Granting Privileges to Users

You can control users' access to the BI Beans Catalog by setting user privileges. The following list describes the interfaces that support setting user privileges and the classes that implement these interfaces by default:

Security framework

Each folder has an access control list, which is an object that implements the Acl interface. The persistence service extends the Acl interface to provide extra functionality; this subinterface is the AclObject interface. Each entry in the access control list associates a user with a privilege.

Constants for levels of access

The following constants, which are defined in the oracle.dss.bicontext.Privilege class, identify different levels of access that you can grant to users, from the lowest level of control to the highest:

All privileges imply lower privileges. For example, a user who can write to a folder can also list the contents, read the contents, and add subfolders. The only thing that such a user cannot do is to set privileges on the folder.

Default access

Access is granted at the folder level only and applies to all subfolders and objects in that folder. That is, by default for each folder, all users inherit the access that they have to that folder's parent folder. For example, if you have write access to a folder, you have write access to every object in that folder. Similarly, a subfolder inherits the users from its parent folder. To change access to a subfolder, you must specify privileges for each user.

Important: In order for one user to change or grant privileges to another user on a folder, the grantor must have FULL_CONTROL privileges for that folder.

The following table lists various methods in the first column. For each method, the second column indicates the type of privilege that is required to execute the method for folders, while the third column indicates the type of privilege for objects. A value of NA indicates that the method does not apply.

| Method Name | Folder | Object |
|---|---|---|
| bind | NA | ADD_FOLDER |
| rebind | NA | WRITE |
| lookup | LIST | READ |
| unbind | NA | WRITE |
| rename | ADD_FOLDER for the folder that you are renaming and WRITE privileges for the parent of the folder that you are renaming | WRITE |
| list | LIST | NA |
| listBindings | LIST | NA |
| getObject | LIST | READ |
| createSubcontext | ADD_FOLDER | NA |
| destroySubcontext | WRITE | NA |
| copy | READ for the folder that you are copying and all of its subfolders, LIST for its parent folder, and ADD_FOLDER for the copy target | READ for the object that you are copying and ADD_FOLDER for the copy target |
| move | WRITE for the folder that you are moving, LIST for all of its subfolders and for its parent folder, and ADD_FOLDER for the move target | WRITE for the object that you are moving and ADD_FOLDER for the move target |
| getAttributes | No privilege required | LIST |
| modifyAttributes | ADD_FOLDER | WRITE |
| search | LIST | NA |
| addEntries | FULL_CONTROL | NA |
| removeEntries | FULL_CONTROL | NA |
| checkUserPrivileges | LIST | NA |
| getUserPrivileges | LIST | NA |
| entries | LIST | NA |
| listDependents | NA | No privilege required |
| associate | READ for both the folder to associate and the target folder | READ for both the object to associate and the target object |
| disassociate | READ for both the folder to disassociate and the target folder | READ for both the object to disassociate and the target object |
| listAssociates | LIST | LIST |
| listReferringAssociates | LIST | LIST |
| getassociateObject | READ for both the folder whose association you want and for the target association | READ for both the object whose association you want and for the target association |

Considerations in assigning privileges

As you assign privileges to folders, consider what your users will want to do. Users might need adequate privileges for several different folders in order to complete a task that they want to do. For example, to copy an object from one folder to another, the user might need privileges on several folders.

The following diagram shows a sample file structure. The folder MyFolder has two subfolders: MyFebruarySalesFolder and MyMarchSalesFolder. The folder MyFebruarySalesFolder has two objects: MyFebruaryBarGraph and MyFebruaryCrosstab. The folder MyMarchSalesFolder has two subfolders: MyCrosstabFolder and MyGraphsFolder.

[Diagram: folder structure described in the preceding text]

Suppose you, as a user, want to copy MyFebruaryBarGraph to MyGraphsFolder in MyMarchSalesFolder, where you will update it with March data. You can do this through the BI Explorer, through the persistence object chooser, or by using methods on the StorageManager. You must, however, have the following permissions:

  1. You must have at least LIST privilege to MyFolder, in order to list the items at all.

  2. You must have at least READ privilege to MyFebruarySalesFolder in order to copy MyFebruaryBarGraph from the folder.

  3. You must have at least LIST permission to MyMarchSalesFolder, in order to list MyCrosstabFolder and MyGraphsFolder.

  4. You must have at least WRITE permission to MyGraphsFolder, in order to copy an object into it.
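
The four checks above, worked through as an added example: a stand-alone Python model, not BI Beans code and not its API. The level ordering is inferred from the description of implied privileges, per-user inheritance from the parent folder is an assumption of the model, and the users admin and analyst are constructed.

```python
# Added model of the page's privilege rules; it does not call the BI Beans API.
# Order inferred from the text: WRITE implies LIST, READ and ADD_FOLDER.
LEVELS = ["LIST", "READ", "ADD_FOLDER", "WRITE", "FULL_CONTROL"]

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.acl = {}  # explicit entries only: user -> privilege name

    def effective(self, user):
        # Assumption: explicit entry wins per user; else inherit from nearest ancestor.
        node = self
        while node is not None:
            if user in node.acl:
                return node.acl[user]
            node = node.parent
        return None

    def allows(self, user, needed):
        held = self.effective(user)
        return held is not None and LEVELS.index(held) >= LEVELS.index(needed)

    def grant(self, grantor, user, privilege):
        # Only a grantor with FULL_CONTROL on this folder may set privileges.
        if not self.allows(grantor, "FULL_CONTROL"):
            raise PermissionError(f"{grantor} lacks FULL_CONTROL on {self.name}")
        self.acl[user] = privilege

def missing(user, requirements):
    # List (folder, needed, held) for every requirement the user does not meet.
    return [(f.name, need, f.effective(user))
            for f, need in requirements if not f.allows(user, need)]

def build_sample():
    # Folder names from the page; users "admin" and "analyst" are constructed.
    root = Folder("MyFolder")
    feb = Folder("MyFebruarySalesFolder", root)
    march = Folder("MyMarchSalesFolder", root)
    graphs = Folder("MyGraphsFolder", march)
    root.acl["admin"] = "FULL_CONTROL"  # bootstrap entry for the owner
    root.grant("admin", "analyst", "LIST")
    feb.grant("admin", "analyst", "READ")
    # Steps 1-4; the table's copy row lists ADD_FOLDER for the target, which WRITE implies.
    steps = [(root, "LIST"), (feb, "READ"), (march, "LIST"), (graphs, "WRITE")]
    return graphs, steps

if __name__ == "__main__":
    graphs, steps = build_sample()
    print(missing("analyst", steps))  # inherited LIST on the target falls short
```

Running missing() before assigning privileges shows which folder blocks the task and which inherited level the user actually holds there.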
