Wednesday, February 27, 2013

OBIEE 11g Security - Creating Application Policies


You can create Application Roles based on the existing Application Policies that are installed by default.

You can also create your own Application Policies and Application Roles.

This post shows how to create a custom Application Policy using WebLogic Enterprise Manager.

The Application Policy defines the permission grants. Permission grants are controlled using WebLogic Enterprise Manager.
 


Application Roles, groups, and users are mapped to an Application Policy; based on the permissions granted, the Business Intelligence content is visible to users.

There are two methods for creating a new Application Policy:
  • Create New - A new Application Policy is created and permissions are added to it.
  • Copy Existing - A new Application Policy is created by copying an existing Application Policy. The copy is named and existing permissions are removed or permissions are added.

Creating a New Policy:

Log in to EM and navigate to WebLogic Domain > bi foundation domain > Security > Application Policies.

Click the Create button to create a new application security grant.

I am going to assign custom Application Policies to my Application Role 'Power User', as shown below.

In the Grantee section, add your application role. In the Permissions section, click Add; by default the permission class is 'oracle.security.jps.ResourcePermission', which contains all the resource types.


Select the Resource Name and click Continue; the selected resource is then added to your Permissions section.




The POWER USER Application Role is assigned to the policies below:



The POWER USER application role is a member of BI Admin/BI Author/BI Consumer/Saichand_policy(user).

If an Application Role is part of BI Administrator, then the user should have the privilege to create reports/dashboards; the policy added above, however, has the privilege to manage the catalog but not to create analyses/dashboards.


Creating an Application Policy based on an existing one:
It is the same process, but here you need to select the application role and click the Create Like button.



The new application role Super User has now been created using the policies of BI Administrator, as shown below.




A few application policies with their descriptions:


| Permission Name | Description |
| --- | --- |
| oracle.bi.publisher.administerServer | Enables the Administration link to access the Administration page and grants permission to set any of the system settings. |
| oracle.bi.publisher.developDataModel | Grants permission to create or edit data models. |
| oracle.bi.publisher.developReport | Grants permission to create or edit reports, style templates, and sub templates. This permission also enables connection to the BI Publisher server from the Template Builder. |
| oracle.bi.publisher.runReportOnline | Grants permission to open (execute) reports and view the generated document in the report viewer. |
| oracle.bi.publisher.scheduleReport | Grants permission to create or edit jobs and also to manage and browse jobs. |
| oracle.bi.publisher.accessReportOutput | Grants permission to browse and manage job history and output. |
| oracle.bi.publisher.accessExcelReportAnalyzer | Grants permission to download the Analyzer for Excel and to download data from a report to Excel using the Analyzer for Excel. Note that to enable a user to upload an Analyzer for Excel template back to the report definition, the permission oracle.bi.publisher.developReport must also be granted. |
| oracle.bi.publisher.accessOnlineReportAnalyzer | Grants permission to launch the Analyzer and manipulate the data. Note that to save an Analyzer template to a report definition, the permission oracle.bi.publisher.developReport must also be granted. |
| oracle.bi.server.impersonateUsers | This description is not available. |
| oracle.bi.server.manageRepositories | Grants permission to open, view, and edit repository files using the Administration Tool or the Oracle BI Metadata Web Service. |
| oracle.bi.server.queryUserPopulation | Internal use only. |
| oracle.bi.scheduler.manageJobs | Grants permission to use Job Manager to manage scheduled Delivers jobs. |
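
An added example, not from the original post: a small audit that resolves which of the permissions listed above an application role effectively holds once role membership is followed, as with Power User being a member of BI Administrator. The grants, the memberships, and the choice of high-risk permissions are constructed assumptions, not the default OBIEE policy store contents.

```python
# Constructed sample data, not the default OBIEE policy store contents.
# role -> permissions granted directly through its Application Policy
DIRECT_GRANTS = {
    "BI Consumer": {"oracle.bi.publisher.runReportOnline",
                    "oracle.bi.publisher.accessReportOutput"},
    "BI Author": {"oracle.bi.publisher.developReport",
                  "oracle.bi.publisher.scheduleReport"},
    "BI Administrator": {"oracle.bi.publisher.administerServer",
                         "oracle.bi.server.manageRepositories",
                         "oracle.bi.scheduler.manageJobs"},
    "Power User": set(),  # nothing granted directly
}
# role -> roles it is a member of (it inherits their permissions)
MEMBER_OF = {
    "BI Author": {"BI Consumer"},
    "BI Administrator": {"BI Author"},
    "Power User": {"BI Administrator", "BI Author", "BI Consumer"},
}
# Assumption: the reviewer decides which permissions count as high risk.
HIGH_RISK = {"oracle.bi.publisher.administerServer",
             "oracle.bi.server.manageRepositories",
             "oracle.bi.server.impersonateUsers",
             "oracle.bi.scheduler.manageJobs"}


def effective_permissions(role, grants=DIRECT_GRANTS, member_of=MEMBER_OF):
    """Direct grants plus everything inherited through role membership."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:  # tolerate membership cycles
            continue
        seen.add(current)
        perms |= grants.get(current, set())
        stack.extend(member_of.get(current, ()))
    return perms


def audit(grants=DIRECT_GRANTS, member_of=MEMBER_OF, high_risk=HIGH_RISK):
    """Map each role to its high-risk permissions, split direct/inherited."""
    findings = {}
    for role in sorted(set(grants) | set(member_of)):
        risky = effective_permissions(role, grants, member_of) & high_risk
        if risky:
            direct = risky & grants.get(role, set())
            findings[role] = {"direct": sorted(direct),
                              "inherited": sorted(risky - direct)}
    return findings
```

Calling `audit()` on the sample data reports Power User with no direct high-risk grants but three inherited ones, which is the case a review of the Application Policies page alone would miss.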