| Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) Part Number E10543-02 |
|
|
View PDF |
| Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) Part Number E10543-02 |
|
|
View PDF |
Controlling access to system resources is achieved by requiring users to authenticate at log in (authentication) and by restricting users to only the resources for which they are authorized (authorization). The Oracle Business Intelligence default security configuration is automatically configured during installation and is available for use afterwards. The default configuration includes preconfigured security providers for managing user identities, credentials, and permission grants.
This chapter contains the following sections:
Note:
Unless otherwise stated, the permissions discussed in this chapter are those maintained in the policy store provider, such as the Oracle Business Intelligence permissions. Presentation Catalog privileges and permissions are distinct because they are maintained in Oracle BI Presentation Server. For more information about Presentation Catalog privileges and permissions, see Chapter 3, "Configuring Oracle BI to use Oracle Internet Directory".Securing Oracle Business Intelligence can be broken down into two broad areas:
System access security: Controlling access to the components and features that make up Oracle Business Intelligence.
Data access security: Controlling access to business source data and metadata used by Oracle Business Intelligence.
System access security is discussed in this guide and topics include how to limit system access to authorized users, control software resources based on permission grants, and enable secure communication among components.
Data access security is discussed in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
The Oracle Fusion Middleware security model is built upon the Oracle Fusion Middleware platform, which incorporates the Java security model. The Java model is a role-based, declarative model that employs container-managed security where resources are protected by roles that are assigned to users. However, extensive knowledge of the Java-based architecture is unnecessary when using the Oracle Fusion Middleware Security model. By being based upon this security model, Oracle Business Intelligence can furnish uniform security and identity management across the enterprise.
Oracle Business Intelligence is installed into a Oracle WebLogic Server domain during installation, which is a logically related group of resources that are managed as a unit. During a Simple installation type, an Oracle WebLogic Server domain named bifoundation_domain is created and Oracle Business Intelligence is installed into this domain. This name might vary depending upon the installation type performed. One instance of Oracle WebLogic Server in each domain is configured as an Administration Server. The Administration Server provides a central point for managing an Oracle WebLogic Server domain. The Administration Server hosts the Administration Console, which is a Web application accessible from any supported Web browser with network access to the Administration Server. Oracle Business Intelligence uses the active security realm configured for the Oracle WebLogic Server domain into which it is installed. For more information, see Section B.2.2, "Oracle WebLogic Server Domain".
For more information about the Oracle Fusion Middleware platform and the common security framework, see Oracle Fusion Middleware Security Guide. For more information about managing the Oracle WebLogic Server domain and security realm, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server and Oracle Fusion Middleware Securing Oracle WebLogic Server.
Oracle Platform Security Services is the underlying platform on which the Oracle Fusion Middleware security framework is built. Oracle Platform Security Services is standards-based and complies with role-based-access-control (RBAC), Java Enterprise Edition (Java EE), and Java Authorization and Authentication Service (JAAS). Oracle Platform Security Services enables the shared security framework to furnish uniform security and identity management across the enterprise.
For more information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.
An Oracle WebLogic Server administration domain is a logically related group of Java components. A domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain. You typically configure a domain to include additional WebLogic Server instances called Managed Servers. You deploy Java components, such as Web applications, EJBs, and Web services, and other resources to the Managed Servers and use the Administration Server for configuration and management purposes only.
Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control run in the Administration Server. Oracle WebLogic Server Administration Console is the Web-based administration console used to manage the resources in an Oracle WebLogic Server domain, including the Administration Server and Managed Servers. Fusion Middleware Control is a Web-based administration console used to manage Oracle Fusion Middleware, including the components that comprise Oracle Business Intelligence. For more information about the Oracle Business Intelligence individual components, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
Oracle Business Intelligence authentication is handled by the Oracle WebLogic Server authentication providers. An authentication provider performs the following functions:
Establishes the identity of users and system processes
Transmits identity information
Upon installation, Oracle Business Intelligence is configured to use the directory server embedded in Oracle WebLogic Server as both the default authentication provider and the repository for users and groups. Alternate authentication providers can be used if desired, and managed in the Oracle WebLogic Administration Console. For more information, see System Requirements and Certification.
The Oracle Fusion Middleware security platform depends upon the following key elements to provide uniform security and identity management across the enterprise. For more information about the Oracle Fusion Middleware security platform, see Oracle Fusion Middleware Security Guide.
