
1 Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Confidential – Oracle Internal


Oracle BI Applications 11.1.1.7.1
Security, Integration, Flexfield Support, and
Group Account Number Configuration

BI Applications Workshop

Fanny Cai
Platform Technology Solutions

Agenda

 After completing this lesson, you should be able to:
– Describe BI Applications Security Architecture and
components
– Describe the integrations of the Oracle BI Applications
within the Oracle Applications family
– Describe the options for handling EBS Flexfields within
the OBAW and BIEE 11g frameworks
– Understand the Group Account Number Configuration

BIEE 11g Security Architecture

Security Terminology
 Authentication
– User credentials (typically login / password validation)
 Authorization
– Obtaining users' application roles using supported mechanisms
 Object Security
– RPD subject area permissions
– Webcat Permissions
 Data Security
– Data filters used in RPD for DW data security

BIEE 11g Authentication / Authorization
 Out of box integration with Fusion Middleware
 Authentication and Authorization are managed by Weblogic
– Weblogic pluggable security architecture leveraged by BIEE
– RPD does not contain users, etc.
 Weblogic Authentication
– Default “Weblogic Embedded LDAP” authenticator
– Can be configured to use OID, SSO, Active Directory or other
supported authenticators
 Weblogic Authorization
– Default is OPSS XML store containing “Application Roles”
– OPSS OID store can be used as alternative

Application Roles
 FMW “Application Roles” are the foundation of BI object and data
security
– Application roles carry RPD and WebCat permissions
– Application roles carry data filters
 Application Role Lifecycle
– Defined and managed using FMW tools
– Visible and consumed by BIEE

Tools for Configuring Security in a Default
Installation

Relationship with the Default Security Providers

BIApps PS1 Security

Security - PS1 Release Summary

 Addition of a large number of roles in all functional areas over 7.9.6.x
 Enhanced object and data security in all functional areas
 More granular object level security with subject areas where
needed
 Webcat security has been enhanced using new EBS, PeopleSoft,
Siebel roles
 Webcat is made read only to protect out of box content

BIApps Role Based Security
 RPD
– RPD Subject Area permission assigned to “Application Role(s)”
– RPD Data Filters associated with “Application Role(s)”
 Webcat
– Webcat folder permissions assigned to “Application Role(s)”
 RPD Admin Tool
– “Application Role(s)” are visible in Admin Tool
 Runtime
– User's runtime “Application Role(s)” can be seen under “My Account”

OBIA Catalog & Data Security
[Diagram: End User -> Security Groups -> OBIA Application Roles (Application Role 1, Application Role 2). OBIA Roles drive BIEE Catalog Security (HR Reports, PO Reports) and DW Data Security in the BIA DW (BU Based Security, Managerial Position Based Security, other securing dimensions …).]

Application Roles -
Visible In Admin Tool

Role Based Object Security

Role Based Data Security

Webcat Security – By BI Role
Product / Functional Module security is granted using corresponding duty roles

Webcat Security – BIEE Permissions
OBIA duty roles are assigned the BIEE BI Author privilege by default. The permissions for BI Author can be reviewed/modified using the Manage Privileges page.

Users Runtime Roles

BIEE 10g vs. BIEE 11g

BIEE 10g/11g Security
Comparison
| Area | 10g | 11g |
|---|---|---|
| Authentication | Native or Init Block | FMW Integration; Init Block |
| Getting users source system roles and responsibilities | Init Block | FMW Integration; Init Block |
| RPD Subject Area | Security Group | Application Role |
| RPD Data Filters | Security Group | Application Role |
| Webcat Security | Catalog Group | Application Role (Catalog group still supported but not recommended) |

11g Security – 10g Support

 10g style authentication and authorization still supported
– Init blocks based security is still supported for backward compatibility
– Should not be mixed with FMW authentication/authorization
– RPD “Groups” do not exist
– Webcat “Catalog Groups” exist but should not be used in security
 FMW security is the future direction

11g – Upgrade from 10g
 Upgrade process from 10g to 11g supports smoother migration to 11g by doing the following steps
 Supported for default “Weblogic Embedded LDAP”
 RPD users are added as users in embedded LDAP
 RPD groups are added as groups in embedded LDAP
 groups used in security are created as “application roles”
 Object and data security is migrated to “application roles”
 “Catalog Groups” are not processed by upgrade – they are retained in 11g but should be deprecated manually

PS1 Application Role Lifecycle

Application Roles Lifecycle
 Roles are defined as FMW seed metadata
 Roles are deployed in BIEE environment
 Roles can be managed using “Enterprise Manager”
– New tool available out of box for BIEE11g
 Roles are seen in RPD and Webcat
 RPD and Webcat security is developed using roles

Enterprise Manager

RPD Role Sync Up
 Roles can be made visible in RPD in 2 ways
 Role first added in FMW
– Define role using Enterprise Manager
– When BI Server starts, role references are copied into RPD
– RPD then retains role information in offline mode as well – enabling
offline security development
 Role first added in RPD
– Role can be defined in RPD for security development
– Same role (with *** MATCHING *** name) must be added using
Enterprise Manager
– When RPD is brought online, the FMW and RPD role will match, enabling
security for the role
Webcat Role Sync Up

 Webcat security development is done in online mode only.
 BIApps use same set of roles to secure RPD and Webcat

Role Modifications/Deletions

 FMW is the master source for role attributes
– Role Attributes
 Display Name
 Description
 Role Memberships
– Attribute modification is done using Enterprise Manager – not in RPD
 It is not recommended to delete roles shipped out of box

How Does a User Get Application Roles

11g Security Provisioning

 BIApps security is delivered out of box
– Application Roles
– RPD and Webcat security
 User to application role association is done at setup time
 Two options to associate roles to user
– 10g style – Use init block for role association
– 11g style – Use FMW for role association

User/Role Association - 10g Style
 10g style – still works in 11g
– Supported for backward compatibility
– Use cases like EBS Integrated Deployment
 Use init block to get user's roles from source system
– E.g. Query EBS responsibilities
– Populate GROUP variable with query outcome
– Init block “AUTHORIZATION” used for this purpose
 BIEE assigns roles with same name to user

Data Security for EBS Data
Security
Example: Inventory Org Based Security in Oracle BI

[Diagram: Oracle BI user, Oracle BI, Oracle E-Business Suite]
1. Oracle BI user logs in to Oracle BI
2. Retrieve Inventory Orgs from Oracle E-Business Suite based on FND_USER tables
3. Show data based on application roles filters

User/Role Association - 11g Style
 Users are present in an LDAP
 Typically, customer also has defined “groups” for users
– E.g. Existing LDAP has users and groups defined by customer
– Associate out of box application roles to groups
 BIApps also ships out of box sample groups
– These groups can be associated to users as desired
 Link is “User” -> Group(s) -> Application Role(s)
 The following Init Blocks are not used
– Authentication
– Authorization

Toolbox – Enterprise Manager

 Shipped out of box with 11g
 Manages
– Application Role Lifecycle – Create / Modify / Delete
– Application Role – Application Role membership
– Application Role – Group membership

Toolbox - Weblogic Admin Console
 Shipped out of box for 11g
 Used to manage Weblogic Embedded LDAP (Shipped out of box)
 Manages
– User
– Groups
– User – Group membership
 Used to configure external authenticator
– Use customer LDAP instead of OOB Weblogic Embedded LDAP
 When using external LDAP, other tools may be available

Enterprise Manager –
Application Role / Group Mapping

WLS Admin Console – Users

WLS Admin Console – Groups

WLS Admin Console – Groups/User Mapping

Customer Deployment & Common Issues

Customer Deployment
 Oracle ships duty roles and groups for all applications OOB
 Oracle ships many data security roles that are mapped to one or
more application roles
 Customers will always do the following
– Define users (e.g. user names and passwords)
– Grant application role to a group or users
 Customers can optionally do the following
– Define new security roles for customer specific data & object
security

Error - User can not access Answers
 Symptom
– User can run reports but can’t access Answers
 Probable Cause
– Access to Answers is given to BIAuthor, which is granted to OBIA
Application roles
– User must inherit at least one OBIA Application role
 Fix
– Grant at least one OBIA Application role to user
– Optionally grant BIAuthor to user or group (this will not provide
RPD access)

Error - “No access to any columns” when report is run
 Symptom

 Probable Cause
– Access to underlying subject areas is controlled by OBIA Application
roles
– User does not have the necessary OBIA Application roles
 Fix
– Find out the user's BI roles.
– User needs to get the relevant OBIA Application roles.

Error - Issue with newly created user
 Symptom
– A new user is added but cannot access a BI report that an existing user can access. E.g. user “Ravi Patel” can’t access a Projects dashboard that user “Abraham Mason” can access
 Probable Cause
– Users get access to BI reports via OBIA Application roles. The new
user is not getting the BI role that allows access to the report.
 Fix
– Make sure new user gets same OBIA Application roles as existing
working user
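
The “User” -> Group(s) -> Application Role(s) link and the three errors above can be reproduced with a small model of role resolution. This is an added example, not Oracle code or an Oracle API: the membership data is constructed, and every group and role name except BIAuthor is a hypothetical placeholder (as is “Test User”).

```python
# Added example: a model of role resolution, not Oracle code or an Oracle API.
# All data is constructed; names other than BIAuthor are hypothetical.

# user -> groups (the part managed in the WLS Admin Console)
USER_GROUPS = {
    "Abraham Mason": {"Project Managers"},
    "Ravi Patel": set(),      # new user, not yet placed in any group
    "Test User": set(),       # hypothetical user granted BIAuthor directly
}

# application role -> members (the part managed in Enterprise Manager).
# A member is a ("user" | "group" | "role", name) pair.
ROLE_MEMBERS = {
    "OBIA_PROJECT_ROLE": {("group", "Project Managers")},
    # BIAuthor is granted to the OBIA application role, so it is inherited.
    "BIAuthor": {("role", "OBIA_PROJECT_ROLE"), ("user", "Test User")},
}


def effective_roles(user, user_groups=USER_GROUPS, role_members=ROLE_MEMBERS):
    """Resolve User -> Group(s) -> Application Role(s), following role-in-role grants."""
    principals = {("user", user)}
    principals |= {("group", g) for g in user_groups.get(user, ())}
    roles = set()
    changed = True
    while changed:            # repeat until no new role is picked up
        changed = False
        for role, members in role_members.items():
            if role not in roles and members & principals:
                roles.add(role)
                principals.add(("role", role))
                changed = True
    return roles


def missing_roles(new_user, working_user, **kw):
    """Roles the working user resolves to that the new user does not."""
    return effective_roles(working_user, **kw) - effective_roles(new_user, **kw)


def diagnose(user, **kw):
    """Map a user's effective roles onto the symptoms listed above."""
    roles = effective_roles(user, **kw)
    # Simplification: every role other than BIAuthor counts as an OBIA role.
    obia = {r for r in roles if r != "BIAuthor"}
    if "BIAuthor" not in roles:
        return "cannot access Answers"
    if not obia:
        return "BIAuthor only: no subject area access"
    return "ok"


if __name__ == "__main__":
    for u in USER_GROUPS:
        print(u, sorted(effective_roles(u)), diagnose(u))
    print("Ravi Patel is missing:",
          sorted(missing_roles("Ravi Patel", "Abraham Mason")))
```

Placing “Ravi Patel” in the same group as the working user empties the `missing_roles` result, which is the fix the slide describes.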

Integrating BIA with Oracle Applications

 Integration mechanics are essentially the same as 10g, with minor changes related to the nature of BIA running against WebLogic.
 Siebel/EBS/PeopleSoft Applications teams are planning to do
certification testing with 11g, but not yet available.

Integrating BIA with Oracle Applications: EBS

Integrating BIA with Oracle Applications: JD
Edwards EnterpriseOne
• Contextually within a transactional or inquiry view

Integrating BIA with Oracle Applications: Siebel
Applications
• Contextually within a transactional view

Integrating BIA with Oracle Applications:
PeopleSoft

Flexfield and Value Set Integration
 Key Flexfields (KFF)
– Pre-packaged mappings to extract Key Flexfield data
– Mappings are flexible to handle configuration performed on these flexfields
– Out-of-the-box support to a number of KFFs
 Value Set Hierarchy
– Extract hierarchical relationships of Value Sets
– Out-of-the-box support to GL Account Value Set Hierarchies
 Descriptive Flexfields (DFF)
– Support by extension of the data warehouse by adding requisite columns

Current Support - GL Account Hierarchy
 Out-of-the-box Support for all 30 segments in Accounting Key Flexfields (KFF)
– Pre-packaged mappings to extract Accounting Key Flexfield data
– Mappings are flexible to handle configuration performed on these Flexfields
 Limited Out-of-the-box support for Descriptive Flexfields where appropriate

Current Support - GL Value Set Hierarchy

 Up to 20 levels of GL Value Set Hierarchy support

Group Account Number Configuration
Why do we need it?
Oracle EBS General Ledger (GL) doesn’t contain business attributes that represent a real world entity such as Supplier, Customer, Employee, etc. This information generally resides in the sub ledgers.

For example, the Supplier dimension resides in Accounts Payable (AP) and the Customer dimension in Accounts Receivable (AR). In Oracle GL, the transactions are tracked at an account level and used more for bookkeeping purposes.

Therefore, in order to facilitate reporting on the GL transactions in a Data Warehouse environment, Financial Analytics uses the Group Account Number to categorize the accounting transactions.
Group Account Number Configuration
Why do we need it?

Purchase Order Transaction (header)
Purchase Order# | Buyer | Supplier | Location | Start Date | Amount
[Figure labels: Dimension, Fact]

GL Journal Entry
Journal# | Period | Account Combination | Creation Date | Amount
[Figure labels: Dimension, Fact]

Group Account Number Configuration
How it works
Out of the box Balance Sheet report Metadata repository (rpd file)

Group Account Number Configuration
How it works
Metadata repository (rpd file)

Group Account Number Configuration
How it works
Metadata repository (rpd file)

W_GL_BALANCE_F table

Group Account Number Configuration
How it works
W_GL_BALANCE_F table
file_group_acct_codes_ora.csv

How to use Natural Account Segment of Chart
Of Account to Map Group Account Numbers
file_group_acct_codes_ora.csv

Summary

 In this lesson, you should have learned how to:
– Describe BI Applications Security Architecture and
components
– Describe the integrations of the Oracle BI Applications
within the Oracle Applications family
– Describe the options for handling EBS Flexfields within
the OBAW and BIEE 11g frameworks
– Understand the Group Account Number Configuration

Q&A
