
Applying Data Access Security to Repository Objects 13-15

However, if you first modify the users and application roles in online mode (for example, applying object permissions or setting query limits), they will subsequently be available in the Administration Tool in offline mode.

Setting Up Placeholder Application Roles for Offline Repository Development

Application roles are created and managed in the policy store using the Oracle WebLogic Administration Console and Fusion Middleware Control. These application roles are displayed in the Administration Tool in online mode so that you can use them to set data filters, object permissions, and query limits for particular roles. The application roles in the policy store are retrieved by the Oracle BI Server when it starts.

In some cases, you may want to proceed with setting up data access security in your repository for application roles that have not yet been defined in the policy store. You can do this by creating placeholder application roles in the Administration Tool, then proceeding with setting up data access security in the repository.

If you create placeholder application roles in the Administration Tool, you must eventually add them to the policy store. Run the Consistency Checker to identify application roles that have been defined in the Administration Tool, but that have not yet been added to the policy store. Be sure to use the same name in the policy store that you used for the placeholder role in the Administration Tool.

To create placeholder application roles in the Administration Tool:

1. Open your repository in the Administration Tool.

2. Select Manage, then select Identity.

3. In the Identity Manager dialog, select Action > New > Application Role.

4. In the Application Role dialog, provide the following information:

■ Name: Provide a name for the role.
■ Description: Optionally, provide a description of this application role.
■ Members: Use the Add and Remove buttons to add or remove users and other application roles as appropriate.
■ Permissions: Set object permissions, data filters, and query limits for this application role as appropriate. Refer to the other sections in this chapter for detailed information.

5. Click OK to return to the Identity Manager.

To check for application roles that need to be added to the policy store:

1. Open your repository in online mode in the Administration Tool.

2. Select File, then select Check Global Consistency.

3. Note any entries related to application roles, then add the appropriate roles to the policy store as appropriate. See Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition for information about adding application roles to the policy store.

Note: Use caution when defining and using placeholder roles. If you make changes to a role in offline mode that also exists in the policy store, the changes will be overwritten the next time you connect to the Oracle BI Server.

13-16 Metadata Repository Builders Guide for Oracle Business Intelligence Enterprise Edition

4. Optionally, select individual rows and click Copy to copy the entries to a text file.
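The requirement that a placeholder role use the same name in the policy store can also be cross-checked outside the tool. The following is an added example, not part of the Oracle guide: it assumes you already have two plain lists of role names (one from the repository, one from the policy store), and every role name shown is constructed for illustration.

```python
import difflib

# Constructed sample data (hypothetical role names, not from the guide).
REPO_ROLES = ["HRViewer", "SalesAnalyst", "Finance Reviewer", "RegionalManager"]
POLICY_ROLES = ["HRViewer", "salesanalyst", "FinanceReviewer"]


def normalize(name):
    """Collapse whitespace and case so look-alike names compare equal."""
    return " ".join(name.split()).casefold()


def reconcile(repo_roles, policy_roles, cutoff=0.85):
    """Compare repository role names against policy store role names.

    Returns (missing, near_misses):
      missing     - repository roles with no similar policy store name
      near_misses - {repository name: policy store name} for names that are
                    not identical but differ only in case, spacing or a
                    small spelling change
    """
    exact = set(policy_roles)
    by_norm = {normalize(p): p for p in policy_roles}
    missing, near_misses = [], {}
    for role in repo_roles:
        if role in exact:
            continue  # same name on both sides, nothing to report
        key = normalize(role)
        if key in by_norm:
            near_misses[role] = by_norm[key]
            continue
        # Fuzzy match catches dropped spaces and small typos.
        close = difflib.get_close_matches(key, list(by_norm), n=1, cutoff=cutoff)
        if close:
            near_misses[role] = by_norm[close[0]]
        else:
            missing.append(role)
    return sorted(missing), near_misses


if __name__ == "__main__":
    missing, near = reconcile(REPO_ROLES, POLICY_ROLES)
    for role in missing:
        print(f"not in policy store: {role}")
    for repo_name, policy_name in near.items():
        print(f"name mismatch: repository '{repo_name}' vs policy store '{policy_name}'")
```

Near misses deserve the same attention as missing roles, because the names are not identical.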

Alternatively, you can check an individual application role by right-clicking the application role in the Identity Manager dialog and then selecting Check Consistency.

About the List of Users in the Administration Tool

The Identity Manager in the Administration Tool provides a list of users that have been defined for your system. The list of users is retrieved from your authentication provider. The set of users is refreshed when the Oracle BI Server is restarted.

To see the user list, select BI Repository in the Identity Manager navigation tree, and then select the Users tab in the right pane.

In online mode, by default, no users are retrieved, because the list of users might be very large. Select Action, then select Set Online User Filter to specify the set of users you want to retrieve. The filter is empty by default, which means that no users are retrieved. Enter to retrieve all users, or enter a combination of characters for a specific set of users, such as A to retrieve all users whose names begin with the letter A. The filter is not case-sensitive.

In offline mode, users do not appear in the list unless you have first modified them in the Administration Tool in online mode. Because of this, you might not see any users in the Administration Tool in offline mode.

Double-click a user in the Users list to open the User dialog. You can do the following in this dialog:

■ In the User tab, you can view the application roles to which this user belongs. You can also set the query logging level for this user. See Oracle Fusion Middleware System Administrators Guide for Oracle Business Intelligence Enterprise Edition for more information about setting the query logging level.
■ In the Logons tab, you can provide a list of data source-specific logons. In this tab, you can provide a mapping of credentials that you want to be passed to data sources for this user.
This feature is used when you set up a data source connection with no shared connection pool, so that individual user names are passed directly to data sources. Rather than passing the Oracle Business Intelligence user credentials to the data source, you can map individual users to separate data source-specific credentials.

Important: Do not set object permissions, data filters, or query limits for individual users using the Permissions button. Always use application roles rather than individual users to secure data.

14 Completing Oracle BI Repository Setup

After you have created the repository file, the Physical layer, Business Model and Mapping layer, and Presentation layer, you need to perform several tasks to complete the initial repository setup. These tasks include saving the repository and checking consistency, adding an entry in NQSConfig.INI, and creating data source connections to the Oracle BI Server for client applications. This chapter provides information about these final setup tasks.

This chapter contains the following topics:

■ Configuring the Repository for Oracle Scorecard and Strategy Management
■ Saving the Repository and Checking Consistency
■ Testing and Refining the Repository
■ Making the Repository Available for Queries
■ Creating Data Source Connections to the Oracle BI Server for Client Applications
■ Publishing to the User Community

Configuring the Repository for Oracle Scorecard and Strategy Management

If your organization licensed Oracle Scorecard and Strategy Management and if you have the appropriate privileges, then you can use this functionality as part of a default installation with no additional configuration.

Oracle Scorecard and Strategy Management also provides the capability to add comments (that is, annotations) or to override the status that is associated with specific dimension values for KPIs, Objectives, and Initiatives. KPI Watchlists offer the capability to add comments or to override statuses for KPIs. To enable these features, you must configure the repository to include a database object for storing the comment and status override information.

The database that you installed for use with Oracle Business Intelligence contains the Business Intelligence Platform schema, which includes required Oracle Scorecard and Strategy Management schema tables. For more information about installing a database for Oracle Business Intelligence and running the Repository Creation Assistant (RCU) to create the required schemas, see Oracle Fusion Middleware Installation Guide for Oracle Business Intelligence.

To configure Oracle Scorecard and Strategy Management for comments and status overrides:

1. In the Administration Tool, open the repository in online mode.

Online mode is strongly recommended for performing data access security tasks, such as the task described in Step 12 of this procedure.

2. In the Physical layer, right-click and select New Database. The Database dialog is