
Understanding Security Configuration Types

Security in the Fusion Campus Solutions Intelligence application can be broadly classified into three configuration types—user authentication, dashboard object security, and data access security. All three configuration types play a vital role in securing data.

The following list describes each security configuration type:

User authentication

When a user logs in to OBIEE to view or build dashboards and analyses, the system authenticates the user by using the Single Signon Server and the existing identity management scheme.

Dashboard object security

Users and groups are mapped to Oracle BI Application Roles, which control repository (subject areas, presentation tables, and presentation table columns) and presentation catalog (dashboards, reports, and catalog folders) privileges. When a user logs in to the system and the user's PeopleSoft security role matches an Oracle BI Server Application Role, the system automatically assigns the appropriate object permissions to the user.

Note: When you create custom dashboards in OBIEE, you can restrict access to dashboards and dashboard pages, and other Presentation Catalog objects. Use the Oracle Fusion Middleware Control to restrict access to the underlying data.

Data access security

The user's PeopleSoft security role controls the user's access to data. Data security is synchronized between the Fusion Campus Solutions Intelligence application and PeopleSoft EPM applications by creating Oracle BI Server Application Roles that match user roles. When a user navigates to a report, the data that appears is based on permissions that are granted to the user's security role, and any additional security that is applied to the Oracle BI Server Application Role.

If a user's security role does not match an Oracle BI Server group, then when the user signs on to the system and navigates to a report, the data that appears is based on permissions that are granted to the user's security role.

These steps explain the general flow of user authentication, dashboard object security, and data access security in the Fusion Campus Solutions Intelligence application:

  1. The user signs on to the Single Signon (SSO) Server.

  2. The SSO server authenticates the user by checking with the LDAP (Oracle Internet Directory) Server.

  3. The LDAP server confirms that the user is valid.

  4. The Application server is configured to get the user information from the SSO server.

    This eliminates the need for the user to log separately into PeopleSoft Internet Architecture (PIA) and OBIEE.

  5. After the user logs in, the system applies object-level security to determine the user's access to objects such as pages, reports, and components.

    Object-level security is controlled by the OBIEE Application Role with which the user is associated.

  6. When the user clicks on a report, the system applies data-level (row-level) security.

    Data-level security is controlled by the user's security role and the Oracle BI Server Application Role with which the user is associated.

  7. When the user clicks a link to drill in place to an OLTP, additional signon is not required.
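
The role matching behind steps 5 and 6, including the unmatched-role case described under data access security, can be modeled as follows. This Python code is an added example, not Oracle or PeopleSoft code; all role names, object names and row values are constructed, and it assumes that roles match by exact name, that a user's roles combine by union, and that the additional Application Role security only narrows the rows a security role allows.

```python
# Added illustration: a simplified model, not Oracle or PeopleSoft code.
# Every role name, object name and row value below is constructed sample data.

# PeopleSoft security role -> data rows (here, institution codes) it may see.
PS_ROLE_ROWS = {
    "CS_ADMISSIONS_ANALYST": {"INST_A", "INST_B"},
    "CS_FINAID_ANALYST": {"INST_A"},
    "CS_LEGACY_REPORTER": {"INST_A", "INST_B", "INST_C"},
}

# Oracle BI Application Role -> catalog objects it grants, plus an optional
# additional row restriction applied on the BI side (None = no extra filter).
APP_ROLES = {
    "CS_ADMISSIONS_ANALYST": {"objects": {"Admissions Dashboard"},
                              "row_filter": {"INST_A"}},
    "CS_FINAID_ANALYST": {"objects": {"Financial Aid Dashboard"},
                          "row_filter": None},
}


def effective_access(ps_roles):
    """Return the objects, rows and unmatched roles for one user's role list."""
    objects, rows, unmatched = set(), set(), []
    for role in ps_roles:
        allowed = set(PS_ROLE_ROWS.get(role, ()))
        app_role = APP_ROLES.get(role)  # assumption: roles match by exact name
        if app_role is None:
            # No matching Application Role: no object permissions are assigned
            # automatically, and only the security role's data permissions apply.
            unmatched.append(role)
        else:
            objects |= app_role["objects"]
            if app_role["row_filter"] is not None:
                allowed &= app_role["row_filter"]  # additional BI-side security
        rows |= allowed  # assumption: a user's roles combine by union
    return {"objects": objects, "rows": rows, "unmatched": sorted(unmatched)}


def audit_unmatched(users):
    """List users holding a security role that has no matching Application Role."""
    report = {}
    for user, roles in users.items():
        missing = effective_access(roles)["unmatched"]
        if missing:
            report[user] = missing
    return report


if __name__ == "__main__":
    sample_users = {"alice": ["CS_ADMISSIONS_ANALYST"],
                    "bob": ["CS_FINAID_ANALYST", "CS_LEGACY_REPORTER"]}
    print(audit_unmatched(sample_users))
```

Running the audit over a real export of user-to-role assignments shows which users see data governed only by their PeopleSoft security role, with no Application Role restriction layered on top.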