Default Security Configuration

Access control of system resources is achieved by requiring users to authenticate at login and by restricting users to only those resources for which they are authorized.

A default security configuration is available for immediate use after BI Publisher is installed and is configured to use the Oracle Fusion Middleware security model. BI Publisher is installed into the Oracle WebLogic Server domain and uses its security realm. The default configuration includes three predefined security stores available for managing user identities, credentials, and BI Publisher-specific permission grants. Users can be added to predefined groups that are mapped to preconfigured application roles. Each application role is preconfigured to grant specific BI Publisher permissions.

The BI Publisher default security stores are configured as described in the table below during installation.

Store Name: Identity store
  Purpose:
    • Used to control authentication.
    • Stores the users and groups, and the users' group memberships, in the Oracle WebLogic Server embedded directory server.
  Default Provider:
    • Oracle WebLogic Server embedded directory server.
    • Managed with Oracle WebLogic Server Administration Console.
  Options:
    BI Publisher can be configured to use alternative authentication providers. For a complete list, see System Requirements and Certification.

Store Name: Policy store
  Purpose:
    • Used to control authorization.
    • Stores the application role definitions and the mapping definitions between groups and application roles.
  Default Provider:
    • system.jazn-data.xml file. Default installation location is MW_HOME/user_projects/domains/your_domain/config/fmwconfig
    • Managed with Oracle Enterprise Manager Fusion Middleware Control.
  Options:
    BI Publisher can be configured to use Oracle Internet Directory as the policy store provider.

Store Name: Credential store
  Purpose:
    • Stores the passwords and other security-related credentials, either supplied or system-generated.
  Default Provider:
    • cwallet.sso file.
    • Managed using Fusion Middleware Control.
  Options:
    BI Publisher can be configured to use Oracle Internet Directory as the credential store provider.

Both system.jazn-data.xml and cwallet.sso are ordinary files under the domain's fmwconfig directory. The first holds the complete authorization policy and the second holds credentials, so they should be protected with file system permissions as carefully as the administrative password itself.

Default Users and Groups

Default user and group names can be changed to different values and new names can be added by an administrative user using Oracle WebLogic Server Administration Console.

The table below lists the default user names and passwords added to the BI Publisher identity store provider after installation.

Name: administrator user
Password: user supplied
Purpose: the administrative user.
Description:
  This user name is entered by the person performing the installation; it can be any desired name and does not need to be Administrator.

  The password entered during installation can be changed later using the administration interface for the identity store provider.

  This single administrative user is shared by BI Publisher and Oracle WebLogic Server. It is automatically made a member of the Oracle WebLogic Server default Administrators group after installation, which enables it to perform all Oracle WebLogic Server administration tasks, including managing Oracle WebLogic Server's embedded directory server. Because this account therefore administers the whole WebLogic domain and not only BI Publisher, anyone holding its password also controls the identity store; restrict and audit its use accordingly.

No default groups are created during the installation of BI Publisher.

Default Application Roles and Permissions

Permissions in BI Publisher are granted by specific application roles. Permissions can also be inherited from group and application role hierarchies; for more information about permission inheritance, see Permission Grants and Inheritance.

The table below lists the BI Publisher permissions and the default application role that grants each permission explicitly. This mapping exists in the default policy store.

BI Publisher Permission / Description / Default Application Role Granting the Permission Explicitly

oracle.bi.publisher.administerServer
  Description: Enables the Administration link to access the Administration page and grants permission to set any of the system settings.
  Important: See Granting the BIServiceAdministrator Role Catalog Permissions for additional steps required to grant the BIServiceAdministrator permissions on Shared Folders.
  Granted by: BIServiceAdministrator

oracle.bi.publisher.developDataModel
  Description: Grants permission to create or edit data models.
  Granted by: BIContentAuthor

oracle.bi.publisher.developReport
  Description: Grants permission to create or edit reports, style templates, and sub templates. This permission also enables connection to the BI Publisher server from the Template Builder.
  Granted by: BIContentAuthor

oracle.bi.publisher.runReportOnline
  Description: Grants permission to open (execute) reports and view the generated document in the report viewer.
  Granted by: BIConsumer

oracle.bi.publisher.scheduleReport
  Description: Grants permission to create or edit jobs and also to manage and browse jobs.
  Granted by: BIConsumer

oracle.bi.publisher.accessReportOutput
  Description: Grants permission to browse and manage job history and output.
  Granted by: BIConsumer

BIConsumer permissions granted implicitly
  The authenticated role is a member of the BIConsumer role by default and, as such, all authenticated role members are granted the permissions of the BIConsumer role implicitly.

Authenticated Role

The authenticated role is a special application role provided by the Oracle Fusion Middleware security model and is made available to any application deploying this security model. BI Publisher uses the authenticated application role to grant permissions implicitly, derived from the role and group hierarchy of which the authenticated role is a member. The authenticated role is a member of the BIConsumer role by default and, as such, all authenticated role members are granted the permissions of the BIConsumer role implicitly. By default, every authenticated user is automatically added to the BIConsumers group.

In practice this means that any account that can authenticate against the identity store, without being added to any group, can already run reports, schedule jobs, and browse job history and output. Review this default before connecting BI Publisher to a broad corporate directory as its authentication provider, and adjust the mapping of the authenticated role into BIConsumer if that audience is wider than intended.

The authenticated role is not stored in the obi application stripe and is not searchable in the BI Publisher policy store. However, it is displayed in the administrative interface for the policy store, is available in application role lists, and can be added as a member of another application role. You can map the authenticated role to another user, group, or application role, but you cannot remove the authenticated role itself. Removing it would make it impossible to log in to the system, and that right would then need to be granted explicitly.

For more information about the Oracle Fusion Middleware security model and the authenticated role, see Securing Applications with Oracle Platform Security Services.
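As an added worked example (not Oracle code and not part of this documentation), the following Python script models how the effective permissions described in the two sections above are resolved from the policy store. It parses a constructed, simplified jazn-data style fragment containing the three default application roles, the implicit authenticated-role membership in BIConsumer, a hypothetical BIServiceAdministrators group mapped to BIServiceAdministrator, and the explicit grants listed in the permissions table, then walks the role hierarchy (a member of a role inherits that role's grants) to compute what a given principal ends up with. The element layout is only an approximation of system.jazn-data.xml; the real file carries class elements and encodes permission names as resource strings, so the XPath expressions and the names baseline_for_any_login, without_authenticated_member and BIServiceAdministrators are assumptions to adapt before running this against an actual policy store.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

AUTHENTICATED_ROLE = "authenticated-role"

# Constructed sample (assumed, simplified jazn-data layout, not a real file).
# A member of a role inherits that role's grants, so BIServiceAdministrator is
# a member of BIContentAuthor, which is a member of BIConsumer, and the
# implicit authenticated-role is a member of BIConsumer. "BIServiceAdministrators"
# is a hypothetical group included only to show a group-to-role mapping.
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
  <name>obi</name>
  <app-roles>
    <app-role><name>BIConsumer</name><members>
      <member><name>authenticated-role</name></member>
      <member><name>BIContentAuthor</name></member></members></app-role>
    <app-role><name>BIContentAuthor</name><members>
      <member><name>BIServiceAdministrator</name></member></members></app-role>
    <app-role><name>BIServiceAdministrator</name><members>
      <member><name>BIServiceAdministrators</name></member></members></app-role>
  </app-roles>
  <jazn-policy>
    <grant><grantee><principals><principal><name>BIConsumer</name></principal></principals></grantee>
      <permissions>
        <permission><name>oracle.bi.publisher.runReportOnline</name></permission>
        <permission><name>oracle.bi.publisher.scheduleReport</name></permission>
        <permission><name>oracle.bi.publisher.accessReportOutput</name></permission>
      </permissions></grant>
    <grant><grantee><principals><principal><name>BIContentAuthor</name></principal></principals></grantee>
      <permissions>
        <permission><name>oracle.bi.publisher.developDataModel</name></permission>
        <permission><name>oracle.bi.publisher.developReport</name></permission>
      </permissions></grant>
    <grant><grantee><principals><principal><name>BIServiceAdministrator</name></principal></principals></grantee>
      <permissions>
        <permission><name>oracle.bi.publisher.administerServer</name></permission>
      </permissions></grant>
  </jazn-policy>
</application></applications></policy-store></jazn-data>
"""


def parse_policy(xml_text, stripe="obi"):
    """Return (parents, grants). parents maps a principal name to the roles it
    is a direct member of; grants maps a role name to its permission names."""
    root = ET.fromstring(xml_text)
    app = root.find(f"./policy-store/applications/application[name='{stripe}']")
    if app is None:
        raise ValueError(f"application stripe {stripe!r} not found")
    parents = defaultdict(set)
    for role in app.findall("./app-roles/app-role"):
        rname = role.findtext("name")
        for member in role.findall("./members/member"):
            parents[member.findtext("name")].add(rname)
    grants = defaultdict(set)
    for grant in app.findall("./jazn-policy/grant"):
        perms = {p.findtext("name") for p in grant.findall("./permissions/permission")}
        for principal in grant.findall("./grantee/principals/principal"):
            grants[principal.findtext("name")] |= perms
    return parents, grants


def reachable_roles(principals, parents):
    """Transitive closure: every role the principals belong to, directly or
    through the role hierarchy (membership is followed upward)."""
    seen, todo = set(principals), list(principals)
    while todo:
        p = todo.pop()
        for role in parents.get(p, ()):
            if role not in seen:
                seen.add(role)
                todo.append(role)
    return seen


def effective_permissions(user, groups, parents, grants, authenticated=True):
    """Union of the grants on every role reached via the user name, the user's
    groups and, for any logged-in user, the implicit authenticated-role."""
    start = {user, *groups}
    if authenticated:
        start.add(AUTHENTICATED_ROLE)
    return set().union(*(grants.get(r, set()) for r in reachable_roles(start, parents)))


def baseline_for_any_login(parents, grants):
    """What an account that can merely authenticate receives before any group
    membership: the check to run before widening the authentication provider."""
    return effective_permissions("<any-user>", [], parents, grants)


def without_authenticated_member(parents, role="BIConsumer"):
    """Model unmapping authenticated-role from a role's members (a mapping
    change, not removal of the authenticated role itself) on a copy."""
    trimmed = {p: set(rs) for p, rs in parents.items()}
    trimmed.get(AUTHENTICATED_ROLE, set()).discard(role)
    return trimmed


if __name__ == "__main__":
    parents, grants = parse_policy(SAMPLE_JAZN)
    print("any login:", sorted(baseline_for_any_login(parents, grants)))
    print("admin:", sorted(effective_permissions("admin", ["BIServiceAdministrators"], parents, grants)))
    print("login after unmapping:", sorted(effective_permissions(
        "jdoe", [], without_authenticated_member(parents), grants)))
```

Running the script shows that a bare login already holds runReportOnline, scheduleReport and accessReportOutput, that a member of the hypothetical BIServiceAdministrators group inherits all five permissions down the chain, and that unmapping authenticated-role from BIConsumer leaves an ungrouped login with nothing, which is why that right then has to be granted explicitly.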

Granting the BIServiceAdministrator Role Catalog Permissions

The BIServiceAdministrator role is granted only Read permissions on the catalog by default.

This means that before a BIServiceAdministrator can manage Shared Folders the BIServiceAdministrator role must be granted Write and Delete permissions on the Shared Folders node. See Granting Catalog Permissions for a detailed description of granting permissions in the catalog.