Oracle Business Intelligence uses these security platform elements as follows:
Oracle Business Intelligence permissions are granted to members of its Application Roles. In the default security configuration, each role conveys a predefined set of permissions. Permission grants are defined and managed in an Application Policy. After an Application Role is associated with an Application Policy, that role becomes a grantee of the policy. An Application Policy is specific to a particular application.
An application stripe defines a subset of policies in the policy store. The Oracle Business Intelligence application stripe is named obi.
An Application Role represents a role a user has in Oracle Business Intelligence and gives that user authorization to access system resources accordingly. For example, having the Sales Analyst Application Role can grant a user access to view, edit and create reports relating to a company's sales pipeline.The default security configuration provides four preconfigured roles that grant the permissions corresponding to the common types of work performed when using Oracle Business Intelligence. The Application Role is also the container used to grant permissions and access to its members. When members are mapped to an Application Role, that Application Role becomes the container used to convey access rights to its members. For example:
Oracle Business Intelligence Permissions: These permission grants are defined in an Application Policy. After an Application Role is mapped to a policy, the permissions become associated with the Application Role through the relationship between policy and role. If groups of users have been mapped to that Application Role, the corresponding permissions are in turn granted to all members equally. More than one user or group can be members of the same Application Role.
Data Access Rights: Application roles can be used to control access rights to view and modify data in the repository file. Data filters can be applied to Application Roles to control object level permissions in the Business Model and Mapping layer and the Presentation layer. For more information about using Application Roles to apply data access security and control repository objects, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
Presentation Services Object-Level Access: Application roles can be used to grant access rights to reports and other objects in Oracle BI Presentation Services. For more information about using Application Roles to control access in Presentation Services, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.
User authentication is performed by an authentication provider. The Oracle Business Intelligence default security configuration authenticates against the Oracle WebLogic Server embedded directory server using an authentication provider named DefaultAuthenticator.
When operating in a development or test environment you might find it convenient to use the default security configuration because it comes preconfigured, then add user definitions and credentials specific to your business, and customize the default Application Roles and permission grants to meet your requirements. After the authentication, policy, and credential providers are fully configured and populated with data specific to your business, they provide all user, policy, and credential information needed by the Oracle Business Intelligence components during authentication and authorization.
The default security configuration provides you with three security providers that are integrated to ensure safe, controlled access to system and data resources. These security providers are configured during a Simple or Enterprise installation type as follows:
The authentication provider is DefaultAuthenticator, which authenticates against Oracle WebLogic Server embedded directory server (identity store). The directory server is preconfigured with the default users and groups supplied by Oracle Business Intelligence, as well as a user group needed for the embedded directory server. The default identity store is managed using Oracle WebLogic Server Administration Console.
The policy store provider is the system-jazn-data.xml file. It contains the default Application Role definitions with their corresponding Oracle Business Intelligence permission grants, and the mapping definitions between default groups and Application Roles. The mapping of a group to an Application Role serves to convey the corresponding permissions to members of the group. The default policy store provider is managed using Oracle Enterprise Manager Fusion Middleware Control.
The credential store provider is the cwallet.sso file. It contains the passwords and other security-related credentials either supplied or system-generated. The default credential store is managed using Fusion Middleware Control.
Table B-1 summarizes the three default security providers and their initial state after installation.
Table B-1 Default Security Providers
| Security Provider Type | Purpose | Default Provider | Options |
|---|---|---|---|
|
Authentication provider |
Used to control authentication. |
|
Oracle Business Intelligence can be reconfigured to use different authentication providers and directory servers. For more information, see System Requirements and Certification. |
|
Policy store provider |
|
|
Oracle Business Intelligence can be configured to use Oracle Internet Directory. |
|
Credential store provider |
Trusted store for holding system passwords and other security-related credentials. The data stored here is used for connecting to external systems, opening repositories, or for SSL. |
|
Oracle Business Intelligence can be configured to use Oracle Internet Directory. |
Figure B-1 shows the relationship between Oracle Business Intelligence and the authentication and policy store providers.
Figure B-1 Relationship with the Default Security Providers
The policy store provider contains the Oracle Business Intelligence application-specific policies, Application Roles, permission grants, and membership mappings configured during installation. A policy store can be file-based or LDAP-based, but the installation default provides a policy store that is an XML file.
Presentation Catalog privileges and permissions are not maintained in the policy store provider. For more information about them, see Chapter 3, "Configuring Oracle BI to use Oracle Internet Directory".
All Oracle Business Intelligence permissions are provided; you cannot create additional permissions. In the default configuration, the Application Policies and Application Roles are preconfigured to group these permissions according to the access requirements of the Oracle Business Intelligence common user types: administrator, author, and consumer. However, these default permission grants can be changed as needed using Fusion Middleware Control. For more information, see Section 3.3, "Configuring an Alternative Policy Store and Credentials Store".
