Skip Headers
Oracle® Business Intelligence Discoverer Configuration Guide
10g Release 2 (10.1.2.1) for Microsoft Windows and Solaris Operating System (SPARC)
B13918-03
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

14 Maintaining security with OracleBI Discoverer

Note: This chapter only applies to Discoverer Plus and Discoverer Viewer. For more information about configuring Discoverer Plus OLAP, see Chapter 6, "Configuring the Discoverer Catalog and Discoverer Plus OLAP".

This chapter describes the different security mechanisms that Discoverer uses to protect sensitive resources, and contains the following topics:

14.1 About Discoverer and security

Discoverer uses (and must therefore protect) different sensitive resources, including:

The table below shows the sensitive resources used and protected by the different Discoverer components:

Sensitive resources Used and protected by Discoverer Plus Used and protected by Discoverer Viewer Used and protected by Discoverer Portlet Provider Used and protected by Discoverer Administrator Used and protected by Discoverer pages in Application Server Control
data Yes Yes Yes Yes No
metadata Yes Yes Yes Yes Yes
Discoverer connections Yes Yes Yes No Yes
system resources Yes Yes Yes Yes Yes
network resources Yes Yes Yes Yes Yes

Discoverer uses a number of security mechanisms to prevent unauthorized access to the above resources. These security mechanisms are provided by the following security models:

The diagram below shows the multiple security mechanisms employed by Discoverer, all of which ultimately protect data and system resources from unauthorized access:

Description of secure1.gif follows
Description of the illustration secure1.gif

The security mechanisms that Discoverer employs will depend on the category of Discoverer user (as defined by the Discoverer product they are using), as follows:

The table below shows which security models are used by which Discoverer components:

Security Model Used by Discoverer Plus Used by Discoverer Viewer Used by Discoverer Portlet Provider Used by Discoverer Administrator Used by Discoverer pages in Application Server Control
Database Yes Yes Yes Yes No
Discoverer EUL Yes Yes Yes Yes No
Applications Yes Yes Yes Yes No
OracleAS Yes Yes Yes No Yes

14.2 About Discoverer and the database security model

At the most basic level, data in the database is protected from unauthorized access by the database's own security model. In the case of an Oracle database, this security model comprises:

The database privileges granted directly to database users (or granted indirectly via database roles) determine the data that users can access. Typically, you will set up database security using a database administration tool or SQL*Plus.

Discoverer uses the database's own security model to make sure that users never see information to which they do not have database access.

For more information about the database security model and how Discoverer uses it, see Oracle Business Intelligence Discoverer Administration Guide.

Note: Discoverer is certified with the Oracle Advanced Security Option (ASO) encryption technology provided by the Oracle database (i.e. in Oracle 8.1.7 databases and later). The certification has four encryption types (RC4, DES, Triple-DES, and AES). Oracle ASO encryption incurs little performance overhead, although performance will vary depending on a number of factors (e.g. the operating system, the encryption algorithm). For more information about Oracle ASO encryption, refer to the Oracle database documentation.

14.3 About Discoverer and the Discoverer EUL security model

Discoverer managers use Discoverer Administrator to grant Discoverer access permissions and task privileges directly to database users (or indirectly via database roles), as follows:

Regardless of the access permissions and task privileges granted in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):

Even if they share workbooks with each other, Discoverer users will never see information to which they do not have database access.

Discoverer Administrator also enables Discoverer managers to protect system resources by:

Discoverer managers can extend Discoverer functionality by registering their own PL/SQL functions. However, they can only register PL/SQL functions to which they have been granted the EXECUTE database privilege.

For more information about the Discoverer EUL security model, see Oracle Business Intelligence Discoverer Administration Guide.

Notes

14.4 About Discoverer and the Oracle Applications security model

A common use of Discoverer is to provide ad-hoc query access to Oracle Applications databases. To provide such access, Discoverer managers can use Discoverer Administrator to create Applications mode EULs.

