Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents and Other Resources
System Requirements and Certification
Conventions
New Features in Oracle Business Intelligence Security
New Features for Oracle BI EE 11g Release 1 (11.1.1.7)
New Features for Oracle BI EE 11g Release 1 (11.1.1.6)
New Features for Oracle BI EE 11g Release 1 (11.1.1.5)
New Features for Oracle BI EE 11g Release 1 (11.1.1.3)
1
Introduction to Security in Oracle Business Intelligence
1.1
High-Level Roadmap for Setting Up Security in Oracle Business Intelligence
1.2
Overview of Security in Oracle Business Intelligence
1.3
About Authentication
1.4
About Authorization
1.4.1
About Application Roles
1.4.2
About the Security Policy
1.5
About Preconfigured Users, Groups, and Application Roles
1.6
Using Tools to Configure Security in Oracle Business Intelligence
1.6.1
Using Oracle WebLogic Server Administration Console
1.6.2
Using Oracle Fusion Middleware Control
1.6.3
Using Oracle BI Administration Tool
1.6.4
Using Presentation Services Administration
1.7
Detailed List of Steps for Setting Up Security in Oracle Business Intelligence
1.8
Comparing the Oracle Business Intelligence 10g and 11g Security Models
1.9
Terminology
2
Managing Security Using the Default Security Configuration
2.1
Working with the Default Users, Groups, and Application Roles
2.2
An Example Security Setup Using the Default Groups and Application Roles
2.3
Managing Users and Groups in the Embedded WebLogic LDAP Server
2.3.1
Setting Up Users, Groups, and Application Roles
2.3.1.1
Assigning a User to a Default Group
2.3.1.2
Assigning a User to a New Group and a New Application Role
2.3.2
Creating a New User in the Embedded WebLogic LDAP Server
2.3.3
Creating a Group in the Embedded WebLogic LDAP Server
2.3.4
Assigning a User to a Group in the Embedded WebLogic LDAP Server
2.3.5
(Optional) Changing a User Password in the Embedded WebLogic LDAP Server
2.4
Managing Application Roles and Application Policies Using Fusion Middleware Control
2.4.1
Displaying Application Policies and Application Roles Using Fusion Middleware Control
2.4.2
Creating and Deleting Application Roles Using Fusion Middleware Control
2.4.2.1
Overview
2.4.2.2
Creating an Application Role
2.4.2.3
Assigning a Group to an Application Role
2.4.2.4
Deleting an Application Role
2.4.3
Creating Application Policies Using Fusion Middleware Control
2.4.4
Modifying Application Roles Using Fusion Middleware Control
2.4.4.1
Adding or Removing Permission Grants from an Application Role
2.4.4.2
Adding or Removing Members from an Application Role
2.4.4.3
Renaming an Application Role
2.5
Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
2.5.1
Overview
2.5.2
Setting Repository Privileges for an Application Role
2.5.3
Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic
2.6
Managing Presentation Services Privileges Using Application Roles
2.6.1
Overview
2.6.2
About Presentation Services Privileges
2.6.3
Setting Presentation Services Privileges for Application Roles
2.6.4
Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic
2.7
Managing Data Source Access Permissions Using Oracle BI Publisher
2.8
Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store
2.9
Attaching a Global Policy for Web Services in the BI Domain
3
Using Alternative Authentication Providers
3.1
Introduction
3.2
High-Level Steps for Configuring an Alternative Authentication Provider
3.3
Prerequisites for Using Alternative Authentication Providers
3.4
Configuring Alternative Authentication Providers
3.4.1
Configuring Oracle Internet Directory as the Authentication Provider
3.4.2
Configuring Active Directory as the Authentication Provider
3.4.3
Configuring a Database as the Authentication Provider
3.4.3.1
Introduction and Prerequisites
3.4.3.2
