1 Overview of Security Integration for Oracle BI Applications
This topic describes key concepts related to security in Oracle Business Intelligence Applications (Oracle BI Applications).
Security administrators can read this topic to understand Oracle BI Applications security and its preconfigured implementation.
- Terminology Used in Security
- What Security Components Are Installed By Default?
- High-Level Steps for Setting Up Security in Oracle BI Applications
- What Tools Configure Security in Oracle BI Applications?
- Duty Roles for Access to Functional Setup Manager or Configuration Manager
- Configuration Manager Permissions Reference
- Functional Setup Manager Permissions Reference
- About Managing Presentation Services Catalog Privileges in Oracle BI
- What Security Levels Does Oracle BI Applications Use?
- Related Documentation for Oracle BI Applications Security
Terminology Used In Security
As you familiarize yourself with security concepts across different parts of the BI stack, there are differences in terminology that is used in the software and documentation.
-
Enterprise Roles are also referred to as Groups, or Job Roles. For example:
- the term Enterprise Role is used in this guide, and in Oracle Fusion Applications.
- the term Group is used in Oracle WebLogic Server Administration Console and Oracle BI Administration Tool.
This guide uses the term Enterprise Role unless referring to tools that use the term Group or Job Role.
-
Duty Roles are also referred to as Application Roles. For example:
- the term Duty Role is used in this guide and in Oracle Fusion Applications.
- the term Application Role is used in Oracle Enterprise Manager Fusion Middleware Control and Oracle WebLogic Server Administration Console.
This guide uses the term Duty Role unless referring to tools that use the term Application Role.
-
Lightweight Directory Access Protocol (LDAP) refers to the Authentication Provider. For example, Oracle WebLogic Server, Oracle Internet Directory (OID), or a proprietary LDAP server and tools.
What Security Components Are Installed By Default?
After installing Oracle BI Applications on the Oracle Analytics platform, you get the following ready-to-use security components.
-
Oracle WebLogic Server LDAP, containing a set of default Enterprise Roles.
This LDAP also contains system Users that are required for BI components.
-
Oracle BI Applications
For illustrative purposes, it is assumed that you are using the default Oracle WebLogic Server LDAP and Policy Store to deploy Oracle BI Applications. For example, you might use the default security components for testing, and then migrate the Users and Enterprise Roles to a different LDAP (for example, Oracle Internet Directory) for production. If you to deploy a different LDAP, such as Oracle Internet Directory, then you can migrate Users and Enterprise Roles from Oracle WebLogic Server LDAP to that LDAP.
High-Level Steps for Setting Up Security in Oracle BI Applications
Here are the high-level steps for setting up security in Oracle BI Applications.
What Tools Configure Security in Oracle BI Applications?
Use these tools to manage security settings in Oracle BI Applications.
-
Oracle BI Applications Functional Setup Manager (FSM)
Use FSM informational tasks to set up security for Oracle BI Applications offerings and modules. See Setting Up Security with Functional Setup Manager.
-
Oracle BI Administration Tool
Use Oracle BI Administration Tool to perform tasks such as setting permissions for business models, tables, columns, and subject areas; specifying filters to limit data accessibility; and setting authentication options. See Work with Logical Tables, Joins, and Columns in Managing Metadata Repositories for Oracle Analytics Server.
-
Oracle BI Presentation Services Administration
Use Oracle BI Presentation Services Administration to perform tasks such as setting permissions to Presentation Catalog objects, including dashboards and dashboard pages. See Managing Security for Oracle Analytics Server.
-
Oracle Enterprise Manager Fusion Middleware Control
Use Oracle Enterprise Manager Fusion Middleware Control to manage the policy store, Duty Roles, and permissions for determining functional access. See Securing Resources Using Roles and Policies for Oracle WebLogic Server.
-
Oracle WebLogic Server Administration Console
Use the Administration Console to manage Users and Enterprise Roles/Groups in the Oracle WebLogic Server LDAP. You can also use the Administration Console to manage security realms, and to configure alternative authentication providers. See Managing Security for Oracle Analytics Server.
