About Discoverer and the Oracle Applications security model

Oracle Fusion Middleware Configuration Guide for Oracle Business Intelligence Discoverer

■ EXECUTE privilege on any PL/SQL functions used in the folder

Even if they share workbooks with each other, Discoverer users never see information to which they do not have database access.

Discoverer Administrator also enables Discoverer managers to protect system resources by:

■ setting scheduled workbook limits to control the system resources available to end users
■ preventing end user queries from running for longer than a specified maximum duration
■ preventing end user queries from returning more than a specified number of rows

Discoverer managers can extend Discoverer functionality by registering their own PL/SQL functions. However, they can only register PL/SQL functions to which they have been granted the EXECUTE database privilege.

For more information about the Discoverer EUL security model, see Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Discoverer.

Notes

■ To enforce read-only access to Discoverer workbooks, run Discoverer Plus in read-only mode for specified Discoverer end users by removing the Create/Edit Query privilege in Oracle BI Discoverer Administrator (for more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Discoverer).
■ Some EUL maintenance scripts supplied with Discoverer grant database privileges to the Discoverer manager and the PUBLIC user (for more information, see Appendix D, "Oracle BI Discoverer Administrative Account Information").
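The queries below are an added example, not part of the Oracle guide. They show one way a DBA could review the two privilege points above: which PL/SQL functions the Discoverer manager can register (EXECUTE grants), and what has been granted to PUBLIC. Assumptions: EUL_OWNER is a placeholder for the Discoverer manager's database user, and the session can read the DBA_* dictionary views.

```sql
-- Added example. EUL_OWNER is a placeholder: substitute the database user
-- that owns the EUL (the Discoverer manager). Requires access to DBA_* views.

-- 1. Functions and packages on which the Discoverer manager holds a direct
--    EXECUTE grant, i.e. the PL/SQL it is able to register in the EUL.
SELECT p.owner,
       p.table_name   AS object_name,
       o.object_type,
       p.grantor,
       p.grantable
FROM   dba_tab_privs p
JOIN   dba_objects   o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
WHERE  p.grantee     = 'EUL_OWNER'
AND    p.privilege   = 'EXECUTE'
AND    o.object_type IN ('FUNCTION', 'PACKAGE')
ORDER  BY p.owner, p.table_name;

-- 2. Object privileges granted to PUBLIC on objects owned by the Discoverer
--    manager, or granted by that user. Every database account inherits
--    these, so each row should be expected and documented.
SELECT owner,
       table_name AS object_name,
       privilege,
       grantor,
       grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    (owner = 'EUL_OWNER' OR grantor = 'EUL_OWNER')
ORDER  BY owner, table_name, privilege;

-- 3. System privileges held directly by the Discoverer manager, to compare
--    against what the administrative account documentation says it needs.
SELECT privilege,
       admin_option
FROM   dba_sys_privs
WHERE  grantee = 'EUL_OWNER'
ORDER  BY privilege;
```

Running these before and after an EUL maintenance script shows exactly which grants the script added.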

13.4 About Discoverer and the Oracle Applications security model

A common use of Discoverer is to provide ad-hoc query access to Oracle Applications databases. To provide such access, Discoverer managers can use Discoverer Administrator to create Applications mode EULs.

Discoverer end users can connect to an Oracle Applications database using their Oracle e-Business Suite user ID and responsibility. For more information, see Section 14.1, "About Discoverer connections and Oracle e-Business Suite".

An Oracle Applications mode EUL is a Discoverer End User Layer based on an Oracle Applications schema containing the Oracle Applications FND (Foundation) tables and views.

Oracle Applications EULs make use of the following Oracle Applications security model features:

■ Oracle Applications users and responsibilities
  Oracle Applications EULs employ Oracle Applications user names and responsibilities whereas standard EULs use database users and roles. Discoverer managers running Discoverer Administrator in Oracle Applications mode grant access permissions or task privileges to Oracle Applications responsibilities instead of roles.
■ Oracle Applications row level security
  Many Oracle Applications tables and views are user-sensitive, and return different results depending on which user/responsibility is used to access these tables/views. Discoverer correctly runs queries that respect these user-sensitive tables and views.
■ Oracle Applications multiple organizations
  Oracle Applications multiple organizations support enables Discoverer to work with data from more than one organization. Discoverer end users can query and analyze data from the set of organizations to which they have been granted access. The folders in the EUL must be based on Oracle Business Views (available in Oracle Applications 11i).

For more information about the Oracle Applications security model and how Discoverer uses it, see Oracle Fusion Middleware Administrator's Guide for Oracle Business Intelligence Discoverer.

Notes

■ Oracle Single Sign-On does not work within BIS, EDW, or DBI Web pages.

13.5 About Discoverer and the Oracle Fusion Middleware Security model