About Setting Oracle BI Presentation Services Permissions
Permissions are used to control access to shared information contained in:
- Presentation Catalog items
Permissions, which may be explicitly set or inherited, are configured from:
You can set permissions from the level of the application all the way down to individual requests in either Oracle BI Presentation Services or the Presentation Catalog.
This section contains the following topics:
Types of Permissions in Oracle BI Presentation Services
Oracle BI Presentation Services supports the following permissions:
- Change/Delete. Authority to view content, and to change or delete the content.
- Full Control. Authority given to view content, make changes or delete the content, set permissions, and delete the item, folder, or dashboard.
- No Access. Access is not allowed for this user or group. Explicitly denying access takes precedence over any other permission.
- Read. Authority to view the contents of the item, folder, or dashboard, but not to make any changes.
- Traverse Folder. Authority to access objects in folders within the selected folder when the user does not have permission to the selected folder. Example: The user is granted Traverse Folder permission to the /shared/test folder. The user cannot access objects in the /shared/test folder, but can access objects stored in lower-level folders, such as /shared/test/guest.
Recommendations for Setting Permissions in Oracle BI Presentation Services
Follow these recommendations when setting permissions:
- Assign permissions through Presentation Services group membership, even if you want to assign permissions for a single user. For more information, read Types of Presentation Services Groups.
- Set the permission on the Group folder to Read for the appropriate groups.
- For groups (or users, if necessary) that are going to be modifying the dashboards and dashboard content accessible to the group, set the permissions for the group to Full Control. This is often a dashboard or content builder group. While allowing change and delete control, Full Control also allows the specified group (or user) to set permissions, and to delete the item, folder, or dashboard.
If you plan to have numerous or varying users creating and modifying dashboard content for a given group, create a separate, corresponding "builder" group that has all the back-end permissions of the primary group, but with a different name. For example, you could create a Sales group and a SalesBuilder group. By giving the SalesBuilder group appropriate permissions to the Presentation Catalog, you can control and change who can make changes to dashboards and content. Assuming session variable security is in place, you could make a user a dashboard builder or content creator by changing the user's group from "Sales" to "SalesBuilder" in the database table that holds security information.
- For each Subject Area, grant Read permissions to the corresponding Subject Area folder within the Requests folder (and everything it contains). Make sure that the Everyone group has no access permission to the Subject Area folder.
- For groups that should be able to save requests for public use against a given Subject Area, grant them Full Control to the Subject Area folder and everything it contains, and likewise for the Common folder. For more information on setting permissions, see Setting Permissions in Oracle BI Presentation Services Administration.
- To make sure that only members of the designated Presentation Services groups (or users) have access to Presentation Catalog folders, folder content, and Dashboards, do not set explicit permissions for the default Presentation Services group Everyone.
NOTE: Oracle BI Presentation Services does not allow you to remove permissions for yourself or for the administrator. This prevents you from locking yourself out of an item, folder, or dashboard.
TIP: To provide a place for all users within a group to share requests with each other, create a folder under the Subject Area folder called, for example, Share or Publish, and give the entire group Change/Delete permission to just that folder.
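The recommendations above, together with the rule that No Access takes precedence over any other permission, can be checked mechanically against a list of explicit permissions. The following Python script is an added example, not Oracle code: the row format, the membership map, the sample data, and the rule names are all constructed for illustration, and it compares explicit permissions per folder only, without modelling inheritance.

```python
from collections import defaultdict, namedtuple

# Constructed row format for this example (not an Oracle BI export format).
Ace = namedtuple("Ace", "path principal kind permission")

def audit(aces, memberships, builder_groups):
    """Return sorted (rule, path, principal) findings for explicit ACL rows."""
    findings = set()
    denied, granted = defaultdict(set), defaultdict(set)
    for ace in aces:
        # Recommendation: assign through group membership, even for one user.
        if ace.kind == "user":
            findings.add(("direct-user-grant", ace.path, ace.principal))
        # Recommendation: no explicit permissions for the Everyone group.
        elif ace.principal == "Everyone":
            findings.add(("explicit-everyone", ace.path, ace.principal))
        # Full Control also allows setting permissions and deleting the item,
        # so it is expected only on the designated builder groups.
        if ace.permission == "Full Control" and ace.principal not in builder_groups:
            findings.add(("full-control-outside-builders", ace.path, ace.principal))
        bucket = denied if ace.permission == "No Access" else granted
        bucket[ace.path].add(ace.principal)
    # No Access takes precedence over any other permission, so a user who is in
    # both a denied group and a granted group on the same folder is denied.
    for path, denied_groups in denied.items():
        for user, groups in memberships.items():
            if groups & denied_groups and groups & granted[path]:
                findings.add(("deny-overrides-grant", path, user))
    return sorted(findings)

# Constructed sample data; group names follow the Sales/SalesBuilder example.
SAMPLE_ACES = [
    Ace("/shared/Sales", "Sales", "group", "Read"),
    Ace("/shared/Sales", "SalesBuilder", "group", "Full Control"),
    Ace("/shared/Sales/Share", "Sales", "group", "Change/Delete"),
    Ace("/shared/Sales", "jdoe", "user", "Full Control"),
    Ace("/shared/Requests/Orders", "Everyone", "group", "Read"),
    Ace("/shared/Sales", "Contractors", "group", "No Access"),
]
MEMBERSHIPS = {"asmith": {"Sales", "Contractors"}, "blee": {"SalesBuilder"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACES, MEMBERSHIPS, builder_groups={"SalesBuilder"}):
        print(*finding, sep="\t")
```

A `deny-overrides-grant` finding usually explains a report that a user cannot open content their group was given access to.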