6
Controlling User Access to Reports

Access control enables you to restrict user access to reports that are run on Oracle Reports Services. Oracle Reports Services uses WebDB to perform a security check that ensures that users have the necessary privileges to run reports on restricted Oracle Reports Services and printers. Access control determines the following:

• What report definition files, Oracle Reports Services, and printers are restricted.

• Who has access privileges to run requested reports on a restricted Oracle Reports Services and output to a restricted printer.

• When report definition files, Oracle Reports Services, and printers are available to run.

• How report output is delivered by restricting report request options (that is, required and optional parameters) that are available to users at runtime. This includes specifying Oracle Reports Services and printers that are available to users.

WebDB stores information about the report definition file (that is, how to run the report) as a packaged procedure. In order to run a report, WebDB also needs to store access control information about the restricted Oracle Reports Services that accepts the request, and any printers that are used to print report output. These access controls are added using Reports Services Security wizards in WebDB. Only users who have Reports Services system administrator privileges can add access controls in WebDB.

You can make report requests available to users on the Web by doing the following:

• Adding a link as a WebDB component to a WebDB site that points to the report's packaged procedure. See Section 6.3.8, "Step 8. Making the Report Available to Users" for more information about this method.

• Scheduling a request to run automatically and push the report output to a WebDB site for users to view. See Section 6.3.9, "Step 9. Scheduling the Report to Run and Push the Output to a WebDB Site" for more information.

• Adding standard URL syntax to a Web site as a hyperlink. See Section 5.4, "Specifying Report Requests" for more information.

  Note: System administrators can run report requests from Reports Services Security in WebDB. See Section 6.3.7, "Step 7. Setting Parameter Values on the Reports Services Parameter Form" for more information.

6.1 Access Control Configuration and Setup Overview

This section describes how to configure Oracle Reports Services for access control and how to add access information in WebDB that will be used to run report requests to restricted Oracle Reports Services.

The steps below assume that you have already configured Oracle Reports Services using Web CGI or Servlet. See Chapter 4, "Configuring Oracle Reports Services on Sun SPARC Solaris" for more information. See Section 6.3, "Setting Up Access Controls in WebDB" for a detailed example on implementing access control in Reports Services.

6.1.1 Installing and Configuring Reports Services Security

To install and configure Reports Services security you need to configure WebDB for Reports Services security.

6.1.2 Setting up Access Control

To set up access control, you do the following:

1. Configure Oracle Reports Services for access control.

2. Create user accounts.

3. Optionally, create availability calendars in WebDB.

4. Add access to the printer in WebDB.

5. Add access to Oracle Reports Services in WebDB.

6. Add access to the report definition file in WebDB and create a packaged procedure.

   You can batch register multiple reports in WebDB using the Reports Services Batch Registering utility. Refer to the Reports Services Batch Registering Reports technical white paper located on the OTN (http://technet.oracle.com).

7. Set parameter values on the Parameter Form.

8. Publish the report request on a WebDB site.

9. Optionally, schedule the report to run and push the output to a WebDB site.

6.2 Installing and Configuring Reports Security in WebDB

Installing and configuring the Reports Services Security in WebDB involves installing WebDB and Oracle Reports Services Security feature, and then setting the authentication cookie domain.

Once Oracle Reports Services Security is installed and configured in WebDB, see Section 6.3, "Setting Up Access Controls in WebDB" for information on configuring Oracle Reports Services for access control and adding access to Oracle Reports Services, reports, and printers in WebDB.

6.2.1 Step 1. Configuring Reports Security in WebDB

You must do the following to install and configure the Reports Services Security feature in WebDB:

• Install WebDB release 2.2 or later.

• Install Reports Security feature in WebDB.

• Set the authentication cookie domain.

6.2.1.1 Installing WebDB

Install WebDB into an Oracle 7.3.4, Oracle 8.0.5, or Oracle 8i database if it has not been installed already. Refer to the Oracle WebDB Getting Started-Installation and Tutorial manual for more information.

6.2.1.2 Installing Oracle Reports Services Security Packages in WebDB

You can install Oracle Reports Services security packages from any machine (for example, where your WebDB or your Oracle Reports Services is installed).

1. If you want to install just Oracle Reports Services security packages, then start the Oracle Installer and choose the Custom Installation. From the Available Products list box, expand the Oracle Reports Developer node and choose Reports Server Security Packages. Refer to the Getting Started manual for more information about the installation process.

2. When the installation is complete, run the SQL script that installs the security packages in WebDB:
   • For Windows NT, choose Install Reports Developer Security from the Oracle Reports Developer Admin menu.

   • For UNIX, go to the ORACLE_HOME/REPORT60/SERVER/SECURITY directory and type the following at the command line:

     sqlplus /nolog @rwwwvins.sql
     
     

3. Type the following at the Enter Connection String prompt to log on to the WebDB schema (username/password@database).

   Table 6-1 Connection to Log on to the WebDB Schema

   Field	Description
   username	A user name with DBA privileges that logs you on to the WebDB schema. Contact your DBA if you cannot log on to the WebDB schema.
   password	A password that logs you on to the WebDB schema.
   database	The name of the database that connects you to the WebDB schema.

4. When the SQL script is complete, start WebDB and log on to the WebDB schema.

5. Click Administrator at the main menu. You should see the Reports Developer Security menu item.

6.2.1.3 Setting the Authentication Cookie Domain

You set the authentication cookie domain so that the cookie can send the authentication information to Oracle Reports Services where the report is sent. Click on and do the following:

For WebDB online help on this task, click the help button on the title bar... Click and type... authentication cookie Click Find andthen click... Setting the authentication cookie to display the topic.

