Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• System Requirements and Certification
• Conventions

New Features in Oracle Business Intelligence Security

• New Features for Oracle BI EE 11g Release 1 (11.1.1.5)
• New Features for Oracle BI EE 11g Release 1 (11.1.1.3)

1 Introduction to Security in Oracle Business Intelligence

• 1.1 High-level Roadmap for Setting Up Security In Oracle Business Intelligence
• 1.2 Overview of Security in Oracle Business Intelligence
• 1.3 About Authentication
• 1.4 About Authorization
  • 1.4.1 About Application Roles
  • 1.4.2 About The Security Policy
• 1.5 About Pre Configured Users, Groups, and Application Roles
• 1.6 What Tools Configure Security in Oracle Business Intelligence?
  • 1.6.1 Oracle WebLogic Server Administration Console
  • 1.6.2 Oracle Fusion Middleware Control
  • 1.6.3 Oracle BI Administration Tool
  • 1.6.4 Administration Page in Oracle BI Analytics
• 1.7 Example: Looking at the Installed Users, Groups, and Application Roles
  • 1.7.1 About Using Oracle WebLogic Server Administration Console
  • 1.7.2 About Using Fusion Middleware Control
  • 1.7.3 About Using the Oracle BI Administration Tool
  • 1.7.4 About Using Administration Page in Oracle BI Presentation Catalog
• 1.8 Detailed List of Steps for Setting Up Security In Oracle Business Intelligence
• 1.9 Comparing the Oracle Business Intelligence 10g and 11g Security Models
• 1.10 Terminology

2 Managing Security Using the Default Security Configuration

• 2.1 Working with the Default Users, Groups, and Application Roles
• 2.2 An Example Security Setup Using the Default Groups and Application Roles
• 2.3 Creating and Managing Users and Groups in the Embedded WebLogic LDAP Server
  • 2.3.1 Overview of Setting Up Users, Groups, and Application Roles
    • 2.3.1.1 Assigning a User to a Default Group
    • 2.3.1.2 Assigning a User to a New Group and a New Application Role
  • 2.3.2 Launching Oracle WebLogic Server Administration Console
  • 2.3.3 Creating a New User in the Embedded WebLogic LDAP Server
  • 2.3.4 Creating a Group in the Embedded WebLogic LDAP Server
  • 2.3.5 Assigning a User to a Group in the Embedded WebLogic LDAP Server
  • 2.3.6 (Optional) Changing a User Password in the Embedded WebLogic LDAP Server
• 2.4 Creating and Managing Application Roles and Application Policies Using Fusion Middleware Control
  • 2.4.1 Starting Oracle Fusion Middleware Control and Locating the Pages for Managing Security
    • 2.4.1.1 Overview
    • 2.4.1.2 Displaying the Security Menu in Fusion Middleware Control from coreapplication
    • 2.4.1.3 Displaying the Security Menu in Fusion Middleware Control from bifoundation_domain
  • 2.4.2 Creating Application Roles Using Fusion Middleware Control
    • 2.4.2.1 Overview
    • 2.4.2.2 Creating an Application Role
    • 2.4.2.3 Assigning a Group to an Application Role
  • 2.4.3 Creating Application Policies Using Fusion Middleware Control
  • 2.4.4 Modifying Application Roles Using Oracle Fusion Middleware Control
    • 2.4.4.1 Adding or Removing Permission Grants from an Application Role
    • 2.4.4.2 Adding or Removing Members from an Application Role
• 2.5 Managing Metadata Repository Privileges Using the Oracle BI Administration Tool
  • 2.5.1 Overview
  • 2.5.2 Setting Repository Privileges for an Application Role
  • 2.5.3 Advanced Security Configuration Topics
    • 2.5.3.1 About Managing Application Roles in the Metadata Repository
• 2.6 Managing Presentation Services Catalog Privileges Using Application Roles
  • 2.6.1 Overview
  • 2.6.2 About Presentation Services Catalog Privileges
  • 2.6.3 Setting Oracle BI Presentation Catalog Privileges for an Application Role
  • 2.6.4 Advanced Security Configuration Topics
    • 2.6.4.1 About Encryption in BI Presentation Services
• 2.7 Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store

