Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
Security
8/22/2019 19BR Security
http://slidepdf.com/reader/full/19br-security 1/37
Objectives
After completing this lesson, you should be able to:
• Identify and describe default security settings for Oracle BI
• Create users and groups
• Create application roles
• Set up permissions for repository objects
• Use query limits, timing restrictions, and filters to control
access to repository information
Business Challenge: Security Strategy
Security strategy designs for a business start with answers to these basic questions:
• Who will have access to company data and business resources?
• Under what conditions will access be limited or denied?
• How will access be enforced?
• How will users authenticate themselves?
• Where will credentials be stored?
Business Solution: Oracle BI Security
Controls access to system resources:
• Requires users to authenticate at login
• Restricts users to only those resources for which they are authorized
• Manages user identities, credentials, and permission grants
Managing Oracle BI Security
Oracle BI integrates with Oracle Fusion Middleware’s security platform.
• Oracle WebLogic Server Administration Console
– Management of users and groups for the embedded LDAP
server that serves as the out-of-the-box default identity store
• Oracle Enterprise Manager Fusion Middleware Control
– Management of policy store application roles that grant
permissions to users, groups, and other application roles
• Oracle BI Administration Tool
– Management of permissions for Presentation layer objects and business model objects in the repository
Oracle BI Default Security Model
During installation, three Oracle BI security controls are preconfigured with initial (default) values to form the default security model:
• Identity store
– Contains the definitions of users, groups, and group hierarchies required to control authentication
• Policy store
– Contains the definition of application roles, the permissions granted to the roles, and the members (users, groups, and application roles) of the roles
• Credential store
– Stores security-related credentials, such as user name and password combinations, for accessing an external system (such as a database or LDAP server)
Default Security Realm
BI domain
Default security realm
Select to view security realms.
Default Authentication Providers
Default authentication provider
Default Users
Default user
Default user
Default Groups
Default groups
Default Application Roles
Default application roles
Default Application Policies
Default Security Settings in the Repository
Default Application Role Hierarchy: Example
ABC Example
1. Create groups.
2. Create group hierarchies.
3. Create users.
4. Assign users to groups.
5. Create application roles.
6. Assign groups and roles to application roles.
7. Verify new users and application roles in Oracle BI.
8. Set up object permissions.
9. Set row-level security (data filters).
10. Set query limits and timing restrictions.
Create Groups
Use the security realm in the WebLogic Server Administration Console to create groups.
Click the New button to add new groups.
Create Group Hierarchies
Add groups to other groups to create group hierarchies.
Click a group to open the Settings dialog box.
Settings for the group
The group is a member of this group.
Available groups to which the group can be assigned
Create Users
Use the security realm in the WebLogic Server Administration Console to create users.
Click the New button to add new users.
Assign Users to Groups
Use the security realm in the WebLogic Server Administration Console to assign users to groups.
Click a user to open the Settings dialog box.
Settings for user
The user is a member of these groups.
Available groups to which the user can be assigned
Create Application Roles
Use Fusion Middleware Control Enterprise Manager to create application roles.
Click Create to create a new application role.
New application roles
Map Application Roles
Map application roles to groups or other application roles.
Click an application role to edit.
Application roles can be mapped to both groups and other application roles.
Application Role Hierarchies
Mapping application roles to other application roles creates application role hierarchies.
Verify Security Settings in Oracle BI
Restart Oracle BI Server to make policy store changes visible throughout Oracle BI.
Verify Security Settings in the Repository
Set Up Object Permissions
Set up object permissions in your repository to control access to Presentation layer and BMM layer objects.
1. Open object properties.
2. Click Permissions.
3. Set permissions.
4. User logs in.
5. User sees objects based on permissions.
Permission Inheritance
• Permissions granted explicitly to a user take precedence over privileges granted through application roles.
• Permissions granted explicitly to an application role take precedence over any privileges granted through other application roles.
• If security attributes conflict at the same level, a user or application role is granted the least-restrictive security attribute.
Permission Inheritance: Example
User 1
    Member Role 1
    Member Role 2
Role 1
    NO ACCESS Table A
    Member Role 3
    Member Role 4
Role 2
    READ Table A
    Member Role 5
Role 3
    READ Table B
Role 4
    READ Table C
Role 5
    NO ACCESS Table A
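The three precedence rules applied to the roles and tables in this example, as an added sketch that is not part of the Oracle course material. The names GRANTS, MEMBER_OF and effective are hypothetical, and the results follow only from the rules as stated on the Permission Inheritance slide.

```python
# Added example: resolves effective permissions with the slide's three rules.
# All names here are hypothetical; this is not Oracle BI code.

RANK = {"NO ACCESS": 0, "READ": 1}  # higher rank = less restrictive

# Explicit grants and memberships transcribed from the example diagram.
GRANTS = {
    "Role 1": {"Table A": "NO ACCESS"},
    "Role 2": {"Table A": "READ"},
    "Role 3": {"Table B": "READ"},
    "Role 4": {"Table C": "READ"},
    "Role 5": {"Table A": "NO ACCESS"},
}
MEMBER_OF = {
    "User 1": ["Role 1", "Role 2"],
    "Role 1": ["Role 3", "Role 4"],
    "Role 2": ["Role 5"],
}


def effective(principal, obj, grants=GRANTS, member_of=MEMBER_OF, _seen=()):
    """Return the permission `principal` ends up with on `obj`.

    None means no grant was found anywhere in the hierarchy; what applies
    in that case is a repository default outside the scope of this sketch.
    """
    if principal in _seen:  # guard against cyclic role mappings
        return None
    # Rules 1 and 2: an explicit grant on the user or role itself beats
    # anything inherited through the roles it is a member of.
    explicit = grants.get(principal, {}).get(obj)
    if explicit is not None:
        return explicit
    # Otherwise collect what each parent role resolves to.
    inherited = [
        effective(role, obj, grants, member_of, _seen + (principal,))
        for role in member_of.get(principal, [])
    ]
    inherited = [perm for perm in inherited if perm is not None]
    if not inherited:
        return None
    # Rule 3: a conflict at the same level yields the least restrictive.
    return max(inherited, key=RANK.__getitem__)


if __name__ == "__main__":
    for table in ("Table A", "Table B", "Table C"):
        print("User 1", table, effective("User 1", table))
```

Role 1's NO ACCESS on Table A does not act as a deny override: the READ inherited through Role 2 sits at the same level and wins, so denying User 1 requires an explicit NO ACCESS on the user or a change to every role at that level.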
Set Row-Level Security (Data Filters)
"SupplierSales"."Dim-Customer"."Sales Rep" = 'JOSE CRUZ' OR
"SupplierSales"."Dim-Customer"."Sales Rep" = 'ALAN ZIFF' OR
"SupplierSales"."Dim-Customer"."Sales Rep" = 'BETTY NEWER'
Filter set on Sales Rep object for application role members
Set Query Limits
Use the Query Limits tab to:
• Control the number of rows accessed by a user or role
• Control the maximum query run time
• Enable or disable Populate Privilege
• Enable or disable Execute Direct Database Requests
Set Timing Restrictions
Restrict access to a database during particular time periods.
Summary
In this lesson, you should have learned how to:
• Identify and describe default security settings in Oracle BI
• Create users and groups
• Create application roles
• Set up permissions for repository objects
• Use query limits, timing restrictions, and filters to control access to repository information
Practice 19-1 Overview:
Exploring Default Security Settings
This practice covers Oracle BI default security settings in the identity store, policy store, and credential store.
Practice 19-2 Overview:
Creating Users and Groups
This practice covers using the WebLogic Server Administration Console to create users and groups.
Practice 19-3 Overview:
Creating Application Roles
This practice covers using Enterprise Manager Fusion Middleware Control to create application roles in the policy store.
Practice 19-4 Overview:
Setting Up Object Permissions
This practice covers setting up object permissions in the repository.
Practice 19-5 Overview:
Setting Row-Level Security (Data Filters)
This practice covers setting row-level security in the repository.