Integrating BIP with Oracle Database Security
In 10.1.3.3 there is a feature that I'm embarrassed to say I did not know about until I got an email today asking about it - I checked the docs and it appears our resident 'word wrangler' (read 'doc writer') Leslie was in the dark too. I'm referring to the wonderful subject of user security - we boast a growing list of supported security configurations - our own native flavor, LDAP, BI Server, E-Business Suite. Well, there's now another, 'Oracle Database' - how many of you spotted it?
It essentially lets you set up all of your users in the database - which you will have done anyways - not sure how many of your business users have a username in your db but the option is there for you. Once you have your users, you can then hook the publisher server up to the db for user management. There is some set up to do but it's pretty quick.
Quick recap on the report security model we support:

Reports sit in Folders, Folders are assigned to Roles, Roles can be assigned to other Roles and Roles are assigned to Users. When a user logs in, we look at their roles and then work out what folders and therefore reports they have access to.
Getting the house in order
We have two sides of this security model to sort out before we can use it ...
Database side of the House
Assuming we have set up the users already, we need to create some roles that BIP recognizes. I'm not going to get into how to create and assign roles to users - get googling if you're unsure. BIP needs these roles created in the database:
- XMLP_ADMIN - this is the administrator role for the BI Publisher server.
- XMLP_DEVELOPER - allows users to build reports in the system.
- XMLP_SCHEDULER - allows users to schedule reports.
- XMLP_ANALYZER_EXCEL - allows users to use the Excel analysis feature.
- XMLP_ANALYZER_ONLINE - allows users to use the online analysis feature.
- XMLP_TEMPLATE_DESIGNER - allows users to connect to the BI Publisher server from the Template Builder and to upload and download templates.
Create these roles and assign them as you wish to db users depending on what you want the user to be able to do. That's not the end of it - you can create as many roles as you wish; you'll use them on the publisher side and attach folders to them. For instance, you might create an HR_MANAGER role and assign an HR folder to it ... duh!
Lastly, assign the XMLP_ADMIN role to someone like SYSTEM or a user with admin privileges - this is important.
Once you have created the roles you can move on to the publisher side ...
Publisher Side of the House
With the database security option we manage the users and their roles in the database and then map folders to those roles in the BIP UI. To set it up:
- Log in to BIP with an Administrator responsibility
- Navigate to the Admin tab then to the Security Configuration
- In the Security Model section pick 'Oracle Database' from the drop down

- Fill in the fields required to connect the database - check out the graphic for hints.
- The user you enter has to be able to access data from the dba_users, dba_roles and dba_role_privs views - so enter an appropriate user
- Save your work - you're going to need to bounce the server to get the changes to take effect.
Once the server is bounced you can now log in with your db user that has the XMLP_ADMIN role assigned. You can now start assigning folders to db roles so that users can access reports.
Navigate to the Admin tab then to the Roles and Permissions page. You'll now see all the db roles along with any of the new ones you may have created.

Notice the HR_MANAGER role, this is effectively a dummy role in the db but we can attach folders to it to make a more 'logical' role structure that is easily understood. You will of course not find the XMLP_XXXX roles in the list as you would when using BIP Security. Check the user guide on how to add folders to roles.
Once you have assigned the folders to the roles you want, save your work and you're done. Users can now log in with their database username/password combos to get into BIP and access the reports they are permitted to access.
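The database side of the setup above, as an added example that is not from the original post or the BI Publisher docs: it creates the roles BIP looks for, grants them, and sets up a connection account for the Security Configuration page that can read only the three dictionary views. The names BIP_LOOKUP and JSMITH and the password are hypothetical placeholders, and using a dedicated read-only account with just these grants is an assumption rather than something the post prescribes.

```sql
-- Added example. Run as a DBA; granting on SYS-owned views may need to be done as SYS.
-- BIP_LOOKUP, JSMITH and the password are hypothetical placeholders.

-- 1. Roles BI Publisher recognizes (names taken from the list in the post)
CREATE ROLE XMLP_ADMIN;
CREATE ROLE XMLP_DEVELOPER;
CREATE ROLE XMLP_SCHEDULER;
CREATE ROLE XMLP_ANALYZER_EXCEL;
CREATE ROLE XMLP_ANALYZER_ONLINE;
CREATE ROLE XMLP_TEMPLATE_DESIGNER;

-- 2. A 'logical' role that carries no database privileges;
--    it exists only so folders can be attached to it in the BIP UI
CREATE ROLE HR_MANAGER;

-- 3. The administrator who will log in to BIP after the server is bounced
GRANT XMLP_ADMIN TO SYSTEM;

-- 4. A business user who can see the HR folder and schedule reports
GRANT HR_MANAGER     TO JSMITH;
GRANT XMLP_SCHEDULER TO JSMITH;

-- 5. Connection account entered on the Security Configuration page.
--    Assumption: read access to these three views is all it needs,
--    so it gets nothing beyond a session and SELECT on them.
CREATE USER BIP_LOOKUP IDENTIFIED BY "Replace_With_Your_Own_1";
GRANT CREATE SESSION             TO BIP_LOOKUP;
GRANT SELECT ON SYS.DBA_USERS      TO BIP_LOOKUP;
GRANT SELECT ON SYS.DBA_ROLES      TO BIP_LOOKUP;
GRANT SELECT ON SYS.DBA_ROLE_PRIVS TO BIP_LOOKUP;

-- 6. Review who holds what before switching the security model:
--    every grantee of XMLP_ADMIN becomes a BIP administrator
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role LIKE 'XMLP%'
   OR  granted_role = 'HR_MANAGER'
ORDER  BY granted_role, grantee;
```

Because Roles can be assigned to other Roles, the review query can also return role names as grantees, so check those when deciding who ends up with XMLP_ADMIN.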