page. Tenanted users cannot access the /root/users folder.

Catalog groups are not supported for tenants, so the Presentation Services Administration page provides no tenant access to catalog groups. Ensure that you do not enable such access. The Admin View is not available on the Catalog page for tenant users.

18.5 Configuring the System for Multitenancy

Audience: BI Global Administrators

This section describes the post-installation tasks for configuring the Oracle Business Intelligence system for multiple tenants. These tasks and the sections in this chapter assume that you have a fresh installation of Oracle Business Intelligence and have not changed the default identity store configuration, policy store, or permissions for the Oracle BI Presentation Catalog.

To configure the system for multitenancy:

  1. Stop the Oracle Business Intelligence system.

    For information, see Chapter 4, "Starting and Stopping Oracle Business Intelligence."

  2. Enable multitenancy, as described in Section 18.5.1, "Enabling the System for Multitenancy."

    Note:

    Do not log in to the system as a tenant user until you have completed the tenant provisioning task in this procedure.

  3. Configure the identity store by performing the following steps:

    1. Add the multitenancy attributes to the schema, as described in Section 18.3.2, "Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment."

    2. Populate the identity store with users and groups for the system users, administrative users, and tenant users as described in Section 18.3.3, "System Users in a Multitenant Environment."

  4. Configure the appropriate application roles and users, as described in Section 18.5.2, "Configuring Application Roles and Users."

  5. Configure data sources, as described in Section 18.5.3, "Configuring Data Sources for Tenants."

  6. Disable features of Oracle Business Intelligence that are unavailable in a multitenant environment, as described in Section 18.5.4, "Making Features Unavailable in the Multitenant Environment."

  7. Optionally configure Single Sign-On (SSO) as described in Section 18.3.4, "UserID from SSO Must Match the orclMTUID Attribute Value."

  8. Upgrade the catalog, as described in "Upgrade the Oracle BI Repository and Catalog" in Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.

  9. Provision tenants, as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants."

  10. Restart the Oracle Business Intelligence system.

  11. Log in to Presentation Services as BIGlobalAdministrator, BIAuthor, and BIConsumer in turn, and verify that each user has access to the appropriate features as outlined in Section 18.1.3, "Features that Are Unavailable for Tenant Users."

  12. Log into Presentation Services and in the catalog, grant the BITenantAdministrator full access to the company_shared folder.

    Log into Presentation Services as BITenantAdministrator and create a directory under the company_shared directory.

  13. Verify that directories for tenant users exist under the following directory:

    ORACLE_HOME/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/SampleAppLite/root/tenants

    For example, with two tenants the directory contains:

    /tenant1/users
    /tenant2/users

    Verify that the appropriate number of directories exist based on the number of tenants.

18.5.1 Enabling the System for Multitenancy

To enable the options for multitenancy, you must add a system property and include the appropriate attribute or element, as described in the following procedure.

To enable the use of multitenancy:

  1. Manually add the system property oracle.multitenant.enabled=true to MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh on UNIX and .cmd on Windows using the syntax appropriate for the platform. Enter it after the EXTRA_JAVA_PROPERTIES line, as shown in the following example for the Windows platform:

    set JAVA_PROPERTIES=%JAVA_PROPERTIES% %EXTRA_JAVA_PROPERTIES%
    set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Doracle.multitenant.enabled=true

  2. If you use Oracle Business Intelligence 11g (Release 11.1.1.7.1 or later), then use the Fusion Middleware Control MBean Browser for the attribute. In the browser, set the MultipleTenantsEnabled attribute to true for the biee.admin MBean.

    See Section 3.5, "Using the Fusion Middleware Control MBean Browser to Update Configuration Settings."

  3. If you use Oracle Business Intelligence 11g (Release 11.1.1.7.0), then perform the following steps to include the element for multitenancy:

    1. Open the instanceconfig.xml file for editing, as described in Section 3.6, "Where Are Configuration Files Located?"

    2. Locate the Catalog section in which you must manually add the EnableMultiTenancy element.

      The EnableMultiTenancy element is not included in the instanceconfig.xml file by default, and its default value is false. If you do not include it and set it to true, then the options for multitenancy are not available.

    3. Include the EnableMultiTenancy element within the Catalog element, as shown in the following example. The Catalog element likely includes other elements within it.

      <Catalog>
          <EnableMultiTenancy>true</EnableMultiTenancy>
      </Catalog>

    4. Save your changes and close the file.

  4. Restart Oracle Business Intelligence.

    Note:

    Ensure that you restart Oracle Business Intelligence at this point. You must restart Oracle Business Intelligence to ensure that the changes that you have made to enable multitenancy take effect and that directories for tenant users are created at the correct locations.

18.5.2 Configuring Application Roles and Users

You must configure the appropriate application roles and users for the multitenant system, as described in the following sections:

  • Section 18.5.2.1, "Configuring the BI Global Administrator"

  • Section 18.5.2.2, "Configuring the Tenant Administrator Application Role"

  • Section 18.5.2.3, "Configuring Tenant Users"

18.5.2.1 Configuring the BI Global Administrator

You must configure the BI Global Administrator to manage a multitenant system. Perform the following procedure for overall system administrators, and not for tenant administrators.

To configure the BI Global Administrator:

  1. Create an application role called BIGlobalAdministrator.

  2. Grant the following permission to the application role so that the administrator can manage all tenants:

    resourceType=oracle.bi.multitenancy.permission,resourceName=oracle.bi.administerTenant
    Action = _all_

    This permission enables the BI Global Administrator to access the Administration page in Presentation Services, to access the Admin view on the Catalog page, and to call multitenant web services (as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants" and Section 18.6.3, "Archiving Content for Tenants.")

  3. Make this application role a member of BIAdministrator.

  4. Restart OPMN and the Oracle BI Presentation Services.

    For information, see "Starting and Stopping Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

18.5.2.2 Configuring the Tenant Administrator Application Role

The BI Global Administrator must configure the administrator for each tenant. To do so, map the relevant users and groups to an application role called BITenantAdministrator. This application role does not have any permissions granted to it in the policy store, but it does have specific privileges for the Oracle BI Presentation Catalog.

To configure the Tenant Administrator application role:

  1. Create an application role called BITenantAdministrator.

  2. Ensure the following:

    • That you grant no permissions to the BITenantAdministrator role.

    • That no tenant users are assigned the BIAdministrator or BIGlobalAdministrator roles.

  3. Optionally, in the policy store, make the BITenantAdministrator role a member of the BIAuthor application role so that the Tenant Administrator can create folders and perform related tasks.

  4. Each time that you provision a new tenant and add new users to the Identity Store for the new tenant, map specific users or groups to this application role to provision specific tenant users with administrative permissions for their tenant.

18.5.2.3 Configuring Tenant Users

You can configure Tenant Consumers and Tenant Authors (who create content). Bear the following points in mind as you create these users:

  • All authenticated users must have an active entry in the identity store.

  • Tenant Consumers and Tenant Authors must have values for the attributes that are described in Table 18-2.

  • Tenant Consumers must have their identity store group mapped to the BIConsumer application role to view Oracle Business Intelligence content.

  • Tenant Authors must have their identity group mapped to the BIAuthor application role to create and modify content.

18.5.3 Configuring Data Sources for Tenants

In a multitenant environment, you must segregate the following on a per-tenant basis: data access and the cache for the BI Server. You must also control database resources. This section contains the following topics:

  • Section 18.5.3.1, "Controlling Database Resources"

  • Section 18.5.3.2, "Applying Tenant-Specific Data Security"

  • Section 18.5.3.3, "Setting Tenant-Specific Query Limits"

18.5.3.1 Controlling Database Resources

You want to have a level of control over the database resources to ensure that a tenant user has access only to the data that is appropriate for that user. Although a single Oracle BI repository is shared across all tenants, you can use a session variable to identify which tenant a user belongs to. In a multitenant environment, this session variable is populated whenever a tenant user logs into Oracle Business Intelligence. This session variable is called TENANTGUID and is populated automatically with the value from the orclMTTenantGUID attribute for the tenant user as described in Section 18.3, "Security Considerations when Configuring for Multitenancy." This value is the unique tenant identifier. In the repository, you can use this session variable for security filters, with connection pool configuration, and for segregating the BI Server cache by tenant.

18.5.3.2 Applying Tenant-Specific Data Security

In a multitenant environment, the single Oracle BI repository is shared and read-only for all tenant users. Only the BI Global Administrator can modify the repository and connection pools for the data source. Because of the single repository, all tenants access data through one connection pool. You can use one of the following techniques to ensure that tenant users have access only to their own tenant data, based on the data source:

  • Section 18.5.3.2.1, "Technique 1: Segregating Data Using One Schema Per Tenant for Oracle Database and SQL Server"

  • Section 18.5.3.2.2, "Technique 2: Using a BI Server Data Filter with the TENANTGUID Variable for Relational Data Source"

  • Section 18.5.3.2.3, "Technique 3: Using VPD in the Data Source to Apply Data Security for Oracle Database and Oracle Essbase"

18.5.3.2.1 Technique 1: Segregating Data Using One Schema Per Tenant for Oracle Database and SQL Server

With this technique, when a tenant user runs a query, the TENANTGUID variable is used either directly or indirectly to determine the schema that the query references. Consequently, a tenant user sees data only from the schema of that user's tenant.

Use this technique when the Oracle Database is the data source type. A variation on this technique also works for SQL Server using a parameterized connection string to SQL Server. For information, see the description of Data source name in "Common Connection Pool Properties in the General Tab" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

  1. Each tenant has its own schema in the database and each schema is identical in shape (but not data).

  2. A single connection pool is configured using a session variable as a parameter to represent the schema name.

  3. The password for each schema is the same for all schemas and is used in the connection pool configuration.

  4. The user name for each schema is either the same as the TENANTGUID value for each tenant, or one or more session variables are configured to derive the schema name (and optionally other connection details other than the password) based on the TENANTGUID value.

18.5.3.2.2 Technique 2: Using a BI Server Data Filter with the TENANTGUID Variable for Relational Data Source

Use this technique for relational data sources and only if it is feasible to add the TENANTGUID column to each source table.

  1. All tenant data is in the same schema, but each table includes a column that stores the TENANTGUID value for each row of data.

  2. Each logical query must apply a security filter for Oracle Business Intelligence to constrain data based on the rows where the TENANTGUID column value matches the TENANTGUID session variable.

    1. All tenant users must be members of a single application role, such as BIConsumer.

    2. A BI Server data filter must be applied to this application role as follows:

      <column that contains TENANTGUID value> = 'valueof(NQ_SESSION.TENANTGUID)'

18.5.3.2.3 Technique 3: Using VPD in the Data Source to Apply Data Security for Oracle Database and Oracle Essbase

You can configure Oracle Business Intelligence to respect VPD-type data security for the Oracle Database or Essbase.

  1. Configure the data source to apply data security such that tenant users see data only for their tenant.

    This step is specific to the data source type:

18.5.3.3 Setting Tenant-Specific Query Limits

To facilitate tenant-specific query limits being applied across all database objects that are defined in the Oracle BI repository, you can use two session variables: OBIS_DB_MAXROWS and OBIS_DB_MAXEXECTIME. These variables are optional, but if you set them, then they override the values that the BI Server obtains for maximum rows and maximum execution time from the permissions that are assigned to application roles or users in the repository.

You set these variables as you set any other session variables in Oracle Business Intelligence. For example, you can set them using an initialization block that finds a value from a database table based on the TENANTGUID value. For information on setting session variables, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
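The following simulation ties together the TENANTGUID session variable from Section 18.5.3.1, the Technique 2 data filter from Section 18.5.3.2.2, and the OBIS_DB_MAXROWS limit from this section. It is an added example using sqlite3, not Oracle BI Server code: the identity-store data, the sales and tenant_limits tables, and the choice to refuse a session that has no TENANTGUID are all assumptions of the example.

```python
"""Technique 2 and the tenant query limits worked through with sqlite3.

This is a constructed simulation, not Oracle BI Server code. One schema holds every
tenant's rows and each table carries a TENANTGUID column; at sign-in the session
variable TENANTGUID is populated from the user's orclMTTenantGUID attribute
(Section 18.5.3.1), and OBIS_DB_MAXROWS is looked up per tenant the way an
initialization block keyed on TENANTGUID would be (Section 18.5.3.3). The role data
filter from Section 18.5.3.2.2,
    <column that contains TENANTGUID value> = 'valueof(NQ_SESSION.TENANTGUID)'
is applied here as a parameterised predicate; the real BI Server substitutes the
session value into the filter itself.
"""
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed identity-store data: the BI Server derives TENANTGUID from orclMTTenantGUID.
IDENTITY_STORE = {
    "acme.user1":  {"orclMTTenantGUID": "4f2a-acme"},
    "bankb.user3": {"orclMTTenantGUID": "9c77-bankb"},
    "weblogic":    {},  # BI Global Administrator: no tenant attributes
}


def build_db() -> sqlite3.Connection:
    """One shared schema; every row is tagged with its tenant (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (tenantguid TEXT NOT NULL, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", [
        ("4f2a-acme", "east", 100), ("4f2a-acme", "west", 250), ("4f2a-acme", "south", 75),
        ("9c77-bankb", "east", 999), ("9c77-bankb", "north", 42),
    ])
    # Per-tenant limits that an initialization block would read (table name is an assumption).
    conn.execute("CREATE TABLE tenant_limits (tenantguid TEXT PRIMARY KEY, max_rows INTEGER)")
    conn.executemany("INSERT INTO tenant_limits VALUES (?, ?)",
                     [("4f2a-acme", 2), ("9c77-bankb", 100)])
    return conn


def start_session(conn: sqlite3.Connection, orcl_mt_uid: str) -> Dict[str, str]:
    """Populate session variables at sign-in: TENANTGUID first, then the limit lookup."""
    session = {"USER": orcl_mt_uid}
    entry = IDENTITY_STORE[orcl_mt_uid]
    if "orclMTTenantGUID" in entry:
        session["TENANTGUID"] = entry["orclMTTenantGUID"]
        # Initialization block: the limit row for this tenant, selected by TENANTGUID.
        row = conn.execute("SELECT max_rows FROM tenant_limits WHERE tenantguid = ?",
                           (session["TENANTGUID"],)).fetchone()
        if row is not None:
            session["OBIS_DB_MAXROWS"] = str(row[0])
    return session


def tenant_query(conn: sqlite3.Connection, session: Dict[str, str],
                 region: Optional[str] = None) -> List[Tuple[str, int]]:
    """Run a logical query for the session with the role data filter and row limit applied.

    Two choices made by this simulation rather than stated by the chapter: a session
    without TENANTGUID is refused instead of being served unfiltered, and the row
    limit is applied as a LIMIT clause.
    """
    if "TENANTGUID" not in session:
        raise PermissionError("no TENANTGUID in session: tenant data filter cannot be applied")
    sql = "SELECT region, amount FROM sales WHERE tenantguid = ?"   # the role data filter
    params: List[object] = [session["TENANTGUID"]]
    if region is not None:                                          # the query's own filter
        sql += " AND region = ?"
        params.append(region)
    sql += " ORDER BY region"
    if "OBIS_DB_MAXROWS" in session:
        sql += " LIMIT ?"
        params.append(int(session["OBIS_DB_MAXROWS"]))
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    for uid in ("acme.user1", "bankb.user3"):
        print(uid, tenant_query(db, start_session(db, uid)))
```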

18.5.4 Making Features Unavailable in the Multitenant Environment

Section 18.1.3, "Features that Are Unavailable for Tenant Users" describes the features that are not used with multitenancy. You must manually ensure that tenant users cannot access these features, as described in the following procedure.

To make features unavailable in a multitenant environment:

  1. Log in to Presentation Services as a member of the BIGlobalAdministrator role.

  2. Revoke all privileges for Tenant Author except for the following ones, as described in "Managing Presentation Services Privileges" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition:

    Access to Answers
    Access to Delivers
    Access to Metadata Dictionary
    Create Invoke Actions
    Change Permissions
    Manage Dashboards
    Add To or Edit a Briefing Book
    See Hidden Items
    Create Folders
    Perform Global Search
    Create Conditions
    Create Views
    Create Prompts
    Edit Column Formulas
    Enter XML and Logical SQL
    Create Advanced Filters and Set Operations
    Save Filters
    Create Agents
    Publish Agents for Subscription
    Chain Agents
    Subject Area Access as appropriate
    Add/Edit Column SelectorView
    Add/Edit Compound LayoutView
    Add/Edit GraphView
    Add/Edit FunnelView
    Add/Edit GaugeView
    Add/Edit Micro Chart View
    Add/Edit FiltersView
    Add/Edit Dashboard PromptView
    Add/Edit Performance TileView
    Add/Edit Static TextView
    Add/Edit LegendView
    Add/Edit NarrativeView
    Add/Edit No ResultsView
    Add/Edit Pivot TableView
    Add/Edit Report PromptView
    Add/Edit Selection StepsView
    Add/Edit TableView
    Add/Edit TickerView
    Add/Edit TitleView
    Add/Edit TrellisView
    Add/Edit View SelectorView
    
  3. Grant the following privilege for Tenant Authors to create agents and add recipients:

    User Population - Can List Application Roles

    If you do not grant this privilege, then users see an error message when clicking the Recipient tab while working with agents.

  4. Revoke all privileges for Tenant Consumer except for the following ones:

    Access to Dashboards
    Access to Briefing Books
    Catalog Preview Pane UI
    Access to Export
    Create Navigate Actions
    See SQL issued in errors
    User Population - Can List Users
    User Population - Can List Application Roles
    Access to Permissions Dialog
    Download Briefing Book
    Add to snapshot briefing book
    Personal Storage (My Folders and My Dashboard)
    Save Customizations
    Create Bookmark Links
    Create Prompted Links
    Export Entire Dashboard To Excel
    Export Single Dashboard Page To Excel
    Access Home Page
    Access Catalog UI
    Access Catalog Search UI
    Simple Search Field
    Advanced Search Link
    Open Menu
    New Menu
    Help Menu
    Dashboards Menu
    Favorites Menu
    My Account Link
    Custom Links
    Access to My Account
    Change Preferences
    Change Delivery Options
    Access to RSS Feeds
    
  5. Grant the following privileges for Tenant Administrators:

    Deliver Agents to Specific or Dynamically Determined Users
    Modify Current Subscriptions for Agents
    
  6. Grant all SOAP privileges to the BI Global Administrator so that this administrator can perform web service tasks such as provisioning and unprovisioning tenants and archiving content.

  7. Ensure that in the policy store, a tenant user does not have any of the grants that are given by default to the BIConsumer and BIAuthor roles.

  8. When you have modified these privileges, ensure that no other administrator changes the settings.

18.6 Managing Tenants

Audience: BI Global Administrators

You can perform the following tasks to manage tenants:

18.6.1 Provisioning and Unprovisioning Tenants

This section contains the following information on provisioning tenants:

18.6.1.1 About Provisioning and Unprovisioning Tenants

You can provision new tenants or unprovision existing tenants at any time. When you provision a tenant, you configure the catalog for the tenant. Shared folders and tenant-specific folders are created in the catalog. When you unprovision a tenant, its folders are deleted from the catalog. Provisioning and unprovisioning tenants does not modify the identity store or policy store configuration.

For example, you can provision certain companies if they sign a contract with your organization. Suppose that TenantA is provisioned. The home folders for TenantA's users are included in the /tenants/TenantA/users folder. These inclusions are completely transparent to the TenantA users. Tenants see the /shared folder if they have the permissions to see it, but they see only the tenant folder for their particular tenant ID.

18.6.1.2 Tools for Provisioning and Unprovisioning Tenants

The following sections describe the tools for provisioning and unprovisioning tenants:

18.6.1.2.1 Using Menu Options in Catalog Manager

You can use menu options in Catalog Manager to provision and unprovision tenants when the catalog is open in offline mode. From the Tools menu in Catalog Manager, select Multi-Tenancy, then either Provision Tenant or Unprovision Tenant.

To verify that tenants have been provisioned properly, you can check the root directory for the catalog to confirm that it contains a subdirectory called tenants. The following example shows the tenants subdirectory under the root folder for the SampleAppLite application:

ORACLE_HOME/instances/instance1/bifoundation/OracleBIPresentationServicesComponent/coreapplication_obips1/catalog/SampleAppLite/root/tenants

18.6.1.2.2 Using Methods in the Web Service

When the catalog is open in online mode, you can provision or unprovision tenants using the web service only if you have the BIGlobalAdministrator role, as described in Section 18.5.2, "Configuring Application Roles and Users."

With this role, you can use a suitable web service client to obtain a BI Session ID in online mode. You then use the session-based SOAP web service called MultiTenancyManagementService to manage objects in the catalog and artifacts in Oracle BI Presentation Services in a multitenant system. You access the WSDL for the web service at the following location:

http://managed-server-host-name:port-number/analytics/saw.dll/wsdl/v8

Use the following methods for provisioning and unprovisioning tenants:

MultiTenancyManagementService.provisionTenant( ListOFTenantGUIDs, sessionID)

MultiTenancyManagementService.unprovisionTenant( ListOFTenantGUIDs, sessionID)

See Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition for complete details on using web services with Oracle Business Intelligence.

18.6.2 Removing Tenants

If you no longer need a tenant in a multitenant system, then you can remove the tenant and its content as described in the following procedure. This procedure removes the user folders for tenant users.

To remove a tenant:

  1. Remove the folders for the tenant by unprovisioning the tenant in the Catalog Manager, as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants."

  2. Remove the tenant identities in the identity store.

  3. Remove the data sources for the tenant.

18.6.3 Archiving Content for Tenants

You can archive and unarchive objects and folders that belong to a tenant. If you have the following permission:

oracle.bi.multitenancy.permission,resourceName=oracle.bi.administerTenant

then you can use a suitable web service client to obtain a BI Session ID and call the methods in the MultiTenancyManagementService web service as follows:

MultiTenancyManagementService.archiveTenant(ListOFTenantGUIDs, sessionID)

MultiTenancyManagementService.unarchiveTenant(ListOFTenantGUIDs, sessionID)

18.7 Troubleshooting a Multitenant Environment

Audience: BI Global Administrators and Tenant Administrators

If you try to add a tenant and see the error "Path not found," then ensure that the Oracle BI Presentation Catalog is upgraded to the latest version.