Creating a Sample Schema for Users and Groups
3.4.3.3
Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console
3.4.3.4
Configuring the Virtualized Identity Store
3.4.3.5
Troubleshooting the SQL Authenticator
3.4.3.6
Correcting Database Adapter Errors by Deleting and Recreating the Adapter
3.4.4
Configuring LDAP as the Authentication Provider and Storing Groups in a Database
3.4.4.1
Prerequisites
3.4.4.2
Creating a Sample Schema for Groups and Group Members
3.4.4.3
Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console
3.4.4.4
Configuring the Virtualized Identity Store
3.4.4.5
Testing the Configuration by Adding a Database Group to an Application Role
3.4.4.6
Correcting Errors in the Adaptors
3.4.5
Configuring Multiple Authentication Providers Using Fusion Middleware Control
3.4.6
Configuring Multiple Authentication Providers so that When One Fails, Users from Others can Still Log In to Oracle Business Intelligence
3.4.7
Setting the JAAS Control Flag Option
3.4.8
Configuring a Single LDAP Authentication Provider as the Authenticator
3.4.8.1
Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator
3.4.8.2
Troubleshooting
3.5
Configuring User and Group Name Attributes in the Identity Store
3.5.1
Configuring User Name Attributes
3.5.2
Configuring Group Name Attributes
3.6
Configuring the GUID Attribute in the Identity Store
3.6.1
Configuring a New GUID Attribute
3.6.2
Configuring an LDAP Authenticator to Accept a GUID Field Format Not Intended as a GUID
3.7
Configuring a New Trusted User (BISystemUser)
3.8
Refreshing User GUIDs
3.9
Configuring Oracle Internet Directory (LDAP) as the Security Store
3.10
Configuring an Oracle Database as the Security Store
4
Enabling SSO Authentication
4.1
SSO Configuration Tasks for Oracle Business Intelligence
4.2
Understanding SSO Authentication and Oracle Business Intelligence
4.2.1
How an Identity Asserter Works
4.2.2
How Oracle Business Intelligence Operates with SSO Authentication
4.3
SSO Implementation Considerations
4.4
Configuring SSO in an Oracle Access Manager Environment
4.4.1
Configuring a New Authenticator for Oracle WebLogic Server
4.4.2
Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server
4.5
Enabling SSO for Oracle BI Enterprise Edition Using Oracle Single Sign-On (OSSO)
4.5.1
Installing and Configuring Oracle HTTP Server to Redirect Requests for Oracle Business Intelligence to WebLogic Server
4.5.2
Creating and Configuring an OSSO Asserter and OID Authenticator
4.5.3
Registering a Partner Application in Oracle Single Sign-On and Protecting the Oracle Business Intelligence Resource in Oracle HTTP Server
4.6
Configuring Custom SSO Environments
4.7
Enabling SSO Authentication Using Fusion Middleware Control
4.8
Enabling the Online Catalog Manager to Connect
5
SSL Configuration in Oracle Business Intelligence
5.1
Common SSL Configuration Tasks for Oracle Business Intelligence
5.2
What is SSL?
5.2.1
Using SSL in Oracle Business Intelligence
5.2.2
Creating Certificates and Keys in Oracle Business Intelligence
5.2.3
What is the Credential Store?
5.3
Configuring SSL Communication Between Components
5.3.1
Configuring WebLogic to use SSL in Oracle WebLogic Server Administration Console
5.3.2
Ensuring the WebLogic Server SSL Certificate Matches the Listener Address on Each WebLogic Managed Server
5.3.3
Enabling Trust Between Code Running in WebLogic Servers
5.3.4
Enabling SSL for Oracle BI EE Components Using Fusion Middleware Control
5.3.5
Configuring Oracle WebLogic Server to Use Only the HTTPs Protocol by Disabling Non-SSL Listen Ports
5.4
Additional SSL Configuration Options
5.4.1
Updating Expired SSL Certificates Using Fusion Middleware Control
5.4.2
Configuring SSL for the SMTP Server Using Fusion Middleware Control
5.4.3
