What Security Levels Do Oracle BI Applications Use?

Security in Oracle BI Applications can be classified broadly into three levels.

  • Object-level security. Object-level security controls the visibility to business logical objects based on a user's role. You can set up object-level security for metadata repository objects, such as business models and subject areas, and for Web objects, such as dashboards and dashboard pages, which are defined in the Presentation Catalog.

  • Data-level security. Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system.

  • User-level security (authentication of users). User-level security refers to authentication and confirmation of the identity of a user based on the credentials provided.

About Object-Level Security

Duty Roles control access to metadata objects, such as subject areas, tables and columns. For example, users in a particular department can view only the subject areas that belong to their department.

Metadata Object-Level Security in the Oracle BI Repository

Metadata object security is configured in the Oracle BI Repository, using the Oracle BI Administration Tool. The Everyone Duty Role is denied access to each of the subject areas. Each subject area is configured to give explicit read access to selected related responsibilities. This access can be extended to tables and columns. By default in Oracle BI Applications, only permissions at the subject area level have been configured.


The Siebel Communications and Financial Analytics industry applications have tables and columns that are industry-specific, and, therefore, hidden from other Duty Roles.

Oracle Business Intelligence supports hierarchies within Duty Roles. In the policy store, there are certain Duty Roles that are parent Duty Roles, which define the behavior of all the child Duty Roles. Inheritance is used to enable permissions to ripple through to child Duty Roles.

Metadata Object-Level Security in Presentation Services

Access to Oracle BI Presentation Services objects, such as dashboards, pages, reports, and Web folders, is controlled using Duty Roles. To manage object-level security in Presentation Services, see Managing Presentation Services Privileges Using Application Roles in Security Guide for Oracle Business Intelligence Enterprise Edition.

About Data-Level Security

Data-level security defines what a user in an OLTP application can access inside a report. The same report, when run by two different users, can bring up different data. This is similar to how the My Opportunities view in an operational application displays different data for different users. However, the structure of the report is the same for all users, unless a user does not have access to the report subject area, in which case the report displays an error.

During installation and configuration, you must make sure the correct Duty Roles and initialization blocks are set up for your environment.

Initialization Blocks Used for Data-Level Security in Oracle BI Applications

Initialization blocks are deployed as part of your configuration using guidance provided in FSM tasks. See Setting Up Security with Functional Setup Manager.

To use FSM tasks, see Roadmap for Functional Configuration in Oracle Business Intelligence Applications Configuration Guide.

To use initialization blocks in Oracle Business Intelligence, see Working with Initialization Blocks in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition and Setting Up Authorization Using Initialization Blocks in Security Guide for Oracle Business Intelligence Enterprise Edition.

About Data-Level Security Design in Oracle BI Applications

Oracle BI Applications maintains data-level security Duty Roles that are assigned dynamically to every user at the session level. Each Duty Role has a set of filters associated with it that determines the data that each user is allowed to see. A user is assigned a Duty Role through the Authorization initialization block.

The data security design has the following features:

  • Drill down. The user can drill down on a particular position in the position hierarchy to slice the data by the next position level in the hierarchy. For example, if the initial report is defined as:

    select Top Level Position, Revenue from RevenueStar

    then by drilling down on a value of MyPosition in the TopLevelPosition hierarchy, the report will become:

    Select Level8 Position, Revenue, where TopLevelPosition = 'MyPosition'
  • Personalized reports. Users at different levels of the Position hierarchy can use the same Position-based reports but with each user seeing the data corresponding to his or her level. In such reports, Position is a dynamic column.

    For example, if a report is defined as:

    select Position, Revenue from RevenueStar

    the logical query for the user at the top level of the hierarchy will be:

    select Top Level Position, Revenue from RevenueStar

    The logical query for the user at the next level of the hierarchy will be:

    select Level8 Position, Revenue from RevenueStar
  • CURRENT Position hierarchy columns. Position hierarchy columns with the prefix CURRENT contain the Current Position hierarchy at any point of time. This feature allows users to see the same data associated with the employee holding the Current Employee position at the time the report runs. This type of Analysis is called As Is.

  • Additional Position hierarchy columns. The columns EMP_LOGIN and EMPLOYEE_FULL_NAME are used at every level of the Position hierarchy to store additional information about an employee holding a particular position. In the Logical layer, the Employee path and Position path are two drill down paths under the Position hierarchy that allow the user to drill down on a position to see all positions under it. It also allows an employee to see all the employees reporting to him or her.

Implementing Data-Level Security in the Oracle BI Repository

Data-level security in Oracle BI Applications is implemented in three major steps.

  1. Set up initialization blocks that obtain specific security-related information when a user logs in, for example, the user's hierarchy level in the organization hierarchy, or the user's responsibilities.

    Initialization blocks obtain Dimension Ids for each user session in order to restrict row-level access to factual or dimensional data. See About Data-Level Security for a description of the preconfigured initialization blocks.

  2. Set up the joins to the appropriate security tables in the metadata physical and logical layers.
  3. Set up the data filters for each Duty Role on each logical table that needs to be secured.

    See Applying Data Access Security to Repository Objects in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

About User-Level Security

User security concerns the authentication and confirmation of the identity of the user based on the credentials provided, such as user name and password. By default, user-level security is set up in the embedded Oracle WebLogic Server LDAP and Policy Store in Oracle BI EE.

See Working with the Default Users, Groups, and Application Roles in Security Guide for Oracle Business Intelligence Enterprise Edition.