Discoverer end users can connect to an Oracle Applications database using their Oracle e-Business Suite user ID and responsibility. For more information, see Section 15.1, "About Discoverer connections and Oracle e-Business Suite".

An Oracle Applications mode EUL is a Discoverer End User Layer based on an Oracle Applications schema (containing the Oracle Applications FND (Foundation) tables and views).

Oracle Applications EULs make use of the following Oracle Applications security model features:

Notes

14.5 About Discoverer and the OracleAS Security model

Note: This section only applies if the Discoverer installation is associated with an OracleAS Infrastructure. For more information, see Section 2.1, "About installing Oracle Business Intelligence".

OracleAS Security is an integrated management and security framework that provides:

The OracleAS Security model comprises:

To make sure that Discoverer fully leverages the OracleAS Security model:

In addition, the OracleAS Security model underpins the Discoverer connection mechanism (for more information, see Section 14.5.1, "About Discoverer public connections and the OracleAS Security model").

For more information about OracleAS Security, see:

14.5.1 About Discoverer public connections and the OracleAS Security model

Discoverer managers can give users access to information by using Oracle Application Server Control to create public connections. Each connection specifies an EUL containing one or more business areas.

Discoverer managers can control users' access to information by restricting users to using public connections or by giving users permission to create their own private connections.

For more information about connections, see Chapter 4, "Managing OracleBI Discoverer connections".

14.6 Using Discoverer with OracleAS Framework Security

OracleAS Framework Security provides a number of services, including:

You can specify that Discoverer uses the HTTPS/SSL support offered by the Oracle HTTP Server as one of the communication protocols to communicate between the Discoverer server and the Discoverer client tier components. For more information, see:

For more information about OracleAS Framework Security, see Oracle Application Server Security Guide.

Notes

14.6.1 About specifying Discoverer communication protocols

You can use Discoverer in different network environments that might or might not include firewalls using different communication protocols (i.e. JRMP, HTTP, HTTPS).

The most appropriate network environment depends on both existing network strategies in your organization as well as your requirements for:

  • performance (how long it takes to display information)

  • accessibility (whether data has to be accessed through a firewall)

  • security (how secure the data needs to be during transmission)

Note that you must use HTTPS if you want to make sure that sensitive information (e.g. passwords, data) is securely transmitted across a network.

Discoverer Viewer and Discoverer Plus require different security configurations:

Notes

  • If you are deploying OracleBI Discoverer with OracleAS Web Cache, there are security implications for some restricted user environments.

    For more information, see:

  • If you have deployed Discoverer in a multiple machine installation, note that you might want to specify different communication protocols on different Discoverer middle tier machines. For example, you might use:

    • the JRMP protocol on one machine for Plus users working inside a firewall

    • the HTTPS protocol on two other machines for Viewer users accessing reports across the Web

14.6.2 About Discoverer Viewer security and communication protocols

Discoverer Viewer uses standard HTTP or HTTPS protocols to connect Discoverer Viewer clients to the Discoverer servlet.

Description of sec1.gif follows
Description of the illustration sec1.gif

Note: Discoverer Viewer client machines require only a standard Web browser to run Discoverer Viewer.

In a default OracleAS installation, Discoverer Viewer is configured as follows:

  • In a HTTP environment, no additional security configuration is required. If you are using a firewall, open the firewall for the Oracle HTTP Server port used by OracleAS (e.g. 80).

  • If you are using a firewall, open the firewall for the Oracle HTTP Server SSL port used by OracleAS (e.g. 4443). In a HTTPS environment, Discoverer Viewer uses SSL security certificates on the client machine's browser. If you are using a non-standard or private SSL signing authority, you need to install the root certificates in the browser. For more information about deploying Discoverer Viewer over HTTPS, see Section 3.5, "About running Discoverer over HTTPS").