Duty Roles for Access to Functional Setup Manager or Configuration Manager
Duty Roles define a set of permissions granted typically to an Enterprise Role.
To access Configuration Manager or FSM (for Oracle BI Applications), a User must be assigned to an Enterprise Role that is associated with one of the following Duty Roles:
-
BI Applications Administrator Duty (BIA_ADMINISTRATOR_DUTY)
Users with the BI Applications Administrator Duty Role have access to all Oracle BI Applications Configuration Manager User Interfaces and all FSM User Interfaces.
-
BI Applications Implementation Manager (BIA_IMPLEMENTATION_MANAGER_DUTY)
Users with the BI Applications Implementation Manager Duty Role have access to Oracle BI Applications Configuration Manager Overview page and the Export and Import of Setup Data. In FSM, these users have access to Configure Offerings and Manage Implementation Projects User Interfaces but cannot execute a setup task.
-
BI Applications Functional Developer (BIA_FUNCTIONAL_DEVELOPER_DUTY)
Users with the BI Applications Functional Developer Duty Role have access to Oracle BI Applications Configuration Manager User Interfaces, except for the System Setup screens. In FSM, these users have access to the list of functional setup tasks assigned to them and have the ability to execute the setup tasks.
-
BI Applications Load Plan Developer (BIA_LOAD_PLAN_DEVELOPER_DUTY)
Users with the BI Applications Load Plan Developer Duty Role have access to the Load Plans page, where they can create, edit, delete, generate, execute and monitor load plans. Users with this role can view and edit fact groups, data load parameters, domains mappings, and schedules associated with a load plan.
-
BI Applications Load Plan Operator (BIA_LOAD_PLAN_OPERATORY_DUTY)
Users with the BI Applications Load Plan Operator Duty Role have limited access to the Load Plans page, where they can view the generation status and execution status details of load plans but are not able to modify them.
To grant users access to Oracle BI Applications components, see User Access to Configuration Manager, FSM, and Oracle Data Integrator in Oracle Business Intelligence Applications Installation Guide.
Configuration Manager Permissions Reference
The screens you can view in Configuration Manager depend on the duty roles to which you are assigned.
This table shows the list of Configuration Manager screens visible to each of the Oracle BI Applications roles.
Oracle BI Applications Duty Role | Configuration Manager screen | Associated Privilege |
---|---|---|
BI Applications Administrator |
Overview |
BIA_OVERVIEW_PRIV |
BI Applications Administrator |
System Setups - Define Oracle BI Applications Instance |
BIA_DEFINE_INSTANCE_PRIV |
BI Applications Administrator |
System Setups - Manage Oracle BI Applications |
BIA_MANAGE_INSTANCE_PRIV |
BI Applications Administrator |
System Setups - Manage Preferred Currencies |
BIA_MANAGE_INSTANCE_PRIV |
BI Applications Administrator |
Functional Configurations - 'Perform Functional Configurations' link to launch FSM |
BIA_FUNCTIONAL_SETUPS_PRIV |
BI Applications Administrator |
Setup Data Maintenance and Administration - Manage Domains and Mappings |
BIA_CONFIGURE_DOMAINS_PRIV |
BI Applications Administrator |
Setup Data Maintenance and Administration - Manage Data Load Parameters |
BIA_CONFIGURE_DATALOAD_PARAMS_PRIV |
BI Applications Administrator |
Setup Data Maintenance and Administration - Manage Reporting Parameters |
BIA_CONFIGURE_RPD_PARAMS_PRIV |
BI Applications Administrator |
Setup Data Export and Import - Export Setup Data |
BIA_EXPORT_SETUPS_PRIV |
BI Applications Administrator |
Setup Data Export and Import - Import Setup Data |
BIA_IMPORT_SETUPS_PRIV |
BI Applications Functional Developer |
Overview |
BIA_OVERVIEW_PRIV |
BI Applications Functional Developer |
Functional Configurations - 'Perform Functional Configurations' link to launch FSM |
BIA_FUNCTIONAL_SETUPS_PRIV |
BI Applications Functional Developer |
Setup Data Maintenance and Administration - Manage Domains and Mappings |
BIA_CONFIGURE_DOMAINS_PRIV |
BI Applications Functional Developer |
Setup Data Maintenance and Administration - Manage Data Load Parameters |
BIA_CONFIGURE_DATALOAD_PARAMS_PRIV |
BI Applications Functional Developer |
Setup Data Maintenance and Administration - Manage Reporting Parameters |
BIA_CONFIGURE_RPD_PARAMS_PRIV |
BI Applications Functional Developer |
Setup Data Export and Import - Export Setup Data |
BIA_EXPORT_SETUPS_PRIV |
BI Applications Functional Developer |
Setup Data Export and Import - Import Setup Data |
BIA_IMPORT_SETUPS_PRIV |
BI Applications Implementation Manager |
Overview |
BIA_OVERVIEW_PRIV |
BI Applications Implementation Manager |
Setup Data Export and Import - Export Setup Data |
BIA_EXPORT_SETUPS_PRIV |
BI Applications Implementation Manager |
Setup Data Export and Import - Import Setup Data |
BIA_IMPORT_SETUPS_PRIV |
Functional Setup Manager Permissions Reference
FSM roles are associated with Oracle BI Applications roles.
