Introducing Virtual Private Databases, Single Sign-On, and Discoverer

Maintaining Security with Oracle BI Discoverer 13-21

Notes

■ Discoverer does not support Single Sign-On details propagation when running against a multidimensional data source (for example, in Discoverer Plus OLAP). You can create a VPD using the database ID, and use the D4O_AUTOGO file to control scoping or striping in the database when starting a Discoverer Plus OLAP session. For more information, refer to the appropriate Oracle database documentation. For more information about configuring Discoverer Plus OLAP, see Chapter 5, "Configuring Discoverer Plus OLAP".

■ Discoverer only uses the Oracle Single Sign-On identity to determine what data is accessible. Discoverer uses database user names and roles internally to manage business area access, workbook sharing, and scheduling. In other words, if you create a VPD policy for an Oracle Single Sign-On user, Discoverer does not restrict the list of workbooks that it displays based on the Oracle Single Sign-On identity. Discoverer displays all workbooks available to the current user name/database connection regardless of the Oracle Single Sign-On user name that was used to log in. However, the Oracle Single Sign-On user can view only worksheet data that conforms to the VPD policy defined for that Oracle Single Sign-On user.

13.9.1 Introducing Virtual Private Databases, Single Sign-On, and Discoverer

The Oracle database's (Enterprise Edition Release 1 and later) powerful Virtual Private Database (VPD) feature enables you to define and implement custom security policies. Among other things, the VPD feature enables you to enforce fine-grained access control based upon attributes of a user's session information (referred to as application context). This VPD functionality is commonly employed as a way of controlling access to data using the currently logged-on user's Oracle Single Sign-On identity. For more information about setting up a VPD, see the Oracle Database Advanced Application Developer's Guide.

If Discoverer has been configured to require Oracle Single Sign-On authentication, Discoverer can pass one of the following values to the database as the CLIENT_IDENTIFIER attribute of the built-in application context USERENV:

■ The Global User ID (GUID) associated with the Discoverer end user's Oracle Single Sign-On user name. This option is true for Discoverer version 11.1.1 and later if GUID is selected in the User ID field on the Discoverer Administration page in Oracle Fusion Middleware Control.

■ The Discoverer end user's Oracle Single Sign-On user name. This option is true for either of the following:

– Discoverer versions earlier than 11.1.1, if Discoverer has been configured to require Oracle Single Sign-On

– Discoverer version 11.1.1 and later, if SSO User Name is selected in the User ID field on the Discoverer Administration page in Oracle Fusion Middleware Control

Provided that a VPD policy based on GUID or Oracle Single Sign-On user names has been implemented in the database, the data returned to a Discoverer worksheet is restricted to the data that the respective GUID or Oracle Single Sign-On user is authorized to access, depending on the conditions described in the previous paragraphs.
13-22 Oracle Fusion Middleware Configuration Guide for Oracle Business Intelligence Discoverer

You can optionally add user-defined PL/SQL statements to both database LOGON and subsequent triggers and to a Discoverer trigger (eul_trigger$post_login) to use the GUID or Oracle Single Sign-On user name to further control the data that is returned. You can use Discoverer triggers and the database separately or together.
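The following is an added illustration, not code from the Oracle guide, of a VPD policy that keys on the CLIENT_IDENTIFIER value Discoverer sets after Single Sign-On login. It assumes a hypothetical SALES_APP schema with a SALES table (including a REGION column) and a mapping table SSO_USER_REGIONS (SSO_USER_NAME, REGION), and that SSO User Name (not GUID) was selected as the User ID in Fusion Middleware Control.

```sql
-- Added example (not from the Oracle guide). Schema SALES_APP, table SALES
-- and mapping table SSO_USER_REGIONS are assumed, as is the "SSO User Name"
-- setting, so CLIENT_IDENTIFIER carries the Oracle Single Sign-On user name.

CREATE OR REPLACE FUNCTION sales_app.sso_sales_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_sso_user VARCHAR2(256);
BEGIN
  -- Value Discoverer set for this session (GUID or SSO user name).
  v_sso_user := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');

  -- Fail closed: a session with no CLIENT_IDENTIFIER (for example, a tool
  -- connecting directly with the shared database account) sees no rows.
  IF v_sso_user IS NULL THEN
    RETURN '1 = 0';
  END IF;

  -- Reference the context inside the predicate instead of concatenating the
  -- user name into it, so the identifier value can never change the SQL.
  RETURN 'region IN (SELECT region FROM sales_app.sso_user_regions '
      || 'WHERE sso_user_name = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER''))';
END sso_sales_policy;
/

-- Attach the policy to SALES; CONTEXT_SENSITIVE makes the database
-- re-evaluate the predicate when the session's context values change.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_APP',
    object_name     => 'SALES',
    policy_name     => 'SALES_SSO_POLICY',
    function_schema => 'SALES_APP',
    policy_function => 'SSO_SALES_POLICY',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- Verification from a test session: set the identifier the way Discoverer
-- would for SSO user 'jsmith' (constructed value) and confirm that only the
-- regions mapped to that user are returned.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/
SELECT DISTINCT region FROM sales_app.sales;
```

Because any client that holds the database credentials can call DBMS_SESSION.SET_IDENTIFIER, the policy is only as strong as the protection of the shared database account Discoverer connects with; the fail-closed branch and auditing of that account are the mitigations to pair with it.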

13.9.2 Example for using GUID or SSO user name to limit Discoverer data