Marketing, Security, and Other Elements 16-17
The privilege package tag does not include any attributes. Note that the schema lists attributes for none, read, write, readwrite, delete, grant, and all, but these
attributes are not used. Instead, these permissions are exposed as part of the child element definitions.
Syntax

<PrivilegePackage …>
  <QueryPrivileges>
    <Mapping>
      <RefDatabase …/>
      <RefQueryPrivilege …/>
    </Mapping>
  </QueryPrivileges>
  <RefTypePrivilege ../>
  <Filters>
    <Mapping status="">
      <RefObject …/>
      <Expr>…</Expr>
    </Mapping>
  </Filters>
  <ObjectPrivileges>
    <RefObjectPrivilege …/>
  </ObjectPrivileges>
</PrivilegePackage>
Example

<PrivilegePackage name="PrivPack_4209:16704985826474" id="4209:469" uid="425">
  <Description/>
  <Filters>
    <Mapping status="enable">
      <RefObject id="4008:459" qualifiedName="&quot;Paint&quot;..&quot;Markets&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
    <Mapping status="enable">
      <RefObject id="4008:462" qualifiedName="&quot;Paint&quot;..&quot;Sales Measures&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
    <Mapping status="enable">
      <RefObject id="4008:463" qualifiedName="&quot;Paint&quot;..&quot;Share Measures&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
    <Mapping status="enable">
      <RefObject id="4008:464" qualifiedName="&quot;Paint&quot;..&quot;Forecast Measures&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
    <Mapping status="enable">
      <RefObject id="4008:465" qualifiedName="&quot;Paint Exec&quot;..&quot;Measures&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
    <Mapping status="enable">
      <RefObject id="4008:466" qualifiedName="&quot;Paint Exec&quot;..&quot;Markets&quot;"/>
      <Expr><![CDATA[ Paint.Markets.Region = Eastern Region ]]></Expr>
    </Mapping>
  </Filters>
  <ObjectPrivileges/>
</PrivilegePackage>

16-18 Oracle Fusion Middleware Integrator's Guide for Oracle Business Intelligence Enterprise Edition
16.2.6 Object Privilege
The object privilege element corresponds to the set of object permissions you can apply to metadata objects such as logical or presentation columns. In the
Administration Tool, you can set object permissions in the Presentation layer, or in the Object Permissions tab of the User/Application Role Permissions dialog.
The object privilege tag includes the following attributes:

Table 16–18 Object Privilege Tag Attributes

Attribute Name    Description
type              Contains the type of privilege applied to the objects. Valid values are:
                  ■ read: corresponds to the Read privilege in the Administration Tool
                  ■ readWrite: corresponds to the Read/Write privilege in the Administration Tool
                  ■ none: corresponds to the No Access privilege in the Administration Tool
                  This attribute can contain the following other values: delete, write, grant, and all. These other values are for internal use.

The object privilege tag includes the following child elements:

Table 16–19 Object Privilege Child Elements

Element Name      Description
Objects           References the set of objects for which this privilege type applies. Each object is contained in a sub-element called RefObject.

Syntax

<ObjectPrivilege … privilege="">
  <Objects>
    <RefObject…/>
    <RefObject…/>
  </Objects>
</ObjectPrivilege>
Example

<ObjectPrivilege name="ObjPriv_1500:10072891258596599" id="1500:1007289"
    uid="2162635189" type="read">
  <Description></Description>
  <Objects>
    <RefObject id="4004:275554" uid="2156776977" qualifiedName="&quot;Sales - CRM Sales Activity&quot;"/>
    <RefObject id="4004:275556" uid="2156689246" qualifiedName="&quot;Sales - CRM Pipeline&quot;"/>
    <RefObject id="4004:275636" uid="2156689916" qualifiedName="&quot;Sales - CRM Forecasting&quot;"/>
    <RefObject id="4004:275663" uid="2156776077" qualifiedName="&quot;Sales - CRM Customer Overview&quot;"/>
    <RefObject id="4004:275728" uid="2160717431" qualifiedName="&quot;Sales - CRM Quota Management&quot;"/>
  </Objects>
</ObjectPrivilege>
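The following is an added example, not part of the Oracle guide: a Python audit that inverts ObjectPrivilege elements into a per-object view, lists privileges whose type is outside read, readWrite and none, and lists objects that receive more than one privilege type. The `Repository` root element, the sample values and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the ObjectPrivilege example (not a real export).
SAMPLE = """<Repository>
  <ObjectPrivilege name="ObjPriv_A" id="1500:1" type="read">
    <Objects>
      <RefObject id="4004:1" qualifiedName="&quot;Sales - CRM Pipeline&quot;"/>
      <RefObject id="4004:2" qualifiedName="&quot;Sales - CRM Forecasting&quot;"/>
      <RefObject id="4004:3" qualifiedName="&quot;Sales - CRM Quota Management&quot;"/>
    </Objects>
  </ObjectPrivilege>
  <ObjectPrivilege name="ObjPriv_B" id="1500:2" type="none">
    <Objects><RefObject id="4004:1" qualifiedName="&quot;Sales - CRM Pipeline&quot;"/></Objects>
  </ObjectPrivilege>
  <ObjectPrivilege name="ObjPriv_C" id="1500:3" type="grant">
    <Objects><RefObject id="4004:2" qualifiedName="&quot;Sales - CRM Forecasting&quot;"/></Objects>
  </ObjectPrivilege>
</Repository>"""

# Values Table 16-18 maps to the Administration Tool; anything else is "internal use".
DOCUMENTED = {"read", "readwrite", "none"}

def local(tag):
    """Drop an XML namespace prefix such as '{uri}ObjectPrivilege'."""
    return tag.rsplit("}", 1)[-1]

def audit_object_privileges(xml_text):
    """Return (object -> [(privilege, type)], internal-use privileges, objects with mixed types)."""
    grants = defaultdict(list)
    internal = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "ObjectPrivilege":
            continue
        name, ptype = el.get("name"), el.get("type", "")
        if ptype.lower() not in DOCUMENTED:
            internal.append((name, ptype))
        for ref in el.iter():
            if local(ref.tag) == "RefObject":
                grants[ref.get("qualifiedName")].append((name, ptype))
    # Objects named by privileges of different types need a manual look at who holds which.
    mixed = sorted(q for q, g in grants.items() if len({t.lower() for _, t in g}) > 1)
    return dict(grants), internal, mixed
```
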
16.2.7 Query Privilege
The query privilege element corresponds to the set of query privileges you can apply to users or application roles. In the Administration Tool, you can set query privileges
in the Query Limits tab of the User/Application Role Permissions dialog.
The query privilege tag includes the following attributes:
Table 16–20 Query Privilege Tag Attributes

Attribute Name          Description
maxExecTime             The maximum number of minutes queries can run on a database.
maxExecTimePrivilege    Specifies the status of the maximum query run time limit. Valid values are:
                        ■ Enable: Limits the time to the value specified in maxExecTime.
                        ■ Disable: Disables any limits set in maxExecTime.
                        ■ Warn: Does not enforce limits, but logs queries that exceed the set time limit in the Query log.
                        ■ Ignore: Inherits limits from the parent application role. If there is no time limit to inherit, no limit is enforced.
maxRows                 The maximum number of rows for users to retrieve from a database.
maxRowsPrivilege        Specifies the status of the maximum number of rows limit. Valid values are:
                        ■ Enable: Limits the number of rows to the value specified. If the number of rows exceeds the maxRows value, the query is terminated.
                        ■ Disable: Disables any limits set in maxRows.
                        ■ Warn: Does not enforce limits, but logs queries that exceed the set limit in the Query log.
                        ■ Ignore: Inherits limits from the parent application role. If there is no row limit to inherit, no limit is enforced.
populatePrivilege       Specifies whether the Populate privilege is granted or denied for a database. The Populate stored procedure writes the Cache/Saved Result Set value to the database when a criteria block is cached. Valid values are:
                        ■ Allow: Explicitly grants the Populate privilege.
                        ■ Disallow: Explicitly denies the Populate privilege.
                        ■ Ignore: Inherits limits from the parent application role. If there is no limit to inherit, then the Populate privilege is allowed or disallowed based on the property Allow populate queries by default for the database object.
execPhysicalPrivilege   Specifies whether direct database requests can be executed by default. Valid values are:
                        ■ Allow: Explicitly grants the ability to execute direct database requests.
                        ■ Disallow: Explicitly denies the ability to execute direct database requests.
                        ■ Ignore: Inherits limits from the parent application role. If there is no limit to inherit, then direct database requests are allowed or disallowed based on the property Allow direct database requests by default for the database object.

The query privilege tag includes the following child elements:

Table 16–21 Query Privilege Child Elements

Element Name            Description
ExecTimeTable           If database access has been restricted to particular time periods, lists the time periods and whether access is allowed or disallowed. Each time period is contained in a sub-element called Item. The Item child element has three attributes: allow (true or false), startTime, and endTime.

Syntax

<QueryPrivilege …
    maxExecTime=""
    maxExecTimePrivilege=""
    maxRows=""
    maxRowsPrivilege=""
    populatePrivilege=""
    execPhysicalPrivilege="">
  <ExecTimeTable>
    <Item allow="true" startTime="" endTime=""/>
    <Item allow="true" startTime="" endTime=""/>
  </ExecTimeTable>
</QueryPrivilege>

Example

<QueryPrivilege name="QueryPriv_4204:8253601255133864" id="4204:825360"
    uid="2162247182" maxExecTime="600" maxRows="100000">
  <Description></Description>
</QueryPrivilege>
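The following is an added example, not part of the Oracle guide: a Python audit that reads QueryPrivilege elements and reports every setting that is neither an enforced limit (Enable) nor an explicit denial (Disallow), using the value meanings from Table 16–20. The `Repository` root element, the sample values, case-insensitive matching and the treatment of an absent attribute as "unset" are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the QueryPrivilege syntax (not a real export).
SAMPLE = """<Repository>
  <QueryPrivilege name="QueryPriv_Analysts" id="4204:1" maxExecTime="600"
      maxExecTimePrivilege="Enable" maxRows="100000" maxRowsPrivilege="Warn"
      populatePrivilege="Disallow" execPhysicalPrivilege="Allow"/>
  <QueryPrivilege name="QueryPriv_Batch" id="4204:2" maxExecTime="0"
      maxExecTimePrivilege="Disable" maxRows="0" maxRowsPrivilege="Ignore"
      populatePrivilege="Ignore" execPhysicalPrivilege="Disallow"/>
  <QueryPrivilege name="QueryPriv_Bare" id="4204:3" maxExecTime="600" maxRows="100000"/>
</Repository>"""

LIMITS = {"maxExecTimePrivilege": "maxExecTime", "maxRowsPrivilege": "maxRows"}
GRANTS = {"populatePrivilege": "Populate",
          "execPhysicalPrivilege": "direct database requests"}

def local(tag):
    """Drop an XML namespace prefix such as '{uri}QueryPrivilege'."""
    return tag.rsplit("}", 1)[-1]

def audit_query_privileges(xml_text):
    """Return (privilege name, attribute, finding) for each setting that needs review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "QueryPrivilege":
            continue
        name = el.get("name")
        for attr, limit in LIMITS.items():
            state = (el.get(attr) or "unset").lower()
            if state == "disable":
                findings.append((name, attr, f"{limit} not enforced"))
            elif state == "warn":
                findings.append((name, attr, f"{limit}={el.get(limit)} only logged"))
            elif state != "enable":
                # Ignore inherits from the parent role; unset or unknown values
                # cannot be resolved from this element alone.
                findings.append((name, attr, f"{state}: not decided by this element"))
        for attr, what in GRANTS.items():
            state = (el.get(attr) or "unset").lower()
            if state == "allow":
                findings.append((name, attr, f"{what} explicitly granted"))
            elif state != "disallow":
                findings.append((name, attr, f"{state}: not decided by this element"))
    return findings
```

Findings marked "not decided by this element" have to be resolved against the parent application role and the database object defaults that Table 16–20 refers to.
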