14.6.3 About Discoverer Plus security and communication protocols

Discoverer Plus uses standard Java Remote Method Protocol (JRMP), HTTP, or HTTPS protocols to connect clients to the Discoverer servlet.

Description of sec2.gif follows
Description of the illustration sec2.gif

Discoverer Plus uses two communication channels:

  • when a Discoverer Plus client first connects to the Discoverer servlet, the Discoverer Plus applet is downloaded and installed on the Discoverer client machine

  • after the Discoverer Plus applet is installed on the Discoverer client machine, the Discoverer Plus client machine uses one of JRMP, HTTP, or HTTPS to communicate with the Discoverer servlet

In a default OracleAS installation, Discoverer Plus is configured as follows, depending on the environment:

Notes

14.6.3.1 About configuring Discoverer Plus for a non-standard SSL signing authority

If you are deploying Discoverer Plus using a non-standard or private SSL signing authority, you need to make sure that the root certificate information is in the certdb.txt file on each client machine (for more information about the location of configuration files, see Appendix A, "OracleBI Discoverer configuration files"). Certificate information is required in the certdb.txt file because Discoverer Plus ignores the browser's signing authority and uses Oracle's SSL technology.

For more information about Discoverer and SSL, see Section 3.5, "About running Discoverer over HTTPS".

14.6.3.2 About specifying a Discoverer Plus communication protocol

Using Application Server Control, you can specify which communication protocol the Discoverer Plus applet (i.e. the Discoverer client) and the Discoverer servlet (i.e. on the Discoverer middle tier) use to communicate. The three communication protocol options are:

  • Default

    Specify this option if you want the Discoverer Plus applet to attempt to use JRMP and if this fails, to use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

    The advantage of using the Default communication protocol is that Discoverer Plus works regardless of whether the client browser is running inside or outside a firewall. However, it will be slower outside the firewall on the initial connection because JRMP will be tried first.

    For more information about specifying this option, see Section 14.6.3.4, "How to set up Discoverer Plus to use the Default communication protocol".

  • Tunneling

    Specify this option if you want the Discoverer Plus client to connect using the same method to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS depending on the URL). This option works regardless of whether a firewall is being used.

    The advantage of using the Tunneling communication protocol is that it is quicker than the Default option, because JRMP is not attempted first before failing and trying again using HTTP or HTTPS.

    For more information about specifying this option, see Section 14.6.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol".

  • Secure Tunneling

    Specify this option if you want the Discoverer Plus client to always use HTTPS to communicate with the Discoverer servlet.

    The advantage of using the Secure Tunneling communication protocol is that it is quicker than the Default option, because JRMP is not attempted first before failing and trying again using HTTPS.

    For more information about specifying this option, see Section 14.6.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol".

Note: If you deploy Discoverer Plus over HTTPS, end users must use a HTTPS URL. If they use a HTTP URL, Discoverer will not start (for more information about troubleshooting HTTPS problems, see Section D.1.7, "Discoverer Plus reports RMI error").

14.6.3.3 How to display the OracleBI Discoverer Plus Communications Protocols page in Application Server Control

You use the Discoverer Plus Communication Protocols page in Application Server Control to specify a Discoverer Plus communication protocol. For example, if you want to encrypt Discoverer Plus data, you might want to configure Discoverer Plus to use the HTTPS communication protocol.

To display the OracleBI Discoverer Plus Configuration page in Application Server Control:

  1. Display the Application Server Control Discoverer Home page (for more information, see Section 5.1.3, "How to display the Application Server Control Discoverer Home page").

    Description of em_main.gif follows
    Description of the illustration em_main.gif

  2. Select the Discoverer Plus link to display the Application Server Control Discoverer Plus Home page.

    Hint: To display the Discoverer Plus link, either scroll down the page to the Components area, or select the Components link.

