2 Managing Security Using the Default Security Configuration

This chapter explains how to deploy Oracle Business Intelligence using the default embedded WebLogic LDAP Server.

Note:

For a detailed list of security setup steps, see Section 1.8, "Detailed List of Steps for Setting Up Security In Oracle Business Intelligence".

By deploying the default embedded WebLogic LDAP Server, you can use the installed Users, Groups, and Application Roles that are installed and preconfigured out-of-the-box, as well as developing your own Users, Groups, and Application Roles. For more information about the installed Users, Groups, and Application Roles, see Section 2.2, "Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box".

This chapter contains the following sections:

2.1 Common Tasks for Managing Security Using the Default Security Configuration

Table 2-1 lists common authentication configuration tasks and provides links for obtaining more information.

Table 2-1 Task Map: Configuring Authentication for Oracle Business Intelligence

Task Description For Information

Add Users and Groups in Oracle WebLogic Server embedded directory server.

Add Users and Groups to the identity store, and map the Users to the appropriate Groups.

Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server"

Section 2.4.4, "How to create a Group in the Embedded WebLogic LDAP Server"

Section 2.4.5, "How to add a User to a Group in the Embedded WebLogic LDAP Server"

Create Application Roles.

Create a new Application Role and define its permission grants in the corresponding Application Policy.

Section 2.5.2, "Creating Application Roles Using Fusion Middleware Control"

Modify the permissions for an Application Role.

Modify the permissions granted by an Application Role.

Section 2.5.4, "Modifying Application Roles Using Oracle Fusion Middleware Control"

Map each Group to an Application Role.

Map each Group to an appropriate Application Role to grant its permissions to group members.

Section 2.5.4, "Modifying Application Roles Using Oracle Fusion Middleware Control"

Modify permissions for a Repository Subject Area or Folder.

Modify permissions for a Repository Subject Area or Folder.

Section 2.6, "Managing Metadata Repository Privileges"

Modify Presentation Services catalog permission grants.

Modify the Presentation Catalog privilege grants for an Application Role.

Section 2.7, "Managing Oracle BI Presentation Catalog Privileges Using Application Roles"

2.2 Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box

When you install Oracle Business Intelligence, you get a number of preconfigured Users, Groups, and Application Roles that you can use to deploy Oracle Business Intelligence. For example, you get a User that is assigned to a BIAdministrators Group (with a name that is user-specified at installation time, for example Weblogic), a Group named 'BIAdministrators', and an Application Role named 'BIAdministrator'. The installed Users, Groups, and Application Roles are preconfigured to work together. For example, the installed BIConsumers Group is assigned to the BIConsumer Application Role. For a detailed description of the default security configuration, refer to Appendix B, "Understanding the Default Security Configuration".

Caution:

Oracle recommends that you do not modify the default Users, Groups, or Application Roles that are installed out-of-the-box, unless explicitly advised to do so by Oracle Support. Oracle recommends that you only modify copies that you have made of the installed Groups and Application Roles.

The installed Application Roles are preconfigured with appropriate permissions and privileges to enable them to work with the installed Oracle BI Presentation Catalog, BI Repository (RPD), and Policy Store. For example, the Application Role named BIAuthors is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.

The figure below shows the Users, Groups, and Application Roles that are installed and preconfigured.

Figure 2-1 Installed Application Roles, Groups, and Users

This screenshot is described in surrounding text.

The following Groups are available:

  • BIConsumers (preconfigured with the BIConsumer Application Role).

  • BIAuthors (preconfigured with the BIAuthors Application Role).

  • BIAdministrators (preconfigured with the BIAdministrators Application Role).

The User that is specified at installation time (for example, Weblogic), is automatically assigned to the WebLogic Administrators Group and the Group named 'BIAdministrators'. This User has permissions to log in to the Oracle Business Intelligence tools to create and administer other Users.

Note: Groups are organized hierarchically, and inherit privileges from parent Groups. In other words, the BIAdministrator Group automatically inherits privileges from the Groups BIAuthors and BIConsumer. Oracle recommends that you do not change this hierarchy.

You can use the installed Groups and Application Roles to deploy security, and if required you can develop your own Groups and Application Roles to meet your business needs. For example:

  • If you want to enable an employee called Fred to create dashboards and reports, you might create a new User called 'Fred' and assign 'Fred' to the default BIAuthors Group.

  • If you want to enable user Fred to perform BIAuthors and BIAdministrator type duties, you might create a new Application Role called 'BIManager', which has both BIAuthors privileges and BIAdministrators privileges

  • If you want user Fred to be a Sales dashboard author, you might create an Application Role called 'Sales Dashboard Author' that has permissions to see Sales subject areas in the repository and edit Sales dashboards.

