As part of deploying a BI Beans application, you must bear in mind the security considerations for your application and for the databases that it will access. Internally, BI Beans does not provide mechanisms for authentication, but BI Beans does provide authorization. BI Beans allows you to use external and custom security mechanisms through the use of drivers that you plug into your application.
You can use the following three types of pluggable drivers to manage security:
Connection drivers: These drivers handle the connection to an OLAP data source and to the BI Beans Catalog. These drivers are required, so BI Beans ships with a default implementation of connection drivers. You can override and customize the connection drivers.
Authentication drivers: These drivers handle the authentication of users. The use of these drivers is optional.
User community drivers: These drivers allow an application to access a list of users from a user community. The use of these drivers is optional, and a default implementation is provided, which you can override and customize. The default implementation lists the users from the BI Beans Catalog.
These drivers can access external user community stores such as an Oracle Internet Directory (or OID -- Oracle's implementation of an LDAP service) or the Oracle RDBMS.
Before you can use any of these drivers, you must register them.
The process of managing security for a BI Beans application can be divided into two major tasks:
To establish connections for a BI Beans application:
Understand the difference between authentication and authorization. You should comprehend these concepts so that you can handle the security of your application appropriately.
Register pluggable drivers. You have the option of registering custom pluggable drivers. To register such drivers, use settings in the BI Beans configuration file or methods in the BI Beans API.
Authenticate the user. You can choose to authenticate the user in various situations.
Implement Oracle Application Server Single Sign-On. You can choose to implement a single sign-on solution to work with the BI Beans application.
Specify database connectivity information. You can use Database Access Descriptor (DAD) files to connect to an OLAP data source and to the BI Beans Catalog, as provided in the default implementation of the connection drivers. You can also specify connectivity information by implementing your own connection driver or by using methods from the BI Beans API.
To authorize access to the BI Beans Catalog:
Create a community of authorized users. The community is a list of users who can access folders in the catalog.
Grant privileges to users. You control access to the objects in the catalog by setting user privileges on folders.
Specify users for a folder and grant access. For each folder in the catalog, you specify which users can access the folder and which privileges they have.
Change access rights of a user for a folder. After granting privileges to a user for a folder, you can change that user's access rights as necessary.
As you implement the security features for an application, you work primarily with the interfaces and methods from these two packages: oracle.dss.security and oracle.dss.persistence.security.