Terminology

The following terms are used throughout this guide:

Application Policy

Oracle Analytics Server permissions are granted by its application roles. In the default security configuration, each role conveys a predefined set of permissions. An application policy is a collection of Java EE and JAAS policies that are applicable to a specific application. The application policy is the mechanism that defines the permissions each application role grants. Permission grants are managed in the application policy corresponding to an application role.

Application Role

Represents a role a user has when using Oracle Analytics Server. It is also the container used by Oracle Analytics Server to grant permissions to members of a role. Application roles are managed in the Oracle Analytics Server console.

Authentication

The process of verifying identity by confirming the credentials presented during login.

Authentication Provider

A security provider that is used to access user and group information and is responsible for authenticating users. The default authentication provider for Oracle Analytics Server is the Oracle WebLogic Server embedded directory server, which is named DefaultAuthenticator.

Authorization

The process of granting an authenticated user access to a resource in accordance with their assigned privileges.

Catalog Groups

Catalog groups are not supported in Oracle Analytics Server.

Catalog Permissions

These rights grant access to objects that are stored in the Oracle Analytics Server Presentation Catalog. The rights are stored in the catalog and managed by Presentation Services.

Catalog Privileges

These rights grant access to features of the Oracle Analytics Server Presentation Catalog. The rights are stored in the catalog and managed by Presentation Services. These privileges are either granted or denied.

Credential Store

An Oracle Analytics Server credential store is a file used to securely store system credentials used by the software components. This file is automatically replicated across all machines in the installation.

Credential Store Provider

The credential store is used to securely store and manage credentials that are used internally between Oracle Analytics Server components. For example, SSL certificates are stored here.

Encryption

A process that enables confidential communication by converting plain text information (data) to unreadable text that can be read only with the use of a key. Secure Sockets Layer (SSL) enables secure communication over TCP/IP networks, such as web applications communicating through the Internet.

Identity Store

An identity store contains user name, password, and group membership information. In Oracle Analytics Server, the identity store is typically a directory server and is what an authentication provider accesses during the authentication process. For example, when a user name and password combination is entered at login, the authentication provider searches the identity store to verify the credentials provided. Oracle Analytics Server can be reconfigured to use alternative identity stores.

Impersonation

Impersonation is a feature used by Oracle Analytics Server components to establish a session on behalf of a user without employing the user's password. For example, impersonation is used when Oracle BI Scheduler executes an Agent.

Oracle WebLogic Server Domain

A logically related group of Oracle WebLogic Server resources that includes an instance known as the Administration Server. Domain resources are configured and managed in the Oracle WebLogic Server Administration Console.

Permission Set

Represents a set of permissions.

Policy Store Provider

The policy store is the repository of system and application-specific policies. It holds the mapping definitions between the default Oracle Analytics Server application roles, permissions, users, and groups, all configured as part of installation. Oracle Analytics Server permissions are granted by assigning users and groups from the identity store to application roles and permission grants located in the policy store.

Policy Store

Contains the definitions of application roles, application policies, and the members (such as users, groups, and application roles) assigned to application roles. The default policy store is a file that is automatically replicated across all machines in an Oracle Analytics Server installation. A policy store can be database-based or LDAP-based.

Secure Sockets Layer (SSL)

Provides secure communication links. Depending upon the options selected, SSL might provide a combination of encryption, authentication, and repudiation. For HTTP-based links, the secured protocol is known as HTTPS.

Security Policy

The security policy defines the collective group of access rights to Oracle Analytics Server resources that an individual user or a particular application role has been granted. Where the access rights are controlled is determined by which Oracle Analytics Server component is responsible for managing the resource being requested. A user's security policy is the combination of permission and privilege grants governed by the following elements:

  • Oracle Analytics Server Presentation Catalog:

    Defines which Oracle Analytics Server Presentation Catalog objects and Presentation Services functionality can be accessed by users. Access to this functionality is managed in the Oracle Analytics Server user interface. These permissions and privileges can be granted to individual users or by membership in corresponding application roles.

  • Semantic Model:

    Defines access to the specified metadata within the semantic model. Access to this functionality is managed in the Model Administration Tool. These permissions and privileges can be granted to individual users or by membership in corresponding application roles.

  • Policy Store:

    Defines which Oracle Analytics Server and Publisher functionality can be accessed. You use the grant and revoke scripts to manage access to functionality by application role.

Security Realm

During deployment an Oracle WebLogic Server domain is created and Oracle Analytics Server is deployed into that domain. Security for an Oracle WebLogic Server domain is managed in its security realm. A security realm acts as a scoping mechanism. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. Only one security realm can be active for the domain. Oracle Analytics Server authentication is performed by the authentication provider configured for the default security realm for the WebLogic Server domain in which it is installed. Oracle WebLogic Server Administration Console is the Model Administration Tool for managing an Oracle WebLogic Server domain.

Single Sign-On

A method of authorization enabling a user to authenticate once and gain access to multiple software applications during a single browser session.

Users and Groups

A user is an entity that can be authenticated. A user can be a person, such as an application user, or a software entity, such as a client application. Every user is given a unique identifier within the identity store.