Table B-2 and Table B-3 list the available permissions and resource types that are contained in the obi application stripe.
Table B-2 Default Permissions
| Permission Name | Description |
|---|---|
|
oracle.bi.publisher.administerServer |
Enables the Administration link to access the Administration page and grants permission to set any of the system settings. |
|
oracle.bi.publisher.developDataModel |
Grants permission to create or edit data models. |
|
oracle.bi.publisher.developReport |
Grants permission to create or edit reports, style templates, and sub templates. This permission also enables connection to the BI Publisher server from the Template Builder. |
|
oracle.bi.publisher.runReportOnline |
Grants permission to open (execute) reports and view the generated document in the report viewer. |
|
oracle.bi.publisher.scheduleReport |
Grants permission to create or edit jobs and also to manage and browse jobs. |
|
oracle.bi.publisher.accessReportOutput |
Grants permission to browse and manage job history and output. |
|
oracle.bi.publisher.accessExcelReportAnalyzer |
Grants permission to download the Analyzer for Excel and to download data from a report to Excel using the Analyzer for Excel. Note that to enable a user to upload an Analyzer for Excel template back to the report definition, the permission oracle.bi.publisher.developReport must also be granted. |
|
oracle.bi.publisher.accessOnlineReportAnalyzer |
Grants permission to launch the Analyzer and manipulate the data. Note that to save an Analyzer template to a report definition, the permission oracle.bi.publisher.developReport must also be granted. |
|
oracle.bi.server.impersonateUsers |
This description is not available. |
|
oracle.bi.server.manageRepositories |
Grants permission to open, view, and edit repository files using Oracle BI Administration Tool. |
|
oracle.bi.server.queryUserPopulation |
Internal use only. |
|
oracle.bi.scheduler.manageJobs |
Grants permission to use Job Manager to manage scheduled Delivers jobs. |
|
EPM_Calc_Manager_Designer |
Grants permissions for EPM Calc Manager Designer. |
|
EPM_Calc_Manager_Administrator |
Grants permissions for EPM Calc Manager Administrator. |
|
EPM_Essbase_Filter |
Grants permissions for EPM Essbase Filter. |
|
EPM_Essbase_Administrator |
Grants permissions for EPM Essbase Administrator. |
|
oracle.epm.financialreporting.accessReporting |
Grants permissions for EPM Report Access. |
|
oracle.epm.financialreporting.administerReporting |
Grants permissions for EPM Report Administration. |
|
oracle.epm.financialreporting.editBatch |
Grants permissions for EPM Batch Edit. |
|
oracle.epm.financialreporting.editBook |
Grants permissions for EPM Book Edit. |
|
oracle.epm.financialreporting.editReport |
Grants permissions for EPM Report Edit. |
|
oracle.epm.financialreporting.scheduleBatch |
Grants permissions for EPM Batch Scheduling. |
Oracle RTD controls authorization using resources defined in context of a Java class. The Java class oracle.security.jps.ResourcePermission can be used as the permission class within any grant to protect application or system resources. Oracle RTD uses this class to control access to three types of resource:
Inline Service
Decision Center Perspective
Batch Job
Table B-3 lists the Oracle RTD resource types. For more information about Real-Time Decision (RTD) resources, see "Security for Oracle Real-Time Decisions" in Oracle Fusion Middleware Administrator's Guide for Oracle Real-Time Decisions
Table B-3 Oracle RTD Resource Types and Actions
| Type of Resource | Resource Type Name Stored in Application Grants | Action[:Qualifier] | Comments |
|---|---|---|---|
|
Inline Service |
rtd_ils |
choice_editor |
might execute any methods of the ExternalChoice web service for the named Inline Service. |
|
decision_service:normal |
might execute any integration points (advisors and informants) for the named Inline Service. Action qualifier normal allows integration point requests to be executed in the server. |
||
|
decision_service:stress |
might execute any integration points (Advisors and Informants) for the named Inline Service. Action qualifier stress allows LoadGen to issue integration point calls. To be accepted by the server, the user also needs the normal action. |
||
|
open_service:read |
Authorizes the use of Decision Center to open the named Inline Service for viewing. Also authorizes the External Rule Editor to access the named Inline Service, since the External Rule Editor does not need to update the content of the Inline Service. |
||
|
open_service:write |
Authorizes the use of Decision Center to open the named Inline Service for editing. |
||
|
deploy_service |
Authorizes the deployment of the named Inline Service from Decision Studio. |
||
|
download_service |
Authorizes the use of Decision Studio to download the named Inline Service from a server. |
||
|
Decision Center Perspective |
rtd_dc_persp |
dc_perspective |
Open the named Decision Center Perspective, to have Decision Center render its specialized set of UI elements or capabilities. |
|
Registered Batch Job Type |
rtd_batch |
batch_admin |
might execute any methods of the BatchManager web service to start, stop, or query the status of the registered batch job type name. |
The default Application Roles are grouped into broad categories of functional usage: administrator (BIAdministrator), author (BIAuthor), and consumer (BIConsumer). These categories correspond to the typical roles that users of Oracle Business Intelligence assume: an administrator, an author who creates reports for others, and a consumer who reads (consumes) reports created by others (authors).
