About

Oracle BI uses a role-based access control model. Security is defined in terms of the Application roles that are mapped to directory server groups and users.

1. Clear Implicit Fact

Implicit Fact is required only if you have two fact tables. Oracle provides you an option to clear the implicit fact table if you need single fact table alone.

To remove the implicit fact column, Click the Clear button in the Subject Area properties box.

Figure 1

2. Security

Authentication layer is built-in to the Oracle BI to check whether the correct user login to the system.  Setting up the security involves the following steps:

• Identify and describe security settings for Oracle BI Server.

• Create Users and Groups.

• Create Application roles.

• Set up permissions for repository objects.

• Use query limits, timing restrictions, and filters to control access to repository information.

1. Business Challenge

Who will have access to company data and business resources?

Under what conditions will access be limited or denied?

How will access be enforced?

How will users authenticate themselves?

Where will credentials be stored?

2.2- Business Solution

The solution for securing Oracle BI Server can be divided into two broad categories by controlling access to the components within the BI domain (resource access security) and controlling access to business source data (data access security).

Controlling access to system resources is achieved by the following steps:

It requires users to be authenticated during login process.

It restricts users to only those resources for which they are authorized.

It manages user identities, credentials, and permission grants. This allows you to control system access by validating users at login (authentication) and control access to specific Oracle BI components and features according to a user’s permission grants (authorization).

3. Managing Oracle BI Security

Oracle BI integrates with Oracle Fusion Middleware’s security platform:

Oracle WebLogic server Administration Console manages users and groups for the embedded LDAP server that serves as the default identity store.

Oracle Fusion MiddleWare Control manages policy store application roles that grant permissions to users, groups, and other application roles.

Oracle BI Administration tool manages permissions for presentation layer objects and business model objects in the repository.

4. Default Security Model

During installation, three Oracle BI security controls are preconfigured with initial or default values to form the default security model:

Identity Store contains the definitions of users, groups, and group hierarchies required to control authentication.

Policy Store contains the definition of application roles, the permissions granted to the roles, and the members (users, groups, and application roles) of the roles. It is designed to hold the application-role and permission-grant mappings to users and groups that are required to control authorization.

Credential Store stores the security-related credentials, such as user name and password combinations, for accessing an external system (such as database or LDAP server).

5. Default Security Alarm

You can access the Administration Console can be accessed with the following URL: http://<machine name>:7001/Console.

On the left side of the console, under Domain Structure , note that there is a single weblogic domain named bifoundation_domain into which of the BI Applications are deployed.

The OBI installer installs a single domain with a single security alarm namely myrealm in it. A security realm is a container for the mechanisms that are used to protect WebLogic resources. This includes users, groups, security policies, and security providers. Whereas multiple security realms can be defined for the BI domain, only one can be active.

Click myrealm to view its settings.

6. Default Authentication Provider

An authentication provider establishes the identity of users and system processes, transmits identity information, and serves as a repository from which components can retrieve identity information.

When a user logs in to a system with a username and password combination, Oracle WebLogic Server validates identity based on the combination provided.

Alternative security providers can be used if desired and managed in the Oracle WebLogic Administration console, but the WebLogic Authentication provider is used by default.

Note : There is a default WebLogic identity Assertion Provider, which is used primarily for Single Sign On.

7. Default Users

The default identity store contains user names that are specific to Oracle BI. These default user names are provided as a convenience so you can begin using the Oracle BI Software immediately after installation, but you are not required to maintain the default names. In the example shown below, the users are BISystemUser and weblogic.

Figure 2

Weblogic is the administrative user. After installation, a single administrative user is shared by Oracle BI and Oracle WebLogic server. The same username and password that were supplied during the installation process are used for both. The username that is created during installation can be any desired name and need not to be Administrator.

The password is also provided during installation and can be changed afterwards by using the administrative interface for the identity store. In the default security configuration, an administrative user is a member of the BIAdministrators group and has all rights granted to the Oracle BI Administrator user in earlier releases, which is the exception of impersonation. The administrative user cannot impersonate other users.

Oracle BI System components now establish a connection to each other as BISystemUser instead of as the Administrator. Using a trusted system account such as BISystemUser to secure communication between components enables you to change the password of your deployment’s system administrator account without affecting communication between components.

8. Default Groups

Groups are logically ordered sets of users. Creating groups of users who have similar needs for access to system resources enables easier security management. Managing a group is more efficient than managing a larger number of users individually. Oracle recommends that you organize users into groups for easier maintenance. Groups are then mapped to application roles in order to grant rights. Three default group names are provided as a convenience so you can begin using the Oracle BI Software immediately after installation, but you are not required to maintain the default names.

BIAdministratorsgroup : Members have the equivalent permissions of the Administrator user of earlier releases with the exception of the ability to impersonate. The Administrator user of earlier releases could impersonate, but members of the BIAdministrators group cannot impersonate other users.

BIAuthors group: Members have the permissions necessary to read/create content for other users to use.

BIConsumers group: Members have the permission to use content created by other users. The BIConsumers group represent all users who have been authenticated by Oracle BI. By default, every Oracle BI authenticated user is part of BIConsumers group and does not need to be explicitly added to the group. The BIConsumers group includes the Oracle WebLogic server users group as a member.

Selvi

Add comment