On the machine where WebDB is installed:

1. Open the wdbsvr.cfg file in a text editor (located in the ORACLE_HOME\LISTENER\CFG directory). Under the [SERVER] section, set the configuration parameter using the following syntax, where my_company.com is the domain name of the Oracle Reports Services

   ORCookieDomain=my_company.com
   
   

2. Save your changes and close the configuration file.

6.3 Setting Up Access Controls in WebDB

This example provides step-by-step instructions that will help you configure your Oracle Reports Services for access control. You will add access to the report definition file, Oracle Reports Services, and printer in WebDB. Finally, you will publish the report request on a WebDB site so that authorized users can run this restricted report.

This example assumes the following:

• Oracle Reports Services is configured using the Web CGI configuration.

• A printer that Oracle Reports Services can recognize must be installed and running.

• The Reports Services system administrator has WebDB site administrator privileges. This enables the Reports Services system administrator to add items to a WebDB site and grant Manage Item privileges to other users.

• You have access to the security.rdf. This report generates a 401K report for employees. Information about this report will be added in WebDB. This file is provided for you in the ORACLE_HOME\TOOLS\DOC60\US\RBBR60 directory.

• You must be able to access the Oracle Reports Services demo tables to run the security.rdf file on Oracle Reports Services. Use the demo CD that came with your product package to install the SQL scripts that are used to install the demo tables in your database. These SQL scripts can be run from the Start->Programs menu.

The 401K report that you add access to in WebDB contains vested 401K portfolio information of four fictional employees. You want to restrict access to this confidential report only to these four employees. Further, you want to ensure that the requesting employee can access only his personal information, not other employees' information. This can be achieved by doing the following:

• Restrict user access to the report itself. For the purposes of this example, you will create a user account for Jeff Abers, one of the 401K participants, and then give this user access to the report.

• Restrict authorized users access to only their personal information. Users with access to run the report will need to enter the correct last name and social security number combination to retrieve their personal 401K summary. The security.rdf report was built with two user parameters: last name and social security number (SSN). In WebDB, you will build a Runtime Parameter form that contains a list of values of the last names of 401K participants and an unrestricted parameter for the social security number.

Suppose that Jeff Abers wants to review his 401K investments. On the Runtime Parameter Form, in addition to the destination parameters, he will need to choose his last name from a list of values and then enter his social security number. When he runs the report, he must log on. WebDB checks that he has the access privileges needed to run the report. If he logs on successfully, then Oracle Reports Services processes the request. If he entered the correct last name and social security number combination, then his personal 401K report is delivered as requested.

6.3.1 Step 1. Configuring Oracle Reports Services for Access Control

Oracle Reports Services must be installed and configured before you can perform this step. See Chapter 4, "Configuring Oracle Reports Services on Sun SPARC Solaris" for information.

To configure Oracle Reports Services for access control, you will do the following:

• Create a TNS names alias that connects to WebDB.

• Restrict access to Oracle Reports Services.

6.3.1.1 Creating the TNS Names Alias that Connects to WebDB

You need to create a TNS names alias for WebDB in the tnsnames.ora file on the machine where Oracle Reports Services is installed. This enables Oracle Reports Services to communicate with WebDB.

You can create the TNS names alias using the Net8 Easy Config tool, or you can create one by editing the tnsnames.ora file in a text editor.

To create TNS names alias, you will need the following information:

• A TNS names alias for the WebDB instance.

• The host name of the database where WebDB is installed.

• The port number of the database where WebDB is installed.

• The System Identifier (SID) of the database where WebDB is installed.

You can find the host name, port number, and SID in the tnsnames.ora file in the ORACLE_HOME\NETWORK\ADMIN directory on the machine where the database is installed.

On Oracle Reports Services machine:

1. Do one of the following:
   • Start Net 8 Easy Config (if it is installed on your machine) and follow the instructions on the wizard to help you create the TNS names alias.

   • Open the tnsname.ora file located in the ORACLE_HOME\NET80\ADMIN directory. Go to step 2.

   If you installed Oracle Reports Services Security feature from your Oracle Reports Services machine, then a TNS names alias for WebDB has already been created for you. You can skip this step and go to Section 6.3.1.2, "Restricting Access to Oracle Reports Services".

2. Add the following TNS names alias to connect to WebDB:

   sec_rep.world =
     (DESCRIPTION =
       (ADDRESS =
             (PROTOCOL = TCP)
             (HOST = my_pc.my_domain)
             (PORT = 1521)
       )
       (CONNECT_DATA = (SID = ORCL)
       )
     )
   
   

   where:

   sec_rep.world	is the name of the WebDB server instance.
   .world	is the domain specified in the NAMES.DEFAULT_DOMAIN setting in the sqlnet.ora file. If the NAMES.DEFAULT_DOMAIN setting is not defined in the sqlnet.ora, then omit .world from the name of the server instance.
   TCP	is the protocol address information.
   my_pc.my_domain	is the host name or IP address of the machine where WebDB is installed.
   1521	is the port number to the database where WebDB is installed.
   ORCL	is the Oracle System Identifier for the database where WebDB is installed.

3. Save and close the tnsnames.ora file.

6.3.1.2 Restricting Access to Oracle Reports Services

To restrict access to Oracle Reports Services, you set the SECURITYTNSNAME parameter in Oracle Reports Services configuration file. Once set, access control is enforced. Users will be required to authenticate themselves to run report requests to this restricted Oracle Reports Services.