The default Oracle Business Intelligence Application Roles are as follows:
The BIAdministrator role grants administrative permissions necessary to configure and manage the Oracle Business Intelligence installation. Any member of the BIAdministrators group is explicitly granted this role and implicitly granted the BIAuthor and BIConsumer roles. See Table B-4 and Table B-5 for a list of the default role permissions.
The BIAuthor role grants permissions necessary to create and edit content for other users to use, or to consume. Any member of the BIAuthors group is explicitly granted this role and implicitly granted the BIConsumer role. See Table B-4 and Table B-5 for a list of the default role permissions.
The BIConsumer role grants permissions necessary to use, or to consume, content created by other users. See Table B-4 and Table B-5 for a list of the default role permissions.
The BISystem role grants the permissions necessary to impersonate other users. This role is required by Oracle Business Intelligence system components for inter-component communication. See Table B-4 and Table B-5 for a list of the default role permissions.
The authenticated role is a special Application Role provided by the Oracle Fusion Middleware security model and is made available to any application deploying this security model. Oracle Business Intelligence uses the authenticated Application Role to grant permissions implicitly derived by the role and group hierarchy of which the authenticated role is a member. The authenticated role is a member of the BIConsumer role by default and, as such, all authenticated role members are granted the permissions of the BIConsumer role implicitly.
Every user who successfully logs in to Oracle Business Intelligence becomes a member of the authenticated role, and it is a replacement for the 10g Everyone Presentation Catalog group. The authenticated role is not stored in the obi application stripe and is not searchable in the Oracle Business Intelligence policy store. However, the authenticated role is displayed in the administrative interface for the policy store, is available in Application Role lists, and can be added as a member of another Application Role.
You can map the authenticated role to another user, group, or Application Role, but you cannot remove the authenticated role itself. Removal of the authenticated role would result in the inability to log in to the system and this right would need to be granted explicitly.
For more information about the Oracle Fusion Middleware security model and the authenticated role, see Oracle Fusion Middleware Security Guide.
The default file-based policy store is configured with the Oracle Business Intelligence default Application Roles. Each Application Role is preconfigured with a set of permissions grants and one or more members. Members of an Application Role can include users, groups, or other Application Roles from the policy store.
Table B-4 and Table B-5 lists the default configuration of Application Roles, permission grants, and members. The default naming convention is that Application Role names are singular and group names are plural.
Table B-4 Default Application Role, Permission Grants, and Members
| Role Name | Role Permissions | Members |
|---|---|---|
|
BIAdministrator |
|
BIAdministrators group |
|
BIAuthor |
|
|
|
BIConsumer |
|
|
|
BISystem |
|
BISystemUser |
Table B-5 lists the default Application Roles, Oracle RTD resource types, resource names, and actions in the default application grants after installation. For more information about Real-Time Decision (RTD) resource defaults, see "Security for Oracle Real-Time Decisions" in Oracle Fusion Middleware Administrator's Guide for Oracle Real-Time Decisions
Note:
The resource name _all _ is a special name that matches any Oracle RTD resource name of the associated resource type.Table B-5 Default Application Grants for Oracle RTD Users
| Application Role | Resource Type | Resource Name | Action[:Qualifier] |
|---|---|---|---|
|
BIAdministrator |
rtd_ils |
_all_ |
open_service:read |
|
_all_ |
open_service:write |
||
|
_all_ |
deploy_service |
||
|
_all_ |
download_service |
||
|
_all_ |
choice_editor |
||
|
_all_ |
decision_service:normal |
||
|
_all_ |
decision_service:stress |
||
|
rtd_dc_persp |
_all_ |
dc_perspective |
|
|
rtd_batch |
_all_ |
batch_admin |
|
|
BIAuthors |
rtd_ils |
_all_ |
open_service:read |
|
_all_ |
open_service:write |
||
|
_all_ |
deploy_service |
||
|
_all_ |
download_service |
||
|
_all_ |
decision_service:normal |
||
|
_all_ |
decision_service:stress |
||
|
rtd_dc_persp |
_all_ |
dc_perspective |
|
|
BIConsumer |
rtd_ils |
_all_ |
open_service:read |
|
_all_ |
choice_editor |
||
|
_all_ |
decision_service:normal |
||
|
rtd_dc_persp |
Explore |
dc_perspective |
|
|
At a Glance |
dc_perspective |
||
|
rtd_batch |
_all_ |
batch_admin |
An authentication provider accesses user and group information and is responsible for authenticating users. An identity store contains user name, password, and group membership information and in Oracle Business Intelligence is a directory server. The default security configuration authenticates against the Oracle WebLogic Server embedded directory server using an authentication provider named DefaultAuthenticator.