    Description of em_plus.gif follows
    Description of the illustration em_plus.gif

  3. Select the Communication Protocols link to display the Communication Protocols page.

    Description of oem6.gif follows
    Description of the illustration oem6.gif

14.6.3.4 How to set up Discoverer Plus to use the Default communication protocol

To set up Discoverer Plus to use the Default communication protocol:

  1. Display Application Server Control and navigate to the OracleBI Discoverer Plus Communication Protocols page (for more information, see Section 14.6.3.3, "How to display the OracleBI Discoverer Plus Communications Protocols page in Application Server Control").

  2. Select the Default radio button from the Communication Protocols options.

  3. Click OK to save the details.

  4. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, http://<host.domain>:80/discoverer/plus

    The Discoverer Plus applet will attempt to use JRMP. If JRMP is not available, the Discoverer Plus applet will use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

    Note: This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first. For more information about the other options on this page, refer to Section 14.6.3.2, "About specifying a Discoverer Plus communication protocol".

14.6.3.5 How to set up Discoverer Plus to use the Tunneling communication protocol

You use the Secure Tunneling option when you want to run Discoverer Plus over HTTP.

To set up Discoverer Plus to use the Tunneling communication protocol:

  1. Display Application Server Control and navigate to the OracleBI Discoverer Plus Communication Protocols page (for more information, see Section 14.6.3.3, "How to display the OracleBI Discoverer Plus Communications Protocols page in Application Server Control").

  2. Choose the Tunneling radio button from the Communication Protocols options.

  3. Click OK to save the details.

  4. (optional) If you are using a firewall, open the appropriate port in the firewall to accept HTTP or HTTPS traffic as appropriate.

  5. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, http://<host.domain>:80/discoverer/plus

    The Discoverer Plus applet will use the same protocol to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS). This option works regardless of whether a firewall is being used.

14.6.3.6 How to set up Discoverer Plus to use the Secure Tunneling communication protocol

You use the Secure Tunneling option when you want to run Discoverer Plus over HTTPS.

To set up Discoverer Plus to use the Secure Tunneling communication protocol:

  1. Display Application Server Control and navigate to the OracleBI Discoverer Plus Communication Protocols page (for more information, see Section 14.6.3.3, "How to display the OracleBI Discoverer Plus Communications Protocols page in Application Server Control").

  2. Choose the Secure Tunneling radio button from the Communication Protocols options.

  3. Click OK to save the details.

  4. (optional) If you are using a firewall, open the appropriate port in the firewall to accept HTTP or HTTPS traffic as appropriate.

  5. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, https://<host.domain>:4443/discoverer/plus

The Discoverer Plus applet will use the HTTPS protocol to communicate with the Discoverer servlet.

When a Discoverer end user starts Discoverer Plus for the first time on a client machine, they are prompted to confirm that they want to accept a default security certificate. Before selecting the Yes option on the Security Alert dialog, the Discoverer end user must install a Discoverer Plus security certificate on the client machine (for more information, see Section 3.5.1, "How to install a security certificate on a Discoverer Plus client machine").

14.7 Using Discoverer with Oracle Identity Management Infrastructure

Note: This section only applies if the Discoverer installation is associated with an OracleAS Infrastructure. For more information, see Section 2.1, "About installing Oracle Business Intelligence".

Oracle Identity Management Infrastructure provides a number of services, including:

You can specify that Discoverer uses OracleAS Single Sign-On to enable users to access Discoverer using the same user name and password as other Web applications. For more information, see:

For more information about Oracle Identity Management Infrastructure, see Oracle Identity Management Concepts and Deployment Planning Guide.

14.7.1 Using Discoverer with OracleAS Single Sign-On

This section describes OracleAS Single Sign-On and how to use it with Discoverer.

14.7.2 What is OracleAS Single Sign-On?

OracleAS Single Sign-On is a component of Oracle Application Server that enables users to access multiple Web applications (e.g. OracleBI Discoverer and OracleAS Portal) using a single user name and password that is entered once.

Note: OracleAS Single Sign-On is implemented using Oracle Single Sign-On Server.

