2 Managing Duty Roles in Oracle BI Applications

Object-level and data-level security are implemented in Oracle BI Applications using Duty Roles in the Policy Store. A Duty Role defines a set of permissions that is typically granted to an Enterprise Role.

This figure illustrates how users are assigned to Enterprise Roles in the LDAP, which are associated with Duty Roles in the Policy Store.

Duty Roles are typically related to either data or object security. For example, the Oracle BI Applications repository (OracleBIApps.rpd) uses the following Duty Roles:

  • The HR Org-based Security Duty Role is used to control access to human resources data at the data security level.

  • The Human Resources Analyst Duty Role is used to control Presentation layer object visibility for the Human Resources Analyst role at the object security level.

The standard hierarchical structure of Duty Roles and users in Oracle BI Applications is typically the following: data security Duty Role, then object security Duty Role, then Enterprise Role (also called Group), then User. It is a best practice to use this structure when setting up security.

Security administrators can view, modify, and create Duty Roles in Oracle Enterprise Manager Fusion Middleware Control.

For example, BI User Fred has Enterprise Role 'Fixed Asset Accounting Manager EBS'. To provision Fred with security access for Fixed Assets Accounting reporting for EBS, you edit the BI Duty Role 'Fixed Asset Accounting Manager EBS' and add Enterprise Role 'Fixed Asset Accounting Manager EBS' as a Member.

Matching Pre-Configured Duty Roles with User Responsibilities

Pre-configured Duty Roles match responsibilities and roles in source operational applications, so that after authentication the correct roles can be applied. An administrator can check a user's responsibilities in the following ways:

  • In the Siebel or Oracle EBS operational applications, go to the Responsibilities view.

  • In PeopleSoft applications, go to the Roles view to check a user's roles.

  • In JD Edwards EnterpriseOne applications, go to the User Profiles application (P0092) to check a user's roles.

  • Individual users can view the list of Duty Roles to which they are assigned. In the Oracle BI Applications, select Signed In As, username, then My Account. Then, click the Application Roles tab to view the Duty Roles. In Presentation Services, Duty Roles are used to control the ability to perform actions (privileges) within Presentation Services.

For more information, refer to the system administrator for your source system.

Tools to View Pre-configured Duty Roles

You can use a number of BI tools to view pre-configured Duty Roles, as follows:

  • Oracle BI Administration Tool

    To view pre-configured Duty Roles using Oracle BI Administration Tool, open the repository, select Manage, then Identity. Duty Roles are visible in the Identity Manager dialog in online mode. In offline mode, only Duty Roles that have had permissions, filters, or query limits set for them appear. For this reason, it is recommended that when you work with data access security in the Oracle BI Applications repository, you use online mode.

  • Oracle Enterprise Manager Fusion Middleware Control: see Viewing Duty Roles for Oracle BI Applications.

  • Oracle Authorization Policy Manager (APM) - In Oracle APM, navigate to the 'obi' Application and use the Search options to locate Duty Roles prefixed with 'OBIA_'. Select a Duty Role, then click Open to display the <Application> | Application Role dialog. Display the External Role Mapping tab, and check that the role list contains the appropriate Enterprise Roles.

Viewing Duty Roles for Oracle BI Applications

You can view the Duty Roles for Oracle BI Applications using Oracle Enterprise Manager Fusion Middleware Control.

The following figure shows an example of additional predefined Duty Roles that are created when Oracle BI Applications is installed. The list of Duty Roles depends on your installation.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.
  2. Click Target Navigation, expand Business Intelligence, select biinstance, select Security, and then Application Roles.

    You see the list of available Duty Roles. The Membership for <Duty Role name> area displays Enterprise Roles or other Duty Roles that are associated with the selected Duty Role.

Provisioning BI Users with Duty Roles

To provision a BI User with a Duty Role, you first assign the User to an Enterprise Role/Group in LDAP, then make sure that the Enterprise Role/Group is associated with the appropriate Duty Role in the Policy Store.

BI Users are provisioned with BI Duty Roles using Enterprise Roles in the LDAP. To provision users, you typically use either Oracle Fusion Middleware, or the Oracle BI Repository initialization blocks. If you are using the default embedded Enterprise Roles in Oracle WebLogic Server LDAP, then these Enterprise Roles are associated with the appropriate Duty Roles by default, and no further configuration is required.

If you are using a different LDAP with your own set of Enterprise Roles, then you need to make sure that these are associated with the appropriate Duty Roles, by following the steps below.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.
  2. Click Target Navigation, expand Business Intelligence, select biinstance, select Security, and then Application Roles.

    You see the list of available Duty Roles.

  3. Provision a BI User with a Duty Role.
    1. Select the Duty Role that a BI User requires access to.
    2. Click Edit to display the Edit Application Role dialog.
    3. In the Member list, click Add to display the Add Principal dialog.
    4. Use the Search area to locate and select the Enterprise Role/Group that the BI User has.

      For example, User Fred has Enterprise Role "Fixed Asset Accounting Manager EBS". To provision Fred with security access for the "Fixed Assets Accounting" reporting for E-Business Suite, you edit the BI Duty Role "Fixed Asset Accounting Manager EBS" and add Enterprise Role "Fixed Asset Accounting Manager EBS" as a Member.

    5. Click OK.

Creating Duty Roles for Oracle BI Applications

You can edit or create Duty Roles.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.
  2. Click Target Navigation, expand Business Intelligence, select biinstance, select Security, and then Application Roles.

    You see the list of available Duty Roles.

  3. Click Create to display the Create Application Role dialog.

    Alternatively, select a Duty Role similar to the one that you want to create, and click Create Like. Using Create Like copies the default Members (that is, Enterprise Roles/Groups).

  4. Use the General area to specify the details.
  5. In the Member list, click Add to search for and select the Enterprise Roles/Groups that you want this Duty Role to be associated with.
  6. Click OK.

User Access Using Roles

Authorization for Oracle BI Applications is controlled by security policies (Oracle BI Applications privileges) defined for users using a role-based model.

Every Oracle Applications user is hired by their company to perform a role in the organization, for example, Payroll Manager or Accounts Payable Manager. An Oracle Applications user is granted a role and thus inherits one or more associated privileges that were granted to the role.

It is possible to grant multiple Duty Roles to a User; however, Oracle recommends that Enterprise Roles be defined so that a User is provisioned with a single Duty Role.
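The following added example (not Oracle code and not part of the original documentation) audits a role mapping against two points made on this page: an Enterprise Role from your own LDAP must be a Member of a Duty Role, and a User should be provisioned with a single Duty Role. The mapping data, the user names other than Fred, and the "ER:"/"DR:" member prefixes are constructed for illustration; the Duty Role names are the ones used as examples above.

```python
# Constructed sample data (not exported from a real Policy Store or LDAP).
# Duty Role -> Members: Enterprise Roles ("ER:") or other Duty Roles ("DR:").
DUTY_ROLE_MEMBERS = {
    "HR Org-based Security": ["DR:Human Resources Analyst"],   # data security
    "Human Resources Analyst": ["ER:HR Analysts"],             # object security
    "Fixed Asset Accounting Manager EBS": [
        "ER:Fixed Asset Accounting Manager EBS",
        "ER:HR Analysts",                                      # second direct grant
    ],
}
# Enterprise Role/Group -> users, as held in LDAP (constructed).
ENTERPRISE_ROLE_USERS = {
    "Fixed Asset Accounting Manager EBS": ["fred"],
    "HR Analysts": ["alice"],
    "Payroll Team": ["bob"],          # not a Member of any Duty Role
}

def parents_of(member):
    """Duty Roles that list `member` directly in their Member list."""
    return sorted(dr for dr, ms in DUTY_ROLE_MEMBERS.items() if member in ms)

def effective_duty_roles(user):
    """Return (direct, inherited) Duty Roles for a user, each sorted."""
    groups = [er for er, us in ENTERPRISE_ROLE_USERS.items() if user in us]
    direct = {dr for er in groups for dr in parents_of("ER:" + er)}
    seen, stack = set(direct), list(direct)
    while stack:                      # walk up the Duty Role hierarchy
        for parent in parents_of("DR:" + stack.pop()):
            if parent not in seen:    # also guards against membership cycles
                seen.add(parent)
                stack.append(parent)
    return sorted(direct), sorted(seen - direct)

def audit():
    """Flag unmapped Enterprise Roles and users with several direct Duty Roles."""
    unmapped = sorted(er for er in ENTERPRISE_ROLE_USERS
                      if not parents_of("ER:" + er))
    users = sorted({u for us in ENTERPRISE_ROLE_USERS.values() for u in us})
    multi = {}
    for user in users:
        direct, _ = effective_duty_roles(user)
        if len(direct) > 1:
            multi[user] = direct
    return {"unmapped_enterprise_roles": unmapped,
            "users_with_multiple_duty_roles": multi}

if __name__ == "__main__":
    print(audit())
    print(effective_duty_roles("alice"))
```

Duty Roles reached only through the hierarchy (here the data security Duty Role above Human Resources Analyst) are reported as inherited and do not count toward the single-Duty-Role check.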

Note that while LDAP is required for Oracle Fusion Applications environments, it is optional for other source applications.