To run a report request, access to the report definition file must be added in WebDB. If you want to run unrestricted report requests, then ensure the Run Only Registered Report Definition Files option is unchecked in the Server Access wizard in WebDB for this Oracle Reports Services. Users, however, will still need to authenticate themselves to the Reports Services to run the report.

On Oracle Reports Services machine, do the following:

1. Open the repserver.ora configuration file (located in the ORACLE_HOME\REPORT60\SERVER directory) in a text editor. Set the SECURTYTNSNAME parameter using the following syntax, where sec_rep is the TNS names alias of the WebDB server instance defined in the tnsnames.ora file:

   SECURITYTNSNAME="sec_rep"
   
   

2. Save and close Oracle Reports Services configuration file.

3. Stop and restart Oracle Reports Services to accept the changes made to Oracle Reports Services configuration file.

6.3.2 Step 2. Creating User Accounts

You will need to create the following users accounts:

• The Oracle Reports Services system administrator to create and maintain access controls for the restricted Oracle Reports Services, report definition files, and printers. See Section 6.3.2.1, "Creating the Reports Services System Administrator User Account". Once you create the Reports Services system administrator, you can start creating access controls for Oracle Reports Services, report definition files, and printers you want to restrict.

• Any user who will be given access privileges to run a restricted report to a restricted Oracle Reports Services and printer. See Section 6.3.2.2, "Creating Users Accounts for Running Reports". You can create user accounts at anytime. However, if you are restricting access to Oracle Reports Services, report definition files, or printers, and know which users should have access to them, then it is best to create the users accounts first.

6.3.2.1 Creating the Reports Services System Administrator User Account

In order to perform security administration in WebDB, you must have a user account that is assigned the RW_ADMINISTRATOR role. Only those users with the RW_ADMINISTRATOR role can access Reports Services Security wizards in WebDB. In addition, you must have BUILD IN privileges to the schema that will own the report's packaged procedure and any list of values (LOV) that you might create. If you have a user account with DBA privileges, then you can create user accounts. Otherwise, contact your DBA and request that user accounts be created. Click on and do the following:

For WebDB online help on this task, click the help button on the title bar... Click and type... Creating user accounts. Click Find and then click... Creating user accounts to display the topic.

Note: It is possible that the packaged procedures and the parameter list of values that you create might be owned by different schemas. You might need BUILD IN privileges to more than one schema.

To add a report item to a WebDB site, a WebDB site must be created. If you will be responsible for creating the WebDB site, then you must be a DBA with Execute privileges on the SYS.DBMS_SQL packaged procedure with the Grant option. This privilege will allow you to create the site and grant Manage Item privileges to other users.

If someone else is the site administrator, then you must be given Own, Manage Item, or Create With Approval privileges for the folder that you want to add items to. Contact the DBA or site administrator for more information.

6.3.2.2 Creating Users Accounts for Running Reports

Any users who will be given access privileges to run report requests must have a user account that WebDB can recognize. Reports Services has four predefined roles that can be assigned to users. Each role gives users access to certain administrative controls, such as monitoring jobs or viewing error messages. By default, Reports Services basic user functions (that is, the RW_BASIC_USER role) are implied if users are not assigned specific Reports Services roles.

If you have a user account with DBA privileges, then you can create user accounts. Otherwise, contact your DBA and request that user accounts be created. Click on and do the following:

For WebDB online help on this task, click the help button on the title bar... Click and type... Creating user accounts. Click Find and then click... Creating user accounts to display the topic.

For this exercise, create or request a user account for Jeff Abers, one of the employees who participates in the 401K plan. His user account should be JABERS. He is assigned the basic user role. Contact your DBA to create user accounts for those users who require access privileges to run report requests. Assign users Reports Services roles as needed.

If the JABERS user account already exists, then append your initials to it (for example, JABERSAA).

6.3.3 Step 3. Creating Availability Calendars

An availability calendar determines when report definition files, Oracle Reports Services, and printers are available for processing.

You can create two types of availability calendars:

• A simple availability calendar defines a single availability rule (for example, daily, Sunday through Saturday from 12:00 a.m. to 10:00 p.m.).

• A combined availability calendar combines two or more availability calendars (for example, combining the daily calendar with a maintenance calendar) into a single availability calendar.

You can associate only one availability calendar with a report definition file, Oracle Reports Services, or printer. If your production environment requires more than one availability rule, then you will need to combine availability calendars.

Availability calendars are not necessary if the reports definition files, Oracle Reports Services, and printers are always available for processing.

In this exercise, you will create a production calendar that determines the availability for every day of the week, days with scheduled maintenance, and holidays. To do this, you will create the following availability calendars:

• Daily calendar with an availability period of every Sunday through Saturday from 12:00 a.m. to 10:00 p.m.

• Maintenance calendar with an availability period of every Saturday from 3:00 p.m. to 10:00 p.m.

• Christmas calendar with an availability period starting on December 25 at 12:00 a.m. and ending on December 26 at 12:00 a.m.

• Production calendar that combines all the above calendars, and then excludes the maintenance and Christmas calendars. Excluding these calendars prohibits processing based on their availability rules.

6.3.3.1 Creating the Daily Calendar

You will create a daily calendar with an availability period of Sunday through Saturday from 12:00 a.m. to 10:00 p.m.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Access WebDB and log on as the Reports Services system administrator. You must be logged on as the Reports Services system administrator to access the Reports Services Security wizards.

