Oracle BI Security: Major Upgrade Considerations

Upgrade Guide for Oracle Business Intelligence

See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for complete information on security.

■ Users, passwords, and groups are moved from the default 10g repository file to the default 11g identity store (Oracle WebLogic Server embedded LDAP server). Repository groups receive a matching Application Role in the Policy Store. Any other authentication mechanism remains as it was in 10g. If you used a different LDAP server in 10g, then the upgraded 11g system continues to point to the LDAP server that was specified in 10g through initialization blocks. Under certain circumstances, you can replace these initialization blocks with WebLogic Authenticators. If you intend to use another LDAP server, such as Oracle Identity Management (OID), then you must upgrade to the embedded LDAP server first, then migrate to the production LDAP server. While it is technically possible to configure the 11g environment with an alternative security model before the upgrade, the environment is upgraded to the embedded LDAP server. Oracle recommends that Presentation Services groups (also known as Web Groups) be used for backward compatibility only and that application roles be used instead for new installations.

■ Passwords for other repository objects, such as connection pools and LDAP servers, remain in the repository and are encrypted. The repository itself is encrypted.

■ The Administrator user is migrated from the default 10g repository file to the default identity store and becomes a member of the BIAdministrators group. The BIAdministrators group is granted the BIAdministrator role and by that association has system administrative rights.

■ References to old groups and users in the Oracle BI Presentation Catalog are updated.

■ The variable names ROLES, PERMISSIONS, USERGUID and ROLEGUIDS are reserved 11g system variable names. Before upgrading a 10g repository file, these variables must be renamed if they exist. Other references to these variable names, as in reports, also must be renamed for consistency.

■ The Everyone Presentation Services group has been replaced with the AuthenticatedUser role, which is the same as the authenticated-role Application Role. For information, see Managing Security for Dashboards and Analyses in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

■ Users who belonged to the Presentation Services group that is called Presentation Services Administrators in 10g must be re-assigned to this Presentation Services group if you still want to use this group. It is recommended that you instead use either an appropriate existing Application Role or create a new Application Role for these users.

■ If you use the default authentication, then any initialization blocks in the repository that contain the :USER system variable must be disabled or deleted. For more information, see Detailed List of Steps for Setting Up Security in Oracle Business Intelligence in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.
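A pre-upgrade check for the reserved variable names and the :USER initialization blocks described above. This is an added example, not Oracle code. The inventory dictionary, its layout and every object name in it are constructed assumptions, standing in for a list an administrator has compiled from the 10g repository and catalog.

```python
import re

# Reserved 11g system variable names, as listed in the guide.
RESERVED = ("ROLES", "PERMISSIONS", "USERGUID", "ROLEGUIDS")
# Variable references of the form VALUEOF(NQ_SESSION.NAME) or VALUEOF("NAME").
_REF_RE = re.compile(
    r'VALUEOF\s*\(\s*(?:NQ_SESSION\.)?"?(%s)"?\s*\)' % "|".join(RESERVED),
    re.IGNORECASE)
# The :USER placeholder, but not a longer name such as :USER_ID.
_USER_RE = re.compile(r":USER(?![A-Za-z0-9_])", re.IGNORECASE)

# Constructed inventory; the dictionary layout is an assumption of this example.
SAMPLE = {
    "variables": ["Roles", "USER_ROLES", "REGION", "UserGuid"],
    "init_blocks": {
        "Authentication": "SELECT login FROM app_users WHERE login = ':USER'",
        "LoadRegion": "SELECT region FROM app_users WHERE id = ':USER_ID'",
    },
    "reports": {
        "/shared/Sales/ByRole": "SELECT region FROM sales WHERE grp = VALUEOF(NQ_SESSION.ROLES)",
        "/shared/Sales/Summary": "SELECT region, user_roles FROM sales",
    },
}

def audit(inventory, default_auth=True):
    """Return sorted (action, object name, detail) findings to clear before upgrading."""
    findings = []
    for name in inventory["variables"]:
        if name.upper() in RESERVED:          # exact name only; USER_ROLES is fine
            findings.append(("rename-variable", name, name.upper()))
    for name, sql in inventory["init_blocks"].items():
        # Only relevant when the 11g system uses the default authentication.
        if default_auth and _USER_RE.search(sql):
            findings.append(("disable-init-block", name, ":USER"))
    for name, text in inventory["reports"].items():
        for hit in sorted({m.group(1).upper() for m in _REF_RE.finditer(text)}):
            findings.append(("update-reference", name, hit))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```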

1.5.2 Oracle BI Security: Other Upgrade Considerations

Keep the following considerations for security in mind when upgrading to 11g:

1.5.2.1 Changes Affecting the Identity Store

Upgrade Assistant automatically creates the following entries in the Oracle WebLogic Server embedded LDAP server for the target system:

■ An LDAP group that corresponds to each group in the repository. This does not include the Administrators group that is present in prior releases. Any users that were in this Administrators group are added to the BIAdministrators LDAP group.

■ LDAP group hierarchies that match the repository group hierarchies.

■ The Administrator user is migrated and made a part of the BIAdministrators group.

All users, other than the Administrator user, who are members of the Administrators group in the specified repository are added to the BIAdministrators group in the embedded LDAP server. The 11g Administrator user that is created from information provided during installation is also added to the BIAdministrators group in the embedded LDAP server.

1.5.2.2 Changes that Affect the Policy Store

Upgrade Assistant automatically creates the following entries in the file-based policy store for the target system:

■ An Application Role that corresponds to each group in the specified repository. This does not include the Administrators group that is present in prior releases. The Application Role is granted to the group with the same name.

■ Application Role hierarchies that match the repository group hierarchies.
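The identity store and policy store rules in sections 1.5.2.1 and 1.5.2.2 can be turned into an expected-state calculation, so that BIAdministrators membership can be reviewed after the upgrade. This is an added example, not Oracle code. The group inventory, the user names and the installation administrator name are constructed assumptions.

```python
# Constructed 10g inventory: group -> direct users and parent groups.
SAMPLE_GROUPS = {
    "Administrators": {"users": ["Administrator", "jsmith"], "parents": []},
    "Sales": {"users": ["akhan", "jsmith"], "parents": []},
    "Sales EMEA": {"users": ["mrossi"], "parents": ["Sales"]},
}

def expected_11g_state(groups, install_admin):
    """Return (ldap_groups, app_roles) that the upgrade is expected to create.

    install_admin is the 11g Administrator user entered during installation.
    Groups nested under Administrators are not covered by the guide and are
    not modelled here.
    """
    ldap_groups, app_roles = {}, {}
    # The migrated Administrator user and the installation administrator
    # are both placed in BIAdministrators.
    bi_admins = {"Administrator", install_admin}
    for name, group in groups.items():
        if name == "Administrators":
            # No LDAP group or Application Role of its own: its users are
            # folded into BIAdministrators.
            bi_admins.update(group["users"])
            continue
        parents = sorted(group["parents"])
        ldap_groups[name] = {"users": sorted(group["users"]), "parents": parents}
        # The role is granted to the LDAP group with the same name.
        app_roles[name] = {"granted_to": name, "parents": parents}
    ldap_groups["BIAdministrators"] = {"users": sorted(bi_admins), "parents": []}
    return ldap_groups, app_roles

def unexpected_admins(ldap_groups, actual_members):
    """Members found in BIAdministrators that the 10g inventory does not explain."""
    expected = set(ldap_groups["BIAdministrators"]["users"])
    return sorted(set(actual_members) - expected)

if __name__ == "__main__":
    ldap, roles = expected_11g_state(SAMPLE_GROUPS, "weblogic")
    print("Expected BIAdministrators:", ldap["BIAdministrators"]["users"])
    # actual_members would come from a listing of the embedded LDAP group.
    print("Unexpected:", unexpected_admins(ldap, ["Administrator", "jsmith", "weblogic", "tmp_admin"]))
```

Every name in the expected BIAdministrators list holds system administrative rights after the upgrade, so this list is worth trimming in the 10g Administrators group before running Upgrade Assistant.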

1.5.2.3 Changes that Affect the Repository File

Upgrade Assistant automatically upgrades the specified Oracle BI metadata repository and makes the following changes:

■ All groups in the specified 10g repository are converted to Application Role references (placeholders) that are created in the policy store during upgrade.

■ All users are removed from the specified repository during upgrade and replaced with references (name and GUID) to LDAP users that are created in the embedded LDAP server on the target system.

The upgraded repository has the following characteristics in the 11g system:

■ The upgraded repository is now protected and encrypted by the password that is entered during the upgrade.

■ The repository file is upgraded to contain references to users it expects to be present in the identity store and references to Application Roles it expects to be present in the policy store.

■ A numerical suffix is added to the name of an upgraded repository file. A number is added to indicate the number of times that file has been upgraded.

The upgraded repository can be opened in the Oracle BI Administration Tool in offline mode as usual, and can be deployed to an Oracle BI Server to be opened in online mode.

1.5.2.4 Changes that Affect the Oracle BI Presentation Catalog

Upgrade Assistant automatically makes the following changes to the Oracle BI Presentation Services Catalog: