Customizing the Default Security Configuration

You can customize the default security configuration in various ways.

Configuring a New Authentication Provider

You can configure another supported LDAP server to be the authentication provider.

Configuring BI Publisher to use an alternative external identity store is performed using the Oracle WebLogic Server Administration Console. BI Publisher delegates authentication and user population management to the authentication provider and identity store configured for the domain it is a part of. For example, if configured to use Oracle WebLogic Server's default authentication provider, then management is performed in the Oracle WebLogic Server Administration Console. If configured to use Oracle Internet Directory (OID), then the OID management user interface is used, and so on.

If using an authentication provider other than the one installed as part of the default security configuration, the default users and groups that are discussed in Default Users and Groups are not automatically present. You can create users and groups with names of your own choosing or re-create the default user and group names if the authentication provider supports this. After this work is completed, you must map the default BI Publisher application roles to different groups again. For example, if the corporate LDAP server is being used as the identity store and you are unable to re-create the BI Publisher default users and groups in it, you must map the default application roles to different groups specific to the corporate LDAP server. Use Fusion Middleware Control to map the groups to application roles.

For information about how to configure a different authentication provider, see Oracle WebLogic Server Administration Console Online Help and Administering Security for Oracle WebLogic Server 12c (12.2.1).

Configuring a New Policy Store and Credential Store Provider

The policy store and credential store can be file-based or LDAP-based.

The supported LDAP server for both stores in this release is Oracle Internet Directory. The prerequisites for using an LDAP-based store are the same for the policy store and the credential store. For more information, see “Configuring LDAP-Based Policy and Credential Stores” in Securing Applications with Oracle Platform Security Services.

Reassociating the Policy Store and Credential Store

Migrating policies and credentials from one security store to another is called reassociation.

Both policy store and credential store data can be reassociated (migrated) from a file-based store to an LDAP-based store, or from an LDAP-based store to another LDAP-based store.

Because the credential store and the policy store must both be of the same type, when reassociating one store you must reassociate the other.

For more information about reassociation and the steps required to migrate credential store and policy store data to Oracle Internet Directory, see “Reassociating with Fusion Middleware Control” in Securing Applications with Oracle Platform Security Services.

Customizing the Policy Store

The Fusion Middleware Security model can be customized for your environment by creating your own application policies and application roles.

Existing application roles can be modified by adding or removing members as needed. Existing application policies can be modified by adding or removing permission grants. For more information about managing application policies and application roles, see Securing Applications with Oracle Platform Security Services.

Note:

Before creating a new application policy or application role and adding it to the default BI Publisher security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. Best practice is to leave the default security configuration in place and first incorporate your customized application policies and application roles in a test environment. For more information, see Permission Grants and Inheritance.

Creating Application Roles Using Fusion Middleware Control

There are two methods for creating a new application role.

  • Create New — A new application role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

  • Copy Existing — A new application role is created by copying an existing application role. The copy contains the same members as the original, and is made a Grantee of the same application policy. You can modify the copy as needed to finish creating the new role.

To create a new application role:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information, see Accessing Oracle Enterprise Manager Fusion Middleware Control.

  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The BI Publisher application roles display.

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name — Enter the name of the application role.

    • (Optional) Display Name — Enter the display name for the application role.

    • (Optional) Description — Enter a description for the application role.

    In the Members section, select the users, groups, or application roles to be mapped to the application role. Then select Add Application Role or Add Group or Add Users accordingly. To search in the dialog box that displays:

    • Enter a name in the Name field and click the blue button to search.

    • Select from the results returned in the Available box.

    • Use the shuttle controls to move the desired name to the Selected box.

    • Click OK to return to the Create Application Role page.

    • Repeat the steps until all members are added to the application role.

  4. Click OK to return to the Application Roles page.

    The application role just created displays in the table at the bottom of the page.

To create an application role based on an existing one:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.
  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The BI Publisher application roles display.

  3. Select an application role from the list to enable the action buttons.
  4. Click Create Like to display the Create Application Role Like page.

    The Members section is completed with the same application roles, groups, or users that are mapped to the original role.

  5. Complete the Role Name, Display Name, and Description fields.

    The figure below shows an application role based upon BIContentAuthor after being named MyNewRole, as an example.

  6. Use Add and Delete to modify the members as appropriate and click OK.

    The application role you just created displays in the table at the bottom of the page. The figure below shows the example MyNewRole that is based upon the default BIContentAuthor application role.

Creating Application Policies Using Fusion Middleware Control

All BI Publisher permissions are provided and you cannot create new permissions. Permission grants are controlled in the Fusion Middleware Control Application Policies page.

The permission grants are defined in an application policy. An application role, user, or group, is then mapped to an application policy. This process makes the application role, user, or group a Grantee of the application policy.
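The Note above warns against circular dependencies in the role hierarchy, and the paragraph above describes how a Grantee receives permissions through an application policy. The following added example (not Oracle code, and not part of this page) models both: nested application roles, a membership check that refuses an edge that would close a cycle, and the effective permissions a group inherits through the roles it belongs to. The group name corp-analysts and the example.* permission names are constructed for the demonstration; MyNewRole and BIContentAuthor are the role names used in the procedures on this page.

```python
from collections import defaultdict

class RoleHierarchy:
    """Application roles with nested members; policies grant permissions to a Grantee."""

    def __init__(self):
        self.members = defaultdict(set)  # role -> direct members (users, groups, roles)
        self.grants = defaultdict(set)   # grantee (role/user/group) -> permissions

    def add_member(self, role, member):
        """Map a member to a role, refusing any edge that would close a cycle."""
        if member == role or self.is_member(role, of=member):
            raise ValueError(f"{member!r} -> {role!r} would create a circular dependency")
        self.members[role].add(member)

    def is_member(self, principal, of):
        """True if `principal` is a direct or transitive member of role `of`."""
        seen, stack = set(), [of]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if principal in self.members.get(node, ()):
                return True
            stack.extend(self.members.get(node, ()))
        return False

    def grant(self, grantee, *permissions):
        """Record an application policy whose Grantee is `grantee`."""
        self.grants[grantee].update(permissions)

    def effective_permissions(self, principal):
        """Direct grants plus those inherited from every role the principal belongs to."""
        perms = set(self.grants.get(principal, ()))
        for role in list(self.members):
            if self.is_member(principal, of=role):
                perms |= self.grants.get(role, ())
        return perms

def build_example():
    """Constructed hierarchy: MyNewRole nests under BIContentAuthor; the group and
    permission names are made up for this demonstration."""
    h = RoleHierarchy()
    h.grant("BIContentAuthor", "example.createReport", "example.viewReport")
    h.grant("MyNewRole", "example.scheduleReport")
    h.add_member("BIContentAuthor", "MyNewRole")       # MyNewRole inherits author grants
    h.add_member("MyNewRole", "corp-analysts")         # LDAP group mapped to the role
    try:
        h.add_member("MyNewRole", "BIContentAuthor")   # would close the loop: rejected
        cycle_rejected = False
    except ValueError:
        cycle_rejected = True
    return h, cycle_rejected
```

Running build_example() shows that corp-analysts ends up with all three permissions through inheritance, while the attempt to make BIContentAuthor a member of its own descendant is refused.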

There are two methods for creating a new application policy:

  • Create New — A new application policy is created and permissions are added to it.

  • Copy Existing — A new application policy is created by copying an existing application policy. The copy is named and existing permissions are removed or permissions are added as needed.

To create a new application policy:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.

    For information, see Accessing Oracle Enterprise Manager Fusion Middleware Control.

  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Permission.

    The BI Publisher application policies are displayed. The Principal column displays the name of the policy Grantee.

  3. Click Create to display the Create Application Grant page.

  4. To add permissions to the policy being created, click Add in the Permissions area to display the Add Permission dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

      All permissions located in the obi application stripe are displayed. For information about the BI Publisher permissions, see Default Application Roles and Permissions.

    • Select the desired BI Publisher permission and click OK. Repeat until all desired permissions are selected. Selecting non-BI Publisher permissions has no effect in the policy.

    • To remove an item, select it and click Delete.

    You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

  5. To add an application role to the policy being created, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

    • Select from the Available Roles list and use the shuttle controls to move it to Selected Roles.

    • Click OK.

    You are returned to the Application Policies page. The Principal (Grantee) and Permissions of the policy just created are displayed in the table.

To create an application policy based on an existing one:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.
  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Permission.

    The BI Publisher application policies are displayed. The Principal column displays the name of the policy Grantee.

  3. Select an existing policy from the table.

    For example, the figure below shows the BIContentAuthor Principal (Grantee) selected and the Create Like button activated.

  4. Click Create Like to display the Create Application Grant Like page. The Permissions table displays the names of the permissions granted by the policy selected.
  5. To remove an item, select it and click Delete.
  6. To add application roles to the policy, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    The following figures use the MyNewRole application role as an example.

You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the table, as shown below.

Changing Permission Grants for an Application Policy

You can change one or more permissions granted by an application policy.

To add or remove permission grants from an application policy:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.
  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The BI Publisher application policies are displayed. The Principal column displays the name of the policy Grantee.

  3. Select the name of the application role from the Principal column and click Edit.
  4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.