2. On the Oracle WebDB home page, click Administer. You also can click from the navigation toolbar on any WebDB page to access the Administer page.

3. On the Administer page, click Reports Developer Security.

4. On the Reports Services Security page, Click Availability Calendars.

5. On the Availability Calendars page, click the Simple Availability Calendar option to create a new calendar.

6. Click Create to create the simple Availability calendar.

7. On the Simple Availability Calendar page, type Daily as the Calendar Name. If the Daily calendar already exists, then append your initials to it (for example, DailyAA).

8. Click .

9. On the Date/Time Availability page, specify today's date as the start month, date, and year, and 12:00 a.m. as the start time.

10. Specify today's date as the end month, date, and year, and 10:00 p.m. as the end time.

11. Choose Daily as the Repeat option. This will repeat the duration pattern every day. For example, if the start date is Monday, January 4, 2000, then this pattern will repeat every day starting on this date until the pattern is terminated.

12. Click .

13. Optionally, on the Simple Availability Calendar Summary page, click Show Calendar to view a visual representation of the daily calendar. Green indicates availability. Close the calendar when you are finished reviewing it.

14. Click .

15. On the Create Simple Availability calendar page, click OK to create the calendar.

6.3.3.2 Creating the Maintenance Calendar

You will create a maintenance calendar with an availability period of every Saturday from 3:00 p.m. to 10:00 p.m. In a later step, you will add this calendar to the Production calendar and then exclude it to prohibit processing based on the date and time specified.

1. From the Availability Calendars page, click the Simple Availability Calendar option to create a calendar.

2. Click Create.

3. On the Simple Availability Calendar page, type Maintenance as the Calendar Name. If the Maintenance calendar already exists, then append your initials to it (for example, MaintenanceAA).

4. Click .

5. Follow steps 9-15 in Section 6.3.3.1, "Creating the Daily Calendar" to define the following availability rule:

   Table 6-2 Maintenance Calendar Rule

   Field	Value
   Duration Start	Specify a date starting on a Saturday (for example, January 8, 2000), and time starting at 3:00 p.m.
   Duration End	Specify the same date defined as the start date, and time ending at 10:00 p.m.
   Repeat	Choose Weekly.

6.3.3.3 Creating the Christmas Calendar

You will create a Christmas calendar with an availability period of every December 25 from 12:00 a.m. to December 26 at 12:00 a.m. In a later step, you will add this calendar to the Production calendar and then exclude it to prohibit processing based on the date and time specified.

1. From the Availability Calendar page, click the Simple Availability Calendar option to create the third calendar.

2. Click Create.

3. On the Simple Availability Calendar page, type Christmas as the Calendar Name. If the Christmas calendar already exists, then append your initials to it (for example, ChristmasAA).

4. Click .

5. Follow steps 9-15 in Section 6.3.3.1, "Creating the Daily Calendar" to define the following rule:

   Table 6-3 Christmas Calendar Rule

   Field	Value
   Duration Start	Specify December 25 and 12:00 a.m.
   Duration End	Specify December 26 and 12:00 a.m.
   Repeat	Choose Yearly.

6.3.3.4 Creating a Combined Availability Calendar

In this exercise, you will create a Production calendar that combines the Daily, Maintenance, and Christmas calendars, then excludes the Maintenance and Christmas calendars, which prohibits processing based on their availability rules.

1. From the Availability Calendar page, click the Combined Availability Calendar option to create the calendar that will combine the three calendars you created into one.

2. Click Create.

3. On the Combined Availability Calendar page, type Production as the Calendar Name. If the Production calendar already exists, then append your initials to it (for example, ProductionAA).

4. Click .

5. On the Select Availability Calendars page, ctrl-click the Daily, Maintenance and Christmas calendars from the Availability Calendars list box.

6. Click to move the selected calendars to the Selected Availability Calendars list box, or click to select all available calendars.

7. Click .

8. On the Exclude Availability Calendars, ctrl-click the Maintenance and Christmas calendars in the Availability Calendars list box.

9. Click to move the Maintenance and Christmas calendars to the Excluded Availability Calendars list box. Doing so prohibits processing on the date and time specified in each calendar.

10. Click .

11. On the Combined Availability Calendar Summary page, click Show Calendar to view a visual representation of the availability calendar. Green indicates availability. Close the calendar when you are finished reviewing it.

    It is a good practice to check the combined calendar at this point. You can verify that the calendars you prohibited processing on are excluded during the period specified. Scroll to December to ensure that December 25 is excluded from processing. Choose the Day option and scroll to a Saturday to ensure that processing is unavailable from 3 p.m.

12. Click .

13. On the Create Combined Availability Calendar page, click OK to create the Production calendar in WebDB.

6.3.4 Step 4. Adding Access to a Reports Services Printer in WebDB

Printer Access defines the following:

• What printer is available in WebDB to print report output.

• Who has access privileges to print output to this printer.

• When this printer is available to print report requests.

  Prerequisite: You must already have a printer that Reports Services can recognize installed and running. Refer to the DESNAME and DESFORMAT command line arguments described in Appendix A, "RWCLI60 Command Line Arguments" for more information.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Click Reports Developer Security from the link history, which is located just above the navigation toolbar.

2. On the Reports Developer Security page, click Printer Access.

3. Click Create to add printer access to WebDB.

4. On the Printer Name page, type Reports_Printer in the Printer Name field. If this printer name already exists, then append your initials to it (for example, Reports_PrinterAA).

5. Type the operating system name of the printer in the OS Printer Name field (for example, the OS printer name in Windows NT might be \\net_machine\my_printer). Refer to your operating system's documentation for more information.