14.7.2.1 About Single Sign-On and Discoverer

When you install OracleAS, the OracleAS Single Sign-On service is installed automatically, but it is not enabled by default for Discoverer. For information about how to enable OracleAS Single Sign-On, see Section 14.7.2.2, "How to enable and disable Single Sign-On for Discoverer".

Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an OracleAS Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by OracleAS Single Sign-On, the user is challenged for Single Sign-On details (user name and password). Having provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a user name or password again.

Note: For more information about how OracleBI Discoverer works with OracleAS Portal and Single Sign-On, see Section 14.7.2.3, "An example showing how Discoverer works with OracleAS Portal and Single Sign-On".

Notes

  • Oracle Application Server Single Sign-On does not work within BIS, EDW, or DBI Web pages.

14.7.2.2 How to enable and disable Single Sign-On for Discoverer

You enable and disable Single Sign-On on the OracleBI Discoverer instance.

To enable and disable Single Sign-On, do the following:

  1. Open the mod_osso.conf file in a text editor (for more information about the location of configuration files, see Section A.1, "List of Discoverer file locations").

  2. To enable Single Sign-On for Discoverer, add the following text to the end of the file:

    <Location /discoverer/plus>
    
    require valid-user
    AuthType Basic
    
    </Location>
    <Location /discoverer/viewer>
    
    require valid-user
    AuthType Basic
    
    </Location>
    <Location /discoverer/app>
    require valid-user
    AuthType Basic
    </Location>
    
  3. To disable Single Sign-On for Discoverer, remove the following text from the file:

    <Location /discoverer/plus>
    
    require valid-user
    AuthType Basic
    
    </Location>
    <Location /discoverer/viewer>
    
    require valid-user
    AuthType Basic
    
    </Location>
    
    <Location /discoverer/app>
    require valid-user
    AuthType Basic
    </Location>
    
  4. Save the mod_osso.conf file.

  5. Type the following at a command prompt:

    opmnctl stopall
    opmnctl startall
    

Notes

  • Do not enable SSO for the URL /discoverer/portletprovider. Discoverer relies on OracleAS Portal to protect the /discoverer/portletprovider URL. In other words, do not specify the Location value as /discoverer, as follows:

    <Location /discoverer/portletprovider>

    require valid-user

    AuthType Basic

    </Location>

  • Make sure that the OssoIPCheck parameter value in the mod_osso.conf file is set to off.

  • If you use OracleAS Web Cache to cache Discoverer Viewer pages, note that caching for Discoverer does not work if Single Sign-On is enabled.

14.7.2.3 An example showing how Discoverer works with OracleAS Portal and Single Sign-On

When you publish Discoverer content in a portlet on an OracleAS Portal page, you give portal users access to the Discoverer workbooks and worksheets. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Section 11, "Using OracleBI Discoverer with OracleAS Portal".

To illustrate how OracleBI Discoverer works with OracleAS Portal, consider the following example:

Imagine that there are two Single Sign-On users:

  • User SSO-A has a private connection Conn-A pointing to DBUSER-A@discodb, EUL-Marketing.

  • User SSO-B has a private connection Conn-B pointing to DBUSER-B@discodb, EUL-Marketing.

User SSO-A using connection Conn-A creates two workbooks Workbook 1 and Workbook 2 in the Marketing EUL. User SSO-A uses Discoverer Plus to share Workbook 2 with DBUSER-B.

User SSO-B using connection Conn-B creates two workbooks Workbook 3 and Workbook 4 in the Marketing EUL. User SSO-B uses Discoverer Plus to share Workbook 4 with DBUSER-A.

This situation is shown in the figure below:

Figure 14-1 Single Sign-On users creating workbooks

Description of Figure 14-1  follows
Description of "Figure 14-1 Single Sign-On users creating workbooks"

Now imagine that user SSO-A creates a List of Worksheets portlet using Conn-A, and chooses the 'Use user's database connection' option in the Logged In users section (i.e. in the Select Database Connections page in the Discoverer Portlet Provider).

