Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition
11g Release 1 (11.1.1)
Part Number E10541-06
This chapter describes how to configure the Oracle Business Intelligence system for multitenancy. You can configure Oracle Business Intelligence on one environment that serves multiple client organizations, or tenants.
This chapter includes the following sections:
While many features of Oracle Business Intelligence are available to tenants, certain features are not available in a multitenant environment, as described in Section 18.1.3, "Features that Are Unavailable for Tenant Users."
This section provides a basic introduction to using multitenancy with Oracle Business Intelligence. It includes the following topics:
Multitenancy refers to a principle in software architecture where a single installation of the software runs on one server or clustered servers, serving multiple client organizations. With a multitenant architecture, each client organization operates independently of other organizations that share the same infrastructure. Multitenancy offers the ability to host multiple companies (even competitors) in one deployment without them knowing of each other.
You can think of a tenant as a customer or a group of people. For example, you might configure a tenant called BankA and another tenant called BankB. You can have one or more overall administrators for all tenants and the overall Oracle Business Intelligence system. Each tenant has its own tenant consumers, tenant authors, and one or more Tenant Administrators. Tenant Administrators are restricted to certain tenant-specific administration tasks.
The following sections provide an overview of the types of application roles and users that are required in a multitenant environment. For more information, see "About Application Roles" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.
When Oracle Business Intelligence is not configured for multitenancy, the default installation includes the BIAdministrator application role. When Oracle Business Intelligence is configured for multitenancy, two administrative application roles are used. One role is for the overall global administrator (BI Global Administrator) and one is for the Tenant Administrator.
The BIGlobalAdministrator application role becomes a member of the original BIAdministrator role and inherits all of the BIAdministrator permissions and any permissions that are added specifically for global multitenancy administration tasks. A member of this role can maintain the Oracle Business Intelligence system as described in the other chapters of this guide and in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition. This administrator controls privileges for all tenants and can access the Presentation Services Administration page, Oracle BI Administration Tool, Job Manager, Catalog Manager, and all content. This administrator is not associated with a specific tenant.
Never map this privileged role to a user or group within a specific tenant.
Users who have been assigned the original BIAdministrator application role, but not the BIGlobalAdministrator role can still access the system, but lack the permissions to administer multitenant functionality.
BI Global Administrators must not have values set for the orclMTTenantGUID and orclMTTenantUName attributes that are described in Table 18-2. These administrators do need a unique orclMTUID attribute value, although this value should not have a tenant prefix.
The BITenantAdministrator application role has no specific policy store permissions, but does have specific privileges that are granted in the Oracle BI Presentation Catalog for administering a tenant. This role enables users to perform self-service administration tasks on multitenant-enabled features for one tenant. These administrators cannot access the Presentation Services Administration page or the Privileges page. These administrators organize content for tenant users within the catalog by granting access to, creating, moving, and copying objects and folders.
End users in a multitenant environment are known as tenant users. These users have the same default application roles as in a non-multitenant environment, namely BIAuthor and BIConsumer. The relationship that links a tenant user to a tenant ID is managed through the Identity Store. For more information on end users, see Section 18.3.2, "Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment."
Figure 18-1 shows the application roles that are used with multitenancy in comparison to roles that are used in a non-multitenant environment. When configuring Oracle Business Intelligence for multi-tenancy, you create two application roles. The BIGlobalAdministrator role is a member of the BIAdministrator role. The BITenantAdministrator role is for tenant users to perform certain self-service administration tasks on their tenant information only.
Figure 18-1 Application Roles for Multitenancy
When you configure Oracle Business Intelligence for multitenancy, many features behave the same. The following list describes the features in Oracle Business Intelligence that are not available for tenant users:
For Tenant Administrators, the following features are not available. The BI Global Administrator can use these features.
Fusion Middleware Control (so no access to diagnostics, metrics, and system availability and capacity).
Essbase Components (including Essbase, Essbase Studio, and Essbase Administration Services).
You can use Essbase as a data source in a multitenant environment if you apply the appropriate security. Tenant Administrators do not have access to any administrative tools for Essbase and related tools that are installed as part of Oracle Business Intelligence.
Oracle BI Administration Tool, Catalog Manager, and Job Manager.
Usage tracking and MapViewer.
For Tenant Authors and Consumers, the following features are not available:
Catalog groups, KPIs, scorecards, BI Mobile, BI Composer, Oracle BI for Microsoft Office, Act As functionality, and direct database requests.
Oracle RTD, BI Publisher, and Marketing Segmentation.
Full-text catalog search with Oracle SES and Oracle Endeca Server. The basic catalog search is available.
Essbase Components (including Financial Reporting, Calculation Manager, and Workspace).
Audience: BI Global Administrators
By default, Oracle Business Intelligence is not configured for multitenancy. When Oracle Business Intelligence is configured to support multiple tenants, the system uses a single Oracle BI Presentation Catalog and a single Oracle BI Server repository that is shared and read-only for tenant users. Each tenant user has a tenant GUID. Globally unique identifiers (GUIDs) are assigned to tenant users to ensure that their identity within Oracle Business Intelligence is unique. This assignment helps the system handle name clashes and name changes. When users sign in, their view of the system is based on their tenant GUID. Tenant users are assigned session variables with their tenant GUID to use for connection pools and other purposes.
The following list describes features of a multitenant system:
You use application roles as part of a multitenant system. Tenant users are mapped to application roles through groups in the identity store.
Application roles are shared across tenants, so you cannot have tenant-specific application roles. The BI Global Administrator can create an application role and assign a group (which can be a tenant-specific group) to the application role. Bear in mind that all tenants can see the name of this application role in certain dialogs, regardless of whether they are members of the group that is assigned to the role. The Tenant Administrator cannot create a new application role.
Any changes to configuration, such as the instanceconfig.xml file, apply to the entire system and are not tenant-specific. These changes include privileges in the catalog, skins, and front-end customizations.
Users of dashboards and analyses in a multitenant environment work with content specific to their tenant. For example, dashboard consumers create tenant-specific briefing books, bookmarks, and prompted links. The default properties for analyses and columns are specific to each tenant.
Agents are supported for tenants. Agents are only in the scope of that tenant. As you create an agent and add recipients from a list, you can select users and application roles, as described in the following list:
The list includes only recipient users that exist in your tenant.
The list includes application roles that are shared across all tenants. An agent that delivers to application roles delivers only to members of roles that share the same tenant as the creator of the agent.
Audience: BI Global Administrators
Keep the security considerations that are described in the following sections in mind when configuring Oracle Business Intelligence for multitenancy:
When configuring a multitenant environment, the authentication and authorization of tenant users can be performed only through Oracle Fusion Middleware security. This means that it is not possible to use initialization blocks for authentication and authorization of tenant users.
See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for a complete description of using Oracle Business Intelligence with Oracle Fusion Middleware security.
In a typical, non-multitenant deployment of Oracle Business Intelligence, users are stored in an identity store. Table 18-1 describes the identity store attributes that are mandatory for each user.
Table 18-1 Attributes for Non-Tenant Users
| Typical Attribute Used (Configurable) | Attribute Description | Mandatory for Oracle Business Intelligence? |
In a multitenant deployment of Oracle Business Intelligence, each tenant user must also have the attributes that are described in Table 18-2 populated and available from the identity store. Oracle Business Intelligence does not provide tools for adding these attributes to the identity store. You must consult with the administrator of the identity store for assistance in adding these attributes, using a method that is appropriate for the type of identity store in the deployment.
Table 18-2 Attributes for Tenant Users
| Attribute Name | Description | Mandatory for Tenant Users? |
| orclMTUID | The globally unique user identifier. This attribute holds the user name prefixed with the tenant name, such as tenantname.username. You must ensure that each identifier is unique. | Yes |
| orclMTTenantGUID | The globally unique identifier for the tenant. | Yes |
| orclMTTenantUName | The name of the tenant. | Yes |
When configuring an authenticator in a multitenant-enabled environment, you must ensure that the base DN for users and the base DN for groups are common across all tenants. Additionally, the orclMTUID attribute must be used as the User Name attribute. See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for details on configuring authenticators.
The same authenticators are supported as outlined in the certification matrix for Oracle Business Intelligence; but in each case, the additional user attributes must be available or added. Oracle does not provide functionality for extending the LDAP schema to the built-in LDAP for WebLogic Server. Therefore, you must configure an alternative identity store as part of configuring Oracle Business Intelligence for multitenancy. For information on the certification matrix, see Section 1.8, "System Requirements and Certification."
The system accounts and those accounts that are used for overall tenant-wide administration of Oracle Business Intelligence operate in the same way as they do in a non-multitenant environment. Specifically, these accounts are the OracleSystemUser and the BISystemUser. These users must not have values set for the tenant-related attributes that are described in Table 18-2. One exception is if these users are authenticated using the same authenticator as the tenant users. In this case, the orclMTUID attribute must be populated using the user name without a tenant prefix.
See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for complete information on BISystemUser.
In a multitenant environment, because the authenticators are configured to use the orclMTUID attribute as the User Name (as described in Table 18-2), the UserID that is derived from any certified approach to SSO must match a valid orclMTUID value from the identity store. The UserID that comes from the SSO product must be a globally unique identifier for the user and typically has the form such as "tenantname.username".
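The attribute rules in Sections 18.3.2 through 18.3.4 are easy to get wrong when the identity store is populated by hand. The following audit script is an added example, not part of the Oracle documentation: it checks an exported set of user records against those rules (all three attributes present for tenant users, orclMTUID equal to tenantname.username and unique, no tenant attributes and no prefix on system and global-administrator accounts, one GUID per tenant) and checks whether a UserID asserted by SSO matches an orclMTUID. The records, the "username" key and the account name biglobaladmin are constructed assumptions.

```python
"""Audit exported identity-store records against the multitenancy attribute rules of Table 18-2.

Added example, not Oracle code. Records are constructed; the user name is read from a plain
"username" key (assumed; a real identity store may hold it in uid or cn).
"""
from collections import defaultdict

UID_ATTR = "orclMTUID"
TENANT_GUID_ATTR = "orclMTTenantGUID"
TENANT_NAME_ATTR = "orclMTTenantUName"

# Accounts that run without tenant attributes: the system accounts of Section 18.3.3 plus
# BI Global Administrators ("biglobaladmin" is an assumed name for this example).
NON_TENANT_ACCOUNTS = {"OracleSystemUser", "BISystemUser", "biglobaladmin"}


def check_entries(entries, non_tenant_accounts=NON_TENANT_ACCOUNTS):
    """Return a list of (who, problem) tuples; an empty list means every rule holds."""
    problems = []
    uid_owner = {}                   # orclMTUID -> first user name that carried it (uniqueness)
    tenant_guids = defaultdict(set)  # tenant name -> GUIDs seen for it (must be exactly one)
    for e in entries:
        name = e["username"]
        uid = e.get(UID_ATTR)
        tguid = e.get(TENANT_GUID_ATTR)
        tname = e.get(TENANT_NAME_ATTR)
        if not uid:
            problems.append((name, f"missing {UID_ATTR}"))
            continue
        if uid in uid_owner:
            problems.append((name, f"{UID_ATTR} '{uid}' already used by {uid_owner[uid]}"))
        uid_owner.setdefault(uid, name)
        if name in non_tenant_accounts:
            # System and global-admin accounts: no tenant attributes, orclMTUID without a prefix.
            if tguid or tname:
                problems.append((name, "non-tenant account must not set tenant attributes"))
            if uid != name:
                problems.append((name, f"{UID_ATTR} should be the plain user name '{name}'"))
            continue
        # Tenant users: all three attributes present and orclMTUID == tenantname.username.
        if not tguid or not tname:
            problems.append((name, "tenant user is missing tenant GUID or tenant name"))
            continue
        tenant_guids[tname].add(tguid)
        if uid != f"{tname}.{name}":
            problems.append((name, f"{UID_ATTR} should be '{tname}.{name}', got '{uid}'"))
    for tname, guids in tenant_guids.items():
        if len(guids) > 1:
            problems.append((tname, f"tenant maps to several GUIDs: {sorted(guids)}"))
    return problems


def sso_userid_matches(sso_userid, entries):
    """Section 18.3.4: a UserID asserted by SSO is usable only if it equals some orclMTUID."""
    return any(e.get(UID_ATTR) == sso_userid for e in entries)


# Constructed sample export: two tenants (acme, banka), the system accounts and one global admin.
SAMPLE_ENTRIES = [
    {"username": "OracleSystemUser", UID_ATTR: "OracleSystemUser"},
    {"username": "BISystemUser", UID_ATTR: "BISystemUser"},
    {"username": "biglobaladmin", UID_ATTR: "biglobaladmin"},
    {"username": "user1", UID_ATTR: "acme.user1", TENANT_GUID_ATTR: "GUID-ACME", TENANT_NAME_ATTR: "acme"},
    {"username": "user1", UID_ATTR: "banka.user1", TENANT_GUID_ATTR: "GUID-BANKA", TENANT_NAME_ATTR: "banka"},
    # Defective records the audit should report:
    {"username": "user2", UID_ATTR: "user2", TENANT_GUID_ATTR: "GUID-ACME", TENANT_NAME_ATTR: "acme"},
    {"username": "user3", UID_ATTR: "acme.user3", TENANT_GUID_ATTR: "GUID-BANKA", TENANT_NAME_ATTR: "acme"},
    {"username": "user4", UID_ATTR: "acme.user4", TENANT_NAME_ATTR: "acme"},
]

if __name__ == "__main__":
    for who, what in check_entries(SAMPLE_ENTRIES):
        print(f"{who}: {what}")
```

The two user1 records are deliberately valid: the tenant prefix in orclMTUID is what keeps same-named users of different tenants apart.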
Audience: BI Global Administrators
Tenant users are limited to working with catalog objects that are created as part of their tenant. In addition to their own tenant folders, they typically have read-only access to a shared area. For example, if you want to make a standard set of reports available, you can do this in a shared area. Alternatively, you can copy standard reports to each tenant folder.
The content in the Oracle BI Presentation Catalog is shared across tenants. The catalog is striped for each tenant so that tenant users see their own virtualized view of their catalog content. Users of one tenant cannot access content that is owned by users of other tenants. Application roles are not striped per tenant.
Top-level tenant folders are striped based on the tenant ID. The advantage of dividing the catalog by tenant ID is that security is scaled efficiently across all tenants. Tenant users are directed to their own catalog folders using the tenant ID that they are assigned when they log in. This process does not require you to provision any tenant-specific permissions.
In a multitenant environment, the catalog includes a "tenants" folder that stores all tenant-specific folders. The "tenants" folder is at the same level as the "shared," "users," and "system" folders, as shown in the following example:
/root
    /shared
    /system
    /users
    /tenants
        /acme
            /users
                /acme.user1
            /acme_reports
            /company_shared
            /devices
            /subjectarea
            /system
Note the following about the catalog structure:
/root/shared: All tenant users have read-only access. The BI Global Administrator has full access.
/root/users: Only BI Global Administrators (that is, users without any tenant ID) are created in this folder.
/tenants/../../system: This folder contains tenant-specific system files such as those used for formatting and devices.
/tenants/../../company_shared: This folder contains company-specific shared files, which are different from the files in the /root/shared folder. All users that belong to the appropriate tenant can access this shared folder. Users from other tenants can neither see nor access the company_shared folders of other tenants. The shared space is virtualized for each tenant.
/tenants/users: This folder contains all users for a tenant and is displayed as "My Folders" on the Catalog page. Tenanted users cannot access the /root/users folder.
Catalog groups are not supported for tenants, so the Presentation Services Administration page provides no tenant access to catalog groups. Ensure that you do not enable such access. The Admin View is not available on the Catalog page for tenant users.
Audience: BI Global Administrators
This section describes the post-installation tasks for configuring the Oracle Business Intelligence system for multiple tenants. These tasks and the sections in this chapter assume that you have a fresh installation of Oracle Business Intelligence and have not changed the default identity store configuration, policy store, or permissions for the Oracle BI Presentation Catalog.
To configure the system for multitenancy:
Stop the Oracle Business Intelligence system.
For information, see Chapter 4, "Starting and Stopping Oracle Business Intelligence."
Enable multitenancy, as described in Section 18.5.1, "Enabling the System for Multitenancy."
Do not log in to the system as a tenant user until you have completed the tenant provisioning task in this procedure.
Configure the identity store by performing the following steps:
Add the multitenancy attributes to the schema, as described in Section 18.3.2, "Mandatory Identity Store Attributes for Tenants and Tenant Users in a Multitenant Environment."
Populate the identity store with users and groups for the system users, administrative users, and tenant users as described in Section 18.3.3, "System Users in a Multitenant Environment."
Configure the appropriate application roles and users, as described in Section 18.5.2, "Configuring Application Roles and Users."
Configure data sources, as described in Section 18.5.3, "Configuring Data Sources for Tenants."
Disable features of Oracle Business Intelligence that are unavailable in a multitenant environment, as described in Section 18.5.4, "Making Features Unavailable in the Multitenant Environment."
Optionally configure Single Sign-On (SSO) as described in Section 18.3.4, "UserID from SSO Must Match the orclMTUID Attribute Value."
Provision tenants, as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants."
Restart the Oracle Business Intelligence system.
To enable the options for multitenancy, you must add a system property and include the appropriate element in the instanceconfig.xml file, as described in the following procedure.
To enable the use of multitenancy:
Manually add the system property oracle.multitenant.enabled=true to MW_HOME/user_projects/domains/bifoundation_domain/bin/setDomainEnv.sh (UNIX) or setDomainEnv.cmd (Windows), using the syntax appropriate for the platform. Enter it after the EXTRA_JAVA_PROPERTIES line, as shown in the following example for the Windows platform:
set JAVA_PROPERTIES=%JAVA_PROPERTIES% %EXTRA_JAVA_PROPERTIES%
set JAVA_PROPERTIES=%JAVA_PROPERTIES% -Doracle.multitenant.enabled=true
Open the instanceconfig.xml file for editing, as described in Section 3.6, "Where Are Configuration Files Located?"
Locate the Catalog section in which you must add the EnableMultiTenancy element.
The EnableMultiTenancy element is not included in the instanceconfig.xml file by default; when the element is absent, the setting defaults to false. If you do not add the element and set it to true, then the options for multitenancy are not available.
Include the EnableMultiTenancy element within the Catalog element, as shown in the following example. The Catalog element likely includes other elements within it.
<Catalog>
    <EnableMultiTenancy>true</EnableMultiTenancy>
</Catalog>
Save your changes and close the file.
Restart Oracle Business Intelligence.
You must configure the appropriate application roles and users for the multitenant system, as described in the following sections:
You must configure the BI Global Administrator to manage a multitenant system. Perform the following procedure for overall system administrators, and not for tenant administrators.
To configure the BI Global Administrator:
Create an application role called BIGlobalAdministrator.
Grant the following permission to the application role so that the administrator can manage all tenants:
Action = _all_
This permission enables the BI Global Administrator to access the Administration page in Presentation Services, to access the Admin view on the Catalog page, and to call multitenant web services (as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants" and Section 18.6.3, "Archiving Content for Tenants").
Make this application role a member of BIAdministrator.
The BI Global Administrator must configure the administrator for each tenant. You can use an application role called BITenantAdministrator to map users and groups to. This application role does not have any permissions granted to it in the policy store, but it does have specific privileges for the Oracle BI Presentation Catalog.
To configure the Tenant Administrator application role:
Create an application role called BITenantAdministrator.
Ensure the following:
That you grant no permissions to the BITenantAdministrator role.
That no tenant users are assigned the BIAdministrator or BIGlobalAdministrator roles.
Optionally, in the policy store, make the BITenantAdministrator role a member of the BIAuthor application role so that the Tenant Administrator can create folders and perform related tasks.
Each time that you provision a new tenant and add new users to the Identity Store for the new tenant, map specific users or groups to this application role to provision specific tenant users with administrative permissions for their tenant.
You can configure Tenant Consumers and Tenant Authors (who create content). Bear the following points in mind as you create these users:
All authenticated users must have an active entry in the identity store.
Tenant Consumers and Tenant Authors must have values for the attributes that are described in Table 18-2.
Tenant Consumers must have their identity store group mapped to the BIConsumer application role to view Oracle Business Intelligence content.
Tenant Authors must have their identity group mapped to the BIAuthor application role to create and modify content.
In a multitenant environment, you must segregate the following on a per-tenant basis: data access and the cache for the BI Server. You must also control database resources. This section contains the following topics:
You want to have a level of control over the database resources to ensure that a single tenant user has access to only the data that is appropriate for him. Although a single Oracle BI repository is shared across all tenants, you can use a session variable to identify which tenant a user belongs to. In a multitenant environment, this session variable is populated whenever a tenant user logs into Oracle Business Intelligence. This session variable is called TENANTGUID and is populated automatically with the value from the orclMTTenantGUID attribute for the tenant user as described in Section 18.3, "Security Considerations when Configuring for Multitenancy." This value is the unique tenant identifier. In the repository, you can use this session variable for security filters, with connection pool configuration, and for segregating the BI Server cache by tenant.
In a multitenant environment, the single Oracle BI repository is shared and read-only for all tenant users. Only the BI Global Administrator can modify the repository and connection pools for the data source. Because of the single repository, all tenants access data through one connection pool. You can use one of the following techniques to ensure that tenant users have access only to their own tenant data, based on the data source:
With this technique, when a tenant user runs a query, the TENANTGUID variable is used either directly or indirectly to determine the schema that the query references. Consequently, a tenant user sees data only from his own schema.
Use this technique when the Oracle Database is the data source type. A variation on this technique also works for SQL Server using a parameterized connection string to SQL Server. For information, see the description of Data source name in "Common Connection Pool Properties in the General Tab" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Each tenant has its own schema in the database and each schema is identical in shape (but not data).
A single connection pool is configured using a session variable as a parameter to represent the schema name.
The password for each schema is the same for all schemas and is used in the connection pool configuration.
The user name for each schema is either the same as the TENANTGUID value for each tenant, or one or more session variables are configured to derive the schema name (and optionally other connection details other than the password) based on the TENANTGUID value.
Use this technique for relational data sources and only if it is feasible to add the TENANTGUID column to each source table.
All tenant data is in the same schema, but each table includes a column that stores the TENANTGUID value for each row of data.
Each logical query must apply a security filter for Oracle Business Intelligence to constrain data based on the rows where the TENANTGUID column value matches the TENANTGUID session variable.
All tenant users must be members of a single application role, such as BIConsumer.
A BI Server data filter must be applied to this application role as follows:
<column that contains TENANTGUID value> = 'valueof(NQ_SESSION.TENANTGUID)'
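The following is an added example, not code from the Oracle documentation. It models, with an in-memory SQLite table, what the shared-schema technique above relies on: every query issued for a tenant user carries the predicate on the TENANTGUID column, and the value comes from the TENANTGUID session variable rather than from anything the user supplies. The sales table, its rows and the nq_session dictionary standing in for NQ_SESSION are constructed; the column names id and amount are assumptions.

```python
"""Shared-schema tenant isolation: the row-level data filter of this section applied to a sample table.

Added example, not Oracle code. It models what the BI Server does when the data filter
    <column that contains TENANTGUID value> = 'valueof(NQ_SESSION.TENANTGUID)'
is attached to the application role that every tenant user holds: the tenant predicate is ANDed
onto each query. Table, rows and the session dictionary are constructed.
"""
import sqlite3

TENANT_COLUMN = "TENANTGUID"
ALLOWED_COLUMNS = {"id", "amount", TENANT_COLUMN}


def open_sample_db():
    """Create an in-memory copy of one shared fact table holding rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE sales (id INTEGER, {TENANT_COLUMN} TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?)",
        [(1, "GUID-ACME", 100.0), (2, "GUID-ACME", 250.0), (3, "GUID-BANKA", 999.0)],
    )
    conn.commit()
    return conn


def tenant_query(conn, nq_session, columns, user_where="1=1", user_params=()):
    """Select `columns` from sales, constrained to the session's tenant.

    nq_session stands in for NQ_SESSION; TENANTGUID is populated from orclMTTenantGUID at login
    (Section 18.5.3). A session without it is refused rather than handed unfiltered rows.
    user_where models the condition of the logical query; its values arrive in user_params.
    """
    tenant = nq_session.get("TENANTGUID")
    if not tenant:
        raise PermissionError("no TENANTGUID in session: refusing unfiltered query")
    unknown = set(columns) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    # The query's own condition is wrapped in parentheses so an OR inside it cannot escape
    # the tenant predicate; the GUID is bound as a parameter, never pasted into the SQL text.
    sql = (f"SELECT {', '.join(columns)} FROM sales "
           f"WHERE ({user_where}) AND {TENANT_COLUMN} = ? ORDER BY id")
    return conn.execute(sql, tuple(user_params) + (tenant,)).fetchall()


def total_amount(conn, nq_session):
    """Sum of amount visible to the session's tenant."""
    return sum(row[0] for row in tenant_query(conn, nq_session, ["amount"]))


if __name__ == "__main__":
    db = open_sample_db()
    for guid in ("GUID-ACME", "GUID-BANKA"):
        print(guid, total_amount(db, {"TENANTGUID": guid}))
```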
You can configure Oracle Business Intelligence to respect VPD-type data security for the Oracle Database or Essbase.
Configure the data source to apply data security such that tenant users see data only for their tenant.
This step is specific to the data source type:
For the Oracle Database, you must add a custom on-connect script to the connection pool for the Oracle Database. This custom script sets the VPD connection.
To facilitate tenant-specific query limits being applied across all database objects that are defined in the Oracle BI repository, you can use two session variables: OBIS_DB_MAXROWS and OBIS_DB_MAXEXECTIME. These variables are optional, but if you set them, then they override the values that the BI Server obtains for maximum rows and maximum execution time from the permissions that are assigned to application roles or users in the repository.
You set these variables as you set any other session variables in Oracle Business Intelligence. For example, you can set them using an initialization block that finds a value from a database table based on the TENANTGUID value. For information on setting session variables, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Section 18.1.3, "Features that Are Unavailable for Tenant Users" describes the features that you should not use with multitenancy. You must manually ensure that tenant users cannot access these features, as described in the following procedure.
To make features unavailable in a multitenant environment:
Log in to Presentation Services as a member of the BIGlobalAdministrator role.
Revoke the following privileges for Tenant Author and Tenant Consumer, as described in "Managing Presentation Services Privileges" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition:
Manage Catalog Groups
Access to BI Composer
Access to Mobile
Access to Segments
Access to Segment Trees
Access to List Formats
Access to Oracle BI for Microsoft Office
Access to Oracle BI Client Installer
Access to KPI Builder
Access to Scorecard
Manage Marketing Jobs
User Population - Can List Groups
Perform Extended Search
Access Advanced Tab
Assign Default Customizations
Create/Edit Scorecards
View Scorecards
Create/Edit Objectives
Create/Edit Initiatives
Scorecard - Create Views
Create/Edit Causes And Effects Linkages
Create/Edit Perspectives
Add Annotations
Override Status
Create/Edit KPIs
Write Back to Database for KPI
Add Scorecard Views To Dashboards
All List Format Columns
Enable Local Content
All Segmentation privileges
All SOAP privileges
Grant the following privileges for Tenant Administrators:
Deliver Agents to Specific or Dynamically Determined Users
Modify Current Subscriptions for Agents
Grant all SOAP privileges to the BI Global Administrator so that this administrator can perform web service tasks such as provisioning and unprovisioning tenants and archiving content.
Ensure that in the policy store, a tenant user does not have any of the grants that are given by default to the BIConsumer and BIAuthor roles.
When you have modified these privileges, ensure that no other administrator changes the settings.
Audience: BI Global Administrators
You can perform the following tasks to manage tenants:
This section contains the following information on provisioning tenants:
You can provision new tenants or unprovision existing tenants at any time. When you provision a tenant, you configure the catalog for the tenant. Shared folders and tenant-specific folders are created in the catalog. When you unprovision a tenant, its folders are deleted from the catalog. Provisioning and unprovisioning tenants does not modify the identity store or policy store configuration.
For example, you can provision certain companies if they sign a contract with your organization. Suppose that TenantA is provisioned. The home folders for TenantA's users are included in the /tenants/TenantA/users folder. These inclusions are completely transparent to the TenantA users. Tenants see the /shared folder if they have the permissions to see it, but they see only the tenant folder for their particular tenant ID.
The following sections describe the tools for provisioning and unprovisioning tenants:
You can use menu options in Catalog Manager to provision and unprovision tenants when the catalog is open in offline mode. From the Tools menu in Catalog Manager, select Multi-Tenancy, then either Provision Tenant or Unprovision Tenant.
When the catalog is open in online mode, you can provision or unprovision tenants using the web service only if you have the BIGlobalAdministrator role, as described in Section 18.5.2, "Configuring Application Roles and Users."
With this role, you can use a suitable web service client to obtain a BI Session ID in online mode. You use the session-based SOAP web service called MultiTenancyManagementService for managing objects in the catalog and artifacts in Oracle BI Presentation Services in a multitenant system. You access the wsdl for the web service at the following location:
Use the following methods for provisioning and unprovisioning tenants:
MultiTenancyManagementService.provisionTenant( ListOFTenantGUIDs, sessionID)
MultiTenancyManagementService.unprovisionTenant( ListOFTenantGUIDs, sessionID)
See Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition for complete details on using web services with Oracle Business Intelligence.
If you no longer need a tenant in a multitenant system, then you can remove the tenant and its content as described in the following procedure. This procedure removes user folders for tenant users.
To remove a tenant:
Remove the folders for the tenant by unprovisioning the tenant in the Catalog Manager, as described in Section 18.6.1, "Provisioning and Unprovisioning Tenants."
Remove the tenant identities in the identity store.
Remove the data sources for the tenant.
You can archive and unarchive objects and folders that belong to a tenant. If you have the following permission:
then you can use a suitable web service client to obtain a BI Session ID and call the methods in the MultiTenancyManagementService web service as follows:
Audience: BI Global Administrators and Tenant Administrators
If you try to add a tenant and see the error "Path not found," then ensure that the Oracle BI Presentation Catalog is upgraded to the latest version.