6. Click .

7. On the Users and Roles page, choose JABERS and your Reports Services system administrator user account from the All Users list box to specify who can output reports to this printer.

8. Click to move this user to the Selected Users list box.

9. Click .

10. On the Availability Calendar page, type Production as the availability calendar, or click to find the availability calendar. If you want to make this printer available all the time, then do not specify a calendar.

11. Click .

12. On the Add Printer Access page, click OK to add access to this printer in WebDB.

6.3.5 Step 5. Adding Access to Oracle Reports Services in WebDB

Oracle Reports Services Access defines the following in WebDB:

• What Oracle Reports Services is available in WebDB for processing requests.

• What printer is available to Oracle Reports Services.

• Who has access privileges to send report requests to this Oracle Reports Services.

• When this Oracle Reports Services is available to accept report requests.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Click Reports Developer Security from the link history.

2. At the Reports Developer Security page, click Server Access.

3. Click Create.

4. On the Server Name and Printers page, type Repserver in the Server Name field. If this server name already exists, then append your initials to it (for example, RepserverAA).

5. Type repserver in the Reports Server TNS Name field. The Reports Services TNS name is Oracle Reports Services entry name that is added to the tnsname.ora file when you installed and configured Oracle Reports Services. See Chapter 4, "Configuring Oracle Reports Services on Sun SPARC Solaris" for more information.

6. Type the Reports Services Web Gateway URL in lowercase:

   http://my_webserver/cgi-bin/rwcgi60.exe
   
   

   The Reports Services Web Gateway URL is determined by the virtual location of the Web CGI.

7. Choose the Reports_Printer from the Printers list box.

8. Click .

9. On the Users and Roles page, choose JABERS and your Reports Services system administrator user account from the All Users list box to specify who can access this server.

   Be sure that you select the same users who have been given access to the printer.

10. Click to move this user to the Selected Users list box.

11. Click .

12. On the Availability Calendar page, type Production as the availability calendar, or click to find the availability calendar. If you want to make this server available all the time, then do not specify a calendar.

13. Click .

14. On the Add Server Access page, click OK to add server access to WebDB.

6.3.6 Step 6. Adding Access to the Report Definition File in WebDB

Report Definition File Access defines the following in WebDB:

• What Reports Services .RDF, .REP, or .XML file you want to make accessible in WebDB.

• Who has access privileges to run this report definition file.

• When this report definition file is available to run.

• How report output is delivered by restricting the report request options (that is, required and option parameters) that are available to users at runtime. This includes specifying Oracle Reports Services and printers that are available to users.

In this exercise, you will restrict access to the security.rdf file (located in the ORACLE_HOME\TOOLS\DOC60\US\RBBR60 directory) in WebDB based on the following information:

• Destination type is restricted to Cache and Printer.

• Destination format is restricted to HTMLCSS and PDF.

• P_LASTNAME user parameter is restricted to a list of values defined in WebDB.

• P_SSN user parameter is used to validate the social security number and last name pair.

• COPIES system parameter is restricted to two copies preventing users from printing more than two copies of their report.

• USERID system parameter is restricted so that users can save database logon information in the Runtime Parameter Form. Specifying the USERID as a restricted parameter is necessary if you want users to schedule their reports to run automatically.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

6.3.6.1 Creating a List of Values for the Lastname User Parameter

If you want users to select values from a list of values for any system or user parameters you define on the Optional Parameters page, then you must create this list in WebDB.

Recall that the security.rdf report gathers information about the vested portfolios of employees participating in the company's 401K plan. You want to restrict access to only those employees who participate in the plan. In this exercise, you will create a list of values for the P_Lastname user parameter that lists the last names of these employees.

If you are not publishing the report request on a WebDB site, then creating a list of values in WebDB is not necessary. You can create a list of values in Report Builder using the Parameter Form editor. Click on and do the following:

For Report Builder online help on this task, choose Help->Report Builder Help Topics On the Index page, type... parameter, list of values. Then click Display to view help topic... Creating a list of values (LOV) for a parameter.

1. Click from the navigation toolbar.

2. At the Shared Components menu, click Lists of Values (LOV).

3. Choose the Static - Static Values option, and then click Create LOV.

4. On the Create Static List of Values page, choose a schema as the Owning Schema of this LOV.

5. Choose PUBLIC from the Privileges list box so that all users have access to this LOV.

6. Type LASTNAME_LOV as the name of LOV. If this LOV already exists, then append your initials to it (for example, LASTNAME_LOVAA).

7. Choose Combo Box as the Default Format.

8. Enter the following values in the table:

   Table 6-4 Static List of Values

   Display Value	Return Value	Display Order
   Abers	Abers	1
   Costner	Costner	2
   Matsumoko	Matsumoko	3
   Williams	Williams	4

9. Click Add LOV.

10. From the Manage List of Values page, the newly created LOV is displayed in the Recently Edited List of Values section. If you want to test the LOV, then you can do so here.

6.3.6.2 Adding Access the Report Definition File

If you back out of the wizard page (that is, click Back on your Web browser), then you will lose the settings you defined on that page. If you need to make changes, then first create the packaged procedure for the report by completing the wizard. Then, edit the package by clicking Edit on the Manage Component page.

1. Click from the navigation toolbar and click Reports Developer Security.

2. On the Reports Developer Security page, click Report Definition File Access.

3. Click Create.

4. On the Report Name and Schema page, choose a schema from the Owner list box. The schema that you choose will own this packaged procedure for this report.

