You can control users' access to the BI Beans Catalog by setting user privileges. The following list describes the interfaces that support setting user privileges and the classes that implement these interfaces by default:
oracle.dss.persistence.security.server.AclImpl -- Implements AclObject
oracle.dss.persistence.security.common.AclEntryImpl -- Implements AclEntry
oracle.dss.persistence.security.common.GroupImpl -- Implements bicontext.Group
oracle.dss.persistence.security.common.UserImpl -- Implements bicontext.User
oracle.dss.bicontext.Privilege -- The level of access to assign for a folder
Each folder has an access control list, which is an object that implements the Acl interface. The persistence service extends the Acl interface to provide extra functionality; this subinterface is the AclObject interface. Each entry in the access control list associates a user with a privilege.
The following constants, which are defined in the oracle.dss.bicontext.Privilege class, identify different levels of access that you can grant to users, from the lowest level of control to the highest:
LIST -- Permission only to list the contents of the folder.
READ -- Permission to read the contents of the folder (that is, to load objects).
ADD_FOLDER -- Permission to add objects and subfolders to the folder.
WRITE -- Permission to delete objects and subfolders of the folder.
FULL_CONTROL -- Full permission, including permission to set privileges. The creator of a folder is automatically granted full permission for that folder.
All privileges imply lower privileges. For example, a user who can write to a folder can also list the contents, read the contents, and add subfolders. The only thing that such a user cannot do is to set privileges on the folder.
Access is granted at the folder level only and applies to all subfolders and objects in that folder. That is, by default for each folder, all users inherit the access that they have to that folder's parent folder. For example, if you have write access to a folder, you have write access to every object in that folder. Similarly, a subfolder inherits the users from its parent folder. To change access to a subfolder, you must specify privileges for each user.
Important: In order for one user to change or grant privileges to another user on a folder, the grantor must have FULL_CONTROL privileges for that folder.
The following table lists various methods in the first column. For each method, the second column indicates the privilege that is required to execute the method on folders, while the third column indicates the privilege that is required to execute it on objects. A value of NA indicates that the method does not apply to that kind of item.
Method Name | Folder | Object
---|---|---
 | NA | ADD_FOLDER
 | NA | WRITE
 | LIST | READ
 | NA | WRITE
 | ADD_FOLDER for the folder that you are renaming and WRITE privileges for the parent of the folder that you are renaming | WRITE
 | LIST | NA
 | LIST | NA
 | LIST | READ
 | ADD_FOLDER | NA
 | WRITE | NA
 | READ for the folder that you are copying and all of its subfolders, LIST for its parent folder, and ADD_FOLDER for the copy target | READ for the object that you are copying and ADD_FOLDER for the copy target
 | WRITE for the folder that you are moving, LIST for all of its subfolders and for its parent folder, and ADD_FOLDER for the move target | WRITE for the object that you are moving and ADD_FOLDER for the move target
 | No privilege required | LIST
 | ADD_FOLDER | WRITE
 | LIST | NA
 | FULL_CONTROL | NA
 | FULL_CONTROL | NA
 | LIST | NA
 | LIST | NA
 | LIST | NA
 | NA | No privilege required
 | READ for both the folder to associate and the target folder | READ for both the object to associate and the target object
 | READ for both the folder to disassociate and the target folder | READ for both the object to disassociate and the target object
 | LIST | LIST
 | LIST | LIST
 | READ for both the folder whose association you want and for the target association | READ for both the object whose association you want and for the target association
As you assign privileges to folders, consider what your users will want to do. Users might need adequate privileges for several different folders in order to complete a task that they want to do. For example, to copy an object from one folder to another, the user might need privileges on several folders.
The following diagram shows a sample file structure. The folder MyFolder has two subfolders: MyFebruarySalesFolder and MyMarchSalesFolder. The folder MyFebruarySalesFolder has two objects: MyFebruaryBarGraph and MyFebruaryCrosstab. The folder MyMarchSalesFolder has two subfolders: MyCrosstabFolder and MyGraphsFolder.
Suppose you, as a user, want to copy MyFebruaryBarGraph to MyGraphsFolder in MyMarchSalesFolder, where you will update it with March data. You can do this through the BI Explorer, through the persistence object chooser, or by using methods on the StorageManager. You must, however, have the following permissions:
You must have at least LIST privilege to MyFolder, in order to list the items at all.
You must have at least READ privilege to MyFebruarySalesFolder, in order to copy MyFebruaryBarGraph from the folder.
You must have at least LIST permission to MyMarchSalesFolder, in order to list MyCrosstabFolder and MyGraphsFolder.
You must have at least WRITE permission to MyGraphsFolder, in order to copy an object into it.