15.5 End-to-End Security Scenarios

This section describes end-to-end security scenarios that involve both authentication and authorization.

The following table describes JPS-based security scenarios.

Table 15-6 JPS-Based Security Scenarios

Security Scenario Description

JPS-OID Authorization with Single-Sign-On Authentication for Reports Servlet

  

This scenario involves the following:

  • Single Sign-On for authentication

  • JPS-OID for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Enable Single Sign-On. See Enabling and Disabling Single Sign-On.

  2. Enable JPS-based security by editing reports server config file.

  3. Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On.

  4. Add the following property in the jps-config-jse.xml file:

    <property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>

  5. Configure JPS Oracle Internet Directory as a policy store. Alternatively you can use the database as policy store which is the default policy store. See Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security.

  6. Create security policies. Refer to Section 6.3.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory.

  7. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

JPS-OID Authorization with JPS-OID as ID Store for Other Reports Clients

  

This scenario involves the following:

  • JPS-OID for authentication

  • JPS-OID for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Enable JPS-based security by editing reports server config file.

  2. Add the following property in the jps-config-jse.xml file:

    <property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>

  3. Configure JPS-OID as an ID store. See Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security.

  4. Configure JPS-OID as a policy store. Alternatively you can use the database as policy store which is the default policy store. See Configuring an External Oracle Internet Directory as Policy Store When Using JPS-Based Security.

  5. Create security policies. Refer to Section 6.3.2, "Defining Security Policies for Reports" to use Oracle Enterprise Manager to update the report security policies defined in Oracle Internet Directory.

  6. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

JAZN-XML Authorization with Single Sign-On Authentication for Reports Servlet

  

This scenario involves the following:

  • Single Sign-On for authentication

  • JAZN-XML for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Enable Single Sign-On. See Enabling and Disabling Single Sign-On.

  2. Enable JPS-based security. by editing reports server config file.

  3. Ensure that all users that are present in the Oracle Internet Directory used by Single Sign-On are in the ID store used by JPS. Alternatively, configure JPS to point to the ID store used by Single Sign-On.

  4. Add the following property in the jps-config-jse.xml file:

    <property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>

  5. Create security policies. Refer to Section 6.3.2, "Defining Security Policies for Reports".

  6. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

  7. If the system-jazn-data.xml file is used as the policy store, search for the "reports" application in the system-jazn-data.xml file. Database is used as default policy store. It is not recommended to change this to file based policy store (system-jazn-data.xml). To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the system-jazn-data.xml file. See Section 15.4.2, "Additional Step When Using JPS for Authorization".

JAZN-XML Authorization with JPS-OID Authentication for Other Reports Clients

  

This scenario involves the following:

  • JPS-OID for authentication

  • JAZN-XML for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Enable JPS-based security by editing reports server config file.

  2. Add the following property in the jps-config-jse.xml file:

    <property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>

  3. Configure JPS-OID as an ID store. See Configuring External Oracle Internet Directory as ID Store When Using JPS-Based Security.

  4. Create security policies. Refer to Section 6.3.2, "Defining Security Policies for Reports" to update the report security policies defined in Oracle Internet Directory.

  5. Map users to application roles. For more information about mapping users to application roles, see Mapping Users to Application Roles.

  6. If the system-jazn-data.xml file is used as the policy store, search for the "reports" application in the system-jazn-data.xml file. Database is used as default policy store. It is not recommended to change this to file based policy store (system-jazn-data.xml). To use JPS to authorize users in Oracle Internet Directory, add the corresponding users in the member section of the system-jazn-data.xml. See Section 15.4.2, "Additional Step When Using JPS for Authorization".

The following table describes Portal-based security scenarios.

Table 15-7 Portal-Based Security Scenarios

Security Scenario Description

Portal-Based Authorization with Single-Sign-On Authentication for Reports Servlet

  

This scenario involves the following:

  • Single Sign-On for authentication

  • Portal-based authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Enable Single Sign-On. See Enabling and Disabling Single Sign-On.

  2. Enable Portal based security by editing reports server config file. If you have enabled JPS-based security, switch to Portal-based security.

  3. Create security policies in Oracle Portal. For more information about creating security policies in Oracle Portal, see the Securing Oracle Portal chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal.

  4. Map users to application roles. For more information about mapping users to application roles, see Section 16.1, "Creating Reports Users and Named Groups"

Portal-Based Authorization with Oracle Internet Directory as ID Store for Other Reports Clients

  

This scenario involves the following:

  • Oracle Internet Directory for authentication

  • Portal-based for authorization (policies)

To use this combination of authentication and authorization, complete the following steps:

  1. Configure Oracle Internet Directory as an ID store. See Configuring External Oracle Internet Directory as ID Store.

  2. Enable Portal based security by editing reports server config file. If you have enabled JPS-based security, switch to Portal-based security.

  3. Create security policies in Oracle Portal. For more information about creating security policies in Oracle Portal, see the Securing Oracle Portal chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal.

  4. Map users to application roles. For more information about mapping users to application roles, see Section 16.1, "Creating Reports Users and Named Groups"