Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents and Other Resources
System Requirements and Certification
Conventions
New Features in Oracle Business Intelligence Security
New Features for 12c (12.2.1.2.0)
New Features for 12c (12.2.1.1.0)
New Features for 12c (12.2.1.0)
1 Introduction to Security in Oracle Business Intelligence
High-Level Roadmap for Setting Up Security in Oracle Business Intelligence
Overview of Security in Oracle Business Intelligence
About Authentication
About Authorization
About Application Roles
About the Security Policy
About Users, Groups, and Application Roles
Using Tools to Configure Security in Oracle Business Intelligence
Using Oracle WebLogic Server Administration Console
Using Oracle Fusion Middleware Control
Using Oracle BI Administration Tool
Using Presentation Services Administration Page
Process for Setting Up Security in Oracle Business Intelligence
Comparing the Oracle Business Intelligence 11g and 12c Security Models
Terminology
2 Managing Security Using a Default Security Configuration
Working with Users, Groups, and Application Roles
An Example Security Setup of Users, Groups, and Application Roles
Managing Users and Groups in the Embedded WebLogic LDAP Server
Assigning a User to a New Group, and a New Application Role
Creating a New User in the Embedded WebLogic LDAP Server
Creating a New Group in the Embedded WebLogic LDAP Server
Assigning a User to a Group in the Embedded WebLogic LDAP Server
Deleting a User
Changing a User Password in the Embedded WebLogic LDAP Server
Managing Application Roles and Application Policies Using Fusion Middleware Control
Displaying Application Policies and Application Roles Using Fusion Middleware Control
Creating and Deleting Application Roles Using Fusion Middleware Control
Creating Application Roles
Creating Application Roles From Existing Roles
Assigning a Group to an Application Role
Deleting Application Roles
Creating Application Policies Using Fusion Middleware Control
Modifying Application Roles Using Fusion Middleware Control
Adding or Removing Permission Grants from an Application Role
Adding or Removing Members from an Application Role
Renaming an Application Role
Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
Setting Metadata Repository Privileges for an Application Role
Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic
Managing Presentation Services Privileges Using Application Roles
Setting Presentation Services Privileges for Application Roles
Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic
Managing Data Source Access Permissions Using BI Publisher
Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store
Using runcat to Manage Security Tasks in the Oracle BI Presentation Catalog
3 Using Alternative Authentication Providers
Introduction
High-Level Steps for Configuring an Alternative Authentication Provider
Setting Up Groups and Users in the Alternative Authentication Provider
Configuring Oracle Business Intelligence to Use Alternative Authentication Providers
Reconfiguring Oracle Internet Directory as an Authentication Provider
Oracle Internet Directory Authenticator Provider Specific Reference
Reconfiguring Microsoft Active Directory as the Authentication Provider
Configuring User and Group Name Attributes in the Identity Store
Configuring User Name Attributes
Configuring Group Name Attributes
Configuring LDAP as the Authentication Provider and Storing Groups in a Database
Prerequisites
Creating a Sample Schema for Groups and Group Members
Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console
Configuring Oracle Internet Directory as the Primary Identity Store for Authentication Using Oracle WebLogic Server
Installing the BISQLGroupProvider
Configuring the Data Source Using Oracle WebLogic Server Administration Console
Configuring the BISQLGroupProvider SQL Authenticator
Configuring the Virtualized Identity Store
Enabling Virtualization by Configuring the Identity Store
Configuring SSL Against LDAP
Configuring a Database Adaptor to Retrieve Group Information
Testing the Configuration by Adding a Database Group to an Application Role
Correcting Errors in the Adaptors
Configuring a Database as the Authentication Provider
Introduction and Prerequisites
Creating a Sample Schema for Users and Groups
Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console
Configuring a Data Source Using the Oracle WebLogic Server Administration Console
Configuring a SQL Authenticator Using the Oracle WebLogic Server Administration Console
SQL Authenticator Select Statement Reference
Configuring the Default Authenticator Control Flag
Reordering Authentication Providers
Configuring the Virtualized Identity Store
Configuring a Database Adaptor
Troubleshooting the SQL Authenticator
Adding a User to the Global Admin Role Using the Oracle WebLogic Server Administration Console
