16.1 Creating Reports Users and Named Groups

If you use the security features in Oracle Portal to control access to your reports, you must register all of your Reports users in Oracle Internet Directory and assign security privileges to all of them through Oracle Portal.

Note:

If you have a large user population already entered into an LDAP-compatible directory, you can use Oracle Internet Directory features to synchronize the directories and save yourself the effort of entering your users individually. You'll find information about Oracle Internet Directory's Directory Integration Server in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

In Oracle Portal, security privileges can be granted to individual users and to named groups of users. Named groups are useful for streamlining the process of granting access privileges. You can assign a set of access privileges to a named group, and grant the entire set of privileges to an individual simply by adding that person to the group.

Note:

When you use features like Oracle Portal Security, Portal Destination, and Job Status Repository, the JDBC database connections made by Oracle Reports Services may override the initial NLS_LANG setting. This change may in turn affect the behavior of the running report, such as bidirectional output in PDF. On UNIX platforms, you can work around this issue by using the environment switching functionality to dynamically set the environment for reports. Refer to Section 8.2.2, "Dynamic Environment Switching" for more information.

The next sections provide overview information on how to create users and groups in Oracle Portal. They include:

Default Reports-Related Groups
Creating Users and Groups

16.1.1 Default Reports-Related Groups

When you install Oracle Portal, Reports-related groups are created for you automatically. These include the following groups:

RW_BASIC_USER
RW_POWER_USER
RW_DEVELOPER
RW_ADMINISTRATOR

You must assign appropriate privileges to these groups to enable group members to perform specific functions on reports through Oracle Portal. For example, for each report object that you want members of a group (for example, RW_BASIC_USER) to be able to run, you have to grant the Execute privilege to that group from the Access tab of the report object. Similarly, if you want members of a group (for example, RW_ADMINISTRATOR) to be able manage Reports Servers, printers, and reports, you have to grant the Manage privilege to that group from the Access tab of those objects.

While you can assign object privileges to individual users, we recommend that every person who will access your reports belong to one of these groups or a group that you create yourself. If users try to run reports without being a member of one of these groups, by default, they are assigned the privileges of a basic user.

Note:

The RW_ groups are created automatically by configuring Oracle Portal, or you can create them manually. You can also run Web commands if they are in the IASADMINS group.

The following commands can be run by members of any group:

getfile
showmyjobs
killmyjobs
getjobid
showjobid
help

Only members of the RW_DEVELOPER group can run the following commands:

showmap
showenv
showjobs
parsequery

Members of the RW_ADMINISTRATOR group can run any command.

16.1.1.1 RW_BASIC_USER

Should the security check fail, members of the RW_BASIC_USER group see less detailed error messages than the users in other Oracle Reports groups, such as:

Security Check Error

Typically, you will want to assign this group minimal privileges. For example, you probably will want to give RW_BASIC_USER the privilege to execute reports and no more.

16.1.1.2 RW_POWER_USER

In addition to the privileges of the RW_BASIC_USER group, the RW_POWER_USER group sees error messages that are more detailed than those displayed to basic users. For example, if members of this group are not permitted to run to HTML, but they try anyway, they might get the message:

Cannot run report to HTML

This is more detailed than the message an RW_BASIC_USER would receive for the same error.

16.1.1.3 RW_DEVELOPER

In addition to the privileges of the RW_POWER_USER group, the RW_DEVELOPER group can run the following Web commands that show the system environment:

showmap
showenv
showjobs
parsequery

Typically, you would assign privileges to this group needed by a developer who is testing reports. Depending upon your installation, you might even assign them limited administrative privileges.

16.1.1.4 RW_ADMINISTRATOR

In addition to the privileges of the RW_DEVELOPER group, the RW_ADMINISTRATOR group has access to the administrator's functionality in the Oracle Reports Queue Manager, which means members of this group can manage the server queue, including rescheduling, deleting, reordering jobs in the server, and shutting down a server. Members of the RW_ADMINISTRATOR group can run any command. The RW_ADMINISTRATOR group also has the privilege to run Web commands through rwservlet.

Typically, you will want to assign to this group some (but probably not all) of the same privileges assigned to the PORTAL_ADMINISTRATORS group.

Note:

Initially, only members of the PORTAL_ADMINISTRATORS group have MANAGE privileges for Oracle Reports objects. They can CREATE, UPDATE, and DELETE the registered report definition files, servers, and printer objects in Oracle Portal. In addition to all the links activated for the developer user, administrators can navigate to the Access tab on the Component Management Page, accessible in Oracle Portal. This is where the administrator can specify who will have access to this report. People with administrator privileges can assign security privileges for other people and receive full error messages from Oracle Reports Services.

16.1.2 Creating Users and Groups

Oracle Portal uses the Delegated Administration Service (DAS) interface to Oracle Internet Directory to register users for access to Portal. You can enter the DAS interface through Portal to create new users. The creation of new users and groups is discussed in the Oracle Portal Administrator's Guide available on the Oracle Fusion Middleware documentation CD.

When you create groups, you must assign appropriate privileges to them to enable group members to perform any desired functions on reports through Oracle Portal. For example, for each report object that you want members of a group (for example, RW_BASIC_USER) to be able to run, you have to grant the Execute privilege to that group from the Access tab of the report object. Similarly, if you want members of a group (for example, RW_ADMINISTRATOR) to be able manage Reports Servers, printers, calendars, and reports, you have to grant the Manage privilege to that group from the Access tab of those objects.

Ideally, you should provide a user with the necessary privileges on objects by assigning them to a group that has appropriate privileges for their role. For example, if you are creating a user who needs to be able to run but not manage reports, you could assign her to RW_BASIC_USER. If need be, you may assign object privileges to individual users (for example, JSMITH) rather than groups, but this approach is more difficult and time consuming to manage.

16.1.3 Portal Password in Credential Store

Oracle Reports 11g Release 1 (11.1.1) uses credential store to store Portal password as a key. You can also use the credential store to configure database connection information for jobstatusrepository and jobRepository elements.

Portal password is stored in the reports credential map with key in the following syntax:

"portalpasswd_DomainName_InstanceName"

Note:

If you modify the Portal password, you must update the value of the key in the Reports credential store.