Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page

For information about navigating to the Security menu, see Section 2.6.1,

"Accessing Oracle Enterprise Manager Fusion Middleware Control."

2. Choose Select Application Stripe to Search, then select the obi from the list. Click the search icon next to Role Name, as shown in Figure 2–12.

Caution: Oracle recommends you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store

configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default installation location is MW_HOME/user_projects/domain/your_domain/config/fmwconfig.

Caution: Be very careful when changing the permission grants and membership for the default application roles. Changes could result in an unusable system.

Managing Authorization

2-20 Administrator's Guide for Oracle Business Intelligence Publisher Figure 2–12 Search Icon

The BI Publisher application roles are displayed. Figure 2–13 shows the default application roles.

Figure 2–13 Default Application Roles

3. Select the cell next to the application role name and click Edit to display the Edit Application Role page. In Figure 2–14, the BIAuthor application role has been selected.

Managing Authorization

Figure 2–14 BIAuthor Application Role

You can add or delete members from the Edit Application Role page. Valid members are application roles, groups, and users.

4. Select from the following options:

■ To delete a member: From Members, select from Name the member to activate the Delete button. Click Delete.

■ To add a member: Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User.

5. If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK.

For example, Figure 2–15 shows the Add Group dialog after the Report_Dev group has been selected.

Managing Credentials

2-22 Administrator's Guide for Oracle Business Intelligence Publisher Figure 2–15 Add Group Dialog

The added member displays in the Members column corresponding to the application role modified in the Application Roles page.

2.7 Managing Credentials

Credentials used by the system are stored in a single secure credential store. Oracle Wallet is the default credential store file (cwallet.sso). The credential store alternatively can be LDAP-based and Oracle Internet Directory is the supported LDAP server in this release. LDAP-based credential stores are configured and administered using Oracle Enterprise Manager Fusion Middleware Control or WLST commands.

Each credential is uniquely identified by a map name and a key name. Each map contains a series of keys and each key is a credential. The combination of map name and key name must be unique for all credential store entries. The following credential maps are used by BI Publisher:

■ oracle.bi.system: Contains the credentials that span the entire BI Publisher platform.

■ oracle.bi.publisher: Contains the credentials used by only BI Publisher.

The following two credential types are supported:

■ Password: Encapsulates a user name and a password.

■ Generic: Encapsulates any customized data or arbitrary token, such as public key certificates.

To facilitate getting started with your development environment, default credentials are inserted into the file-based credential store during installation. Be aware that BI Publisher credentials such as user passwords are stored in the identity store and managed with its corresponding administrative interface.

2.7.1 Managing the Credential Store

Credentials can be managed either in Fusion Middleware Control or using WLST command. For more information about both methods, see "Managing the Domain Credential Store" in Oracle Fusion Middleware Application Security Guide.

Customizing the Default Security Configuration

2.7.2 Managing BISystemUser Credentials

If using Oracle Business Intelligence as a data store, BI Publisher establishes system communication with it as BISystemUser. If you change the BISystemUser password in the identity store administrative interface, you also must change the password in the credential store (oracle.bi.system credential map). This applies if you have created a custom application role to take the place of the default BISystemUser. Components cannot communicate with each other if the credentials are out-of-sync. For more information about how Oracle Business Intelligence uses BISystemUser for trusted system communication, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

2.8 Customizing the Default Security Configuration

You can customize the default security configuration in the following ways:

■ Configure a new authentication provider. For more information, see Section 2.8.1,

"Configuring a New Authentication Provider."

■ Configure new policy store and credential store providers. For more information, see Section 2.8.2, "Configuring a New Policy Store and Credential Store Provider."

■ Migrate policies and credentials from one store to another. For more information, see Section 2.8.2.1, "Reassociating the Policy Store and Credential Store."

■ Create new application roles. For more information, see Section 2.8.3.1, "Creating Application Roles Using Fusion Middleware Control."

■ Create new application policies. For more information, see Section 2.8.3.2,

"Creating Application Policies Using Fusion Middleware Control."

■ Modify the permission grants for an application policy. For more information, see Section 2.8.3.3, "Changing Permission Grants for an Application Policy."

2.8.1 Configuring a New Authentication Provider

You can configure another supported LDAP server to be the authentication provider.

Configuring BI Publisher to use an alternative external identity store is performed using the Oracle WebLogic Server Administration Console. BI Publisher delegates authentication and user population management to the authentication provider and identity store configured for the domain it is a part of. For example, if configured to use Oracle WebLogic Server's default authentication provider, then management is performed in the Oracle WebLogic Server Administration Console. If configured to use Oracle Internet Directory (OID), then the OID management user interface is used, and so on.

If using an authentication provider other than the one installed as part of the default security configuration, the default users and groups that are discussed in Section 2.4.1,

"Default Users and Groups" are not automatically present. You can create users and groups with names of your own choosing or re-create the default user and group names if the authentication provider supports this. After this work is completed, you must map the default BI Publisher application roles to different groups again. For example, if the corporate LDAP server is being used as the identity store and you are unable to re-create the BI Publisher default users and groups in it, you must map the default application roles to different groups specific to the corporate LDAP server. Use Fusion Middleware Control to map the groups to application roles.

Customizing the Default Security Configuration

2-24 Administrator's Guide for Oracle Business Intelligence Publisher

For information about how to configure a different authentication provider, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server.

2.8.2 Configuring a New Policy Store and Credential Store Provider

The policy store and credential store can be file-based or LDAP-based. The supported LDAP server for both stores in this release is Oracle Internet Directory. The

pre-requisites for using an LDAP-based store are the same as for both the policy store and credential store. For more information, see "Configuring a Domain to Use an LDAP-Based Policy Store" in Oracle Fusion Middleware Application Security Guide.

2.8.2.1 Reassociating the Policy Store and Credential Store

Migrating policies and credentials from one security store to another is called reassociation. Both policy store and credential store data can be reassociated (migrated) from a file-based store to an LDAP-based store, or from an LDAP-based store to another LDAP-based store

Because the credential store and the policy store must both be of the same type, when reassociating one store you must reassociate the other.

For more information about reassociation and the steps required to migrate credential store and policy store data to Oracle Internet Directory, see "Reassociating Domain Stores with Fusion Middleware Control" in Oracle Fusion Middleware Application Security Guide.

2.8.3 Customizing the Policy Store

The Fusion Middleware Security model can be customized for your environment by creating your own application policies and application roles. Existing application roles can be modified by adding or removing members as needed. Existing application policies can be modified by adding or removing permission grants. For more information about managing application policies and application roles, see Oracle Fusion Middleware Application Security Guide.

2.8.3.1 Creating Application Roles Using Fusion Middleware Control

There are two methods for creating a new application role:

■ Create New— A new application role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

■ Copy Existing— A new application role is created by copying an existing

application role. The copy contains the same members as the original, and is made a Grantee of the same application policy. You can modify the copy as needed to finish creating the new role.

Note: Before creating a new application policy or application role and adding it to the default BI Publisher security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. Best practice is to leave the default security configuration in place and first incorporate your customized application policies and application roles in a test environment. For more information, see Section 2.3, "Permission Grants and

Inheritance.".

Customizing the Default Security Configuration

To create a new application role:

1. Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

For information, see Section 2.6.1, "Accessing Oracle Enterprise Manager Fusion Middleware Control."

2. Choose Select Application Stripe to Search, then select obi from the list. Click the