Introduction

This chapter describes the application roles and application policies that are managed in Oracle Enterprise Manager – Fusion Middleware Control. Application roles are new with OBIEE 11g and replace groups within OBIEE 10g.

  1. Default Application Role

An application role defines a set of permissions that are granted to a user or group. Application roles are defined in Fusion Middleware Control, which can be accessed at http://<machinename>:7001/em. To access the Application Roles page, right-click coreapplication in the left pane and select Security->Application Roles.

Default application roles include:

BISystem: Grants the permission necessary to impersonate other users. This role is required by Oracle BI System components for inter-component communication.

BIAdministrator: Grants the administrative permissions necessary to configure and manage the Oracle BI installation. Any member of the BIAdministrator group is explicitly granted this role and implicitly granted the BIAuthor and BIConsumer roles.

BIAuthor: Grants the permission necessary to create and edit content for other users to use. Any member of the BIAuthor group is explicitly granted this role and implicitly granted the BIConsumer role.

BIConsumer: Grants the permission necessary to use the content created by other users.

 

  2. Default Application Policies

Application policies are the authorization policies that an application relies upon for controlling access to its resources. Application policies are defined in Fusion Middleware Control. To access the Application Policies page, right-click coreapplication in the left pane and select Security->Application Policies.

The default file-based policy store contains the Oracle BI permissions. An example of a permission is oracle.bi.server.manageRepositories, which grants permission to open repositories in online mode in the Oracle BI Administrator tool. This permission is granted to the BIAdministrator role.

Note:

These policy permissions are not the same as those used to define access to BI objects (metadata, dashboards, reports and so on). Policy store permissions are used only to define the BI functionality that assigned roles can access.

  3. Default Security Settings in RPD

  • Open the repository in online mode to see the default security settings. Repository security should be managed in online mode. Select Manage->Identity to open the Identity Manager.

  • On the Users tab you can see the same set of users as those listed in the WebLogic Server Administration Console.

  • The Application Roles tab shows all application roles in the policy store.

  • The repository holds a cache of the identities, so users and application roles are visible in offline mode as well as online mode.

  4. Application Role Hierarchy

The above example illustrates the relationships among users, groups, application roles, and permissions.

The diagram in the example shows these relationships among the default application roles and the ways in which permissions are granted to users.

The table shows the role and permissions granted to all group members (users). In this example only one of the permissions granted by each role is shown.

  5. Create Groups

You use the WebLogic Server Administration Console to create groups. A group is a logically ordered set of users. Managing a group is more efficient than managing a large number of users individually.

  • The default identity store provided for managing users and groups is Oracle WebLogic Server’s embedded directory server.

  • In this example, three new groups are added: SalesAssociatesGroup, SalesManagersGroup and SalesSupervisorsGroup.

  • When you click the New button, a dialog box opens to create a new group.

  6. Create Group Hierarchies

  • The security realm in the WebLogic Server Administration Console is used to create group hierarchies.

  • On the Users and Groups tab in the security realm, click a group on the Groups subtab to view settings for the group.

  • On the Membership subtab, you can assign groups to other groups.

The example shows the group membership settings for the SalesSupervisorsGroup group. The SalesSupervisorsGroup group is a member of the SalesAssociatesGroup group. This means that any privileges assigned to the SalesAssociatesGroup group are inherited by the SalesSupervisorsGroup group.

  7. Create Users

Use the WebLogic Server Administration Console to create users. The default identity store provided for managing users is Oracle WebLogic Server’s embedded directory server. In the example below, two users, AZIFF and JCRUZ, are added.

When you click the New button, a dialog box is opened to create a new user. In the dialog box, you provide the user name, description, and password.

  8. Assign Users to Groups

  • On the “Users and Groups” tab in the Security realm, click a user on the Users subtab to view settings for the user.

  • On the Groups subtab, you can assign users to groups.

This example shows the group settings for the JCRUZ user. JCRUZ is a member of the Sales Managers and Sales Supervisors groups.

  9. Create Application Roles

Oracle recommends that you map groups and other application roles to application roles and not to individual users. Once mapped, all members of the groups and roles are granted the same rights. Controlling membership in a group reduces the complexity of tracking access rights for multiple individual users.

  10. Map Application Roles

Once an application role is created, you can map the application role to users or groups defined in the LDAP server, or you can map the application role to other application roles.

In the example shown below, the SalesAssociateRole is mapped to the Sales Associates group, the SalesManager application role, and the SalesSupervisors application role.

Note:

It is possible to add individual users to a role, but the best practice is to add groups or application roles, not individual users, to application roles.
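
An added example, not from the original article or from Oracle: a Python model of how a user's effective application roles resolve through nested groups and role-to-role mappings, with a check that flags direct user grants of the kind the note above advises against. AZIFF's group membership, the group mappings for the SalesManager and SalesSupervisors roles, and the direct BIAdministrator grant are assumptions constructed for illustration.

```python
# Constructed model of the identity store and policy store described above.
# Group names, JCRUZ's memberships and the SalesAssociateRole mapping come from
# the article; everything marked "assumed" is illustrative only.

USER_GROUPS = {
    "JCRUZ": {"SalesManagersGroup", "SalesSupervisorsGroup"},
    "AZIFF": {"SalesAssociatesGroup"},                         # assumed membership
}
# child group -> groups it is a member of
GROUP_PARENTS = {"SalesSupervisorsGroup": {"SalesAssociatesGroup"}}

# application role -> members, each a (kind, name) pair; kind is user/group/role
ROLE_MEMBERS = {
    "SalesAssociateRole": {("group", "SalesAssociatesGroup"),
                           ("role", "SalesManager"),
                           ("role", "SalesSupervisors")},
    "SalesManager": {("group", "SalesManagersGroup")},         # assumed mapping
    "SalesSupervisors": {("group", "SalesSupervisorsGroup")},  # assumed mapping
    "BIAdministrator": {("user", "AZIFF")},   # assumed direct grant, to be flagged
    "BIAuthor": {("role", "BIAdministrator")},
    "BIConsumer": {("role", "BIAuthor")},
}

def effective_groups(user):
    """Direct groups plus every group reached through nested membership."""
    seen, stack = set(), list(USER_GROUPS.get(user, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, ()))
    return seen

def effective_roles(user):
    """Expand role membership to a fixed point across users, groups and roles."""
    principals = {("user", user)} | {("group", g) for g in effective_groups(user)}
    roles, changed = set(), True
    while changed:
        changed = False
        for role, members in ROLE_MEMBERS.items():
            if role not in roles and members & principals:
                roles.add(role)
                principals.add(("role", role))  # a granted role can unlock others
                changed = True
    return roles

def direct_user_grants():
    """Role mappings that name an individual user instead of a group or role."""
    return sorted((role, name) for role, members in ROLE_MEMBERS.items()
                  for kind, name in members if kind == "user")
```

Running `effective_roles` for every user before and after a mapping change shows which accounts gain a role implicitly, which the console does not show at a glance.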


Selvi
