v Impersonation is a feature used by Oracle Business Intelligence
components to establish a session on behalf of a user without employing the
user's password. (Impression/Impersonation/Cloning/Transformation)
v A list of application roles that a user is a member of
is available from the Roles and Groups tab
in the My Account dialog in Presentation
Services. (My Account/User Security/Privileges/Group Membership)
v Oracle Business Intelligence 11g is tightly integrated with the Oracle Fusion Middleware Security architecture
and delegates core security functionality to components of that architecture
v If you log in to the Administration Tool in online
mode, then you can view all users from the WebLogic Server. If you log in to
the Administration Tool in offline mode, then you can only view users that are
stored in the repository.
v If you want to enable an employee called Fred to create
dashboards and reports, you might create a new user called Fred and assign Fred
to the default BIAuthors
group. (BIAuthor/BIDevelopers/BIConsumer/BIAuthors)
v Groups are organized hierarchically, and inherit
privileges from parent groups. In other words, the BIAdministrators group
automatically inherits privileges from the BIAuthors and BIConsumers groups.
Oracle recommends that you do not change this hierarchy.
v If you want user Fred to be a Sales dashboard author,
you might create an application role called Sales Dashboard Author that has
permissions to see Sales subject areas in the repository and edit Sales
dashboards.
v Instead of defining the security policy in terms of
users in groups in a directory server, Oracle Business Intelligence uses a role-based access control model
v A placeholder for an Application Role definition can be created in the Administration
Tool to facilitate offline repository development. But this is just a
placeholder visible in the Administration Tool and is not an actual application
role. You cannot create an actual application role in the Administration Tool.
You can create an application role only in the policy store, using the
administrative interface available for managing the policy store.
v Oracle does not recommend using WebLogic Embedded LDAP
Server in an environment with more than 1000
users.
v The BISystem Role must exist (with the BIAdministrator
role), for Oracle Business Intelligence to function correctly.
v During
installation an Oracle WebLogic Server domain is created and Oracle Business
Intelligence is installed into that domain. The domain is named bifoundation_domain (in
Simple or Enterprise installations), and is found under the WebLogic Domain folder in the Fusion Middleware
Control navigation pane.
v SUFFICIENT: This LoginModule need not succeed. If
it does succeed, return control to the application. If it fails and other
Authentication providers are configured, authentication proceeds down the
LoginModule list.
v If you want to
enable user Fred to perform BIAuthors and BIAdministrator duties, you might
create a new application role
called BIManager, which has both BIAuthors privileges and BIAdministrators
privileges
v True or false: If a user belongs to two application roles or Catalog
groups and both are granted permissions, then the least restrictive permissions
are given to the user. The exception to this is if one of the two
application roles or Catalog groups is explicitly denied the permissions, in
which case the user is denied.
v The default
application roles are BIAdministrator, BIConsumer, and BIAuthor.
v Oracle Business
Intelligence components communicate with each other using TCP/IP by default. Configuring SSL between the
Oracle Business Intelligence components enables secured network communication.
v Correct answer: Embedded LDAP Server → Oracle WebLogic Server Administration Console;
Policy Store, Credential Store → Oracle Fusion Middleware Control; RPD →
Oracle BI Administration Tool; Webcatalog → Presentation Services Administration
Oracle WebLogic Server Administration Console : LDAP Server
Oracle Fusion Middleware Control : Policy Store, Credential Store
Oracle BI Administration Tool : RPD
Presentation Services Administration : Webcatalog
v By default, an Oracle Business Intelligence
installation is configured with an authentication provider that uses the Oracle
WebLogic Server embedded LDAP server
for user and group information. The Oracle Business Intelligence default policy
store provider and credential store provider store Credentials, application
roles and application policies in files in the domain.
v If you are deploying the default Policy Store, then
Oracle recommends that you make a copy of the original system-jazn-data.xml
policy file and place it in a safe
location.
v The Oracle Business Intelligence default credential
store is file-based, also known as being wallet-based, and is represented by the file cwallet.sso.
v You use ________ in the Oracle BI Administration
Tool to manage permissions for application roles, and set access privileges for
objects such as subject areas and tables.
v You use Identity
Manager in the Oracle BI Administration Tool to manage permissions for
application roles, and set access privileges for objects such as subject areas
and tables.
v What is the default port number for the Oracle WebLogic
Server Administration Console and Fusion Middleware Control applications? The default port is 7001.
v
FMW_UPDATE_ROLE_AND_USER_REF_GUIDS
parameter in NQSConfig.INI:
v OPSS is the underlying platform on which the Oracle
Fusion Middleware security framework is built. What does OPSS stand
for? Oracle Platform Security Services
v Oracle Business Intelligence Release 11g supports the use of SA System Subject Area, in combination with the BI Server
initialization blocks, to access user, group and profile information stored in
database tables.
v True or false: In Oracle Business Intelligence Release 10g users and groups could be defined within a
repository file using the Oracle BI Administration Tool. In Oracle Business
Intelligence Release 11g users and groups can no longer be defined within
a repository.