3 Using Alternative Authentication Providers

• 3.1 Common Tasks for Deploying an Alternative Authentication Provider
• 3.2 Configuring an Alternative Authentication Provider
  • 3.2.1 High Level Steps for Configuring an Alternative Authentication Provider
  • 3.2.2 Prerequisites for Using Alternative Authentication Providers
  • 3.2.3 Configuring Oracle Business Intelligence To Use Alternative Authentication Providers
    • 3.2.3.1 Configuring Oracle Business Intelligence to use Oracle Internet Directory as the Authentication Provider
    • 3.2.3.2 Configuring Oracle Business Intelligence to use Active Directory as the Authentication Provider
  • 3.2.4 Configuring User And Group Name Attributes In The Identity Store
    • 3.2.4.1 Configuring the User Name Attribute in the Identity Store
    • 3.2.4.2 (Optional for Active Directory) To Change Group Name Attributes
  • 3.2.5 Configuring the GUID Attribute in the Identity Store
  • 3.2.6 Configuring a New Trusted User (BISystemUser)
  • 3.2.7 Regenerating User GUIDs
• 3.3 Configuring OID as the Policy Store and Credential Store
• 3.4 Configuring an LDAP Authentication Provider as the Single Source
  • 3.4.1 Configuring OID LDAP Authentication as the Single Source
  • 3.4.2 Troubleshooting

4 Enabling SSO Authentication

• 4.1 SSO Configuration Tasks for Oracle Business Intelligence
• 4.2 Understanding SSO Authentication and Oracle Business Intelligence
  • 4.2.1 How an Identity Asserter Works
  • 4.2.2 How Oracle Business Intelligence Operates With SSO Authentication
• 4.3 SSO Implementation Considerations
• 4.4 Configuring SSO in an Oracle Access Manager Environment
  • 4.4.1 Configuring a New Authenticator for Oracle WebLogic Server
  • 4.4.2 Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic Server
• 4.5 Configuring Custom SSO Environments
• 4.6 Using Fusion Middleware Control to Enable SSO Authentication

5 SSL Configuration in Oracle Business Intelligence

• 5.1 Common SSL Configuration Tasks for Oracle Business Intelligence
• 5.2 About SSL
  • 5.2.1 SSL in Oracle Business Intelligence
  • 5.2.2 Creating Certificates and Keys in Oracle Business Intelligence
  • 5.2.3 Credential Storage
• 5.3 Configuring the Web Server to Use the HTTPS Protocol
• 5.4 Configuring SSL Communication Between Components
  • 5.4.1 Locking the Configuration
  • 5.4.2 Generating the SSL Certificates
  • 5.4.3 Commit the SSL Configuration Changes
    • 5.4.3.1 Troubleshooting Tip
  • 5.4.4 Verifying the SSL Credentials in the Credential Store
  • 5.4.5 Enabling the SSL Configuration
  • 5.4.6 Confirming SSL Status
  • 5.4.7 Configuring the SMTP Server
  • 5.4.8 Updating Expired SSL Certificates
• 5.5 Additional SSL Configuration Options
  • 5.5.1 Using SASchInvoke When BI Scheduler is SSL-Enabled
  • 5.5.2 Configuring Oracle BI Job Manager
  • 5.5.3 Enabling the Online Catalog Manager to Connect
  • 5.5.4 Configuring the Oracle BI Administration Tool
  • 5.5.5 Configuring an ODBC DSN for Remote Client Access
• 5.6 Advanced SSL Configuration Options

A Alternative Security Administration Options

• A.1 Alternative Authentication Options
  • A.1.1 Setting Up LDAP Authentication
    • A.1.1.1 Setting Up an LDAP Server
    • A.1.1.2 Defining a USER Session Variable for LDAP Authentication
    • A.1.1.3 Setting the Logging Level
  • A.1.2 Setting Up External Table Authentication
  • A.1.3 About Oracle BI Delivers and External Initialization Block Authentication
  • A.1.4 Order of Authentication
  • A.1.5 Authenticating by Using a Custom Authenticator Plug-In
  • A.1.6 Managing Session Variables
  • A.1.7 Managing Server Sessions
    • A.1.7.1 Using the Session Manager
• A.2 Alternative Authorization Options
  • A.2.1 Changes Affecting Security in Presentation Services
  • A.2.2 Managing Presentation Services Catalog Privileges Using Catalog Groups

B Understanding the Default Security Configuration

• B.1 About Securing Oracle Business Intelligence
• B.2 About the Security Framework
  • B.2.1 Oracle Platform Security Services
  • B.2.2 Oracle WebLogic Server Domain
• B.3 Key Security Elements
• B.4 Default Security Configuration
  • B.4.1 Default Policy Store Provider
    • B.4.1.1 Default Permissions
    • B.4.1.2 Default Application Roles
    • B.4.1.3 Default Application Roles, Permission Grants, and Group Mappings
  • B.4.2 Default Authentication Provider
    • B.4.2.1 Default Groups and Members
    • B.4.2.2 Default Users and Passwords
  • B.4.3 Default Credential Store Provider
    • B.4.3.1 Default Credentials
  • B.4.4 How Permissions Are Granted Using Application Roles
    • B.4.4.1 Permission Inheritance and Role Hierarchy
    • B.4.4.2 Presentation Services Catalog Groups and Precedence
• B.5 Common Security Tasks After Installation
  • B.5.1 Common Security Tasks to Evaluate Oracle Business Intelligence
  • B.5.2 Common Security Tasks to Implement Oracle Business Intelligence
• B.6 About the Default Security Configuration After Upgrade
  • B.6.1 Security-Related Changes After Upgrading
    • B.6.1.1 Changes Affecting the Identity Store
    • B.6.1.2 Changes Affecting the Policy Store
    • B.6.1.3 Changes Affecting the Default Repository File
    • B.6.1.4 Changes Affecting the Oracle BI Presentation Catalog
  • B.6.2 Planning to Upgrade a 10g Repository
  • B.6.3 Upgrading an Existing SSL Environment
  • B.6.4 Upgrading an Existing SSO Environment

