Managing Authorization

After a user is authenticated, further access to BI Publisher resources is controlled by the granting of permissions, also known as authorization.

The policy store contains the system and application-specific policies and roles required for BI Publisher. A policy store can be file-based or LDAP-based and holds the mapping definitions between the default BI Publisher application roles, permissions, users and groups. BI Publisher permissions are granted by mapping users and groups from the identity store to application roles and permission grants located in the policy store. These mapping definitions between users and groups (identity store) and the application roles (policy store) are also kept in the policy store.

Note:

Best practice is to map groups instead of individual users to application roles. Controlling membership in a group reduces the complexity of tracking access rights for multiple individual users. Group membership is controlled in the identity store.

The system-jazn-data.xml file is installed and configured as the default policy store. You can continue to use the default store and modify it as needed for your environment, or you can migrate its data to an LDAP-based provider. Oracle Internet Directory is the supported LDAP server in this release.

The policy store and credential store must be of the same type in your environment. That is, both must be either file-based or LDAP-based.

Permissions must be defined in a manner that BI Publisher understands. All valid BI Publisher permissions are premapped to application policies, which are in turn premapped to the default application roles. You cannot create new permissions in the policy store. However, you can customize the default application policy permission grants and application role mappings and you can create your own.

For more information about the default BI Publisher permissions grants, see Default Application Roles and Permissions. For more information about customizing application roles and permission grants, see Customizing the Policy Store.

Accessing Oracle Enterprise Manager Fusion Middleware Control

Fusion Middleware Control is a Web browser-based, graphical user interface that you can use to monitor and administer a farm.

A farm is a collection of components managed by Fusion Middleware Control. It can contain Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters, and the Oracle Fusion Middleware components that are installed, configured, and running in the domain. During installation an Oracle WebLogic domain is created and BI Publisher is installed into that domain. If you performed a Simple or Enterprise installation type, this domain is named bifoundation_domain and is located within the WebLogic Domain in the Fusion Middleware Control target navigation pane.

Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001. For more information about using Fusion Middleware Control, see Administering Oracle Fusion Middleware.

To display the Security menu in Fusion Middleware Control:

  1. Log into Oracle Enterprise Manager Fusion Middleware Control by entering the URL in a Web browser.

    For example, http://hostname:7001/em.

  2. Enter the BI Publisher administrative user name and password and click Login.

    The password is the one you supplied during the installation of BI Publisher. If these values have been changed, then use the current administrative user name and password combination.

  3. From the target navigation pane, open WebLogic Domain to display bifoundation_domain. Display the Security menu by one of the following methods:
    • Right-click bifoundation_domain to display its context menu, then select Security to display a submenu.

    • From the content pane, open the WebLogic Domain menu, then select Security to display a submenu.

Managing the Policy Store Using Fusion Middleware Control

Use Fusion Middleware Control to manage the BI Publisher application policies and application roles maintained in the policy store whether it is file-based or LDAP-based.

For more information about configuring an LDAP-based policy store, see Configuring a New Policy Store and Credential Store Provider.

Caution:

Oracle recommends you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default installation location is MW_HOME/user_projects/domain/your_domain/config/fmwconfig.

The following are common policy store management tasks:

Modifying Application Roles Using Fusion Middleware Control

Members can be added to or deleted from an application role using Fusion Middleware Control.

You must perform these tasks while in the WebLogic Domain in which BI Publisher is installed, for example bifoundation_domain.

Caution:

Be very careful when changing the permission grants and membership for the default application roles. Changes could result in an unusable system.

Modifying Membership in an Application Role

Valid members of an application role are users, groups, or other application roles.

The process of becoming a member of an application role is called mapping. That is, being mapped to an application role is to become a member of an application role. Best practice is to map groups instead of individual users to application roles for easier maintenance.
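The Note at the top of this page and the paragraph above both recommend mapping groups, not individual users, to application roles. The following script is an added example (not Oracle's code, and not part of this documentation) that audits a copy of the file-based policy store for that practice: it reads the application-role membership of one application stripe, reports any user principal mapped directly to a role, and expands role-in-role membership so you can see which principals effectively hold each role. The element layout it parses (application / app-roles / app-role / members / member, each member carrying a class and a name, with the WebLogic user and group principal classes shown) is assumed from the format of system-jazn-data.xml; the sample document embedded below is constructed for this example and is not a real policy store.

```python
"""Audit application-role membership in a system-jazn-data.xml policy store.

Added example, not Oracle's code. It checks the best practice from the docs
(map groups, not individual users, to application roles) and expands nested
application roles into the principals that effectively hold each role.
The element layout and principal class names are assumptions about the file
format; the sample XML below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Principal classes as they appear in a WebLogic-backed policy store (assumed).
USER_CLASS = "weblogic.security.principal.WLSUserImpl"
GROUP_CLASS = "weblogic.security.principal.WLSGroupImpl"
APPROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"

# Constructed sample: one stripe ("obi") with a role that has a direct user
# member (jdoe) and a role that nests another application role.
SAMPLE_JAZN = """<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>obi</name>
        <app-roles>
          <app-role>
            <name>BIAdministrator</name>
            <members>
              <member><class>weblogic.security.principal.WLSGroupImpl</class><name>BIAdministrators</name></member>
              <member><class>weblogic.security.principal.WLSUserImpl</class><name>jdoe</name></member>
            </members>
          </app-role>
          <app-role>
            <name>BIAuthor</name>
            <members>
              <member><class>weblogic.security.principal.WLSGroupImpl</class><name>BIAuthors</name></member>
              <member><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>BIAdministrator</name></member>
            </members>
          </app-role>
        </app-roles>
      </application>
    </applications>
  </policy-store>
</jazn-data>
"""


def load_role_members(xml_text, stripe="obi"):
    """Return {role_name: [(member_class, member_name), ...]} for one application stripe."""
    root = ET.fromstring(xml_text)
    members = {}
    for app in root.iter("application"):
        if app.findtext("name") != stripe:
            continue
        for role in app.iter("app-role"):
            members[role.findtext("name")] = [
                (m.findtext("class"), m.findtext("name")) for m in role.iter("member")
            ]
    return members


def direct_user_mappings(role_members):
    """Roles that have individual users mapped directly, i.e. the practice the docs advise against."""
    return {
        role: [name for cls, name in mems if cls == USER_CLASS]
        for role, mems in role_members.items()
        if any(cls == USER_CLASS for cls, _ in mems)
    }


def effective_principals(role_members):
    """Return {role: set of (class, name)} of non-role principals that hold the role,
    following application roles that are members of other application roles."""

    def expand(role, seen):
        principals = set()
        for cls, name in role_members.get(role, []):
            if cls == APPROLE_CLASS:
                if name not in seen:  # guard against cyclic role membership
                    principals |= expand(name, seen | {name})
            else:
                principals.add((cls, name))
        return principals

    return {role: expand(role, {role}) for role in role_members}


def audit_report(xml_text, stripe="obi"):
    """Human-readable findings: one line per role with a direct user mapping."""
    role_members = load_role_members(xml_text, stripe)
    return [
        f"{stripe}/{role}: users mapped directly instead of via a group: {', '.join(users)}"
        for role, users in sorted(direct_user_mappings(role_members).items())
    ]


if __name__ == "__main__":
    # Replace SAMPLE_JAZN with open(path).read() to audit a backup copy of the real file.
    for line in audit_report(SAMPLE_JAZN):
        print(line)
    for role, principals in sorted(effective_principals(load_role_members(SAMPLE_JAZN)).items()):
        print(role, "<-", sorted(name for _, name in principals))
```

Run it against a backup copy of the policy file rather than the live one, and pair it with the group membership from the identity store if you want to see the full set of accounts that end up holding a role. The nesting expansion matters because a user mapped into one role also inherits every role that lists that role as a member; in the constructed sample, jdoe holds BIAuthor through BIAdministrator without appearing under BIAuthor at all.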

To add or remove members from an application role:

  1. Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information about navigating to the Security menu, see Accessing Oracle Enterprise Manager Fusion Middleware Control.

  2. Choose Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.
  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page.

    You can add or delete members from the Edit Application Role page. Valid members are application roles, groups, and users.

  4. Select from the following options:
    • To delete a member: Under Members, select the member's Name to activate the Delete button. Click Delete.

    • To add a member: Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User.

  5. If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK.

    The added member is displayed in the Members column for the modified application role on the Application Roles page.