Overview of Security in Oracle Business Intelligence
Oracle Business Intelligence 11g is tightly integrated with the Oracle Fusion Middleware Security architecture and delegates core security functionality to components of that architecture. Specifically, any Oracle Business Intelligence installation makes use of the following types of security providers:
•An authentication provider that knows how to access information about the users and groups accessible to Oracle Business Intelligence and is responsible for authenticating users.
•A policy store provider that provides access to Application Roles and Application Policies, which forms a core part of the security policy and determines what users can and cannot see and do in Oracle Business Intelligence.
•A credential store provider that is responsible for storing and providing access to credentials required by Oracle Business Intelligence.
By default, an Oracle Business Intelligence installation is configured with an authentication provider that uses the Oracle WebLogic Server embedded LDAP server for user and group information. The Oracle Business Intelligence default policy store provider and credential store provider store Credentials, Application Roles and Application Policies in files in the domain.
After installing Oracle Business Intelligence you can reconfigure the domain to use alternative security providers, if desired. For example, you might want to reconfigure your installation to use an Oracle Internet Directory, Oracle Virtual Directory, Microsoft Active Directory, or another LDAP server for authentication. You might also decide to reconfigure your installation to use Oracle Internet Directory, rather than files, to store Credentials, Application Roles, and Application Policies.
1.3 About Authentication
Each Oracle Business Intelligence 11g installation has an associated Oracle WebLogic Server domain. Oracle Business Intelligence delegates user authentication to the first authentication provider configured for that domain.
The default authentication provider accesses user and group information stored in the LDAP server embedded in the Oracle WebLogic Server domain of the Oracle Business Intelligence installation. The Oracle WebLogic Server Administration Console can be used to create and manage users and groups in the embedded LDAP server.
You might choose to configure an authentication provider for an alternative directory. In this case, Oracle WebLogic Server Administration Console enables you to view the users and groups in your directory. However, you need to continue to use the appropriate tools to make any modifications to the directory. For example, if you reconfigure Oracle Business Intelligence to use OID, you can view users and groups in Oracle WebLogic Server Administration Console but you must manage them in OID Console.
For more information about managing users and groups in the embedded LDAP server, see Chapter 2, "Managing Security Using the Default Security Configuration".
For more information about Oracle WebLogic Server domains and authentication providers, see Oracle Fusion Middleware Securing Oracle WebLogic Server.
1.4 About Authorization
After a user has been authenticated, the next critical aspect of security is ensuring that the user can do and see only what they are authorized to do and see. Authorization for Oracle Business Intelligence release 11g is controlled by a security policy defined in terms of Application Roles.
1.4.1 About Application Roles
Instead of defining the security policy directly in terms of users and groups in a directory server, Oracle Business Intelligence uses a role-based access control model. Security is defined in terms of Application Roles that are mapped to directory server groups and users. For example, the Application Roles BIAdministrator, BIConsumer, and BIAuthor are installed out-of-the-box.
Application Roles represent a functional role that a User has, which gives that User the privileges required to perform that role. For example, having the Sales Analyst Application Role might grant a User access to view, edit and create reports on a company's sales pipeline.
This indirection between Application Roles and directory server users and groups allows the administrator for Oracle Business Intelligence to define the Application Roles and policies without creating additional users or groups in the corporate LDAP server. Instead, the administrator defines Application Roles that meet the authorization requirements and maps those roles to pre-existing users and groups in the corporate LDAP server.
In addition, the indirection afforded by Application Roles allows the artifacts of a business intelligence system to be easily moved between development, test and production environments. No change to the security policy is needed and all that is required is to map the Application Roles to the users and groups available in the target environment.
Figure 1-1 shows an example using the default set of Users, Groups, and Application Roles.
Figure 1-1 Example Users, Groups, Application Roles, and Permissions
Figure 1-1 shows the following:
•The Group named 'BIConsumers' contains User1, User2, and User3. Users in the Group 'BIConsumers' are assigned the Application Role 'BIConsumer', which enables the users to view reports.
•The Group named 'BIAuthors' contains User4 and User5. Users in the Group 'BIAuthors' are assigned the Application Role 'BIAuthor', which enables the users to create reports.
•The Group named 'BIAdministrators' contains User6 and User7. Users in the Group 'BIAdministrators' are assigned the Application Role 'BIAdministrator', which enables the users to manage responsibilities.
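The indirection described above (permissions granted to Application Roles, roles mapped to directory groups, the mapping swapped per environment) can be made concrete with a small model. The following is an added example, not Oracle's code or the product's API: the directory contents are constructed to mirror Figure 1-1, the production group names (corp-bi-readers and so on) and the permission names are hypothetical, and the functions `validate_mapping`, `roles_for`, `permissions_for` and `is_authorized` are illustration only. The point it demonstrates is that the policy object is identical in both environments and only the role-to-group mapping changes, and that a user in no mapped group receives no permissions at all.

```python
"""Model of the Application Role indirection (added example, not Oracle code).

Three separate pieces of state, matching the text:
  * a directory of groups and their members (what the authentication
    provider knows about),
  * a security policy that grants permissions to Application Roles only,
  * a per-environment mapping from Application Roles to directory groups.
"""

# Constructed sample directory data modelled on Figure 1-1 (not a real LDAP).
DEV_DIRECTORY = {
    "BIConsumers": {"User1", "User2", "User3"},
    "BIAuthors": {"User4", "User5"},
    "BIAdministrators": {"User6", "User7"},
}

# Hypothetical production directory: different group names, different people.
PROD_DIRECTORY = {
    "corp-bi-readers": {"alice", "bob"},
    "corp-bi-developers": {"carol"},
    "corp-bi-admins": {"dave"},
}

# The security policy never mentions users or groups, only Application Roles.
# Permission names are hypothetical labels for the capabilities in Figure 1-1.
POLICY = {
    "BIConsumer": {"view_reports"},
    "BIAuthor": {"create_reports"},
    "BIAdministrator": {"manage_responsibilities"},
}

# Environment-specific mappings: this is the only thing that changes when the
# same policy is moved from development to production.
DEV_ROLE_MAPPING = {
    "BIConsumer": ["BIConsumers"],
    "BIAuthor": ["BIAuthors"],
    "BIAdministrator": ["BIAdministrators"],
}
PROD_ROLE_MAPPING = {
    "BIConsumer": ["corp-bi-readers"],
    "BIAuthor": ["corp-bi-developers"],
    "BIAdministrator": ["corp-bi-admins"],
}


def validate_mapping(mapping, directory, policy):
    """Reject a mapping that names a role absent from the policy or a group
    absent from the directory. A misspelled group name would otherwise map a
    role to nobody, which is the kind of silent gap a migration should catch."""
    for role, groups in mapping.items():
        if role not in policy:
            raise ValueError(f"unknown Application Role: {role}")
        for group in groups:
            if group not in directory:
                raise ValueError(f"unknown directory group: {group}")
    return True


def roles_for(user, directory, mapping):
    """Application Roles a user holds via membership in a mapped group."""
    return {
        role
        for role, groups in mapping.items()
        if any(user in directory.get(group, ()) for group in groups)
    }


def permissions_for(user, directory, mapping, policy):
    """Union of the permissions granted to each of the user's roles.
    A user in no mapped group gets the empty set (deny by default)."""
    perms = set()
    for role in roles_for(user, directory, mapping):
        perms |= policy.get(role, set())
    return perms


def is_authorized(user, permission, directory, mapping, policy):
    return permission in permissions_for(user, directory, mapping, policy)


if __name__ == "__main__":
    for env, directory, mapping in (
        ("dev", DEV_DIRECTORY, DEV_ROLE_MAPPING),
        ("prod", PROD_DIRECTORY, PROD_ROLE_MAPPING),
    ):
        validate_mapping(mapping, directory, POLICY)
        members = sorted(u for g in directory.values() for u in g)
        for user in members:
            print(env, user, sorted(permissions_for(user, directory, mapping, POLICY)))
```

Running the script prints each user's effective permissions in both environments; the same `POLICY` dictionary serves both, which is the property the text relies on when artifacts move between development, test and production.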
1.4.2 About the Security Policy
In Oracle Business Intelligence release 11g, the security policy definition is split across the following components:
•Presentation Catalog – This defines the catalog objects and Oracle BI Presentation Services functionality that the Users with specific Application Roles can access. Access to functionality is defined in the Managing Privileges page in terms of Presentation Catalog privileges and access to presentation catalog objects is defined in the Permission dialog.
•Repository – This defines which Application Roles and users have access to which items of metadata within the repository. The Oracle BI Administration Tool is used to define this security policy.
•Policy Store – This defines which Oracle BI Server, BI Publisher, and Real Time Decisions functionality can be accessed by given users or users with given Application Roles. In the default Oracle Business Intelligence configuration, the policy store is managed using Oracle Enterprise Manager Fusion Middleware Control. For more information about the policy store, see Oracle Fusion Middleware Security Guide.
Friday, December 17, 2010