Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents and Other Resources
System Requirements and Certification
Conventions
New Features in Oracle Business Intelligence Security
New Features for 12c (12.2.1.3.0)
Lightweight Single Sign-On (SSO)
New Features for 12c (12.2.1.2.0)
New Features for 12c (12.2.1.1.0)
New Features for 12c (12.2.1.0)
1 Introduction to Security in Oracle Business Intelligence
High-Level Roadmap for Setting Up Security in Oracle Business Intelligence
Overview of Security in Oracle Business Intelligence
About Authentication
About Authorization
About Application Roles
About the Security Policy
About Users, Groups, and Application Roles
Using Tools to Configure Security in Oracle Business Intelligence
Using Oracle WebLogic Server Administration Console
Using Oracle Fusion Middleware Control
Using Oracle BI Administration Tool
Using Presentation Services Administration Page
Process for Setting Up Security in Oracle Business Intelligence
Terminology
2 Managing Security Using a Default Security Configuration
Working with Users, Groups, and Application Roles
Example of Users, Groups, and Application Roles Security Setup
Managing Users and Groups in the Embedded WebLogic LDAP Server
Assigning a User to a New Group, and a New Application Role
Creating a New User in the Embedded WebLogic LDAP Server
Creating a New Group in the Embedded WebLogic LDAP Server
Assigning a User to a Group in the Embedded WebLogic LDAP Server
Deleting a User
Changing a User Password in the Embedded WebLogic LDAP Server
Managing Application Roles and Application Policies Using Fusion Middleware Control
Displaying Application Policies and Application Roles Using Fusion Middleware Control
Creating and Deleting Application Roles Using Fusion Middleware Control
Creating Application Roles
Creating Application Roles from Existing Roles
Assigning a Group to an Application Role
Deleting Application Roles
Creating Application Policies Using Fusion Middleware Control
Modifying Application Roles Using Fusion Middleware Control
Adding an Application Role to an Application Policy
Adding or Removing Members from an Application Role
Renaming an Application Role
Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
Setting Metadata Repository Privileges for an Application Role
Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic
Managing Presentation Services Privileges Using Application Roles
Setting Presentation Services Privileges for Application Roles
Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic
Managing Data Source Access Permissions Using BI Publisher
Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store
Using runcat to Manage Security Tasks in the Oracle BI Presentation Catalog
3 Using Alternative Authentication Providers
Introduction
High-Level Steps for Configuring an Alternative Authentication Provider
Setting Up Groups and Users in the Alternative Authentication Provider
Configuring Oracle Business Intelligence to Use Alternative Authentication Providers
Reconfiguring Oracle Internet Directory as an Authentication Provider
Oracle Internet Directory Authenticator Provider Specific Reference
Reconfiguring Microsoft Active Directory as the Authentication Provider
Configuring User and Group Name Attributes in the Identity Store
Configuring User Name Attributes
Configuring Group Name Attributes
Configuring LDAP as the Authentication Provider and Storing Groups in a Database
Prerequisites
Creating a Sample Schema for Groups and Group Members
Configuring a Data Source and the BISQLGroupProvider Using Oracle WebLogic Server Administration Console
Configuring Oracle Internet Directory as the Primary Identity Store for Authentication Using Oracle WebLogic Server
Installing the BISQLGroupProvider
Configuring the Data Source Using Oracle WebLogic Server Administration Console
Configuring the BISQLGroupProvider SQL Authenticator
Configuring the Virtualized Identity Store
Enabling Virtualization by Configuring the Identity Store
Configuring SSL Against LDAP
Configuring a Database Adaptor to Retrieve Group Information
Testing the Configuration by Adding a Database Group to an Application Role
Correcting Errors in the Adaptors
Configuring a Database as the Authentication Provider
Introduction and Prerequisites
Creating a Sample Schema for Users and Groups
Configuring a Data Source and SQL Authenticator Using the Oracle WebLogic Server Administration Console
Configuring a Data Source Using the Oracle WebLogic Server Administration Console
Configuring a SQL Authenticator Using the Oracle WebLogic Server Administration Console
SQL Authenticator Select Statement Reference
Configuring the Default Authenticator Control Flag
Reordering Authentication Providers
Configuring the Virtualized Identity Store
Configuring a Database Adaptor
Troubleshooting the SQL Authenticator
Adding a User to the Global Admin Role Using the Oracle WebLogic Server Administration Console
