14.5 End-to-End Security Scenarios

This section describes end-to-end security scenarios that involve both authentication and authorization.

The following table describes JPS-based security scenarios.

Table 14-7 JPS-Based Security Scenarios

Security Scenario Description

Security Scenario	Description
JPS-OID Authorization with Single-Sign-On Authentication for Reports Servlet
This scenario involves the following: Single Sign-On for authentication JPS-OID for authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Enable Single Sign-On. For more information, see Enabling and Disabling Single Sign-On. Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option. Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On. Add the following property in the `jps-config-jse.xml` file: `<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>` Configure JPS Oracle Internet Directory as a policy store. For more information, see Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security. Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.
JPS-OID Authorization with JPS-OID as ID Store for Other Reports Clients
This scenario involves the following: JPS-OID for authentication JPS-OID for authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option. Add the following property in the `jps-config-jse.xml` file: `<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>` Configure JPS-OID as an ID store. For more information, see Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security. Configure JPS-OID as a policy store. For more information, see Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security. Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.
JAZN-XML Authorization with Single Sign-On Authentication for Reports Servlet
This scenario involves the following: Single Sign-On for authentication JAZN-XML for authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Enable Single Sign-On. For more information, see Enabling and Disabling Single Sign-On. Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option. Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On. Add the following property in the `jps-config-jse.xml` file: `<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>` Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports". Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles. If the `system-jazn-data.xml` file is used as the policy store, search for the "reports" application in the `system-jazn-data.xml` file. To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the `system-jazn-data.xml` file. For more information, see Section 14.4.2, "Additional Step When Using JPS for Authorization".
JAZN-XML Authorization with JPS-OID Authentication for Other Reports Clients
This scenario involves the following: JPS-OID for authentication JAZN-XML for authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option. Add the following property in the `jps-config-jse.xml` file: `<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>` Configure JPS-OID as an ID store. For more information, see Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security. Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to update the report security policies defined in Oracle Internet Directory. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles. If the `system-jazn-data.xml` file is used as the policy store, search for the "reports" application in the `system-jazn-data.xml` file. To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the `system-jazn-data.xml`. For more information, see Section 14.4.2, "Additional Step When Using JPS for Authorization".

JPS-OID Authorization with Single-Sign-On Authentication for Reports Servlet

This scenario involves the following:

Single Sign-On for authentication
JPS-OID for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

Enable Single Sign-On. For more information, see Enabling and Disabling Single Sign-On.
Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option.
Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On.
Add the following property in the jps-config-jse.xml file:

<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>
Configure JPS Oracle Internet Directory as a policy store. For more information, see Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security.
Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory.
Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

JPS-OID Authorization with JPS-OID as ID Store for Other Reports Clients

This scenario involves the following:

JPS-OID for authentication
JPS-OID for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option.
Add the following property in the jps-config-jse.xml file:

<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>
Configure JPS-OID as an ID store. For more information, see Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security.
Configure JPS-OID as a policy store. For more information, see Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security.
Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory.
Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

JAZN-XML Authorization with Single Sign-On Authentication for Reports Servlet

This scenario involves the following:

Single Sign-On for authentication
JAZN-XML for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

Enable Single Sign-On. For more information, see Enabling and Disabling Single Sign-On.
Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option.
Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On.
Add the following property in the jps-config-jse.xml file:

<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>
Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports".
Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.
If the system-jazn-data.xml file is used as the policy store, search for the "reports" application in the system-jazn-data.xml file. To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the system-jazn-data.xml file. For more information, see Section 14.4.2, "Additional Step When Using JPS for Authorization".

JAZN-XML Authorization with JPS-OID Authentication for Other Reports Clients

This scenario involves the following:

JPS-OID for authentication
JAZN-XML for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

Enable JPS-based security. On the Reports Server Advanced Configuration page in Enterprise Manager, select the Enable Security check box, and then select the Oracle Platform Security for Java option.
Add the following property in the jps-config-jse.xml file:

<property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>
Configure JPS-OID as an ID store. For more information, see Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security.
Create security policies. Refer to Section 6.8.2, "Defining Security Policies for Reports" to update the report security policies defined in Oracle Internet Directory.
Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.
If the system-jazn-data.xml file is used as the policy store, search for the "reports" application in the system-jazn-data.xml file. To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the system-jazn-data.xml. For more information, see Section 14.4.2, "Additional Step When Using JPS for Authorization".

The following table describes Portal-based security scenarios.

Table 14-8 Portal-Based Security Scenarios

Security Scenario	Description
Portal-Based Authorization with Single-Sign-On Authentication for Reports Servlet
This scenario involves the following: Single Sign-On for authentication Portal-based authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Enable Single Sign-On. For more information, see Enabling and Disabling Single Sign-On. Ensure that Portal-based security is enabled. If you have enabled JPS-based security, switch to Portal-based security. In the Advanced Configuration Page in Enterprise Manager, select the Enable Security check box and then the Security features available through Oracle Portal option under the Reports Security section. Create security policies in Oracle Portal. For more information about creating security policies in Oracle Portal, see the Securing Oracle Portal chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal. Map users to application roles. For more information about mapping users to application roles, see Section 15.1, "Creating Reports Users and Named Groups"
Portal-Based Authorization with Oracle Internet Directory as ID Store for Other Reports Clients
This scenario involves the following: Oracle Internet Directory for authentication Portal-based for authorization (policies)	To use this combination of authentication and authorization, complete the following steps: Configure Oracle Internet Directory as an ID store. For more information, see Configuring External Oracle Internet Directory as ID Store. Ensure that Portal-based security is enabled. If you have enabled JPS-based security, switch to Portal-based security. In the Advanced Configuration Page in Enterprise Manager, select the Enable Security check box and then the Security features available through Oracle Portal option under the Reports Security section. Create security policies in Oracle Portal. For more information about creating security policies in Oracle Portal, see the Securing Oracle Portal chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal. Map users to application roles. For more information about mapping users to application roles, see Section 15.1, "Creating Reports Users and Named Groups"