This chapter describes security concepts and options for a standalone implementation of Oracle BI Publisher, that is, one that is not installed as part of Oracle Business Intelligence Enterprise Edition.
Note the following:
If you have installed Oracle BI Enterprise Edition, then see Security Guide for Oracle Business Intelligence Enterprise Edition for information about security.
If you have installed BI Publisher on its own and you plan to use Oracle Fusion Middleware Security, then see Understanding the Security Model.
See Integrating with Other Oracle Security Models to configure BI Publisher with these other Oracle security models:
Oracle BI Server security
Oracle E-Business Suite security
Oracle Database security
Siebel CRM security
Use the information in this chapter to configure the following:
BI Publisher Security
Integration with an LDAP provider
Note:
Any identity store provider that is supported by Oracle WebLogic Server can be configured to be used with BI Publisher. Configuring BI Publisher to use an alternative external identity store is performed using the Oracle WebLogic Server Administration Console. See Customizing the Default Security Configuration.
Integration with a Single Sign-On provider
BI Publisher supports several options for authentication and authorization.
You can choose a single security model to handle both authentication and authorization; or, you can configure BI Publisher to use a Single Sign-On provider or LDAP provider for authentication with another security model to handle authorization.
A user is assigned one or more roles.
A role can grant any or all of the following:
Privileges to use functionality
Permissions to perform actions on catalog objects
Access to data sources
You can create a hierarchy of roles by assigning roles to other roles. In this way the privileges and permissions of multiple roles can roll up to higher level roles. The figure below shows an example of the hierarchy structure of User, Role, and Folder.
There are three options for setting up users and roles.
Set up users and roles in the BI Publisher Security Center
For this option, follow the instructions in this section.
Configure BI Publisher with your LDAP server
For this option, see Configuring BI Publisher to Use an LDAP Provider for Authentication and Authorization.
Set up users and roles in a supported Oracle security model. For this option, see Integrating with Other Oracle Security Models.
BI Publisher provides a set of functional roles to grant access to specific functionality within the application. Assign these roles to users based on their need to perform the associated tasks. These roles cannot be updated or deleted.
The table below shows the privileges granted to each functional role.
| Role | Privilege |
|---|---|
| BI Publisher Scheduler | View, Export, History, Schedule |
| BI Publisher Template Designer | View, Export, History (public reports only); access to the Layout Editor; log on from the Template Builder |
| BI Publisher Developer | View, Export, Schedule, History, Edit Report; access to the Layout Editor; log on from the Template Builder; access to the Data Model Editor |
| BI Publisher Administrator | The privileges of all other roles; access to the Administration page and all administration tasks |
Roles assigned these privileges cannot perform any actions on objects in the catalog until they are also granted permissions on the catalog objects.
To perform the actions allowed by the functional roles above, a role must also be granted permissions to access the objects in the catalog.
The table below describes permissions for roles.
Each of these permissions can be granted at the folder level to enable the operations on all items within a folder.
| Permission | Description |
|---|---|
| Read | Enables a role to display an object in the catalog. If the object resides within a folder, the role must be granted Read on both the object and its parent folder. |
| Write | Enables a role to create an object or to edit an existing object. |
| Delete | Enables a role to delete an object. |
| Run Report Online | Enables a role to run a report and view it in the report viewer. |
| Schedule Report | Enables a role to schedule a report. |
| View Report Output | Enables a role to access the Report Job History for a report. |
For a report consumer to successfully run a report, the consumer's role must have Read access to every object that the report references.
For example, suppose a report consumer needs to run a report in a folder named Reports. The data model for this report resides in a folder named Data Models; the report references a Sub Template stored in a folder named Sub Templates, and it also references a Style Template stored in a folder named Style Templates. The report consumer's role must be granted Read access to all of these folders and to the appropriate objects within them.
Certain rules determine the behavior of privileges and permissions.
A role assigned a functional privilege cannot perform any actions in the catalog until catalog permissions are also assigned
A role can be assigned a set of permissions on catalog objects without being assigned any functional privileges
If a role is assigned a functional privilege, when catalog permissions are assigned, some permissions are inherited
A role assigned a functional role cannot perform any actions in the catalog until catalog permissions are granted.
Note that the functional roles themselves (BI Publisher Developer, BI Publisher Scheduler, and so on) cannot be directly assigned permissions in the catalog. The functional roles must first be assigned to a custom role and then the custom role is available in the catalog permissions table.
The permissions available directly in the catalog enable running reports, scheduling reports, and viewing report output.
Therefore if your enterprise includes report consumers who have no other reason to access BI Publisher except to run and view reports, then the roles for these users consist of catalog permissions only.
When a role is assigned one of the functional roles, and that role is granted permissions on a particular folder in the catalog, then some permissions are granted automatically based on the functional role.
For example, assume that you create a role called Financial Report Developer. You assign this role the BI Publisher Developer role. For this role to create reports in the Financial Reports folder in the catalog, you grant this role Read, Write, and Delete permissions on the folder. Because the BI Publisher Developer role includes the run report, schedule report, and view report history privileges, these permissions are automatically granted on any folder to which a role assigned the BI Publisher Developer role is granted Read access.
A role must be granted access to a data source to view reports that run against the data source or to build and edit data models that use the data source.
Add access to data sources in the Roles and Permissions page. See Granting Data Access.
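The following script is an added example, not BI Publisher code, that models the rules stated above so that a planned role and catalog layout can be checked before it is configured: Read is required on an object and on every folder above it, a role holding BI Publisher Developer automatically receives run, schedule and view on any folder where it has Read, a role inherits the grants of the roles assigned to it, and running a report also requires access to the report's data source. The folder paths, role names, report and the data source name "SalesDW" are constructed placeholders that follow the Sales example used later on this page.

```python
"""Model of the BI Publisher catalog permission rules (added example)."""
from dataclasses import dataclass, field

READ, WRITE, DELETE = "Read", "Write", "Delete"
RUN, SCHEDULE, VIEW = "Run Report Online", "Schedule Report", "View Report Output"

# Catalog permissions a functional role implies on any folder where the role
# holds Read. Only the Developer case is stated on the page.
IMPLIED_BY_FUNCTIONAL_ROLE = {
    "BI Publisher Developer": {RUN, SCHEDULE, VIEW},
}


@dataclass
class Role:
    name: str
    functional_roles: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)    # folder path -> permissions, applied to items within
    data_sources: set = field(default_factory=set)
    includes: list = field(default_factory=list)  # roles assigned to this role (hierarchy)


@dataclass
class Report:
    path: str
    data_model: str
    data_source: str
    references: list = field(default_factory=list)  # sub templates, style templates


def parent_folders(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def role_closure(role):
    """The role plus every role it includes, transitively."""
    seen, stack = [], [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.append(r)
            stack.extend(r.includes)
    return seen


def effective_permissions(role, path):
    """Permissions held on `path` through explicit grants, the role hierarchy
    and the grants implied by functional roles."""
    perms = set()
    for r in role_closure(role):
        for folder, granted in r.grants.items():
            if path == folder or path.startswith(folder.rstrip("/") + "/"):
                perms |= granted
                if READ in granted:
                    for fr in r.functional_roles:
                        perms |= IMPLIED_BY_FUNCTIONAL_ROLE.get(fr, set())
    return perms


def readable(role, path):
    """Read must be held on the object and on every folder above it."""
    return all(READ in effective_permissions(role, p) for p in parent_folders(path) + [path])


def run_report_problems(role, report):
    """Why `role` cannot run `report` online; an empty list means it can."""
    problems = []
    for obj in [report.path, report.data_model, *report.references]:
        if not readable(role, obj):
            problems.append(f"no Read on {obj} (or on a parent folder)")
    if RUN not in effective_permissions(role, report.path):
        problems.append(f"no '{RUN}' on {report.path}")
    if report.data_source not in {ds for r in role_closure(role) for ds in r.data_sources}:
        problems.append(f"no data access to {report.data_source}")
    return problems


# Constructed catalog and roles (placeholders following the page's Sales example).
PIPELINE = Report(path="/Sales Reports/Pipeline",
                  data_model="/Sales Data Models/Pipeline",
                  data_source="SalesDW",
                  references=["/Sales Reports/Sub Templates/Header"])

SALES_CONSUMER = Role("Sales Report Consumer",
                      grants={"/Sales Reports": {READ, RUN, SCHEDULE, VIEW},
                              "/Sales Data Models": {READ}},
                      data_sources={"SalesDW"})

SALES_DEVELOPER = Role("Sales Report Developer",
                       functional_roles={"BI Publisher Developer"},
                       grants={"/Sales Reports": {READ, WRITE, DELETE},
                               "/Sales Data Models": {READ, WRITE, DELETE}},
                       data_sources={"SalesDW"})

EXECUTIVE = Role("Executive Report Consumer", includes=[SALES_CONSUMER])

# Common misconfiguration: Read on the report folder but not on the data model folder.
REPORT_FOLDER_ONLY = Role("Report Folder Only",
                          grants={"/Sales Reports": {READ, RUN}},
                          data_sources={"SalesDW"})

if __name__ == "__main__":
    for role in (SALES_CONSUMER, SALES_DEVELOPER, EXECUTIVE, REPORT_FOLDER_ONLY):
        print(role.name, "->", run_report_problems(role, PIPELINE) or "can run")
```

The developer role is never granted Run Report Online explicitly, yet the model reports that it can run the report: that is the automatic grant described above, and it is worth remembering when reviewing who can execute reports against a data source. The last role shows the most common failure, a report that is visible but cannot run because its data model folder is not readable.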
This chapter details the procedures to configure users, roles, and data access.
You create roles on the Administration page.
To create a new role in BI Publisher:
To add data sources to a role, see Granting Data Access.
You create users in the Administration page.
For a role to access an object in the catalog, the role must be granted Read permissions on both the object and the folder in which the object resides.
Permissions can be granted at the folder level and applied to all the objects and subfolders it contains, or applied to individual objects.
To grant catalog permissions to a role:
Roles must be granted access to data sources to run or schedule certain reports or to create or edit certain data models.
A role must be granted access to a data source if the role must:
Run or schedule a report built on a data model that retrieves data from the data source
Create or edit a data model that retrieves data from the data source
To grant a role access to a data source:
Because permissions are granted in the catalog, it is very important to be aware of this design when creating roles for your organization and when structuring the catalog.
For example, assume that your organization requires the roles that are described in the table below.
| Role | Required Permissions |
|---|---|
| Sales Report Consumer | Needs to view and schedule Sales department reports. |
| Financial Report Consumer | Needs to view and schedule Financial department reports. |
| Executive Report Consumer | Needs to consume both Sales and Financial reports and executive level reports. |
| Sales Report Developer | Needs to create data models and reports for the Sales department only. |
| Financials Report Developer | Needs to create data models and reports for the Financials department only. |
| Layout Designer | Needs to design report layouts for all reports. |
You might consider setting up the catalog structure as described in the table below.
| Folder | Contents |
|---|---|
| Sales Reports | All reports for Sales Report Consumer. Also contains any Sub Templates and Style Templates associated with Sales reports. |
| Sales Data Models | All data models for Sales reports. |
| Financials Reports | All reports for Financials Report Consumer. Also contains any Sub Templates and Style Templates associated with Financials reports. |
| Financials Data Models | All data models for Financials reports. |
| Executive Reports | All executive-level reports and data models. |
Set up the roles as follows:
Example Role Configuration
Sales Report Consumer:
Grant catalog permissions:
To the Sales Reports folder add the Sales Report Consumer and grant:
Read
Schedule Report
Run Report Online
View Report Output
Select Apply permissions to items within this folder
To the Sales Data Models folder add the Sales Report Consumer and grant:
Read
Grant Data Access:
On the Roles page, locate the role, then click Add Data Sources. Add all data sources used by Sales reports.
Financials Report Consumer
Grant catalog permissions:
To the Financials Reports folder add the Financials Report Consumer and grant:
Read
Schedule Report
Run Report Online
View Report Output
Select Apply permissions to items within this folder
To the Financials Data Models folder add the Financials Report Consumer and grant:
Read
Grant Data Access:
On the Roles page, locate the role, then click Add Data Sources. Add all data sources used by Financials reports.
Executive Report Consumer
Assign Roles:
On the Roles tab, assign the Executive Report Consumer the Sales Report Consumer and the Financials Report Consumer roles.
Grant catalog permissions:
To the Executive Reports folder add the Executive Report Consumer and grant:
Read
Schedule Report
Run Report Online
View Report Output
Select Apply permissions to items within this folder
Grant Data Access:
On the Roles tab, locate the role, then click Add Data Sources. Add all data sources used by Executive reports.
Sales Report Developer
Assign Roles:
On the Roles tab, assign the Sales Report Developer the BI Publisher Developer Role and the BI Publisher Template Designer Role.
Grant Data Access:
On the Roles tab, locate the Sales Report Developer and click Add Data Sources. Add all data sources from which Sales data models are built.
Grant Catalog Permissions:
In the catalog, to the Sales Data Models folder add the Sales Report Developer and grant:
Read, Write, Delete
To the Sales Reports folder, add the Sales Report Developer and grant:
Read, Write, Delete
Financials Report Developer
Assign Roles:
On the Roles tab, assign the Financials Report Developer the BI Publisher Developer Role, and the BI Publisher Template Designer Role.
Grant Data Access:
On the Roles tab, locate the Financials Report Developer and click Add Data Sources. Add all data sources from which Financials data models are built.
Grant Catalog Permissions:
In the catalog, to the Financials Data Models folder add the Financials Report Developer and grant:
Read, Write, Delete
To the Financials Reports folder, add the Financials Report Developer and grant:
Read, Write, Delete
Layout Designer
Assign Roles:
On the Roles tab, assign the Layout Designer the BI Publisher Template Designer Role and the BI Publisher Developer Role.
Grant Catalog Permissions:
In the catalog, to the Financials Data Models and the Sales Data Models folders add the Layout Designer Role and grant:
Read
To the Financials Reports and Sales Reports folders, add the Layout Designer and grant:
Read, Write, Delete
You can use BI Publisher with an LDAP provider for authentication only or for both authentication and authorization.
Note:
By default, BI Publisher allows every LDAP user to log in to the system even when no BI Publisher-specific roles are assigned to the user. Users cannot perform any functions that require roles, such as creating reports or data models; however if a user is assigned a role that is assigned permissions on catalog objects (such as traverse and open) the user can perform those tasks.
To prevent users from logging in to BI Publisher unless they have a BI Publisher role assigned, see Disabling Users Without BI Publisher-Specific Roles from Logging In.
Configure BI Publisher to use an LDAP provider for authentication in conjunction with another security model for authorization.
BI Publisher can be integrated with the LDAP provider to manage users and report access.
Create the users and roles within the LDAP server, then configure the BI Publisher server to access the LDAP server.
In the BI Publisher security center module, assign folders to those roles. When users log in to the server, they have access to those folders and reports assigned to the LDAP roles.
Integrating the BI Publisher server with Oracle LDAP consists of three main tasks:
For information on supported LDAP servers, see System Requirements and Certification for the most up-to-date information on supported hardware and software.
This procedure must be performed in the LDAP provider. See the documentation for the provider for details on how to perform these tasks.
To set up users and roles:
To configure the BI Publisher server to recognize the LDAP server, update the Security properties in the BI Publisher Administration page.
Note:
Ensure that you understand your site's LDAP server configuration before entering values for the BI Publisher settings.
To configure the BI Publisher Server for the LDAP Server:
The figure below shows a sample of the LDAP security model entry fields from the Security Configuration page.
If you are configuring BI Publisher to use LDAP over SSL, then you must also import the LDAP server's certificate into the Java keystore that the JVM trusts. See Configuring BI Publisher for Secure Socket Layer (SSL) Communication.
To disable users without BI Publisher-specific roles from logging in to the BI Publisher server, set a configuration property in the xmlp-server-config.xml file.
The xmlp-server-config.xml file is located at:
$DOMAIN_HOME/bidata/components/bipublisher/repository/Admin/Configuration/xmlp-server-config.xml
In the xmlp-server-config.xml file, add the following property and setting:
<property name="REQUIRE_XMLP_ROLE_FOR_LOGIN" value="true"/>
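The script below is an added example, not part of Oracle's tooling, that audits and sets this property so the change can be verified on the file rather than assumed. It relies only on the structure shown above (property elements with name and value attributes under the root element); the root element name and the other property in the constructed sample are placeholders, and a namespaced root is tolerated.

```python
"""Audit and set REQUIRE_XMLP_ROLE_FOR_LOGIN in xmlp-server-config.xml (added example)."""
import xml.etree.ElementTree as ET

PROPERTY = "REQUIRE_XMLP_ROLE_FOR_LOGIN"


def _local(tag):
    """Strip an XML namespace prefix such as {uri}property."""
    return tag.rsplit("}", 1)[-1]


def _property_elements(root):
    return [el for el in root.iter() if _local(el.tag) == "property"]


def properties(xml_text):
    """name -> value for every <property> element in the file."""
    return {el.get("name"): el.get("value") for el in _property_elements(ET.fromstring(xml_text))}


def require_role_enforced(xml_text):
    """True only when the property is present and its value is "true".
    Absent, or any other value, means every LDAP user may still log in."""
    value = properties(xml_text).get(PROPERTY)
    return value is not None and value.strip().lower() == "true"


def enforce_role_requirement(xml_text):
    """Return the configuration with the property set to true, updating an
    existing element rather than adding a duplicate."""
    root = ET.fromstring(xml_text)
    for el in _property_elements(root):
        if el.get("name") == PROPERTY:
            el.set("value", "true")
            break
    else:
        el = ET.SubElement(root, "property")
        el.set("name", PROPERTY)
        el.set("value", "true")
    return ET.tostring(root, encoding="unicode")


# Constructed sample; the root element name and EXAMPLE_SETTING are placeholders.
SAMPLE_CONFIG = """<xmlpConfig>
  <property name="EXAMPLE_SETTING" value="1"/>
</xmlpConfig>
"""

if __name__ == "__main__":
    print("enforced before:", require_role_enforced(SAMPLE_CONFIG))
    fixed = enforce_role_requirement(SAMPLE_CONFIG)
    print(fixed)
    print("enforced after:", require_role_enforced(fixed))
```

Run the audit function against the live file after a restart as well as before: the default (property absent) is the permissive state, so a failed deployment of this change is silent unless it is checked.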
Microsoft Active Directory supports the LDAP interface and therefore can be configured with BI Publisher using LDAP Security.
Configure support for Active Directory by adding users and system groups.
To configure the active directory:
Add users who must access BI Publisher.
Add the users under "Users" or any other organization unit in the Domain Root.
Add the BI Publisher system groups. The Scope of the groups must be Domain Local.
The table below describes the BI Publisher system groups that must be added.
| BI Publisher System Group | Description |
|---|---|
| XMLP_ADMIN | The administrator role for the BI Publisher server. You must add the administrator account that is used to access your LDAP server to the XMLP_ADMIN group. |
| XMLP_DEVELOPER | Allows users to create and edit reports and data models. |
| XMLP_SCHEDULER | Allows users to schedule reports. |
| XMLP_TEMPLATE_DESIGNER | Allows users to connect to the BI Publisher server from the Template Builder for Word and to upload and download templates. Allows users to design layouts using the BI Publisher Layout Editor. |
Grant BI Publisher system groups to global groups or users.
You can grant BI Publisher system groups directly to users or through global groups.
Example 1: Grant Users the BI Publisher Administrator Role
Example 2: Grant Users Access to Scheduling Reports
The "HR Manager" global group is defined under "Users".
All users in this group need to schedule reports.
To achieve this, add HR Manager as a Member of the XMLP_SCHEDULER group.
You configure BI Publisher on the Administration page.
To configure BI Publisher:
If you are configuring BI Publisher to use LDAP over SSL, then you must also import the LDAP server's certificate into the Java keystore that the JVM trusts. For more information, see Configuring BI Publisher for Secure Socket Layer (SSL) Communication.
The User login name defined in Active Directory Users and Computers >User Properties >Account is used for the BI Publisher login name.
Add the Domain to the user name to log in to BI Publisher. For example: "scott_tiger@domainname.com".
Note the following:
The Attribute used for Login Username can be sAMAccountName instead of userPrincipalName.
You must use sAMAccountName as the Attribute used for Login Username when the "User logon name (pre-Windows 2000)" is to be used as the BI Publisher login user name.
User names must be unique across all organization units.
Integrating a single sign-on (SSO) solution enables a user to log on (sign-on) and be authenticated once.
Thereafter, the authenticated user is given access to system components or resources according to the permissions and privileges granted to that user. BI Publisher can be configured to trust incoming HTTP requests authenticated by a SSO solution that is configured for use with Oracle Fusion Middleware and Oracle WebLogic Server. For information about configuring SSO for Oracle Fusion Middleware, see Securing Applications with Oracle Platform Security Services.
When BI Publisher is configured to use SSO authentication, it accepts authenticated users from whatever SSO solution Oracle Fusion Middleware is configured to use. If SSO is not enabled, then BI Publisher challenges each user for authentication credentials. When BI Publisher is configured to use SSO, a user is first redirected to the SSO solution's login page for authentication.
Configuring BI Publisher to work with SSO authentication requires minimally that the following be done:
Oracle Fusion Middleware and Oracle WebLogic Server are configured to accept SSO authentication. Oracle Access Manager is recommended in production environments.
BI Publisher is configured to trust incoming messages.
The HTTP header information required for identity propagation with SSO configurations (namely, user identity and SSO cookie) is specified and configured.
After SSO authentication has been implemented, BI Publisher operates as if the incoming web request is from a user authenticated by the SSO solution. User personalization and access controls such as data-level security are maintained in this environment.
Refer to the table below for SSO authentication configuration tasks and links providing more information.
| Task | Description | For More Information |
|---|---|---|
| Configure Oracle Access Manager as the SSO authentication provider. | Configure Oracle Access Manager to protect the BI Publisher URL entry points. | Configuring SSO in an Oracle Access Manager Environment; see Securing Applications with Oracle Platform Security Services |
| Configure the HTTP proxy. | Configure the web proxy to forward requests from BI Publisher to the SSO provider. | |
| Configure a new authenticator for Oracle WebLogic Server. | Configure the Oracle WebLogic Server domain in which BI Publisher is installed to use the new identity store. | Configuring a New Authenticator for Oracle WebLogic Server; see Oracle WebLogic Server Administration Console Online Help |
| Configure a new identity asserter for Oracle WebLogic Server. | Configure the Oracle WebLogic Server domain in which BI Publisher is installed to use the SSO provider as an asserter. | |
| Enable BI Publisher to accept SSO authentication. | Enable the SSO provider configured to work with BI Publisher. | Configuring BI Publisher for Oracle Fusion Middleware Security |
Note:
For an example of an Oracle Business Intelligence SSO installation scenario, see Enterprise Deployment Guide for Oracle Business Intelligence.
Configure Oracle Access Manager as the SSO authentication provider for Oracle Fusion Middleware with WebLogic Server.
See Securing Applications with Oracle Platform Security Services .
After the Oracle Fusion Middleware environment is configured, in general the following must be done to configure BI Publisher:
Configure the SSO provider to protect the BI Publisher URL entry points.
Configure the web server to forward requests from BI Publisher to the SSO provider.
Configure the new identity store as the main authentication source for the Oracle WebLogic Server domain in which BI Publisher has been installed. For more information, see Configuring a New Authenticator for Oracle WebLogic Server.
Configure the Oracle WebLogic Server domain in which BI Publisher is installed to use an Oracle Access Manager identity asserter. For more information, see Configuring OAM as a New Identity Asserter for Oracle WebLogic Server.
After configuration of the SSO environment is complete, enable SSO authentication for BI Publisher. For more information, see Configuring BI Publisher for Oracle Fusion Middleware Security.
After installing BI Publisher, the Oracle WebLogic Server embedded LDAP server is the default authentication source (identity store). To use a new identity store (for example, OID), as the main authentication source, you must configure the Oracle WebLogic Server domain (where BI Publisher is installed).
For more information about configuring authentication providers in Oracle WebLogic Server, see Administering Security for Oracle WebLogic Server.
To configure a new authenticator in Oracle WebLogic Server:
Log in to Oracle WebLogic Server Administration Console and click Lock & Edit in the Change Center.
Select Security Realms from the left pane and click myrealm.
The default Security Realm is named myrealm.
Display the Providers tab, then display the Authentication sub-tab.
Click New to launch the Create a New Authentication Provider page.
Complete the fields as follows:
Name: OID Provider, or a name of your choosing.
Type: OracleInternetDirectoryAuthenticator
Click OK to save the changes and display the authentication providers list updated with the new authentication provider.
Click the newly added authenticator in the authentication providers table.
Navigate to Settings, then select the Configuration > Common tab:
Select SUFFICIENT from the Control Flag list.
Click Save.
Display the Provider Specific tab and specify the following settings using appropriate values for your environment:
| Section Name | Field Name | Description |
|---|---|---|
| Connection | Host | The LDAP host name. For example, <localhost>. |
| Connection | Port | The LDAP host listening port number. For example, 6050. |
| Connection | Principal | The distinguished name (DN) of the user that connects to the LDAP server. For example, cn=orcladmin. |
| Connection | Credential | The password for the LDAP administrative user entered as the Principal. |
| Users | User Base DN | The base distinguished name (DN) of the LDAP server tree that contains users. For example, use the same value as in Oracle Access Manager. |
| Users | All Users Filter | The LDAP search filter. For example, (&(uid=*) (objectclass=person)). The asterisk (*) filters for all users. Click More Info... for details. |
| Users | User From Name Filter | The LDAP search filter. Click More Info... for details. |
| Users | User Name Attribute | The attribute that you want to use to authenticate (for example, cn, uid, or mail). Set as the default attribute for user name in the directory server. For example, uid. Note: The value that you specify here must match the attribute that the User From Name Filter searches on. |
| Groups | Group Base DN | The base distinguished name (DN) of the LDAP server tree that contains groups (same as User Base DN). |
| General | GUID attribute | The attribute used to define object GUIDs in LDAP. For example, orclguid. |
Click Save.
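The following check is an added example, not WebLogic code, for validating the Provider Specific values above before they are saved. It encodes the WebLogic convention that User From Name Filter carries the %u placeholder for the login name, checks that the filter searches on the same attribute as User Name Attribute (the mismatch the table warns about), and flags an empty Principal or Credential, which would make the connection an anonymous bind. The host name, base DNs and password in the constructed sample are placeholders.

```python
"""Consistency checks for WebLogic LDAP authenticator settings (added example)."""
import re

PLACEHOLDER = "%u"  # WebLogic substitutes the login name for %u in User From Name Filter


def balanced_parentheses(filt):
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def filter_attributes(filt):
    """Attribute names used in equality matches, e.g. {'uid', 'objectclass'}."""
    return {m.lower() for m in re.findall(r"\(([A-Za-z][\w.;-]*)\s*=", filt)}


def check_authenticator(settings):
    """Return findings for a dict of Provider Specific values; [] means consistent."""
    findings = []
    name_attr = settings.get("UserNameAttribute", "").strip().lower()
    from_name = settings.get("UserFromNameFilter", "")
    all_users = settings.get("AllUsersFilter", "")

    if not name_attr:
        findings.append("User Name Attribute is empty")
    for label, filt in (("User From Name Filter", from_name), ("All Users Filter", all_users)):
        if not filt:
            findings.append(f"{label} is empty")
        elif not balanced_parentheses(filt):
            findings.append(f"{label} has unbalanced parentheses: {filt!r}")
    if PLACEHOLDER not in from_name:
        findings.append(f"User From Name Filter does not contain {PLACEHOLDER}")
    if name_attr and name_attr not in filter_attributes(from_name):
        findings.append(f"User From Name Filter does not match on User Name Attribute {name_attr!r}")
    if not settings.get("Principal", "").strip():
        findings.append("Principal is empty (connection would bind anonymously)")
    if not settings.get("Credential"):
        findings.append("Credential is empty")
    if not str(settings.get("Port", "")).isdigit():
        findings.append("Port is not a number")
    return findings


# Constructed settings; host, DNs and credential are placeholders.
GOOD = {
    "Host": "ldap.example.com", "Port": "6050",
    "Principal": "cn=orcladmin", "Credential": "placeholder-password",
    "UserBaseDN": "cn=Users,dc=example,dc=com",
    "AllUsersFilter": "(&(uid=*)(objectclass=person))",
    "UserFromNameFilter": "(&(uid=%u)(objectclass=person))",
    "UserNameAttribute": "uid",
    "GroupBaseDN": "cn=Groups,dc=example,dc=com",
    "GUIDAttribute": "orclguid",
}

if __name__ == "__main__":
    print("good:", check_authenticator(GOOD) or "no findings")
    print("mismatch:", check_authenticator(dict(GOOD, UserNameAttribute="mail")))
```

The attribute mismatch is the one to watch: with User Name Attribute set to mail but a filter that searches on uid, lookups still "work" in the sense that the server answers, but the wrong entry, or no entry, is matched for a given login name.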
Perform the following steps to set up the default authenticator for use with the Identity Asserter:
At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, and then select DefaultAuthenticator to display its configuration page.
Display the Configuration > Common tab and select SUFFICIENT from the Control Flag list.
Click Save.
Perform the following steps to reorder Providers:
In the Providers tab, click Reorder to display the Reorder Authentication Providers page.
Select a provider name and use the arrow buttons to order the list of providers as follows:
OID Authenticator (SUFFICIENT)
OAM Identity Asserter (REQUIRED)
Default Authenticator (SUFFICIENT)
Click OK to save your changes.
In the Change Center, click Activate Changes.
Restart Oracle WebLogic Server.
The Oracle WebLogic Server domain in which BI Publisher is installed must be configured to use an Oracle Access Manager asserter.
For more information about creating a new asserter in Oracle WebLogic Server, see Oracle WebLogic Server Administration Console Online Help.
To configure Oracle Access Manager as the new asserter for Oracle WebLogic Server:
Log in to Oracle WebLogic Server Administration Console.
In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm. Select Providers.
Click New. Complete the fields as follows:
Name: OAM Provider, or a name of your choosing.
Type: OAMIdentityAsserter.
Click OK.
Click Save.
In the Providers tab, perform the following steps to reorder Providers:
Click Reorder
In the Reorder Authentication Providers page, select a provider name, and use the arrows beside the list to order the providers as follows:
OID Authenticator (SUFFICIENT)
OAM Identity Asserter (REQUIRED)
Default Authenticator (SUFFICIENT)
Click OK to save your changes.
In the Change Center, click Activate Changes.
Restart Oracle WebLogic Server.
You can verify that Oracle Internet Directory is the new identity store (default authenticator) by logging back into Oracle WebLogic Server and verifying the users and groups stored in the LDAP server appear in the console.
Use Fusion Middleware Control to enable SSO authentication.
Set up Oracle Single Sign-On in the Identity Store Configuration page.
To set up Oracle Single Sign-On, first configure WebLogic Server using the instructions in Administering Security for Oracle WebLogic Server. BI Publisher must be configured to use Oracle Internet Directory as the default LDAP server.
Note:
When using Oracle SSO, BI Publisher assumes that the login user name can be derived from Osso-User-Dn, which is an HTTP header value. For example, if the Osso-User-Dn HTTP header looks like this:
cn=admin,cn=users, dc=us,dc=oracle,dc=com
then BI Publisher takes the value of the first cn= component as the login user name (that is, "admin" in this case).
Therefore, if your Osso-User-Dn does not contain the login user name as the first cn value, then select "Other SSO Type" to configure the settings (even if you use Oracle SSO).
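The following function is an added example, not BI Publisher code, that derives the login name from an Osso-User-Dn value the way the note describes: it splits the DN into its components (honouring backslash-escaped commas, so a cn such as "Smith\, John" is not cut in half), uses the value only when the first component is cn=, and otherwise returns nothing, which is the situation where the note says to select "Other SSO Type". The header values are constructed.

```python
"""Derive a login name from the Osso-User-Dn header (added example)."""
import re


def split_rdns(dn):
    """Split a DN into its RDN strings, treating a backslash-escaped comma as data."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def login_name_from_osso_dn(header_value):
    """Return the login name, or None when the first RDN is not cn=<name>."""
    if header_value is None or not header_value.strip():
        return None
    rdns = split_rdns(header_value)
    if not rdns:
        return None
    attr, sep, value = rdns[0].partition("=")
    if sep != "=" or attr.strip().lower() != "cn":
        return None
    return unescape(value.strip()) or None


def sso_mode(header_value):
    """Which configuration the note calls for, given a sample of the header."""
    return "Oracle SSO" if login_name_from_osso_dn(header_value) else "Other SSO Type"


if __name__ == "__main__":
    # Constructed header values.
    for sample in ("cn=admin,cn=users, dc=us,dc=oracle,dc=com",
                   "CN=Smith\\, John,cn=users,dc=example,dc=com",
                   "uid=admin,cn=users,dc=example,dc=com"):
        print(sample, "->", login_name_from_osso_dn(sample), "/", sso_mode(sample))
```

Because the login identity is taken from this header, BI Publisher must only receive it from the SSO-protected web tier; a client that can reach the application directly and supply its own Osso-User-Dn would choose its own identity. The function above only parses the value, it does not establish that trust, which is what the "configured to trust incoming messages" step earlier in this section is about.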