v False. A suitable database schema containing the users,
credentials and groups required for authentication, must be accessible from the
WebLogic Server on which Oracle BI EE is running.
v True or False:
The Oracle BI Administration Tool displays application role data from the
policy store data in real time
v True or False:
If you reconfigure Oracle Business Intelligence to use Oracle Internet
Directory (OID), you can view and manage users and groups in Oracle WebLogic
Server Administration Console. If you reconfigure Oracle Business
Intelligence to use Oracle Internet Directory (OID), you can view users and
groups in Oracle WebLogic Server Administration Console but you must manage
them using the OID Console.
v The BI Server and Presentation Services client support
industry-standard security for login and password encryption. When an end user
enters a user name and password in the Web browser, the BI Server uses the
Hypertext Transport Protocol Secure (HTTPS)
standard to send the information to a secure Oracle BI Presentation Services
port. From Oracle BI Presentation Services, the information is passed through
ODBC to the BI Server, using Triple DES
(Data Encryption Standard). This provides a high level of security (168 bit),
preventing unauthorized users from accessing data or Oracle Business
Intelligence metadata.
v To use Microsoft Active Directory for authentication,
you must configure an alternative authentication provider
v After a user has been authenticated, the next critical
aspect of security is ensuring that the user can do and see what they are
authorized to do and see. Authorization
for Oracle Business Intelligence Release 11g is controlled by a security policy defined in
terms of application roles.
v When a user acts as proxy user for a target user, which
mode of access allows only read only access to the target user's objects?
The following list describes the proxy levels:
v Restricted — Permissions are read-only to the objects to which the target user has
access. Privileges are determined by the proxy user's account (not the target
user's account).
For example, suppose a proxy user has not been
assigned the Access to Answers privilege, and the target user has. When
the proxy user is acting as the target user, the target user cannot access Answers.
Full — Permissions and privileges are inherited from the target user's
account.
v If Catalog groups and
application roles are used in combination to manage Catalog permissions or
privileges, the Catalog groups take precedence. For example, if a user is a
member of a Catalog group that grants access to a Presentation Services object
or feature and is also a member of an application role that denies access to
the same object or feature, then this user has access. A Catalog group takes
precedence over an application role.
v In Oracle Business
Intelligence Release 11g the entire repository is encrypted
using a key derived from a user supplied password.
Note:
A Release 11g repository can only be opened with the
password. There is no mechanism for recovering a lost password.
v A GUID is typically a 32-character hexadecimal string that is system-generated
to form a unique identifier for an object. In Oracle Business Intelligence a
GUID is used to refer to individual users and groups.
v True or False:
Assigning an application role to be a member of a Presentation Services Catalog
group is considered a best practice.
v In the Provider Specific tab you specify the SQL statements used
to query, and authenticate against, your database tables.
v PROXY — Use this variable to store the name of the proxy user.
Use the initialization block named ProxyBlock and include code such as the following:
    select targetId
    from Proxies
    where 'VALUEOF(NQ_SESSION.RUNAS)'=targetId and ':USER'=proxyId
PROXYLEVEL — Use this optional variable to
store the proxy level, either Restricted or Full. If you do not create the
PROXYLEVEL variable, then the Restricted level is assumed.
Use the initialization block named ProxyLevel and include code such as the following:
    select proxyLevel
    from Proxies
    where 'VALUEOF(NQ_SESSION.RUNAS)'=targetId and ':USER'=proxyId
v Presentation Services privileges can be granted to
users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence
over user access rights either granted or inherited as a result of group or
application role hierarchy.
v False: You may have your own LDAP directory (for example
Oracle Internet Directory) that you may want to use as the default
authenticator, and disable the WebLogic Server default authenticator. Having a
single source authentication provider prevents user names and passwords being
derived from multiple authentication sources, which could lead to multiple
points of attack, or entry from unauthorized users.
v knows how to access information about the users and
groups accessible to Oracle Business Intelligence and is responsible for
authenticating users. → authentication provider, provides access to application
roles and application policies, which forms a core part of the security policy
and determines what users can and cannot see and do in Oracle Business
Intelligence. → policy store provider, is responsible for storing and providing
access to credentials required by Oracle Business Intelligence. → credential
store provider ---
An authentication
provider that knows how to
access information about the users and groups accessible to Oracle Business
Intelligence and is responsible for authenticating users.
A policy
store provider that
provides access to application roles and application policies, which forms a
core part of the security policy and determines what users can and cannot see
and do in Oracle Business Intelligence.
A credential
store provider that is
responsible for storing and providing access to credentials required by Oracle
Business Intelligence.
v An application stripe defines
a subset of policies in the policy store. The Oracle Business Intelligence
application stripe is named obi.
v To enable high availability of the default embedded
Oracle WebLogic Server LDAP identity store in a clustered environment, you
configure the virtualize
attribute. When you set the virtualize attribute value to true, Managed servers
are able to use a copy of the embedded default Oracle WebLogic Server LDAP
identity store.
v Single Sign On
(SSO): A method of authorization enabling a user to authenticate once and
gain access to multiple software applications during a single browser session.