13-4 Metadata Repository Builders Guide for Oracle Business Intelligence Enterprise Edition row-level security policies are being enforced by the database rather than the Oracle BI Server. Data filters can be set for objects in both the Business Model and Mapping layer and the Presentation layer. Applying a filter on a logical object impacts all Presentation layer objects that use the object. If you set a filter on a Presentation layer object, it is applied in addition to any filters that might be set on the underlying logical objects. Figure 13–1 illustrates how data filter rules are enforced in the Oracle BI Server. The security rules are applied to all incoming clients and cannot be breached, even when the Logical SQL query is modified. In this example, a filter has been applied to an application role. When Anne Green, who is a member of that role, sends a request, the return results are limited based on the filter. Because no filters have been applied to the application roles for the Administrator user, all results are returned. The Oracle BI Server-generated SQL takes into account any data filters that have been defined. Figure 13–1 Row-Level Security Enforcement in the Oracle BI Server You should always set up data filters for particular application roles rather than for individual users. To set up data filters to apply row-level authorization rules for queries: 1. Open your repository in the Administration Tool.

2. Select Manage, then select Identity.

3. In the Identity Manager dialog, in the tree pane, select BI Repository.

4. In the right pane, select the Application Roles tab, then double-click the

application role for which you want to set data filters. Note that if you are in offline mode, no application roles appear in the list unless you have first modified them in online mode. See About Applying Data Access Security in Offline Mode for more information.

5. In the Application Role dialog, click Permissions.

Applying Data Access Security to Repository Objects 13-5 6. In the UserApplication Role Permissions dialog, click the Data Filters tab. To create filters, you first add objects on which you want to apply the filters. Then, you provide the filter expression information for the individual objects. 7. To add objects on which you want to apply filters, perform one of the following steps: ■ Click the Add button. Then, browse to locate the object you want, select it, and then click Select. ■ Click the Name field for an empty row. Then, browse to locate the object you want, select it, and then click Select. 8. To enter the filter expression for individual objects, perform one of the following steps: ■ Select the data filter, then click the Expression Builder button. Create the filter expression in Expression Builder, then click OK. ■ Click the Data Filter field for the appropriate filter, then type the filter expression. For example, you might want to define a filter like Sample Sales.D2 Market.M00 Mkt Key 5 to restrict results based on a range of values for another column in the table. You can also use repository and session variables in filter definitions. Use Expression Builder to include these variables to ensure the correct syntax. 9. Optionally, select a status for each filter from the Status list. You can choose one of the following options: ■ Enabled: The filter is applied to any query that accesses the object. ■ Disabled: The filter is not used and no other filters applied to the object at higher levels of precedence for example, through an application role are used. ■ Ignored: The filter is not in use, but any other filters applied to the object for example, through a different application role are used. If no other filters are enabled, no filtering occurs. 10. In addition to defining new filters, you can perform other operations in the Data Filters tab. Table 13–2 lists and describes the other buttons and options. Table 13–2 Data Filters Tab: Buttons and Options Option Name Description Subject Area Select a subject area to only view data filters for that individual subject area, or select All to view all filters. Total Filters Lists the total number of data filters that have been defined for this particular user or application role. Add Click Add to open the Browse dialog to add objects on which you want to apply data filters. Delete Select a row and click Delete to remove a filter. 13-6 Metadata Repository Builders Guide for Oracle Business Intelligence Enterprise Edition

11. Click OK, then click OK again to return to the Identity Manager.