For detailed information about the installed Users, Groups, and Application Roles, see Appendix B, "Understanding the Default Security Configuration".

2.3 An Example Security Setup Using the Installed Groups and Application Roles

This example uses a small set of Users, Groups, and Application Roles to illustrate how you set up a security policy using the default Groups and Application Roles that are installed and pre-configured out-of-the-box. In this example, you want to implement the following:

  • Three users named User1, User2, and User3, who need to view business intelligence reports.

  • Two users named User4 and User5, who need to create business intelligence reports.

  • Two users named User6 and User7, who administer Oracle Business Intelligence.

The figure below shows the Users, Groups, and Application Roles that you would deploy to implement this security model.

Figure 2-2 Example Groups, Application Roles, and Users

This diagram is described in surrounding text.

The example above shows the following:

  • The Group named 'BIConsumers' contains User1, User2, and User3. Users in the Group 'BIConsumers' are assigned the Application Role named 'BIConsumer', which enables the users to view reports.

  • The Group named 'BIAuthors' contains User4 and User5. Users in the Group 'BIAuthors' are assigned the Application Role named 'BIAuthors', which enables the users to create reports.

  • The Group named 'BIAdministrators' contains User6 and User7. Users in the Group 'BIAdministrators' are assigned the Application Role named 'BIAdministrator', which enables the users to manage responsibilities.

To implement this example security model, you would do the following:

  1. Create seven users named User1 to User 7, as described in Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server".

  2. Assign the users to the installed and preconfigured Groups, as follows:

    • Assign User1, User2, and User3 to the preconfigured Group named BIConsumers.

    • Assign User4 and User5 to the preconfigured Group named BIAuthors.

    • Assign User6 and User7 to the preconfigured Group named BIAdministrators.

    For more information, see in Section 2.4.5, "How to add a User to a Group in the Embedded WebLogic LDAP Server".

2.4 Creating Users and Groups in the Embedded WebLogic LDAP Server

This section explains how to create and manage Users and Groups in the Embedded WebLogic LDAP Server, and contains the following topics:

2.4.1 Overview to Setting Up Users, Groups, and Application Roles

This section summarizes what you must do to set up Users, Groups, and Application Roles.

The simplest way to set up security is to create Users and assign them to the default Groups (that is, BIConsumers, BIAuthors, or BIAdministrators). For example, you might create a user called Fred and assign Fred to the default Group named BIAuthors. The Group BIAuthors is pre-configured with the privileges it requires to access the other BI components, such as the metadata repository (RPD) and Presentation Catalog. For detailed steps, see Section 2.4.1.1, "How to map a User to a Default Group".

If the default Groups (that is, BIConsumers, BIAuthors, or BIAdministrators) do not meet your business requirements, you can extend the default security model by creating your own Groups and Application Roles. For example, you might want to create a user called Jim and assign Jim to a new Group called BIMarketingGroup that is mapped to a new Application Role named BIMarketingRole. For detailed steps, see Section 2.4.1.2, "How to create Your Own Groups and Application Roles".

2.4.1.1 How to map a User to a Default Group

To create a new User and assign that User to one of the installed Groups, do the following:

  1. Launch WebLogic Administration Console as described in Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. Create a new User as described in Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server".

  3. Assign the new User to one of the installed Groups (that is, BIConsumers, BIAuthors, or BIAdministrators) as described in Section 2.4.5, "How to add a User to a Group in the Embedded WebLogic LDAP Server".

2.4.1.2 How to create Your Own Groups and Application Roles

If you want to create a new User and assign that User to a new Group that you have created, do the following:

  1. Launch WebLogic Administration Console as described in Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. Create a new User as described in Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server".

  3. Create a new Group as described in Section 2.4.4, "How to create a Group in the Embedded WebLogic LDAP Server".

  4. Create a new Application Role and assign it to the new Group as described in Section 2.5.2.2, "How to Create an Application Role".

    If you simply want to map a Group to an Application Role, follow the steps in Section 2.5.2.3, "How to map a Group to an Application Role".

  5. Edit the repository (RPD file) and set up the privileges for the new Application Role as described in Section 2.6.2, "How to Set Repository Privileges for an Application Role".

  6. Edit the Presentation Catalog and set up the privileges for the new User and Group as described in Section 2.7.3, "How to Set Catalog Privileges for an Application Role".

2.4.2 How to Launch Oracle WebLogic Server Administration Console

Oracle WebLogic Server is automatically installed and serves as the default administration server. The Administration Console is browser-based and is used to manage the embedded directory server that is configured as the default authenticator. It is launched by entering its URL into a web browser. The default URL takes the following form: http://hostname:port_number/console. The port number is the number of the administration server. By default, the port number is 7001. For more information about using the Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

To launch the Oracle WebLogic Server Administration Console:

  1. Log in to Oracle WebLogic Serverr by entering its URL into a Web browser.

    For example, http://hostname:7001/console.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_login.gif

  2. Log in using the Oracle Business Intelligencer administrative user and password and click Login.

    The user name and password combination is the one you supplied during the installation of Oracle Business Intelligence. If these values have been changed, then use the current administrative user name and password combination.

    The Administration Console displays.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_adminconsole.gif

2.4.3 How to create a User in the Embedded WebLogic LDAP Server

You typically create a separate User for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, three report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 Users, which you would then assign to appropriate Groups (for example, you might use the preconfigured Groups named BIConsumers, BIAuthors, and BIAdministrators).

Tip:

For an example security model showing a set of Users, Groups, and Application Roles, see Section 2.3, "An Example Security Setup Using the Installed Groups and Application Roles".

Repeat this task for each User that you want to deploy

To create a user in the default directory server:

  1. Launch Oracle WebLogic Server Administration Console.

    For more information, see Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Users. Click New.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_usertab.gif

  4. In the Create a New User page provide the following information:

    • Name: Enter the name of the user. See online help for a list of invalid characters.

    • (Optional) Description: Enter a description.

    • Provider: Select the authentication provider from the list that corresponds to the identity store where the user information is contained. DefaultAuthenticator is the name for the default authentication provider.

    • Password: Enter a password for the user that is at least 8 characters long.

    • Confirm Password: Re-enter the user password.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration wls_newuser.gif

  5. Click OK.

    The user name is added to the User table.

2.4.4 How to create a Group in the Embedded WebLogic LDAP Server

You typically create a separate Group for each functional type of business user in your Oracle Business Intelligence environment. For example, a typical deployment might require three Groups: BIConsumers, BIAuthors, and BIAdministrators. In this case, you could either use the preconfigured Groups named BIConsumers, BIAuthors, and BIAdministrators that are installed with Oracle Business Intelligence, or you might create your own custom Groups.

Tip:

For an example security model showing a set of Users, Groups, and Application Roles, see Section 2.3, "An Example Security Setup Using the Installed Groups and Application Roles".

Repeat this task for each Group that you want to deploy

To create a group in the default directory server:

  1. Launch Oracle WebLogic Server Administration Console.

    For more information, see Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Groups. Click New

  4. In the Create a New Group page provide the following information:

    • Name: Enter the name of the Group. Group names are case insensitive but must be unique. See online help for a list of invalid characters.

    • (Optional) Description: Enter a description.

    • Provider: Select the authentication provider from the list that corresponds to the identity store where the group information is contained. DefaultAuthenticator is the name for the default authentication provider.

  5. Click OK

    The group name is added to the Group table.

2.4.5 How to add a User to a Group in the Embedded WebLogic LDAP Server

You typically add each User to an appropriate Group. For example, a typical deployment might require User IDs created for report consumers to be assigned to a Group named BIConsumers. In this case, you could either assign the Users to the default Group named BIConsumers, or you could assign the Users to your own custom Group that you have created.

Tip:

For an example security model showing a set of Users, Groups, and Application Roles, see Section 2.3, "An Example Security Setup Using the Installed Groups and Application Roles".

Repeat this task to assign each User to an appropriate Group.

To add a user to a group in the default directory server:

  1. Launch Oracle WebLogic Server Administration Console.

    For more information, see Section 2.4.2, "How to Launch Oracle WebLogic Server Administration Console".

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  3. Select Users and Groups tab, then Users.

  4. In the Users table select the user you want to add to a group.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_usertogroup.gif

  5. Select the Groups tab.

  6. Select a group or groups from the Available list box.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_group.gif

  7. Click Save.

2.4.6 (Optional) How to change a User password in the Embedded WebLogic LDAP Server

Perform this optional task if you want to change the default password for a User.

To change a user password in the default directory server:

  1. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

  2. Select Users and Groups tab, then Users

  3. In the Users table select the user you want to change the password for. The user's Settings page displays.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration wls_settings.gif

  4. Select the Passwords tab and enter the password in the New Password and Confirm Password fields.

  5. Click Save.

2.5 Managing Application Roles and Application Policies Using Fusion Middleware Control

In Oracle Business Intelligence, you use Fusion Middleware Control to mange Application Roles and Application Policies that provide permissions for Users and Groups. For detailed information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

Tip:

If you are using the default Groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed with the default embedded WebLogic LDAP Server, then these Groups are mapped to an appropriate Application Role (that is, BIConsumer, BIAuthor, or BIAdministrator). No additional steps are required to map the default Groups to Application Roles.