When user SSO-A accesses the List of Worksheets portlet, worksheets in the following workbooks are available:

  • Workbook 1

  • Workbook 2

  • DBUSER-B.Workbook 4

When user SSO-B accesses the same List of Worksheets portlet, worksheets in the following workbooks are available:

  • Workbook 3

  • Workbook 4

  • DBUSER-A.Workbook 2

This situation is shown in the figure below:

Figure 14-2 Single Sign-On users accessing Discoverer portlets

Description of Figure 14-2  follows
Description of "Figure 14-2 Single Sign-On users accessing Discoverer portlets"

14.7.3 Using Discoverer without Single Sign-On

If you are not deploying Discoverer with Single Sign-On, end users must confirm the database password each time a private connection is used. In other words, when a Discoverer end user chooses a private connection for the first time in a browser session, they are prompted to confirm the database password.

If the end user closes the Web browser and then starts the Web browser again (i.e. creates a new browser session), they are prompted to confirm their database password. End users do not have to confirm passwords for public connections (for more information, see Section 4.2.2, "About public connections").

Notes

  • To store private Discoverer connections in non-SSO environments, cookies must be enabled in the Web browser.

  • In non-SSO environments, a Discoverer end user can only access private connections created using the current machine and current Web browser. If an end user wants to use a different machine or different Web browser, they must re-create the private connections.

14.8 Discoverer support for Single Sign-On details propagation

This section explains how you can use Discoverer in conjunction with a Virtual Private Database (VPD) using Single Sign-On (SSO) details, and contains the following topics:

Notes

14.8.1 Introducing Virtual Private Databases, Single Sign-On, and Discoverer

The Oracle9i Release 1 (and later) Enterprise Edition database's powerful Virtual Private Database (VPD) feature enables you to define and implement custom security policies. Among other things, the VPD feature enables you to enforce fine-grained access control based upon attributes of a user's session information (referred to as application context). This VPD functionality is commonly employed as a way of controlling access to data using the currently logged-on user's Single Sign-On (SSO) identity. For more information about setting up a VPD, see Oracle9i Application Developer's Guide - Fundamentals.

If Discoverer has been configured to require SSO authentication, Discoverer can pass a Discoverer end-user's SSO user name to the database (as the CLIENT_IDENTIFIER attribute of the built-in application context USERENV). Providing a VPD policy based on SSO user names has been implemented in the database, the data returned to a Discoverer worksheet will be restricted to the data that the SSO user is authorized to access.

You can optionally add user-defined PL/SQL statements to both database LOGON (and subsequent) triggers and to a Discoverer trigger (eul_trigger$post_login) to use the SSO user name to further control the data that is returned. You can use the database and Discoverer triggers separately or in conjunction with each other.

14.8.2 Example showing how SSO user names can limit Discoverer data

The Discoverer manager at Acme Corp. does the following:

  1. Configures the Discoverer middle tier machines so that SSO authentication is necessary to access the Discoverer URLs.

  2. Creates a Discoverer public connection called 'Analysis', that has access to a workbook called 'Sales'.

  3. Creates a VPD policy against the base tables of the workbooks. The VPD policy determines the data that is returned, based on the value of a variable called 'CONTEXT1'.

  4. Creates a database LOGON trigger that sets variable CONTEXT1 to the value of the SSO user name (extracted from the application context information passed to the database by Discoverer).

The Sales workbook is used by two Discoverer users at ACME Corp., Fred Bloggs and Jane Smith. A typical workflow for these two users is shown below:

  1. User 'Fred.Bloggs' authenticates via SSO and accesses the top level Discoverer URL.

  2. Fred selects the public connection 'Analysis', and opens the workbook 'Sales'.

  3. Fred views the data in the default worksheet, and then logs out.

  4. User 'Jane.Smith' authenticates via SSO and accesses the top level Discoverer URL.

  5. Jane selects the public connection 'Analysis', and then opens workbook 'Sales'.

  6. Jane views the data in the default worksheet.

Jane sees different data to Fred, despite the identical database connection, workbook, worksheet and database query. The difference is determined by the VPD policy being based on SSO user identities.