An Incorrect Data Source Name is Specified for the SQLAuthenticator
Incorrect SQL Queries
Correcting Database Adapter Errors by Deleting and Recreating the Adapter
Configuring Identity Store Virtualization Using Fusion Middleware Control
Configuring Multiple Authentication Providers
Setting the JAAS Control Flag Option
Configuring a Single LDAP Authentication Provider as the Authenticator
Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator
Task 1 - Enable Backup and Recovery
Task 2 - Configure the System to use WebLogic Server and an Alternative Authentication Provider
Task 3 - Identify or Create Essential Users Required in OID LDAP
Task 4 - Associate OID LDAP Groups with Global Roles in the WebLogic Console
Task 5 - Set User to Group Membership in OID LDAP
Task 6 - Remove the Default Authenticator
Task 7 - Restart the BI Services
Task 8 - Remove WebLogic Server Roles
Task 9 - Stop Alternative Methods of Authentication
Troubleshooting
Resetting the BI System User Credential
4 Enabling SSO Authentication
SSO Configuration Tasks for Oracle Business Intelligence
Understanding SSO Authentication and Oracle Business Intelligence
SSO Implementation Considerations
Configuring SSO in an Oracle Access Manager Environment
Configuring a New Authenticator for Oracle WebLogic Server
Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server
Configuring Custom SSO Environments
Configuring SSO With SmartView
Enabling Oracle Business Intelligence to Use SSO Authentication
Enabling and Disabling SSO Authentication Using WLST Commands
Enabling SSO Authentication Using Fusion Middleware Control
Enabling the Online Catalog Manager to Connect
5 Configuring SSL in Oracle Business Intelligence
What is SSL?
Enabling End-to-End SSL
Configuring a Standard Non-SSL Oracle BI EE System
Configuring WebLogic SSL
Starting Only the Administration Server
Configuring HTTPS Ports
Configuring Internal WebLogic Server LDAP to Use LDAPs
Configuring Internal WebLogic Server LDAP Trust Store
Disabling HTTP
Restarting
Configuring OWSM to Use t3s
Restarting System
Enabling Oracle BI EE Internal SSL
Disabling Internal SSL
Exporting Trust and Identity for Clients
Configuring SSL for Clients
Exporting Client Certificates
Using SASchInvoke when BI Scheduler is SSL-Enabled
Configuring Oracle BI Job Manager
Connecting the Online Catalog Manager to Oracle BI Presentation Services
Configuring the Oracle BI Administration Tool to Communicate Over SSL
Configuring an ODBC DSN for Remote Client Access
Configuring Oracle BI Publisher to Communicate Over SSL
Checking Certificate Expiry
Replacing the Certificates
Update Certificates After Changing Listener Addresses
Adding New Servers
Enabling SSL in a Configuration Template Configured System
Manually Configuring SSL Cipher Suite
Configuring SSL Connections to External Systems
Configuring SSL for the SMTP Server Using Fusion Middleware Control
Configuring SSL when Using Multiple Authenticators
WebLogic Artifacts Reserved for Oracle BI EE Internal SSL Use
Enabling BI Composer to Launch in an SSL Environment
A Legacy Security Administration Options
Legacy Authentication Options
Setting Up LDAP Authentication Using Initialization Blocks
Setting Up an LDAP Server
Defining a USER Session Variable for LDAP Authentication
Setting the Logging Level
Setting Up External Table Authentication
About Oracle BI Delivers and External Initialization Block Authentication
Order of Authentication
Authenticating by Using a Custom Authenticator Plug-In
Managing Session Variables
Managing Server Sessions
Using the Session Manager
Alternative Authorization Options
Changes Affecting Security in Presentation Services
Setting Up Authorization Using Initialization Blocks
B Understanding the Default Security Configuration
About Securing Oracle Business Intelligence
About the Security Framework
Oracle Platform Security Services
Oracle WebLogic Server
Key Security Elements
Security Configuration Using the Sample Application
Default Authentication Provider
Policy Store Provider
Granting Permissions To Users Using Groups and Application Roles
Permission Inheritance and Role Hierarchy
Common Security Tasks After Installation
C Troubleshooting Security in Oracle Business Intelligence
Resolving User Login Authentication Failure Issues
Authentication Concepts
Authentication Defaults on Install
Using Oracle WebLogic Server Administration Console and Fusion Middleware Control to Configure Oracle Business Intelligence
WebLogic Domain and Log Locations
Oracle Business Intelligence Key Login User Accounts
WebLogic Server Administrator User Account
Oracle Business Intelligence Login Overview
Identifying Causes of User Login Authentication Failure
Resolving User Login Authentication Failures
Single User Cannot Log in to Oracle Business Intelligence
Is Login Failure the Result of User Error?
