Object Permissions

You can set up object permissions in your repository to control access to Presentation layer and Business Model and Mapping layer objects.

You set object permissions using the Oracle BI Administration Tool.

To set up object permissions:

  • Set the data access for specific application roles.

  • Specify functional groups when multiple application roles have different levels of access to the same object.

  • Select individual objects in the Presentation layer.

Set up object permissions for application roles when you want to define data access permissions for a set of objects that are common to users assigned the specific application role. You should set up object permissions for specific application roles rather than for individual users to simplify data access management.

The following image shows how object permissions can restrict users from viewing specific repository objects. Security rules are applied to all incoming client queries and cannot be breached, even when the Logical SQL query is modified. In this example, the Administrator application role has been granted access to the Booked Amount column, allowing the Administrator to view the returned results. The user, Anne Green, who is not a member of an application role with access to the Booked Amount column, cannot see the column in the Subject Area pane of Oracle BI Answers. Even if the query is modified, no results are returned for the Booked Amount column because of the application role-based object permissions that have been set.

  • If an application role has permissions on an object from multiple sources, for example, explicitly and through one or more additional application roles, the permissions are applied based on the order of precedence.

  • If you explicitly deny access to an object that has child objects, users who are members of the individual application role are denied access to the child objects. For example, if you explicitly deny access to a particular logical table, you are implicitly denying access to all of the logical columns associated with that table.

  • Object permissions do not apply to repository and session variables, so values in these variables are not secure. Anyone who knows or can guess the name of the variable can use it in an expression in Oracle BI Answers or in a Logical SQL query. Do not put sensitive data like passwords in session or repository variables.

  • You can control the level of privilege that is granted by default to the AuthenticatedUser application role. The AuthenticatedUser is the default application role associated with new repository objects.

    The AuthenticatedUser application role means any authenticated user. The AuthenticatedUser application role is internal to the Oracle BI Repository. The AuthenticatedUser application role appears in the Permissions dialog for connection pools and Presentation layer objects. The AuthenticatedUser does not appear in the list of application roles in the Identity Manager.

    Update the DEFAULT_PRIVILEGES parameter in the NQSConfig.INI file. See Security Section Parameters in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.