The simplest way to set up security is to map your Groups to the default Application Roles that are installed and pre-configured out-of-the-box, (that is, BIConsumer, BIAuthor, and BIAdministrator). Each default Group is pre-configured to use the appropriate default Application Role. For example, the default Group named BIAuthors is mapped to the default Application Role named BIAuthor. In other words, any Users that you add to the default Group named BIAuthors automatically have the privileges required to create reports and perform related duties.

If you want to create a more complex or fine grained security model, you might create your own Application Roles and Application Policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Presentation Catalog. To achieve this, you might create a new Application Role called BIAuthorMarketing, and provide it with appropriate privileges.

Caution:

If you are deploying the default Policy Store, then Oracle recommends that you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default location is MW_HOME/user_projects/domain/your_domain/config/fmwconfig.

To set up the Application Roles that you want to deploy, do the following:

2.5.1 Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security

This section explains how to start Oracle Fusion Middleware Control and Locate the pages used to manage security components.

2.5.1.1 Overview

Fusion Middleware Control is a Web browser-based, graphical user interface that you can use to monitor and administer a farm. A farm is a collection of components managed by Fusion Middleware Control. It can contain Oracle WebLogic Server domains, one Administration Server, one or more Managed Servers, clusters, and the Oracle Fusion Middleware components that are installed, configured, and running in the domain. During installation an Oracle WebLogic Server domain is created and Oracle Business Intelligence is installed into that domain. If you performed a Simple or Enterprise installation type, this domain is named bifoundation_domain and is located under WebLogic Domain in the Fusion Middleware Control target navigation pane.

Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001.

There are several methods available for accessing the common Fusion Middleware Control security pages used when managing the Oracle Business Intelligence security configuration. Depending upon the access point used in the target navigation pane, the obi application stripe is pre-selected for you. The access points are as follows:

This screenshot or diagram is described in surrounding text.
Description of the illustration em_navtree.gif

  • From coreapplication - You can reach the Application Policies and Application Roles pages using a shortcut menu. The obi application stripe is pre-selected and the Oracle Business Intelligence Application Policies or Application Roles are displayed. You cannot reach all Fusion Middleware Control Security menu options from this shortcut menu.

    For more information, see Section 2.5.1.2, "How to display the Security Menu from coreapplication".

  • From bifoundation_domain - If you select either Application Policies or Application Roles from the Security menu, the obi application stripe must be selected and a search initiated. All Fusion Middleware Control Security menu options are available from this method.

    For more information, see Section 2.5.1.3, "How to display the Security Menu from bifoundation_domain".

For more information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

2.5.1.2 How to display the Security Menu from coreapplication

To display the Security menu in Fusion Middleware Control from coreapplication:

Using one of the following methods provides a shortcut for accessing the Application Policies or Application Roles pages with the obi application stripe pre-selected and the corresponding Oracle Business Intelligence policies or roles displaying.

  1. Log in to Fusion Middleware Control by entering the URL in a Web browser.

    For example, http://hostname:port_number/em.

    The Fusion Middleware Control login page displays. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_login.gif

  2. Enter the Oracle Business Intelligence administrative user name and password and click Login

    The password is the one you supplied during the installation of Oracle Business Intelligence. If these values have been changed, then use the current administrative user name and password combination.

  3. From the target navigation pane, open Business Intelligence and select coreapplication. Display the Security menu by selecting one of the following methods:

    • Right-click coreapplication, then select Security to display a submenu with Application Policies and Application Roles as options.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration coreapp_security_navigation.gif

    • From the content pane, select the Business Intelligence Instance menu, then select Security to display a submenu with Application Policies and Application Roles as options.

  4. Select Application Policies or Application Roles as needed. The obi application stripe is selected and the corresponding Oracle Business Intelligence policies or roles are displayed.

2.5.1.3 How to display the Security Menu from bifoundation_domain

To display the Security menu in Fusion Middleware Control from bifoundation_domain:

Using one of the following methods requires you later select the obi application stripe to search for the Oracle Business Intelligence Application Policies or Application Roles.

  1. Log in to Fusion Middleware Control by entering the URL in a Web browser.

    For example, http://hostname:port_number/em.

    The Fusion Middleware Control login page displays.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_login.gif

  2. Enter the Oracle Business Intelligence administrative user name and password and click Login.

    The password is the one you supplied during the installation of Oracle Business Intelligence. If these values have been changed, then use the current administrative user name and password combination.

