Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Security
19BR Security

Aug 08, 2018

Mohamed Abrar
Page 1: 19BR Security

8/22/2019 19BR Security

http://slidepdf.com/reader/full/19br-security 1/37

Security

Objectives

After completing this lesson, you should be able to:
• Identify and describe default security settings for Oracle BI
• Create users and groups
• Create application roles
• Set up permissions for repository objects
• Use query limits, timing restrictions, and filters to control access to repository information

Business Challenge: Security Strategy

Security strategy designs for a business start with answers to these basic questions:
• Who will have access to company data and business resources?
• Under what conditions will access be limited or denied?
• How will access be enforced?
• How will users authenticate themselves?
• Where will credentials be stored?

Business Solution: Oracle BI Security

Controls access to system resources:
• Requires users to authenticate at login
• Restricts users to only those resources for which they are authorized
• Manages user identities, credentials, and permission grants

Managing Oracle BI Security

Oracle BI integrates with Oracle Fusion Middleware’s security platform.
• Oracle WebLogic Server Administration Console
  – Management of users and groups for the embedded LDAP server that serves as the out-of-the-box default identity store
• Oracle Enterprise Manager Fusion Middleware Control
  – Management of policy store application roles that grant permissions to users, groups, and other application roles
• Oracle BI Administration Tool
  – Management of permissions for Presentation layer objects and business model objects in the repository

Oracle BI Default Security Model

During installation, three Oracle BI security controls are preconfigured with initial (default) values to form the default security model:
• Identity store
  – Contains the definitions of users, groups, and group hierarchies required to control authentication
• Policy store
  – Contains the definition of application roles, the permissions granted to the roles, and the members (users, groups, and application roles) of the roles
• Credential store
  – Stores security-related credentials, such as user name and password combinations, for accessing an external system (such as a database or LDAP server)

Default Security Realm

[Screenshot callouts: BI domain; Default security realm; Select to view security realms.]

Default Authentication Providers

[Screenshot callout: Default authentication provider]

Default Users

[Screenshot callouts: Default user; Default user]

Default Groups

[Screenshot callout: Default groups]

Default Application Roles

[Screenshot callout: Default application roles]

Default Application Policies

Default Security Settings in the Repository

Default Application Role Hierarchy: Example

ABC Example

1. Create groups.
2. Create group hierarchies.
3. Create users.
4. Assign users to groups.
5. Create application roles.
6. Assign groups and roles to application roles.
7. Verify new users and application roles in Oracle BI.
8. Set up object permissions.
9. Set row-level security (data filters).
10. Set query limits and timing restrictions.

Create Groups

Use the security realm in the WebLogic Server Administration Console to create groups.

Click the New button to add new groups.

Create Group Hierarchies

Add groups to other groups to create group hierarchies.

Click a group to open the Settings dialog box.

[Screenshot callouts: Settings for the group; The group is a member of this group; Available groups to which the group can be assigned]

Create Users

Use the security realm in the WebLogic Server Administration Console to create users.

Click the New button to add new users.

Assign Users to Groups

Use the security realm in the WebLogic Server Administration Console to assign users to groups.

Click a user to open the Settings dialog box.

[Screenshot callouts: Settings for user; The user is a member of these groups; Available groups to which the user can be assigned]

Create Application Roles

Use Fusion Middleware Control Enterprise Manager to create application roles.

Click Create to create a new application role.

[Screenshot callout: New application roles]

Map Application Roles

Map application roles to groups or other application roles.

Click an application role to edit.

Application roles can be mapped to both groups and other application roles.

Application Role Hierarchies

Mapping application roles to other application roles creates application role hierarchies.

Verify Security Settings in Oracle BI

Restart Oracle BI Server to make policy store changes visible throughout Oracle BI.

Verify Security Settings in the Repository

Set Up Object Permissions

Set up object permissions in your repository to control access to Presentation layer and BMM layer objects.

1. Open object properties.
2. Click Permissions.
3. Set permissions.
4. User logs in.
5. User sees objects based on permissions.

Permission Inheritance

• Permissions granted explicitly to a user take precedence over privileges granted through application roles.
• Permissions granted explicitly to an application role take precedence over any privileges granted through other application roles.
• If security attributes conflict at the same level, a user or application role is granted the least-restrictive security attribute.

Permission Inheritance: Example

• User 1: Member Role 1; Member Role 2
• Role 1: NO ACCESS Table A; Member Role 3; Member Role 4
• Role 2: READ Table A; Member Role 5
• Role 3: READ Table B
• Role 4: READ Table C
• Role 5: NO ACCESS Table A
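
The three precedence rules and the role diagram above can be checked mechanically. The following Python is an added example, not Oracle's code or part of the original slides; the data model, the function names, and the reading of "Member Role N" as "inherits from Role N" are assumptions.

```python
# Added example: effective permissions under the slide's three inheritance rules.
from typing import List, Optional

RANK = {"NO ACCESS": 0, "READ": 1}  # higher rank = less restrictive

# Constructed from the example slide; assumes "Member Role N" = inherits from Role N.
MEMBER_OF = {
    "User 1": ["Role 1", "Role 2"],
    "Role 1": ["Role 3", "Role 4"],
    "Role 2": ["Role 5"],
}
EXPLICIT = {
    ("Role 1", "Table A"): "NO ACCESS",
    ("Role 2", "Table A"): "READ",
    ("Role 3", "Table B"): "READ",
    ("Role 4", "Table C"): "READ",
    ("Role 5", "Table A"): "NO ACCESS",
}


def effective(principal: str, obj: str) -> Optional[str]:
    """Permission `principal` ends up with on `obj` (acyclic role graph assumed)."""
    # Rules 1 and 2: an explicit grant beats anything inherited through roles.
    if (principal, obj) in EXPLICIT:
        return EXPLICIT[(principal, obj)]
    # Rule 3: among grants arriving at the same level, the least restrictive wins.
    parents = MEMBER_OF.get(principal, [])
    inherited = [p for p in (effective(r, obj) for r in parents) if p is not None]
    return max(inherited, key=RANK.__getitem__) if inherited else None


def overridden_denies(principal: str, obj: str) -> List[str]:
    """Roles whose explicit NO ACCESS on `obj` does not reach `principal`."""
    if effective(principal, obj) in (None, "NO ACCESS"):
        return []
    found, stack, seen = [], list(MEMBER_OF.get(principal, [])), set()
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            if EXPLICIT.get((role, obj)) == "NO ACCESS":
                found.append(role)
            stack.extend(MEMBER_OF.get(role, []))
    return sorted(found)


if __name__ == "__main__":
    for table in ("Table A", "Table B", "Table C"):
        print(table, effective("User 1", table), overridden_denies("User 1", table))
```

Under these rules User 1 ends up with READ on Tables A, B, and C: the NO ACCESS grants on Role 1 and Role 5 are both overridden. When reviewing a role design, a deny placed on one role therefore cannot be relied on to block an object for users who also belong to a role that grants it.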

Set Row-Level Security (Data Filters)

"SupplierSales"."Dim-Customer"."Sales Rep" = 'JOSE CRUZ' OR
"SupplierSales"."Dim-Customer"."Sales Rep" = 'ALAN ZIFF' OR
"SupplierSales"."Dim-Customer"."Sales Rep" = 'BETTY NEWER'

Filter set on Sales Rep object for application role members

Set Query Limits

Use the Query Limits tab to:
• Control the number of rows accessed by a user or role
• Control the maximum query run time
• Enable or disable Populate Privilege
• Enable or disable Execute Direct Database Requests

Set Timing Restrictions

Restrict access to a database during particular time periods.

Summary

In this lesson, you should have learned how to:
• Identify and describe default security settings in Oracle BI
• Create users and groups
• Create application roles
• Set up permissions for repository objects
• Use query limits, timing restrictions, and filters to control access to repository information

Practice 19-1 Overview: Exploring Default Security Settings

This practice covers Oracle BI default security settings in the identity store, policy store, and credential store.

Practice 19-2 Overview: Creating Users and Groups

This practice covers using the WebLogic Server Administration Console to create users and groups.

Practice 19-3 Overview: Creating Application Roles

This practice covers using Enterprise Manager Fusion Middleware Control to create application roles in the policy store.

Practice 19-4 Overview: Setting Up Object Permissions

This practice covers setting up object permissions in the repository.

Practice 19-5 Overview: Setting Row-Level Security (Data Filters)

This practice covers setting row-level security in the repository.

Practice 19-6 Overview: Setting Query Limits and Timing Restrictions

This practice covers managing the query environment by setting query limits and timing restrictions in the repository.