About Authorization

Authorization is about ensuring users can do and see what they are authorized to do and see.

After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see what they are authorized to do and see. Authorization for Oracle Business Intelligence 12c is controlled by a security policy defined in terms of application roles.

About Application Roles

Application roles define the security policy for users.

Instead of defining the security policy in terms of users in groups in a directory server, Oracle Business Intelligence uses a role-based access control model. Security is defined in terms of application roles that are assigned to directory server groups and users. Examples of application roles are BIServiceAdministrator, BIConsumer, and BIContentAuthor.

An application role represents a functional role that a user has, and gives that user the privileges required to perform that role. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline.

This indirection between application roles and directory server users and groups allows the administrator for Oracle Business Intelligence to define the application roles and policies without creating additional users or groups in the corporate LDAP server. Instead, the administrator defines application roles that meet the authorization requirements and assigns those roles to preexisting users and groups in the corporate LDAP server.

In addition, the indirection afforded by application roles allows the artifacts of a business intelligence system to be easily moved between development, test and production environments. No change to the security policy is needed and all that is required is to assign the application roles to the users and groups available in the target environment.

The diagram below shows an example set of groups, users, application roles, permissions, and inheritance.

The diagram shows the following:

  • The group named BIConsumers contains User1, User2, and User3. Users in the group BIConsumers are assigned the application role BIConsumer, which enables the users to view reports.

  • The group named BIContentAuthors contains User4 and User5. Users in the group BIContentAuthors are assigned the application role BIContentAuthor, which enables the users to create reports.

  • The group named BIServiceAdministrators contains User6 and User7. Users in the group BIServiceAdministrators are assigned the application role BIServiceAdministrator, which enables the users to manage repositories.
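The indirection described above, modelled as an added example (not Oracle BI code or its API): application roles carry the permissions, and only the assignment of roles to groups changes between environments. The role inheritance chain, the production group names, and the users alice and bob are assumptions made for illustration.

```python
# Added illustration: a toy model, not Oracle BI code or its API.
# The policy (roles -> permissions, role inheritance) is environment-independent;
# only the role assignments differ between environments.

# Role -> permissions granted directly (taken from the example above).
ROLE_PERMISSIONS = {
    "BIConsumer": {"view reports"},
    "BIContentAuthor": {"create reports"},
    "BIServiceAdministrator": {"manage repositories"},
}
# Assumed inheritance chain (the page mentions inheritance but not its shape).
ROLE_INHERITS = {
    "BIContentAuthor": {"BIConsumer"},
    "BIServiceAdministrator": {"BIContentAuthor"},
}

def expand_roles(roles):
    """Return the given roles plus every role reachable through inheritance."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:  # also guards against inheritance cycles
            seen.add(role)
            stack.extend(ROLE_INHERITS.get(role, ()))
    return seen

def effective_permissions(user, directory, assignments):
    """directory: group -> users; assignments: principal (group or user) -> roles."""
    principals = {user} | {g for g, members in directory.items() if user in members}
    direct = set()
    for principal in principals:
        direct |= assignments.get(principal, set())
    perms = set()  # deny by default: no role, no permission
    for role in expand_roles(direct):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

# Development directory: groups and users from the example above.
DEV_DIRECTORY = {
    "BIConsumers": {"User1", "User2", "User3"},
    "BIContentAuthors": {"User4", "User5"},
    "BIServiceAdministrators": {"User6", "User7"},
}
DEV_ASSIGNMENTS = {
    "BIConsumers": {"BIConsumer"},
    "BIContentAuthors": {"BIContentAuthor"},
    "BIServiceAdministrators": {"BIServiceAdministrator"},
}
# Constructed production directory with different, preexisting group names.
PROD_DIRECTORY = {"SalesStaff": {"alice"}, "ReportDevs": {"bob"}}
PROD_ASSIGNMENTS = {"SalesStaff": {"BIConsumer"}, "ReportDevs": {"BIContentAuthor"}}
```

Moving from development to production replaces only the directory and the assignments; `ROLE_PERMISSIONS` and `ROLE_INHERITS` are untouched, and a user with no assigned role resolves to an empty permission set.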

About the Security Policy

The security policy is split across Oracle BI Presentation Services, the metadata repository, and the policy store.

The security policy definition is split across the following components:

  • Oracle BI Presentation Services

    Oracle BI Presentation Services defines the specific catalog objects and Oracle BI Presentation Services functionality that users can access with specific application roles. Access to functionality is defined in the Managing Privileges page for Oracle BI Presentation Services privileges, and access to Oracle BI Presentation Catalog objects is defined in the Permission dialog.

  • Repository

    The repository defines the metadata items in the repository that users can access when assigned specific application roles. You can define the security policy using the Oracle BI Administration Tool.

  • Policy Store

    The Policy Store defines the BI Server and Oracle BI Publisher functionality that users can access with specific application roles. In the default Oracle Business Intelligence configuration, the policy store is managed using Oracle Enterprise Manager Fusion Middleware Control or by using Oracle WebLogic Scripting Tool (WLST). See Securing Applications with Oracle Platform Security Services.

See Using Tools to Configure Security in Oracle Business Intelligence.