After a user is authenticated, further access to BI Publisher resources is controlled by the granting of permissions, also known as authorization.
The policy store contains the system and application-specific policies and roles required for BI Publisher. A policy store can be file-based or LDAP-based and holds the mapping definitions between the default BI Publisher application roles, permissions, users and groups. BI Publisher permissions are granted by mapping users and groups from the identity store to application roles and permission grants located in the policy store. These mapping definitions between users and groups (identity store) and the application roles (policy store) are also kept in the policy store.
Note:
Best practice is to map groups instead of individual users to application roles. Controlling membership in a group reduces the complexity of tracking access rights for multiple individual users. Group membership is controlled in the identity store.
The system-jazn-data.xml file is installed and configured as the default policy store. You can continue to use the default store and modify it as needed for your environment, or you can migrate its data to an LDAP-based provider. Oracle Internet Directory is the supported LDAP server in this release.
The policy store and credential store must be of the same type in your environment. That is, both must be either file-based or LDAP-based.
Permissions must be defined in a manner that BI Publisher understands. All valid BI Publisher permissions are premapped to application policies, which are in turn premapped to the default application roles. You cannot create new permissions in the policy store. However, you can customize the default application policy permission grants and application role mappings, and you can create your own application roles.
For more information about the default BI Publisher permissions grants, see Default Application Roles and Permissions. For more information about customizing application roles and permission grants, see Customizing the Policy Store.
Fusion Middleware Control is a Web browser-based, graphical user interface that you can use to monitor and administer a farm.
A farm is a collection of components managed by Fusion Middleware Control. It can contain Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters, and the Oracle Fusion Middleware components that are installed, configured, and running in the domain. During installation an Oracle WebLogic domain is created and BI Publisher is installed into that domain. If you chose the Simple or Enterprise installation type, this domain is named bifoundation_domain and appears under WebLogic Domain in the Fusion Middleware Control target navigation pane.
Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001. For more information about using Fusion Middleware Control, see Administering Oracle Fusion Middleware.
To display the Security menu in Fusion Middleware Control:
Use Fusion Middleware Control to manage the BI Publisher application policies and application roles maintained in the policy store whether it is file-based or LDAP-based.
For more information about configuring an LDAP-based policy store, see Configuring a New Policy Store and Credential Store Provider.
Caution:
Oracle recommends you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default installation location is MW_HOME/user_projects/domain/your_domain/config/fmwconfig.
The following are common policy store management tasks:
Modifying the membership of an application role. See Modifying Membership in an Application Role.
Modifying the permission grants for an application role. See Changing Permission Grants for an Application Policy.
Creating a new application role from the beginning. See Creating Application Roles Using Fusion Middleware Control.
Creating a new application role based on an existing application role. See Creating Application Roles Using Fusion Middleware Control.
Members can be added to or deleted from an application role using Fusion Middleware Control.
You must perform these tasks while in the WebLogic Domain that BI Publisher is installed in. For example, bifoundation_domain.
Caution:
Be very careful when changing the permission grants and membership for the default application roles. Changes could result in an unusable system.
Valid members of an application role are users, groups, or other application roles.
The process of becoming a member of an application role is called mapping. That is, a user, group, or application role that is mapped to an application role becomes a member of that role. Best practice is to map groups instead of individual users to application roles for easier maintenance.
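The mapping definitions described above (users and groups from the identity store mapped to application roles, and application roles mapped to permission grants) are what a file-based policy store holds. The following script is an added example, not code from the BI Publisher documentation or product: it parses a constructed jazn-data-style XML fragment, resolves which application roles a principal holds (including role-in-role membership, where a role listed as a member of another role inherits that role's grants), collects the effective permissions, and lists users that are mapped to roles individually rather than through a group, which is the practice the Note and the paragraph above advise against. The element layout, the principal class names, and the role and permission names in the sample are assumptions for illustration; they are not BI Publisher's default roles or permissions.

```python
"""Inspect a file-based policy store (system-jazn-data.xml style) for
application role membership and permission grants.

The XML below is a CONSTRUCTED sample following the general shape of an
OPSS jazn-data policy store (element names are assumptions); the role and
permission names are invented and are not BI Publisher's defaults.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Principal classes as they appear in a WebLogic/OPSS policy store (assumed).
USER_CLASS = "weblogic.security.principal.WLSUserImpl"
GROUP_CLASS = "weblogic.security.principal.WLSGroupImpl"
ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"

SAMPLE_POLICY_STORE = """<jazn-data>
  <policy-store><applications><application>
    <name>obi</name>
    <app-roles>
      <app-role>
        <name>ReportAdmin</name>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <members>
          <member><class>weblogic.security.principal.WLSGroupImpl</class><name>ReportAdmins</name></member>
        </members>
      </app-role>
      <app-role>
        <name>ReportAuthor</name>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <members>
          <member><class>weblogic.security.principal.WLSGroupImpl</class><name>ReportAuthors</name></member>
          <member><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>ReportAdmin</name></member>
          <member><class>weblogic.security.principal.WLSUserImpl</class><name>jsmith</name></member>
        </members>
      </app-role>
    </app-roles>
    <jazn-policy>
      <grant>
        <grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>ReportAdmin</name></principal></principals></grantee>
        <permissions><permission><class>oracle.security.jps.ResourcePermission</class><name>example.administerServer</name><actions>_all_</actions></permission></permissions>
      </grant>
      <grant>
        <grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>ReportAuthor</name></principal></principals></grantee>
        <permissions><permission><class>oracle.security.jps.ResourcePermission</class><name>example.developReport</name><actions>_all_</actions></permission></permissions>
      </grant>
    </jazn-policy>
  </application></applications></policy-store>
</jazn-data>
"""


def principal_kind(class_name):
    """Classify a principal by its class element: user, group, or role."""
    return {USER_CLASS: "user", GROUP_CLASS: "group", ROLE_CLASS: "role"}.get(class_name, "unknown")


def load_policy_store(xml_text, app_name="obi"):
    """Return (members, grants): role -> [(kind, name)] and role -> {permission names}."""
    root = ET.fromstring(xml_text)
    app = next(a for a in root.iter("application") if a.findtext("name") == app_name)
    members = defaultdict(list)
    grants = defaultdict(set)
    for role in app.iter("app-role"):
        role_name = role.findtext("name")
        members[role_name]  # register roles that have no members
        for m in role.iter("member"):
            members[role_name].append((principal_kind(m.findtext("class")), m.findtext("name")))
    for grant in app.iter("grant"):
        perms = {p.findtext("name") for p in grant.iter("permission")}
        for principal in grant.iter("principal"):
            if principal_kind(principal.findtext("class")) == "role":
                grants[principal.findtext("name")] |= perms
    return members, grants


def roles_for_principal(members, kind, name):
    """All roles the principal holds. If role A lists role B as a member,
    every member of B also holds A, so the walk follows role-in-role links."""
    found, frontier = set(), [(kind, name)]
    while frontier:
        current = frontier.pop()
        for role, member_list in members.items():
            if current in member_list and role not in found:
                found.add(role)
                frontier.append(("role", role))
    return found


def effective_permissions(members, grants, kind, name):
    """Union of the permission grants of every role the principal holds."""
    perms = set()
    for role in roles_for_principal(members, kind, name):
        perms |= grants.get(role, set())
    return perms


def direct_user_mappings(members):
    """Users mapped to application roles individually instead of via a group."""
    return sorted((role, n) for role, mlist in members.items() for k, n in mlist if k == "user")


if __name__ == "__main__":
    members, grants = load_policy_store(SAMPLE_POLICY_STORE)
    for kind, name in [("group", "ReportAdmins"), ("user", "jsmith")]:
        print(kind, name, "->", sorted(effective_permissions(members, grants, kind, name)))
    print("individually mapped users:", direct_user_mappings(members))
```

Run against a real export of system-jazn-data.xml, the same walk shows whether a group's effective permissions come from a direct grant or from a role it is nested in, and the last report gives the list of user-to-role mappings to convert into group memberships in the identity store.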
To add or remove members from an application role: