2 Managing Security Using a Default Security Configuration

These topics explain how to deploy Oracle Business Intelligence security using the embedded WebLogic LDAP Server with the sample application.

By deploying the default embedded WebLogic LDAP Server with the sample application, you can use its default users, groups, and application roles. You can also develop your own users, groups, and application roles.

You can migrate users (with their encrypted passwords), groups, roles and policies from the embedded WebLogic LDAP server and into another one. See Exporting and Importing Information in the Embedded LDAP Server in Administering Security for Oracle WebLogic Server.

Working with Users, Groups, and Application Roles

When you configure Oracle Business Intelligence with the Sample Application that is made available with the BI installation, a number of application roles are provided for you to use in order to provision users and groups that enable you to use BI functionality and access BI folders, reports, data columns and other objects.

For example, following a new installation of Oracle Business Intelligence, if you have selected to populate your initial service instance using the Sample Application, the user specified for creating the BI domain during the configuration step is assigned to the BIServiceAdministrator application role. In addition, the Sample Application provides the BIContentAuthor and BIConsumer application roles; these application roles are preconfigured to work together. For example, a user who is a member of the BIServiceAdministrator application role automatically inherits the BIContentAuthor and BIConsumer application roles and is therefore provisioned with all the privileges and permissions associated with all of these application roles. See Understanding the Default Security Configuration for this security configuration.

The Sample Application roles have appropriate permissions and privileges to enable them to work with the sample Oracle BI Presentation Catalog, BI Repository, and Policy Store. For example, the application role BIContentAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.

The screen below shows application roles, groups and users that are preconfigured in the sample and starter applications installation.

When you initially configure your BI domain, a service instance is created based on one of the BI application archive (BAR) files that are included with the BI installation. Each BI application contains an application role that is tagged as the administration application role. The name of this administration application role is determined by the developer or author of the BI application archive. In the case of the sample, starter, and empty applications available with the BI installation, this administration application role is called BIServiceAdministrator. The authors of these applications have assigned specific permission sets and privileges to this application role to enable its members to administer the system. When the BI service instance is created, the BI system administrator specifies an owner (a user) for the service instance. The system assigns the administration application role to the service instance owner whenever a BI archive file is imported into the service instance.

Note:

When importing an 11g upgrade bundle into a 12c service instance, the system automatically tags the BIAdministrator application role as the administration application role.

See Installing and Configuring Oracle Business Intelligence and importServiceInstance in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

You can use the sample application roles to deploy security. You can then create your own groups and application roles to meet your business needs. For example:

  • If you want to enable an employee called Fred to create dashboards and reports, you might create a new user called Fred and assign Fred to the default BIContentAuthors group.
  • If you want to assign Fred as a Sales dashboard author, create an application role called Sales_Dashboard_Author that has permissions to see Sales subject areas in the repository and edit Sales dashboards.
  • If you want to enable user Fred to perform BIContentAuthors and Sales_Dashboard_Author duties, create a new application role called BIManager that has both BIContentAuthors privileges and Sales_Dashboard_Author privileges.

See Understanding the Default Security Configuration.

Example of Users, Groups, and Application Roles Security Setup

This example uses a small set of users, groups, and application roles to illustrate how you might set up a security model. In this example, you want to implement the following:

  • Three users named User1, User2, and User3, who need to view business intelligence reports.
  • Two users named User4 and User5, who need to create business intelligence reports.
  • Two users named User6 and User7, who administer Oracle Business Intelligence.

The diagram shows the users, groups, and application roles that you would deploy to implement this example security model.

The diagram shows the following:

  • The group named BIConsumers contains User1, User2, and User3. Users in the group BIConsumers are assigned to the application role named BIConsumer, which enables the users to view reports.
  • The group named BIContentAuthors contains User4 and User5. Users in the group BIContentAuthors are assigned to the application role named BIContentAuthor, which enables the users to create reports.
  • The group named BIServiceAdministrators contains User6 and User7. Users in the group BIServiceAdministrators are assigned to the application role named BIServiceAdministrator, which enables the users to manage repositories.

To implement this example security model:

  1. Create seven users named User1 to User7.
  2. Create the groups BIConsumers and BIContentAuthors and BIServiceAdministrators.
  3. Assign the users to the default groups, as follows:
    1. Assign User1, User2, and User3 to the group named BIConsumers.
    2. Assign User4 and User5 to the group named BIContentAuthors.
    3. Assign User6 and User7 to the group named BIServiceAdministrators.
  4. Assign the groups to the sample application roles as follows:
    1. Make the BIConsumers group a member of the BIConsumer application role.
    2. Make the BIContentAuthors group a member of the BIContentAuthor application role.
    3. Make the BIServiceAdministrators group a member of the BIServiceAdministrator application role.

Managing Users and Groups in the Embedded WebLogic LDAP Server

This section explains how to manage users and groups in the Embedded WebLogic LDAP Server, and contains the following topics:

Assigning a User to a New Group, and a New Application Role

You can extend the security model by creating users, and assigning the users to new groups, and application roles.

For example, you can create a user named, Jim, and assign Jim to the BIMarketingGroup group that is assigned to an application role named BIMarketingRole.

The process for assigning a user to a group, and an application role is as follows:

  1. Launch WebLogic Administration Console.
  2. Create a new user.
  3. Create a new group.
  4. Assign the user to the group.
  5. Create an application role and assign it to the new group.
  6. Edit the Oracle BI repository and set up the privileges for the new application role.
  7. Edit the Oracle BI Presentation Catalog and set up the privileges for the new user and group.

Creating a New User in the Embedded WebLogic LDAP Server

You typically create a separate user for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, 3 report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 users, which you would then assign to appropriate groups.

All users who are able to log in are given a basic level of operational permissions conferred by the built-in Authenticated User application role. The author of the BI application that is imported into your service instance might have designed the security policy so that all authenticated users are members of an application role that grants privileges in the BI application. See Security Configuration Using the Sample Application.

DefaultAuthenticator is the name for the default authentication provider.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane, and then click the realm you are configuring, for example, myrealm.
  3. Select the Users and Groups tab, then Users. Click New.
  4. In Create a New User, in Name, type the name of the user.
  5. (Optional) In Description, provide additional information about the user.
  6. From the Provider list, select the authentication provider that corresponds to the identity store where the user information is contained.
  7. In Password, type a password for the user that is at least 8 characters long.
  8. In Confirm Password, retype the user password.
  9. Click OK.

Creating a New Group in the Embedded WebLogic LDAP Server

You can create a separate group for each functional type of business user in your Oracle Business Intelligence environment.

A typical deployment might require three groups: BIConsumers, BIContentAuthors, and BIServiceAdministrators. You could create groups with those names and configure the group to use with Oracle Business Intelligence, or you might create your own custom groups.

See Example of Users, Groups, and Application Roles Security Setup.

DefaultAuthenticator is the default authentication provider.

  1. Launch Oracle WebLogic Server Administration Console.
  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring, for example, myrealm.
  3. Click the Users and Groups tab, and then click Groups.
  4. Click New.
  5. In Create a New Group, in the Name field, type a unique group name.
  6. (Optional) In the Description field, type a brief note about the composition of the group.
  7. From the Provider list, select the authentication provider that corresponds to the identity store where the group information is contained.
  8. Click OK.

Assigning a User to a Group in the Embedded WebLogic LDAP Server

You typically assign each user to an appropriate group. For example, a typical deployment might require user IDs created for report consumers to be assigned to a group named BIConsumers. In this case, you could either assign the users to the default group named BIConsumers, or you could assign the users to your own custom group that you have created.

  1. Launch Oracle WebLogic Server Administration Console.
  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring, for example, myrealm.
  3. Select the Users and Groups tab, then Users.
  4. In the Users table select the user you want to add to a group.
  5. Select the Groups tab.
  6. Select a group or groups from the Available list.
  7. Click Save.

Deleting a User

When a user is no longer required, you must completely remove their user ID from the system to prevent an identical, newly created user from inheriting the old user's access permissions. This situation can occur because authentication and access permissions are associated with the user ID.

You delete a user by removing the user from the policy store, the Oracle BI Presentation Catalog, the metadata repository, and the identity store.

See Delete Users Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

If you are using an identity store other than Oracle WebLogic Server LDAP, follow the appropriate instructions for your identity store.

If you have assigned the user to any application roles, you must update the application roles to remove all references to that user.

  1. Delete the user from the policy store.
  2. Delete the user from the Oracle BI Presentation Catalog, and the metadata repository using the deleteusers command.
  3. Log in to the Oracle WebLogic Server Administration Console.
  4. Select Security Realms, and select the realm containing the user, for example, myrealm.
  5. Click the Users and Groups tab, then click Users.
  6. Select a user, and click Delete.
  7. In Delete Users, click Yes.
  8. Click OK.
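The reason the procedure above removes the user ID from every store, not just the identity store, is that any grant still naming that ID is silently inherited by the next user created with the same name. The following Python script, added here as an illustration and not part of the Oracle documentation, models a reconciliation check for that condition: it lists user-typed grants whose principal no longer exists in the identity store, shows what a proposed new user ID would inherit, and confirms when a deletion is complete. The identity store contents and the three grant lists are constructed sample data, and their dictionary layout is a simplified stand-in for the real policy store, catalog ACLs, and repository permissions.

```python
"""Reconciliation check for stale user-ID grants (added illustration, not Oracle code).
The store contents below are constructed; their layout is a simplified stand-in for
the real policy store, Presentation Catalog ACLs and metadata repository permissions."""

# Constructed: user IDs currently present in the identity store.
IDENTITY_STORE_USERS = {"User1", "User2", "User4", "User6"}

# Constructed: grants recorded in each store, keyed by the principal they name.
# Groups and application roles are principals too, so each entry records its type.
POLICY_STORE_GRANTS = [
    {"principal": "User3", "type": "user", "grant": "BIConsumer membership"},
    {"principal": "BIConsumers", "type": "group", "grant": "BIConsumer membership"},
]
CATALOG_ACLS = [
    {"principal": "User3", "type": "user", "object": "/shared/Sales/Pipeline", "perm": "Full Control"},
    {"principal": "User5", "type": "user", "object": "/shared/Sales", "perm": "Modify"},
    {"principal": "BIContentAuthor", "type": "role", "object": "/shared/Sales", "perm": "Modify"},
]
REPOSITORY_PERMISSIONS = [
    {"principal": "User5", "type": "user", "object": "Sales", "perm": "Read/Write"},
    {"principal": "BIServiceAdministrator", "type": "role", "object": "Sales", "perm": "Read/Write"},
]

STORES = {
    "policy store": POLICY_STORE_GRANTS,
    "catalog": CATALOG_ACLS,
    "repository": REPOSITORY_PERMISSIONS,
}


def orphaned_user_grants(identity_users=IDENTITY_STORE_USERS, stores=STORES):
    """Return {user_id: [(store_name, entry), ...]} for every user-typed principal
    that still holds grants somewhere but no longer exists in the identity store."""
    orphans = {}
    for store_name, entries in stores.items():
        for entry in entries:
            if entry["type"] != "user":
                continue  # group and role grants are expected to outlive individual users
            if entry["principal"] in identity_users:
                continue
            orphans.setdefault(entry["principal"], []).append((store_name, entry))
    return orphans


def grants_a_new_user_would_inherit(new_user_id, identity_users=IDENTITY_STORE_USERS, stores=STORES):
    """Before creating a user ID, list the leftover grants it would silently pick up."""
    return orphaned_user_grants(identity_users, stores).get(new_user_id, [])


def deletion_complete(user_id, identity_users=IDENTITY_STORE_USERS, stores=STORES):
    """True only when the user ID is absent from the identity store and from every
    other store, which is the end state the deletion procedure requires."""
    if user_id in identity_users:
        return False
    return user_id not in orphaned_user_grants(identity_users, stores)


if __name__ == "__main__":
    for uid, leftovers in sorted(orphaned_user_grants().items()):
        for store_name, entry in leftovers:
            print(f"{uid}: still referenced in {store_name}: {entry}")
```

In the constructed data, User3 and User5 have been removed from the identity store but still hold catalog, repository, or policy-store grants, so the check reports both; a later request to create a user called User3 would show exactly which grants that new account would inherit.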

Changing a User Password in the Embedded WebLogic LDAP Server

Perform this optional task to change the default password for a user.

If you change the password of the system user, you also need to change it in the credential store.

  1. In Oracle WebLogic Server Administration Console, select Security Realms, and click the realm you are configuring, for example, myrealm.
  2. Select the Users and Groups tab, and then click Users.
  3. In the Users table, select the user receiving the changed password.
  4. In the user's Settings page, select the Passwords tab.
  5. Type the password in the New Password and Confirm Password fields.
  6. Click Save.

Managing Application Roles and Application Policies Using Fusion Middleware Control

Application roles and application policies provide permissions for users and groups.

After creating a service instance or importing a BI application archive (BAR) file into a service instance, you should check the security policy in the service instance to ensure that users and groups from your Identity Store are mapped correctly to the application roles defined in the service instance. Each BI application archive file can contain its own security policy. As a best practice, check the security policy on your service instance after importing a BI application archive file.

A BI application archive file that has the BI metadata for an application contains pre-defined application roles that you can use to provision users with permissions. For example, the sample application contains the application roles, BIConsumer, BIContentAuthor, and BIServiceAdministrator. To provision users with permissions and privileges, you map users and groups from the Identity Store, usually an LDAP directory, to the defined application roles.

Important:

You use Oracle Enterprise Manager Fusion Middleware Control to manage operations on permission grants. You must use Oracle WebLogic Scripting Tool (WLST) commands to perform operations on permission set grants. See grantEntitlement and revokeEntitlement. See OPSS Security Store WLST Commands in Oracle Fusion Middleware WLST Command Reference for Infrastructure Security.

If you want to create a more complex or fine grained security model, you can create your own application roles and application policies. For example, you might want to limit report authors in a Marketing department to write-access only to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. You can create a new application role, called BIContentMarketing, and provide the role with appropriate privileges.


Displaying Application Policies and Application Roles Using Fusion Middleware Control

You can display application policies and application roles that are assigned to permission set grants in Fusion Middleware Control.

Fusion Middleware Control displays permission grants and permission set grants. You can only carry out operations on the permission grants. If you add a permission grant to your application role using Fusion Middleware Control, you can delete the application role through Fusion Middleware Control.

You need to use WLST commands to manage permission set grants. See OPSS Security Store WLST Commands in Fusion Middleware WLST Command Reference for Infrastructure Security.

  1. Log in to Fusion Middleware Control.
  2. Select the Target Navigation icon to open the navigation pane.
  3. From the navigation pane, expand the Business Intelligence folder, and select biinstance.
  4. Select one of the following options:
    • Right-click biinstance, select Security, and then select Application Policies or Application Roles.

    • Alternatively from the content pane, click Business Intelligence Instance to display a menu, then choose Security, and Application Policies or Application Roles.

      Other Fusion Middleware Control Security menu options are not available from these menus.

  5. Select Application Policies or Application Roles to display either the Application Policies page or the Application Roles page.

Creating and Deleting Application Roles Using Fusion Middleware Control

Use Fusion Middleware Control to create, delete, and manage application roles.

In a new Oracle Business Intelligence deployment, you create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a deployment based on the sample application or the starter application might include the BIConsumer, BIContentAuthor, and BIServiceAdministrator application roles. As a BI system administrator or service administrator, you should not change the application roles or the permission sets assigned to the application roles that have been delivered in a BAR file.

Oracle Business Intelligence application roles represent a role that is assigned to a user. For example, the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. The service instance administrator can create and modify application roles. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without changing the groups defined in the corporate directory server. To control authorization requirements, you can then assign existing groups of users from the directory server to application roles.

Before creating a new application role and adding the application role to your Oracle Business Intelligence service instance, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. See Granting Permissions To Users Using Groups and Application Roles.

See Managing the Policy Store in Securing Applications with Oracle Platform Security Services.

See Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic.
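The chain this page describes, users assigned to groups, groups made members of application roles, and application roles inheriting from one another (BIServiceAdministrator inherits BIContentAuthor, which inherits BIConsumer), together with the circular-dependency caveat above, can be modelled in a few lines. The following Python script is an added example, not Oracle code: it resolves a user's effective application roles and permissions through the hierarchy, and refuses a role-to-role membership change that would introduce a cycle. The users, groups, and role memberships are constructed from the User1 to User7 example earlier on this page; the permission labels are hypothetical placeholders standing in for real permission sets.

```python
"""Users -> groups -> application roles -> permissions resolver with a
circular-dependency check (added illustration, not Oracle code)."""

from collections import deque

# Constructed: the users and groups from the page's example security setup.
USER_GROUPS = {
    "User1": {"BIConsumers"},
    "User2": {"BIConsumers"},
    "User3": {"BIConsumers"},
    "User4": {"BIContentAuthors"},
    "User5": {"BIContentAuthors"},
    "User6": {"BIServiceAdministrators"},
    "User7": {"BIServiceAdministrators"},
}

# Constructed: each group is made a member of one sample application role.
GROUP_ROLES = {
    "BIConsumers": {"BIConsumer"},
    "BIContentAuthors": {"BIContentAuthor"},
    "BIServiceAdministrators": {"BIServiceAdministrator"},
}

# Role hierarchy: a role maps to the roles it is a member of and therefore inherits.
ROLE_MEMBER_OF = {
    "BIServiceAdministrator": {"BIContentAuthor"},
    "BIContentAuthor": {"BIConsumer"},
    "BIConsumer": set(),
}

# Hypothetical permission labels per role (placeholders, not real OBIEE permission sets).
ROLE_PERMISSIONS = {
    "BIConsumer": {"view_reports"},
    "BIContentAuthor": {"create_reports", "edit_dashboards"},
    "BIServiceAdministrator": {"manage_repository"},
}


def find_cycle(role_member_of):
    """Depth-first search over role-to-role membership; returns the roles forming a
    circular dependency (first role repeated at the end), or None if there is none."""
    WHITE, GREY, BLACK = 0, 1, 2
    state = {r: WHITE for r in role_member_of}
    path = []

    def visit(role):
        state[role] = GREY
        path.append(role)
        for parent in role_member_of.get(role, ()):
            colour = state.get(parent, WHITE)
            if colour == GREY:  # back edge: parent is already on the current path
                return path[path.index(parent):] + [parent]
            if colour == WHITE:
                found = visit(parent)
                if found:
                    return found
        path.pop()
        state[role] = BLACK
        return None

    for role in list(role_member_of):
        if state[role] == WHITE:
            found = visit(role)
            if found:
                return found
    return None


def effective_roles(user, user_groups=USER_GROUPS, group_roles=GROUP_ROLES,
                    role_member_of=ROLE_MEMBER_OF):
    """All application roles a user holds: those granted via group membership plus
    every role reachable through role-to-role membership (inheritance)."""
    cycle = find_cycle(role_member_of)
    if cycle:
        raise ValueError("circular role membership: " + " -> ".join(cycle))
    queue = deque()
    for group in user_groups.get(user, ()):
        queue.extend(group_roles.get(group, ()))
    seen = set()
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(role_member_of.get(role, ()))
    return seen


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS, **kwargs):
    """Union of the permissions attached to every effective role of the user."""
    perms = set()
    for role in effective_roles(user, **kwargs):
        perms |= role_permissions.get(role, set())
    return perms


def add_role_membership(role_member_of, role, parent):
    """Return a copy of the hierarchy with `role` made a member of `parent`,
    refusing the change if it would introduce a circular dependency."""
    proposed = {r: set(p) for r, p in role_member_of.items()}
    proposed.setdefault(role, set()).add(parent)
    proposed.setdefault(parent, set())
    cycle = find_cycle(proposed)
    if cycle:
        raise ValueError("refusing change, would create cycle: " + " -> ".join(cycle))
    return proposed


if __name__ == "__main__":
    for u in sorted(USER_GROUPS):
        print(u, sorted(effective_roles(u)), sorted(effective_permissions(u)))
```

Running the script shows User6 and User7 resolving to all three sample roles through inheritance while User1 to User3 hold only BIConsumer. Making BIConsumer a member of BIServiceAdministrator is rejected, because it would close the loop BIServiceAdministrator to BIContentAuthor to BIConsumer and back; adding a fresh role such as a marketing consumer role is accepted.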

Creating Application Roles

Create application roles in Fusion Middleware Control using these steps.

You can also add members to the application role. See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.

You can create application roles by copying an existing role. See Creating Application Roles from Existing Roles.

Valid members of an application role are users, groups, and other application roles.

Membership for an application role is controlled using the Application Roles page in Fusion Middleware Control.

The permission and permission set grant definitions are set in the application policy, then the application policy is granted to the application role, see Creating Application Policies Using Fusion Middleware Control. Permission and permission set grants are displayed in the Application Policies page in Fusion Middleware Control.

  1. Log in to Fusion Middleware Control, and select the Application Roles page.
  2. In Application Roles, verify that the value in the Application Stripe field is obi, and click the search icon next to Role Name.
  3. Click Create.
  4. In Application Role, in Role Name, type a name for the application role without invalid special characters and spaces.
  5. In Display Name, type the name for the application role that displays in the user interface.
  6. (Optional) In Description, type an explanation for the use of the application role.
  7. In the Members section, click Add.
  8. In Add Principal, from the Type list, select Application Role, Group, or Users.
  9. (Optional) In the Principal Name and Display Name fields, enter search criteria, and click Search.
  10. In the Searched Principals, select a result, and click OK.

Creating Application Roles from Existing Roles

You can create an application role by copying an existing application role.

The copy contains the same members as the original, and is made a grantee of the same application policy as is the original. You can make modifications to customize the new application role.

See Characters in Application Role Names in Securing Applications with Oracle Platform Security Services.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. From the Application Stripe list, select obi.
  3. Click the search icon next to Role Name.
  4. Select the application role you want to copy from the list.
  5. Click Create Like.
  6. In the General section, in Role Name, type the name of the application role without using any invalid characters or spaces.
  7. (Optional) In Display Name, type the display name for the application role.
  8. (Optional) In Description, type a description for the use of the application role.
  9. In the Members section, click Add.

    The Members section displays the same application roles, groups, or users that are assigned to the original role.

  10. In Add Principal, from the Type list, select an Application Role.
  11. (Optional) In the Principal Name and Display Name fields, type your search criteria, and click Search.
  12. In Searched Principals, select a result, and click OK.
  13. Modify the members as appropriate, and click OK.

Assigning a Group to an Application Role

You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.
  3. Select an application role in the list and click Edit to display the Edit Application Role dialog.
  4. From Role Name, select an application role to use.
  5. (Optional) In Display Name, type the application role name to display in the user interface.
  6. (Optional) In Description, type a brief description for the use of the application role.
  7. In the Members section, click Add to add the group that you want to assign to the Roles list.

    For example, if a group for marketing report consumers named BIMarketingGroup requires an application role called BIConsumerMarketing, then add the group named BIMarketingGroup to the Roles list.

  8. Click OK to return to the Application Roles page.

Deleting Application Roles

You must not delete an application role without first consulting your system administrator.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. Select the application role you want to delete.
  3. Click Delete, then click Yes, to confirm deletion of the application role.

Creating Application Policies Using Fusion Middleware Control

You can create application policies based on the default application policies, or you can create your own application policies.

Oracle Business Intelligence Enterprise Edition 12c uses permission sets as well as permissions. A permission set is a collection of permissions, also known as an entitlement. All of the permissions available with Oracle BI EE 12c are grouped into permission sets. When the sample or starter application is imported into a service instance, you see the permission sets that have been assigned to the application roles. When an Oracle BI EE 11g upgrade bundle is imported into a service instance, you see the permissions from your Oracle BI EE 11g system, supplemented by new permission sets assigned to the migrated application roles.

Fusion Middleware Control only allows you to view permission set grants. It does not allow you to change the permission set grants against an application role. In Fusion Middleware Control, you can modify permission grants against application roles. In Oracle BI EE 12c, if you need to update permission set grants against an application role, you need to use the WLST command line. See Managing Policies with WLST in Securing Applications with Oracle Platform Security Services.

You can create an application policy based on an existing application policy.

The Principal represents the name of the policy grantee.

  1. Log in to Fusion Middleware Control, and display the Application Policies page.
  2. Select obi from the Application Stripe list, then click the search icon next to Name.
  3. Select an existing policy from the table.
  4. Click Create Like to display the Create Application Grant Like page.
  5. Click Add Application Role in the Grantee area to display the Add Application Role dialog and add application roles to a policy.
  6. Complete the Search area and click the blue search button next to the Display Name field.
  7. Select from the Searched Principals list and click OK.

    The Create Application Grant Like page displays with the selected application role added as Grantee.

  8. Click OK to return to the Application Policies page.

Modifying Application Roles Using Fusion Middleware Control

You can modify an application role by changing permission set grants of the corresponding application policy, if the application role is a grantee of the application policy, or by changing its members, and by renaming or deleting the application role as follows:

See Managing Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.

Adding an Application Role to an Application Policy

Use this procedure to change the permission grants for an application role by adding the application role to an application policy using Fusion Middleware Control.

For permission grant changes, you can perform these tasks in Fusion Middleware Control. To change permission set grants, you must use Oracle WebLogic Server Administration Console.

  1. Log in to Fusion Middleware Control.
  2. Click Target Navigation.
  3. In Target Navigation, expand Business Intelligence, and select the biinstance.
  4. From the biinstance list, select Security, and then select Application Policies.
  5. In Application Policies, from the Application Stripe, select obi.
  6. Click the arrow next to Principal Role to search the associated application roles.
  7. From the Principal column, select an application role, and click Edit.
  8. In Grantee, click Add.
  9. In the Add Principal, search for an application role.
  10. After adding an application role, in Permissions, click Add.
  11. In Add Permission, select the permissions that you want to grant the application role.

Adding or Removing Members from an Application Role

You can add or delete members from an application role using Fusion Middleware Control.

You must perform these tasks in the WebLogic domain where Oracle Business Intelligence is installed, for example, in bifoundation_domain. Valid members of an application role are users, groups, or other application roles.

Assign groups instead of individual users to application roles as a best practice, and then assign users to the groups.

Note:

Be very careful when changing the permission grants and membership for the application role that is tagged as the administration application role, as changes to the permissions assigned to this application role could leave your system in an unusable state.

See Displaying Application Policies and Application Roles Using Fusion Middleware Control.

  1. Log in to Fusion Middleware Control, and display the Application Roles page.
  2. If not already displayed, select Application Stripe and obi from the list, then click the search icon next to Role Name.
  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page.
  4. To delete a member, select the Name of the member to activate the Delete button, then click Delete.
  5. Click Add to add a member.
    1. Select Application Role, Group, or Users from the Type field list.
    2. (Optional) Enter search details into Principal Name and Display Name fields.
    3. Click Search.
    4. From the Searched Principals, make your selection from the results.
    5. Click OK.
  6. Click OK in the Edit Application Role page to return to the Application Role page.

See Managing Application Roles in Securing Applications with Oracle Platform Security Services.

Renaming an Application Role

You cannot directly rename an existing application role. You can only update the display name.

To rename an application role you must create a new application role using the same application policies used for the deleted application role, and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.

To rename an application role in the catalog and the metadata repository use the renameAppRoles command, as described in Rename Application Role Command in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

Managing Metadata Repository Privileges Using the Oracle BI Administration Tool

You use Identity Manager in the Oracle BI Administration Tool to manage permissions for application roles, and set access privileges for objects such as subject areas and tables.

Use the Oracle BI Administration Tool to configure security in the Oracle BI repository:

Setting Metadata Repository Privileges for an Application Role

The data model for your service instance includes a security policy that defines permissions for accessing different parts of the data model, such as columns and subject areas.

The author of your data model uses the administration tool to maintain this security policy including assigning data model permissions to application roles.

When you create a service instance or import a BI application archive file into a service instance, the security policy for the data model is imported from the BI application archive file.

See Setting Presentation Services Privileges for Application Roles, and Setting Permissions Using Command-Line Tools in XML Schema Reference for Oracle Business Intelligence Enterprise Edition.

Best practice is to modify permissions for application roles, not modify permissions for individual users.

To view the permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and the permissions for the selected object.

  1. Open the repository in the Oracle BI Administration Tool in Online mode.
  2. In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.
  3. Right-click the subject area or sub-folder, and select Properties to display the properties dialog.
  4. Click Permissions.
  5. In Permissions <subject area name> properties, select the Show all users/application roles check box if it is not already selected.
  6. In the Permissions <subject area name> dialog, update User/Application Role permissions to match your security policy.

    For example, to enable users to create dashboards and reports, you might change the repository permissions for an application role from Read to Read/Write.

Managing Application Roles in the Metadata Repository - Advanced Security Configuration Topic

Application role definitions are maintained in the policy store and any changes must be made using the administrative interface.

The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays application role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever the BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual application role. You cannot create an actual application role in the Administration Tool. You can create an application role only in the policy store, using the administrative interface available for managing the policy store.

An application role must be defined in the policy store for each application role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Administration Tool interface. Always create a corresponding application role in the policy store before bringing the repository back online when using role placeholders in offline repository development.

Managing Presentation Services Privileges Using Application Roles

The catalog for your service instance includes a security policy for Presentation Services privileges. These privileges confer permissions for accessing specific Presentation Services functionality, such as access to Answers and access to dashboards, as well as permissions on catalog objects such as folders and analyses.

When you create a service instance or import a BI application archive file into a service instance, the security policy for the catalog, Presentation Services Privileges, is imported from the BI application archive file. The service administrator can modify the catalog security policy.

You use application roles to manage privileges.

When groups are assigned to application roles, the group members are automatically granted associated privileges in Presentation Services. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of application roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

About Presentation Services Privileges

Presentation Services privileges are managed in the Presentation Services Administration Manage Privileges page, and they grant or deny access to Presentation Services features, such as the creation of analyses and dashboards. Presentation Services privileges have no effect in other Oracle Business Intelligence components.

Being a member of an application role that has been assigned Presentation Services privileges will grant those privileges to the user. The Presentation Services privileges assigned to application roles can be modified by adding or removing privilege grants using the Manage Privileges page in Presentation Services Administration.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

Setting Presentation Services Privileges for Application Roles

If you create an application role, you must set appropriate Presentation Services privileges to enable users with the application role to perform various functional tasks.

For example, you might want users with an application role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named Create Invoke Action.

Presentation Services privileges cannot be assigned using the administrative interfaces used to manage the policy store. If you create a new application role to grant Oracle Business Intelligence permissions, then you must set Presentation Services privileges for the new role in addition to any Oracle Business Intelligence permissions.

Note:

You can assign Presentation Services privileges to a new application role programmatically; see SecurityService Service in Integrator's Guide for Oracle Business Intelligence Enterprise Edition.

If you log in as a user without Administrator privileges, the Administration option is not displayed.

Explicitly denying a Presentation Services permission takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

Existing Catalog groups are migrated during the upgrade process. Moving an existing Oracle BI Presentation Catalog security configuration to the role-based Oracle Fusion Middleware security model requires that each Catalog group be replaced with a corresponding application role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding application role that grants the same Oracle BI Presentation Catalog privileges. You can then delete the original Catalog group from Presentation Services.
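The precedence rule stated here and in About Presentation Services Privileges (a privilege reaches a user explicitly or through the application role hierarchy, and an explicit Denied anywhere in that chain wins) is modelled below. This is an added example, not Oracle's code; the role names are the Sample Application defaults, BISalesAdministrator is the hypothetical role from the text, and the privilege assignments are constructed sample data.

```python
from typing import Dict, Iterable, Set

GRANTED, DENIED = "Granted", "Denied"

# Application role hierarchy: role -> roles it inherits. Constructed to mirror
# the BIServiceAdministrator > BIContentAuthor > BIConsumer chain; the
# BISalesAdministrator entry is a hypothetical custom role.
ROLE_PARENTS: Dict[str, Set[str]] = {
    "BIServiceAdministrator": {"BIContentAuthor"},
    "BIContentAuthor": {"BIConsumer"},
    "BIConsumer": set(),
    "BISalesAdministrator": {"BIConsumer"},
}

# What the Manage Privileges page would show: privilege -> {account: decision}.
# Accounts may be application roles or individual users (constructed data).
PRIVILEGES: Dict[str, Dict[str, str]] = {
    "Access to Scorecard": {"BIConsumer": GRANTED},
    "Create Invoke Action": {"BISalesAdministrator": GRANTED},
    "Access to Dashboards": {"BIConsumer": GRANTED,
                             "BISalesAdministrator": DENIED},
}


def effective_roles(direct_roles: Iterable[str]) -> Set[str]:
    """All application roles a user holds, including inherited ones."""
    seen: Set[str] = set()
    stack = list(direct_roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def has_privilege(user: str, direct_roles: Iterable[str], privilege: str) -> bool:
    """True only if some account in the user's chain is Granted and none is Denied."""
    decisions = PRIVILEGES.get(privilege, {})
    accounts = {user} | effective_roles(direct_roles)
    applicable = {decisions[a] for a in accounts if a in decisions}
    if DENIED in applicable:          # explicit deny overrides any grant
        return False
    return GRANTED in applicable
```

The third sample privilege shows the case the text warns about: a BISalesAdministrator member inherits the BIConsumer grant on Access to Dashboards, but the explicit Denied on the role still blocks it.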

  1. Log in to Oracle BI Presentation Services as a user with Administrator privileges.
  2. From the Home page in Presentation Services, select Administration.
  3. In the Security area, click Manage Privileges.
  4. Click an application role next to the privilege that you want to administer.

    For example, to administer the privilege named Access to Scorecard for the application role named BIConsumer, you would click the BIConsumer link next to Access to Scorecard.

    Use the Privilege <privilege_name> dialog to add application roles to the list of permissions, and grant and revoke permissions from application roles. For example, to grant the selected privilege to an application role, you must add the application role to the Permissions list.

  5. Add an application role to the Permissions list, as follows:
    1. Click Add Users/Roles.
    2. Select Application Roles from the list and click Search.
    3. Select the application role from the results list.
    4. Use the shuttle controls to move the application role to the Selected Members list.
    5. Click OK.
  6. Set the permission for the application role by selecting Granted or Denied in the Permission list.
  7. Save your changes.

Encrypting Credentials in BI Presentation Services - Advanced Security Configuration Topic

The BI Server and Presentation Services client support industry-standard security for login and password encryption.

When an end user enters a user name and password in a web browser, the BI Server uses the Hypertext Transport Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit) to prevent unauthorized users from accessing data or Oracle Business Intelligence metadata.

At the database level, Oracle Business Intelligence administrative users can implement database security and authentication. Proprietary key-based encryption provides security to prevent unauthorized users from accessing the metadata repository.

Managing Data Source Access Permissions Using BI Publisher

You manage the data source access permissions stored in BI Publisher, using the BI Publisher Administration pages.

Data source access permissions control application role access to data sources. A user must be assigned to an application role which is granted specific data source access permissions that enable the user to perform the following tasks:

  • Create a data model against the data source.
  • Edit a data model against a data source.
  • View a report created with a data model built from the data source.

See Granting Data Access in Administrator's Guide for Oracle Business Intelligence Publisher.

Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store

Use this procedure to enable high availability in a clustered environment when using the default WebLogic LDAP identity store.

Configure the virtualize attribute to enable high availability of the default embedded Oracle WebLogic Server LDAP identity store in a clustered environment. When you set the virtualize attribute value to true, Oracle BI EE processes look to their local managed server where the processes can authenticate and perform lookups against a local copy of the embedded default Oracle WebLogic Server LDAP identity store.

Use lowercase for the property name virtualize. Use uppercase for the property name OPTIMIZE_SEARCH.

  1. Log in to Fusion Middleware Control.
  2. From the navigation pane expand the WebLogic Domain folder and select bi.
  3. Right-click bi and select Security, then Security Provider Configuration to display the Security Provider Configuration page.
  4. Expand the Security Store Provider and Identity Store Provider areas, and click Configure to display the Identity Store Configuration page.
  5. In the Custom Properties area, use the Add option to add the following custom properties:
    • Property Name=virtualize Value=true

    • Property Name=OPTIMIZE_SEARCH Value=true

  6. Click OK to save the changes.
  7. Restart the Administration server, any Managed servers, and Oracle BI EE components.

Using runcat to Manage Security Tasks in the Oracle BI Presentation Catalog

You can invoke the command line utility on supported platforms for Oracle Business Intelligence such as Windows, Linux, IBM-AIX, Sun Solaris, and HP-UX.

Enter a command such as the following one on Linux for assistance in using the command line utility:

./runcat.sh -help

Use the following syntax to convert a permission for a catalog group into a permission for an application role.

runcat.cmd/runcat.sh -cmd replaceAccountInPermissions -old <catalog_group_name> -oldType group -new <application_role_name> -newType role -offline <catalog_path>

See Opening an Oracle BI Presentation Catalog in System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

See Renaming an Application Role.
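Replacing every migrated Catalog group with its application role (see Setting Presentation Services Privileges for Application Roles) means running the replaceAccountInPermissions command once per group. The helper below, an added example rather than part of runcat, builds those command lines from a group-to-role mapping using only the flags shown above; the mapping, the runcat path and the catalog path are constructed sample values.

```python
import shlex
import subprocess
from typing import Dict, List


def replace_account_argv(runcat: str, group: str, role: str, catalog_path: str) -> List[str]:
    """argv that converts one Catalog group's permissions into an application role's."""
    for label, value in (("group", group), ("role", role), ("catalog path", catalog_path)):
        # Reject empty or whitespace-padded names: they would silently target nothing.
        if not value or value != value.strip():
            raise ValueError(f"invalid {label}: {value!r}")
    return [runcat, "-cmd", "replaceAccountInPermissions",
            "-old", group, "-oldType", "group",
            "-new", role, "-newType", "role",
            "-offline", catalog_path]


def migration_plan(runcat: str, mapping: Dict[str, str], catalog_path: str) -> List[List[str]]:
    """One command per Catalog group, in a stable order for review."""
    return [replace_account_argv(runcat, group, role, catalog_path)
            for group, role in sorted(mapping.items())]


def run_migration(plan: List[List[str]], dry_run: bool = True) -> List[str]:
    """With dry_run=True return the shell-quoted commands for review; otherwise run them
    one at a time, stopping at the first failure, and return each command's stdout."""
    if dry_run:
        return [shlex.join(argv) for argv in plan]
    outputs = []
    for argv in plan:
        done = subprocess.run(argv, check=True, capture_output=True, text=True)
        outputs.append(done.stdout)
    return outputs


# Constructed sample: two upgraded Catalog groups and the roles replacing them.
SAMPLE_MAPPING = {"Sales Managers": "BISalesAdministrator", "Analysts": "BIContentAuthor"}
SAMPLE_PLAN = migration_plan("./runcat.sh", SAMPLE_MAPPING, "/opt/bi/catalog")
```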

Reporting on Users' Privileges for a Set of Oracle BI Presentation Catalog Items

Use the following syntax to report on all privileges in the Oracle BI Presentation Catalog, and who has those privileges. For example:

runcat.cmd/runcat.sh -cmd report -online http://localhost:8080/analytics/saw.dll -credentials c:/oracle/catmancredentials.properties -outputFile c:/temp/report.txt -delimiter "\t" -folder "/system/privs" -mustHavePrivilege -type "Security ACL" -fields "Path:Accounts" "Must Have Privilege"

For help use the following command:

runcat.sh -cmd report -help