  3. From the target navigation pane, open WebLogic Domain and select bifoundation_domain. Display the Security menu by selecting one of the following methods:

2.5.2 Creating Application Roles Using Fusion Middleware Control

This section explains how to create and manage Application Roles using Oracle Fusion Middleware Control, and contains the following topics:

2.5.2.1 Overview to creating and managing Application Roles

In a new Oracle Business Intelligence deployment, you typically create a Application Roles for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment might require three Application Roles: BIConsumer, BIAuthors, and BIAdministrator. In this case, you could either use the preconfigured Application Roles named BIConsumer, BIAuthor, and BIAdministrator that are installed with Oracle Business Intelligence, or you could create your own custom Application Roles. For more information about the installed Application Roles that are available out-of-the-box, see Section 2.2, "Working with the default Users, Groups, and Application Roles Installed Out-Of-The-Box".

Oracle Business Intelligence Application Roles represent a role that a user has. For example, having the Sales Analyst Application Role might grant a user access to view, edit and create reports on a company's sales pipeline. You can create new Application Roles to supplement or replace the default roles configured during installation. Keeping Application Roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new Application Roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then map existing groups of users from the directory server to Application Roles.

Note:

Before creating a new Application Role and adding it to the default Oracle Business Intelligence security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. For more information, see Section B.4.4, "How Permissions Are Granted Using Application Roles".

For more information about creating Application Roles, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Security Guide.

Note: For advanced-level information about using a BI repository in offline mode, see Section 2.6.3.1, "About Managing Application Roles in the Metadata Repository".

2.5.2.2 How to Create an Application Role

There are two methods for creating a new Application Role:

  • Create New - A new Application Role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

  • Copy Existing - A new Application Role is created by copying an existing Application Role. The copy contains the same members as the original, and is made a Grantee of the same Application Policy as is the original. Modifications can be made as needed to the copy to further customize the new Application Role.

Membership in an Application Role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an Application Role are users, groups, and other Application Roles.

Permission grants are controlled in the Application Policies page in Fusion Middleware Control. The permission grant definitions are set in the Application Policy, then the Application Policy is granted to the Application Role. For more information, see Section 2.5.3, "Creating Application Policies Using Fusion Middleware Control".

To create a new Application Role:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name. This screenshot or diagram is described in surrounding text.

    The Oracle Business Intelligence Application Roles display. The following figure shows the default Application Roles. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_defaultroles.gif

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name - Enter the name of the Application Role

    • (Optional) Display Name - Enter the display name for the Application Role.

    • (Optional) Description - Enter a description for the Application Role.

    In the Members section, select the users, groups, or Application Roles to be mapped to the Application Role. Select Add Application Role or Add Group or Add Users accordingly. To search in the dialog box that displays:

    • Enter a name in Name field and click the blue button to search.

    • Select from the results returned in the Available box.

    • Use the shuttle controls to move the desired name to the Selected box.

    • Click OK to return to the Create Application Role page.

    • Repeat the steps until all desired members are added to the Application Role.

  4. Click OK to return to the Application Roles page.

    The Application Role just created displays in the table at the bottom of the page.

To create an Application Role based on an existing one:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence Application Roles display.

  3. Select the Application Role you want to copy from the list to enable the action buttons.

  4. Click Create Like to display the Create Application Role Like page.

    The Members section is completed with the same Application Roles, groups, or users that are mapped to the original role.

  5. Complete the Role Name, Display Name, and Description fields.

    The following figure shows a new Application Role that is based upon the default BIAuthor Application Role and has been named MyNewRole.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newrole01.gif

  6. Modify the members as appropriate and click OK.

    The just created Application Role displays in the table at the bottom of the page. The following figure shows the example MyNewRole that is based upon the default BIAuthor Application Role.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newrole02.gif

2.5.2.3 How to map a Group to an Application Role

You map a Group to an Application Role to provide Users in that Group with appropriate security privileges. For example, a Group for marketing report consumers named BIMarketingGroup might require an Application Role called BIConsumerMarketing, in which case you map the Group named BIMarketingGroup to the Application Role named BIConsumerMarketing.

To map a Group to an Application Role:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name. This screenshot or diagram is described in surrounding text.

    The Oracle Business Intelligence Application Roles display. The following figure shows the default Application Roles. This screenshot or diagram is described in surrounding text.
    Description of the illustration em_defaultroles.gif

  3. Select an Application Role in the list and click Edit to display an edit dialog, and complete the fields as follows:

  4. In the Members section, use the Add Group option to add the Group that you want to map to the Roles list.

    For example, if a Group for marketing report consumers named BIMarketingGroup require an Application Role called BIConsumerMarketing, then add the Group named BIMarketingGroup to Roles list.

  5. Click OK to return to the Application Roles page.

2.5.3 Creating Application Policies Using Fusion Middleware Control

You can create Application Roles based on existing Application Policies that are installed and configured out-of-the-box, or you can create your own Application Policies.