5. Type Investment_Report in the Report Name field. The report name cannot be prefaced with numeric characters (for example, 401K_report is an invalid file name and my_401K_report is valid). If this report name already exists, then append your initials to it (for example, Investment_ReportAA).

6. Choose repserver from the Reports Servers list box.

7. Type security.rdf as the Reports Services File Name. Ensure Oracle Reports Services can find this report definition file. The report's source path must be set in the SOURCEDIR parameter in Oracle Reports Services configuration, or must be set in the REPORTS60_PATH environment variable.

8. Click .

9. On the Users and Roles page, choose JABERS and your Reports Services system administrator user account from the All Users list box to specify who can run this report. Ensure that you choose the same users who have been given access to the printer and Oracle Reports Services.

10. Click to move this user to the Selected Users list box.

11. Click .

12. On the Availability Calendar page, type Production as the availability calendar, or click to find the availability calendar. If you want to make this report definition file available all the time, then do not specify a calendar.

13. Click .

14. On the Required Parameters page, ctrl-click Cache and Printer from the Types list box.

15. Shift-click HTMLCSS and PDF from the Formats list box.

16. Choose Reports_Printer from the Printers list box. If the printer you defined does not appear, then you might have entered an incorrect OS Printer Name when you created access to your printer. Finish creating this report definition file package. It is likely that an invalid package will be created. Return to the Printer Access wizard and edit access to the Reports_Printer. After you edit the printer access. Return to the Report Definition File Access wizard, edit the report definition file access for this report, then create a new package.

17. Optionally, choose another Parameter form template. The template you choose determines the page style on which the Runtime Parameter Form is displayed.

18. Click .

19. On the Optional Parameters page, type P_LASTNAME in the Parameter Name column. When users run this report at runtime, they will be required to select a last name to run the report. The P_LASTNAME is the name of the parameter defined in report. Open the security.rdf file in Report Builder and view the parameters in the Parameter Form editor to determine the parameter's name.

20. Type LASTNAME_LOV in the LOV column to enable users to choose the last name of the 401K participant from a list of values, or click to find the LOV.

21. Type P_SSN in the second row of the Parameter Name column to require users to type their social security number in the Runtime Parameter Form.

22. Type COPIES in the third row of the Parameter Name column to restrict the number of copies the user can print when outputting the report to a printer.

23. Type 1 in the Low Value column.

24. Type 2 in the High Value column.

25. Type USERID in the fourth row of the Parameter Name column. This enables users to specify the database that they can connect to if they want to schedule the report to run automatically.

26. Click twice to skip the Validation Trigger page.

27. At the Add Report Definition File Access page, click OK to create the packaged procedure for this report. When the package is created, the Manage Component page appears. From this page, you can edit the report access, run the report, or set up the Parameter Form. The next exercise explains how to set the default parameter values in the Parameter Form that are used to run the report.

    If an invalid package is created, then you will be unable to proceed to the next step. Verify the access controls that you defined for the printer, Oracle Reports Services, and report. Make the necessary changes and then try to create a valid production package for this report definition file.

    To edit access to the report definition file, click from the navigation toolbar. At the Reports Developer Security menu, choose Report Definition File Access. Then, to access the Manage Component page for a particular report, find the report or choose the report from the Recently Edited Report Definition File section. At the Manage Component page, click Edit.

6.3.7 Step 7. Setting Parameter Values on the Reports Services Parameter Form

As the Reports Services system administrator, you can run the restricted report request you just created to ensure that it will run as expected. You also can set the default parameters that will be available to users at runtime. You can run and set default parameter values from the Manage Component page.

6.3.7.1 Running the Report Output to Cache

In this exercise and the next, you will choose parameters values to run the report to cache for debugging purposes, not to set the default values that will be available to users at runtime. You will set the default values in Section 6.3.7.3, "Setting the Default Parameters for Users at Runtime".

1. On the Manage Component page, click Parameters to set the default parameters and choose the parameters that will be visible on the Runtime Parameter Form.

   To access the Manage Component page, click . At the Reports Developer Security menu, choose Report Definition File Access. Then, find the report or choose the report from the Recently Edited Report Definition File section.

2. On the Reports Services Parameter Form, set the following parameters:

   Table 6-5 Parameter Form Settings for Debugging Cache Output

   Parameter	Value
   Server	repserver
   Printer	Reports_Printer
   Destype	Cache
   Desformat	HTMLCSS
   Desname	blank
   Copies	1
   P_LASTNAME	Abers
   P_SSN	559014203
   USERID	username/password@my_db where username/password@my_db is the user name and password for the database you want to connect to.

   CAUTION: When setting parameter values for debugging purposes, be sure to delete (or not save) any confidential parameter values, such as social security numbers, from this Parameter Form. Otherwise, this confidential information will be made public when you add this report request to a WebDB site.

3. Click Run Report to run the report as requested.

6.3.7.2 Running the Report Output to a Restricted Printer (Optional)

Following are the steps you would follow if you want to run report output to a restricted printer:

1. If you want to send the output to the printer, then return to the Manage Component page and click Parameters.

2. At the Reports Services Parameter Form, choose the following parameter values:

   Table 6-6 Parameter Form Settings for Debugging Printer Output

   Parameter	Value
   Server	repserver
   Printer	Reports_Printer
   Destype	Printer
   Desformat	PDF
   Desname	defaults to the printer name
   Copies	1
   P_LASTNAME	Abers
   P_SSN	559014203
   USERID	username/password@my_db where username/password@my_db is the user name and password for the database you want to connect to.

