1 Overview of Security Integration for Oracle BI Applications

This topic describes key concepts related to security in Oracle Business Intelligence Applications (Oracle BI Applications).

Security administrators can read this topic to understand Oracle BI Applications security and its preconfigured implementation.

Terminology Used In Security

As you familiarize yourself with security concepts across different parts of the BI stack, note that the terminology used in the software and documentation differs.

  • Enterprise Roles are also referred to as Groups, or Job Roles. For example:

    - the term Enterprise Role is used in this guide, and in Oracle Fusion Applications.

    - the term Group is used in Oracle WebLogic Server Administration Console and Oracle BI Administration Tool.

    This guide uses the term Enterprise Role unless referring to tools that use the term Group or Job Role.

  • Duty Roles are also referred to as Application Roles. For example:

    - the term Duty Role is used in this guide and in Oracle Fusion Applications.

    - the term Application Role is used in Oracle Enterprise Manager Fusion Middleware Control and Oracle WebLogic Server Administration Console.

    This guide uses the term Duty Role unless referring to tools that use the term Application Role.

  • Lightweight Directory Access Protocol (LDAP) refers to the Authentication Provider. For example, Oracle WebLogic Server, Oracle Internet Directory (OID), or a proprietary LDAP server and tools.

What Security Components Are Installed By Default?

After installing Oracle BI Applications on the Oracle Analytics platform, you get the following ready-to-use security components.

  • Oracle WebLogic Server LDAP, containing a set of default Enterprise Roles.

    This LDAP also contains system Users that are required for BI components.

  • Oracle BI Applications

For illustrative purposes, it is assumed that you are using the default Oracle WebLogic Server LDAP and Policy Store to deploy Oracle BI Applications. For example, you might use the default security components for testing, and then migrate the Users and Enterprise Roles to a different LDAP (for example, Oracle Internet Directory) for production. If you deploy a different LDAP, such as Oracle Internet Directory, then you can migrate Users and Enterprise Roles from Oracle WebLogic Server LDAP to that LDAP.

High-Level Steps for Setting Up Security in Oracle BI Applications

Here are the high-level steps for setting up security in Oracle BI Applications.

The content in this guide supplements Managing Security for Oracle Analytics Server, and contains additional security information that is specific to Oracle BI Applications running on Oracle Analytics Server. In addition to the content in this guide, Oracle Business Intelligence Applications Functional Configuration Reference contains the security-related help topics that are included in the product UI.

  1. Familiarize yourself with the overview of security concepts, tools, and terminology, in particular, Duty Roles and how they control user privileges.
  2. During Oracle BI Applications installation, the provisioning process creates a set of default Enterprise Roles in the Oracle WebLogic Server LDAP that is embedded by default, and a set of default Duty Roles in the Policy Store.
  3. Create a user account in LDAP for each Oracle BI Applications Configuration Manager (Configuration Manager), FSM, and ODI User, and assign an appropriate Duty Role to each User.
    • A User for administration in FSM must be assigned to an Enterprise Role associated with the Duty Role 'BIA_ADMINISTRATOR_DUTY'.

    • A User for Load Plan administration in Configuration Manager must be assigned to an Enterprise Role associated with the Duty Role 'BIA_LOAD_PLAN_DEVELOPER_DUTY'.

    • A User for Implementation Plan administration in FSM must be assigned to an Enterprise Role associated with the Duty Role 'BIA_IMPLEMENTATION_MANAGER_DUTY'.

  4. Create a user account in LDAP for every BI dashboard and report user (BI Users).
  5. Assign each BI User to the appropriate Enterprise Roles.
    To provision BI Users for the Offerings that you are deploying, use FSM tasks to set up security for your Offerings and Functional Areas. See Setting Up Security with Functional Setup Manager.
    For each Offering and Functional Area, the FSM Tasks for security typically specify:
    • Init Blocks that you need to enable.

    • Duty Roles that BI Users require.

    • Additional setup steps to perform (where required).

See How to Define New Groups and Mappings for Users and BI Roles in Oracle Business Intelligence Applications Functional Configuration Reference.

What Tools Configure Security in Oracle BI Applications?

Use these tools to manage security settings in Oracle BI Applications.

  • Oracle BI Applications Functional Setup Manager (FSM)

    Use FSM informational tasks to set up security for Oracle BI Applications offerings and modules. See Setting Up Security with Functional Setup Manager.

  • Oracle BI Administration Tool

    Use Oracle BI Administration Tool to perform tasks such as setting permissions for business models, tables, columns, and subject areas; specifying filters to limit data accessibility; and setting authentication options. See Work with Logical Tables, Joins, and Columns in Managing Metadata Repositories for Oracle Analytics Server.

  • Oracle BI Presentation Services Administration

    Use Oracle BI Presentation Services Administration to perform tasks such as setting permissions to Presentation Catalog objects, including dashboards and dashboard pages. See Managing Security for Oracle Analytics Server.

  • Oracle Enterprise Manager Fusion Middleware Control

    Use Oracle Enterprise Manager Fusion Middleware Control to manage the policy store, Duty Roles, and permissions for determining functional access. See Securing Resources Using Roles and Policies for Oracle WebLogic Server.

  • Oracle WebLogic Server Administration Console

    Use the Administration Console to manage Users and Enterprise Roles/Groups in the Oracle WebLogic Server LDAP. You can also use the Administration Console to manage security realms, and to configure alternative authentication providers. See Managing Security for Oracle Analytics Server.

Duty Roles for Access to Functional Setup Manager or Configuration Manager

Duty Roles define a set of permissions that is typically granted to an Enterprise Role.

To access Configuration Manager or FSM (for Oracle BI Applications), a User must be assigned to an Enterprise Role that is associated with one of the following Duty Roles:

  • BI Applications Administrator Duty (BIA_ADMINISTRATOR_DUTY)

    Users with the BI Applications Administrator Duty Role have access to all Oracle BI Applications Configuration Manager User Interfaces and all FSM User Interfaces.

  • BI Applications Implementation Manager (BIA_IMPLEMENTATION_MANAGER_DUTY)

    Users with the BI Applications Implementation Manager Duty Role have access to Oracle BI Applications Configuration Manager Overview page and the Export and Import of Setup Data. In FSM, these users have access to Configure Offerings and Manage Implementation Projects User Interfaces but cannot execute a setup task.

  • BI Applications Functional Developer (BIA_FUNCTIONAL_DEVELOPER_DUTY)

    Users with the BI Applications Functional Developer Duty Role have access to Oracle BI Applications Configuration Manager User Interfaces, except for the System Setup screens. In FSM, these users have access to the list of functional setup tasks assigned to them and have the ability to execute the setup tasks.

  • BI Applications Load Plan Developer (BIA_LOAD_PLAN_DEVELOPER_DUTY)

    Users with the BI Applications Load Plan Developer Duty Role have access to the Load Plans page, where they can create, edit, delete, generate, execute and monitor load plans. Users with this role can view and edit fact groups, data load parameters, domains mappings, and schedules associated with a load plan.

  • BI Applications Load Plan Operator (BIA_LOAD_PLAN_OPERATORY_DUTY)

    Users with the BI Applications Load Plan Operator Duty Role have limited access to the Load Plans page, where they can view the generation status and execution status details of load plans but are not able to modify them.

To grant users access to Oracle BI Applications components, see User Access to Configuration Manager, FSM, and Oracle Data Integrator in Oracle Business Intelligence Applications Installation Guide.

Configuration Manager Permissions Reference

The screens you can view in Configuration Manager depend on the duty roles to which you are assigned.

This table shows the list of Configuration Manager screens visible to each of the Oracle BI Applications roles.

| Oracle BI Applications Duty Role | Configuration Manager screen | Associated Privilege |
|---|---|---|
| BI Applications Administrator | Overview | BIA_OVERVIEW_PRIV |
| BI Applications Administrator | System Setups - Define Oracle BI Applications Instance | BIA_DEFINE_INSTANCE_PRIV |
| BI Applications Administrator | System Setups - Manage Oracle BI Applications | BIA_MANAGE_INSTANCE_PRIV |
| BI Applications Administrator | System Setups - Manage Preferred Currencies | BIA_MANAGE_INSTANCE_PRIV |
| BI Applications Administrator | Functional Configurations - 'Perform Functional Configurations' link to launch FSM | BIA_FUNCTIONAL_SETUPS_PRIV |
| BI Applications Administrator | Setup Data Maintenance and Administration - Manage Domains and Mappings | BIA_CONFIGURE_DOMAINS_PRIV |
| BI Applications Administrator | Setup Data Maintenance and Administration - Manage Data Load Parameters | BIA_CONFIGURE_DATALOAD_PARAMS_PRIV |
| BI Applications Administrator | Setup Data Maintenance and Administration - Manage Reporting Parameters | BIA_CONFIGURE_RPD_PARAMS_PRIV |
| BI Applications Administrator | Setup Data Export and Import - Export Setup Data | BIA_EXPORT_SETUPS_PRIV |
| BI Applications Administrator | Setup Data Export and Import - Import Setup Data | BIA_IMPORT_SETUPS_PRIV |
| BI Applications Functional Developer | Overview | BIA_OVERVIEW_PRIV |
| BI Applications Functional Developer | Functional Configurations - 'Perform Functional Configurations' link to launch FSM | BIA_FUNCTIONAL_SETUPS_PRIV |
| BI Applications Functional Developer | Setup Data Maintenance and Administration - Manage Domains and Mappings | BIA_CONFIGURE_DOMAINS_PRIV |
| BI Applications Functional Developer | Setup Data Maintenance and Administration - Manage Data Load Parameters | BIA_CONFIGURE_DATALOAD_PARAMS_PRIV |
| BI Applications Functional Developer | Setup Data Maintenance and Administration - Manage Reporting Parameters | BIA_CONFIGURE_RPD_PARAMS_PRIV |
| BI Applications Functional Developer | Setup Data Export and Import - Export Setup Data | BIA_EXPORT_SETUPS_PRIV |
| BI Applications Functional Developer | Setup Data Export and Import - Import Setup Data | BIA_IMPORT_SETUPS_PRIV |
| BI Applications Implementation Manager | Overview | BIA_OVERVIEW_PRIV |
| BI Applications Implementation Manager | Setup Data Export and Import - Export Setup Data | BIA_EXPORT_SETUPS_PRIV |
| BI Applications Implementation Manager | Setup Data Export and Import - Import Setup Data | BIA_IMPORT_SETUPS_PRIV |

Functional Setup Manager Permissions Reference

FSM roles are associated with Oracle BI Applications roles.

  • The BI Applications Administrator role (BIA_ADMINISTRATOR_DUTY) is associated with the following FSM roles:

    • ASM_FUNCTIONAL_SETUPS_DUTY

    • ASM_IMPLEMENTATION_MANAGER_DUTY

    • ASM_APPLICATION_DEPLOYER_DUTY

    • ASM_APPLICATION_REGISTRATION_DUTY

    • ASM_LOGICAL_ENTITY_MODELING_DUTY

    • ASM_SETUP_OBJECTS_PROVIDER_DUTY

  • The BI Applications Implementation Manager role (BIA_IMPLEMENTATION_MANAGER_DUTY) is associated with the following Functional Setup Manager duty:

    • ASM_IMPLEMENTATION_MANAGER_DUTY

  • The BI Applications Functional Developer role (BIA_FUNCTIONAL_DEVELOPER_DUTY) is associated with the following Functional Setup Manager duty:

    • ASM_FUNCTIONAL_SETUPS_DUTY

About Managing Presentation Services Catalog Privileges in Oracle Analytics

When you add a new catalog privilege to a Duty Role in Oracle BI Presentation Services, the change is not immediately reflected in the Oracle Analytics environment.

To register the catalog privilege, both the administrator and the user must perform the following tasks:

  • The Oracle BI administrator must reload the Oracle BI Server metadata through Oracle BI Presentation Services. To reload the metadata in Oracle BI Answers, click My Profile and select Administration, and then click Reload Files and Metadata.

    To manage Presentation Services catalog privileges, see Managing Security for Oracle Analytics Server.

  • Users belonging to that Duty Role must log out from the Oracle BI Applications (or from Siebel or Oracle EBS operational application if the user is looking at Oracle BI dashboards using an embedded application) and then log in again.

What Security Levels Do Oracle BI Applications Use?

Security in Oracle BI Applications can be classified broadly into three levels.

  • Object-level security. Object-level security controls the visibility to business logical objects based on a user's role. You can set up object-level security for metadata repository objects, such as business models and subject areas, and for Web objects, such as dashboards and dashboard pages, which are defined in the Presentation Catalog.

  • Data-level security. Data-level security controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system.

  • User-level security (authentication of users). User-level security refers to authentication and confirmation of the identity of a user based on the credentials provided.

About Object-Level Security

Duty Roles control access to metadata objects, such as subject areas, tables and columns. For example, users in a particular department can view only the subject areas that belong to their department.

Metadata Object-Level Security in the Oracle BI Repository

Metadata object security is configured in the Oracle BI Repository, using the Oracle BI Administration Tool. The Everyone Duty Role is denied access to each of the subject areas. Each subject area is configured to give explicit read access to selected related responsibilities. This access can be extended to tables and columns. By default in Oracle BI Applications, only permissions at the subject area level have been configured.

Note:

The Siebel Communications and Financial Analytics industry applications have tables and columns that are industry-specific, and, therefore, hidden from other Duty Roles.

Oracle Analytics supports hierarchies within Duty Roles. In the policy store, there are certain Duty Roles that are parent Duty Roles, which define the behavior of all the child Duty Roles. Inheritance is used to enable permissions to ripple through to child Duty Roles.

Metadata Object-Level Security in Presentation Services

Access to Oracle BI Presentation Services objects, such as dashboards, pages, reports, and Web folders, is controlled using Duty Roles. To manage object-level security in Presentation Services, see Managing Security for Oracle Analytics Server.

About Data-Level Security

Data-level security defines what a user in an OLTP application can access inside a report. The same report, when run by two different users, can bring up different data. This is similar to how the My Opportunities view in an operational application displays different data for different users. However, the structure of the report is the same for all users, unless a user does not have access to the report subject area, in which case the report displays an error.

During installation and configuration, you must make sure the correct Duty Roles and initialization blocks are set up for your environment.

Initialization Blocks Used for Data-Level Security in Oracle BI Applications

Initialization blocks are deployed as part of your configuration using guidance provided in FSM tasks. See Setting Up Security with Functional Setup Manager.

To use FSM tasks, see Roadmap for Functional Configuration in Oracle Business Intelligence Applications Configuration Guide.

To use initialization blocks in Oracle Analytics, see Work with Initialization Blocks.

About Data-Level Security Design in Oracle BI Applications

Oracle BI Applications maintains data-level security Duty Roles that are assigned dynamically to every user at the session level. Each Duty Role has a set of filters associated with it that determines the data that each user is allowed to see. A user is assigned a Duty Role through the Authorization initialization block.

The data security design has the following features:

  • Drill down. The user can drill down on a particular position in the position hierarchy to slice the data by the next position level in the hierarchy. For example, if the initial report is defined as:

    select Top Level Position, Revenue from RevenueStar

    then by drilling down on a value of MyPosition in the TopLevelPosition hierarchy, the report will become:

    Select Level8 Position, Revenue, where TopLevelPosition = 'MyPosition'
  • Personalized reports. Users at different levels of the Position hierarchy can use the same Position-based reports but with each user seeing the data corresponding to his or her level. In such reports, Position is a dynamic column.

    For example, if a report is defined as:

    select Position, Revenue from RevenueStar

    the logical query for the user at the top level of the hierarchy will be:

    select Top Level Position, Revenue from RevenueStar

    The logical query for the user at the next level of the hierarchy will be:

    select Level8 Position, Revenue from RevenueStar
  • CURRENT Position hierarchy columns. Position hierarchy columns with the prefix CURRENT contain the Current Position hierarchy at any point of time. This feature allows users to see the same data associated with the employee holding the Current Employee position at the time the report runs. This type of Analysis is called As Is.

  • Additional Position hierarchy columns. The columns EMP_LOGIN and EMPLOYEE_FULL_NAME are used at every level of the Position hierarchy to store additional information about an employee holding a particular position. In the Logical layer, the Employee path and Position path are two drill down paths under the Position hierarchy that allow the user to drill down on a position to see all positions under it. It also allows an employee to see all the employees reporting to him or her.

Implement Data-Level Security in the Oracle BI Repository

Data-level security in Oracle BI Applications is implemented in three major steps.

  1. Set up initialization blocks that obtain specific security-related information when a user logs in, for example, the user's hierarchy level in the organization hierarchy, or the user's responsibilities.

    Initialization blocks obtain Dimension Ids for each user session in order to restrict row-level access to factual or dimensional data. See About Data-Level Security for a description of the preconfigured initialization blocks.

  2. Set up the joins to the appropriate security tables in the metadata physical and logical layers.
  3. Set up the data filters for each Duty Role on each logical table that needs to be secured.

    See Apply Data Access Security to Repository Objects in Managing Metadata Repositories for Oracle Analytics Server.
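
The three steps above, modelled outside Oracle BI as an added example (not Oracle's code or repository syntax): it shows one Position-based report returning different rows per user, with the dynamic Position column chosen from the session. SQLite stands in for the warehouse, and every table, column, login and Duty Role name below is constructed for illustration.

```python
import sqlite3

# Constructed sample data. SQLite stands in for the warehouse; table, column,
# login and role names are illustrative, not Oracle BI Applications objects.
SCHEMA = """
CREATE TABLE position_dh (position_id INTEGER PRIMARY KEY,
                          top_level_position TEXT, level8_position TEXT);
CREATE TABLE revenue_f (position_id INTEGER, revenue INTEGER);
CREATE TABLE user_security (login TEXT PRIMARY KEY, position TEXT,
                            hier_col TEXT, duty_role TEXT);
INSERT INTO position_dh VALUES (10, 'VP Sales', 'Dir East'),
                               (11, 'VP Sales', 'Dir East'),
                               (12, 'VP Sales', 'Dir West');
INSERT INTO revenue_f VALUES (10, 100), (11, 250), (12, 400);
INSERT INTO user_security VALUES
  ('avp',   'VP Sales', 'top_level_position', 'POSITION_SECURED_DUTY'),
  ('deast', 'Dir East', 'level8_position',    'POSITION_SECURED_DUTY'),
  ('guest', 'Dir West', 'level8_position',    NULL);
"""

# Column names cannot be bound as parameters, so the dynamic Position column
# is only ever taken from this allowlist.
HIERARCHY_COLUMNS = {"top_level_position", "level8_position"}

# Step 3: one row filter per Duty Role (hypothetical role name).
DUTY_ROLE_FILTERS = {"POSITION_SECURED_DUTY": "d.{hier_col} = :position"}


def open_warehouse():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def init_block(conn, login):
    """Step 1: at login, load the session variables used by the filters."""
    row = conn.execute(
        "SELECT position, hier_col, duty_role FROM user_security "
        "WHERE login = ?", (login,)).fetchone()
    if row is None:
        return None
    return {"position": row[0], "hier_col": row[1], "duty_role": row[2]}


def run_report(conn, login):
    """'select Position, Revenue' as one user sees it."""
    session = init_block(conn, login)
    if session is None or session["hier_col"] not in HIERARCHY_COLUMNS:
        return []                      # unknown user or unexpected column
    row_filter = DUTY_ROLE_FILTERS.get(session["duty_role"])
    if row_filter is None:
        return []                      # model's choice: no Duty Role, no rows
    col = session["hier_col"]
    sql = (f"SELECT d.{col}, SUM(f.revenue) FROM revenue_f f "
           # Step 2: join the fact table to the security dimension.
           "JOIN position_dh d ON d.position_id = f.position_id "
           f"WHERE {row_filter.format(hier_col=col)} GROUP BY d.{col}")
    return conn.execute(sql, {"position": session["position"]}).fetchall()


if __name__ == "__main__":
    wh = open_warehouse()
    for user in ("avp", "deast", "guest"):
        print(user, run_report(wh, user))
```

When reviewing a real deployment, the equivalent check is to run the same report as users at different hierarchy levels and as a user with no data-security Duty Role, and confirm the row sets differ as intended.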

About User-Level Security

User security concerns the authentication and confirmation of the identity of the user based on the credentials provided, such as user name and password. By default, user-level security is set up in the embedded Oracle WebLogic Server LDAP and Policy Store in Oracle Analytics Server.

See Managing Security for Oracle Analytics Server.

Related Documentation for Oracle BI Applications Security

Oracle offers additional documentation to help you configure security for Oracle BI Applications.

When configuring security in Oracle BI Applications, in some circumstances you might need to refer to security in other areas:

  • Oracle Fusion Applications security; see the Fusion Applications Security documentation.

  • Oracle Analytics Server security implementation; see Oracle Analytics Server documentation:

    • Managing Security for Oracle Analytics Server

    • Managing Metadata Repositories for Oracle Analytics Server