When a user logs in to a system with a user name and password combination, Oracle WebLogic Server validates identity based on the combination provided. During this process, a Java principal is assigned to the user or group that is undergoing authentication. The principal can consist of one or more users or groups and is stored within subjects. A subject is a JAAS element used to group and hold identity information.
Upon successful authentication, each principal is signed and stored in a subject. When a program call accesses a principal stored in a subject, the default authenticator provider verifies the principal has not been altered since signing, and the principal is returned to the program making the call. For example, in the Oracle WebLogic Server default authenticator, the subject contains a principal for the user (WLSUserPrincipal) and a principal for the group (WLSGroupsPrincipals) of which the user is a member. If an authentication provider other than the installation default is configured, consult that provider's documentation because how identity information is stored might differ.
Groups are logically ordered sets of users. Creating groups of users who have similar system resource access needs enables easier security management. Managing a group is more efficient than managing a large number of users individually. Oracle recommends that you organize your users into groups for easier maintenance. Groups are then mapped to Application Roles to grant rights.
The default group names discussed here are provided as a convenience so you can begin using the Oracle Business Intelligence software immediately after installation, but you are not required to maintain the default names.
Table B-6 lists the group names and group members that are created during the installation process. These defaults can be changed to different values and additional group names can be added by an administrative user using Oracle WebLogic Server Administration Console.
Table B-6 Default Groups and Members
| Purpose | Group Name and Members | Description |
|---|---|---|
|
Contains the Oracle Business Intelligence administrative users. |
Name: BIAdministrators Members: Any administratror user |
|
|
Contains the Oracle Business Intelligence authors. |
Name: BIAuthors Members: BIAdministrators Group |
Members of the BIAuthors group have the permissions necessary to create content for other users to use, or to consume. |
|
Contains the Oracle Business Intelligence consumers. |
Name: BIConsumers Members: BIAuthors group and Oracle WebLogic Server LDAP server users group |
|
Oracle WebLogic Server embedded directory server contains Oracle Business Intelligence user names provided as part of the default security configuration. These default user names are provided as a convenience so you can begin using the Oracle Business Intelligence software immediately after installation, but you are not required to maintain the default names.
Table B-7 lists the default user names and passwords in the Oracle WebLogic Server embedded directory server after installation.
Table B-7 Default Users and Passwords
| Purpose | User Name and Password | Description |
|---|---|---|
|
Administrative user |
Name: administrator user Password: user supplied |
|
|
Name: BISystemUser Password: system generated |
|
A credential store is a repository of security data (credentials) that validates the authority of users, Java components, and system components. Oracle Business Intelligence system processes use these credentials to establish trusted communication.
The Oracle Business Intelligence default credential store is file-based, also known as being wallet-based, and is represented by the file cwallet.sso. The default credential store is managed in Fusion Middleware Control.
Credentials are grouped into logical collections called maps. The default security configuration contains the following maps: oracle.bi.system and oracle. bi.enterprise. Each credential is accessed from a map using a key, such as system.user or repository.paint. A key is case sensitive. Each repository file has its own entry in the credential map.
The oracle.bi.actions credential map is created manually. For information about creating the oracle.bi.actions credential map, see "Adding and Maintaining Credentials for Use with Action Framework" in Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition.
Table B-8 lists the credentials contained in the default credential store after installation.