-
The BI Applications Administrator role (BIA_ADMINISTRATOR_DUTY) is associated to the following FSM roles:
-
ASM_FUNCTIONAL_SETUPS_DUTY
-
ASM_IMPLEMENTATION_MANAGER_DUTY
-
ASM_APPLICATION_DEPLOYER_DUTY
-
ASM_APPLICATION_REGISTRATION_DUTY
-
ASM_LOGICAL_ ENTITY_MODELING_DUTY
-
ASM_SETUP_OBJECTS_PROVIDER_DUTY
-
-
The BI Applications Implementation Manager role (BIA_IMPLEMENTATION_MANAGER_DUTY) is associated to the following Functional Setup Manager duty:
-
ASM_IMPLEMENTATION_MANAGER_DUTY
-
-
The BI Applications Functional Developer role (BIA_FUNCTIONAL_DEVELOPER_DUTY) is associated to the following Functional Setup Manager duty:
-
ASM_FUNCTIONAL_SETUPS_DUTY
-
About Managing Presentation Services Catalog Privileges in Oracle Analytics
When you add a new catalog privilege to a Duty Role in Oracle BI Presentation Services, the change is not immediately reflected in the Oracle Analytics environment.
To register the catalog privilege, both the administrator and the user must perform the following tasks:
-
The Oracle BI administrator must reload the Oracle BI Server metadata through Oracle BI Presentation Services. To reload the metadata in Oracle BI Answers, click My Profile and select Administration, and then click Reload Files and Metadata.
To manage Presentation Services catalog privileges, see Managing Security for Oracle Analytics Server.
-
Users belonging to that Duty Role must log out from the Oracle BI Applications (or from Siebel or Oracle EBS operational application if the user is looking at Oracle BI dashboards using an embedded application) and then log in again.
What Security Levels Do Oracle BI Applications Use?
Security in Oracle BI Applications can be classified broadly into three levels.
-
Object-level security. Object-level security controls the visibility to business logical objects based on a user's role. You can set up object-level security for metadata repository objects, such as business models and subject areas, and for Web objects, such as dashboards and dashboard pages, which are defined in the Presentation Catalog.
-
Data-level security. Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system.
-
User-level security (authentication of users). User-level security refers to authentication and confirmation of the identity of a user based on the credentials provided.
About Object-Level Security
Duty Roles control access to metadata objects, such as subject areas, tables and columns. For example, users in a particular department can view only the subject areas that belong to their department.
Metadata Object-Level Security in the Oracle BI Repository
Metadata object security is configured in the Oracle BI Repository, using the Oracle BI Administration Tool. The Everyone Duty Role is denied access to each of the subject areas. Each subject area is configured to give explicit read access to selected related responsibilities. This access can be extended to tables and columns. By default in Oracle BI Applications, only permissions at the subject area level have been configured.
