Application roles and application policies provide permissions for users and groups.
For detailed information about using Fusion Middleware Control, see Administering Oracle Fusion Middleware:
Tip:
After creating a new service instance or importing a BI application archive (BAR) file into a service instance, first check the security policy in the service instance to ensure that the users and groups from your Identity Store are mapped correctly to the application roles defined in the service instance. Each BI application archive file can carry its own security policy, which replaces what the service instance had before, so it is good practice to review the security policy on your service instance after every import.
Typically a BI application archive file that contains the BI metadata for an application also contains pre-defined application roles that can be used to provision users with permission to use BI functionality and to access BI folders, analyses, subject areas, and so on. For example, the sample application contains the sample application roles BIConsumer, BIContentAuthor, and BIServiceAdministrator. To provision users with permissions and privileges, you map users and (wherever possible) groups from the Identity Store (usually an LDAP directory) to the defined application roles. You use Oracle Enterprise Manager Fusion Middleware Control or the Oracle WebLogic Scripting Tool (WLST) to perform this task.
If you want to create a more complex or fine grained security model, you might create your own application roles and application policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new application role called BIContentMarketing, and provide it with appropriate privileges.
To set up the application roles that you want to deploy, do the following:
Note:
You can create application roles based on preconfigured Application policies, or you can create your own Application policies. For more information about the default users, groups, and application roles, see Working with Users, Groups, and Application Roles.
This section explains how to use Fusion Middleware Control to access the pages that manage application roles and application policies.
To display application policies and application roles using Fusion Middleware Control:
This section explains how to work with application roles, and how to create, delete, and manage application roles using Fusion Middleware Control.
In a new Oracle Business Intelligence deployment, you typically create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment based on either the sample application or the starter application might include three application roles: BIConsumer, BIContentAuthor, and BIServiceAdministrator. As a BI system administrator or service administrator, you should not change the application roles or the permission sets assigned to the application roles that have been delivered in a BAR file.
Oracle Business Intelligence application roles represent a role that a user has. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. The administrator of a service instance can create and modify application roles in your service instance. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to application roles.
Note:
Before creating a new application role and adding it to your Oracle Business Intelligence service instance, familiarize yourself with how permission and group inheritance works: a role that is a member of another application role inherits that role's grants. When constructing a role hierarchy it is important not to introduce circular dependencies. For more information, see Granting Permissions To Users Using Groups and Application Roles.
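The following is an added example, not part of the Oracle documentation, showing how to check a planned role hierarchy for circular membership before applying it, and how to compute which roles' grants a given role inherits. The membership map is constructed for illustration (the group names and the BIContentMarketing role are assumptions); in a real service instance you would build it from the output of the OPSS WLST command listAppRoleMembers.

```python
# Added example (not Oracle code): validate an application-role hierarchy.
# role_members maps each application role to the members granted to it as
# (principal_class, name) pairs.  Only members whose class is 'role' are
# edges in the hierarchy, because users and groups cannot contain roles.

def find_role_cycle(role_members):
    """Return a list of role names forming a cycle (first == last), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {}
    stack = []

    def visit(role):
        colour[role] = GREY
        stack.append(role)
        for kind, member in role_members.get(role, ()):
            if kind != 'role':
                continue
            state = colour.get(member, WHITE)
            if state == GREY:
                # back edge to a role still on the stack: that is the cycle
                return stack[stack.index(member):] + [member]
            if state == WHITE:
                found = visit(member)
                if found:
                    return found
        stack.pop()
        colour[role] = BLACK
        return None

    for role in list(role_members):
        if colour.get(role, WHITE) == WHITE:
            found = visit(role)
            if found:
                return found
    return None


def effective_roles(role_members, start):
    """Roles whose permission grants `start` inherits, transitively.

    In the OPSS model a role that is a *member* of another role receives
    that role's grants, so inheritance runs from member up to the role it
    belongs to; we therefore walk the reverse of the membership edges.
    """
    parents = {}
    for role, members in role_members.items():
        for kind, member in members:
            if kind == 'role':
                parents.setdefault(member, set()).add(role)
    seen, todo = set(), [start]
    while todo:
        r = todo.pop()
        for p in parents.get(r, ()):
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return seen


# Constructed sample: the three sample-application roles plus a new
# BIContentMarketing role made a member of BIConsumer (group names assumed).
SAMPLE_HIERARCHY = {
    'BIConsumer': [('group', 'BIConsumers'),
                   ('role', 'BIContentAuthor'),
                   ('role', 'BIContentMarketing')],
    'BIContentAuthor': [('group', 'BIAuthors'),
                        ('role', 'BIServiceAdministrator')],
    'BIServiceAdministrator': [('group', 'BIAdministrators')],
    'BIContentMarketing': [('group', 'BIMarketingGroup')],
}

# The same hierarchy after a mistaken edit that also makes BIConsumer a
# member of BIContentMarketing: every consumer would inherit marketing
# authoring grants, and the role graph is now circular.
BROKEN_HIERARCHY = dict(SAMPLE_HIERARCHY)
BROKEN_HIERARCHY['BIContentMarketing'] = [('group', 'BIMarketingGroup'),
                                          ('role', 'BIConsumer')]

if __name__ == '__main__':
    print('sample cycle:', find_role_cycle(SAMPLE_HIERARCHY))
    print('broken cycle:', find_role_cycle(BROKEN_HIERARCHY))
    print('BIServiceAdministrator inherits from:',
          sorted(effective_roles(SAMPLE_HIERARCHY, 'BIServiceAdministrator')))
```

Run the check against the planned hierarchy before granting any memberships; if a cycle is reported, the fix is to remove the membership that points back up the hierarchy, never to add a further role on top.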
For more information about creating application roles, see Managing the Policy Store in Securing Applications with Oracle Platform Security Services.
Note:
For advanced-level information about using a BI repository in offline mode, see Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic.
There are two methods for creating a new application role:
Membership for an application role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an application role are users, groups, and other application roles.
Permission and permission set grants are controlled in the Application Policies page in Fusion Middleware Control. The permission and permission set grant definitions are set in the application policy, then the application policy is granted to the application role. For more information, see Creating Application Policies Using Fusion Middleware Control.
To create a new application role:
For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.
The Oracle Business Intelligence application roles are displayed. The screenshot below shows the application roles page.
In the General section:
The application role just created displays in the table at the bottom of the page.
To create an application role based on an existing one:
You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.
You can create application policies based on the default application policies, or you can create your own application policies.
Application policies do not apply privileges to the metadata repository or Oracle BI Presentation Catalog objects and functionality.
All Oracle Business Intelligence permissions and permission sets are provided as part of the installation; you cannot create new permissions. The application policy is the mechanism that defines permission and permission set grants, and those grants are managed on the Fusion Middleware Control Application Policies page. An application role, user, or group is then assigned to the application policy, which makes that principal a grantee of the policy.
There are two methods for creating a new application policy:
Note:
Oracle Business Intelligence 12c makes use of permission sets as well as permissions. A permission set is a collection of permissions, also known as an entitlement. All of the permissions available with BI 12c are grouped into permission sets. When either the sample or the starter application is imported into a service instance, you will see the permission sets that have been assigned to the application roles. When an 11g upgrade bundle is imported into a service instance, you will see the permissions from your 11g system, supplemented by new permission sets assigned to the migrated application roles.
Note:
Fusion Middleware Control only allows you to view permission set grants; it does not allow you to change the permission set grants against an application role. Fusion Middleware Control does allow you to modify individual permission grants against application roles. In 12c, if you need to update permission set grants against an application role, you must use the WLST command line (see Managing Application Policies with WLST Commands in Securing Applications with Oracle Platform Security Services).
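As an added example (not Oracle's code), the WLST (Jython) script below performs the end-to-end setup for the BIContentMarketing role described earlier: it creates the role, makes it a member of BIConsumer so that it inherits the consumer grants, maps the directory group to it, and finally grants it a permission set, which is the one step Fusion Middleware Control cannot perform in 12c. The OPSS commands used (createAppRole, grantAppRole, grantEntitlement) and the principal class names are the documented OPSS WLST ones; the application stripe 'obi', the group name BIMarketingGroup, the admin server URL, and the entitlement name BIContentAuthorPermissionSet are assumptions, the last being a placeholder for whichever permission set listEntitlements reports on the role you want to mirror.

```python
# Added example (not Oracle code): WLST script that provisions a new
# application role, including the permission-set (entitlement) grant that
# Fusion Middleware Control cannot make.  Run under WLST, for example:
#   $DOMAIN_HOME/bitools/bin/wlst.sh setup_marketing_role.py apply
# Without the 'apply' argument the script only prints the planned calls.

import sys

APP_STRIPE = 'obi'   # assumption: policy-store stripe used by BI 12c
ROLE_CLASS = 'oracle.security.jps.service.policystore.ApplicationRole'
GROUP_CLASS = 'weblogic.security.principal.WLSGroupImpl'


def plan_role_setup(stripe, role, parent_role, group, entitlement):
    """Build the ordered list of (command, kwargs) OPSS WLST calls.

    Order matters: the role must exist before anything is granted to it,
    and the membership grants come before the entitlement grant so that a
    failure part-way leaves a role with fewer privileges than intended,
    never more.
    """
    return [
        ('createAppRole', dict(appStripe=stripe, appRoleName=role)),
        # new role becomes a member of parent_role and inherits its grants
        ('grantAppRole', dict(appStripe=stripe, appRoleName=parent_role,
                              principalClass=ROLE_CLASS, principalName=role)),
        # map the directory group (not individual users) to the new role
        ('grantAppRole', dict(appStripe=stripe, appRoleName=role,
                              principalClass=GROUP_CLASS, principalName=group)),
        # permission-set grant: WLST only in 12c
        ('grantEntitlement', dict(appStripe=stripe, principalClass=ROLE_CLASS,
                                  principalName=role, entitlementName=entitlement)),
    ]


def apply_plan(plan, executor):
    """Run each planned call through executor(name, kwargs).

    Stops at the first failure and returns (calls_done, error) so the
    caller can see exactly how far the policy-store change got and revert
    it (revokeAppRole / deleteAppRole) instead of re-running blindly.
    """
    done = []
    for name, kwargs in plan:
        try:
            executor(name, kwargs)
        except Exception as exc:
            return done, exc
        done.append(name)
    return done, None


def wlst_executor(name, kwargs):
    # OPSS commands are injected into the script's global namespace by WLST.
    globals()[name](**kwargs)


def format_call(name, kwargs):
    args = ', '.join('%s=%r' % kv for kv in sorted(kwargs.items()))
    return '%s(%s)' % (name, args)


if __name__ == '__main__':
    plan = plan_role_setup(APP_STRIPE, 'BIContentMarketing', 'BIConsumer',
                           'BIMarketingGroup', 'BIContentAuthorPermissionSet')
    for name, kwargs in plan:
        print(format_call(name, kwargs))
    if len(sys.argv) > 1 and sys.argv[1] == 'apply':
        # Omitting the credentials makes WLST prompt for them rather than
        # leaving an admin password in the script (URL is an assumption).
        connect(url='t3://bihost:9500')
        done, err = apply_plan(plan, wlst_executor)
        print('completed:', done, 'error:', err)
        disconnect()
```

Reviewing the printed plan before passing apply is the command-line equivalent of the caution given later about the administration role: the grants are applied to the live policy store, so confirm the role, parent role, group, and entitlement names against listAppRoles and listEntitlements output first.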
For more information about creating application policies, see Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.
To create a new application policy:
For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.
You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.
Selecting non-Oracle Business Intelligence permissions has no effect in the policy.
To create an application policy based on an existing one:
You can modify an application role by changing permission grants of the corresponding application policy (if the application role is a grantee of the application policy), or by changing its members, and by renaming or deleting the application role as follows:
For more information about managing application policies and application roles, see Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.
Use this procedure if you want to change the permission grants for an application role. This is done by adding or removing the permission grants for the application policy which the application role is a grantee of.
To add or remove permission grants from an application policy:
Members can be added to or deleted from an application role using Fusion Middleware Control. You must perform these tasks in the WebLogic Domain where Oracle Business Intelligence is installed (for example, bifoundation_domain). Valid members of an application role are users, groups, or other application roles; assigning a principal to an application role makes it a member of that role.
Best practice is to assign groups instead of individual users to application roles.
Note:
Be very careful when changing the permission grants and membership for the application role that is tagged as the administration application role, as changes to the permissions assigned to this application role could leave your system in an unusable state.
To add or remove members from an application role:
For additional information, see Managing Application Roles in Securing Applications with Oracle Platform Security Services.
You cannot directly rename an existing application role; you can only update the display name. To rename an application role you must create a new application role (using the same application policies used for the deleted application role), and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.
To rename an application role in the catalog and the metadata repository use the renameAppRoles command, as described in Rename Application Role Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.