Essbase Fusion Middleware Security Mode

In This Section:

About Oracle Platform Security Services and Enterprise Manager

Understanding Security Permissions

Essbase Security Resource Type Reference

OPSS Credential Store

About Oracle Platform Security Services and Enterprise Manager

Oracle Platform Security Services (OPSS) provides an integrated security platform that supports:

  • Authentication

  • Identity assertion

  • Authorization, based on fine-grained JAAS permissions

  • The specification and management of application policies

  • Secure storage and access of system credentials through the Credential Store Framework

  • Secure storage and access of keys and certificates through the Keystore Service

  • Auditing

  • Role administration and role mappings

  • Security configuration and management

OPSS is supported in the Oracle WebLogic Server application platform.

Essbase Java Agent provides the required initialization information to the Essbase OPSS security provider. Then OPSS sends aggregated security permissions to the Essbase OPSS security provider. When OPSS receives a request about permissions for a specific user, OPSS returns the list of permissions associated with the user and the permissions associated with groups to which the user belongs.

User and group management operations are performed in Enterprise Manager. Authentication and authorization are performed against the Essbase OPSS security provider.

Understanding Security Permissions

In Essbase, security permissions are defined by resource type, resource name, and action.

The resource type specifies the level of the permission and is used to limit the list of actions a grantee can perform. Each resource type has a set of resource names and actions that can be authorized.

Table 115 lists the Essbase resource types:

Table 115. Essbase Resource Types

| Resource Type | Description |
| --- | --- |
| oracle.essbase.server | Global, cluster, and server-level permissions |
| oracle.essbase.application | Application-level permissions |
| oracle.essbase.database | Database-level permissions |
| oracle.essbase.filter | Filter access control |
| oracle.essbase.calculation | Calculation script access control |
| oracle.essbase.artifacts | Read-only artifact access control (such as reports and load rules) |
| oracle.essbase.customobject | Custom objects access control |

Resource names are either specific objects or hierarchical scopes, which contain objects. The resource name for the oracle.essbase.filter resource type is a specific object (in this case, a filter) in a database. The resource name for the other resource types is a scope. Any scopes below the current scope are included in the current scope. Any scopes above the current scope are not included in the current scope. For example, for the oracle.essbase.server resource type, the /cluster/application scope includes the /cluster/application/database scope below it but not the /cluster or / scopes above it.

Actions specify the operation that grantees are allowed to perform. Actions are hierarchical for most resource types (oracle.essbase.filter is an exception). Any actions below a specific action are included in the specific action. Any actions above a specific action are not included in the specific action. For example, for the oracle.essbase.application resource type, the create_delete_db action includes the start action below it but not the manage_application action above it.

The syntax for security permissions is:

resource_type/resource_name_scope,action

For example, granting the oracle.essbase.application/EssbaseCluster-1,start permission allows the grantee to start and stop all applications on EssbaseCluster-1.
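The permission syntax and the scope and action rules above can be applied mechanically when reviewing which grants cover a given request. The following Python is an added example, not part of the Oracle documentation or product; the function names are hypothetical and the sample grants are constructed. It assumes that the action hierarchy follows the order in which each resource type's actions are listed on this page (the page confirms this only for oracle.essbase.application), and it does not model inclusions across resource types.

```python
# Added example. Action order for oracle.essbase.database is ASSUMED from its table order.
from typing import NamedTuple

# Actions listed from highest to lowest; an action includes every action after it.
ACTION_ORDER = {
    "oracle.essbase.application": ["manage_application", "create_delete_db", "start"],
    "oracle.essbase.database": ["manage_database", "custom_calc", "server_calc",
                                "write", "use_filter", "read", "start"],
}
FLAT_ACTIONS = {"oracle.essbase.filter": ["apply"]}  # object-level, not hierarchical
# Constructed sample grants (names other than EssbaseCluster-1 are made up).
SAMPLE_GRANTS = [
    "oracle.essbase.application/EssbaseCluster-1/Sample,create_delete_db",
    "oracle.essbase.application/EssbaseCluster-10,manage_application",
]

class Permission(NamedTuple):
    resource_type: str
    scope: tuple  # path segments; () is the root scope "/"
    action: str

def parse_permission(text):
    """Parse 'resource_type/resource_name_scope,action'."""
    head, sep, action = text.strip().rpartition(",")
    resource_type, _, name = head.partition("/")
    known = {**ACTION_ORDER, **FLAT_ACTIONS}
    if not sep or resource_type not in known:
        raise ValueError(f"unrecognized permission: {text!r}")
    if action not in known[resource_type]:
        raise ValueError(f"{action!r} is not an action of {resource_type}")
    return Permission(resource_type, tuple(s for s in name.split("/") if s), action)

def implies(grant, request):
    """True if the grant covers the request under the scope and action rules."""
    if grant.resource_type != request.resource_type:
        return False
    if grant.resource_type in FLAT_ACTIONS:  # filter: exact object, exact action
        return grant.scope == request.scope and grant.action == request.action
    # Compare whole path segments so 'EssbaseCluster-1' never covers 'EssbaseCluster-10'.
    if request.scope[:len(grant.scope)] != grant.scope:
        return False
    order = ACTION_ORDER[grant.resource_type]
    return order.index(grant.action) <= order.index(request.action)

def covering_grants(grants, request_text):
    """Return the grant strings (a user's plus the groups') that cover the request."""
    request = parse_permission(request_text)
    return [g for g in grants if implies(parse_permission(g), request)]
```

Passing the aggregated user and group grants to covering_grants shows which grant is responsible for an access decision, which helps when tracing an over-broad scope back to its source.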

Server Resource Type

Resource type: oracle.essbase.server

Description: Global, cluster, and server-level permissions

Resource names (scope): Table 116 lists the scopes for the oracle.essbase.server resource type:

Table 116. Scope Resource Names for the Server Resource Type

| Resource Name | Scope |
| --- | --- |
| / | All resources at the server level |
| /cluster | All applications and databases within a logical cluster |
| /cluster/application | An application and all databases within the application |
| /cluster/application/database | A specific database within an application |

Actions: Table 117 lists the actions for the oracle.essbase.server resource type:

Table 117. Actions for the Server Resource Type

| Action | Description |
| --- | --- |
| administrator | Full access to administer the server, applications, and databases. |
| create | Ability to create and delete applications and databases within applications. The create action includes the manage_application action for the oracle.essbase.application resource type and manage_database action for the oracle.essbase.database resource type for the applications and databases created by this user. |

Application Resource Type

Resource type: oracle.essbase.application

Description: Application-level access control

Resource names (scope): Table 118 lists the scopes for the oracle.essbase.application resource type:

Table 118. Scope Resource Names for the Application Resource Type

| Resource Name | Scope |
| --- | --- |
| / | All resources at the server level |
| /cluster | All applications and databases within a logical cluster |
| /cluster/application | An application and all databases within the application |
| /cluster/application/database | A specific database within an application |

Actions: Table 119 lists the actions for the oracle.essbase.application resource type:

Table 119. Actions for the Application Resource Type

| Action | Description |
| --- | --- |
| manage_application | Ability to delete and modify databases and application settings within the particular application. Includes the manage_database action for the oracle.essbase.database resource type for the databases within the application. |
| create_delete_db | Ability to create and delete databases within the application. Only those applications and databases created by the user with the manage_application action can be deleted. |
| start | Ability to start an application. |

With the oracle.essbase.application resource type:

  • You cannot stop an application

    To stop an application, use WebLogic.

  • You cannot start and stop databases within an application. To start and stop databases, you must have the start action for the oracle.essbase.database resource type.

Database Resource Type

Resource type: oracle.essbase.database

Description: Database-level access control

Resource names (scope): Table 120 lists the scopes for the oracle.essbase.database resource type:

Table 120. Scope Resource Names for the Database Resource Type

| Resource Name | Scope |
| --- | --- |
| / | All resources at the server level |
| /cluster | All applications and databases within a logical cluster |
| /cluster/application | An application and all databases within the application |
| /cluster/application/database | A specific database within an application |

Actions: Table 121 lists the actions for the oracle.essbase.database resource type:

Table 121. Actions for the Database Resource Type

| Action | Description |
| --- | --- |
| manage_database | Ability to manage databases (for example, to change the database properties or cache settings), database artifacts, locks, and sessions within a particular application. The manage_database action also gives full control of artifacts without the oracle.essbase.artifact resource type being explicitly granted. |
| custom_calc | Ability to calculate, update, and read data values based on the assigned scope, using any assigned calculations and filters. The custom_calc action includes executing calculation scripts. The source of a calculation can be a calculation script or a string (using an API). |
| server_calc | Ability to execute default calculations based on the assigned scope, using any assigned calculations and filters. This action includes executing calculation scripts that were created by a user with the manage_database action and are stored on the server. |
| write | Ability to update and read data values based on the assigned scope, using any assigned filter. |
| use_filter | Ability to access specific data and metadata according to the restrictions of a filter. |
| read | Ability to read data values. |
| start | Ability to start and stop a database. |

With the oracle.essbase.database resource type, you cannot start and stop the application that contains the database.

  • To start an application, you must have the start action of the oracle.essbase.application resource type.

  • To stop an application, use WebLogic.

Filter Resource Type

Resource type: oracle.essbase.filter

Description: Filter access control; access to a specific filter within a database

Resource name (object): /cluster/application/database/filtername

Actions: apply

Apply the filter identified by the /cluster/application/database/filtername resource name.

Essbase receives an aggregated list of filters for each user from OPSS. The list includes the filters associated with the user and the filters associated with groups to which the user belongs.

Calculation Resource Type

Resource type: oracle.essbase.calculation

Description: Calculation script access control

Resource names (scope): Table 122 lists the scopes for the oracle.essbase.calculation resource type:

Table 122. Scope Resource Names for the Calculation Resource Type

| Resource Name | Scope |
| --- | --- |
| /cluster/ | All calculation scripts within a logical cluster |
| /cluster/application | All calculation scripts within an application and all databases within the application |
| /cluster/application/database | All calculation scripts within a specific database within an application |
| /cluster/application/database/scriptname | Access to a specific calculation script within a database |

Action: execute

Execute the calculation script identified by the /cluster/application/database/scriptname resource name.

To execute default calculations, you need the server_calc action for the oracle.essbase.database resource type.

Artifact Resource Type

Resource type: oracle.essbase.artifact

Description: Artifact access control

Resource names (scope): Table 123 lists the scopes for the oracle.essbase.artifact resource type:

Table 123. Scope Resource Names for the Artifact Resource Type

| Resource Name | Scope |
| --- | --- |
| /cluster/ | All artifacts within a logical cluster |
| /cluster/application | All artifacts within an application and all databases within the application |
| /cluster/application/database | All artifacts within a specific database within an application |
| /cluster/application/database/scriptname | Access to a specific artifact within a database |

Actions: Table 124 lists the actions for the oracle.essbase.artifact resource type:

Table 124. Actions for the Artifact Resource Type

| Action | Description |
| --- | --- |
| access | Allow the user access to the artifacts within the scope of the resource name |
| create | Allow the user to create, edit, and delete the artifact specified by the resource name. The create action includes the edit and delete actions for the artifacts that the user created. |
| edit | Allow the user to edit or remove the artifact identified by the resource name. The edit action is automatically granted to the user who created the artifact. |
| delete | Allow the user to remove the artifact identified by the resource name. The delete action is automatically granted to the user who created the artifact. |

Note:

The manage_database action for the oracle.essbase.database resource type gives full control of artifacts without the oracle.essbase.artifact resource type being explicitly granted.

Custom Object Resource Type

Resource type: oracle.essbase.customobject

Description: Custom object access control

Resource names (scope): Table 125 lists the scopes for the oracle.essbase.customobject resource type:

Table 125. Scope Resource Names for the Custom Object Resource Type

| Resource Name | Scope |
| --- | --- |
| /schema/ | All custom objects stored on a specific schema |
| /cluster/application | All custom objects stored on a specific schema within an application and all databases within the application |
| /cluster/application/database | All custom objects stored on a specific schema within a specific database within an application |
| /schema/application/database/type/name/scriptname | Access to a specific custom object within a database |

OPSS Credential Store

Table 126. Credential Store

| Key Name | Key Type | Description | Sample |
| --- | --- | --- | --- |
| dbJDBCUrl | Generic | The JDBC URL that is used to connect to the Essbase database. | jdbc:oracle:thin:@host:port:sid |
| dbJDBCDriverProperty | Generic | The name of the JDBC driver. | oracle.jdbc.OracleDriver |
| dbUserPassword | Password | The Essbase database user name and the absolute path to a secure file that contains the database user password. The dbUserPassword key is used for JDBC and ODBC connectivity. | TBD |
| ODBCConStr | Generic | The ODBC connection string that Essbase Server uses to access the Essbase RDBMS schema | DRIVER=DataDirect 7.0 Oracle Wire Protocol;HOST=scl34507.us.oracle.com;PORT=1521;SERVICENAME=orcl |
| CDSBIPasswd | Password | The user name and password that Essbase cube deployment service uses to connect to the Oracle Business Intelligence ODBC driver. | Weblogic/welcome1 |
| CDSBIConStr | Generic | The ODBC connection string that Essbase cube deployment service uses to connect to the BI ODBC driver. | OBI_BUSINESS_MODEL:oraclebi://host:port |