An Incorrect Data Source Name is Specified for the SQLAuthenticator
Incorrect SQL Queries
Correcting Database Adapter Errors by Deleting and Recreating the Adapter
Configuring Identity Store Virtualization Using Fusion Middleware Control
Configuring Multiple Authentication Providers
Setting the JAAS Control Flag Option
Configuring a Single LDAP Authentication Provider as the Authenticator
Configuring Oracle Internet Directory LDAP Authentication as the Only Authenticator
Task 1 - Enable Backup and Recovery
Task 2 - Configure the System to use WebLogic Server and an Alternative Authentication Provider
Task 3 - Identify or Create Essential Users Required in OID LDAP
Task 4 - Associate OID LDAP Groups with Global Roles in the WebLogic Console
Task 5 - Set User to Group Membership in OID LDAP
Task 6 - Remove the Default Authenticator
Task 7 - Restart the BI Services
Task 8 - Remove WebLogic Server Roles
Task 9 - Stop Alternative Methods of Authentication
Troubleshooting
Resetting the BI System User Credential
4 Enabling SSO Authentication
SSO Configuration Tasks for Oracle Business Intelligence
Understanding SSO Authentication and Oracle Business Intelligence
SSO Implementation Considerations
Configuring SSO in an Oracle Access Manager Environment
Configuring an OID Authenticator for Oracle WebLogic Server
Authentication Provider Source Reference
Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server
Configuring Custom SSO Environments
Configuring Single Sign-On with Smart View
Enabling Oracle Business Intelligence to Use SSO Authentication
Enabling and Disabling SSO Authentication Using WLST Commands
Enabling SSO Authentication Using Fusion Middleware Control
Enabling the Online Catalog Manager to Connect
5 Configuring SSL in Oracle Business Intelligence
What is SSL?
Enabling End-to-End SSL
Configuring a Standard Non-SSL Oracle BI EE System
Configuring WebLogic SSL
Starting Only the Administration Server
Configuring HTTPS Ports
Configuring Internal WebLogic Server LDAP to Use LDAPs
Configuring Internal WebLogic Server LDAP Trust Store
Disabling HTTP
Restarting
Configuring OWSM to Use t3s
Restarting System
Enabling Oracle BI EE Internal SSL
Disabling Internal SSL
Exporting Trust and Identity for Clients
Configuring SSL for Clients
Exporting Client Certificates
Using SASchInvoke when BI Scheduler is SSL-Enabled
Configuring Oracle BI Job Manager
Connecting the Online Catalog Manager to Oracle BI Presentation Services
Configuring the Oracle BI Administration Tool to Communicate Over SSL
Configuring an ODBC DSN for Remote Client Access
Configuring Oracle BI Publisher to Communicate Over SSL
Checking Certificate Expiry
Replacing the Certificates
Update Certificates After Changing Listener Addresses
Adding New Servers
Enabling SSL in a Configuration Template Configured System
Enabling SSL Without Internal Business Intelligence SSL
Manually Configuring SSL Cipher Suite
Configuring SSL Connections to External Systems
Configuring SSL for the SMTP Server Using Fusion Middleware Control
Configuring SSL when Using Multiple Authenticators
WebLogic Artifacts Reserved for Oracle BI EE Internal SSL Use
A Legacy Security Administration Options
Lightweight SSO and Legacy Authentication Options
Legacy Authentication Options
Setting Up LDAP Authentication Using Initialization Blocks
Setting Up an LDAP Server
Defining a USER Session Variable for LDAP Authentication
Setting the Logging Level
Setting Up External Table Authentication
About Oracle BI Delivers and External Initialization Block Authentication
Order of Authentication
Authenticating by Using a Custom Authenticator Plug-In
Managing Session Variables
Managing Server Sessions
Using the Session Manager
Alternative Authorization Options
Changes Affecting Security in Presentation Services
Setting Up Authorization Using Initialization Blocks
B Understanding the Default Security Configuration
About Securing Oracle Business Intelligence
About the Security Framework
Oracle Platform Security Services
Oracle WebLogic Server
Key Security Elements
Security Configuration Using the Sample Application
Default Authentication Provider
Policy Store Provider
Granting Permissions To Users Using Groups and Application Roles
Permission Inheritance and Role Hierarchy
Common Security Tasks After Installation
C Troubleshooting Security in Oracle Business Intelligence
Resolving User Login Authentication Failure Issues
Authentication Concepts
Authentication Defaults on Install
Using Oracle WebLogic Server Administration Console and Fusion Middleware Control to Configure Oracle Business Intelligence
WebLogic Domain and Log Locations
WebLogic Server Administrator User Account
Oracle Business Intelligence Login Overview
Identifying Causes of User Login Authentication Failure
Resolving User Login Authentication Failures
Single User Cannot Log in to Oracle Business Intelligence
Is Login Failure the Result of User Error?
