Oracle Business Intelligence Enterprise Edition
Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents and Other Resources
System Requirements and Certification
Conventions
New Features in Oracle Business Intelligence Security
New Features for Oracle BI EE 12c (12.2.1)
1 Introduction to Security in Oracle Business Intelligence
1.1 High-Level Roadmap for Setting Up Security in Oracle Business Intelligence
1.2 Overview of Security in Oracle Business Intelligence
1.3 About Authentication
1.4 About Authorization
1.4.1 About Application Roles
1.4.2 About the Security Policy
1.5 About Users, Groups, and Application Roles
1.6 Using Tools to Configure Security in Oracle Business Intelligence
1.6.1 Using Oracle WebLogic Server Administration Console
1.6.2 Using Oracle Fusion Middleware Control
1.6.3 Using Oracle BI Administration Tool
1.6.4 Using Presentation Services Administration
1.7 Detailed List of Steps for Setting Up Security in Oracle Business Intelligence
1.8 Comparing the Oracle Business Intelligence 11g and 12c Security Models
1.9 Terminology
2 Managing Security Using a Default Security Configuration
2.1 Working with Users, Groups, and Application Roles
2.2 An Example Security Setup of Users, Groups, and Application Roles
2.3 Managing Users and Groups in the Embedded WebLogic LDAP Server
2.3.1 Assigning a User to a New Group, and a New Application Role
2.3.2 Creating a New User in the Embedded WebLogic LDAP Server
2.3.3 Creating a New Group in the Embedded WebLogic LDAP Server
2.3.4 Assigning a User to a Group in the Embedded WebLogic LDAP Server
2.3.5 (Optional) Changing a User Password in the Embedded WebLogic LDAP Server
2.4 Managing Application Roles and Application Policies Using Fusion Middleware Control
2.4.1 Displaying Application Policies and Application Roles Using Fusion Middleware Control
2.4.2 Creating and Deleting Application Roles Using Fusion Middleware Control
2.4.2.1 Overview
2.4.2.2 Creating an Application Role
2.4.2.3 Assigning a Group to an Application Role
2.4.2.4 Deleting an Application Role
2.4.3 Creating Application Policies Using Fusion Middleware Control
2.4.4 Modifying Application Roles Using Fusion Middleware Control
2.4.4.1 Adding or Removing Permission Grants from an Application Role
2.4.4.2 Adding or Removing Members from an Application Role
2.4.4.3 Renaming an Application Role
2.5 Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
2.5.1 Overview
2.5.2 Setting Repository Privileges for an Application Role
2.5.3 Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic
2.6 Managing Presentation Services Privileges Using Application Roles
2.6.1 Overview
2.6.2 About Presentation Services Privileges
2.6.3 Setting Presentation Services Privileges for Application Roles
2.6.4 Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic
2.7 Managing Data Source Access Permissions Using Oracle BI Publisher
2.8 Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store
2.9 Deleting a User
2.10 Using the runcat Command Line Interface to Manage Security-Related Tasks in the Oracle BI Presentation Catalog
3 Using Alternative Authentication Providers
3.1 Introduction
3.2 High-Level Steps for Configuring an Alternative Authentication Provider
3.3 Setting Up Groups and Users in the Alternative Authentication Provider
3.4 Configuring Oracle Business Intelligence to Use Alternative Authentication Providers
3.4.1 Reconfiguring Oracle Internet Directory as an Authentication Provider
3.4.2 Reconfiguring Microsoft Active Directory as the Authentication Provider
3.4.3 Configuring User and Group Name Attributes in the Identity Store
3.4.3.1 Configuring User Name Attributes
3.4.3.2 Configuring Group Name Attributes
3.4.4 Configuring LDAP as the Authentication Provider and Storing Groups in a Database
3.4.4.1 Prerequisites
3.4.4.2 Creating a Sample Schema for Groups and Group Members
3.4.4.3 Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console
3.4.4.4 Configuring the Virtualized Identity Store
3.4.4.5 Testing the Configuration by Adding a Database Group to an Application Role
3.4.4.6 Correcting Errors in the Adaptors
3.4.5 Configuring a Database as the Authentication Provider
3.4.5.1 Introduction and Prerequisites
3.4.5.2 Creating a Sample Schema for Users and Groups
3.4.5.3 Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console
3.4.5.4 Configuring the Virtualized Identity Store
3.4.5.5 Troubleshooting the SQL Authenticator
3.4.5.6 Correcting Database Adapter Errors by Deleting and Recreating the Adapter
3.4.6 Configuring Identity Store Virtualization Using Fusion Middleware Control
3.4.7 Configuring Multiple Authentication Providers so that When One Fails, Users from Others can Still Log In to Oracle Business Intelligence