Table B-8 Default Credentials
| Description | Map and Key | User Name and Password |
|---|---|---|
|
RPD password |
map: oracle.bi.enterprise key: repository.RPD name |
Name: Not Applicable Password: user supplied |
|
BISystem user |
map: oracle.bi.system key: system.user |
Name: BISystemUser Password: system generated |
|
Oracle Business Intelligence Scheduler Schema user |
map: oracle.bi.enterprise key: scheduler.schema |
Name: Name of Scheduler schema Password: system generated |
Oracle Business Intelligence permissions are typically granted by becoming a member in an Application Role. LDAP groups become members by being mapped to Application Roles. In the default security configuration, each Application Role is preconfigured to grant a predefined set of permissions. The mapping of a group to a role conveys the role's permissions to all members of the group. In short, permissions are granted by Oracle Business Intelligence Application Roles by establishing the following relationships:
A group defines a set of users having similar system access requirements. Users are added as members to one or more groups according to the level of access required.
Application roles are defined to represent the role a user typically performs when using Oracle Business Intelligence. The default security configuration provides the following role types: administrator (BIAdministrator), author (BIAuthor), and consumer (BIConsumer).
The groups of users are mapped to one or more Application Roles that match the type of access required by each group.
Application policies are created with Oracle Business Intelligence permissions that grant a set of access rights corresponding to each role type.
An Application Role is mapped to the corresponding Application Policy that grants the set of permissions required by the role type (administrator, author, consumer). Once done, the Application Role is the Grantee of the Application Policy.
Group membership can be inherited by nature of the group hierarchy. Application roles mapped to inherited groups are also inherited, and those permissions are likewise conveyed.
How a user's permissions are determined by the system is as follows:
A user enters credentials into a Web browser at login. The user credentials are authenticated by the authentication provider against data contained the identity store.
After successful authentication, a Java subject and principal combination is issued, which is populated with the user name and a user's groups.
A list of the user's groups is generated and checked against the Application Roles. A list is created of the Application Roles that are mapped to each of the user's groups.
A user's permission grants are determined from knowing which Application Roles the user is a member of. The list of groups is generated only to determine what roles a user has, and is not used for any other purpose.
For example, the ability to open a repository file in online mode from Oracle BI Administration Tool requires the manage repository permission (oracle.bi.server.manageRepositories). In the default security configuration, this permission is granted by membership in the BIAdministrator Application Role. The BIAdministrator Application Policy contains the actual permission grant definitions, and in this example, the BIAdministrator Application Policy contains the manage repository permission definition. The default security configuration includes a preconfigured mapping between the BIAdministrator Application Role and the BIAdministrators group. To convey the manage repository permission to a user in your environment, add that user to the BIAdministrators group. Every user who needs to manage a repository in online mode should be added to the BIAdministrators group instead of granting the required permission to each user individually. If a user no longer requires the manage repository permission, you then remove the user from the BIAdministrators group. After removal from the BIAdministrators group, the user no longer has the BIAdministrator Application Role or the manage repository permission granted by role membership.
Users can also obtain permissions by inheriting group membership and Application Roles. For more information and an example of how this is accomplished, see Section B.4.4.1, "Permission Inheritance and Role Hierarchy".
In Oracle Business Intelligence, the members of a default Application Role includes both groups and other Application Roles. The result is a hierarchical role structure where permissions can be inherited in addition to being explicitly granted. A group that is a member of a role is granted both the permissions of the role and the permissions for all roles descended from that role. It is important when constructing a role hierarchy that circular dependencies are not introduced.
The following figure provides an example of how the role hierarchy grants permissions using several of the Oracle Business Intelligence default groups and Application Roles. The default BIAdministrator role is a member the BIAuthor role, and BIAuthor role is a member of BIConsumer role. The result is members of the BIAdministrators group are granted all the permissions of the BIAdministrator role, the BIAuthor role, and the BIConsumer role. In this example only one of the permissions granted by each role is used for demonstration purposes.
Figure B-2 shows these relationship between the default Application Roles and how permissions are granted to members.
Figure B-2 Default Application Role Hierarchy Example
The result is that, by nature of the role hierarchy, the user who is a member of a particular group is granted both explicit permissions and any additional inherited permissions.
Note:
By themselves, groups and group hierarchies do not provide access rights to application resources. Privileges are conveyed by the permission grants defined in an Application Policy. A user, group, or Application Role becomes a Grantee of the Application Policy. The Application Policy grantee conveys the permissions and this is done by direct association (such as a user) or by becoming a member of the Grantee (such as a group or Application Role).Table B-9 details the role and permissions granted to all group members (users) shown in Figure B-2.
