How to Define New Groups and Mappings for Users and BI Roles

Oracle BI Applications implements data and object security using a set of BI Duty Roles. BI Users are provisioned with BI Duty Roles via Enterprise Roles in LDAP.

The following terms are synonymous:
  • Enterprise Role

  • Job Role

  • Group

To simplify security provisioning, each BI Duty Role encapsulates all object and data security access required for a particular BI application area. Therefore, you typically only need to provision a BI User with a single Duty Role in order to enable them to access a specific application area. For example, the BI Duty Role 'Fixed Asset Accounting Manager EBS' provides the encapsulation for EBS Fixed Asset Accounting security.

You can provision a BI User with a Duty Role by using Fusion Middleware (FMW), or by using an RPD init block.

How to Use Fusion Middleware (FMW) to Provision a BI User

To use FMW provisioning for BI Duty Roles, the BI Users and Enterprise Roles must be present in an LDAP, and that LDAP must be configured as the authentication source for BI. If your installation has existing Enterprise Roles that you wish to use for BI security, then you might consider using this approach.

In this approach, you can use your own Enterprise Roles to associate BI Duty Roles to BI Users, or you can use the default Enterprise Roles provided with Oracle WebLogic Server LDAP. A BI User with one of the default Enterprise Roles automatically inherits the associated default Duty Roles.

Using Your Own Enterprise Roles with the Default Duty Roles

For example, assume the following scenario:

- Your LDAP has Enterprise Role 'ABC Corp Americas Account Manager'.

- BI Users and Enterprise Roles are present in this LDAP.

- This LDAP is used as the source for authentication for the BI installation.

Use Oracle Enterprise Manager Fusion Middleware Control in the BI instance and make the Enterprise Role 'ABC Corp Americas Account Manager' a member of BI Duty Role 'Fixed Asset Accounting Manager EBS'.

BI Users (for example, Fred) with Enterprise Role 'ABC Corp Americas Account Manager' inherit BI Duty Role 'Fixed Asset Accounting Manager EBS', and have security access for Fixed Assets Accounting reporting for EBS, as illustrated in the diagram below.

Using the Default Enterprise Roles with the Default Duty Roles

Oracle BI Applications provides a sample set of Enterprise Roles (also known as Groups) that inherit the BI Duty Role hierarchy. For example, the default Enterprise Role 'Fixed Asset Accounting Manager EBS' is a member of BI Duty Role 'Fixed Asset Accounting Manager EBS'.

BI Users (for example Fred) with Enterprise Role 'Fixed Asset Accounting Manager EBS' automatically inherit BI Duty Role 'Fixed Asset Accounting Manager EBS', and have security access for Fixed Assets Accounting reporting for EBS, as illustrated in the diagram below.

Provisioning BI Users in the Installed Oracle WebLogic Server LDAP

Use the default installed Oracle WebLogic Server LDAP and default Enterprise Roles.

  1. Use the security FSM Tasks for your Offerings to determine the Init Blocks and Duty Roles required by BI Users.

    In addition to the information in the FSM Tasks for security, use Content Guide for Oracle BI Applications for a definitive list of default Duty Roles and Enterprise Roles required by BI Users (refer to Tech Note 1674181.1 on My Oracle Support).

  2. Use Oracle WebLogic Server Administration Console to assign each BI User to the appropriate Enterprise Role/Group for the Duty Role that the User requires.

    For example, if you assign BI User Fred to the Enterprise Role 'Fixed Asset Accounting Manager EBS', then Fred automatically inherits the BI Duty Role 'Fixed Asset Accounting Manager EBS'.

    To assign a BI User to an Enterprise Role/Group, select Security Realms, Users, Groups, Users, then BI User, and use the Groups tab to specify one or more Enterprise Roles/Groups.

    Refer to the WebLogic Server Administration Console Help for detailed instructions.

Provisioning BI Users Using Your Own LDAP

If your installation has an existing LDAP (and you do not wish to use the default Oracle WebLogic Server LDAP) that is being used for authentication, then you can create your own Enterprise Roles, or copy/migrate the Enterprise Roles from the installed Oracle WebLogic Server LDAP to your LDAP.

  1. Use the security FSM Tasks for your Offerings to determine the Init Blocks and Duty Roles required by BI Users.

    In addition to the information in the FSM Tasks for security, use Content Guide for Oracle BI Applications for a definitive list of default Duty Roles and Enterprise Roles required by BI Users (refer to Tech Note 1674181.1 on My Oracle Support).

  2. If you want to deploy the default Enterprise Roles/Groups from Oracle WebLogic Server LDAP, then copy or migrate the Enterprise Roles/Groups to your LDAP.

  3. Use native LDAP tools to assign each BI User to an appropriate Enterprise Role/Group for the Duty Role that the BI User requires.

    For example, if you assign BI User Fred to the Enterprise Role 'Fixed Asset Accounting Manager EBS', then Fred automatically inherits the BI Duty Role 'Fixed Asset Accounting Manager EBS'.

  4. Make sure that each Enterprise Role is associated with the correct Duty Role.

How to Use an RPD Init Block to Provision a BI User

For each Offering and Functional Area, FSM Tasks for security typically specify:

- Init Blocks that you need to enable.

- Duty Roles that BI Users require.

Oracle BI Applications provides an Init block named 'Authorization' that queries the roles/responsibilities associated with users in the source system and populates an Oracle BI EE variable called GROUP. Oracle BI EE associates BI Duty Roles with users based on the names populated in the GROUP variable.

For example, to associate BI Duty Role 'Fixed Asset Accounting Manager EBS' with a user using the Init block approach, do the following:

  1. In Oracle BI Administration Tool, if the 'Authorization' Init block is disabled, then you must enable it, as follows:

    1. Edit the BI metadata repository (for example, OracleBIAnalyticsApps.rpd).

    2. Navigate to Manage, Variables, then Session – Initialization Blocks (Inventory Organizations EBS).

    3. Open the initialization block (Inventory Organizations EBS).

    4. Clear the Disabled check box.

  2. Update the Init block SQL to use the EBS SQL used to populate users' EBS responsibilities.

    Oracle BI Applications provides different SQL statements for E-Business Suite, Siebel, and PeopleSoft for this Init block.

  3. Create responsibility 'Fixed Asset Accounting Manager EBS' in the E-Business Suite source system and assign it to the user.

  4. When the init block is run for the user, the GROUP variable will be populated with value 'Fixed Asset Accounting Manager EBS'.

    The BI server will then assign BI Duty Role 'Fixed Asset Accounting Manager EBS' to the user (that is, the BI Duty Role of the same name).

  5. If the user has multiple responsibilities in the source system, then the GROUP variable will contain the names of all of the responsibilities.

    Oracle BI EE will assign BI Duty Roles that match any names contained in the GROUP variable. If one of the names within the GROUP variable does not match any BI Duty Role, then Oracle BI EE will ignore that name. For example, if the GROUP variable contains the value (A, B, C, D) and if BI Duty Roles of names A, B and C exist, then the user will be assigned BI Duty Roles (A, B, C). The value D will be ignored.
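
The two provisioning paths described above (Enterprise Role membership through FMW, and name matching on the GROUP variable) can be modelled for an access review. The following is an added example, not Oracle code: the function names, the sample users and the mapping table are constructed, and exact-name matching of GROUP values is an assumption.

```python
from collections import defaultdict

# Constructed sample data. In a real review these come from the Duty Role
# membership shown in Fusion Middleware Control and from your LDAP export.
DUTY_ROLE_MEMBERS = {  # Duty Role -> Enterprise Roles that are members of it
    "Fixed Asset Accounting Manager EBS": {
        "ABC Corp Americas Account Manager",
        "Fixed Asset Accounting Manager EBS",
    },
    "A": set(), "B": set(), "C": set(),
}

def resolve_duty_roles(enterprise_roles, group_values):
    """Return (grants, ignored) for one user.

    grants:  Duty Role -> list of reasons it was granted
    ignored: GROUP names that match no Duty Role (assumed exact-name match)
    """
    grants = defaultdict(list)
    # FMW path: an Enterprise Role that is a member of a Duty Role passes it on.
    for duty_role, members in DUTY_ROLE_MEMBERS.items():
        for ent_role in sorted(members & set(enterprise_roles)):
            grants[duty_role].append(f"enterprise role: {ent_role}")
    # Init block path: a GROUP value grants the Duty Role of the same name.
    ignored = []
    for name in group_values:
        if name in DUTY_ROLE_MEMBERS:
            grants[name].append("GROUP variable")
        else:
            ignored.append(name)
    return dict(grants), ignored

def access_review(users):
    """users: name -> (enterprise_roles, group_values). Returns review rows."""
    rows = []
    for user, (ent_roles, group_values) in sorted(users.items()):
        grants, ignored = resolve_duty_roles(ent_roles, group_values)
        rows.append({"user": user, "duty_roles": grants, "ignored": ignored})
    return rows

if __name__ == "__main__":
    sample = {  # constructed users
        "fred": (["ABC Corp Americas Account Manager"], []),
        "alice": ([], ["A", "B", "C", "D"]),
    }
    for row in access_review(sample):
        print(row)
```

A Duty Role with more than one reason listed is granted through both paths, so removing the Enterprise Role alone does not revoke it; names in the ignored list usually point to a source-system responsibility that has no Duty Role of the same name.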