3.4.8 Setting the JAAS Control Flag Option
3.4.9 Configuring a Single LDAP Authentication Provider as the Authenticator
3.4.9.1 Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator
3.4.9.2 Troubleshooting
3.5 Resetting the BI System User Credential
4 Enabling SSO Authentication
4.1 SSO Configuration Tasks for Oracle Business Intelligence
4.2 Understanding SSO Authentication and Oracle Business Intelligence
4.2.1 How an Identity Asserter Works
4.2.2 How Oracle Business Intelligence Operates with SSO Authentication
4.3 SSO Implementation Considerations
4.4 Configuring SSO in an Oracle Access Manager Environment
4.4.1 Configuring a New Authenticator for Oracle WebLogic Server
4.4.2 Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server
4.5 Configuring Custom SSO Environments
4.6 Configuring SSO With SmartView
4.7 Enabling Oracle Business Intelligence to Use SSO Authentication
4.7.1 Enabling and Disabling SSO Authentication Using WLST Commands
4.7.2 Enabling SSO Authentication Using Fusion Middleware Control
4.8 Enabling the Online Catalog Manager to Connect
5 Configuring SSL in Oracle Business Intelligence
5.1 What is SSL?
5.1.1 Using SSL in Oracle Business Intelligence
5.1.2 Creating Certificates and Keys in Oracle Business Intelligence
5.2 Enabling End-to-End SSL
5.2.1 Configuring a Standard Non-SSL BIEE System
5.2.2 Configuring WebLogic SSL
5.2.2.1 Starting Only the Administration Server
5.2.2.2 Configuring HTTPS Ports
5.2.2.3 Configuring Internal WebLogic Server LDAP to Use LDAPs
5.2.2.4 Configuring Internal WebLogic Server LDAP Trust Store
5.2.2.5 Disable HTTP
5.2.2.6 Restart
5.2.2.7 Configure OWSM to Use t3s
5.2.2.8 Restart System
5.3 Enabling BIEE Internal SSL
5.4 Disabling Internal SSL
5.5 Exporting Trust and Identity for Clients
5.6 Configuring SSL for Clients
5.6.1 Exporting Client Certificates
5.6.2 Using SASchInvoke when BI Scheduler is SSL-Enabled
5.6.3 Configuring Oracle BI Job Manager
5.6.4 Enabling the Online Catalog Manager to Connect
5.6.5 Configuring the Oracle BI Administration Tool to Communicate Over SSL
5.6.6 Configuring an ODBC DSN for Remote Client Access
5.6.7 Configuring Oracle BI Publisher to Communicate Over SSL
5.7 Checking Certificate Expiry
5.8 Replacing the Certificates
5.9 Update Certificates After Changing Listener Addresses
5.10 Adding New Servers
5.11 Scaling Out an SSL-Enabled System
5.12 Enabling SSL in a Configuration Template Configured System
5.13 Manually Configuring SSL Cipher Suite
5.14 Configuring SSL Connections to External Systems
5.14.1 Configuring SSL for the SMTP Server Using Fusion Middleware Control
5.14.2 Configuring SSL when Using Multiple Authenticators
5.15 WebLogic Artifacts Reserved for BIEE Internal SSL Use
5.16 Enabling BI Composer to Launch in an SSL Environment
A Legacy Security Administration Options
A.1 Legacy Authentication Options
A.1.1 Setting Up LDAP Authentication Using Initialization Blocks
A.1.1.1 Setting Up an LDAP Server
A.1.1.2 Defining a USER Session Variable for LDAP Authentication
A.1.1.3 Setting the Logging Level
A.1.2 Setting Up External Table Authentication
A.1.3 About Oracle BI Delivers and External Initialization Block Authentication
A.1.4 Order of Authentication
A.1.5 Authenticating by Using a Custom Authenticator Plug-In
A.1.6 Managing Session Variables
A.1.7 Managing Server Sessions
A.1.7.1 Using the Session Manager
A.2 Alternative Authorization Options
A.2.1 Changes Affecting Security in Presentation Services
A.2.2 Managing Catalog Privileges Using Catalog Groups
A.2.3 Setting Up Authorization Using Initialization Blocks
B Understanding the Default Security Configuration
B.1 About Securing Oracle Business Intelligence
B.2 About the Security Framework
B.2.1 Oracle Platform Security Services
B.2.2 Oracle WebLogic Server Domain
B.3 Key Security Elements
B.4 Security Configuration Using the Sample Application
B.4.1 Default Authentication Provider
B.4.1.1 Groups and Members
B.4.1.2 Default Users and Passwords
B.4.2 Policy Store Provider
B.4.2.1 Oracle Business Intelligence Permissions
B.5 Granting Permissions To Users Using Groups and Application Roles
B.5.1 Permission Inheritance and Role Hierarchy
B.6 Common Security Tasks After Installation
B.6.1 Common Security Tasks to Evaluate Oracle Business Intelligence
B.6.2 Common Security Tasks to Implement Oracle Business Intelligence
C Troubleshooting Security in Oracle Business Intelligence
C.1 Resolving User Login Authentication Failure Issues
C.1.1 Authentication Concepts
C.1.1.1 Authentication Defaults on Install
C.1.1.2 Using Oracle WebLogic Server Administration Console and Fusion Middleware Control to Configure Oracle Business Intelligence
C.1.1.3 WebLogic Domain and Log Locations
C.1.1.4 Oracle Business Intelligence Key Login User Accounts
C.1.1.5 Oracle Business Intelligence Login Overview
C.1.2 Identifying Causes of User Login Authentication Failure
C.1.3 Resolving User Login Authentication Failures
C.1.3.1 Single User Cannot Log in to Oracle Business Intelligence
C.1.3.2 Users Cannot Log in to Oracle Business Intelligence Due to Misconfigured Authenticators
C.1.3.3 Users Cannot Log in to Oracle Business Intelligence When Oracle Web Services Manager is not Working
C.1.3.4 Users Cannot Log in to Oracle Business Intelligence - Is BI System User Authentication Working?