Table B-9 Permissions Granted by The Role Hierarchy Example
| User Name | Group Membership: Explicit/Inherited | Application Role Membership: Explicit/Inherited | Permission Grants: Explicit/Inherited |
|---|---|---|---|
|
User1, User2, User3 |
BIConsumers: Explicit |
BIConsumer: Explicit |
Access reports: Explicit |
|
User4, User5 |
BIAuthors: Explicit BIConsumers: Inherited |
BIAuthor: Explicit BIConsumer: Inherited |
Create reports: Explicit Access reports: Inherited |
|
User6, User7 |
BIAdministrators: Explicit BIAuthors: Inherited BIConsumers: Inherited |
BIAdministrator: Explicit BIAuthor: Inherited BIConsumer: Inherited |
Manage repository: Explicit Create reports: Inherited Access Reports: Inherited |
If catalog groups and Application Roles are used in combination to manage Presentation Services Catalog permissions or privileges, the catalog groups take precedence. For example, if a user is a member of a catalog group that grants access to a Presentation Services object or feature and is also a member of an Application Role that denies access to the same object or feature, then this user has access. A Presentation Services Catalog group takes precedence over an Application Role. For more information about Presentation Services permissions and privileges, see Chapter 3, "Configuring Oracle BI to use Oracle Internet Directory".
The common security tasks performed after a successful Oracle Business Intelligence software installation are different according to purpose. Common reasons to install Oracle Business Intelligence are:
Evaluate the product
Implement the product
Implementation typically involves moving through the product lifecyle of using the product in one or more of the following environments:
Development
Test
Production
Table B-10 contains common security tasks performed to evaluate Oracle Business Intelligence and provides links for more information.
Table B-10 Task Map: Common Security Tasks to Evaluate Oracle Business Intelligence
| Task | Description | For Information |
|---|---|---|
|
Understand the Oracle Fusion Middleware security model and the Oracle Business Intelligence default security configuration. |
Familiarize yourself with the key elements of the Oracle Fusion Middleware security model and the Oracle Business Intelligence default security configuration after a successful installation. |
Chapter 1, "Introduction to Security in Oracle Business Intelligence" |
|
Add users and groups to the default identity store. |
Create new user and group definitions for the embedded directory server using Oracle WebLogic Server Administration Console. |
Section 2.4.3, "How to create a User in the Embedded WebLogic LDAP Server" Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help |
|
Add a new member to a default Application Role. |
Add a new user or group as a member to a default Application Role, such as BIConsumer. |
Section 2.5.4, "Modifying Application Roles Using Oracle Fusion Middleware Control" Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings" |
|
Create a new Application Role based on an existing default Application Role. |
Create a new Application Role based on an existing default Application Role by copying it and naming the copy. |
Section 2.5.2, "Creating Application Roles Using Fusion Middleware Control" |
Table B-11 contains common security tasks performed when you implement Oracle Business Intelligence and provides links for more information. The following tasks are performed in addition to the tasks listed in Section B.5.1, "Common Security Tasks to Evaluate Oracle Business Intelligence".
Table B-11 Task Map: Common Security Tasks to Implement Oracle Business Intelligence
| Task | Description | For Information |
|---|---|---|
|
Transition to using your enterprise directory server as the authentication provider and identity store. |
Configure your enterprise directory server to become the authentication provider and identity store. |
Section 3.2, "Configuring an Alternative Authentication Provider" |
|
Create a new Application Role. |
Create a new Application Role and make the role a Grantee of an Application Policy. |
Section 2.5.2, "Creating Application Roles Using Fusion Middleware Control" |
|
Map a group to a newly created Application Role. |
Map a group to a newly created Application Role to convey the permission grants to group members. |
Section 2.5.4, "Modifying Application Roles Using Oracle Fusion Middleware Control" |
|
Decide whether to use SSL. |
Decide whether to use SSL communication and devise a plan to implement. |
Chapter 5, "SSL Configuration in Oracle Business Intelligence" |
|
Decide whether to use an SSO provider in your deployment. |
Decide whether to use SSO authentication and devise a plan to implement. |
The Upgrade Assistant is a unified graphical user interface that enables you to selectively upgrade your Oracle Business Intelligence installation. For complete upgrade information, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.
Significant changes have been made to the security model regarding how and where users, groups, and credentials are defined and stored. The following is a summary of some of the changes that are made during the upgrade process by the Upgrade Assistant:
Users, passwords, and groups are moved from the default release 10g repository file to the release 11g default identity store (Oracle WebLogic Server embedded LDAP server).
Passwords for other repository objects, such as connection pools and LDAP servers, remain in the repository and are encrypted. The repository itself is encrypted as well.
