Managing Presentation Services Privileges Using Application Roles

The catalog for your service instance includes a security policy for Presentation Services privileges. These privileges confer permissions for accessing specific Presentation Services functionality such as access to answers, access to dashboards as well as permissions on catalog objects such as folders and analyses.

When you create a service instance or import a BI application archive file into a service instance, the security policy for the catalog (Presentation Services Privileges) is imported from the BI application archive file. The service administrator can modify the catalog security policy.

You use application roles to manage privileges.

When groups are assigned to application roles, the group members are automatically granted associated privileges in Presentation Services. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of application roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

About Presentation Services Privileges

Presentation Services privileges are managed in the Presentation Services Administration Manage Privileges page, and they grant or deny access to Presentation Services features, such as the creation of analyses and dashboards. Presentation Services privileges have no effect in other Oracle Business Intelligence components.

Being a member of an application role that has been assigned Presentation Services privileges will grant those privileges to the user. The Presentation Services privileges assigned to application roles can be modified by adding or removing privilege grants using the Manage Privileges page in Presentation Services Administration.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

The following topics explain how to manage Presentation Services privileges using application roles in Presentation Services Administration Manage Privileges page:

Setting Presentation Services Privileges for Application Roles

If you create an application role, you must set appropriate Presentation Services privileges to enable users with the application role to perform various functional tasks.

For example, you might want users with an application role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named Create Invoke Action.

Presentation Services privileges cannot be assigned using the administrative interfaces used to manage the policy store. If you create a new application role to grant Oracle Business Intelligence permissions, then you must set Presentation Services privileges for the new role in addition to any Oracle Business Intelligence permissions.

Note:

Presentation Services privileges can be assigned to a new application role programmatically using SecurityService Service. For more information, see SecurityService Service in Integrator's Guide for Oracle Business Intelligence Enterprise Edition

To set Presentation Services privileges for an application role:

  1. Log in to Oracle BI Presentation Services as a user with Administrator privileges.

    For more information, see Using Presentation Services Administration Page.

  2. From the Home page in Presentation Services, select Administration.

    Description of GUID-EC7388C8-A133-4A01-8195-A85010CF97BB-default.gif follows
    Description of the illustration GUID-EC7388C8-A133-4A01-8195-A85010CF97BB-default.gif

    Note:

    If you log in as a user without Administrator privileges, the Administration option is not displayed.


    Description of GUID-8DCBF78D-5B8F-4561-BDAB-F474A57C0E6C-default.gif follows
    Description of the illustration GUID-8DCBF78D-5B8F-4561-BDAB-F474A57C0E6C-default.gif

  3. In the Security area, click Manage Privileges to display the Manage Privileges page.

    This page enables you to view application roles for Presentation Services privileges.


    Description of GUID-377C35F8-9A28-4160-9B9D-D78DFCC281A1-default.gif follows
    Description of the illustration GUID-377C35F8-9A28-4160-9B9D-D78DFCC281A1-default.gif

  4. Click an application role next to the privilege that you want to administer.

    For example, to administer the privilege named Access to Scorecard for the application role named BIConsumer, you would click the BIConsumer link next to Access to Scorecard.


    Description of GUID-36D87096-3F69-468A-9623-77AFA5DB47B0-default.gif follows
    Description of the illustration GUID-36D87096-3F69-468A-9623-77AFA5DB47B0-default.gif

    Use the Privilege <privilege_name> dialog to add application roles to the list of permissions, and grant and revoke permissions from application roles. For example, to grant the selected privilege to an application role, you must add the application role to the Permissions list.

  5. Add an application role to the Permissions list, as follows:
    1. Click Add Users/Roles.
    2. Select Application Roles from the list and click Search.
    3. Select the application role from the results list.
    4. Use the shuttle controls to move the application role to the Selected Members list.
    5. Click OK.
  6. Set the permission for the application role by selecting Granted or Denied in the Permission list.

    Note:

    Explicitly denying a Presentation Services permission takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

  7. Save your changes.

Note:

Existing Catalog groups are migrated during the upgrade process. Moving an existing Oracle BI Presentation Catalog security configuration to the role-based Oracle Fusion Middleware security model based requires that each Catalog group be replaced with a corresponding application role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding application role that grants the same Oracle BI Presentation Catalog privileges. You can then delete the original Catalog group from Presentation Services.

Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic

The BI Server and Presentation Services client support industry-standard security for login and password encryption.

When an end user enters a user name and password in the web browser, the BI Server uses the Hypertext Transport Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit), preventing unauthorized users from accessing data or Oracle Business Intelligence metadata.

At the database level, Oracle Business Intelligence administrative users can implement database security and authentication. Finally, a proprietary key-based encryption provides security to prevent unauthorized users from accessing the metadata repository.