C Troubleshooting Security in Oracle Business Intelligence

• C.1 Resolving Inconsistencies With the Identity Store
  • C.1.1 User is Deleted From the Identity Store
  • C.1.2 User is Renamed in the Identity Store
  • C.1.3 User Name is Reused in the Identity Store
• C.2 Resolving Inconsistencies With the Policy Store
  • C.2.1 Application Role Was Deleted From the Policy Store
  • C.2.2 Application Role is Renamed in the Policy Store
  • C.2.3 Application Role Name is Reused in the Policy Store
  • C.2.4 Application Role Reference is Added to a Repository in Offline Mode
• C.3 Resolving SSL Communication Problems
• C.4 Resolving Issues with BISystemUser Credentials
• C.5 Resolving Custom SSO Environment Issues
• C.6 Resolving IBM LDAP Init Block Based Authentication on Linux x86 (64-Bit)

D Managing Security for Dashboards and Analyses

• D.1 Managing Security for Users of Oracle BI Presentation Services
  • D.1.1 Where Are Oracle BI Presentation Services Security Settings Made?
  • D.1.2 What are the Security Goals in Oracle BI Presentation Services?
  • D.1.3 How Are Permissions and Privileges Assigned to Users?
• D.2 Managing Users Using Administration Pages
  • D.2.1 Understanding the Administration Pages
  • D.2.2 Working with Catalog Groups
    • D.2.2.1 Creating Catalog Groups
    • D.2.2.2 Deleting Catalog Groups
    • D.2.2.3 Editing Catalog Groups
  • D.2.3 Managing Presentation Services Privileges
    • D.2.3.1 What are Privileges?
    • D.2.3.2 Setting Privileges in Oracle BI Presentation Services Administration
    • D.2.3.3 Default Oracle BI Presentation Services Privilege Assignments
      • D.2.3.3.1 Access to Oracle BI Enterprise Edition Actions
      • D.2.3.3.2 Access to Oracle BI for Microsoft Office Privilege
      • D.2.3.3.3 Save Content with HTML Markup Privilege
  • D.2.4 Managing Sessions in Oracle BI Presentation Services
• D.3 Inheritance of Permissions and Privileges for Oracle BI Presentation Services
  • D.3.1 Rules for Inheritance for Permissions and Privileges
  • D.3.2 Example of Inherited Privileges for Application Roles
  • D.3.3 Example of Inherited Privileges for Catalog Groups
• D.4 Providing Shared Dashboards for Users
  • D.4.1 Understanding the Catalog Structure for Shared Dashboards
  • D.4.2 Creating Shared Dashboards
  • D.4.3 Testing the Dashboards
  • D.4.4 Releasing Dashboards to the User Community
• D.5 Controlling Access to Saved Customization Options in Dashboards
  • D.5.1 Overview of Saved Customizations in Dashboards
  • D.5.2 Administering Saved Customizations
    • D.5.2.1 Privileges for Saved Customizations
    • D.5.2.2 Permissions for Saved Customizations
      • D.5.2.2.1 Assigning Permissions to Dashboards
      • D.5.2.2.2 Assigning Permissions for Customizations on a Dashboard Page
      • D.5.2.2.3 Catalog Folder Structure for Saved Customizations
  • D.5.3 Permission and Privilege Settings for Creating Saved Customizations
  • D.5.4 Example Usage Scenario for Saved Customization Administration
• D.6 Enabling Users to Act for Others
  • D.6.1 Why Enable Users to Act for Others?
  • D.6.2 What are the Proxy Levels?
  • D.6.3 Process of Enabling Users to Act for Others
    • D.6.3.1 Defining the Association Between Proxy Users and Target Users
    • D.6.3.2 Creating Session Variables for Proxy Functionality
    • D.6.3.3 Modifying the Configuration File Settings for Proxy Functionality
    • D.6.3.4 Creating a Custom Message Template for Proxy Functionality
    • D.6.3.5 Assigning the Proxy Privilege
    • D.6.3.6 Assigning the manageRepositories Permission

Index