3. In the General tab of the Connection Pool dialog, select Shared logon, and then enter :USER and :PASSWORD in the User name and Password fields. The :USER and :PASSWORD syntax automatically passes the value of user credentials upon login to the database. Note that the :USER and :PASSWORD syntax does not refer to session variables. Figure 13–3 shows the General tab of the Connection Pool dialog.

Figure 13–3 Entering Credentials for Database-Level Security in the Connection Pool

13-8 Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition

4. Click OK in the Connection Pool dialog.
5. Double-click the database object for which you want to set up database-level security.
6. In the Database dialog, select Virtual Private Database. Selecting this option ensures that the Oracle BI Server protects cache entries for each user.
7. Click OK in the Database dialog.
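The procedure above covers only the Oracle BI Server side; the row filtering itself is a Virtual Private Database policy in the Oracle database. The following sketch of that database side is an added example, not part of the Oracle guide. The schema SALES_APP, the table ORDERS, the column SALES_REP and the function name are hypothetical, and it assumes SALES_REP stores each user's database account name in uppercase.

```sql
-- Added example: hypothetical schema SALES_APP, table ORDERS, column SALES_REP.

-- Policy function. Oracle calls it with the protected object's schema and
-- name and appends the returned text to the WHERE clause of every statement
-- the policy covers.
CREATE OR REPLACE FUNCTION sales_app.orders_by_login (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- SESSION_USER is the account the connection logged in with. With :USER
  -- and :PASSWORD in the connection pool, that is the end user's own account.
  RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END orders_by_login;
/

-- Attach the function to the table as a VPD policy for queries.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_LOGIN',
    function_schema => 'SALES_APP',
    policy_function => 'ORDERS_BY_LOGIN',
    statement_types => 'SELECT'
  );
END;
/

-- Check 1: the policy is registered and enabled.
SELECT policy_name, enable
  FROM all_policies
 WHERE object_owner = 'SALES_APP' AND object_name = 'ORDERS';

-- Check 2: connected as an end user, no foreign rows are visible (expect 0).
SELECT COUNT(*)
  FROM sales_app.orders
 WHERE sales_rep <> SYS_CONTEXT('USERENV', 'SESSION_USER');

-- Check 3: accounts holding this privilege bypass every VPD policy, so none
-- of the end-user accounts should appear here.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```

Because the predicate differs per login, identical queries return different rows for different users, which is why the Virtual Private Database option in step 6 has the Oracle BI Server protect cache entries for each user.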
After you have set up row-level security in the database, you still need to set up object permissions in the repository for Presentation layer or other objects. You can also set query limits (governors). See Setting Up Object Permissions and Setting Query Limits for more information.

Setting Up Object Permissions

You can set up object permissions in your repository to control access to Presentation layer and Business Model and Mapping layer objects. You set object permissions using the Administration Tool.

There are two approaches to setting object permissions: you can set permissions for particular application roles in the Identity Manager, or you can set permissions for individual objects in the Presentation layer. This section explains how to set up object permissions for application roles in the Identity Manager. See Setting Permissions for Presentation Layer Objects for information about setting object permissions for individual Presentation layer objects.

Setting up object permissions for particular application roles is useful when you want to define permissions for a large set of objects at one time. You should always set up object permissions for particular application roles rather than for individual users.

Figure 13–4 shows how object permissions restrict what users can see. The security rules are applied to all incoming clients and cannot be breached, even when the Logical SQL query is modified. In this example, an application role to which the Administrator belongs has been granted access to the Booked Amount column, so the Administrator can view the returned results. The user Anne Green is not a member of an application role with access to this object and cannot see the column in the Subject Area pane in Answers. Even if the request SQL is modified, results are not returned for this column because of the application role-based object permissions that have been set.
Note: Alternatively, you can use the database session context to pass end user identity to the database. Use a connection pool script to set up session context. Note that this approach does not rely on database authentication.

Applying Data Access Security to Repository Objects 13-9

Figure 13–4 Object Permission Enforcement in the Oracle BI Server

Note the following:

■ If an application role is granted or disallowed permissions on an object from multiple sources (for example, explicitly and through one or more additional application roles), the permissions are applied based on the order of precedence.
■ If you explicitly deny access to an object that has child objects, users who are members of the individual application role are denied access to the child objects. For example, if you explicitly deny access to a particular logical table, you are implicitly denying access to all of the logical columns associated with that table.
■ Object permissions do not apply to repository and session variables, so values in these variables are not secure. Anybody who knows or can guess the name of the variable can use it in an expression in Answers or in a Logical SQL query. Because of this, do not put sensitive data like passwords in session or repository variables.
■ You can control what level of privilege is granted by default to users and application roles for repository objects without explicit permissions set. To do this, set the DEFAULT_PRIVILEGES parameter in the NQSConfig.INI file. See Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition for more information.

To set up object permissions for individual application roles:

1. Open your repository in the Administration Tool.
2. Select Manage, then select Identity.