Using SASchInvoke when BI Scheduler is SSL-Enabled
5.4.4
Configuring Oracle BI Job Manager
5.4.5
Enabling the Online Catalog Manager to Connect
5.4.6
Configuring the Oracle BI Administration Tool to Communicate Over SSL
5.4.7
Configuring an ODBC DSN for Remote Client Access
5.4.8
Configuring Oracle BI Publisher to Communicate Over SSL
5.4.9
Configuring SSL when Using Multiple Authenticators
5.5
Configuring SSL Communication Between Components Using the System MBean Browser
5.5.1
Locking the Configuration
5.5.2
Generating the SSL Certificates
5.5.3
Committing the SSL Configuration Changes and Releasing the Lock
5.5.3.1
Troubleshooting Tip
5.5.4
Verifying the SSL Credentials in the Credential Store
5.5.5
About Oracle BI EE SSL Everywhere Generated Certificates
5.5.6
Enabling the SSL Configuration
5.5.7
Confirming SSL Status Using the MBean Browser
5.5.8
Updating Expired SSL Certificates Using the MBean Browser
5.6
Advanced SSL Configuration Options
A
Alternative Security Administration Options
A.1
Alternative Authentication Options
A.1.1
Setting Up LDAP Authentication Using Initialization Blocks
A.1.1.1
Setting Up an LDAP Server
A.1.1.2
Defining a USER Session Variable for LDAP Authentication
A.1.1.3
Setting the Logging Level
A.1.2
Setting Up External Table Authentication
A.1.3
About Oracle BI Delivers and External Initialization Block Authentication
A.1.4
Order of Authentication
A.1.5
Authenticating by Using a Custom Authenticator Plug-In
A.1.6
Managing Session Variables
A.1.7
Managing Server Sessions
A.1.7.1
Using the Session Manager
A.2
Alternative Authorization Options
A.2.1
Changes Affecting Security in Presentation Services
A.2.2
Managing Catalog Privileges Using Catalog Groups
A.2.3
Setting Up Authorization Using Initialization Blocks
B
Understanding the Default Security Configuration
B.1
About Securing Oracle Business Intelligence
B.2
About the Security Framework
B.2.1
Oracle Platform Security Services
B.2.2
Oracle WebLogic Server Domain
B.3
Key Security Elements
B.4
Default Security Configuration
B.4.1
Default Policy Store Provider
B.4.1.1
Default Permissions
B.4.1.2
Default Application Roles
B.4.1.3
Default Application Roles, Permission Grants, and Group Mappings
B.4.2
Default Authentication Provider
B.4.2.1
Default Groups and Members
B.4.2.2
Default Users and Passwords
B.4.3
Default Credential Store Provider
B.4.3.1
Default Credentials
B.4.4
How User Permissions Are Granted Using Application Roles
B.4.4.1
Permission Inheritance and Role Hierarchy
B.4.4.2
Catalog Groups and Precedence
B.5
Common Security Tasks After Installation
B.5.1
Common Security Tasks to Evaluate Oracle Business Intelligence
B.5.2
Common Security Tasks to Implement Oracle Business Intelligence
B.6
About the Default Security Configuration After Upgrade
B.6.1
Security-Related Changes After Upgrading
B.6.1.1
Changes Affecting the Identity Store
B.6.1.2
Changes Affecting the Policy Store
B.6.1.3
Changes Affecting the Default Repository File
B.6.1.4
Changes Affecting the Oracle BI Presentation Catalog
B.6.2
Planning to Upgrade a 10g Repository
B.6.3
Upgrading an Existing SSL Environment
B.6.4
Upgrading an Existing SSO Environment
C
Troubleshooting Security in Oracle Business Intelligence
C.1
Resolving User Login Authentication Failure Issues
C.1.1
Authentication Concepts
C.1.1.1
Authentication Defaults on Install
C.1.1.2
Using Oracle WebLogic Server Administration Console and Fusion Middleware Control to Configure Oracle Business Intelligence
C.1.1.3
WebLogic Domain and Log Locations
C.1.1.4
Oracle Business Intelligence Key Login User Accounts
C.1.1.5
Oracle Business Intelligence Login Overview
C.1.2
Using the Oracle BI Security Diagnostics Helper to Automatically Identify Security Issues
C.1.2.1
What Is the Oracle BI Security Diagnostics Helper?
