Inheritance of Oracle BI Presentation Services Permissions and Privileges
Permissions and privileges can be assigned to users directly or through membership in groups. From another perspective, permissions and privileges can be assigned explicitly or effectively. Effective permissions and privileges are assigned indirectly through Presentation Services group inheritance, which is the recommended way to set up your security. Permission and privilege inheritance occurs when one Presentation Services group is a member of another Presentation Services group.
Rules for Inheritance in Oracle BI Presentation Services
- Any permissions or privileges given explicitly to a user override any permissions or privileges inherited from the Presentation Services group to which the user belongs.
- If a user belongs to two groups and both groups are assigned permissions, the least restrictive permissions are given to the user.
For example, if one group allows Read access and another allows Change access, the least restrictive access would be granted; in this example, Change access.
NOTE: The exception to this is if one of the two groups is explicitly denied the permissions, in which case the user is denied.
- If a user belongs to Presentation Services group X, and Presentation Services group X belongs to Presentation Services group Y, any rule assigned to group X overrides any rule assigned to group Y.
For example, if Marketing has Read permissions, Marketing Administrators, which is a member of Marketing, can have Full Control permissions.
- Explicitly denying access takes precedence over any other permissions or privileges.
When assigning permissions or privileges, it is often useful to look at the resolved permissions for users and groups at the bottom of the screen to make sure that everyone is inheriting correctly.
Example of Inherited Privileges in Oracle BI Presentation Services
Figure 1 shows an example of how privileges are inherited through Presentation Services groups.
Figure 1. Example of Presentation Services Group Privilege Inheritance
In this example:
- User1 is a direct member of Group 1 and Group 2, and is an indirect member of Group 3, Group 4, and Group 5.
- The permissions and privileges from Group 1 are no access to DashboardA, Read access to DashboardB, and Full Control over DashboardC.
- If permissions and privileges are conflicting, the least restrictive level of authority is granted. Therefore, the inherited permissions and privileges from Group 2 include Change and Delete access to DashboardD.
- Specifically prohibiting access always takes precedence over any other settings. Therefore, Group 1's denial of access to DashboardA overrides Group 4's Read access. The result is that Group 1 provides no access to DashboardA. Likewise, Group 5 provides no access to DashboardE because access to it is explicitly denied in Group 2.
The total permissions and privileges granted to User1 are as follows:
- No access to DashboardA and DashboardE because access is specifically denied.
- Read access to DashboardB.
- Full Control over DashboardC.
- Change and Delete access to DashboardD.
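The resolution worked through above, as a small Python model of the four rules (an added example, not Oracle code and not part of the original guide). Because the figure is not reproduced here, the group hierarchy, the entries marked assumed, the three-level ordering, User2, and the choice to treat an explicit user entry as final ahead of a group denial are all assumptions.

```python
# Simplified model of the four inheritance rules; not Oracle's implementation.
DENY = "No Access"
LEVELS = ["Read", "Change/Delete", "Full Control"]  # least to most permissive (assumed)

# Constructed data. MEMBER_OF maps a principal to the groups it directly belongs to.
# Assumed hierarchy: Group 1 is in Groups 3 and 4, Group 2 is in Group 5.
MEMBER_OF = {
    "User1": ["Group 1", "Group 2"],
    "User2": ["Group 1"],                        # hypothetical second user
    "Group 1": ["Group 3", "Group 4"],
    "Group 2": ["Group 5"],
}
# ACL[principal][object] is an explicit entry; "assumed" marks values the text omits.
ACL = {
    "User2": {"DashboardB": "Full Control"},     # assumed, to exercise rule 1
    "Group 1": {"DashboardA": DENY, "DashboardC": "Full Control"},
    "Group 2": {"DashboardD": "Change/Delete", "DashboardE": DENY},
    "Group 3": {"DashboardB": "Read", "DashboardD": "Read"},          # assumed placement
    "Group 4": {"DashboardA": "Read"},
    "Group 5": {"DashboardD": "Full Control", "DashboardE": "Read"},  # assumed levels
}

def ancestors(principal, seen=None):
    """Every group the principal belongs to, directly or indirectly."""
    seen = set() if seen is None else seen
    for group in MEMBER_OF.get(principal, []):
        if group not in seen:                    # also guards against membership cycles
            seen.add(group)
            ancestors(group, seen)
    return seen

def least_restrictive(entries):
    granted = [e for e in entries if e in LEVELS]
    return max(granted, key=LEVELS.index) if granted else None

def nearest(group, obj, path=frozenset()):
    """Rule 3: a group's own entry overrides entries on the groups it is a member of."""
    own = ACL.get(group, {}).get(obj)
    if own or group in path:
        return own
    parents = MEMBER_OF.get(group, [])
    return least_restrictive(nearest(p, obj, path | {group}) for p in parents)

def resolve(user, obj):
    if obj in ACL.get(user, {}):                 # rule 1: explicit user entry wins
        return ACL[user][obj]
    if any(ACL.get(g, {}).get(obj) == DENY for g in ancestors(user)):
        return DENY                              # rule 4: any explicit denial wins
    direct = MEMBER_OF.get(user, [])             # rule 2: least restrictive across groups
    return least_restrictive(nearest(g, obj) for g in direct)
```

`resolve` returns `None` when no entry applies to the object at all; the model does not assume what the product does in that case.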
TIP: Do not add the default Everyone Presentation Services groups to any other Presentation Services groups that you create. This makes sure that only the desired Presentation Services groups (and users) have the specified permissions and privileges, by preventing users or authenticated users from unintentionally inheriting permissions and privileges from another Presentation Services group.