14.8.3 What tasks are required to use SSO user names to limit Discoverer data

Before the data shown in a Discoverer worksheet can be controlled using SSO user names, a Discoverer manager performs the following tasks:

14.8.4 How to set up Discoverer Worksheet Portlets to show different data based on SSO user name

Having created a VPD policy in the database that uses SSO user names to determine the data that users can access, you can set up a Discoverer Worksheet portlet to only show the data that can be accessed by the current SSO user name.

To specify that users only see the data they can access with their SSO user name:

  1. In the Users Logged In region of the Select Database Connections setup page for the Discoverer Worksheet Portlet.

  2. Select the Display different data using the Publisher's connection radio button.

    Description of portal_14.gif follows
    Description of the illustration portal_14.gif

    When you select the above option, Discoverer passes the worksheet portlet user's SSO user name to the database. The VPD policy can then use the SSO user name to restrict the data that is returned to the worksheet portlet.

14.8.5 When to use other options in the Users Logged In region of the Select Database Connections page

If you want all users to always see the same data from the database regardless of their own database user names or SSO user names, do the following in the Select Database Connections setup page for the Discoverer Worksheet Portlet:

  1. Select the Display same data to all users using <Publisher's Connection> radio button.

If you want users to initially see the same data from the database (regardless of their own database user names or SSO user names) but to give them the option of specifying an alternative database user name:

  1. Select the Display different data by allowing users to customize database connection radio button.

  2. Select the Show default data using <Publisher's Connection> check box.

14.8.6 How to modify database LOGON (and subsequent) triggers to use the SSO user name

You can modify database LOGON (and subsequent) triggers to use the SSO user name passed by Discoverer to further control the data that is available to the SSO user. For example, you might want to call custom PL/SQL functions that take the SSO user name to perform application specific initialization.

To modify database triggers to use the SSO user name:

  1. Create a suitable database trigger.

  2. Add the required code to manipulate the SSO user name.

    Hint: To return the SSO user name passed by Discoverer, query the CLIENT_IDENTIFIER attribute of the USERENV application context namespace using the following function call:

    SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')

Notes

  • The SSO user name passed by Discoverer is available as early as the execution of the database LOGON trigger.

  • If Discoverer has not been configured to use SSO, the SYS_CONTEXT function call above will return NULL.

  • The SSO user name is only available with Oracle9i Release 1 (and later) databases.

14.8.7 How to use the eul_trigger$post_login trigger

You can use the eul_trigger$post_login trigger instead of, or in conjunction with, the database LOGON (and subsequent) triggers to further control the information that is displayed in a Discoverer worksheet based on the SSO user name. Use the eul_trigger$post_login trigger (rather than the database triggers) if:

  • you want trigger code to affect just Discoverer users, not all database users

  • you do not have DBA privilege (and therefore cannot modify the database LOGON (or subsequent) trigger code)

To use the eul_trigger$post_login trigger:

  1. Define a PL/SQL function in the database that:

    • has a return type of integer

    • does not take any arguments

  2. Add the required code to manipulate the SSO user name.

    Hint: To return the SSO user name passed by Discoverer, query the CLIENT_IDENTIFIER attribute of the USERENV application context namespace using the following function call:

    SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')

  3. Register the function with Discoverer Administrator and give it the following properties:

    • Name: eul_trigger$post_login

    • Return type: Integer

    • Arguments: none

      For more information about registering PL/SQL functions and using Discoverer EUL triggers, see the Oracle Business Intelligence Discoverer Administration Guide.

