2 Managing Security Using the Default Security Configuration 2-1 2 Managing Security Using the Default Security Configuration This chapter explains how to deploy Oracle Business Intelligence using the default embedded WebLogic LDAP Server. By deploying the default embedded WebLogic LDAP Server, you can use the preconfigured Users, Groups, and Application Roles. You can also develop your own Users, Groups, and Application Roles. This chapter contains the following sections: ■ Section 2.1, Working with the Default Users, Groups, and Application Roles ■ Section 2.2, An Example Security Setup Using the Default Groups and Application Roles ■ Section 2.3, Creating and Managing Users and Groups in the Embedded WebLogic LDAP Server ■ Section 2.4, Creating and Managing Application Roles and Application Policies Using Fusion Middleware Control ■ Section 2.5, Managing Metadata Repository Privileges Using the Oracle BI Administration Tool ■ Section 2.6, Managing Presentation Services Catalog Privileges Using Application Roles ■ Section 2.7, Enabling High Availability of the Default Embedded Oracle WebLogic Server LDAP Identity Store You can migrate users with their encrypted passwords, and groups from the default embedded WebLogic LDAP server into an alternative authentication provider for example, OID, external tables, or another LDAP directory. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

2.1 Working with the Default Users, Groups, and Application Roles

When you install Oracle Business Intelligence, there are a number of preconfigured Users, Groups, and Application Roles that you can use to deploy Oracle Business Intelligence. For example, there is a user that is assigned to a BIAdministrators group Note: For a detailed list of security setup steps, see Section 1.8, Detailed List of Steps for Setting Up Security In Oracle Business Intelligence . 2-2 Security Guide for Oracle Business Intelligence Enterprise Edition with a name that is user-specified at installation time, for example Weblogic, a group named BIAdministrators, and an associated Application Role named BIAdministrator. The default installed Users, Groups, and Application Roles are preconfigured to work together. For example, the installed BIConsumers group is assigned to the BIConsumer Application Role. For a detailed description of the default security configuration, refer to Appendix B, Understanding the Default Security Configuration . The installed Application Roles are preconfigured with appropriate permissions and privileges to enable them to work with the installed Oracle BI Presentation Catalog, BI Repository RPD, and Policy Store. For example, the Application Role named BIAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on. The figure below shows the Users, Groups, and Application Roles that are installed and preconfigured. Figure 2–1 Installed Application Roles, Groups, and Users The following groups are available: ■ BIConsumers preconfigured with the BIConsumer Application Role. ■ BIAuthors preconfigured with the BIAuthor Application Role. ■ BIAdministrators preconfigured with the BIAdministrator Application Role. The user that is specified at installation time for example, Weblogic, is automatically assigned to the WebLogic Administrators group named BIAdministrators and to the associated Application Role named BIAdministrator. The user has permissions to log in to the Oracle Business Intelligence tools to create and administer other users. Note : Groups are organized hierarchically, and inherit privileges from parent groups. In other words, the BIAdministrators group automatically inherits privileges from the BIAuthors and BIConsumers groups. Oracle recommends that you do not change this hierarchy. Caution: Oracle recommends that you do not modify the default Users, Groups, or Application Roles, unless explicitly advised to do so by Oracle Support. Oracle recommends that you only modify copies that you have made of the installed Groups and Application Roles. Managing Security Using the Default Security Configuration 2-3 You can use the installed groups and Application Roles to deploy security, and if required you can develop your own groups and Application Roles to meet your business needs. For example: ■ If you want to enable an employee called Fred to create dashboards and reports, you might create a new user called Fred and assign Fred to the default BIAuthors group. ■ If you want to enable user Fred to perform BIAuthors and BIAdministrator duties, you might create a new Application Role called BIManager, which has both BIAuthors privileges and BIAdministrators privileges ■ If you want user Fred to be a Sales dashboard author, you might create an Application Role called Sales Dashboard Author that has permissions to see Sales subject areas in the repository and edit Sales dashboards. For detailed information about the installed Users, Groups, and Application Roles, see Appendix B, Understanding the Default Security Configuration.

2.2 An Example Security Setup Using the Default Groups and Application Roles