3. Click Run Report.

4. Click OK when a message appears stating that the report was printed successfully.

6.3.7.3 Setting the Default Parameters for Users at Runtime

Once you are satisfied that the report can run based on the restrictions imposed, you can set the default parameter values and choose the parameters that will be available to users on the Runtime Parameter Form.

1. On the Reports Services Parameter Form, set the following parameters:

   Table 6-7 Default Parameter Settings for Users

   Parameter	Default Value	Visible to User
   Server	repserver	No
   Printer	Reports_Printer	No
   Destype	Cache	Yes
   Desformat	HTMLCSS	Yes
   Desname	blank	No
   COPIES	1	Yes
   P_LASTNAME	blank	Yes
   P_SSN	Type your SSN	Yes
   USERID	Type the database logon	Yes

   You might want to make parameters visible to users on the Runtime Parameter Form only when they need to take an action on the parameter (that is, select or input a value) to run the request. In this case, the Server and Printer parameters are restricted to one server and printer. The Desname parameter is populated automatically with the printer name when Printer is chosen as the Destination type. These parameters do not require user input to run the report.

   When users run the report from a WebDB site, they can set the default parameters values available to them on the Runtime Parameter Form to their personal preferences. See Section 6.3.8, "Step 8. Making the Report Available to Users" for more information.

2. Click Save Parameters to save the changes made to this Parameter Form.

6.3.8 Step 8. Making the Report Available to Users

You make the report available to users in a WebDB site by adding a link as a WebDB component that points to the INVESTMENT_REPORT packaged procedure.

6.3.8.1 Creating a WebDB Site

Create a WebDB site if it has not already been created. Click on and do the following:

For WebDB online help on this task, click the help button on the title bar... Click and type... web site. Click Find and click... Creating web sites to display the topic.

To create a WebDB site, the Reports Services system administrator will need to have site administrator privileges (that is, a DBA with execute privileges on the SYS.DBMS_SQL packaged procedure with the Grant option). If someone else is the site administrator, then ask that person to create the WebDB site.

6.3.8.2 Creating a Folder in the WebDB Site

You will create the folder in which the report's packaged procedure is added. By default this folder and any items that are added to it are available only to the owner of the folder (that is, the Reports Services system administrator). You can make the folder available to all users (that is, to public users) or available only to users who have been given access to it. You will restrict access to this folder only to the users who have access privileges to run this report (that is, JABERS).

If you make a folder public, then PUBLIC users (that is, users who have not logged on to the WebDB site) can access the report's Parameter/Scheduling form and might unknowingly save their personal information to it. Subsequent PUBLIC users will see this confidential information. To prevent this from happening, it is best to restrict access to the folder to those users who have access to run the report. Users must log on to access the restricted folder. Once logged on, the information they save on the Parameters/Scheduling form is secured (that is, only they can view it).

Click to access context-sensitive help for the current wizard page. Click on the title bar to access theWebDB help system.

1. From your Web browser, type the URL of the WebDB site. For example:

   http://my_webdb_server.com:1111/my_webdb_site
   
   

   If you have site administrator privileges to create a site, then click from the navigation toolbar on any WebDB page to access the Sites page. Click Site Home Page to access the WebDB site.

2. Log on as the Reports Services system administrator.

   To add a WebDB component to a WebDB site, your Reports Services system administrator user account must have site administrator privileges (that is, a DBA with execute privileges on the SYS.DBMS_SQL packaged procedure with the Grant option). If you do not have site administrator privileges, then you must have Own, Manage Item, or Create with Approval privileges for the folders in which the component is being added. Contact your DBA or site administrator for more information.

3. At the WebDB Site home page, click .

4. Click to add a new folder to your site.

5. On the Folder Manager page, type Benefits as the internal folder name of the new folder.

6. Type Benefits as the title of the folder that will be displayed in the WebDB site. If the Benefits folder has already been created by another user, then append your initials to the folder name (for example, BenefitsAA).

7. Click Create to create the folder.

8. Choose Benefits from the list box.

9. Click Edit.

10. Click the Users tab.

11. On the Benefits page, type JABERS as the Name of the user you want to have access to this folder.

12. Click Add to Access list. Notice that JABER is listed in the User Access List with view privileges. Keep this default.

13. Click to return to the Benefits folder.

6.3.8.3 Adding the Report Request to the Folder

To add the report request to the folder, do the following:

1. On the Benefits, click to access the Item wizard and add the report request to this folder.

2. On the Add an Item page, choose WebDB Component as the Item Type.

3. Choose Regular Item as the Display Option.

4. Click Next.

5. On the WebDB Component page, choose WEBDB.INVESTMENT_REPORT from the list box, where WEBDB is the name of the schema that owns this report's package procedure for the 401K report.

6. Type Investment Summary Report as the Title.

7. Choose General as the Category.

8. Type Restricted 401K Report in the Description text box.

9. Click Next.

10. On the second WebDB Component page, choose the Display Parameter Form option.

11. Click Finish. A link to the packaged procedure that contains the report request appears in the Benefits folder.

6.3.8.4 Running the Report as a User

You will run this report as JABERS, not as the Reports Services system administrator. In this exercise, you will set your default parameter settings for Jeff Abers and then run the report.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Click Log Off on the navigation bar to log off as the Reports Services system administrator.