Is User Account Locked?
Users Cannot Log in to Oracle Business Intelligence Due to Misconfigured Authenticators
Have You Specified the Correct Authenticator for the Identity Store or LDAP Server?
Is the Authenticator for the LDAP Server Configured Correctly?
Users Cannot Log in to Oracle Business Intelligence When Oracle Web Services Manager is not Working
Database Issues - OWSM Cannot Retrieve Policies
OracleSystemUser Issues - OWSM Cannot Retrieve Policies
Users Cannot Log in to Oracle Business Intelligence - Is the External Identity Store Configured Correctly?
Users Can Log in With Any or No Password
Have Removed Default Authenticator and Cannot Start WebLogic Server
Resolving Inconsistencies with the Identity Store
User Is Deleted from the Identity Store
User Is Renamed in the Identity Store
Group Associated with User Name Does Not Exist in the Identity Store
Resolving Inconsistencies with the Policy Store
Application Role Was Deleted from the Policy Store
Application Role Is Renamed in the Policy Store
Resolving SSL Communication Problems
Resolving Custom SSO Environment Issues
Resolving RSS Feed Authentication When Using SSO
D Managing Security for Dashboards and Analyses
Managing Security for Users of Oracle BI Presentation Services
Security Settings in Oracle BI Presentation Services
What Are the Security Goals in Oracle BI Presentation Services?
How Are Permissions and Privileges Assigned to Users?
Using Oracle BI Presentation Services Administration Pages
Understanding the Administration Pages
Managing Presentation Services Privileges
What Are Presentation Services Privileges?
Default Presentation Services Privilege Assignments
Access to Oracle BI Enterprise Edition Actions
Access to Oracle BI for Microsoft Office Privilege
Save Content with HTML Markup Privilege
EnableSavingContentWithHTML
Identifying Privileges for KPIs, KPI Watchlists, and Scorecarding
Managing Sessions in Presentation Services
Determining a User's Privileges and Permissions in Oracle BI Presentation Services
Rules for Determining a User's Privileges or Permissions
Task 1 - Check for an explicit record for this user
Task 2 - Check for records for this user's Catalog groups
Task 3 - Check records for this user's application roles
Task 4 - Fall back default behavior
Task 5 - No matching records at all
Example of Determining a User's Privileges with Application Roles
Example of Determining a User's Permissions with Application Roles
Example of Determining a User's Privileges with Removed Catalog Groups
Example of Determining a User's Permissions with Removed Catalog Groups
Providing Shared Dashboards for Users
Understanding the Catalog Structure for Shared Dashboards
Creating Shared Dashboards
Testing the Dashboards
Releasing Dashboards to the User Community
Controlling Access to Saved Customization Options in Dashboards
Overview of Saved Customizations in Dashboards
Administering Saved Customizations
Permission and Privilege Settings for Creating Saved Customizations
Example Usage Scenario for Saved Customization Administration
Enabling Users to Act for Others
Why Enable Users to Act for Others?
What Are the Proxy Levels?
Process of Enabling Users to Act for Others
Defining the Association Between Proxy Users and Target Users
Creating Session Variables for Proxy Functionality
Modifying the Configuration File Settings for Proxy Functionality
Creating a Custom Message Template for Proxy Functionality