C.1.2.2
Setting Up the Oracle BI Security Diagnostics Helper Using a Script - First-Time Use Only
C.1.2.3
Deploying the Oracle BI Security Diagnostics Helper
C.1.2.4
Running the Oracle BI Security Diagnostics Helper
C.1.2.5
Using the Oracle BI Diagnostics Helper
C.1.2.6
Restarting the WebLogic Servers
C.1.3
Identifying Causes of User Login Authentication Failure
C.1.4
Resolving User Login Authentication Failures
C.1.4.1
Single User Cannot Log in to Oracle Business Intelligence
C.1.4.2
Users Cannot Log in to Oracle Business Intelligence Due to Misconfigured Authenticators
C.1.4.3
Users Cannot Log in to Oracle Business Intelligence When Oracle Web Services Manager is not Working
C.1.4.4
Users Cannot Log in to Oracle Business Intelligence - Is BI System User Authentication Working?
C.1.4.5
Users Cannot Log in to Oracle Business Intelligence - Is the External Identity Store Configured Correctly?
C.1.4.6
Users Can Log in With Any or No Password
C.1.4.7
Have Removed Default Authenticator and Cannot Start WebLogic Server
C.2
Resolving Inconsistencies with the Identity Store
C.2.1
User Is Deleted from the Identity Store
C.2.2
User Is Renamed in the Identity Store
C.2.3
User Name Is Reused in the Identity Store
C.2.4
Group Associated with User Name Does Not Exist in the Identity Store
C.3
Resolving Inconsistencies with the Policy Store
C.3.1
Application Role Was Deleted from the Policy Store
C.3.2
Application Role Is Renamed in the Policy Store
C.3.3
Application Role Name Is Reused in the Policy Store
C.3.4
Application Role Reference Is Added to a Repository in Offline Mode
C.4
Resolving SSL Communication Problems
C.5
Resolving Issues with BI System User Credentials
C.6
Resolving Custom SSO Environment Issues
C.7
Resolving RSS Feed Authentication When Using SSO
D
Managing Security for Dashboards and Analyses
D.1
Managing Security for Users of Oracle BI Presentation Services
D.1.1
Where Are Oracle BI Presentation Services Security Settings Made?
D.1.2
What Are the Security Goals in Oracle BI Presentation Services?
D.1.3
How Are Permissions and Privileges Assigned to Users?
D.2
Using Oracle BI Presentation Services Administration Pages
D.2.1
Understanding the Administration Pages
D.2.2
Working with Catalog Groups
D.2.2.1
Creating Catalog Groups
D.2.2.2
Deleting Catalog Groups
D.2.2.3
Editing Catalog Groups
D.2.3
Managing Presentation Services Privileges
D.2.3.1
What Are Presentation Services Privileges?
D.2.3.2
Setting Presentation Services Privileges for Application Roles
D.2.3.3
Default Presentation Services Privilege Assignments
D.2.4
Managing Sessions in Presentation Services
D.3
Determining a User's Privileges and Permissions in Oracle BI Presentation Services
D.3.1
Rules for Determining a User's Privileges or Permissions
D.3.2
Example of Determining a User's Privileges with Application Roles
D.3.3
Example of Determining a User's Permissions with Application Roles
D.3.4
Example of Determining a User's Privileges with Deprecated Catalog Groups
D.3.5
Example of Determining a User's Permissions with Deprecated Catalog Groups
D.4
Providing Shared Dashboards for Users
D.4.1
Understanding the Catalog Structure for Shared Dashboards
D.4.2
Creating Shared Dashboards
D.4.3
Testing the Dashboards
D.4.4
Releasing Dashboards to the User Community
D.5
Controlling Access to Saved Customization Options in Dashboards
D.5.1
Overview of Saved Customizations in Dashboards
D.5.2
Administering Saved Customizations
D.5.2.1
Privileges for Saved Customizations
D.5.2.2
Permissions for Saved Customizations
D.5.3
Permission and Privilege Settings for Creating Saved Customizations
D.5.4
Example Usage Scenario for Saved Customization Administration
D.6
Enabling Users to Act for Others
D.6.1
Why Enable Users to Act for Others?
D.6.2
What Are the Proxy Levels?
D.6.3
Process of Enabling Users to Act for Others
D.6.3.1
Defining the Association Between Proxy Users and Target Users
D.6.3.2
Creating Session Variables for Proxy Functionality
D.6.3.3
Modifying the Configuration File Settings for Proxy Functionality
D.6.3.4
Creating a Custom Message Template for Proxy Functionality
D.6.3.5
Assigning the Proxy Privilege
Index