Setup Oracle BIA 7963 – Data Security

Customer wants to secure their data based on things like Ledger, Company, Operating Unit, etc. All users who login via Oracle eBS should inherit (based on the current responsibility) the same security settings in Oracle BI. The following is a possible solution.

Environment

  • Oracle eBS R12.1.1
  • Oracle BI EE 11.1.1.6.0
  • Oracle BIA 7.9.6.3
Setup

The setup consists of a few different parts

Data Security

The Data Security is based on different Roles and a Profile Option assigned to the responsibilities in Oracle eBS

Oracle eBS

  • Create ‘BI Type User’-profile option
  • Assign ‘BI Type User’-profile option to Responsibility
  • Assign Responsibility to User

Each Responsibility has either a specific ‘BI Type User’-profile option or a ‘BI Type User’-profile option on Site level. A view (xx_obia_user_groups_v) in Oracle eBS ‘holds’ the profile option information.

select fpov.level_value responsibility_id
 , fpov.level_value_application_id application_id
 , 'OBIA '
 || fpov.profile_option_value autorisatierol_code
 , fl.meaning autorisatierol
 from applsys.fnd_profile_option_values fpov
 , apps.fnd_profile_options_vl fpo
 , apps.fnd_lookups fl
 where fpo.profile_option_id = fpov.profile_option_id
 and fpo.application_id = fpov.application_id
 and fpov.profile_option_value = fl.lookup_code
 and fl.lookup_type = 'BI_TYPE_GEBRUIKER'
 and fpo.profile_option_name = 'XXBI_TYPE_GEBRUIKER'
 and fpov.level_id = 10003

Oracle BI

In Oracle BI, there is a Initialization Block which populates the; ROLES Session Variable

select ( select sector
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 || ';'
 || ( select autorisatierol_code "ROLES"
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 || ';'
 || ( select responsibility_key "ROLES"
 from apps.xx_obia_user_groups_v
 where responsibility_key = 'VALUEOF(NQ_SESSION.OLTP_EBS_RESP_KEY)'
 and responsibility_id = valueof ( nq_session.oltp_ebs_resp_id ) )
 "ROLES"
 from DUAL

Oracle Enterprise Manager (EM)

In the EM ‘all’ the different Application Roles, related to the Data Security are created.

There are a few different Application Roles;

  • Out-of the box
  • Data Security
  • eBS Profile

Out-of-the-Box

  • BIAdministrators
    • Administration privileges.
  • BIAuthors
    • Create, use or consume content.
  • BIConsumers
    • Use / consume content,
    • Every authenticated user.
  • BISystem
    • Component connections between products.

Data Security & eBS Profile

Oracle BI Administrator (Identity Manager)

In the Identity Manager, the Business Model Filters are applied to the Data Security Application Roles

The Business Model Filters are based on the Initialization Blocks. Some out-of-the-box, others custom.

This setup should be sufficient to apply Data Security to all queries, which query the Logical Tables with the Business Model Filters applied to it.

Note: Application roles data filters won’t apply for users with BI Administrator role.

By definition the BIAdministrator application role is granted the “oracle.bi.server.manageRepositories” permission, which is equivalent to the 10g “Administrator” user who also had unrestricted access. Hence, data filters won’t affect users with BIAdministrator Role. (source: Oracle Support)

Author: Daan Bakboord

I am an Oracle Business Analytics Consultant with great interest in anything closely related to the Oracle Business Analytics (OBIEE, BICS, Big Data, Data Integration, Data Visualization) .

3 thoughts on “Setup Oracle BIA 7963 – Data Security”

  1. Hi Daan,

    Do you have idea about configuring object level security in BI Apps 7.9.6.3. I am struggling with implementation of object level security. I am making use of only application roles for the security configuration. Below are the steps that i followed :

    1) Created application roles in OBIEE with the same resposiblity names
    2) Grouped the application roles in diffrent groups. I.e. if application roles a,b,c should have access to dashboard x then i made b and c member of a.
    3) Configured security in manage previleges and catalog for these application roles i.e. i used application role a mentioned in step 2 in manage previleges etc.
    4) Restarted the BI server and presentation servers.

    Are there any other steps which should be followed . Do i have to make use of groups

    Regards,
    Sandeep

    Like

    1. Hi Sandeep,

      After step 1, you might need to use the ROLES System Session Variable in the Oracle BI EE Admin Tool. With this Session Variable you will make the match between the Application Role and the Responsibility. There is a standard Initialization Block, which populates the GROUP variable. Try to change that one to the ROLES variable or make a new Initialization Block.

      Good Luck.

      – Daan

      Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s