Comparing the Oracle Business Intelligence 10g and 11g Security Models
The security policy for Oracle Business Intelligence 11g defines what individual users and users with certain application roles can access and do. In Oracle Business Intelligence 11g, the security policy definition is split across the following:
-
Presentation Catalog - this defines which catalog objects and Oracle BI Presentation Services functionality given users and application roles can access.
-
RPD - this defines which application roles and users have access to which items of metadata within the RPD. You define this security policy in the Administration Console.
-
Policy Store - this defines which Oracle Business Intelligence Server, Oracle Business Intelligence Publisher and Real Time Decisions functionality can be accessed by given users or users with given application roles. Use Oracle Enterprise Manager to configure the default Oracle Business Intelligence Policy Store.
Oracle Business Intelligence10g and 11g security models differ in the following areas:
-
Defining users and groups - in Oracle Business Intelligence 10g, it was possible to define users and groups within a repository file using the Oracle BI Administration tool. In Oracle Business Intelligence 11g, you can no longer define users and groups within a repository. The Oracle Business Intelligence Enterprise Edition Upgrade Assistant migrates users and groups from a 10g repository into the embedded LDAP server in an 11g installation.
-
Defining security policies - in Oracle Business Intelligence 10g, security policies in the Web catalog and repository can be defined to reference groups within a directory. In Oracle Business Intelligence 11g, security policies are defined in terms of application roles, which are in turn mapped to users and groups in a directory. This allows an Oracle Business Intelligence 11g system to be deployed without changes to the corporate directory and eases movement of artifacts between development, test and production environments.
-
Use of the Administrator user - in an Oracle Business Intelligence 10g installation, a special user named, Administrator has full administrative permissions and is also used to establish trust between processes within that installation. In Oracle Business Intelligence 11g there is no special significance to the name Administrator and there can be one or more users who are authorized to undertake different sets of administrative functions. In Oracle Business Intelligence 11g the identity used to establish trust between processes in an installation is configurable and independent.
-
Repository encryption - in Oracle Business Intelligence 10g, certain sensitive elements within a repository are encrypted. In Oracle Business Intelligence 11g, the entire repository is encrypted using a key derived from a user supplied password. An 11g repository can only be opened with the password, and there is no mechanism to recover a lost password.
The following aspects of the Oracle Business Intelligence 10g security model remain in 11g:
-
Oracle Business Intelligence Server Initialization Blocks - Oracle Business Intelligence Server 11g continues to support the use of initialization blocks for authentication and authorization. In 10g Oracle Business Intelligence Server falls back to use initialization blocks if a matching user cannot be found in the repository. In 11g Oracle Business Intelligence falls back to use initialization blocks if the user cannot be authenticated by the installation's configuration authentication provider.
-
Presentation Catalog Groups - Oracle Business Intelligence 11g continues to support the definition of catalog groups within the presentation catalog. These groups are only visible within Oracle Business Intelligence Presentation Services. Oracle recommends that presentation catalog groups be used for backward compatibility only and that application roles be used instead for new installations.
-
SA System Subject Area - Oracle Business Intelligence 11g supports the use of SA System Subject Area in combination with Oracle Business Intelligence Server initialization blocks to access user, group, and profile information stored in database tables.