All Oracle Business Intelligencer permissions are provided after installation and you cannot create new permissions. The Application Policy is the mechanism that defines the permissions grants. Permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission grants are defined in an Application Policy. An Application Role, user, or group, is then mapped to an Application Policy. This process makes the Application Role a Grantee of the Application Policy.

There are two methods for creating a new Application Policy:

  • Create New - A new Application Policy is created and permissions are added to it.

  • Copy Existing - A new Application Policy is created by copying an existing Application Policy. The copy is named and existing permissions are removed or permissions are added.

For more information about creating Application Policies, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Security Guide.

To create a new Application Policy:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.

    For information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Oracle Business Intelligence Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_createpolicy.gif

  3. Click Create to display the Create Application Grant page.

  4. To add permissions to the policy being created, click Add in the Permissions area to display the Add Permission dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

      All permissions located in the obi application stripe are displayed.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicypermission.gif

    • Select the desired Oracle Business Intelligencer permission and click OK. Repeat until all desired permissions are selected. Selecting non-Oracle Business Intelligence permissions have no effect in the policy.

    • To remove any items, select it and click Delete.

    You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

  5. To add an Application Role to the policy being created, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    • Complete the Search area and click the blue search button next to the Resource Name field.

    • Select from the Available Roles list and use the shuttle controls to move it to Selected Roles.

    • Click OK.

    You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the table. The following figure shows the new Application Policy just created with MyNewRole Application Role as the Grantee (Principal).

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicy06.gif

To create an Application Policy based on an existing one:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.

    For information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee.

  3. Select an existing policy from the table.

    The following figure shows the BIAuthor Principal selected with the Create Like button activated, which is used as an example in this procedure.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicy01.gif

  4. Click Create Like to display the Create Application Grant Like page. The Permissions table is automatically filled in with permissions granted by the policy selected.

    The following figure shows the Create Application Grant Like dialog after the BIAuthor policy has been selected. Note that the Permissions section is completed with the permission grants for the BIAuthor policy.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_newpolicycopy.gif

  5. To remove any items, select it and click Delete.

  6. To add Application Roles to the policy, click Add Application Role in the Grantee area to display the Add Application Role dialog.

    The following figures use the MyNewRole Application Role as an example.

    • Complete the Search area and click the blue search button next to the Resource Name field. The Application Roles matching the search are displayed.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy03.gif

    • Select from the Available Roles list and use the shuttle controls to move it to Selected Roles. The Create Application Grant Like page displays with the selected Application Role added as Grantee.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy04.gif

    • Click OK. You are returned to the Create Application Grant Like dialog and the Grantee section is completed.

      This screenshot or diagram is described in surrounding text.
      Description of the illustration em_newpolicy05.gif

    • Click OK to return to the Application Policies page.

      The Principal and Permissions of the Application Policy just created are displayed in the table.

This screenshot or diagram is described in surrounding text.
Description of the illustration em_newpolicy06.gif

2.5.4 Modifying Application Roles Using Oracle Fusion Middleware Control

The members of an Application Role can be changed using Oracle Fusion Middleware Control. If an Application Role is the Grantee of an Application Policy, the permissions grants are changed by modifying the permission grants of the corresponding Application Policy.

Caution:

Oracle recommends that you do not change the permission grants and membership for the default Application Roles name BIConsumer, BIAuthor, and BIAdministrator.

For more information about managing Application Policies and Application Roles, see "Managing Policies with Fusion Middleware Control" in Oracle Fusion Middleware Security Guide.

2.5.4.1 Modifying the Permission Grants for an Application Role

Use this procedure if you want to change the permission grants for an Application Role This is done by modifying the permissions grants for the Application Policy the Application Role is a Grantee of.

To add or remove permission grants from an Application Policy:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Policies to display the Application Policies page.

    For more information, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

  2. If necessary, select Select Application Stripe to Search, then select obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee.

  3. Select the Application Role from the Principal column and click Edit.

  4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

2.5.4.2 Modifying Membership of an Application Role

Members can be added or deleted from an Application Role using Fusion Middleware Control. You must perform these tasks while in the WebLogic Domain that Oracle Business Intelligence is installed in. For example, bifoundation_domain. Valid members of an Application Role are users, groups, or other Application Roles. Being mapped to an Application Role is to become a member of an Application Role. Best practice is to map groups instead of individual users to Application Roles.

Note:

Be very careful when changing the permission grants and membership for the default Application Roles. For example, the BISystem Application Role provides the permissions required for system communication and changes to it could result in an unusable system.

To add or remove members from an Application Role:

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information about navigating to the Security menu, see Section 2.5.1, "Starting Oracle Fusion Middleware Control and Locate the Pages for Managing Security".

    Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page

  2. If necessary, select Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name.

    The Oracle Business Intelligence Application Roles are displayed.

