Managing Application Roles and Application Policies Using Fusion Middleware Control

Application roles and application policies provide permissions for users and groups.

For detailed information about using Fusion Middleware Control, see Administering Oracle Fusion Middleware.

Tip:

After creating a new service instance or importing a BI application archive (BAR) file into a service instance, you should first check the security policy in the service instance to ensure that the users and groups from your Identity Store are mapped correctly to the application roles defined in the service instance. Each BI application archive file can contain its own security policy. Therefore it is good practice to check the security policy on your service instance after importing a BI application archive file.

Typically a BI application archive file that contains the BI metadata for an application will contain pre-defined application roles that can be used to provision users with permission to use BI functionality and access BI folders, analyses, subject areas etc. For example, the sample application contains the sample application roles BIConsumer, BIContentAuthor and BIServiceAdministrator. In order to provision users with permissions and privileges, you map users and (where possible) groups from the Identity Store (usually an LDAP directory) to the defined application roles. You use Oracle Enterprise Manager Fusion Middleware Control or Oracle WebLogic Scripting Tool (WLST) to perform this task.

If you want to create a more complex or fine grained security model, you might create your own application roles and application policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new application role called BIContentMarketing, and provide it with appropriate privileges.

To set up the application roles that you want to deploy, follow the procedures in the sections below.

Displaying Application Policies and Application Roles Using Fusion Middleware Control

This section explains how to use Fusion Middleware Control to access the pages that manage application roles and application policies.

To display application policies and application roles using Fusion Middleware Control:

  1. Log in to Fusion Middleware Control.

    For more information, see Using Oracle Fusion Middleware Control.

  2. Select the Target Navigation icon to open the navigation pane.
  3. From the navigation pane expand the Business Intelligence folder and select biinstance.
  4. Choose one of the following options:
    • Right-click biinstance and choose Security from the menu, then Application Policies or Application Roles.

    • Alternatively from the content pane, click Business Intelligence Instance to display a menu, then choose Security, and Application Policies or Application Roles.

      Other Fusion Middleware Control Security menu options are not available from these menus.

  5. (Optional) An alternative to Steps 3 and 4 is to expand the WebLogic Domain folder, then right-click the domain name (or click the WebLogic Domain menu).

    A Security menu displays with appropriate menu options.

    Other Fusion Middleware Control menu options are available from this menu.

  6. Choose Application Policies or Application Roles to display either the Application Policies page or the Application Roles page.
    • If the obi application stripe is displayed by default

      Oracle Business Intelligence policies or roles are displayed.

    • If the obi application stripe is not displayed by default

      You must search using the obi application stripe to display Oracle Business Intelligence policies or roles.

    The screen below shows the Application Policies page.

    The screen below shows the Application Roles page.

Creating and Deleting Application Roles Using Fusion Middleware Control

This section explains how to work with application roles, and how to create, delete, and manage application roles using Fusion Middleware Control.

In a new Oracle Business Intelligence deployment, you typically create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment based on either the sample application or the starter application might include three application roles: BIConsumer, BIContentAuthor, and BIServiceAdministrator. As a BI system administrator or service administrator, you should not change the application roles or the permission sets assigned to the application roles that have been delivered in a BAR file.

Oracle Business Intelligence application roles represent a role that a user has. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. The administrator of a service instance can create and modify application roles in your service instance. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to application roles.

Note:

Before creating a new application role and adding it to your Oracle Business Intelligence service instance, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. For more information, see Granting Permissions To Users Using Groups and Application Roles.

For more information about creating application roles, see Managing the Policy Store in Securing Applications with Oracle Platform Security Services.

Note:

For advanced-level information about using a BI repository in offline mode, see Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic.
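The membership and inheritance rules described in this section, modelled in Python as an added example (not Oracle's code or this page's own): groups mapped to application roles, application roles nested inside other application roles, and the circular-dependency check that the Note above asks for, applied before a member is added. Apart from the role and group names this page already uses, every role, group, user and permission name is a constructed sample value.

```python
# Constructed sample hierarchy: the sample-application roles named on this page,
# BIConsumerMarketing/BIMarketingGroup from the group-assignment example, and
# hypothetical names elsewhere. Members are tagged with the Add Principal Type.
ROLE_MEMBERS = {
    "BIConsumer": [("role", "BIContentAuthor"), ("group", "BIMarketingGroup")],
    "BIContentAuthor": [("role", "BIServiceAdministrator")],
    "BIServiceAdministrator": [("group", "BIAdminsGroup")],
    "BIConsumerMarketing": [("group", "BIMarketingGroup")],
}
# Identity-store group membership; in a real deployment this comes from LDAP.
GROUP_MEMBERS = {"BIMarketingGroup": ["alice"], "BIAdminsGroup": ["bob"]}
# Application policies (grantee role -> grants); permission names are placeholders.
POLICY_GRANTS = {
    "BIConsumer": {"PLACEHOLDER_view_reports"},
    "BIContentAuthor": {"PLACEHOLDER_edit_reports"},
    "BIServiceAdministrator": {"PLACEHOLDER_manage_repositories"},
    "BIConsumerMarketing": {"PLACEHOLDER_view_marketing_area"},
}


def find_cycle(role_members):
    """Return the roles forming a membership cycle (first role repeated at the
    end), or None if the hierarchy is acyclic. Edges run role -> member role."""
    def visit(role, path):
        if role in path:
            return path[path.index(role):] + [role]
        for kind, member in role_members.get(role, []):
            if kind == "role":            # users and groups cannot nest further
                found = visit(member, path + [role])
                if found:
                    return found
        return None
    for role in role_members:
        found = visit(role, [])
        if found:
            return found
    return None


def add_member(role_members, role, kind, member):
    """Return a copy of the hierarchy with the member added, refusing any
    change that would introduce a circular dependency between roles."""
    trial = {r: list(m) for r, m in role_members.items()}
    trial.setdefault(role, []).append((kind, member))
    cycle = find_cycle(trial)
    if cycle:
        raise ValueError("would create cycle: " + " -> ".join(cycle))
    return trial


def roles_of(principal, kind, role_members, group_members):
    """Every application role the user or group belongs to, directly or by
    inheritance through its groups and through nested application roles."""
    parents = {}                          # member -> roles it is a member of
    for role, members in role_members.items():
        for k, m in members:
            parents.setdefault((k, m), set()).add(role)
    start = {(kind, principal)}
    if kind == "user":
        start |= {("group", g) for g, us in group_members.items() if principal in us}
    seen, stack = set(), list(start)
    while stack:
        for role in parents.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(("role", role))
    return seen


def effective_permissions(principal, kind, role_members, group_members, grants):
    """Union of the permission grants of every role the principal inherits."""
    roles = roles_of(principal, kind, role_members, group_members)
    return set().union(*(grants.get(r, set()) for r in roles))
```

Running `effective_permissions` for each user before applying a change in Fusion Middleware Control shows what a group-to-role assignment will actually grant through inheritance, and `add_member` rejects the edits that would loop the hierarchy.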

Creating Application Roles

There are two methods for creating a new application role:

  • Create New - Creates a new application role. You can add members at the same time or you can save the new role after naming it, and add members later.
  • Copy Existing - Creates an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as the original. Modifications can be made as needed to the copy to further customize the new application role.

Membership for an application role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an application role are users, groups, and other application roles.

Permission and permission set grants are controlled in the Application Policies page in Fusion Middleware Control. The permission and permission set grant definitions are set in the application policy, then the application policy is granted to the application role. For more information, see Creating Application Policies Using Fusion Middleware Control.

To create a new application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.

  2. Ensure the Application Stripe is obi, and click the search icon next to Role Name.

    The Oracle Business Intelligence application roles display. The screen below is displaying application roles.

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name - Enter the name of the application role avoiding any invalid characters including spaces (see Characters in Application Role Names in Securing Applications with Oracle Platform Security Services).
    • (Optional) Display Name - Enter the display name for the application role.
    • (Optional) Description - Enter a description for the application role.
  4. In the Members section, click Add to display the Add Principal page.
  5. In the Add Principal page, search for members to assign to the current application role, as follows:
    • Select Application Role, Group, or Users from the Type field drop down list.
    • Optionally enter search details into Principal Name and Display Name fields.
    • Click the search button.
    • Select from the results returned in the Searched Principals box.
    • Click OK to return to the Create Application Role page.
    • Repeat the steps until all desired members are added to the application role.
  6. Click OK to return to the Application Roles page.

    The application role just created displays in the table at the bottom of the page.

To create an application role based on an existing one:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Create Application Role page.

  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.

    The Oracle Business Intelligence application roles display.

  3. Select the application role you want to copy from the list to enable the action buttons.
  4. Click Create Like to display the Create Application Role Like page.

    The Members section displays the same application roles, groups, or users that are assigned to the original role. Complete the fields as follows:

    In the General section:

    • Role Name - Enter the name of the application role avoiding any invalid characters including spaces (see Characters in Application Role Names in Securing Applications with Oracle Platform Security Services).

    • (Optional) Display Name - Enter the display name for the application role.
    • (Optional) Description - Enter a description for the application role.
  5. In the Members section, click Add to display the Add Principal page.
  6. In the Add Principal page, search for members to assign to the current application role, as follows:
    • Select Application Role, Group, or Users from the Type field drop down list.
    • Optionally enter search details into Principal Name and Display Name fields.
    • Click the search button.
    • Select from the results returned in the Searched Principals box.
    • Click OK to return to the Create Application Role page.
    • Repeat the steps until all desired members are added to the application role.

    The screen below shows creation of the new application role MyNewRole, based upon the BIContentAuthor application role.

    The newly-created application role displays in the table at the bottom of the page. The screen shows the newly-created application role named MyNewRole based upon an existing application role.

  7. Modify the members as appropriate and click OK.

Assigning a Group to an Application Role

You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.

To assign a group to an application role:
  1. Log in to Fusion Middleware Control, and display the Application Roles page.

    For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.

    Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.

    The Oracle Business Intelligence application roles display. The screen shows the current application roles.

  3. Select an application role in the list and click Edit to display the Edit Application Role dialog, and complete the fields as follows:

    In the General section:

    • Role Name - The name of the application role; this field is read-only.
    • Display Name - The display name for the application role.
    • Description - A description for the application role.
  4. In the Members section, click Add to add the group that you want to assign to the Roles list.

    For example, if a group for marketing report consumers named BIMarketingGroup requires an application role called BIConsumerMarketing, then add the group named BIMarketingGroup to the Roles list.

  5. Click OK to return to the Application Roles page.

Deleting Application Roles

You must not delete an application role without first consulting your system administrator.

To delete an application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. Select the application role you want to delete.
  3. Click Delete, then click Yes, to confirm deletion of the application role.

Creating Application Policies Using Fusion Middleware Control

You can create application policies based on the default application policies, or you can create your own application policies.

Application policies do not apply privileges to the metadata repository or Oracle BI Presentation Catalog objects and functionality.

All Oracle Business Intelligence permissions and permission sets are provided as part of the installation and you cannot create new permissions. The application policy is the mechanism that defines the permission set and permission grants. Permission set and permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission set and permission grants are defined in an application policy. An application role, user, or group is then assigned to the application policy. This process makes the application role a grantee of the application policy.

There are two methods for creating a new application policy:

  • Create New - Create a new application policy and add permissions to it.
  • Copy Existing - Create a new application policy by copying an existing application policy. The copy is named, and existing permissions are removed or new permissions are added as needed.

    Note:

    Oracle Business Intelligence 12c makes use of permission sets as well as permissions. A permission set is a collection of permissions. It is also known as an entitlement. All of the permissions available with BI 12c are grouped into permission sets. When either the sample or starter application is imported into a service instance you will see the permission sets that have been assigned to the application roles. When an 11g upgrade bundle is imported into a service instance you will see the permissions from your 11g system, supplemented by new permission sets assigned to the migrated application roles.

    Note:

    Fusion Middleware Control only allows you to view permission set grants. It does not allow you to change the permission set grants against an application role. Fusion Middleware Control does allow you to modify permission grants against application roles. In 12c, if you need to update permission set grants against an application role you need to use the WLST command line (see Managing Application Policies with WLST Commands in Securing Applications with Oracle Platform Security Services).

For more information about creating application policies, see Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.

To create a new application policy:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.

    For information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.

  2. Select obi from the Application Stripe list, then click the search icon next to Name.
    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.
  3. Click Create to display the Create Application Grant page.
  4. To add permissions to the policy being created, click Add in the Permissions area to display the Add Permission dialog.
    • Complete the Search area and click the blue search button next to the Resource Name field.
    • Select the desired Oracle Business Intelligence permission and click Continue.
    • Modify permission details if required in the Customize page, then click Select to add the permission.

      You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

    • Repeat until all desired permissions are selected.

      Selecting non-Oracle Business Intelligence permissions has no effect in the policy.

    • To remove a permission, select it and click Delete.
  5. To add an application role, group, or user to the policy being created, click Add in the Grantee area to display the Add Principal page.
    • Complete the Search area and click the blue search button next to the Display Name field.
    • Select a principal from the Searched Principals list.
    • Click OK to display the Create Application Grant page.
    • Click OK.
    You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the tables. The following screen shows the new application policy just created with MyNewRole application role as the grantee (Principal).

To create an application policy based on an existing one:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.
  2. Select obi from the Application Stripe list, then click the search icon next to Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

  3. Select an existing policy from the table.
    The following screen shows the BIContentAuthor Principal selected with the Create Like button activated, which is used as an example in this procedure.
  4. Click Create Like to display the Create Application Grant Like page. The Permissions table automatically displays permissions granted by the policy selected.
    The following screen shows the Create Application Grant Like dialog after the BIContentAuthor policy has been selected. Note that the Permissions section displays the permission grants for the BIContentAuthor policy.
  5. To remove an item, select it and click Delete.
  6. To add application roles to the policy, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    The following screens use the MyNewRole application role as an example.

Modifying Application Roles Using Fusion Middleware Control

You can modify an application role by changing the permission grants of the corresponding application policy (if the application role is a grantee of the application policy), by changing its members, or by renaming or deleting the application role, as described in the following sections.

For more information about managing application policies and application roles, see Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.

Adding or Removing Permission Grants from an Application Role

Use this procedure if you want to change the permission grants for an application role. This is done by adding or removing the permission grants for the application policy of which the application role is a grantee.

To add or remove permission grants from an application policy:

  1. Log in to Fusion Middleware Control, and display the Application Policies page.

    For more information, see Displaying Application Policies and Application Roles Using Fusion Middleware Control.

    Whether or not the obi stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

  3. Select the application role from the Principal column and click Edit.
  4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

Adding or Removing Members from an Application Role

Members can be added to or deleted from an application role using Fusion Middleware Control. You must perform these tasks in the WebLogic Domain where Oracle Business Intelligence is installed (for example, in bifoundation_domain). Valid members of an application role are users, groups, or other application roles. Being assigned to an application role means becoming a member of that application role.

Best practice is to assign groups instead of individual users to application roles.

Note:

Be very careful when changing the permission grants and membership for the application role that is tagged as the administration application role, as changes to the permissions assigned to this application role could leave your system in an unusable state.

To add or remove members from an application role:

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. If not already displayed, select Application Stripe and obi from the list, then click the search icon next to Role Name.

    The Oracle Business Intelligence application roles are displayed.

  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page.

    You can add or delete members from the Edit Application Role page. Valid members are application roles, groups, and users.

  4. To delete a member, select the Name of the member to activate the Delete button, then click Delete.
  5. To add a member, click the Add button to display the Add Principal page.

    Search for members to assign to the current application role, as follows:

    • Select Application Role, Group, or Users from the Type field list.

    • Optionally enter search details into Principal Name and Display Name fields.

    • Click the search button.

    • Select from the results returned in the Searched Principals box.

    • Click OK to return to the Create Application Role page.

    • Repeat the steps until all desired members are added to the application role.

      The added member displays in the Members section corresponding to the application role modified in the Application Roles page. For example, the following figure shows the page for the MyNewRole application role after the Operators group has been added.

  6. Click OK in the Edit Application Role page to return to the Application Roles page.

    The members just added to the application role display in the Membership for section. If members were deleted, they no longer display.

    The following screen shows the MyNewRole application role with the recently added member Operators group displaying.

For additional information, see Managing Application Roles in Securing Applications with Oracle Platform Security Services.

Renaming an Application Role

You cannot directly rename an existing application role; you can only update the display name. To rename an application role you must create a new application role (using the same application policies used for the deleted application role), and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.

To rename an application role in the catalog and the metadata repository use the renameAppRoles command, as described in Rename Application Role Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.