By looking at the diagram below we can figure out that assigning Application Roles rather than permissions(read, write, execute) on the Dashboards and Reports.
We cannot assign basic permissions(Read, Write and Execute) on Dashboard and Reports, since Dashboards and Reports consist of actions like scheduling, executing, viewing, editing, embedding etc.
Hence the two level of granting accessing to users/groups and granting an Application Role to the user/group
In OBIEE 11g we first create users and groups then copy an existing application role.
First we put a user into a group then put the group into the newly copied application role.
Here Application Roles already exist, mentioning the Application Policies(type of accesses given on various type of resources). Hence the copying of Application Roles rather than the creation of Application Roles.
Lets observe how permissions are set on reports:
- Open the URL in a your web browser: http://localhost9704/analytics and login in as the Administrator i.e. weblogic user.
- Open the "Samples Sales Lite" , Catalog on the analytics menu then on the left "Folders" pane select "Shared Folders" -> "Sample Lite" -> "Published Reporting" -> "Analyses".
- On the right pane, select the "Quarterly Revenue" options, "More", then "Permissions".
- You can observe that "Bi Administrator Role" and "BI Consumer Role" roles have been allocated by default when a reports gets created by the Administrator "weblogic" user.
- Now lets go and observe what these "BI Administrator Role" and "BI Consumer Role" are composed of.
- Open the URL: http://localhost:7001/em and login with the "weblogic" user.
- Expand the "Farm_bifoundation_domain" then the "WebLogic Domain" and select "bifoundation_domain".
- On the right pane select "WebLogic Domain" -> "Security" -> "Application Policies" as show in the below screenshot.
- Once the "Application Policies" window opens up on the right pane, in the "Search" Section select "obi" for the "Application Stripe" and "Application Role" for the "Principal Type", then click on the blue button with yellow arrow .
- Select the "BIAdministrator" and click the "Edit..." link to show the "Edit Application Grant" page.
- As you can observe in the "Permissions" section it lists all the available resources allocated to this "BIAdministrator" Application Role.
- You can observe the same for the "BIAuthor" Application Role.
- On the right pane select "WebLogic Domain" -> "Security" -> "Application Roles".
- Once the "Application Roles" window opens up on the right pane, in the "Search" Section select "obi" for the "Application Stripe", then click on the blue button with yellow arrow .
- Select the "BIAdministrator" and click the "Edit..." link to show the "Edit Application Role : BIAdministrator" page.
- You can observe in the "Members" section that "BIAdministrators" group is included for this "BIAdministrator" Application Role.
- Now open the URL: http://localhost:7001/console and login as "weblogic" administrative user.
- On the "Domain Structure" Pane , select "Security Realms".
- Under the "Summary of Security Realms" section in the right pane, select "myrealm", then click on the "Users and Groups" Tab, then on the "Groups" tab.
- You can observe that a "BIAdministrators" group displayed in above screenshot is coming from here.
- You can also click on the "Users" tab and observe that the "weblogic" exists in the "BIAdministrators" group by clicking on the "weblogic" user and selecting the "groups" tab.
- This observation is which makes our initial user, group and application role relationship complete.
We have now experienced how OBIEE 11g is handling our Authentication and Authorization to different resources. As a safety habit its better to use the "Create Like..." link and copy and create your "Application Roles" and "Application Policies" of working the default ones.
In many cases you might unknowingly change the permissions or delete them which will effect proper functioning of the OBIEE's default security policies.