Saturday, February 22, 2014

Oracle Business Intelligence 11g Security (Part 1)

Oracle Business Intelligence Security can be divided into two broad areas: controlling access to the components within the BI domain (resource access security) and controlling access to business source data (data access security).

Oracle BI integrates with Oracle Fusion Middleware’s security platform.
• Oracle WebLogic Server Administration Console
– Management of users and groups for the embedded LDAP server that serves as the default identity store
• Oracle Fusion Middleware Control
– Management of policy store application roles that grant permissions to users, groups, and other application roles
• Oracle BI Administration Tool
– Management of permissions for Presentation layer objects and business model objects in the repository


Oracle BI Default Security Model

During installation, three Oracle BI security controls are preconfigured with initial (default) values to form the default security model:
• Identity store
– Contains the definitions of users, groups, and group hierarchies required to control authentication
• Policy store
– Contains the definition of application roles, the permissions granted to the roles, and the members (users, groups, and applications roles) of the roles
• Credential store
– Stores security-related credentials, such as user name and password combinations, for accessing an external system (such as a database or LDAP server)

Default Security Realm

A security realm is a container for the mechanisms that are used to protect WebLogic resources. This includes users, groups, security roles, security policies, and security providers. Whereas multiple security realms can be defined for the BI domain, only one can be active (that is, only one can be designated as the default realm at any given time). There is a single default security realm named myrealm.


Default Authentication Providers

An authentication provider establishes the identity of users and system processes, transmits identity information, and serves as a repository from which components can retrieve identity information. The WebLogic Authentication Provider, backed by the embedded LDAP server, is used by default. There is also a default WebLogic Identity Assertion Provider, which is used primarily for single sign-on.


Default Users


weblogic: the administrative user. After installation, a single administrative user is shared by Oracle BI and Oracle WebLogic Server; the user name and password supplied during installation are used for both, and the password can be changed afterward through the administration interface for the identity store. In the default security configuration, this administrative user is a member of the BIAdministrators group.

BISystemUser: Oracle BI system components establish connections to each other as BISystemUser rather than as the Administrator user (the practice in earlier releases). Using a trusted system account such as BISystemUser to secure communication between components lets you change the password of your deployment's system administrator account without affecting communication between those components. The name of this user is a default and can be changed, or a different user can be created for interprocess communication. This is a highly privileged user (by default the sole member of the BISystem application role, which carries the impersonation permission), so its credentials must be kept from nonadministrative users. Its password is also held in the credential store (map oracle.bi.system, key system.user); if you change it in the identity store, update the credential store entry as well, or the components can no longer authenticate to each other.


Default Groups

Groups are logically ordered sets of users. Creating groups of users who have similar needs for access to system resources enables easier security management.

BIAdministrators group: Members have the equivalent permissions of the Administrator user of earlier releases with the exception of the ability to impersonate.
BIAuthors group: Members have the permissions necessary to create content for other users to use.
BIConsumers group: Members have the permissions necessary to use (or consume) content created by other users.  By default, every Oracle BI authenticated user is part of the BIConsumers group and does not need to be explicitly added to the group.



Default Application Roles


An application role defines a set of permissions that are granted to a user or group. Application roles are defined in Fusion Middleware Control, which is accessed via http://<machine name>:7001/em (7001 is the default Administration Server port). To access the Application Roles page, right-click coreapplication in the left pane and select Security > Application Roles.

Default application roles include:
• BISystem: Grants the permissions necessary to impersonate other users. This role is required by Oracle BI system components for intercomponent communication; BISystemUser is its default member.
• BIAdministrator: Grants the administrative permissions necessary to configure and manage the Oracle BI installation. Any member of the BIAdministrators group is explicitly granted this role and implicitly granted the BIAuthor and BIConsumer roles.
• BIAuthor: Grants the permissions necessary to create and edit content for other users to use (or to consume). Any member of the BIAuthors group is explicitly granted this role and implicitly granted the BIConsumer role.
• BIConsumer: Grants the permissions necessary to use (or to consume) content created by other users.



Default Application Policies

Application policies are the authorization policies that an application relies upon for controlling access to its resources. Application policies are defined in Fusion Middleware Control. To access the Application Policies page, right-click coreapplication in the left pane and select Security > Application Policies.


Permission Inheritance

Permissions granted explicitly to a user take precedence over permissions granted through application roles, and permissions granted explicitly to an application role take precedence over permissions that role inherits through membership in other application roles. When several application roles at the same level grant conflicting permissions on the same object, the least restrictive permission wins. In practice this means that a setting placed on BIConsumer is overridden for authors wherever BIAuthor carries its own explicit setting on the same object.
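As an added illustration (example code written for this post, not Oracle's implementation), the following Python model resolves a user's effective permission on a repository object under the precedence rules above, using the default BIAdministrator > BIAuthor > BIConsumer role membership. The users, the custom roles RegionalManager and Auditor, the objects and the grants are constructed sample data, and the three permission levels are an assumption for illustration.

```python
"""Effective-permission resolver modelling the precedence rules above.

Added example, not Oracle code. Constructed sample data: users, the custom roles
RegionalManager and Auditor, the objects and the grants on them. The three
permission levels are an assumption for illustration.
"""

# Permission levels ordered from most to least restrictive (higher index = more permissive).
LEVELS = ["NO_ACCESS", "READ", "READ_WRITE"]

# Role membership as in the default 11g model: holding the key role implicitly grants every
# role in its list (BIAdministrator is a member of BIAuthor, which is a member of BIConsumer).
ROLE_IMPLIES = {
    "BIAdministrator": ["BIAuthor"],
    "BIAuthor": ["BIConsumer"],
    "BIConsumer": [],
    "BISystem": [],
    "RegionalManager": ["BIConsumer"],  # hypothetical custom roles
    "Auditor": ["BIConsumer"],
}

# Default group -> role mapping of the policy store.
GROUP_ROLES = {
    "BIAdministrators": ["BIAdministrator"],
    "BIAuthors": ["BIAuthor"],
    "BIConsumers": ["BIConsumer"],
}

# Identity store sample (constructed). BIConsumers membership is listed explicitly here,
# although the product adds every authenticated user to it implicitly.
USER_GROUPS = {
    "weblogic": ["BIAdministrators"],
    "alice": ["BIAuthors"],
    "bob": ["BIConsumers"],
    "carol": ["BIConsumers"],
}
# Roles granted directly to a user rather than through a group.
USER_ROLES = {"carol": ["RegionalManager", "Auditor"]}

# Object permissions (constructed): principal -> {object: level}.
# A principal with no entry for an object says nothing about it.
GRANTS = {
    "role:BIConsumer": {"Sales.Revenue": "READ", "HR.Salary": "NO_ACCESS"},
    "role:BIAuthor": {"HR.Salary": "READ"},
    "role:RegionalManager": {"HR.Reviews": "READ"},
    "role:Auditor": {"HR.Reviews": "NO_ACCESS"},
    "user:bob": {"HR.Salary": "READ_WRITE"},  # explicit user grant: beats every role
}


def direct_roles(user):
    """Roles explicitly granted to the user, directly or through group membership."""
    roles = set(USER_ROLES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        roles.update(GROUP_ROLES.get(group, []))
    return roles


def roles_by_depth(user):
    """Layer the user's roles by how they were obtained: depth 0 = explicitly granted,
    depth n = reached only through n steps of role membership."""
    layers, seen = [], set()
    frontier = direct_roles(user)
    while frontier:
        layers.append(frontier)
        seen |= frontier
        frontier = {r for role in frontier for r in ROLE_IMPLIES.get(role, [])} - seen
    return layers


def effective_permission(user, obj, default="NO_ACCESS"):
    """Explicit user grant first; otherwise the shallowest layer holding a grant on obj,
    and within that layer the least restrictive level (conflict between roles at one depth)."""
    explicit = GRANTS.get(f"user:{user}", {}).get(obj)
    if explicit is not None:
        return explicit, "explicit user grant"
    for depth, layer in enumerate(roles_by_depth(user)):
        found = {r: GRANTS[f"role:{r}"][obj]
                 for r in layer if obj in GRANTS.get(f"role:{r}", {})}
        if found:
            winner = max(found, key=lambda r: LEVELS.index(found[r]))
            return found[winner], f"role {winner} (depth {depth})"
    return default, "no grant found"


if __name__ == "__main__":
    for user, obj in [("alice", "HR.Salary"), ("weblogic", "HR.Salary"),
                      ("bob", "HR.Salary"), ("carol", "HR.Reviews"), ("dave", "Sales.Revenue")]:
        level, why = effective_permission(user, obj)
        print(f"{user:9} {obj:14} -> {level:10} via {why}")
```

Note what the model makes visible: alice, an author, gets READ on HR.Salary because BIAuthor's explicit grant sits closer to her than BIConsumer's NO_ACCESS, while carol, who holds two custom roles at the same depth with conflicting grants, ends up with the less restrictive READ. Whenever you add a custom role, check the object permissions a consumer-level deny was meant to enforce, because any explicit grant on the new role overrides it for its members.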



Set Row-Level Security (Data Filters)

Data filters are a security feature that provides a way to enforce row-level security rules in the repository. Data filters are set up in the repository using the Administration Tool and are applied for a particular user or application role. You do not set up data filters if you have implemented row-level security in the database, because in this case, your row-level  security policies are being enforced by the database rather than by Oracle BI Server.

Data filters can be set for objects in both the BMM layer and the Presentation layer.  Applying a filter on a logical object affects all Presentation layer objects that use the object.  If you set a filter on a Presentation layer object, it is applied in addition to any filters that might be set on the underlying logical objects.

It is a best practice to set up data filters for particular application roles rather than for individual users.


Set Query Limits


Use the Query Limits tab to control the following activities:
• Control runaway queries by limiting queries to a specific number of rows received by a user or role.
• Limit queries by maximum run time or to time periods for a user or role.
• Allow or disallow the populate privilege (used primarily for Marketing applications; beyond the scope of this post).
• Allow or disallow execution of direct database requests for specific database objects.

To access the Query Limits tab, open the Identity Manager, click the Application Roles tab, double-click an application role to open the Application Role dialog box, click Permissions, and then click the Query Limits tab.


Set Timing Restrictions

You can regulate when users can query databases to prevent users from querying when system resources are tied up with batch reporting, table updates, or other production tasks.
To restrict access to a database during particular time periods, click the ellipsis (…) button in the Restrict column to open the Restrictions dialog box. Then perform the following steps: 
1. To select a time period, click the start time and drag it to the end time.
2. Access:
- To explicitly allow access, click Allow.
- To explicitly disallow access, click Disallow.
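To make the two controls above concrete, here is an added Python model (example code for this post, not part of Oracle BI) that applies per-role row and run-time limits together with a weekly Allow/Disallow grid of the kind the Restrictions dialog builds. The roles, the limit values and the nightly batch window are constructed sample data; treating an hour that was never marked in the grid as open is an assumption.

```python
"""Query-limit and timing-restriction check modelling the Query Limits tab.

Added example, not Oracle code. Roles, limits and the nightly batch window are
constructed sample data; treating an unmarked hour slot as open is an assumption.
"""
from datetime import datetime

DEFAULT_ALLOW = True  # assumption: hours never clicked in the Restrictions grid are open

# Per-role limits as entered on the Query Limits tab; None = field left blank (no limit).
QUERY_LIMITS = {
    "BIConsumer": {"max_rows": 100_000, "max_time_minutes": 10},
    "BIAuthor": {"max_rows": None, "max_time_minutes": 60},
}


def set_window(grid, weekday, start_hour, end_hour, allow):
    """Mark hours [start_hour, end_hour) on one weekday (0 = Monday) as Allow or Disallow,
    mirroring a click-and-drag across the grid followed by Allow or Disallow."""
    for hour in range(start_hour, end_hour):
        grid[(weekday, hour)] = allow
    return grid


def nightly_batch_window(start_hour=1, end_hour=5):
    """Disallow every day between start_hour and end_hour while batch loads run."""
    grid = {}
    for weekday in range(7):
        set_window(grid, weekday, start_hour, end_hour, allow=False)
    return grid


# Restrictions per role: consumers are locked out during the load; authors are not.
RESTRICTIONS = {"BIConsumer": nightly_batch_window(), "BIAuthor": {}}


def window_open(role, when):
    """True if the role may query at the given datetime."""
    return RESTRICTIONS.get(role, {}).get((when.weekday(), when.hour), DEFAULT_ALLOW)


def check_query(role, rows, runtime_minutes, when):
    """Return every limit a query would violate for a member of role; [] means it passes."""
    limits = QUERY_LIMITS.get(role, {})
    violations = []
    if not window_open(role, when):
        violations.append(f"querying disallowed at {when:%a %H:%M}")
    max_rows = limits.get("max_rows")
    if max_rows is not None and rows > max_rows:
        violations.append(f"row limit {max_rows} exceeded ({rows} rows)")
    max_time = limits.get("max_time_minutes")
    if max_time is not None and runtime_minutes > max_time:
        violations.append(f"run-time limit {max_time} min exceeded ({runtime_minutes} min)")
    return violations


if __name__ == "__main__":
    batch_time = datetime(2014, 2, 24, 2, 30)   # Monday 02:30, inside the load window
    office_time = datetime(2014, 2, 24, 9, 15)  # Monday 09:15
    print(check_query("BIConsumer", rows=250_000, runtime_minutes=12, when=batch_time))
    print(check_query("BIConsumer", rows=5_000, runtime_minutes=1, when=office_time))
    print(check_query("BIAuthor", rows=250_000, runtime_minutes=12, when=batch_time))
```

Running the script shows a consumer query during the load window tripping all three controls, the same role passing cleanly during office hours, and an author being unaffected because BIAuthor has no row limit and no restriction grid. Building the grid in code like this is a cheap way to review a restriction schedule before clicking it into the Administration Tool.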