The Administrator user is migrated from the default release 10g repository file to the default identity store and becomes a member of the BIAdministrators group. The BIAdministrators group is granted the BIAdministrator role and by that association has system administrative rights.
Presentation Catalog references to old groups and users are updated.
The variable names ROLES, PERMISSIONS, USERGUID and ROLEGUIDS are reserved release 11g system variable names. Before upgrading a release 10g repository file, these variables must be renamed if they exist. Other references to these variable names, as in reports, also must be renamed for consistency.
Caution:
Before upgrading, create a backup of the repository file and the Presentation Catalog to ensure that you can restore the originals if needed.The following is an overview of the security-related changes initiated by the Upgrade Assistant when upgrading an Oracle Business Intelligence installation. For information about upgrading a system, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.
In general, the standard upgrade process is as follows. The Upgrade Assistant is run on a system that has the Oracle Business Intelligence release 11g software installed. During this process the metadata from the release 10g repository file and Presentation Catalog is imported to the release 11g system. The release 10g system is left unchanged after the upgrade process completes. The imported metadata is upgraded as needed to function in the release 11g environment, such as moving users and groups defined in the repository to the Oracle WebLogic Server embedded LDAP server, and so on. However, configuration settings such as SSL settings are not carried over from the upgrade source.
Before running the Upgrade Assistant you must have the following available:
The Oracle Business Intelligence release 10g installation, which is used as the upgrade source. This installation can be configured to use any combination of security mechanisms supported in the release 10g, including: repository users and groups, authentication initialization blocks, catalog groups, and SA System Subject Area.
A default installation of Oracle Business Intelligence release 11g to be used as the target for the upgrade. This installation must not have been customized in any way.
The Upgrade Assistant prompts for details of the release 10g installation. The Upgrade Assistant migrates the existing security-related entries to the release 11g system, as explained in the following sections.
The Upgrade Assistant automatically creates the following entries in the Oracle WebLogic Server embedded LDAP server for the target system:
An LDAP group corresponding to each group found in the repository. This does not include the Administrators group found in prior releases. Any users that were in this Administrators group are added to the BIAdministrators LDAP group.
LDAP group hierarchies that match the repository group hierarchies.
The Administrator user is migrated and made a part of the BIAdministrators group.
All users, other than the Administrator user, who are members of the Administrators group in the default repository are added to the BIAdministrators group in the embedded LDAP server. The release 11g Administrator user that is created from information provided during installation is also added to the BIAdministrators group in the embedded LDAP server.
The Upgrade Assistant automatically creates the following entries in the file-based policy store for the target system:
An Application Role that corresponds to each group in the default repository. This does not include the Administrators group found in prior releases. The Application Role is granted to the group with the same name.
Application role hierarchies that match the repository group hierarchies.
The upgrade assistant automatically upgrades the default repository in the source system and makes the following changes:
All groups in the default release 10g repository are converted to Application Role references (placeholders) to Application Roles created in the policy store during upgrade.
All users are removed from the default repository during upgrade and replaced with references (name and GUID) to LDAP users created in the embedded LDAP server on the target system.
A numerical suffix is added to the name of an upgraded repository file. A number is added to indicate the number of times that file has been upgraded.
The Upgrade Assistant automatically makes the following changes to the Presentation Catalog:
The Presentation Catalog is scanned and the old security representations are converted to the new ones. Permissions and privileges that existed in 10g are migrated. Updates the internal representation of each user to the standard GUID being used across the environment. Users not found in the LDAP server are placed in the initialization block users folder until they have been added to the LDAP server, after which they are moved to the standard user folder. All references to old user and group representation are replaced by the GUID. The entire Presentation Catalog is reviewed.
Leaves the release 10g catalog groups in the upgraded Presentation Catalog and assigns the same privileges, access, and membership.
A release 10g repository can be opened and upgraded using the Upgrade Assistant. The following security-related changes are made to the repository upon upgrade:
The upgraded repository is now protected and encrypted by the password entered during the upgrade.
The repository file is upgraded to contain references to users it expects to be present in the identity store and references to Application Roles it expects to be present in the policy store.
The upgraded repository can be opened in the Oracle BI Administration Tool in offline mode as usual, and can be deployed to a server to be opened in online mode.
For more information about upgrading a release 10g repository, see Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.
Configuration settings such as SSL settings are not carried over from the upgrade source. For information regarding configuring SSL, see Chapter 5, "SSL Configuration in Oracle Business Intelligence".
Configuration settings such as single sign-on (SSO) settings are not carried over from the upgrade source. For information regarding configuring SSO, see Chapter 4, "Enabling SSO Authentication".
|
 Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
