Detailed List of Steps for Setting Up Security in Oracle Business Intelligence

Follow these steps to set up security in a new installation of Oracle Business Intelligence. Some tasks are mandatory, some are optional, and some are conditionally required depending on the configuration choices that you make. You might also refer to this section if you are maintaining an existing installation of Oracle Business Intelligence.

After you have installed Oracle Business Intelligence, you typically evaluate the product using the sample application. Later, you typically create and develop your own users, groups, and application roles iteratively to meet your business requirements.

Oracle recommends that you complete these post-installation tasks in the following order:

  1. Read this chapter for an overview of security concepts, tools, and terminology. In particular, you should familiarize yourself with the Oracle Business Intelligence components and tools for configuring security by reading Using Tools to Configure Security in Oracle Business Intelligence.
  2. Learn about users, groups, and application roles by reading the summary in Working with Users, Groups, and Application Roles.
  3. Decide which authentication provider to use to authenticate users, as follows:
    • If you want to use the default embedded WebLogic LDAP Server, then follow the tasks listed in Step 4.
    • If you want to reconfigure Oracle Business Intelligence to use an alternative authentication provider such as Oracle Internet Directory (OID), then follow the tasks listed in Step 5.

      Tip:

      Oracle does not recommend using WebLogic Embedded LDAP Server in an environment with more than 1000 users. If you require a production environment with high availability and scalability, then you should use a directory server such as Oracle Internet Directory (OID) or a third-party directory server.

      For information about where to find the full list of supported authentication providers, see System Requirements and Certification.

  4. (Embedded WebLogic LDAP Server-specific) If you are using the default embedded WebLogic LDAP Server as the authentication provider, do the following:
    1. Set up the users that you want to deploy as described in Creating a New User in the Embedded WebLogic LDAP Server.

      For example, if you want to deploy Oracle Business Intelligence to 20 people who need to view analyses, you might create 20 users.

    2. If you want to create new groups, set up the groups that you want to use as described in Creating a New Group in the Embedded WebLogic LDAP Server.
    3. Assign your users to appropriate groups, as described in Assigning a User to a Group in the Embedded WebLogic LDAP Server.
    4. Assign groups of users to application roles.

      For detailed steps, see Assigning a User to a New Group, and a New Application Role.

  5. (Oracle Internet Directory (OID) specific) If you are using OID as the authentication provider, do the following:
    1. Configure OID as the authentication provider as described in High-Level Steps for Configuring an Alternative Authentication Provider.
    2. Use your authentication provider tools (for example, OID Console) to create your users and groups as required.
  6. Set up the application roles that you want to deploy as described in Creating and Deleting Application Roles Using Fusion Middleware Control.

    For example, you might use BIConsumer, BIContentAuthor, and BIServiceAdministrator, or you might create your own application roles.

  7. (Optional) If you do not want to use existing application policies, you can set up the application policies that you want to deploy as described in Creating Application Policies Using Fusion Middleware Control.

    For example, you might use the application policies that are used by the sample application roles BIConsumer, BIContentAuthor, and BIServiceAdministrator, or you might create your own application policies.

  8. Assign each group to an appropriate application role, as follows:
  9. If you want to fine-tune the permissions that users and groups have in the Oracle BI repository, use the Administration Tool to update the permissions as described in Managing Metadata Repository Privileges Using the Oracle BI Administration Tool.

    For example, you might want to enable an application role called BISuperConsumer to create analyses, so you use the Administration Tool to change the Read access to a subject area to Read/Write access.

    Note:

    If you are using the default SampleAppLite.rpd file in a production system, you should change the password from its installed value, using the Administration Tool. For more information about the SampleAppLite repository file, see About the SampleApp.rpd Demonstration Repository in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

  10. If you want to fine-tune the permissions that users and groups have in Presentation Services, use the Presentation Services Administration page to change the permissions as described in Managing Presentation Services Privileges Using Application Roles.

    For example, you might want to prevent an application role called BISuperConsumer from viewing scorecards, so you use the Presentation Services Administration page to change the Scorecard\View Scorecard privileges for BISuperConsumer from Granted to Denied.

  11. If you want to deploy Single Sign-On, follow the steps in Enabling SSO Authentication.
  12. If you want to deploy secure sockets layer (SSL), follow the steps in Configuring SSL in Oracle Business Intelligence.

    Oracle Business Intelligence is installed with SSL turned off. If you want to deploy Oracle Business Intelligence in an SSL environment, follow the steps in Configuring SSL in Oracle Business Intelligence.
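
The user, group, and application role assignments from steps 3 through 8 can be reviewed offline before go-live. The following is an added example, not Oracle code: the inventory dictionaries are constructed sample data, the group names and function names are hypothetical, and the role names are the ones used as examples above.

```python
# Added example: reviews a constructed inventory of users, groups and
# application roles against the assignments described in steps 3 to 8.
EMBEDDED_LDAP_USER_LIMIT = 1000  # from the Tip in step 3

def effective_roles(user, user_groups, group_roles, defined_roles):
    """Defined application roles a user receives through group membership."""
    roles = set()
    for group in user_groups.get(user, ()):
        roles.update(group_roles.get(group, ()))
    return roles & set(defined_roles)

def review_setup(provider, user_groups, group_roles, defined_roles):
    """Return findings, in a stable order, for one planned deployment."""
    findings = []
    if provider == "embedded" and len(user_groups) > EMBEDDED_LDAP_USER_LIMIT:
        findings.append(f"embedded LDAP holds {len(user_groups)} users, "
                        f"above the recommended {EMBEDDED_LDAP_USER_LIMIT}")
    groups = {g for member_of in user_groups.values() for g in member_of}
    for group in sorted(groups | set(group_roles)):
        roles = group_roles.get(group, ())
        if not roles:
            findings.append(f"group {group} has no application role")
        for role in roles:
            if role not in defined_roles:
                findings.append(f"group {group} maps to undefined role {role}")
    for user in sorted(user_groups):
        if not effective_roles(user, user_groups, group_roles, defined_roles):
            findings.append(f"user {user} reaches no application role")
    return findings

# Constructed sample inventory (hypothetical users and groups).
DEFINED_ROLES = {"BIConsumer", "BIContentAuthor", "BIServiceAdministrator"}
USER_GROUPS = {
    "alice": ["Analysts"],
    "bob": ["Authors", "Analysts"],
    "carol": [],               # created in step 4.1 but never added to a group
    "dave": ["Contractors"],
}
GROUP_ROLES = {
    "Analysts": ["BIConsumer"],
    "Authors": ["BIContentAuthor"],
    "Contractors": [],         # group exists but step 8 was skipped for it
    "Admins": ["BISuperConsumer"],  # role used but never created in step 6
}

if __name__ == "__main__":
    for line in review_setup("embedded", USER_GROUPS, GROUP_ROLES, DEFINED_ROLES):
        print(line)
```
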