Using Tools to Configure Security in Oracle Business Intelligence

To configure security in Oracle Business Intelligence, you use the following tools:

Note:

To see an example of using the Oracle Business Intelligence tools to configure the installed users, groups, and application roles, see An Example Security Setup of Users, Groups, and Application Roles.

The diagram summarizes the tools that you use to configure security in an example installation of Oracle Business Intelligence that uses the embedded WebLogic LDAP Server.

For more information about managing security, see Managing Security Using a Default Security Configuration.

Using Oracle WebLogic Server Administration Console

You use Oracle WebLogic Server Administration Console to manage the WebLogic LDAP Server that enables you to authenticate users and groups.

Oracle WebLogic Server is automatically installed and serves as the default administration server. The Oracle WebLogic Server Administration Console is browser-based and is used, among other things, to manage the embedded directory server.

Note that when you configure Oracle Business Intelligence, the initial security configuration uses the embedded WebLogic LDAP directory (the default authenticator) as the Identity Store. However, whereas in 11g the BI installation seeded some specific users and groups into this LDAP directory, in 12c we no longer seed default BI groups into this directory. Consequently, if your application expects LDAP groups such as BIConsumers, BIContentAuthors and BIServiceAdministrators to exist in the Identity Store, then after the initial BI configuration has finished you must either add these groups manually or configure the domain to use a different Identity Store where these groups are already provisioned.
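The manual group creation described above can also be scripted with WLST rather than done through the console. The script below is an added example, not part of the Oracle documentation; the connection URL, the provider name DefaultAuthenticator, and the group descriptions are assumptions, and only the three group names come from this page.

```python
# Added example: WLST (Jython) script that creates the BI groups named on this
# page in the embedded WebLogic LDAP only when they are missing.
# Run it with wlst.sh; it is safe to run repeatedly.

# Group names come from the page; the descriptions are constructed.
BI_GROUPS = [
    ("BIConsumers", "Consumers of BI content"),
    ("BIContentAuthors", "Authors of BI content"),
    ("BIServiceAdministrators", "Administrators of the BI service"),
]

ADMIN_URL = "t3://localhost:9500"  # assumption: local Administration Server, default port
PROVIDER = "DefaultAuthenticator"  # assumption: default authenticator keeps its default name


def ensure_groups(authenticator, groups):
    """Create every (name, description) group the authenticator lacks.

    Returns (created, already_present) as two lists of group names.
    """
    created = []
    present = []
    for name, description in groups:
        if authenticator.groupExists(name):
            present.append(name)
        else:
            authenticator.createGroup(name, description)
            created.append(name)
    return created, present


# WLST runs scripts with __name__ set to "main".
if __name__ == "main":
    connect(url=ADMIN_URL)  # assumption: WLST prompts for the admin credentials
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider(PROVIDER)
    if atn is None:
        raise RuntimeError("authentication provider not found: " + PROVIDER)
    created, present = ensure_groups(atn, BI_GROUPS)
    print("created: " + ", ".join(created))
    print("already present: " + ", ".join(present))
    disconnect()
```

Because the credentials are prompted for rather than stored in the script, the file can be kept in version control without exposing the administrator password.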

You launch the Oracle WebLogic Server Administration Console by entering its URL into a web browser. The default URL takes the following form: http://hostname:port_number/console. The port number is the same as used for the Administration server; 9500 is the default port. For more information about using the Oracle WebLogic Server Administration Console, see Oracle WebLogic Server Administration Console Online Help.

To log in to the Oracle WebLogic Server Administration Console:

  1. Display the Oracle WebLogic Server login page by entering its URL into a web browser.
  2. Log in using the Oracle Business Intelligence administrative user and password credentials and click Login.

    The user name and password were supplied during the installation of Oracle Business Intelligence. If these values have since been changed, then use the current administrative user name and password combination.

    The Administration Console displays.

  3. Use the tabs and options in the Domain Structure as required to configure users, groups, and other options.

Note:

If you use an alternative authentication provider, such as Oracle Internet Directory, instead of the default WebLogic LDAP Server, then you must use the alternative authentication provider's administration application (for example, an administration console) to manage users and groups.

Using Oracle Fusion Middleware Control

Fusion Middleware Control is a web browser-based graphical user interface that enables you to administer a collection of components.

The components consist of Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters, and the Fusion Middleware Control components that are installed, configured, and running in the domain. During configuration of Oracle Business Intelligence an Oracle WebLogic Server domain is created and Oracle Business Intelligence is configured into that domain. The domain is named bi (in Enterprise installations), and is found under the WebLogic Domain folder in the Fusion Middleware Control navigation pane.

You use Oracle Fusion Middleware Control to manage Oracle Business Intelligence security as follows:

  • Manage the application roles and application policies that control access to Oracle Business Intelligence resources.
  • Configure multiple authentication providers for Oracle Business Intelligence.

To log in to Fusion Middleware Control, open a web browser and enter the Fusion Middleware Control URL, in the following format:

http://hostname.domain:port/em

The port number is the number of the Administration Server, and the default port number is 9500.

For more information about using Fusion Middleware Control, see Administering Oracle Fusion Middleware.

To use Fusion Middleware Control:

  1. Enter the URL in a web browser. For example:
    http://host1.example.com:9500/em
    

    The Fusion Middleware Control login page is displayed, as shown in the screen below.

  2. Enter the system administrator user name and password and click Login.

    This system-wide administration user name and password were specified during the installation process, and you can use them to log in to Oracle WebLogic Server Administration Console, Fusion Middleware Control, and Oracle Business Intelligence.

    Alternatively, enter any other user name and password that has been granted the WebLogic Global Admin role.

    Fusion Middleware Control opens, as shown in the screen below.

  3. From the main page, click the target navigation icon in the top left of the page, then expand the Business Intelligence folder.
  4. Select biinstance to display pages specific to Oracle Business Intelligence.
  5. Manage Oracle Business Intelligence security using Fusion Middleware Control as follows:

Using Oracle BI Administration Tool

You use the Oracle BI Administration Tool to configure permissions for users and application roles against objects in the metadata repository.

To use the Administration Tool:

  1. Log in to the Administration Tool.

    Note:

    If you log in to the Administration Tool in online mode, then you can view all users from the WebLogic Server. If you log in to the Administration Tool in offline mode, then you can only view references to users that have previously been assigned metadata repository permissions directly in the RPD. Please note that best practice is to assign metadata repository permissions to application roles rather than directly to users.

  2. (Optional) Select Manage, then Identity to display the Identity Manager dialog.

    The screen below shows the Identity dialog.

    If you double-click an application role to display the Application Role <Name> dialog, then click Permissions, you can use the Object Permissions tab to view or configure (in the repository) the Read and Write permissions for that application role, in relation to objects and folders in the Oracle BI Presentation Catalog.

  3. Close Identity Manager.
  4. In the Presentation pane, expand a folder, then right-click an object to display the Presentation Table <Table name> dialog.
  5. Click Permissions to display the Permissions <Table name> dialog.

    The screen below shows users and some application roles and the radio buttons Read, Read/Write, No Access, and Default that you use to set the permissions for the application roles.

Using Presentation Services Administration Page

You use the Presentation Services Administration page to configure user privileges.

To use the Presentation Services Administration page:

  1. Log in to Oracle Business Intelligence with Administrator privileges.
  2. Select the Administration link to display the Administration page.
  3. Select the Manage Privileges link.

    The screen below shows application roles listed against the privileges to which they are assigned.

  4. Select a link (for example BIContentAuthor) for a particular privilege (for example, Access to KPI Builder), to display the Privilege <Privilege name> dialog.
  5. Click the Add users/roles icon (+) to display the Add Application Roles and Users dialog.

    Use this dialog to assign application roles (for example, BIServiceAdministrator, BIContentAuthor, and BIConsumer) to this privilege.

    Note:

    Best practice is to assign Presentation Services permissions to application roles rather than directly to users.