Enabling Users to Perform Specific Actions in Essbase and Associated Tools

You enable users to perform specific actions in Essbase and associated tools (for example, read and write, use calculations, use filters, use specific filters) by granting resource permission definitions to application roles.

Appropriate resource permissions must be defined first (see Configuring Data-Level Security Using Essbase Filters and Configuring Access to Essbase Calculations). Resource permissions contain definitions of Essbase actions that a user can perform in an Essbase application. Essbase actions are derived from Essbase resource types, which are linked to resource permissions.

Resources are hierarchical; therefore global, cluster, and application level resources are listed.

Note:

The Essbase actions described here are not the same as actions in Oracle Business Intelligence.

The installation process grants default Essbase resource permissions to existing application roles in Oracle Business Intelligence.

For more details about the default Essbase resource permissions configured by default when you install Essbase with Oracle Business Intelligence, see Resource Permissions Reference for Essbase and Associated Tools.

Note:

The BIConsumer application role is granted to all users, and has oracle.essbase.server /EssbaseCluster-1 access and oracle.essbase.application /EssbaseCluster-1 user_filter. This gives all users access to Essbase by default.

Note:

Resource permissions are stored by default in a file-based shared policy store, but you can reassociate them to an OID LDAP shared policy store. SeeUsing Alternative Authentication Providers in Security Guide for Oracle Business Intelligence Enterprise Edition.

Note:

Parent roles inherit permission grants through child group or role members. Permission grants are cumulative; for example, a user who has a grant of oracle.essbase (filter) through an application role but not granted through another role, is still considered to have the oracle.essbase (filter) role.

Use the following steps to grant resource permissions to users and application roles.

1. If you are granting resource permission definitions to Essbase filters or Essbase calculations, then the filters or calculations must already exist.
   If they do not exist, then follow one of these links:

   • Configuring Resource Permission Definitions for Essbase Filters
   • Configuring Resource Permission Definitions for Essbase Calculations
2. Log in to Oracle Fusion Middleware.
   See Logging into Fusion Middleware Control to Manage Oracle Business Intelligence.
3. Select Business Intelligence, then coreapplication.
4. From the Business Intelligence Instance menu (or right-click coreapplication), select Security and Application Policies.
5. Select the obi Application Stripe.
6. Select a Principal Type and click Search to display a list of application roles.

   Best practice is to assign permissions to application roles.

   This search returns only principals that already have policies or permissions assigned. If you have a new application role that does not have any permissions yet, then you must click Create or Create Like.

   Note:

   Non-Essbase permissions might also be displayed for the selected principal.

7. Click Create to display the Create Application Grant page.
8. Click Add in the Grantee section, to add an application role.
9. Select Application Role from the Type list and click the Search arrow.
10. Click OK.
11. Click Add in the Permissions section to display the Add Permission page.
12. Click Resource Types and select an appropriate resource type from the list.
    For example, select oracle.essbase.application.
13. Click the Search Arrow button to confirm your selection.

    Note:

    There is no synchronization between the filters or applications created in EAS and the list returned in the policy store. Therefore, you must manually enter the Resource Name in the following steps the first time that you provision a particular resource (server, application, filter or calculation).

14. Click Continue to display the Add Permission page.
15. Enter appropriate information into the Resource Name and Resource Type fields.

    For example, to configure access permissions to use any filters within the Demo application, enter the following information:

    Resource Type - oracle.essbase.application

    Resource Name - /EssbaseCluster-1/Demo

    Permission Actions - use_filter

    For more examples of what to enter in the Resource Type, Resource Name, and Permission Actions fields when you grant resource permissions to filters or calculations, see the following:

    • Configuring Resource Permission Definitions for Essbase Filters
    • Configuring Resource Permission Definitions for Essbase Calculations

    Note:

    You can also manually enter permission actions for the resource into the Permission Actions field. Essbase actions are hierarchical, such that actions higher in the list include the lower members. For example, selecting read grants read and restart permissions to the /EssbaseCluster-1/Demo Essbase application.

16. Click Select.
17. Click OK.