Alternative Authorization Options

For backward compatibility, this release supports the ability to set application role membership for users using initialization blocks, when authentication is also being performed by initialization blocks.

Note:

It is not possible to set application role membership using initialization blocks, when authentication is performed by Oracle Platform Security Services.

This section contains the following topics:

Changes Affecting Security in Presentation Services

If you have upgraded from a previous release, the best practice is to begin managing catalog privileges and catalog objects using application roles maintained in the policy store.

Oracle Business Intelligence uses the Oracle Fusion Middleware security model and its resources are protected by a role-based system. This has significance for upgrading users as the following security model changes affect privileges in the Oracle BI Presentation Catalog:

  • Authorization is now based on fine-grained JAAS permissions. Users are granted permissions by membership in corresponding application roles.

  • Users and groups are maintained in the identity store and are no longer maintained in the BI Server.

  • Privileges continue to be stored in the Oracle BI Presentation Catalog and cannot be accessed from the administrative interfaces used to manage the policy store.

  • The Everyone Catalog group is no longer available and has been replaced by the AuthenticatedUser application role. Members of the Everyone Catalog group automatically become members of the AuthenticatedUser role after upgrade.

Setting Up Authorization Using Initialization Blocks

Use these steps to set application role membership for users using initialization blocks.

  • Initialization blocks to set ROLES or GROUP session variables only function when the user fails to authenticate through an authenticator configured in the WebLogic security realm, and the user instead authenticates through an initialization block.

  • You must set up an initialization block to set the values of ROLES or GROUP, enabling the BI Server to make the values of both variables the same.

  • When using an initialization block to set ROLES or GROUP session variables, set the values of the variables to match by name against one or more application roles configured using Fusion Middleware Control, for example, BIConsumer. Users are assigned these application roles and associated permissions during authentication.

  • See Managing Application Roles and Application Policies Using Fusion Middleware Control.

  • When using initialization blocks to set ROLES or GROUP session variables, the association of groups to application roles is performed using the logic previously described. Assignment of groups to application roles in the policy store is not used in this case.

See Using Variables in the Oracle BI Repository in the Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

  1. Open a repository in the Administration Tool in either offline or online mode.
  2. Select Manage, then Variables from the Administration Tool menu.
  3. Select Session -> Initialization Blocks.
  4. Right-click in the right pane and select New Initialization Block.
  5. In Session Variable - Initialization, enter Authorization in the Name field.
  6. Click Edit Data Source.
  7. Select Database from the Data Source Type list.
  8. Enter the SQL statement that returns a list of groups, or a single group if row-wise initialization is not used.
  9. Click Browse to select a connection pool.
  10. Click Select.
  11. Click OK.
  12. Click OK.
  13. Click Edit Data Target.
  14. Click New.
  15. Enter ROLES in the Name field.
  16. Click OK.
  17. Click Yes to the warning message about the ROLES session variable having a special purpose.
  18. Click OK.
  19. Clear the Required for Authentication checkbox.
  20. Click OK.
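
A check for the name matching described above, written as an added example that is not part of the Oracle documentation: it runs a query of the kind entered in step 8 against a constructed table and reports values that match no application role, since such values grant no permissions. The table and column names, the sample users, the role names other than BIConsumer, and the exact string comparison are assumptions.

```python
import sqlite3

# Constructed application role names, standing in for those in the policy store.
# BIConsumer is the page's own example; the other two are sample values.
APPLICATION_ROLES = {"BIConsumer", "BIAuthor", "BIAdministrator"}

# Hypothetical query for step 8: one row per group for the given user.
# Table and column names are assumptions, not an Oracle BI schema.
GROUPS_SQL = "SELECT group_name FROM user_groups WHERE user_name = ? ORDER BY group_name"


def build_sample_db():
    """Create an in-memory table holding constructed user-to-group rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_groups (user_name TEXT, group_name TEXT)")
    db.executemany(
        "INSERT INTO user_groups VALUES (?, ?)",
        [
            ("alice", "BIConsumer"),
            ("alice", "BIAuthor"),
            ("bob", "biconsumer"),      # differs in case from the role name
            ("carol", "BI Consumers"),  # directory-style group name, not a role
        ],
    )
    return db


def audit_user(db, user):
    """Split the values returned for `user` into (matched, unmatched) lists."""
    values = [row[0] for row in db.execute(GROUPS_SQL, (user,))]
    matched = [v for v in values if v in APPLICATION_ROLES]
    unmatched = [v for v in values if v not in APPLICATION_ROLES]
    return matched, unmatched


def audit_all(db):
    """Return {user: unmatched values} for every user with a non-matching value."""
    users = db.execute("SELECT DISTINCT user_name FROM user_groups ORDER BY user_name")
    findings = {}
    for (user,) in users.fetchall():
        _, unmatched = audit_user(db, user)
        if unmatched:
            findings[user] = unmatched
    return findings


if __name__ == "__main__":
    for user, bad in audit_all(build_sample_db()).items():
        print(f"{user}: values with no matching application role: {bad}")
```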