Object-level and data-level security are implemented in Oracle BI Applications using Duty Roles in the Policy Store. Duty Roles define a set of permissions granted typically to an Enterprise Role.
This figure illustrates how users are assigned to Enterprise Roles in the LDAP, which are associated with Duty Roles in the Policy Store.
Duty Roles are typically related to either data or object security. For example, the Oracle BI Applications repository (OracleBIAnalyticsApps.rpd) uses the following Duty Roles:
The HR Org-based Security Duty Role is used to control access to human resources data at the data security level.
The Human Resources Analyst Duty Role is used to control Presentation layer object visibility for the Human Resources Analyst role at the object security level.
The standard hierarchical structure of Duty Roles and users in Oracle BI Applications is typically the following: data security Duty Role, then object security Duty Role, then Enterprise Role (also called Group), then User. It is a best practice to use this structure when setting up security.
Security administrators can view, modify, and create Duty Roles in Oracle Enterprise Manager Fusion Middleware Control.
For example, BI User Fred has Enterprise Role 'Fixed Asset Accounting Manager EBS'. To provision Fred with security access for Fixed Assets Accounting reporting for EBS, you edit the BI Duty Role 'Fixed Asset Accounting Manager EBS' and add Enterprise Role 'Fixed Asset Accounting Manager EBS' as a Member.
Matching Pre-Configured Duty Roles with User Responsibilities
Pre-configured Duty Roles match responsibilities and roles in source operational applications, so that after authentication the correct roles can be applied. An administrator can check a user's responsibilities in the following ways:
In the Siebel or Oracle EBS operational applications, go to the Responsibilities view.
In PeopleSoft applications, go to the Roles view to check a user's roles.
In JD Edwards EnterpriseOne applications, go to the User Profiles application (P0092) to check a user's roles.
Individual users can view the list of Duty Roles to which they are assigned. In the Oracle BI Applications, select Signed In As, username, then My Account. Then, click the Roles and Catalog Groups tab to view the Duty Roles. In Presentation Services, Duty Roles are used to control the ability to perform actions (privileges) within Presentation Services.
For more information, refer to the system administrator for your source system.
Tools to View Pre-configured Duty Roles
You can use a number of BI tools to view pre-configured Duty Roles, as follows:
Oracle BI Administration Tool
To view pre-configured Duty Roles using Oracle BI Administration Tool, open the repository, select Manage, then Identity. Duty Roles are visible in the Identity Manager dialog in online mode. In offline mode, only Duty Roles that have had permissions, filters, or query limits set for them appear. For this reason, it is recommended that when you work with data access security in the Oracle BI Applications repository, you use online mode.
Oracle Enterprise Manager Fusion Middleware Control , see Viewing Duty Roles for Oracle BI Applications.
Oracle Authorization Policy Manager (APM) - In Oracle APM, navigate to the 'obi' Application and use the Search options to locate Duty Roles prefixed with 'OBIA_'. Select a Duty Role, then click Open to display the <Application> | Application Role dialog. Display the External Role Mapping tab, and check that the role list contains the appropriate Enterprise Roles.