5 Integrating with Other Oracle Security Models

This chapter describes BI Publisher support for security models of other Oracle products including Oracle E-Business Suite security, Oracle Database security, and Oracle Siebel CRM security.


5.1 About Integrating with Other Oracle Security Models

This chapter describes how to integrate BI Publisher with other Oracle product security models. In most cases you must first define the BI Publisher functional roles in the other Oracle product and then configure BI Publisher to use the other Oracle product security for authorization. You can use one of the Oracle product authorization methods described here in conjunction with a supported authentication method (SSO or LDAP) described in Chapter 3, "Alternative Security Options."

For conceptual information regarding BI Publisher roles and permissions, see Section 3.3, "Understanding BI Publisher's Users, Roles, and Permissions."

5.2 Before You Begin: Create a Local Superuser

Before you implement any of these security models, first create a local superuser. The local superuser credentials ensure that you can access the Administration pages of Oracle BI Publisher in case of any unexpected failures in the configured security settings.

To create a local superuser:

  1. On the Administration page, click Security Configuration.

  2. On the Security Configuration tab, under the Local Superuser region, select Enable Local Superuser, as shown in Figure 5-1.

    Figure 5-1 Enabling Local Superuser

  3. Enter a name and password for your superuser.

  4. Restart BI Publisher for the Superuser to become activated in the system.

5.3 Integrating with Oracle BI Server Security

If you have installed BI Publisher as part of the Oracle Business Intelligence Enterprise Edition and you have configured Oracle BI Enterprise Edition to use legacy Oracle BI Server authentication, then follow these procedures to configure BI Publisher to use BI Server security:

Note:

The Oracle BI Server security option is for customers who want to use legacy 10g authentication. This section does not apply to you if you have configured Oracle Fusion Middleware Security.

These procedures assume that you have performed the configuration required in the BI Server. For information on configuring legacy Oracle BI security, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

5.3.1 Configuring BI Publisher for Oracle BI Server Security

To configure BI Publisher for BI Server Security:

  1. Log in to BI Publisher with administrator credentials. Navigate to the BI Publisher Administration page. On the Administration page click Security Configuration.

    Note:

    To log in directly to the BI Publisher server, use the login URL with the /xmlpserver suffix, for example: http://example.com:9704/xmlpserver

  2. In the Authorization region of the page, select Oracle BI Server from the Security Model list. Provide the following connection information for the Oracle BI Server:

    • JDBC Connection String — Example: jdbc:oraclebi://host:port/

      If you do not know the connection string to the BI Server, then you can copy it from the data source connection page. From the Administration page, under Data Sources, click JDBC Connection. Locate the Oracle BI EE server and copy the connection string. If this has not been configured, then see Section C.4, "Setting Up a JDBC Connection to the Oracle BI Server."

    • Administrator Username and Administrator Password

      Enter the BISystemUser and password.

    • Database Driver Class — Example: oracle.bi.jdbc.AnaJdbcDriver

  3. Click Apply. Restart the BI Publisher application for the security changes to take effect.

5.3.2 Adding Data Sources to BI Server Roles

To add data sources to BI Server roles:

  1. Log in to Oracle Business Intelligence as an administrator.

  2. On the global header click Administration. On the Oracle BI Administration page, click Manage BI Publisher.

  3. On the BI Publisher Administration page click Roles and Permissions. The groups to which you assigned the BI Publisher groups are displayed as available roles.

  4. Find the group (role) to add data sources to and click Add Data Sources.

    Alternatively, you can navigate to the data source and add the roles that require access to the data source.

  5. Locate the appropriate data sources in the Available Data Sources list and use the shuttle buttons to move the sources to the Allowed Data Sources list for the role.

  6. Click Apply.

  7. Repeat for all roles that need access to report data sources.

5.4 Integrating with Oracle E-Business Suite

BI Publisher can leverage your E-Business Suite security to enable your users to log in to BI Publisher using their E-Business Suite credentials. The BI Publisher security integration recognizes the user's E-Business Suite responsibility and org_id combinations.

When users log in they are prompted to select a responsibility. Reports that users run against the E-Business Suite data tables then filter the data based on their responsibility and org_id combination. Users can switch responsibilities and reporting organization while still logged in using the My Account dialog.

When you integrate with the E-Business Suite security, your E-Business Suite responsibilities appear as roles in the BI Publisher security center. You can then add BI Publisher catalog permissions and data access privileges to the imported roles/responsibilities. See Section 3.3, "Understanding BI Publisher's Users, Roles, and Permissions."

Follow these procedures to integrate BI Publisher with Oracle E-Business Suite:

Note:

In this release, users cannot access or execute reports that are stored on the E-Business Suite instance. Reports must reside in the BI Publisher catalog. The E-Business Suite data security is enforced when BI Publisher connects to the E-Business Suite data tables to retrieve the report data.

Oracle BI Publisher relies on information stored in the DBC file to connect to the E-Business Suite instance. Ensure that you can locate and have access to this file. The DBC file is typically located under the $FND_SECURE directory.

5.4.1 Features of the Integration with E-Business Suite Security

When BI Publisher is integrated with E-Business Suite security, the following features are enabled:

  • When users log in to BI Publisher using their E-Business Suite credentials, they are prompted to choose a responsibility, as shown in Figure 5-2.

    Figure 5-2 Selecting a Responsibility at Log In

  • Users can switch responsibilities or reporting organizations using the My Account dialog.

  • The data source connection to the E-Business Suite instance is automatically configured and available in the data model editor, as shown in Figure 5-3.

    Figure 5-3 E-Business Suite Data Source Option in Data Model Editor


5.4.2 Configuring BI Publisher to Use E-Business Suite Security

To configure BI Publisher for E-Business Suite Security:

  1. In the Oracle E-Business Suite, log in as a System Administrator and create the following responsibilities to correspond to the BI Publisher functional roles:

    • XMLP_ADMIN — Serves as the administrator role for the BI Publisher server.

    • XMLP_DEVELOPER — Allows users to build reports in the system.

    • XMLP_SCHEDULER — Allows users to schedule reports.

    • XMLP_ANALYZER_EXCEL — Allows users to use the Excel Analyzer feature.

    • XMLP_ANALYZER_ONLINE — Allows users to use the online analysis feature.

    • XMLP_TEMPLATE_BUILDER — Allows users to connect to the BI Publisher server from the Template Builder and to upload and download templates. Allows users to design layouts using the BI Publisher Layout Editor.

  2. Add these new BI Publisher responsibilities to the appropriate users.

    Note:

    Ensure that you assign at least one user to the XMLP_ADMIN group.

  3. Log in to Oracle BI Publisher. On the Administration page, select Security Configuration.

  4. In the Authorization region of the page, select Oracle E-Business Suite from the Security Model list.

  5. Load the DBC file from the E-Business Suite instance. This is typically located under the $FND_SECURE directory. If you do not have access to this file, then contact your E-Business Suite system administrator. This file specifies how BI Publisher should access the E-Business Suite instance.

  6. Click Apply. Restart BI Publisher for the security changes to take effect.

When you restart the system, the E-Business Suite responsibilities to which BI Publisher roles have been assigned are visible as roles in the BI Publisher security center.

5.4.3 Adding Data Sources to the E-Business Suite Roles

To view a report generated from a particular data source, a report consumer's role must be granted access to the data source. Similarly, to create a data model based on a particular data source, the report author's role must be granted access to the data source.

To grant a role access to a data source:

  1. On the Administration tab, under Security Configuration, click Roles and Permissions. The responsibilities that are assigned BI Publisher roles in the E-Business Suite instance are displayed as available roles.

  2. Find the role to which you want to add data sources and click Add Data Sources. The Add Data Sources page is displayed.

  3. Locate the appropriate data sources in the Available Data Sources list and use the shuttle buttons to move the sources to the Allowed Data Sources list for the role.

  4. Click Apply.

  5. Repeat for all roles that need access to report data sources.

5.4.4 Granting Catalog Permissions to the E-Business Suite Roles

For a role to access objects in a folder, you must grant the role permissions to the catalog object. You can grant permissions at the folder level, so that a role has the same access to every object in a folder, or you can assign access individually to each object in a folder.


To grant permissions to E-Business Suite roles:

  1. In the catalog, navigate to a catalog object required for a role.

  2. Click the More link for the object and then click Permissions to open the Permissions dialog.

  3. Click the Create icon to open the Add Roles dialog.

  4. Click Search to populate the list of Available Roles.

  5. Use the Move button to move the appropriate roles from the Available Roles list to the Selected Roles list.

  6. Click OK.

  7. Enable the appropriate permissions for the role by selecting the check boxes.

  8. If you have selected a folder: To apply the selections to all items within a folder, select Apply permissions to items within this folder.

5.5 Integrating with Oracle Database Security

BI Publisher offers integration with Oracle Database security to enable you to administer the BI Publisher users with your Oracle Database users. Follow these procedures to integrate BI Publisher with Oracle Database security:

Note:

For information on setting up Oracle Database security, see the Oracle Database Security Guide.

When you restart the server, the roles to which BI Publisher roles have been assigned are visible as roles in the BI Publisher security center.

5.5.1 Defining the BI Publisher Functional Roles in the Oracle Database

To define the BI Publisher functional roles in the Oracle Database:

  1. In the Oracle Database, create the following roles to correspond to the BI Publisher functional roles:

    • XMLP_ADMIN — Serves as the administrator role for the BI Publisher server.

    • XMLP_DEVELOPER — Allows users to build reports in the system.

    • XMLP_SCHEDULER — Allows users to schedule reports.

    • XMLP_ANALYZER_EXCEL — Allows users to use the Excel analysis feature.

    • XMLP_ANALYZER_ONLINE — Allows users to use the online analysis feature.

    • XMLP_TEMPLATE_BUILDER — Allows users to connect to the BI Publisher server from the Template Builder and to upload and download templates.

  2. Assign these roles to the appropriate Database roles and users. You might also want to create additional reporting roles that you can use when setting up your report privileges on the BI Publisher side. For example, you might create a role called "HUMAN_RESOURCES_MANAGER" that you can assign a Human Resources Folder of reports to. You can then assign that role to any user requiring access to the Human Resources reports.

  3. Ensure that you assign the XMLP_ADMIN role to a user with administration privileges, such as SYSTEM.

  4. Log in to the BI Publisher application with Administrator privileges. From the Administration page, select Security Configuration.

  5. In the Authorization region of the page, select Oracle Database from the Security Model list. Provide the following connection information:

    • JDBC Connection String — Example: jdbc:oracle:thin:@mycompany.com:1521:orcl

    • Administrator Username and Administrator Password — Note the following requirements for this user:

      • The user must be granted the XMLP_ADMIN role

      • The user must have privileges to access data from the dba_users, dba_roles, and dba_role_privs tables.

    • Database Driver Class — Example: oracle.jdbc.driver.OracleDriver

  6. Click Apply. Restart BI Publisher for the security changes to take effect.
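The database-side part of this procedure (steps 1 to 3 and the administrator account requirements in step 5) written as SQL, followed by a query to review who ends up holding the roles. This is an added example, not an Oracle-supplied script. The accounts bip_sec_admin and hr_report_user and the password are hypothetical placeholders, and granting SELECT on the three dictionary views directly, instead of a broad role such as DBA, is an assumption about how to meet the stated access requirement with least privilege.

```sql
-- Added example: run as a DBA (for instance SYS) in SQL*Plus or SQLcl.

-- Step 1: roles that correspond to the BI Publisher functional roles.
CREATE ROLE XMLP_ADMIN;
CREATE ROLE XMLP_DEVELOPER;
CREATE ROLE XMLP_SCHEDULER;
CREATE ROLE XMLP_ANALYZER_EXCEL;
CREATE ROLE XMLP_ANALYZER_ONLINE;
CREATE ROLE XMLP_TEMPLATE_BUILDER;

-- Step 2: an additional reporting role, as in the page's example.
CREATE ROLE HUMAN_RESOURCES_MANAGER;

-- Step 2: assign roles to users. hr_report_user is a hypothetical account
-- that is assumed to exist already.
GRANT XMLP_SCHEDULER, HUMAN_RESOURCES_MANAGER TO hr_report_user;

-- Step 3: the page's example of an administrative user for XMLP_ADMIN.
GRANT XMLP_ADMIN TO SYSTEM;

-- Step 5: the account entered as Administrator Username in BI Publisher.
-- bip_sec_admin is a hypothetical dedicated account (assumption): it gets
-- only the role and dictionary access that the page lists as requirements.
CREATE USER bip_sec_admin IDENTIFIED BY "replace_with_strong_password"; -- placeholder
GRANT CREATE SESSION TO bip_sec_admin;
GRANT XMLP_ADMIN TO bip_sec_admin;
GRANT SELECT ON sys.dba_users      TO bip_sec_admin;
GRANT SELECT ON sys.dba_roles      TO bip_sec_admin;
GRANT SELECT ON sys.dba_role_privs TO bip_sec_admin;

-- Review: every grantee of an XMLP_ role, whether it can re-grant the role
-- (ADMIN_OPTION = 'YES'), and the account status. A grantee that is itself
-- a role has no row in DBA_USERS and is reported as 'ROLE'.
-- The session that ran CREATE ROLE also appears here, because Oracle grants
-- a new role to its creator WITH ADMIN OPTION.
SELECT rp.granted_role,
       rp.grantee,
       rp.admin_option,
       NVL(u.account_status, 'ROLE') AS grantee_status
FROM   dba_role_privs rp
LEFT   JOIN dba_users u ON u.username = rp.grantee
WHERE  rp.granted_role LIKE 'XMLP\_%' ESCAPE '\'
ORDER  BY rp.granted_role, rp.grantee;
```

Rerun the review query after any role change: once this security model is active, a database grant of XMLP_ADMIN is a grant of BI Publisher administration.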

5.5.2 Adding Data Sources to Roles

To view a report generated from a particular data source, a report consumer's role must be granted access to the data source. Similarly, to create a data model based on a particular data source, the report author's role must be granted access to the data source.

To grant a role access to a data source:

  1. On the Administration tab, under Security Configuration, click Roles and Permissions.

  2. Find the role to which you want to add data sources and click Add Data Sources. The Add Data Sources page is displayed.

  3. Locate the appropriate data sources in the Available Data Sources list and use the shuttle buttons to move the sources to the Allowed Data Sources list for the role.

  4. Click Apply.

  5. Repeat for all roles that need access to report data sources.

5.5.3 Granting Catalog Permissions to Roles

For a role to access objects in a folder, you must grant the role permissions to the catalog object. You can grant permissions at the folder level, so that a role has the same access to every object in a folder, or you can assign access individually to each object in a folder.


To grant catalog permissions to a role:

  1. In the catalog, navigate to a catalog object required for a role.

  2. Click the More link for the object and then click Permissions to open the Permissions dialog.

  3. Click the Create icon to open the Add Roles dialog.

  4. Click Search to populate the list of Available Roles.

  5. Use the Move button to move the appropriate roles from the Available Roles list to the Selected Roles list.

  6. Click OK.

  7. Enable the appropriate permissions for the role by selecting the check boxes.

  8. If you have selected a folder: To apply the selections to all items within a folder, select Apply permissions to items within this folder.

5.6 Integrating with Oracle Siebel CRM Security

To configure BI Publisher to integrate with Siebel security, perform the tasks in the following sections:

5.6.1 Setting Up BI Publisher Roles as Siebel CRM Responsibilities

To set up BI Publisher roles as Siebel CRM responsibilities:

  1. Using Siebel Administrator credentials, navigate to Administration - Application, and then Responsibilities.

  2. In the Responsibilities list, add a new record for each of the BI Publisher functional roles:

    • XMLP_ADMIN — Serves as the administrator role for the BI Publisher server.

    • XMLP_DEVELOPER — Allows users to build reports in the system.

    • XMLP_SCHEDULER — Allows users to schedule reports.

    • XMLP_ANALYZER_EXCEL — Allows users to use the Excel analyzer feature.

    • XMLP_ANALYZER_ONLINE — Allows users to use the online analysis feature.

    • XMLP_TEMPLATE_BUILDER — Allows users to connect to the BI Publisher server from the Template Builder and to upload and download templates and grants access to the layout editor.

  3. Assign these roles to the appropriate users. You might also want to create additional reporting roles that you can use when setting up your report privileges in BI Publisher. For example, you might create a role called "EXECUTIVE_SALES" that you can assign an executive-level report folder to. You can then assign that role to any user requiring access to the Executive reports.

  4. Ensure that you assign the XMLP_ADMIN role to a user with administration privileges.

5.6.2 Configuring BI Publisher to Use Siebel Security

To configure BI Publisher to use Siebel Security:

  1. Log in to BI Publisher with Administrator privileges. From the Administration page select Security Configuration.

  2. In the Authorization region of the page, select Siebel Security from the Security Model list. Provide the following connection information:

    • Siebel Web Service Endpoint String

    • Administrator Username

    • Administrator Password

  3. Click Apply. Restart BI Publisher for the security changes to take effect.

When you log back in to BI Publisher, the responsibilities to which you added the BI Publisher functional roles are displayed in the Roles and Permissions page.

5.6.3 Adding Data Sources to Roles

To view a report generated from a particular data source, a report consumer's role must be granted access to the data source. Similarly, to create a data model based on a particular data source, the report author's role must be granted access to the data source.

To grant a role access to a data source:

  1. On the Administration tab, under Security Configuration, click Roles and Permissions.

  2. Find the role to which you want to add data sources and click Add Data Sources. The Add Data Sources page is displayed.

  3. Locate the appropriate data sources in the Available Data Sources list and use the shuttle buttons to move the sources to the Allowed Data Sources list for the role.

  4. Click Apply.

  5. Repeat for all roles that need access to report data sources.

5.6.4 Granting Catalog Permissions to Roles

For a role to access objects in a folder, you must grant the role permissions to the catalog object. You can grant permissions at the folder level, so that a role has the same access to every object in a folder, or you can assign access individually to each object in a folder.


To grant catalog permissions to a role:

  1. In the catalog, navigate to a catalog object that is required for a role.

  2. Click the More link for the object and then click Permissions to open the Permissions dialog.

  3. Click the Create icon to open the Add Roles dialog.

  4. Click Search to populate the list of Available Roles.

  5. Use the Move button to move the appropriate roles from the Available Roles list to the Selected Roles list.

  6. Click OK.

  7. Enable the appropriate permissions for the role by selecting the check boxes.

  8. If you have selected a folder: To apply the selections to all items within a folder, select Apply permissions to items within this folder.