Is User Account Locked?
Users Cannot Log in to Oracle Business Intelligence Due to Misconfigured Authenticators
Have You Specified the Correct Authenticator for the Identity Store or LDAP Server?
Is the Authenticator for the LDAP Server Configured Correctly?
Users Cannot Log in to Oracle Business Intelligence When Oracle Web Services Manager is not Working
Database Issues - OWSM Cannot Retrieve Policies
OracleSystemUser Issues - OWSM Cannot Retrieve Policies
Users Cannot Log in to Oracle Business Intelligence - Is the External Identity Store Configured Correctly?
Users Can Log in With Any or No Password
Have Removed Default Authenticator and Cannot Start WebLogic Server
Resolving Inconsistencies with the Identity Store
User Is Deleted from the Identity Store
User Is Renamed in the Identity Store
Group Associated with User Name Does Not Exist in the Identity Store
Resolving Inconsistencies with the Policy Store
Application Role Was Deleted from the Policy Store
Application Role Is Renamed in the Policy Store
Resolving SSL Communication Problems
Resolving Custom SSO Environment Issues
Resolving RSS Feed Authentication When Using SSO
D Managing Security for Dashboards and Analyses
Managing Security for Users of Oracle BI Presentation Services
Security Settings in Oracle BI Presentation Services
What Are the Security Goals in Oracle BI Presentation Services?
How Are Permissions and Privileges Assigned to Users?
Using Oracle BI Presentation Services Administration Pages
Understanding the Administration Pages
Managing Presentation Services Privileges
What Are Presentation Services Privileges?
Default Presentation Services Privilege Assignments
Access to Oracle BI Enterprise Edition Actions
Access to Oracle BI for Microsoft Office Privilege
Save Content with HTML Markup Privilege
Identifying Privileges for KPIs, KPI Watchlists, and Scorecarding
Managing Sessions in Presentation Services
Determining a User's Privileges and Permissions in Oracle BI Presentation Services
Rules for Determining a User's Privileges or Permissions
Task 1 - Check for an explicit record for this user
Task 2 - Check for records for this user's Catalog groups (removed behavior for 10g backwards compatibility only)
Task 3 - Check records for this user's application roles
Task 4 - Fall back default behavior
Task 5 - No matching records at all
Example of Determining a User's Privileges with Application Roles
Example of Determining a User's Permissions with Application Roles
Example of Determining a User's Privileges with Removed Catalog Groups
Example of Determining a User's Permissions with Removed Catalog Groups
Providing Shared Dashboards for Users
Understanding the Catalog Structure for Shared Dashboards
Creating Shared Dashboards
Testing the Dashboards
Releasing Dashboards to the User Community
Controlling Access to Saved Customization Options in Dashboards
Overview of Saved Customizations in Dashboards
Administering Saved Customizations
Privileges for Saved Customizations
Permissions for Saved Customizations
Assigning Permissions to Dashboards
Assigning Permissions for Customizations on a Dashboard Page
Catalog Folder Structure for Saved Customizations
Permission and Privilege Settings for Creating Saved Customizations
Example Usage Scenario for Saved Customization Administration
Enabling Users to Act for Others
Why Enable Users to Act for Others?
What Are the Proxy Levels?
Process of Enabling Users to Act for Others
Defining the Association Between Proxy Users and Target Users
Creating Session Variables for Proxy Functionality
Modifying the Configuration File Settings for Proxy Functionality
Creating a Custom Message Template for Proxy Functionality