9-6 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence
3. Run the reassociateSecurityStore command, as follows:

    reassociateSecurityStore(domain="domainName", admin="cn=admin_user_name",
    password="orclPassword", ldapurl="ldap://LDAPHOST:LDAPPORT", servertype="OID",
    jpsroot="cn=jpsroot_bi")

   For example:

    wls:/bifoundation_domain/serverConfig> reassociateSecurityStore(domain="bifoundation_domain",
    admin="cn=orcladmin", password="welcome1", ldapurl="ldap://oid.mycompany.com:389",
    servertype="OID", jpsroot="cn=jsproot_bi,dc=mycompany,dc=com")

4. Restart the Administration Server after the command completes successfully.
9.1.5 Regenerating User GUIDs After Identity Store Reassociation
This section contains the following topics:
■ Section 9.1.5.1, "About User GUIDs"
■ Section 9.1.5.2, "About GUID Regeneration"
■ Section 9.1.5.3, "Regenerating User GUIDs"
9.1.5.1 About User GUIDs
In Oracle Business Intelligence 11g Release 1 (11.1.1), users are recognized by their global unique identifiers (GUIDs), not by their names. GUIDs are identifiers that are
completely unique for a given user. Using GUIDs to identify users provides a higher level of security because it ensures that data and metadata are uniquely secured for a
specific user, independent of the user name.
Oracle recommends that you follow these two best practices to ensure that GUIDs are consistently applied in each phase of the development to production lifecycle:
■ Ensure that a fan-out replica of the identity store is used between development, test, and production systems, so that user GUIDs are consistent and identical
across the complete development to production lifecycle. See "Setting Up Replication" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet
Directory for further information about creating fan-out replicas.
■ Wherever possible, secure access to data and metadata using application roles rather than individual users.
9.1.5.2 About GUID Regeneration
GUID regeneration is the process of regenerating any metadata references to user GUIDs in the Oracle BI repository and Oracle BI Presentation Catalog. During the
GUID regeneration process, each user name is looked up in the identity store. Then, all metadata references to the GUID associated with that user name are replaced with the
GUID in the identity store.
GUID regeneration might be required when Oracle Business Intelligence is reassociated with an identity store that has different GUIDs for the same users. This
situation might occur when reassociating Oracle Business Intelligence with a different type of identity store and should be a rare event.
Note: For credential and policy changes to take effect, the servers in
the domain must be restarted.
Integrating with Oracle Identity Management 9-7
Note that if Oracle best practices are not observed and Oracle Business Intelligence repository data is migrated between systems that have different GUIDs for the same
users, GUID regeneration is required for the system to function. This is not a recommended practice, because it raises the risk that data and metadata secured to one
user (for example, John Smith, who left the company two weeks ago) becomes accessible to another user (for example, John Smith, who joined last week). Using
application roles wherever possible and using GUIDs consistently across the full development to production lifecycle prevents this problem from occurring.
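The following added example (not part of the Oracle guide or of Oracle's tooling) models the name-based GUID replacement described in Section 9.1.5.2 and audits which existing grants would pass to a different account. The ACL layout, the store contents, the handling of unmatched names, and the creation-date heuristic are assumptions, and all data is constructed.

```python
from datetime import date

# Constructed sample data: metadata grants recorded before reassociation,
# as (object, user name, stored GUID, date the grant was made).
ACL = [
    ("/shared/Finance/Payroll", "jsmith", "GUID-OLD-1", date(2010, 3, 1)),
    ("/shared/Sales/Pipeline", "akumar", "GUID-OLD-2", date(2010, 5, 9)),
    ("/shared/HR/Reviews", "mlee", "GUID-OLD-3", date(2010, 6, 2)),
]

# Constructed new identity store: user name -> (GUID, account creation date).
NEW_STORE = {
    "jsmith": ("GUID-NEW-7", date(2011, 1, 10)),  # a different John Smith, hired later
    "akumar": ("GUID-OLD-2", date(2009, 11, 3)),  # same GUID, as with a fan-out replica
}

def regenerate(acl, store):
    """Name-based regeneration: each stored GUID is replaced by the GUID the
    identity store returns for the same user name.
    Assumption: entries whose name is not found are left unchanged."""
    return [(obj, name, store[name][0] if name in store else guid, granted)
            for obj, name, guid, granted in acl]

def audit(acl, store):
    """Classify each grant before regeneration is run."""
    report = {}
    for obj, name, guid, granted in acl:
        if name not in store:
            report[obj] = "orphaned"    # user name missing from the new store
        elif store[name][0] == guid:
            report[obj] = "unchanged"   # GUID consistent across both stores
        elif store[name][1] > granted:
            report[obj] = "review"      # account is newer than the grant: possible name reuse
        else:
            report[obj] = "remapped"    # same name, different GUID, older account
    return report

if __name__ == "__main__":
    for obj, status in audit(ACL, NEW_STORE).items():
        print(f"{status:10} {obj}")
    # After regeneration the Payroll grant belongs to the new jsmith account.
    print(regenerate(ACL, NEW_STORE)[0])
```

Grants reported as "review" are the John Smith case above: they are candidates for conversion to application roles before any regeneration is run.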
9.1.5.3 Regenerating User GUIDs