Managing Security for Users of Oracle BI Presentation Services

System administrators must configure a business intelligence system to ensure that all functionality (including administrative functionality) is secured so that only authorized users can access the system to perform appropriate operations. Administrators also must be able to configure the system to secure all middle-tier communications.

This overview section contains the following topics:

Security Settings in Oracle BI Presentation Services

Security settings that affect users of Presentation Services are made in the following Oracle Business Intelligence components:

  • Use the Oracle BI Administration Tool to perform the following tasks:

    • Set permissions for business models, tables, columns, and subject areas.

    • Specify database access for each user.

    • Specify filters to limit the data accessible by users.

    • Set authentication options.

  • Oracle BI Presentation Services Administration enables setting privileges for users to access features and functions such as editing views and creating agents and prompts.

  • Oracle BI Presentation Services enables assigning permissions for objects in the Oracle BI Presentation Catalog.

    In previous releases, you could assign permissions to objects from the Presentation Services Administration pages. In this release, you set permissions either in the Catalog Manager or the Catalog page of Presentation Services. See User's Guide for Oracle Business Intelligence Enterprise Edition for information on assigning permissions in Presentation Services.

  • The Catalog Manager enables setting permissions for Oracle BI Presentation Catalog objects. See Configuring and Managing the Presentation Catalog in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

Note:

Security Administrators should advise report users not to edit Subject Area security privileges within Oracle BI Answers. The Security Administrator should enforce data security.

What Are the Security Goals in Oracle BI Presentation Services?

When maintaining security in Presentation Services, you must ensure the following:

  • Only the appropriate users can sign in and access Presentation Services. You must assign sign-in rights and authenticate users through the BI Server.

    Authentication is the process of using a user name and password to identify someone who is logging on. Authenticated users are then given appropriate authorization to access a system, in this case Presentation Services. Presentation Services does not have its own authentication system; it relies on the authentication system that it inherits from the BI Server.

    All users who sign in to Presentation Services are granted the AuthenticatedUser Role and any other roles that they were assigned in Fusion Middleware Control.

    For information about authentication, see About Authentication.

  • Users can access only the objects that are appropriate to them. You apply access control in the form of permissions, as described in User's Guide for Oracle Business Intelligence Enterprise Edition.

  • Users have the ability to access features and functions that are appropriate to them. You apply user rights in the form of privileges. Example privileges are "Edit system wide column formats" and "Create agents."

    Users are either granted or denied a specific privilege. These associations are created in a privilege assignment table, as described in Managing Presentation Services Privileges.

You can configure Oracle Business Intelligence to use the single sign-on feature from the web server. Presentation Services can use this feature when obtaining information for end users. For complete information on single sign-on, see Enabling SSO Authentication.

How Are Permissions and Privileges Assigned to Users?

When you assign permissions and privileges in Presentation Services, you can assign them in one of the following ways:

  • To application roles — This is the recommended way of assigning permissions and privileges. Application roles provide much easier maintenance of users and their assignments. An application role defines a set of permissions granted to a user or group that has that role in the system's identity store. An application role is assigned in accordance with specific conditions. As such, application roles are granted dynamically based on the conditions present at the time authentication occurs.

    See About Application Roles.

  • To individual users — You can assign permissions and privileges to specific users, but such assignments can be more difficult to maintain and so this approach is not recommended.