  3. Select the cell next to the Application Role name and click Edit to display the Edit Application Role page.

    You can add or delete members from the Edit Application Role page. Valid members are Application Roles, groups, and users.

  4. From Members, select from the following options:

    • To delete a member: Select the Name of the member to activate the Delete button. Click Delete.

    • To add a member: Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User.

  5. If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK.

    For example, the following figure shows the Add Group dialog and after the Report_Dev group has been selected.

    This screenshot or diagram is described in surrounding text.

    The added member displays in the Members column corresponding to the Application Role modified in the Application Roles page. For example, the following figure shows the Edit Application Role page for the MyNewRole Application Role after the Report_Dev group has been added.

    This screenshot or diagram is described in surrounding text.

  6. Click OK in the Edit Application Role page to return to the Application Roles page.

    The members just added to the Application Role display in the Members section. If members were deleted, they no longer display.

    The following figure shows the MyNewRole Application Role with the just added member Report_Dev group displaying.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration em_group2role.gif

For additional information, see "Managing Application Roles" in Oracle Fusion Middleware Security Guide.

2.6 Managing Metadata Repository Privileges

This section explains how to use Oracle BI Administration Tool to configure security in the metatdata repository (that is, the RPD file), and contains the following topics:

2.6.1 Overview

You use Security Manager in Oracle BI Administration Tool to manage permissions for Application Roles, and set access privileges for objects such as subject areas and tables. For an overview to using Oracle BI Administration Tool to configure security, see Section 1.7.3, "About Using Oracle BI Administration Tool".

Note:

Oracle Business Intelligence Applications customers should read this section to understand the basics about security and setting up authentication, and then refer to the security and configuration information provided in the Oracle Business Intelligence Applications documentation.

2.6.2 How to Set Repository Privileges for an Application Role

The default Application Roles (that is, BIConsumer, BIAuthor, and BIAdministrator) are pre-configured with permissions for accessing the metadata repository. If you create a new Application Role, you must set appropriate repository permissions for the new Application Role, to enable that role to access the metadata repository (RPD).

Note: In addition, you might map catalog privileges to a new Application Role in Presentation Catalog (for more information, see Section 2.7.3, "How to Set Catalog Privileges for an Application Role".

To set repository permissions for an Application Role:

  1. Open the repository in the Oracle BI Administration Tool (in Online mode).

  2. In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.

  3. Right-click the subject area or sub-folder and choose Properties to display the properties dialog.

    For example, to provide access to the Paint subject area, right-click Paint.

  4. Click Permissions to display the Permissions <Name> dialog.

    Note: Ensure that the Show all users/application roles check box is selected.

    This screenshot or diagram is described in surrounding text.

  5. Use the Permissions <Name> dialog to change the security permissions for Application Roles in the User/Application Role list.

    For example, to enable Users to create dashboards and reports, you might change the repository permissions for an Application Role named BISalesAnalysis from 'Read' to 'Read/Write'.

    Note: Best practice is to modify permissions for Application Roles, not modify permissions for individual Users.

Tip:

To see all permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of Users and Application Roles and what permissions that have for the selected object.

2.6.3 Advanced Security Configuration Topics

This section contains advanced topics.

2.6.3.1 About Managing Application Roles in the Metadata Repository

Application Role definitions are maintained in the policy store and any changes must be made using the administrative interface. The repository maintains a copy of the policy store data to facilitate repository development. Oracle BI Administration Tool displays Application Role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available Application Roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in Administration Tool to facilitate offline repository development. But this is just a placeholder visible in Administration Tool and is not an actual Application Role. You cannot created an actual Application Role in Administration Tool. You can create an Application Role only in the policy store, using the administrative interface available for managing the policy store.

An Application Role must be defined in the policy store for each Application Role placeholder created using Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid Application Roles are created in the policy store, then the Application Role placeholder disappears from the Administration Tool interface. Always create a corresponding Application Role in the policy store before bringing the repository back online when using role placeholders in offline repository development.

For more information about how to create a placeholder for an Application Role during repository development, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

2.7 Managing Presentation Catalog Privileges Using Application Roles

This section explains how to manage Oracle BI Presentation Catalog privileges using Application Roles, and contains the following topics:

2.7.1 Overview

BI Presentation Server uses Presentation Catalog privileges to control access to features such as Answers, Delivers, and BI Publisher. The default Oracle Business Intelligence Application Roles (BIAdministrator, BIAuthor, BIConsumer) are automatically configured with these privileges during installation, in addition to the Oracle Business Intelligence Application Policy permissions.

