13-22 Oracle Fusion Middleware Configuration Guide for Oracle Business Intelligence Discoverer
the GUID or Oracle Single Sign-On user name to further control the data that is returned. You can use Discoverer triggers and the database separately or together.
13.9.2 Example for using GUID or SSO user name to limit Discoverer data
Note: To enable the Oracle Single Sign-On user name to limit Discoverer data, in Discoverer version 11.1.1 and later, SSO User Name must be selected in the User ID field on the Discoverer Administration page in Oracle Fusion Middleware Control.
The Discoverer manager at Acme Corp. does the following:
1. Configures the Discoverer middle tier machines so that Oracle Single Sign-On authentication is necessary to access the Discoverer URLs.
2. Creates a Discoverer public connection called Analysis that has access to a workbook called Sales.
3. Creates a VPD policy against the base tables of the workbooks. The VPD policy determines the data that is returned, based on the value of a variable called CONTEXT1.
4. Creates a database LOGON trigger that sets variable CONTEXT1 to the value of the GUID extracted from the application context information passed to the database by Discoverer.
To enable the Oracle Single Sign-On user name to limit Discoverer data, in step 4 replace the GUID with the Oracle Single Sign-On user name.
The Sales workbook is used by two Discoverer users at ACME Corp., Fred Bloggs and Jane Smith. A typical workflow for these two users is shown below:
1. User Fred.Bloggs authenticates through Oracle Single Sign-On and accesses the top level Discoverer URL.
2. Fred selects the public connection Analysis, and opens the workbook Sales.
3. Fred views the data in the default worksheet, and then logs out.
4. User Jane.Smith authenticates through Oracle Single Sign-On and accesses the top level Discoverer URL.
5. Jane selects the public connection Analysis, and then opens workbook Sales.
6. Jane views the data in the default worksheet.
Jane sees different data to Fred, despite the identical database connection, workbook, worksheet and database query. The difference is determined by the VPD policy being based on the GUID or Oracle Single Sign-On user name.
13.9.3 About tasks for using SSO user names to limit Discoverer data
Before the data shown in a Discoverer worksheet can be controlled using Oracle Single Sign-On user names, a Discoverer manager performs the following tasks:
■ Configures the Discoverer middle tier machines so that Oracle Single Sign-On authentication is necessary to access the Discoverer URLs (for more information, see Section 13.8.1.2, "How to enable and disable Single Sign-On for Discoverer")
■ Creates a Discoverer public connection, with access to one or more workbooks (for more information, see Section 3.6, "How to create public connections")
■ Creates a VPD policy against the base tables of the workbooks, if one does not exist (for more information about how to create a VPD policy, see Oracle Database Advanced Application Developer's Guide)
Maintaining Security with Oracle BI Discoverer 13-23
■ (optional) Configures a Discoverer Worksheet portlet to use Oracle Single Sign-On user names (for more information, see Section 13.9.4, "How to set up Worksheet Portlets to show data based on GUID, SSO or OAM user name")
■ (optional) Creates or modifies database LOGON and subsequent triggers to use the Oracle Single Sign-On user name to further control the data that is available to the Oracle Single Sign-On user (for more information, see Section 13.9.6, "How to modify database LOGON and subsequent triggers to use the GUID, SSO, or OAM user name")
■ (optional) Creates a function to be executed by the eul_trigger$post_login trigger, and registers the function using Discoverer Administrator (for more information, see Section 13.9.7, "How to use the eul_triggerpost_login trigger")
13.9.4 How to set up Worksheet Portlets to show data based on GUID, SSO or OAM user name
Having created a VPD policy in the database that uses GUIDs, Oracle Single Sign-On (SSO), or Oracle Access Manager (OAM) user names to determine the data that users can access, you can set up a Discoverer Worksheet portlet to only show the data that can be accessed by the current SSO/OAM user name.
To specify that users only see the data they can access with their SSO or OAM user name:
1. In the Users Logged In region of the Select Database Connections setup page for the Discoverer Worksheet Portlet.
2. Select the Display different data using the Publisher’s connection option.
When you select the above option, Discoverer passes the worksheet portlet user's SSO or OAM user name to the database. The VPD policy can then use the GUID or SSO/OAM user name to restrict the data that is returned to the worksheet portlet.
13.9.5 When to use other options in the Users Logged In region of the Select Database Connections page
If you want all users to always see the same data from the database regardless of their own database user names or SSO/OAM user names, do the following in the Select Database Connections setup page for the Discoverer Worksheet Portlet:
1. Select the Display same data to all users using Publisher’s Connection option.
If you want users to initially see the same data from the database regardless of their own database user names or SSO/OAM user names, but to give them the option of specifying an alternative database user name:
1. Select the Display different data by allowing users to customize database connection option.
2. Select the Show default data using Publisher’s Connection check box.
13.9.6 How to modify database LOGON and subsequent triggers to use the GUID, SSO, or OAM user name
You can modify database LOGON and subsequent triggers to use the GUID or SSO/OAM user name passed by Discoverer to further control the data that is available to the SSO/OAM user. For example, you might want to call custom PL/SQL functions that take the GUID or SSO/OAM user name to perform application-specific initialization.
To modify database triggers to use the GUID, SSO or OAM user name:
1. Create a suitable database trigger.
2. Add the required code to manipulate the GUID or SSO/OAM user name.
Tip: To return the GUID or SSO/OAM user name passed by Discoverer, query the CLIENT_IDENTIFIER attribute of the USERENV application context namespace using the following function call:
SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')
Notes
■ The GUID or SSO/OAM user name passed by Discoverer is available as early as the execution of the database LOGON trigger.
■ If Discoverer is not configured to use Oracle Single Sign-On, the SYS_CONTEXT function call returns NULL.
■ The SSO user name is available with Oracle9i Release 1 and later databases.
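The pieces described in Sections 13.9.2 and 13.9.6, wired together as an added example (not code from the Oracle guide): a LOGON trigger copies CLIENT_IDENTIFIER into CONTEXT1, and a VPD policy function filters the Sales base table on it. The names sec_admin, acme_ctx, sales_owner.sales and the owner_guid column are assumptions made for illustration.

```sql
-- Added example. Hypothetical names: sec_admin, acme_ctx, sales_owner.sales, owner_guid.
-- 1. Application context that only the named package is allowed to set.
CREATE OR REPLACE CONTEXT acme_ctx USING sec_admin.acme_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.acme_ctx_pkg AS
  PROCEDURE set_context1;
END acme_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.acme_ctx_pkg AS
  PROCEDURE set_context1 IS
  BEGIN
    -- Copy the GUID or SSO user name passed by Discoverer into CONTEXT1.
    DBMS_SESSION.SET_CONTEXT('ACME_CTX', 'CONTEXT1',
                             SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'));
  END set_context1;
END acme_ctx_pkg;
/
-- 2. LOGON trigger (step 4 of the Acme example).
CREATE OR REPLACE TRIGGER sec_admin.acme_set_context1
  AFTER LOGON ON DATABASE
BEGIN
  sec_admin.acme_ctx_pkg.set_context1;
END;
/
-- 3. VPD policy function (step 3): returns the predicate appended to queries.
CREATE OR REPLACE FUNCTION sec_admin.sales_by_context1 (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- CLIENT_IDENTIFIER is NULL when SSO is not configured: return no rows.
  IF SYS_CONTEXT('ACME_CTX', 'CONTEXT1') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'owner_guid = SYS_CONTEXT(''ACME_CTX'', ''CONTEXT1'')';
END;
/
-- 4. Attach the policy to the base table of the Sales workbook.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_OWNER',
    object_name     => 'SALES',
    policy_name     => 'SALES_BY_CONTEXT1',
    function_schema => 'SEC_ADMIN',
    policy_function => 'SALES_BY_CONTEXT1',
    statement_types => 'SELECT');
END;
/
```

Because CLIENT_IDENTIFIER is supplied by the connecting client, the filter is only as trustworthy as the tier that connects with the public connection's database account. Keep that account's credentials limited to the Discoverer middle tier.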
13.9.7 How to use the eul_triggerpost_login trigger