About
Fusion Middleware applications use a role-based access control model. Security is defined in terms of application roles that are mapped to directory server groups and users.
The mapping is done in the application role definition.
Example of mapping between Directory Server Group/User and OBIEE Application Role:
Directory Server Group and User | Application Role Name | Application Role and User Permission |
---|---|---|
User1, User2, User3 | BIConsumer | access reports |
User4, User5 | BIAuthor | create reports |
User6, User7 | BIAdministrator | manage repositories |
An Application role can contain:
- other application roles,
- groups,
- or individual users.
The application role data are stored in the policy store.
Management
Web Interface
Note:
- The application roles in the policy store are retrieved by the application (for instance Oracle BI Server) when it starts.
XML Policy Store
Extract from the XML file that stores the policy store
<?xml version='1.0' encoding='utf-8'?>
<jazn-data>
  <jazn-realm>
  </jazn-realm>
  <policy-store>
    <applications>
      <application locale="en_US">
        <!-- The application stripe -->
        <name>obi</name>
        <!-- The application roles -->
        <app-roles>
          <app-role>
            <name>BISystem</name>
            <display-name>BI System Role</display-name>
            <guid>DE4C58507EE611E3BF4F91CA9C3BA5FC</guid>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <!-- The members -->
              <member>
                <class>weblogic.security.principal.WLSUserImpl</class>
                <name>BISystemUser</name>
              </member>
            </members>
          </app-role>
................
The application's principal and role classes are Oracle Platform Security Services class names.
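Because an application role can contain other application roles, the users and groups that effectively hold a role are not always visible in its own `<members>` list. The following added example (not part of the original page, and not Oracle code) parses a policy store in the layout shown above and flattens nested roles. The sample XML, the nesting between the roles, the group name `BIAdministrators`, the class `weblogic.security.principal.WLSGroupImpl` and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"
USER = "weblogic.security.principal.WLSUserImpl"
GROUP = "weblogic.security.principal.WLSGroupImpl"  # assumption: not on the page
# Constructed sample in the layout of the extract above (not a real policy store).
SAMPLE = """<jazn-data><policy-store><applications><application>
  <name>obi</name>
  <app-roles>
    <app-role><name>BIConsumer</name><members>
      <member><class>{u}</class><name>User1</name></member>
      <member><class>{r}</class><name>BIAuthor</name></member>
    </members></app-role>
    <app-role><name>BIAuthor</name><members>
      <member><class>{u}</class><name>User4</name></member>
      <member><class>{r}</class><name>BIAdministrator</name></member>
    </members></app-role>
    <app-role><name>BIAdministrator</name><members>
      <member><class>{u}</class><name>User6</name></member>
      <member><class>{g}</class><name>BIAdministrators</name></member>
    </members></app-role>
  </app-roles>
</application></applications></policy-store></jazn-data>""".format(u=USER, g=GROUP, r=APP_ROLE)

def load_roles(xml_text, stripe):
    """Return {role: [(member_class, member_name), ...]} for one application stripe."""
    root = ET.fromstring(xml_text)
    for app in root.iterfind("policy-store/applications/application"):
        if app.findtext("name") == stripe:
            return {r.findtext("name"): [(m.findtext("class"), m.findtext("name"))
                                         for m in r.iterfind("members/member")]
                    for r in app.iterfind("app-roles/app-role")}
    raise KeyError(stripe)

def effective_members(roles, role, seen=None):
    """Flatten nested application roles into a set of (principal class, name)."""
    seen = set() if seen is None else seen
    if role in seen:  # cyclic or repeated nesting: this role is already expanded
        return set()
    seen.add(role)
    out = set()
    for cls, name in roles.get(role, []):
        if cls == APP_ROLE:  # member is itself an application role: recurse
            out |= effective_members(roles, name, seen)
        else:  # user or group principal: keep the short class name as its kind
            out.add((cls.rsplit(".", 1)[-1], name))
    return out

if __name__ == "__main__":
    print(sorted(effective_members(load_roles(SAMPLE, "obi"), "BIConsumer")))
```

In the constructed sample, `BIConsumer` lists only `User1` and the `BIAuthor` role directly, yet the flattened result also includes `User4`, `User6` and the `BIAdministrators` group.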
WLST Scripting
With the OPSS scripts:
listAppStripes(regularExpression="obi*")
listAppRoles(appStripe="obi")
Application
OBIEE
In OBIEE, you can see the application roles through the ROLES system session variable:
@{biServer.variables['NQ_SESSION.ROLES']}