Note:
The Siebel Communications and Financial Analytics industry applications have tables and columns that are industry-specific, and, therefore, hidden from other Duty Roles.
Oracle Analytics supports hierarchies within Duty Roles. In the policy store, there are certain Duty Roles that are parent Duty Roles, which define the behavior of all the child Duty Roles. Inheritance is used to enable permissions to ripple through to child Duty Roles.
Metadata Object-Level Security in Presentation Services
Access to Oracle BI Presentation Services objects, such as dashboards, pages, reports, and Web folders, is controlled using Duty Roles. To manage object-level security in Presentation Services, see Managing Security for Oracle Analytics Server.
About Data-Level Security
Data-level security defines what a user in an OLTP application can access inside a report. The same report, when run by two different users, can bring up different data. This is similar to how the My Opportunities view in an operational application displays different data for different users. However, the structure of the report is the same for all users, unless a user does not have access to the report subject area, in which case the report displays an error.
During installation and configuration, you must make sure the correct Duty Roles and initialization blocks are set up for your environment.
Initialization Blocks Used for Data-Level Security in Oracle BI Applications
Initialization blocks are deployed as part of your configuration using guidance provided in FSM tasks. See Setting Up Security with Functional Setup Manager.
To use FSM tasks, see Roadmap for Functional Configuration in Oracle Business Intelligence Applications Configuration Guide.
To use initialization blocks in Oracle Analytics, see Work with Initialization Blocks.
About Data-Level Security Design in Oracle BI Applications
Oracle BI Applications maintains data-level security Duty Roles that are assigned dynamically to every user at the session level. Each Duty Role has a set of filters associated with it that determines the data that each user is allowed to see. A user is assigned a Duty Role through the Authorization initialization block.
The data security design has the following features:
-
Drill down. The user can drill down on a particular position in the position hierarchy to slice the data by the next position level in the hierarchy. For example, if the initial report is defined as:
select Top Level Position, Revenue from RevenueStar
then by drilling down on a value of MyPosition in the TopLevelPosition hierarchy, the report will become:
Select Level8 Position, Revenue, where TopLevelPosition = 'MyPosition'
-
Personalized reports. Users at different levels of the Position hierarchy can use the same Position-based reports but with each user seeing the data corresponding to his or her level. In such reports, Position is a dynamic column.
For example, if a report is defined as:
select Position, Revenue from RevenueStar
the logical query for the user at the top level of the hierarchy will be:
select Top Level Position, Revenue from RevenueStar
The logical query for the user at the next level of the hierarchy will be:
select Level8 Position, Revenue from RevenueStar
-
CURRENT Position hierarchy columns. Position hierarchy columns with the prefix CURRENT contain the Current Position hierarchy at any point of time. This feature allows users to see the same data associated with the employee holding the Current Employee position at the time the report runs. This type of Analysis is called As Is.
-
Additional Position hierarchy columns. The columns EMP_LOGIN and EMPLOYEE_FULL_NAME are used at every level of the Position hierarchy to store additional information about an employee holding a particular position. In the Logical layer, the Employee path and Position path are two drill down paths under the Position hierarchy that allow the user to drill down on a position to see all positions under it. It also allows an employee to see all the employees reporting to him or her.
Implement Data-Level Security in the Oracle BI Repository
Data-level security in Oracle BI Applications is implemented in three major steps.
About User-Level Security
User security concerns the authentication and confirmation of the identity of the user based on the credentials provided, such as user name and password. By default, user-level security is set up in the embedded Oracle WebLogic Server LDAP and Policy Store in Oracle Analytics Server.
See Managing Security for Oracle Analytics Server.
Related Documentation for Oracle BI Applications Security
Oracle offers additional documentation to help you configure security for Oracle BI Applications.
When configuring security in Oracle BI Applications, in some circumstances you might need to refer to security in other areas:
-
Oracle Fusion Applications security; see the Fusion Applications Security documentation.
-
Oracle Analytics Server security implementation; see Oracle Analytics Server documentation Oracle Analytics Server documentation:
-
Managing Security for Oracle Analytics Server
-
Managing Metadata Repositories for Oracle Analytics Server
-