Managing Application Roles and Application Policies Using Fusion Middleware Control

Application roles and application policies provide permissions for users and groups.

See Administering Oracle Fusion Middleware:

Tip:

After creating a new service instance or importing a BI application archive (BAR) file into a service instance, you should first check the security policy in the service instance to ensure that the users and groups from your Identity Store are mapped correctly to the application roles defined in the service instance. Each BI application archive file can contain its own security policy. Therefore it is good practice to check the security policy on your service instance after importing a BI application archive file.

Typically a BI application archive file that contains the BI metadata for an application will contain pre-defined application roles that can be used to provision users with permission to use BI functionality and access BI folders, analyses, subject areas etc. For example, the sample application contains the sample application roles BIConsumer, BIContentAuthor and BIServiceAdministrator. In order to provision users with permissions and privileges, you map users and (where possible) groups from the Identity Store (usually an LDAP directory) to the defined application roles. You use Oracle Enterprise Manager Fusion Middleware Control or Oracle WebLogic Scripting Tool (WLST) to perform this task.

If you want to create a more complex or fine grained security model, you might create your own application roles and application policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new application role called BIContentMarketing, and provide it with appropriate privileges.

To set up the application roles that you want to deploy, do the following:

Displaying Application Policies and Application Roles Using Fusion Middleware Control

This section explains how to use Fusion Middleware Control to access the pages that manage application roles and application policies.

  1. Log in to Fusion Middleware Control.
  2. Select the Target Navigation icon to open the navigation pane.
  3. From the navigation pane expand the Business Intelligence folder and select biinstance.
  4. Choose one of the following options:
    • Right-click biinstance and choose Security from the menu, then Application Policies or Application Roles.

    • Alternatively from the content pane, click Business Intelligence Instance to display a menu, then choose Security, and Application Policies or Application Roles.

      Other Fusion Middleware Control Security menu options are not available from these menus.

  5. (Optional) As an alternative to Steps 3 and 4, expand the WebLogic Domain folder and right-click the domain name.
  6. Choose Application Policies or Application Roles to display either the Application Policies page or the Application Roles page.
    • If the obi application stripe is displayed by default

      Oracle Business Intelligence policies or roles are displayed.

    • If the obi application stripe is not displayed by default

      You must search using the obi application stripe to display Oracle Business Intelligence policies or roles.

    The screen below shows the Application Policies page.

    The screen below shows the Application Roles page.

Creating and Deleting Application Roles Using Fusion Middleware Control

This section explains how to work with application roles, and how to create, delete, and manage application roles using Fusion Middleware Control.

In a new Oracle Business Intelligence deployment, you typically create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment based on either the sample application or the starter application might include three application roles: BIConsumer, BIContentAuthor, and BIServiceAdministrator. As a BI system administrator or service administrator, you should not change the application roles or the permission sets assigned to the application roles that have been delivered in a BAR file.

Oracle Business Intelligence application roles represent a role that a user has. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. The administrator of a service instance can create and modify application roles in your service instance. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to application roles.

Before creating a new application role and adding it to your Oracle Business Intelligence service instance, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. See Granting Permissions To Users Using Groups and Application Roles.

See Managing the Policy Store in Securing Applications with Oracle Platform Security Services.

See Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic.

Creating Application Roles

In Fusion Middleware Control, you can create application roles using these steps.

You can add members at the same time, or you can name and save the new role and at another time, add members. See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.

You can also create application roles by copying an existing role; see Creating Application Roles From Existing Roles.

Valid members of an application role are users, groups, and other application roles.

Membership for an application role is controlled using the Application Roles page in Fusion Middleware Control.

The permission and permission set grant definitions are set in the application policy, then the application policy is granted to the application role, see Creating Application Policies Using Fusion Middleware Control. Permission and permission set grants are controlled in the Application Policies page in Fusion Middleware Control.

  1. Log in to Fusion Middleware Control, and select the Application Roles page.
  2. In Application Roles, verify that the value in the Application Stripe field is obi, and click the search icon next to Role Name.
  3. Click Create.
  4. In the Application Role page, in Role Name, type a name for the application role without invalid special characters and spaces.
  5. In Display Name, type the name for the application role that displays in the user interface.
  6. (Optional) In Description, type an explanation of the use of the application role.
  7. In the Members section, click Add.
  8. In Add Principal, from the Type list, select Application Role, Group, or Users.
  9. (Optional) In the Principal Name and Display Name fields, enter search criteria, and click Search.
  10. In the Searched Principals, select a result, and click OK.

Creating Application Roles From Existing Roles

There are two methods for creating a new application role:

  • Create a new application role and add members to it, as described in Creating Application Roles.
  • Create an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as the original. Modifications can be made as needed to the copy to further customize the new application role.

See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. From the Application Stripe list, select obi.
  3. Click the search icon next to Role Name.
  4. Select the application role you want to copy from the list.
  5. Click Create Like.
  6. In the General section, in Role Name, type the name of the application role without using any invalid characters or spaces.
  7. (Optional) In Display Name, type the display name for the application role.
  8. (Optional) In Description, type a description for the use of the application role.
  9. In the Members section, click Add.

    The Members section displays the same application roles, groups, or users that are assigned to the original role.

  10. In Add Principal, from the Type list, select an Application Role, Group, or Users.
  11. (Optional) In the Principal Name and Display Name fields, type your search criteria, and click Search.
  12. In Searched Principals, select a result, and click OK.
  13. Modify the members as appropriate, and click OK.

Assigning a Group to an Application Role

You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.
  3. Select an application role in the list and click Edit to display the Edit Application Role dialog, and complete the fields as follows:

    In the General section:

    • Role Name - The name of the application role, this field is read only.
    • Display Name - The display name for the application role.
    • Description - A description for the application role.
  4. In the Members section, click Add to add the group that you want to assign to the Roles list.

    For example, if a group for marketing report consumers named BIMarketingGroup requires an application role called BIConsumerMarketing, then add the group named BIMarketingGroup to the Roles list.

  5. Click OK to return to the Application Roles page.

Deleting Application Roles

You must not delete an application role without first consulting your system administrator.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. Select the application role you want to delete.
  3. Click Delete, then click Yes, to confirm deletion of the application role.

Creating Application Policies Using Fusion Middleware Control

You can create application policies based on the default application policies, or you can create your own application policies.

Application policies do not apply privileges to the metadata repository or Oracle BI Presentation Catalog objects and functionality.

All Oracle Business Intelligence permissions and permission sets are provided as part of the installation and you cannot create new permissions. The application policy is the mechanism that defines the permission set and permission grants. Permission set and permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission set and permission grants are defined in an application policy. An application role, user, or group is then assigned to an application policy. This process makes the application role a grantee of the application policy.
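The following is an added example, not Oracle code and not the OPSS policy store or its WLST API. It is a constructed in-memory model of the mechanism just described (roles with user, group and role members; policies that grant permissions and permission sets to grantee roles), and it also covers two points made elsewhere on this page: the circular-dependency check that Creating and Deleting Application Roles warns about when building a role hierarchy, and the Create Like copy described in Creating Application Roles From Existing Roles (same members, grantee of the same policies). The role names BIConsumer, BIContentAuthor and BIServiceAdministrator come from the page; the group names, the permission strings and the permission set names are constructed for the example and are not real Oracle Business Intelligence identifiers.

```python
"""Constructed model of application roles, policies and permission sets.

Illustrative only: this is not Oracle's policy store or its WLST commands.
"""
from collections import deque


class PolicyStoreError(Exception):
    """Raised when an operation would corrupt the role hierarchy."""


class AppStripe:
    """One application stripe (for example 'obi') holding roles and policies."""

    def __init__(self, name):
        self.name = name
        # role name -> set of members; a member is ("user"|"group"|"role", name)
        self.roles = {}
        # policy name -> {"grantees": set of role names,
        #                 "permissions": set, "permission_sets": set}
        self.policies = {}
        # permission set (entitlement) name -> set of permission strings
        self.permission_sets = {}

    def create_app_role(self, role):
        if role in self.roles:
            raise PolicyStoreError("role exists: " + role)
        self.roles[role] = set()

    def _reachable_roles(self, start):
        """Roles reachable from `start` by following member edges downwards."""
        seen, queue = set(), deque([start])
        while queue:
            current = queue.popleft()
            for kind, name in self.roles.get(current, ()):
                if kind == "role" and name not in seen:
                    seen.add(name)
                    queue.append(name)
        return seen

    def would_be_circular(self, role, member_role):
        """True if making `member_role` a member of `role` closes a cycle.

        A member role inherits from its parent, so if `role` is already
        reachable from `member_role`, the new edge would loop back on itself.
        """
        return member_role == role or role in self._reachable_roles(member_role)

    def grant_app_role(self, role, member):
        """Add a member to a role; refuse a role member that would form a cycle."""
        kind, name = member
        if role not in self.roles:
            raise PolicyStoreError("unknown role: " + role)
        if kind == "role":
            if name not in self.roles:
                raise PolicyStoreError("unknown member role: " + name)
            if self.would_be_circular(role, name):
                raise PolicyStoreError("circular dependency: %s -> %s" % (role, name))
        self.roles[role].add(member)

    def create_like(self, source, new_role):
        """Copy a role: same members, and grantee of the same policies."""
        self.create_app_role(new_role)
        self.roles[new_role] = set(self.roles[source])
        for policy in self.policies.values():
            if source in policy["grantees"]:
                policy["grantees"].add(new_role)

    def define_permission_set(self, name, permissions):
        self.permission_sets[name] = set(permissions)

    def create_policy(self, name, grantee_role, permissions=(), permission_sets=()):
        self.policies[name] = {"grantees": {grantee_role},
                               "permissions": set(permissions),
                               "permission_sets": set(permission_sets)}

    def effective_roles(self, principals):
        """Roles held directly by any principal, plus roles inherited through
        the hierarchy (a role whose member is a held role is held too)."""
        held = {r for r, members in self.roles.items()
                if any(p in members for p in principals)}
        queue = deque(held)
        while queue:
            child = queue.popleft()
            for parent, members in self.roles.items():
                if ("role", child) in members and parent not in held:
                    held.add(parent)
                    queue.append(parent)
        return held

    def effective_permissions(self, user, groups=()):
        """Union of permissions and expanded permission sets from every policy
        whose grantee is one of the roles the user holds."""
        principals = {("user", user)} | {("group", g) for g in groups}
        held = self.effective_roles(principals)
        perms = set()
        for policy in self.policies.values():
            if policy["grantees"] & held:
                perms |= policy["permissions"]
                for ps in policy["permission_sets"]:
                    perms |= self.permission_sets[ps]
        return perms


def build_sample_stripe():
    """Constructed 'obi' stripe using the sample role names from the text."""
    obi = AppStripe("obi")
    for role in ("BIConsumer", "BIContentAuthor", "BIServiceAdministrator"):
        obi.create_app_role(role)
    # Authors inherit consumer rights; administrators inherit author rights.
    obi.grant_app_role("BIConsumer", ("group", "BIConsumers"))       # constructed group
    obi.grant_app_role("BIConsumer", ("role", "BIContentAuthor"))
    obi.grant_app_role("BIContentAuthor", ("group", "BIAuthors"))    # constructed group
    obi.grant_app_role("BIContentAuthor", ("role", "BIServiceAdministrator"))
    obi.grant_app_role("BIServiceAdministrator", ("user", "weblogic"))
    # Constructed permission strings; real OBI permission names differ.
    obi.define_permission_set("consume", {"catalog.read", "analysis.run"})
    obi.define_permission_set("author", {"catalog.write", "analysis.create"})
    obi.create_policy("BIConsumer", "BIConsumer", permission_sets={"consume"})
    obi.create_policy("BIContentAuthor", "BIContentAuthor", permission_sets={"author"})
    obi.create_policy("BIServiceAdministrator", "BIServiceAdministrator",
                      permissions={"admin.manage"})
    return obi
```

With the sample stripe, a user in the constructed BIAuthors group holds BIContentAuthor directly and BIConsumer by inheritance, so both permission sets apply; an attempt to make BIConsumer a member of BIServiceAdministrator is rejected because BIServiceAdministrator is already reachable from BIConsumer through the hierarchy. Copying BIContentAuthor with create_like gives the new role (for example BIContentMarketing) the same members and the same policy grants, ready to be trimmed as the page describes.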

There are two methods for creating a new application policy:

  • Create a new application policy and add permissions to the policy.
  • Create new application policy by copying an existing application policy. The copy is named and existing permissions are removed or permissions are added.

    Note:

    Oracle Business Intelligence 12c makes use of permission sets as well as permissions. A permission set is a collection of permissions. It is also known as an entitlement. All of the permissions available with BI 12c are grouped into permission sets. When either the sample or starter application is imported into a service instance you will see the permission sets that have been assigned to the application roles. When an 11g upgrade bundle is imported into a service instance you will see the permissions from your 11g system, supplemented by new permission sets assigned to the migrated application roles.

    Note:

    Fusion Middleware Control only allows you to view permission set grants. It does not allow you to change the permission set grants against an application role. Fusion Middleware Control does allow you to modify permission grants against application roles. In 12c, if you need to update permission set grants against an application role you need to use the WLST command line, see Managing Application Policies with WLST Commands in Securing Applications with Oracle Platform Security Services.

See Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.

  1. Log in to Fusion Middleware Control, and display the Application Policies page.
  2. Select obi from the Application Stripe list, then click the search icon next to Name.
    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.
  3. Click Create to display the Create Application Grant page.
  4. To add permissions to the policy being created, click Add in the Permissions area to display the Add Permission dialog.
    • Complete the Search area and click the blue search button next to the Resource Name field.
    • Select the desired Oracle Business Intelligence permission and click Continue.
    • Modify permission details if required in the Customize page, then click Select to add the permission.

      You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

    • Repeat until all desired permissions are selected.

      Selecting non-Oracle Business Intelligence permissions has no effect in the policy.

    • To remove a permission, select it and click Delete.
  5. To add an application role, group, or user to the policy being created, click Add in the Grantee area to display the Add Principal page.
    • Complete the Search area and click the blue search button next to the Display Name field.
    • Select a principal from the Searched Principals list.
    • Click OK to display the Create Application Grant page.
    • Click OK.

    You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the tables.

You can also create an application policy based on an existing one.

  1. Log in to Fusion Middleware Control, and display the Application Policies page.
  2. Select obi from the Application Stripe list, then click the search icon next to Name.

    The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

  3. Select an existing policy from the table.
    The following screen shows the BIContentAuthor Principal selected with the Create Like button activated, which is used as an example in this procedure.
  4. Click Create Like to display the Create Application Grant Like page. The Permissions table automatically displays permissions granted by the policy selected.
    The following screen shows the Create Application Grant Like dialog after the BIContentAuthor policy has been selected. Note that the Permissions section displays the permission grants for the BIContentAuthor policy.
  5. To remove an item, select it and click Delete.
  6. To add application roles to the policy, click Add Application Role in the Grantee area to display the Add Application Role dialog.

Modifying Application Roles Using Fusion Middleware Control

You can modify an application role by changing the permission grants of the application policy of which it is a grantee, by changing its members, or by renaming or deleting the application role, as follows:

See Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.

Adding or Removing Permission Grants from an Application Role

Use this procedure to change the permission grants for an application role by adding or removing the permission grants for the application policy which the application role is a grantee of.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

Whether or not the obi stripe is pre-selected and the application policies are displayed depends on the method used to navigate to the Application Policies page.

  1. Log in to Fusion Middleware Control, and display the Application Policies page.
  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.
  3. Select the application role from the Principal column and click Edit.
  4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

Adding or Removing Members from an Application Role

You can add or delete members from an application role using Fusion Middleware Control.

You must perform these tasks in the WebLogic domain where Oracle Business Intelligence is installed, for example, in bifoundation_domain. Valid members of an application role are users, groups, or other application roles.

Assign groups instead of individual users to application roles as a best practice, and then assign users to the groups.

Note:

Be very careful when changing the permission grants and membership for the application role that is tagged as the administration application role, as changes to the permissions assigned to this application role could leave your system in an unusable state.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. If not already displayed, select Application Stripe and obi from the list, then click the search icon next to Role Name.
  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page.
  4. To delete a member, select the Name of the member to activate the Delete button, then click Delete.
  5. To add a member, click the Add button.
    1. Select Application Role, Group, or Users from the Type field list.
    2. (Optional) Enter search details into Principal Name and Display Name fields.
    3. Click Search.
    4. From the Searched Principals, make your selection from the results.
    5. Click OK.
  6. Click OK in the Edit Application Role page to return to the Application Roles page.

See Managing Application Roles in Securing Applications with Oracle Platform Security Services.

Renaming an Application Role

You cannot directly rename an existing application role; you can only update the display name. To rename an application role you must create a new application role (using the same application policies used for the deleted application role), and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.

To rename an application role in the catalog and the metadata repository use the renameAppRoles command, as described in Rename Application Role Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.