1. Managing Security for Oracle Analytics Server
  2. Set Up Security With Users, Groups, and Application Roles
  3. Manage Model Administration Tool Privileges

Manage Model Administration Tool Privileges

Use Identity Manager in the Model Administration Tool to configure security in the semantic model.

Topics:

Use Model Administration Tool

You use Model Administration Tool to configure permissions for users and application roles against objects in the semantic model.

If you log in to Model Administration Tool in online mode, then you can view all users from the WebLogic Server.

If you log in to Model Administration Tool in offline mode, you can only view references to users that have previously been assigned permissions directly in the semantic model. The best practice is to assign semantic model permissions to application roles rather than directly to users.

  1. Log in to Model Administration Tool and open a semantic model in Online Mode.
  2. Optional: Select Manage, then Identity.
  3. In the Identity Manager dialog, double-click an application role.
  4. In the Application Role <Name> dialog, click Permissions.
  5. In the Object Permissions tab view or configure the Read and Write permissions for that application role, in relation to objects and folders in the Presentation Catalog.
  6. In the Presentation pane, expand a folder, then right-click an object to display the Presentation Table <Table name> dialog.
  7. Click Permissions to display the Permissions <Table name> dialog.

Set Semantic Model Privileges for an Application Role

The semantic model for your instance includes a security policy that defines permissions for accessing different parts of the model, such as columns and subject areas.

The author of your data model uses the Model Administration Tool to maintain this security policy including assigning data model permissions to application roles.

When you import an application archive (BAR) file, Oracle Analytics Server uses the security policy for the data model in the archive file.

Best practice is to modify permissions for application roles, not modify permissions for individual users.

To view the permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and the permissions for the selected object.

  1. Open the semantic model in Model Administration Tool in Online mode.
  2. In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.
  3. Right-click the subject area or sub-folder, and select Properties to display the properties dialog.
  4. Click Permissions.
  5. In Permissions <subject area name> properties, click the Show all users/application roles if the check box is not checked.
  6. In the Permissions <subject area name> dialog, update User/Application Role permissions to match your security policy.

    For example, to enable users to create dashboards and reports, you might change the semantic model permissions for an application role from Read to Read/Write.

Manage Application Roles in the Semantic Model - Advanced Security Configuration Topic

Application role definitions are maintained in the policy store. The Administrator uses the Oracle Analytics Server Console to make any needed changes.

The semantic model maintains a copy of the policy store data to facilitate semantic model development. The Model Administration Tool displays application role data from the semantic model's copy; you aren't viewing the policy store data in real time. Policy store changes made while you are working with an offline semantic model aren't available in the Model Administration Tool until the policy store next synchronizes with the semantic model. The policy store synchronizes data with the semantic model copy whenever the BI Server restarts. If a mismatch in data is found, an error message is displayed.

While working with a semantic model in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an application role definition can be created in the Model Administration Tool to facilitate offline model development. But this is just a placeholder visible in the Model Administration Tool and isn't an actual application role. You can't create an actual application role in the Model Administration Tool.

An application role must be defined in the policy store for each application role placeholder created using the Model Administration Tool before bringing the semantic model back online. If a semantic model with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Model Administration Tool interface. Always create a corresponding application role in the policy store before bringing the semantic model back online when using role placeholders in offline semantic model development.

Manage Session Variables

System session variables are session variables that Oracle BI Server and Oracle Analytics Server Presentation Services use for specific purposes.

System session variables have reserved names that can't be used for other kinds of variables such as static or dynamic semantic model variables and non-system session variables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value.

See Work with Session Variables.

Manage Server Sessions

The Model Administration Tool Session Manager is used in online mode to monitor activity.

The Session Manager shows all users logged in to the session, all current query requests for each user, and variables and their values for a selected session. Additionally, an administrative user can disconnect any users and terminate any query requests with the Session Manager.

How often the Session Manager data is refreshed depends on the amount of activity on the system. To refresh the display at any time, click Refresh.

You can also use the Oracle Analytics Server Console to check which users are logged in to the session. See Monitor Users Who Are Signed In.

Use the Session Manager

The Session Manager contains an upper pane and a lower pane:

  • The top pane, the Session pane, shows users currently logged in to the BI Server. To control the update speed, from the Update Speed list, select Normal, High, or Low. Select Pause to keep the display from being refreshed.

  • The bottom pane contains two tabs:

    • The Request tab shows active query requests for the user selected in the Session pane.

    • The Variables tab shows variables and their values for a selected session. You can click the column headers to sort the data.

The tables describe the columns in the Session Manager dialog.

Column Name Description

Client Type

The type of client connected to the server.

Last Active Time

The time stamp of the last activity on the session.

Logon Time

The time stamp that shows when the session initially connected to the BI Server.

Repository

The logical name of the semantic model to which the session is connected.

Session ID

The unique internal identifier that the BI Server assigns each session when the session is initiated.

User

The name of the user connected.
Column Name Description

Last Active Time

The time stamp of the last activity on the query.

Request ID

The unique internal identifier that the BI Server assigns each query when the query is initiated.

Session ID

The unique internal identifier that the BI Server assigns each session when the session is initiated.

Start Time

The time of the individual query request.

  1. In the Model Administration Tool, open a semantic model in online mode and select Manage then Sessions.

  2. Select a session and click the Variables tab.

  3. To refresh the view, click Refresh.

  4. To close Session Manager, click Close.

Follow these steps to disconnect a user from a session.

  1. In the Model Administration Tool, open a semantic model in online mode and select Manage then Sessions.

  2. Select the user in the Session Manager top pane.

  3. Click Disconnect.

    The user session receives a message that indicates that the session was terminated by an administrative user. Any currently running queries are immediately terminated, and any outstanding queries to underlying databases are canceled.

  4. To close the Session Manager, click Close.

Follow these steps to terminate an active query.

  1. In the Model Administration Tool, open a semantic model in online mode and select Manage then Sessions.
  2. Select the user session that initiated the query in the top pane of the Session Manager.

    After the user is highlighted, any active query requests from that user are displayed in the bottom pane.

  3. Select the request that you want to terminate.
  4. Click Kill Request to terminate the selected request.

    The user receives a message indicating that the query was terminated by an administrative user. The query is immediately terminated, and any outstanding queries to underlying databases are canceled.

    Repeat this process to terminate any other requests.

  5. To close the Session Manager, click Close.