As part of the process for managing security for a BI Beans application, you must understand the difference between authentication and authorization so that you can handle them appropriately.
Runtime access to services is determined by the user’s credentials. The process of verifying the identity of the user is referred to as authentication. The user may be authenticated through an explicit login process or through some other security mechanism. Whatever process is used, an application is performing authentication whenever the application checks the identity of the user who is requesting access to services.
BI Beans provides a flexible architecture for implementing authentication, establishing connections, and managing user communities. By implementing interfaces, you can create custom drivers that plug into the application module, which manages communication and tracks application-wide information. These drivers control how the application authenticates the user, determine how to connect to the BI Beans Catalog and the OLAP data source, and handle communities of users.
BI Beans provides default implementations of the drivers that establish the connections to the BI Beans Catalog and to Oracle OLAP and that list users. You cannot disable the connection drivers. You can use the defaults or implement your own drivers. You can also implement an Oracle Application Server Single Sign-On solution for authentication.
The pluggable authentication and connection drivers, if registered and turned on, are invoked each time a connection to a data source is requested.
Once the user has been authenticated and a connection is in place, the process of controlling access to resources is referred to as authorization. A BI Beans application can use authentication services when establishing connections to data stores. However, once the connections are in place, BI Beans uses authorization services to control access to the BI Beans Catalog. You cannot disable these authorization services.
BI Beans provides authorization facilities for controlling access to folders in the BI Beans Catalog. You can use these features of the persistence service to build a scoping scheme that is based on the identity of the user who is requesting access to the persistence service. The scoping scheme addresses the fact that all users do not have access to all folders.
The default pluggable connection driver establishes a connection to the Oracle
database by using the Oracle database user name and password and hands back
the connection to the BI Beans Catalog runtime environment. When a user interacts
with the Catalog, the user works with only those folders for which that user
is scoped (that is, for which that user has the appropriate privileges). To
filter the Catalog view for specific users, BI Beans uses the user name that
is stored in the BIUser
object. This object is populated using
different mechanisms, as described in the following list:
For Java-client applications, the user name is obtained either from the settings in the BI Beans configuration file or through the use of methods in the BI Beans API that specify the user name.
For HTML-client applications, the user name is obtained either from the settings in the BI Beans configuration file, through the use of methods in the BI Beans API that specify the user name, or through communication with Oracle Application Server Single Sign-On.
If the user name is not known to the BI Beans Catalog, then an exception is thrown. The specified user name must exist in the Catalog. You can use scripts to populate the users in the Catalog.
BI Beans does not provide authorization facilities for controlling access to OLAP data. The identity of the user who is requesting access to Oracle OLAP is simply passed through to the Oracle database where the data resides. The database itself controls access to data based on that identity.