6-20 Oracle Fusion Middleware Administrators Guide for Oracle Business Intelligence Discoverer 7 Controlling Access to Information 7-1 7 Controlling Access to Information This chapter explains how to control access to information using Discoverer Administrator, and contains the following topics: ■ About Discoverer and security ■ About Discoverer access permissions ■ About Discoverer and the Oracle Advanced Security Option ASO ■ About Discoverer task privileges ■ How to specify a user or role responsibility that can access a business area ■ How to specify the business areas a user or role responsibility can access ■ How to specify the tasks a user or role responsibility can perform ■ How to specify a user or role responsibility to perform a specific task ■ How to set query retrieval limits ■ How to set scheduled workbook limits ■ How to share Discoverer workbooks using a database role ■ About Transparent Application Failover About Discoverer and security As a Discoverer manager, it is your responsibility to control the information that users can access and what they can do with that information. You use Discoverer access permissions and task privileges as follows: ■ you use Discoverer access permissions to control who can see and use the data in business areas ■ you use Discoverer task privileges to control the tasks each user is allowed to perform You can grant Discoverer access permissions and task privileges to database roles and to database users. When you grant access permissions or task privileges to a role, all users with that role have the role’s access permissions and task privileges. If you run Discoverer Administrator in Oracle Applications mode, you grant access permissions or task privileges to Oracle Applications Responsibilities instead of roles. For more information about Oracle Applications mode, see What features does Discoverer support for Oracle Applications users? . The access permissions and task privileges that you grant in Discoverer Administrator only apply to Discoverer’s business areas and not to the underlying database tables. 7-2 Oracle Fusion Middleware Administrators Guide for Oracle Business Intelligence Discoverer Data access rights to the database tables remain under the control of the database administrator. Regardless of the access permissions and task privileges that you set in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges either directly or through a database role: ■ SELECT privilege on all the underlying tables used in the folder ■ EXECUTE privilege on any PLSQL functions used in the folder You can enable a user to perform administrative tasks for example, the creation of folders, calculations, conditions, hierarchies, summaries in a business area by granting that user Administration privilege on the business area. A user with the Administration privilege on a particular business area can also grant Administration privilege on that business area to other users. Note that although you can devolve business area administration to multiple users, it is often easier to maintain control with a single administrator for each business area. About Discoverer access permissions Discoverer access permissions enable you to control who can see and use the data in business areas. You control access to business areas in two ways: ■ by specifying the business areas that a particular user or role can access for more information, see How to specify the business areas a user or role responsibility can access ■ by specifying the users or roles that can access a particular business area for more information, see How to specify a user or role responsibility that can access a business area Before Discoverer end users see folders in a business area, Discoverer confirms that the user has database access to the tables referenced by the folders. If the user does not have access to a table referenced by a folder, Discoverer does not display the folder. You can override this behavior for example, to improve performance where access privileges rarely change by changing the value of the ObjectsAlwaysAccessible registry setting for more information, see Chapter 21, Discoverer Registry Settings . About Discoverer and the Oracle Advanced Security Option ASO Discoverer is certified with the Oracle Advanced Security Option ASO encryption technology provided by the Oracle database in Oracle Enterprise Edition databases. The certification has four encryption types RC4, DES, Triple-DES and AES. Oracle ASO encryption incurs little performance overhead, although performance will vary depending on several factors for example, the operating system, the encryption algorithm. For more information about Oracle ASO encryption, see the Oracle9i Security Overview. About Discoverer task privileges Discoverer task privileges enable you to control the tasks each user is allowed to perform. You use task privileges to specify whether a Discoverer end user is able to: Controlling Access to Information 7-3 ■ create new worksheets or edit existing ones without this option, a user only has the ability to run predefined worksheets ■ use item drills, drill to related items, and drill from summary to detail items ■ drill out to launch other applications ■ grant access to workbooks to other users ■ create and edit scheduled workbooks ■ save workbooks to the database ■ collect query performance statistics You also use task privileges to specify whether a user of Discoverer Administrator is able to: ■ edit only the formatting information in an existing business area ■ create new business areas and edit existing ones ■ create summary tables ■ grant and revoke EUL privileges ■ maintain the scheduled workbooks of end users How to specify a user or role responsibility that can access a business area Note: When Oracle Applications database users are connected, Discoverer Administrator displays responsibilities instead of roles. To specify the users or roles that can access a specific business area:

1.

Choose Tools | Security and select the Security dialog: Business Area - User tab . Discoverer Administrator displays the following warning dialog. Figure 7–1 Warning dialog 2. Click Yes to display the Security dialog: Business Area - User tab . 7-4 Oracle Fusion Middleware Administrators Guide for Oracle Business Intelligence Discoverer Figure 7–2 Security dialog: Business Area-User tab Note: To change the maximum number of rows that Discoverer will display in the Available usersroles list, you edit the value of the Discoverer registry setting MaxNumListRows for more information, see Chapter 21, Discoverer Registry Settings .

3. Select the business area to which you want to grant access from the Business area

drop down list.

4. Specify the content of the Available usersroles list by selecting the Users check

box and the Roles check box, as appropriate. 5. Move the users or roles that you want to have access to the selected business area from the Available usersroles list to the Selected usersroles list. You can select more than one user or role by pressing the Ctrl key and clicking another user or role.

6. For each new user or role you add to the Selected usersroles list, follow the

instructions below to specify whether they have administration access to the business area:

a. Click the user or role in the Selected usersroles list.

b. Select or clear the Allow Administration check box as required.

The setting of a user’s Allow Administration privilege controls which administration tasks the user can perform. For more information, see How to specify the tasks a user or role responsibility can perform . 7. Click OK to save the changes you have made and close the Security dialog. Notes ■ To remove access to a business area from a user or role, move the user or role from the Selected usersroles list to the Available usersroles list. ■ The Available usersroles list includes a role called PUBLIC. Select this role to view or edit the default access permissions for users or roles whose permissions you have not yet defined. ■ If you run Discoverer Administrator as an Oracle Applications user, the Security dialog shows Oracle Applications Responsibilities instead of roles. For more Controlling Access to Information 7-5 information about Applications mode, see What features does Discoverer support for Oracle Applications users? . How to specify the business areas a user or role responsibility can access Note: When Oracle Applications database users are connected, Discoverer Administrator displays responsibilities instead of roles. To specify the business areas that a user or role can access:

1.

Choose Tools | Security and display the Security dialog: Users - Business Area tab Figure 7–3 Security dialog: Users- Business Area tab 2. Click Select to display the Select UserRole dialog where you can search for and select the database user or role to which you want to grant access. 7-6 Oracle Fusion Middleware Administrators Guide for Oracle Business Intelligence Discoverer Figure 7–4 Select UserRole dialog

3. Enter the search criteria in the Search For field and click Go.

Discoverer Administrator displays the search results in the Results list. 4. Select a user or role from the Results list. 5. Click OK to display the Security dialog: Users - Business Area tab with the business areas for the selected user or role. Figure 7–5 Security dialog: Users- Business Area tab

6. Move the business areas that you want the selected user or role to have access to

from the Available business areas list to the Selected business areas list. You can select more than one business area by pressing the Ctrl key and clicking another business area.