C.1.3.5 Users Cannot Log in to Oracle Business Intelligence - Is the External Identity Store Configured Correctly?
C.1.3.6 Users Can Log in With Any or No Password
C.1.3.7 Have Removed Default Authenticator and Cannot Start WebLogic Server
C.2 Resolving Inconsistencies with the Identity Store
C.2.1 User Is Deleted from the Identity Store
C.2.2 User Is Renamed in the Identity Store
C.2.3 Group Associated with User Name Does Not Exist in the Identity Store
C.3 Resolving Inconsistencies with the Policy Store
C.3.1 Application Role Was Deleted from the Policy Store
C.3.2 Application Role Is Renamed in the Policy Store
C.4 Resolving SSL Communication Problems
C.5 Resolving Custom SSO Environment Issues
C.6 Resolving RSS Feed Authentication When Using SSO
D Managing Security for Dashboards and Analyses
D.1 Managing Security for Users of Oracle BI Presentation Services
D.1.1 Where Are Oracle BI Presentation Services Security Settings Made?
D.1.2 What Are the Security Goals in Oracle BI Presentation Services?
D.1.3 How Are Permissions and Privileges Assigned to Users?
D.2 Using Oracle BI Presentation Services Administration Pages
D.2.1 Understanding the Administration Pages
D.2.2 Working with Catalog Groups
D.2.2.1 Migrating Catalog Groups to Application Roles
D.2.2.2 Creating Catalog Groups
D.2.2.3 Deleting Catalog Groups
D.2.2.4 Editing Catalog Groups
D.2.3 Managing Presentation Services Privileges
D.2.3.1 What Are Presentation Services Privileges?
D.2.3.2 Setting Presentation Services Privileges for Application Roles
D.2.3.3 Default Presentation Services Privilege Assignments
D.2.4 Managing Sessions in Presentation Services
D.3 Determining a User's Privileges and Permissions in Oracle BI Presentation Services
D.3.1 Rules for Determining a User's Privileges or Permissions
D.3.1.1 Task 1 - Check for an explicit record for this user
D.3.1.2 Task 2 - Check for records for this user's Catalog groups (deprecated behavior for 10g backwards compatibility only)
D.3.1.3 Task 3 - Check records for this user's application roles
D.3.1.4 Task 4 - Fall back default behavior
D.3.1.5 Task 5 - No matching records at all
D.3.2 Example of Determining a User's Privileges with Application Roles
D.3.3 Example of Determining a User's Permissions with Application Roles
D.3.4 Example of Determining a User's Privileges with Deprecated Catalog Groups
D.3.5 Example of Determining a User's Permissions with Deprecated Catalog Groups
D.4 Providing Shared Dashboards for Users
D.4.1 Understanding the Catalog Structure for Shared Dashboards
D.4.2 Creating Shared Dashboards
D.4.3 Testing the Dashboards
D.4.4 Releasing Dashboards to the User Community
D.5 Controlling Access to Saved Customization Options in Dashboards
D.5.1 Overview of Saved Customizations in Dashboards
D.5.2 Administering Saved Customizations
D.5.2.1 Privileges for Saved Customizations
D.5.2.2 Permissions for Saved Customizations
D.5.3 Permission and Privilege Settings for Creating Saved Customizations
D.5.4 Example Usage Scenario for Saved Customization Administration
D.6 Enabling Users to Act for Others
D.6.1 Why Enable Users to Act for Others?
D.6.2 What Are the Proxy Levels?
D.6.3 Process of Enabling Users to Act for Others
D.6.3.1 Defining the Association Between Proxy Users and Target Users
D.6.3.2 Creating Session Variables for Proxy Functionality
D.6.3.3 Modifying the Configuration File Settings for Proxy Functionality
D.6.3.4 Creating a Custom Message Template for Proxy Functionality
D.6.3.5 Assigning the Proxy Privilege