Managing Security for Users of Presentation Services

As a system administrator, you must configure a business intelligence system so that all functionality, including administrative functionality, is secured: access is provided only to authorized users who are allowed to perform the appropriate operations. You must also configure the system to secure all middle-tier communications.

Security Settings in Presentation Services

Security settings that affect users of Presentation Services are made in the following Oracle Analytics Server components:

  • Use the Model Administration Tool to perform the following tasks:

    • Set permissions for business models, tables, columns, and subject areas.

    • Specify database access for each user.

    • Specify filters to limit the data accessible by users.

    • Set authentication options.

  • Presentation Services Administration enables setting privileges for users to access features and functions such as editing views and creating agents and prompts.

  • Presentation Services enables assigning permissions for objects in the Presentation Catalog.

Note:

Security Administrators should advise report users not to edit Subject Area security privileges within Presentation Services. The Security Administrator should enforce data security.

What Are the Security Goals in Oracle BI Presentation Services?

This topic provides guidelines for security with Oracle BI Presentation Services.

When maintaining security in Presentation Services, you must ensure the following:

  • Only the appropriate users can sign in and access Presentation Services. You must assign sign-in rights and authenticate users through the BI Server.

    Authentication is the process of using a user name and password to identify someone who is logging on. Authenticated users are then given appropriate authorization to access a system, in this case Presentation Services. Presentation Services doesn't have its own authentication system; it relies on the authentication system that it inherits from the BI Server.

    All users who sign in to Presentation Services are granted the AuthenticatedUser role and any other roles that they were assigned in Fusion Middleware Control.

    For information about authentication, see About Authentication.

  • Users can access only the objects that are appropriate to them. You apply access control in the form of permissions, as described in Visualizing Data in Oracle Analytics Server.

  • Users have the ability to access features and functions that are appropriate to them. You apply user rights in the form of privileges. Example privileges are Edit system wide column formats and Create agents.

    Users are either granted or denied a specific privilege. These associations are created in a privilege assignment table, as described in Managing Presentation Services Privileges.

You can configure Oracle Analytics Server to use the single sign-on feature from the web server. Presentation Services can use this feature when obtaining information for end users. See Enable SSO Authentication.

How Are Permissions and Privileges Assigned to Users?

When you assign permissions and privileges in Presentation Services, you can assign them in one of the following ways:

  • To application roles — This is the recommended way of assigning permissions and privileges. Application roles provide much easier maintenance of users and their assignments. An application role defines a set of permissions granted to a user or group that has that role in the system's identity store. An application role is assigned in accordance with specific conditions. As such, application roles are granted dynamically based on the conditions present at the time authentication occurs.

    See About Application Roles.

  • To individual users — You can assign permissions and privileges to specific users, but such assignments can be more difficult to maintain and so this approach isn't recommended.