2. Click Log On to log on as JABERS.

3. Click Site Map to access the Benefits folder.

4. Click Benefits folder.

5. In the Benefits folder, click Investment Summary Report.

6. On the Parameters/Scheduling page, choose the following parameters:

   Table 6-8 User's Default Parameter Settings

   Parameter	Default value
   Destype	Cache
   Desformat	HTMLCSS
   COPIES	1
   P_LASTNAME	Abers
   P_SSN	559014203
   USERID	username/password@my_db where username/password@my_db is the user name and password for the database you want to connect to.

7. Click Save Parameters to save your personalized settings.

   The default settings saved here are the ones that are accessible only to this user. If you (or someone else) logged on as a different user, then the default settings defined by the Reports Services system administrator would display. That user could then personalize her or his own settings.

8. Click Run Report.

6.3.9 Step 9. Scheduling the Report to Run and Push the Output to a WebDB Site

Suppose that Jeff Abers only wants to review his 401K investments once a month. Further, he prefers to have this report run automatically and pushed to his own personal folder by 9:00 a.m. on the last Friday of every month. First, you will create Jeff's own personal folder (that is, one that only his user account can access). Then, you will schedule the report to run automatically.

Prerequisite: You must have already completed the exercise in Section 6.3.8, "Step 8. Making the Report Available to Users".

6.3.9.1 Creating a Personal Folder

To ensure that only the specified user can access his or her own personal reports, the user (that is, you are logged on as JABERS for this exercise) can create her or his own personal folder.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Access the WebDB site from your Web browser, and log on as JABERS if you have not already done so.

2. Click Administration from the navigation bar.

3. Under the Access Managers section, click Personal Information.

4. Check the Create Personal Folder box. If the Create Personal Folder box does not appear, then your personal folder has already been created.

5. Type personal information as desired.

6. Click .

You are the owner of your personal folder. No one else can access it unless you give them permission to do so. You are ready to schedule the 401K report to run automatically and push to the JABERS personal folder.

6.3.9.2 Scheduling the Report

In this exercise, you will schedule the report to run every last Friday of the month at 9:00 a.m. You also want to retain historical records of your 401K results for two months.

Click to access context-sensitive help for the current wizard page. Click on the title bar to access the WebDB help system.

1. Click Site Map from the navigation bar. You should be logged on as JABERS.

2. Click the Benefits folder.

3. Click Investment Summary Report. If the default parameters have not been set, then go to Section 6.3.8.4, "Running the Report as a User" and set the default parameters.

4. On the Parameters/Scheduling page, click Schedule.

5. Choose to start the job at 9:00 a.m. on today's date. If you want to run the report immediately, then choose the Immediately option.

6. Choose the following Repeat option:

   Last Friday of each month on or before the 30 th.

   Rather than waiting until the end of the month for the report to run, set the repeat option to repeat every n hours. Once you are satisfied that the report output can be pushed successfully to the result folder, reset the repeat pattern.

7. Set the following output destination options:

   Table 6-9 Output Destination Settings

   Field	Value
   Site	The name of the WebDB site in which the Result folder is located.
   Log File Folder	JABERS
   Result Title	My 401K Report
   Result Folder	JABERS
   Overwrite Previous Result	uncheck
   Expiration	60 days

   CAUTION: The names of the Log File Folder and Result Folder are case-sensitive. If want your report output and status information to be pushed to an existing folder, then you must type the exact folder name. If you mistype the folder names, then WebDB will not be able to find them, and by default will add the named folders to the Reports Services Output and Reports Services Status folders. By default, these folders are given public access (that is, all users will be able to view your personal report). Exercise care when defining these folders.

8. Click Submit. A message stating that the report was successfully scheduled appears. If you scheduled the report to run immediately, then the report output is displayed in your browser.

9. Click OK. The job will run based on its scheduled date, time, and repeat pattern.

6.3.9.3 Viewing the Pushed Report Output

To view the pushed report output, do the following:

1. Click Site Map from the navigation bar. You are still logged on as JABERS.

2. Click JABERS to open the folder.

3. Click My 401K Report to view the report.

Notice that in addition to a link to the report itself, a link to status information about the report is also available. Use this status link to help you troubleshoot any problems you might have running this scheduled report. Depending on the Reports Services role (for example, RW_BASIC_USER) this user is assigned, you might see different status details. If users are having problems scheduling and running their reports, then they should contact the Reports Services system administrator for help.

6.3.9.4 Optional Exercise

Suppose that the Human Resource director asked you (the Reports Services system administrator) to make a stock report available to all employees. You want to run this stock report automatically every morning so that employees can monitor the status of certain stocks. This report will be pushed to a public folder from which all employees can view it.

Use the exercises in this chapter to help you add access to the template.rdf report (located in the ORACLE_HOME\TOOLS\DOC60\US\RBBR60 directory) in WebDB.

Since you (as the Reports Services system administrator) will be scheduling this report to run and push to a public folder, this report needs to be accessible only to the Reports Services system administrator.

Add this report's packaged procedure to the Benefits folder as a WebDB component. Then, schedule this report to run every morning at 10:00 a.m. pushing the report output to a new folder called Stocks.

The Stock folder must be set up to display for public users.

6.4 Summary

You have successfully configured Oracle Reports Services for access control. In this chapter, you learned how to do the following:

• Create availability calendars to determine when reports, Oracle Reports Services, and printers are available for processing.

• Add access to printers, Oracle Reports Services, and report definition files in WebDB by restricting who can access them and restricting when they are available for processing.

• Add a report request, stored as a packaged procedure, to a WebDB site as a WebDB component.

• Enable users to set their personal default parameters and run report requests from a WebDB site.

• Enable users to schedule reports to run automatically and push the resulting report to their own personal folder.