These topics explain how to deploy Oracle Business Intelligence security using the embedded WebLogic LDAP Server with the sample application.
By deploying the default embedded WebLogic LDAP Server with the sample application, you can use its default users, groups, and application roles. You can also develop your own users, groups, and application roles.
Example of Users, Groups, and Application Roles Security Setup
Managing Users and Groups in the Embedded WebLogic LDAP Server
Managing Application Roles and Application Policies Using Fusion Middleware Control
Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
Managing Presentation Services Privileges Using Application Roles
Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store
Using runcat to Manage Security Tasks in the Oracle BI Presentation Catalog
You can migrate users (with their encrypted passwords), groups, roles and policies from the embedded WebLogic LDAP server and into another one. See Exporting and Importing Information in the Embedded LDAP Server in Administering Security for Oracle WebLogic Server.
When you configure Oracle Business Intelligence with the Sample Application that is made available with the BI installation, a number of application roles are provided for you to use in order to provision users and groups that enable you to use BI functionality and access BI folders, reports, data columns and other objects.
For example, following a new installation of Oracle Business Intelligence, if you have selected to populate your initial service instance using the Sample Application, the user specified for creating the BI domain during the configuration step is assigned to the BIServiceAdministrator application role. In addition, the Sample Application provides the BIContentAuthor and BIConsumer application roles; these application roles are preconfigured to work together. For example, a user who is a member of the BIServiceAdministrator application role automatically inherits the BIContentAuthor and BIConsumer application roles and is therefore provisioned with all the privileges and permissions associated with all of these application roles. See Understanding the Default Security Configuration for this security configuration.
The Sample Application roles have appropriate permissions and privileges to enable them to work with the sample Oracle BI Presentation Catalog, BI Repository, and Policy Store. For example, the application role BIContentAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.
The screen below shows application roles, groups and users that are preconfigured in the sample and starter applications installation.
When you initially configure your BI domain, a service instance is created based on one of the BI application archive (BAR) files that are included with the BI installation. Each BI application contains an application role that is tagged as the administration application role. The name of this administration application role is determined by the developer or author of the BI application archive. In the case of the sample, starter and empty applications available with the BI installation this administration application role is called BIServiceAdministrator. The authors of these applications have assigned specific permission sets and privileges to this application role to enable members of this application role to administer the system. When the BI service instance is created the BI system administrator specifies an owner (a user) for the service instance. The system assigns the administration application role to the service instance owner whenever a BI archive file is imported into the service instance.
Note:
When importing an 11g upgrade bundle into a 12c service instance, the system automatically tags the BIAdministrator application role as the administration application role.
See Installing and Configuring Oracle Business Intelligence and importServiceInstance in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
You can use the sample application roles to deploy security. You can then create your own groups and application roles to meet your business needs. For example:
This example uses a small set of users, groups, and application roles to illustrate how you might set up a security model. In this example, you want to implement the following:
The diagram shows the users, groups, and application roles that you would deploy to implement this example security model.
The diagram shows the following:
See:
This section explains how to manage users and groups in the Embedded WebLogic LDAP Server, and contains the following topics:
You can extend the security model by creating users, and assigning the users to new groups, and application roles.
For example, you can create a user named, Jim, and assign Jim to the BIMarketingGroup group that is assigned to an application role named BIMarketingRole.
The process for assigning a user to a group, and an application role is as follows:
You typically create a separate user for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, 3 report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 users, which you would then assign to appropriate groups.
All users who are able to log in are given a basic level of operational permissions conferred by the built-in Authenticated User application role. The author of the BI application that is imported into your service instance might have designed the security policy so that all authenticated users are members of an application role that grants privileges in the BI application. See Security Configuration Using the Sample Application.
DefaultAuthenticator is the name for the default authentication provider.
You can create a separate group for each functional type of business user in your Oracle Business Intelligence environment.
A typical deployment might require three groups: BIConsumers, BIContentAuthors, and BIServiceAdministrators. You could create groups with those names and configure the group to use with Oracle Business Intelligence, or you might create your own custom groups.
See Example of Users, Groups, and Application Roles Security Setup.
DefaultAuthenticator is the default authentication provider.
You typically assign each user to an appropriate group. For example, a typical deployment might require user IDs created for report consumers to be assigned to a group named BIConsumers. In this case, you could either assign the users to the default group named BIConsumers, or you could assign the users to your own custom group that you have created.
See Example of Users, Groups, and Application Roles Security Setup and Using Oracle WebLogic Server Administration Console.
When a user is no longer required you must completely remove their user ID from the system to prevent an identical, newly-created user from inheriting the old user's access permissions. This situation can occur because authentication and access permissions are associated with user ID.
You delete a user by removing the user from the policy store, the Oracle BI Presentation Catalog, the metadata repository, and the identity store.
See Delete Users Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
If you are using an identity store other than Oracle WebLogic Server LDAP, follow the appropriate instructions for your identity store.
If you have assigned the user to any application roles, you must update the application roles to remove all references to that user.
deleteusers command.
Perform this optional task to change the default password for a user.
If you change the password of the system user, you also need to change it in the credential store.
Application roles and application policies provide permissions for users and groups.
After creating a service instance or importing a BI application archive (BAR) file into a service instance, you should check the security policy in the service instance to ensure that users and groups from your Identity Store are mapped correctly to the application roles defined in the service instance. Each BI application archive file can contain its own security policy. As a best practice, check the security policy on your service instance after importing a BI application archive file.
A BI application archive file that has the BI metadata for an application contains pre-defined application roles that you can use to provision users with permissions. For example, the sample application contains the application roles, BIConsumer, BIContentAuthor, and BIServiceAdministrator. To provision users with permissions and privileges, you map users and groups from the Identity Store, usually an LDAP directory, to the defined application roles.
Important:
You use Oracle Enterprise Manager Fusion Middleware Control to manage operations on permission grants. You must use Oracle WebLogic Scripting Tool (WLST) commands to perform operations on permission set grants. See grantEntitlement and revokeEntitlement. See OPSS Security Store WLST Commands in Oracle Fusion Middleware WLST Command Reference for Infrastructure Security guide.
If you want to create a more complex or fine grained security model, you can create your own application roles and application policies. For example, you might want to limit report authors in a Marketing department to write-access only to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. You can create a new application role, called BIContentMarketing, and provide the role with appropriate privileges.
See:
Creating and Deleting Application Roles Using Fusion Middleware Control.
You can create application roles based on preconfigured Application policies, or you can create your own Application policies. See Working with Users, Groups, and Application Roles.
You can display application policies and application roles that are assigned to permission set grants in Fusion Middleware Control.
Fusion Middleware Control displays permission grants and permission set grants. You can only carry out operations on the permission grants. If you add a permission grant to your application role using Fusion Middleware Control, you can delete the application role through Fusion Middleware Control.
You need to use WLST commands to manage permission set grants. See OPSS Security Store WLST Commands in Fusion Middleware WLST Command Reference for Infrastructure Security.
Use Fusion Middleware Control to create, delete, and manage application roles.
In a new Oracle Business Intelligence deployment, you create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a deployment based on the sample application or the starter application might include the BIConsumer, BIContentAuthor, and BIServiceAdministrator application roles. As a BI system administrator or service administrator, you should not change the application roles or the permission sets assigned to the application roles that have been delivered in a BAR file.
Oracle Business Intelligence application roles represent a role that is assigned to a user. For example, the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. The service instance administrator can create and modify application roles. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without changing the groups defined in the corporate directory server. To control authorization requirements, you can then assign existing groups of users from the directory server to application roles.
Before creating a new application role and adding the application role to your Oracle Business Intelligence service instance, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. See Granting Permissions To Users Using Groups and Application Roles.
See Managing the Policy Store in Securing Applications with Oracle Platform Security Services.
See Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic.
Create application roles in Fusion Middleware Control using these steps.
You can also add members to the application role. See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.
You can create application roles by copying an existing role; see Creating Application Roles From Existing Roles.
Valid members of an application role are users, groups, and other application roles.
Membership for an application role is controlled using the Application Roles page in Fusion Middleware Control.
The permission and permission set grant definitions are set in the application policy, and the application policy is then granted to the application role; see Creating Application Policies Using Fusion Middleware Control. Permission and permission set grants are displayed in the Application Policies page in Fusion Middleware Control.
You can create an application role by copying an existing application role.
The copy contains the same members as the original, and is made a grantee of the same application policy as is the original. You can make modifications to customize the new application role.
See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.
You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.
See Displaying Application Policies and Application Roles Using Fusion Middleware Control.
Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.
You must not delete an application role without first consulting your system administrator.
You can create application policies based on the default application policies, or you can create your own application policies.
Oracle Business Intelligence Enterprise Edition 12c uses permission sets as well as permissions. A permission set is a collection of permissions, also known as an entitlement. All of the permissions available with Oracle BI EE 12c are grouped into permission sets. When the sample or starter application is imported into a service instance, you see the permission sets that have been assigned to the application roles. When an Oracle BI EE 11g upgrade bundle is imported into a service instance, you see the permissions from your Oracle BI EE 11g system, supplemented by new permission sets assigned to the migrated application roles.
Fusion Middleware Control only allows you to view permission set grants. It does not allow you to change the permission set grants against an application role. In Fusion Middleware Control, you can modify permission grants against application roles. In Oracle BI EE 12c, if you need to update permission set grants against an application role, you need to use the WLST command line; see Managing Policies with WLST in Securing Applications with Oracle Platform Security Services.
You can create an application policy based on an existing application policy.
The Principal represents the name of the policy grantee.
You can modify an application role by changing permission set grants of the corresponding application policy, if the application role is a grantee of the application policy, or by changing its members, and by renaming or deleting the application role as follows:
See Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.
Use this procedure to change the permission grants for an application role by adding the application role to an application policy using Fusion Middleware Control.
You can add or delete members from an application role using Fusion Middleware Control.
You must perform these tasks in the WebLogic domain where Oracle Business Intelligence is installed, for example, in bifoundation_domain. Valid members of an application role are users, groups, or other application roles.
Assign groups instead of individual users to application roles as a best practice, and then assign users to the groups.
Note:
Be very careful when changing the permission grants and membership for the application role that is tagged as the administration application role, as changes to the permissions assigned to this application role could leave your system in an unusable state.
See Displaying Application Policies and Application Roles Using Fusion Middleware Control.
See Managing Application Roles in Securing Applications with Oracle Platform Security Services.
You cannot directly rename an existing application role. You can only update the display name.
To rename an application role you must create a new application role using the same application policies used for the deleted application role, and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.
To rename an application role in the catalog and the metadata repository, use the renameAppRoles command, as described in Rename Application Role Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
You use Identity Manager in the Oracle BI Administration Tool to manage permissions for application roles, and set access privileges for objects such as subject areas and tables.
Use the Oracle BI Administration Tool to configure security in the Oracle BI repository:
The data model for your service instance includes a security policy that defines permissions for accessing different parts of the data model, such as columns and subject areas.
The author of your data model uses the administration tool to maintain this security policy including assigning data model permissions to application roles.
When you create a service instance or import a BI application archive file into a service instance, the security policy for the data model is imported from the BI application archive file.
See Setting Presentation Services Privileges for Application Roles, and Setting Permissions Using Command-Line Tools in XML Schema Reference for Oracle Business Intelligence Enterprise Edition.
Best practice is to modify permissions for application roles, not modify permissions for individual users.
To view the permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and the permissions for the selected object.
Application role definitions are maintained in the policy store and any changes must be made using the administrative interface.
The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays application role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever the BI Server restarts; if a mismatch in data is found, an error message is displayed.
While working with a repository in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual application role. You cannot create an actual application role in the Administration Tool. You can create an application role only in the policy store, using the administrative interface available for managing the policy store.
An application role must be defined in the policy store for each application role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Administration Tool interface. Always create a corresponding application role in the policy store before bringing the repository back online when using role placeholders in offline repository development.
The catalog for your service instance includes a security policy for Presentation Services privileges. These privileges confer permissions for accessing specific Presentation Services functionality such as access to answers, access to dashboards as well as permissions on catalog objects such as folders and analyses.
When you create a service instance or import a BI application archive file into a service instance, the security policy for the catalog, Presentation Services Privileges, is imported from the BI application archive file. The service administrator can modify the catalog security policy.
You use application roles to manage privileges.
When groups are assigned to application roles, the group members are automatically granted associated privileges in Presentation Services. This is in addition to the Oracle Business Intelligence permissions.
Tip:
A list of application roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.
About Presentation Services Privileges
Presentation Services privileges are managed in the Presentation Services Administration Manage Privileges page, and they grant or deny access to Presentation Services features, such as the creation of analyses and dashboards. Presentation Services privileges have no effect in other Oracle Business Intelligence components.
Being a member of an application role that has been assigned Presentation Services privileges will grant those privileges to the user. The Presentation Services privileges assigned to application roles can be modified by adding or removing privilege grants using the Manage Privileges page in Presentation Services Administration.
Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.
If you create an application role, you must set appropriate Presentation Services privileges to enable users with the application role to perform various functional tasks.
For example, you might want users with an application role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named Create Invoke Action.
Presentation Services privileges cannot be assigned using the administrative interfaces used to manage the policy store. If you create a new application role to grant Oracle Business Intelligence permissions, then you must set Presentation Services privileges for the new role in addition to any Oracle Business Intelligence permissions.
Note:
You can assign Presentation Services privileges to a new application role programmatically; see SecurityService Service in Integrator's Guide for Oracle Business Intelligence Enterprise Edition.
If you log in as a user without Administrator privileges, the Administration option is not displayed.
Explicitly denying a Presentation Services permission takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.
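The resolution rules described above (privileges inherited through group membership and the application-role hierarchy, an explicit deny overriding any inherited grant, and the requirement that the role hierarchy contain no circular dependencies) as an added illustration that is not Oracle's code; the users, groups, roles and privilege grants below are constructed sample data modelled on the sample application.

```python
# Added example, not Oracle's code: a small model of how a user's effective
# Presentation Services privileges are resolved through groups and an
# application-role hierarchy, with explicit denies taking precedence over
# grants inherited from any group or role, and with a check that the role
# hierarchy contains no circular dependencies.
from collections import deque

# Constructed sample identity store and policy (hypothetical, modelled on the
# sample application: BIServiceAdministrator inherits BIContentAuthor, which
# inherits BIConsumer; Jim's BIMarketingGroup maps to BIMarketingRole).
USER_GROUPS = {
    "jim": {"BIMarketingGroup"},
    "weblogic": {"BIServiceAdministrators"},
}
GROUP_ROLES = {
    "BIMarketingGroup": {"BIMarketingRole"},
    "BIServiceAdministrators": {"BIServiceAdministrator"},
}
# role -> application roles it is a member of (and therefore inherits from)
ROLE_PARENTS = {
    "BIServiceAdministrator": {"BIContentAuthor"},
    "BIContentAuthor": {"BIConsumer"},
    "BIMarketingRole": {"BIConsumer"},
    "BIConsumer": set(),
}
# privilege -> {principal: "granted" | "denied"}; the Scorecard deny on
# BIMarketingRole is constructed to show deny precedence over the inherited grant.
PRIVILEGES = {
    "Create Invoke Action": {"BIContentAuthor": "granted"},
    "Access to Scorecard": {"BIConsumer": "granted", "BIMarketingRole": "denied"},
    "Access to Dashboards": {"BIConsumer": "granted"},
}


def check_role_hierarchy(role_parents):
    """Raise ValueError naming the cycle if role membership is circular."""
    visiting, done = set(), set()

    def visit(role, path):
        visiting.add(role)
        for parent in role_parents.get(role, ()):
            if parent in visiting:
                raise ValueError("circular role dependency: " + " -> ".join(path + [parent]))
            if parent not in done:
                visit(parent, path + [parent])
        visiting.discard(role)
        done.add(role)

    for role in role_parents:
        if role not in done:
            visit(role, [role])


def effective_roles(user, user_groups=USER_GROUPS, group_roles=GROUP_ROLES,
                    role_parents=ROLE_PARENTS):
    """Roles held directly through groups plus every role inherited from them."""
    check_role_hierarchy(role_parents)
    roles = {"Authenticated User"}  # built-in role held by every logged-in user
    queue = deque(r for g in user_groups.get(user, ()) for r in group_roles.get(g, ()))
    while queue:
        role = queue.popleft()
        if role not in roles:
            roles.add(role)
            queue.extend(role_parents.get(role, ()))
    return roles


def has_privilege(user, privilege, privileges=PRIVILEGES, **stores):
    """An explicit deny on any held role wins over any grant, inherited or direct."""
    acl = privileges.get(privilege, {})
    decisions = {acl[r] for r in effective_roles(user, **stores) if r in acl}
    if "denied" in decisions:
        return False
    return "granted" in decisions


if __name__ == "__main__":
    for user in USER_GROUPS:
        for priv in PRIVILEGES:
            verdict = "allow" if has_privilege(user, priv) else "deny"
            print(f"{user:9} {priv:22} {verdict}")
```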
Existing Catalog groups are migrated during the upgrade process. Moving an existing Oracle BI Presentation Catalog security configuration to the role-based Oracle Fusion Middleware security model requires that each Catalog group be replaced with a corresponding application role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding application role that grants the same Oracle BI Presentation Catalog privileges. You can then delete the original Catalog group from Presentation Services.
For example, to administer the privilege named Access to Scorecard for the application role named BIConsumer, you would click the BIConsumer link next to Access to Scorecard.
Use the Privilege <privilege_name> dialog to add application roles to the list of permissions, and grant and revoke permissions from application roles. For example, to grant the selected privilege to an application role, you must add the application role to the Permissions list.
The BI Server and Presentation Services client support industry-standard security for login and password encryption.
When an end user enters a user name and password in a web browser, the BI Server uses the Hypertext Transfer Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit) to prevent unauthorized users from accessing data or Oracle Business Intelligence metadata.
At the database level, Oracle Business Intelligence administrative users can implement database security and authentication. Proprietary key-based encryption provides security to prevent unauthorized users from accessing the metadata repository.
You manage the data source access permissions stored in BI Publisher, using the BI Publisher Administration pages.
Data source access permissions control application role access to data sources. A user must be assigned to an application role which is granted specific data source access permissions that enable the user to perform the following tasks:
See Granting Data Access in Administrator's Guide for Oracle Business Intelligence Publisher.
Use this procedure to enable high availability in a clustered environment when using the default WebLogic LDAP identity store.
Configure the virtualize attribute to enable high availability of the default embedded Oracle WebLogic Server LDAP identity store in a clustered environment. When you set the virtualize attribute value to true, Oracle BI EE processes look to their local managed server where the processes can authenticate and perform lookups against a local copy of the embedded default Oracle WebLogic Server LDAP identity store.
Use lowercase for the property name virtualize. Use uppercase for the property name OPTIMIZE_SEARCH.
You can invoke the command line utility on supported platforms for Oracle Business Intelligence such as Windows, Linux, IBM-AIX, Sun Solaris, and HP-UX.
Enter a command such as the following one on Linux for assistance in using the command line utility:
./runcat.sh -help
Use the following syntax to convert a permission for a catalog group into a permission for an application role.
runcat.cmd/runcat.sh -cmd replaceAccountInPermissions -old <catalog_group_name> -oldType group -new <application_role_name> -newType role -offline <catalog_path>
See Opening an Oracle BI Presentation Catalog in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
Reporting on Users Privileges for a Set of Oracle BI Presentation Catalog Items
Use the following syntax to report on all privileges in the Oracle BI Presentation Catalog, and who has those privileges. For example:
runcat.cmd/runcat.sh -cmd report -online http://localhost:8080/analytics/saw.dll -credentials c:/oracle/catmancredentials.properties -outputFile c:/temp/report.txt -delimiter "\t" -folder "/system/privs" -mustHavePrivilege -type "Security ACL" -fields "Path:Accounts" "Must Have Privilege"
For help use the following command:
runcat.sh -cmd report -help