Managing Security Using the Default Security Configuration 2-31 grants are changed by modifying the permission grants of the corresponding Application Policy. For more information about managing Application Policies and Application Roles, see Managing Policies with Fusion Middleware Control in Oracle Fusion Middleware Application Security Guide.

2.4.4.1 Adding or Removing Permission Grants from an Application Role

Use this procedure if you want to change the permission grants for an Application Role This is done by adding or removing the permission grants for the Application Policy which the Application Role is a grantee of. To add or remove permission grants from an Application Policy :

1. Log in to Fusion Middleware Control, navigate to Security, then select

Application Policies to display the Application Policies page. For more information, see Section 2.4.1, Starting Oracle Fusion Middleware Control and Locating the Pages for Managing Security . Whether or not the obi stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Policies page.

2. If necessary, select Select Application Stripe to Search, then select obi from the

list. Click the search icon next to Role Name. The Oracle Business Intelligence Application Policies are displayed. The Principal column displays the name of the policy Grantee. 3. Select the Application Role from the Principal column and click Edit. 4. Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

2.4.4.2 Adding or Removing Members from an Application Role

Members can be added to or deleted from an Application Role using Fusion Middleware Control. You must perform these tasks while in the WebLogic Domain that Oracle Business Intelligence is installed in. For example, bifoundation_domain. Valid members of an Application Role are Users, Groups, or other Application Roles. Being assigned to an Application Role is to become a member of an Application Role. Best practice is to assign groups instead of individual users to Application Roles. To add or remove members from an Application Role : Caution: Oracle recommends that you do not change the permission grants and membership for the default Application Roles name BIConsumer, BIAuthor, and BIAdministrator. Note: Be very careful when changing the permission grants and membership for the default Application Roles. For example, the BISystem Application Role provides the permissions required for system communication and changes to it could result in an unusable system. 2-32 Security Guide for Oracle Business Intelligence Enterprise Edition

1. Log in to Fusion Middleware Control, navigate to Security, then select

Application Roles to display the Application Roles page. For information about navigating to the Security menu, see Section 2.4.1, Starting Oracle Fusion Middleware Control and Locating the Pages for Managing Security . Whether or not the obi application stripe is pre-selected and the Application Policies are displayed depends upon the method used to navigate to the Application Roles page

2. If necessary, select Select Application Stripe to Search, then select the obi from

the list. Click the search icon next to Role Name. The Oracle Business Intelligence Application Roles are displayed.

3. Select the cell next to the Application Role name and click Edit to display the Edit

Application Role page. You can add or delete members from the Edit Application Role page. Valid members are Application Roles, Groups, and Users.

4. From Members, select from the following options:

■ To delete a member : Select the Name of the member to activate the Delete button. Click Delete. ■ To add a member : Click the Add button that corresponds to the member type being added. Select from Add Application Role, Add Group, and Add User. 5. If adding a member, complete Search and select from the available list. Use the shuttle controls to move the member to the selected field. Click OK. For example, the following figure shows the Add Group dialog and after the Report_Dev group has been selected. The added member displays in the Members column corresponding to the Application Role modified in the Application Roles page. For example, the following figure shows the Edit Application Role page for the MyNewRole Application Role after the Report_Dev group has been added. Managing Security Using the Default Security Configuration 2-33

6. Click OK in the Edit Application Role page to return to the Application Roles