Manage Security
This chapter provides information about how Noetix Generator for Oracle Business Intelligence (Noetix Generator) manages user access and related security features.
Security Group Structure
During the repository generation process, Noetix Generator creates a security group in the Oracle WebLogic Server for each Magnitude NoetixViews (NoetixViews) role or Noetix Analytics for Oracle E-Business Suite (Noetix Analytics) relationship set that the administrator selects in the Noetix Generator interface. These groups will be created with a prefix according to the Top Level Name defined on the Target Parameters tab of the Noetix Generator for Oracle BI tool.
For Noetix Analytics:
A group is generated for each relationship set selected for generation in Noetix Generator. These groups have access to the associated presentation tables in the generated presentation catalogs and also have access to the generated connection pool used to execute queries against the Operational Data Store and data marts. For example, the Nightly AP Invoice Details group has access to the presentation tables in the Nightly AP Invoice Details folder in the AP Nightly presentation catalog.
In addition, one group is created for each business area selected for generation. These groups inherit permission from the associated relationship set-based groups. They are intended to be used to grant access to an entire presentation catalog and all of the relationship sets contained within it.
For NoetixViews (Standard and Cross Operations editions):
The NoetixViews role-based groups have access to the associated views in the generated presentation catalogs and the generated connection pool. For example, the AP1_Payables group has access to the presentation tables under the AP1_Payables folder in the Oracle BI presentation catalog that contains it.
In addition, one group is created for each organizational unit that is generated. These groups inherit permission from the associated NoetixViews role groups. Organizational unit groups are intended to be used to grant access to an entire presentation catalog.
During the generation of NoetixAnswers, Noetix Generator will create one group in Presentation Services for each NoetixViews role that has been selected for generation. These groups will have the same name as the NoetixViews-role groups that were previously generated into the Oracle BI repository. This allows the Presentation Services groups to inherit their group membership from the repository-based groups.
For NoetixViews (Global edition):
A group is generated for each global role selected for generation into the Oracle BI repository. These groups will be named according to the following format: [<Top Level Name>] <Global Subject Area>-<Global Role>, for example [Noetix-Production] NoetixViews for Oracle Financials-GLG0_LEDGER.
These groups provide members with access to the presentation tables and hierarchies under the associated functional folder in the presentation catalog (General Ledger Views in the example above) and to the connection pool necessary for running reports. Each global role-based group also provides access to the single and multi-structure key flexfield views associated with the functional area.
In addition, one group is created for each global subject area selected for generation. These groups will be named after the global subject area, for example [Noetix-Production] NoetixViews for Oracle Financials, and will inherit permission from the global role-based groups contained in the presentation catalog. They can be used to grant access to an entire presentation catalog.
During the generation of NoetixAnswers, Noetix Generator will create one group in Presentation Services for each global role group generated into the repository. These groups will have the same name as the global role group in the repository, allowing the Presentation Services groups to inherit their group membership from the repository-based groups.
NOTE: Noetix Generator removes certain special characters, such as “[”, “]”, and “:”, from the names of the application roles it generates into the Oracle WebLogic Server to work around a bug introduced into Oracle BI 11.1.1.5 by Oracle. If Noetix Generator detects that it is regenerating application roles that were originally generated against Oracle BI 11.1.1.3 (that version of Oracle BI did not include the bug), it will migrate the existing role membership to the newly generated roles and then remove the old roles from WebLogic.
Granting User Access Using Generated Security Groups
After a generation is complete, users must be given access to the generated presentation catalogs before they are able to write or execute reports in Oracle BI using NoetixViews or Noetix Analytics. Access to the generated presentation catalogs is provided by making users members of the groups created during generation.
You can add users to the generated groups directly or indirectly to give them access to the necessary presentation catalogs through WebLogic. For more information about administering groups within Oracle BI, see Oracle Business Intelligence documentation.
Use the following guidelines when granting access:
Existing groups in the repository should be given membership to the generated groups whenever possible, rather than directly to individual users. Adhering to this guideline leverages permission inheritance capabilities of Oracle BI and minimizes the time spent administering data security.
Because subject area-based groups have access to all of the NoetixViews roles or relationship sets associated with them, adding members to one of these groups is equivalent to adding the same members to the individual NoetixViews role or relationship set groups associated with the subject area. Therefore, subject area-based groups should be used whenever possible instead of using the individual NoetixViews role or relationship set groups.
NOTE: Use individual NoetixViews role groups if granting membership to an organizational unit group would result in more access than necessary.
Example:
The following example describes when to use subject area groups and NoetixViews role groups. This example describes NoetixViews content, but is applicable to the subject area and relationship set groups generated for Noetix Analytics content as well. In this security scenario, two organizational unit presentation catalogs exist:
- Set of Books1 contains the roles GL1 and FA1
- Set of Books2 contains the roles GL2 and FA2
Two users need access to these sets of books:
- User1 needs access to GL1 and FA1
- User2 needs access to GL1, GL2 and FA2
User1:
User1 needs to be given membership to the organizational unit group for Set of Books1 because this set of books contains each of the roles that User1 needs access to.
User2:
User2 needs to be given membership to the NoetixViews role group for GL1 because giving membership to the organizational unit group for Set of Books1 would provide too much access. In addition, User2 should be given membership to the organizational unit group for Set of Books2 because it contains the GL2 and FA2 roles, which User2 needs access to.
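The guideline above can be applied mechanically: grant the organizational unit (or subject area) group only when the user needs every role the catalog contains, and otherwise grant the individual role groups. The following is an added example, not Noetix Generator code, that implements that rule for any set of catalogs and users and reproduces the User1/User2 outcome described in this section. The catalog and user data are constructed to match the example; the group labels ("org unit group", "role group") are assumptions used only to make the output readable.

```python
"""Plan least-privilege memberships in generated Noetix security groups.

Added example (not Noetix Generator code). Prefer the organizational-unit
group when a user needs every role in that presentation catalog, otherwise
fall back to the individual NoetixViews role groups so the user receives no
more access than needed.
"""
from typing import Dict, List, Set

# Constructed: organizational unit presentation catalog -> roles it contains.
CATALOGS: Dict[str, Set[str]] = {
    "Set of Books1": {"GL1", "FA1"},
    "Set of Books2": {"GL2", "FA2"},
}

# Constructed: user -> roles the user actually needs.
USERS: Dict[str, Set[str]] = {
    "User1": {"GL1", "FA1"},
    "User2": {"GL1", "GL2", "FA2"},
}


def plan_memberships(needed: Set[str], catalogs: Dict[str, Set[str]]) -> List[str]:
    """Return the smallest list of generated groups that grants exactly `needed`.

    For each catalog: if the user needs every role in it, grant the
    organizational-unit group (one membership covers all of its roles).
    Otherwise grant only the role groups the user needs from that catalog.
    Roles that appear in no catalog raise an error instead of being dropped.
    """
    grants: List[str] = []
    remaining = set(needed)
    for catalog, roles in catalogs.items():
        wanted = roles & remaining
        if not wanted:
            continue
        if wanted == roles:
            grants.append(f"org unit group: {catalog}")
        else:
            grants.extend(f"role group: {r}" for r in sorted(wanted))
        remaining -= wanted
    if remaining:
        raise ValueError(f"roles not in any catalog: {sorted(remaining)}")
    return grants


def effective_roles(grants: List[str], catalogs: Dict[str, Set[str]]) -> Set[str]:
    """Expand a grant list back into the roles it actually exposes.

    Organizational-unit groups inherit from every role group in the catalog,
    so one such membership exposes all of the catalog's roles.
    """
    roles: Set[str] = set()
    for grant in grants:
        kind, _, name = grant.partition(": ")
        if kind == "org unit group":
            roles |= catalogs[name]
        else:
            roles.add(name)
    return roles


def over_grant(grants: List[str], needed: Set[str], catalogs: Dict[str, Set[str]]) -> Set[str]:
    """Roles a grant list exposes beyond what the user needs (empty is the goal)."""
    return effective_roles(grants, catalogs) - set(needed)


if __name__ == "__main__":
    for user, needed in USERS.items():
        plan = plan_memberships(needed, CATALOGS)
        print(user, "->", plan, "| excess:", sorted(over_grant(plan, needed, CATALOGS)))
```

Running the block prints one line per user; `over_grant` is the check a security administrator would run before applying a plan, and it shows why User2 must not simply be added to the Set of Books1 group (that would expose FA1 as well).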
Granting Access to NoetixAnswers
During the generation of NoetixAnswers, Noetix Generator secures the generated objects so users that have access to the presentation catalogs generated into the Oracle BI repository also have access to the corresponding NoetixAnswers content. Noetix Generator grants access to NoetixAnswers content directly to the application roles it generates into the Oracle WebLogic Server.
Users that have been granted access to the NoetixViews-based presentation tables in the repository will automatically be able to access the dashboard and report templates associated with those Noetix views. No additional security setup is necessary to make NoetixAnswers available.
NOTE: Users will not be able to access the generated dashboards in Oracle BI Dashboards if the Dashboard Access Level option is set to No Access.
Setting the Dashboard Access Level
Noetix Generator allows administrators to set the access level to grant authorized users of the generated dashboard templates. The access level chosen will impact how end users interact with the dashboard templates. The access levels available through Noetix Generator are listed below, along with the effect each will have on the end user experience.
- Read: Read permission gives authorized users the ability to view the associated dashboards and the data displayed on them. Read permission will not, however, allow users to modify or make copies of the dashboards. If this option is selected, users will have to use the dashboard templates in their as-generated form.
NOTE: While end users will not have the ability to modify the generated dashboards, administrators can customize how dashboards are generated to tailor them to the business need. See Customizing NoetixAnswers in Customizing Generated Content for more information on customizing NoetixAnswers.
- Change: Change permission builds on Read permission by giving authorized users the ability to modify and delete the associated dashboards. This option also provides end users with the ability to create copies of dashboards to customize their own copy.
Because Oracle BI Dashboards does not give end users a way to copy dashboard pages under the lower Read permission, Change should be selected in order to allow users to use the dashboards as the templates they were designed to be. Care should be taken to train users not to modify the dashboards in place or to delete them, since those actions would affect all other users of those dashboards.
If this option is selected, Magnitude recommends scheduling frequent regenerations of NoetixAnswers to reset any accidentally changed or deleted dashboards to their original form. Routine regeneration will also train end users not to modify dashboards in place.
WARNING: Change permission should be used with care, since it grants end users more control over the generated dashboard templates.
- Full Control: Full Control permission builds on Change permission by giving the user full control over the generated dashboards. They will be able to grant permission to others.
WARNING: Full Control permission should be used with care, since it grants end users complete permission over the generated dashboard templates.
- No Access: No Access permission removes all access to the generated dashboard templates. If this option is chosen, authorized users will only have access to the generated report templates in Oracle BI Answers.
This option can be selected if it is desired that end users create their own dashboards or not use Oracle BI Dashboards at all.
WARNING: If No Access permission is chosen, users should be instructed to create their own dashboard pages using the generated report templates. These report templates should make use of the global prompts that were created for each report template.
If Oracle BI Dashboards should be avoided completely, users should be instructed to change the “is prompted” filters created in the generated report templates into standard filters or into prompts defined within Oracle BI Answers. The generated report templates that contain “is prompted” filters must have values specified for those filters in order to work properly.
Row Level Data Security
The global form of Noetix views enables security administrators to take advantage of the data access privileges that they have already set up in Oracle E-Business Suite. Reports and dashboards built against the global views will have their data sets automatically filtered based on the access privileges configured for a user.
Global views look up a given user’s access privileges using the business intelligence tool user’s login name. This section defines the process that must be undertaken to configure the connection pool in the Oracle BI repository to enable this login-name lookup. See the NoetixViews documentation for more information on the specifics of row level security in global views.
NOTE: This section is applicable to only the global form of Noetix views. Row-level security is not available for standard or Cross Operations Extension (XOP) forms of NoetixViews, or for Noetix Analytics.
To configure the connection pool for row level security:
Generate global views into the Oracle BI repository. See “Generating UDML Files and Repository Using Noetix Generator in Generate Oracle BI Repository and NoetixAnswers” for more information on generating NoetixViews into Oracle BI.
Open the repository using the Oracle BI Administration Tool.
Navigate to the connection pool created by the generator and open its Properties dialog.
Check Require fully qualified table names on the General tab if it’s not already checked.
Change the user name for the shared logon to use the Oracle E-Business Suite database’s APPS account. Provide the password for the APPS account in the Password box.
NOTE: The APPS account is required for row level security to work for certain modules because they utilize Oracle E-Business Suite security capabilities that require the APPS account.
Navigate to the Connection Scripts tab. Add the following PL/SQL block as an Execute before query script:
Add another Execute before query script after the one mentioned in the previous step for the following PL/SQL block:
BEGIN
  apps.xxnao_map_user_apps_init(
    '[NOETIX_SYS Schema Name]',
    'VALUEOF(NQ_SESSION.USER)',
    '[Registered BI Tool Name]' );
END;
NOTE: Line breaks must be removed from the PL/SQL block before using with Oracle BI. A bug in some versions of Oracle BI may cause errors in multiline scripts.
Replace [NOETIX_SYS Schema Name] in the PL/SQL block from the previous step with the name of the NOETIX_SYS schema associated with the global views generation, in upper case.
Replace [Registered BI Tool Name] in the PL/SQL block from the previous step with the name of the Oracle BI server, as it was registered in NoetixViews Administrator. See the NoetixViews Administrator Help File for more information on registering a BI tool server.
Add the following PL/SQL block as an Execute after query script:
BEGIN dbms_session.reset_package; END;
Press OK to save the changes made to the connection pool. The Oracle BI repository is now configured to enable row level security in the global views. If you have multiple instances of NoetixViews Global Extension in the Oracle BI repository, repeat this process with each additional instance to configure row-level security for those instances as well.
NOTE: With this connection pool configuration, BI tool users must be registered in Noetix Security Manager before users will be able to retrieve rows from the global views. An error will be returned in OBI Presentation Services if a user attempts to run reports or view dashboards prior to being registered. See the Magnitude NoetixViews Administrator Guide for more information on registering BI tool users.
TIP: Magnitude recommends registering the Oracle BI “administrator” user as a BI tool user in Noetix Security Manager. That will make it possible to return data from NoetixViews when dashboards or requests are executed as the administrator.
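The placeholder substitution and the single-line requirement above are easy to get wrong when pasting into the Administration Tool. The following is an added example, not Noetix Generator or Oracle code, that renders the “Execute before query” block from this section with both placeholders filled, upper-cases the NOETIX_SYS schema name as the steps require, leaves VALUEOF(NQ_SESSION.USER) untouched for Oracle BI to substitute at run time, collapses the block to one line, and reports anything that would make the script unusable. The schema and BI tool names used at the bottom are constructed sample values, and the character check on those names is an added precaution, not something the procedure calls for.

```python
"""Render and check the connection-pool scripts for global-view row level security.

Added example (not Noetix Generator code). The PL/SQL text itself is the
block given in this section; only the placeholder handling and checks are new.
"""
import re
from typing import List

BEFORE_QUERY_TEMPLATE = (
    "BEGIN apps.xxnao_map_user_apps_init( "
    "'[NOETIX_SYS Schema Name]', "
    "'VALUEOF(NQ_SESSION.USER)', "
    "'[Registered BI Tool Name]' ); END;"
)
AFTER_QUERY_SCRIPT = "BEGIN dbms_session.reset_package; END;"

# Added precaution: values are spliced into single-quoted PL/SQL literals, so
# refuse anything that could terminate the literal or carry control characters.
_SAFE_LITERAL = re.compile(r"^[A-Za-z0-9_ .-]+$")


def _check_literal(value: str, what: str) -> None:
    if not _SAFE_LITERAL.match(value):
        raise ValueError(f"{what} contains characters not allowed in the script: {value!r}")


def render_before_query_script(noetix_sys_schema: str, bi_tool_name: str) -> str:
    """Return the one-line before-query script with both placeholders replaced."""
    schema = noetix_sys_schema.upper()  # the procedure requires upper case
    _check_literal(schema, "NOETIX_SYS schema name")
    _check_literal(bi_tool_name, "registered BI tool name")
    script = (BEFORE_QUERY_TEMPLATE
              .replace("[NOETIX_SYS Schema Name]", schema)
              .replace("[Registered BI Tool Name]", bi_tool_name))
    # Collapse all whitespace runs, including any line breaks, to single spaces.
    return " ".join(script.split())


def validate_script(script: str, expect_user_lookup: bool = True) -> List[str]:
    """Return the problems found in a rendered script; an empty list means ready to paste."""
    problems: List[str] = []
    if "\n" in script or "\r" in script:
        problems.append("script contains line breaks")
    if "[NOETIX_SYS Schema Name]" in script or "[Registered BI Tool Name]" in script:
        problems.append("placeholder not replaced")
    if expect_user_lookup and "VALUEOF(NQ_SESSION.USER)" not in script:
        problems.append("VALUEOF(NQ_SESSION.USER) missing; the login-name lookup will not work")
    if not script.rstrip().endswith("END;"):
        problems.append("script does not end with END;")
    return problems


if __name__ == "__main__":
    # Constructed sample values; use your own NOETIX_SYS schema and registered tool name.
    before = render_before_query_script("noetix_sys", "OBIEE_PROD")
    print("before query:", before, validate_script(before))
    print("after query: ", AFTER_QUERY_SCRIPT, validate_script(AFTER_QUERY_SCRIPT, expect_user_lookup=False))
```

Paste the rendered before-query string as the second “Execute before query” script and AFTER_QUERY_SCRIPT as the “Execute after query” script; run `validate_script` on whatever ends up in the connection pool properties if a later edit is suspected of having reintroduced a line break or a placeholder.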
Configuring Oracle BI to Support Row Level Data Security
The row-level data security available in the global form of Noetix views utilizes security packages embedded in the Noetix views themselves. As a result, end users will only be able to access the rows they have permission to see when any reports or dashboard requests are submitted against these Noetix views.
Data caching in Oracle BI can hinder row-level security from working correctly because it redirects requests to cached result sets instead of to the Noetix view in the Oracle database. Users switching between Oracle E-Business Suite responsibilities may not see updated data sets based on the new responsibility because Oracle BI will use the cached result set that was specific to the previous responsibility. In addition, if a previously granted responsibility is revoked from a user, that user may still be able to view data sets specific to the now revoked responsibility if Oracle BI has cached result sets pertaining to that user and responsibility.
To eliminate these conditions, Magnitude recommends:
Turning off data caching in the Oracle BI Server by modifying the BI Server Cache settings in Oracle Enterprise Manager. If turning data caching off at the server level is too invasive, caching can be turned off at the table level in the Oracle BI repository through the use of a generator hookscript.
Turning off Presentation Services caching by modifying the instanceconfig.xml file.
See the documentation that ships with Oracle BI for more information regarding making these changes.
To use generator hookscripts to disable caching at the physical table level:
Navigate to the [Noetix Generator Installation Folder]\Scripts folder.
Open the hk_popgvw.sql hookscript using a text editor.
Add the following statements to the file and then save it:
@utlspon &GEN_API_DIR/hk_popgvw
update n_gen_views
set cache_mode = 'NoCache';
commit;
@utlspoff
Open the hk_popglov.sql hookscript using a text editor.
Add the following statements to the file and then save it:
@utlspon &GEN_API_DIR/hk_popglov
update n_gen_lovs
set lov_cache_mode = 'NoCache';
commit;
@utlspoff
These hookscripts will disable caching on all Noetix-generated physical tables, including ones based on list of values (LoV) views.
Regenerate Noetix content into the Oracle BI repository. Make sure that the Cacheable check box in the properties of the Noetix-generated physical tables is not selected when you inspect the repository after the regeneration completes.