Systems upgraded from a previous release can continue to use catalog groups to grant these privileges, but this is not considered a best practice. Best practice is to use Application Roles to manage privileges, which streamlines the security management process. For example, using the same set of Application Roles throughout the system eliminates the need to manage a separate set of catalog groups and member lists. For more information regarding how to continue using upgraded catalog groups to manage Presentation Catalog privileges, see Section A.2.1, "Changes Affecting Security in Presentation Services".

Note:

Mapping an Application Role to become a member of a catalog group creates complex group inheritance and maintenance situations and is not considered a best practice.

When Groups are mapped to Application Roles, the Group members are automatically granted associated Presentation Catalog privileges. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of Application Roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

2.7.2 About Presentation Catalog Privileges

Presentation Catalog privileges are maintained in BI Presentation Catalog. Presentation Services privileges control access only to Presentation Catalog features. These privileges grant or deny access rights to Presentation Services features and have no effect in other Oracle Business Intelligence components.

Being a member of a group mapped to a default Application Role grants Presentation Catalog privileges, in addition to the Oracle Business Intelligence permissions discussed in Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings". The Presentation Catalog privileges granted by a default Application Role can be modified by adding or removing default privilege grants using the Manage Privileges page.

Whenever a new catalog is created, it is populated with the default Application Role to Presentation Catalog privilege mappings. If you have changed the default mappings and want to see the default associations, create a new catalog by pointing to a file location where no catalog exists. When Oracle BI Presentation Server starts, a catalog is created as part of the initialization process.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or Application Role hierarchy.

2.7.3 How to Set Catalog Privileges for an Application Role

If you create an Application Role, you must set appropriate privileges for the Application Role in the BI Presentation Catalog to enable that role to perform various functional tasks. For example, you might want Users with an Application Role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named 'Create Invoke Action'.

Presentation Catalog privileges are stored in the BI Presentation Server and cannot be accessed from the administrative interfaces used to manage the policy store. If you have created a new Application Role to grant Oracle Business Intelligence permissions, then you must the set Presentation Catalog privileges to that new role in addition to any Oracle Business Intelligence permissions.

Note:

Presentation Catalog privileges can be mapped to a new Application Role programmatically using SecurityService Service. For more information, see "SecurityService Service" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition

To set BI Presentation Catalog privileges for an Application Role:

  1. Log in to Oracle Business Intelligence as a User with Administrator privileges.

  2. From the Home page in Presentation Services, select Administration to display the Administration page.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_admin_nav.gif

    Note: If you log in as a User without Administrator privileges, the Administration option is not displayed.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_security.gif

  3. In the Security area, click Manage Privileges to display the Manage Privileges page.

    The screenshot below shows the Manage Privileges page with Application Roles highlighted for BI Presentation Catalog privileges.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration biadmin_pspriv.gif

  4. Click an Application Role next to the privilege that you want to edit to display the Manage Privileges page.

    For example, to edit the privilege named 'Access to Scorecard' for the Application Role named BIConsumer, click the BIConsumer link next to Access\Access to Scorecard. The example screenshot below shows the Privilege dialog for the Access to Scorecard privilege.

    This screenshot or diagram is described in surrounding text.
    Description of the illustration admin_per6.gif

    Use the Privilege dialog to change permissions, grant privileges to Application Roles, and revoke privileges from an Application Role. For example, to grant the selected privilege to an Application Role, you must add the Application Role to the Permissions list.

  5. To add an Application Role to the Permissions list, do the following:

    1. Click Add Users/Roles.

    2. Select Application Roles from the list and click Search.

    3. Select the Application Role from the results list.

    4. Use the shuttle controls to move the Application Role to the Selected Members list.

    5. Click OK.

  6. Set the permission for the Application Role by selecting Granted or Denied in the Permission drop down list.

    Note: Explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of Group or Application Role hierarchy.

  7. Save your changes.

Note:

Existing catalog groups are migrated during the upgrade process. Moving an existing Presentation Catalog security configuration to the role-based Oracle Fusion Middleware security model based requires that each catalog group be replaced with a corresponding Application Role. To duplicate an existing Presentation Services configuration, replace each catalog group with a corresponding Application Role that grants the same Presentation Catalog privileges. You can then delete the original catalog group from Presentation Services.

2.7.4 Advanced Security Configuration Topics

This section contains advanced topics.

2.7.4.1 About Encryption in BI Presentation Services

The Oracle BI Server and Oracle BI Presentation Services client support industry-standard security for login and password encryption. When an end user enters a user name and password in the Web browser, the Oracle BI Server uses the Hyper Text Transport Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the Oracle BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168 bit), preventing unauthorized users from accessing data or Oracle Business Intelligence metadata.

At the database level, Oracle Business Intelligence administrative users can implement database security and authentication. Finally, a proprietary key-based encryption provides security to prevent unauthorized users from accessing the metadata repository.