  4. If the Database/EnableTriggers preference exists in the pref.txt file, set it to a value other than zero.

Notes

  • If the Database/EnableTriggers preference does not exist in the pref.txt file, do not create it.

  • If the Database/EnableTriggers preference does exist and you have to change its value (i.e. to make it non-zero), you must subsequently:

    1. Run the applypreferences script to apply the preference change.

    2. Stop and restart the OracleBI Discoverer service for the change to take effect.

14.9 Frequently asked questions about security

This section contains common security questions and answers.

14.9.1 What is a firewall?

A firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

In other words, a firewall is an electronic 'fence' around a network to protect it from unauthorized access.

Figure 14-3 A typical Internet connection with a Client-side and Server-side firewall

Description of Figure 14-3  follows
Description of "Figure 14-3 A typical Internet connection with a Client-side and Server-side firewall"

Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its Oracle HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.

14.9.2 What is a demilitarized zone (DMZ)?

A demilitarized zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public Web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

Figure 14-4 A Demilitarized Zone (DMZ)

Description of Figure 14-4  follows
Description of "Figure 14-4 A Demilitarized Zone (DMZ)"

Firewall policies vary across organization and there are a wide variety of bespoke and off-the-shelf firewall packages in use.

A good firewall configuration assumes that resources in the DMZ will be breached, and if this happens should minimize damage to the internal network and any sensitive data residing on the network. This involves two steps:

  • move sensitive private resources (at a minimum, databases and application logic) from the DMZ to the internal network behind the internal firewall

  • restrict access to sensitive private resources from the DMZ itself, as well as from internal networks

14.9.3 What is HTTPS and why should I use it?

The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers.

The SSL protocol enables sensitive data to be transmitted over an insecure network, such as the Internet, by providing the following security features:

  • authentication - a client can determine a server's identity and be certain that the server is not an impostor (and optionally, a client can also authenticate the identity of its server)

  • privacy - data passed between the client and server is encrypted so that if a third party intercepts their messages, the third party will not be able to unscramble the data

  • integrity - the recipient of encrypted data will know if a third party has corrupted or modified that data

You can tell when SSL is enabled in Discoverer as follows:

  • the URL to start Discoverer Plus begins with https://, and a closed padlock appears at the left hand side of the applet's status bar

    Note: To deploy Discoverer Plus over HTTPS, you must select the Secure Tunneling security protocol in Oracle Application Server Control (Section 14.6.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").

  • the URL to start Discoverer Viewer starts with https://, and a closed padlock or other equivalent symbol (browser dependent) appears in the browser's status bar

14.9.4 How do I configure Discoverer to work in an intranet

You configure Discoverer to work in an intranet as follows:

  • Discoverer Viewer

    Deploying Discoverer Viewer in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Viewer uses a HTTP connection.

  • Discoverer Plus

    Deploying Discoverer Plus in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Plus uses a direct connection using JRMP.

Figure 14-5 A typical network configuration for Discoverer in an intranet

Description of Figure 14-5  follows
Description of "Figure 14-5 A typical network configuration for Discoverer in an intranet"

14.9.5 How do I configure Discoverer to work through a firewall?

You configure Discoverer to work through firewalls with HTTP or HTTPS, as follows:

  • Discoverer Viewer

    Discoverer Viewer requires no additional configuration as long as the firewall allows HTTP traffic to pass through.

  • Discoverer Plus

    Discoverer Plus requires no additional configuration as long as the firewall allows HTTP or HTTPS traffic to pass through.

    To improve performance on initial connection, you might want to change the Discoverer Plus communication protocol to one of the following:

Figure 14-6 A typical firewall configuration for Discoverer using HTTP

Description of Figure 14-6  follows
Description of "Figure 14-6 A typical firewall configuration for Discoverer using HTTP"

14.9.6 Can I configure Discoverer to work through multiple firewalls?

Yes, if you are using HTTP or HTTPS, Discoverer will work through multiple firewalls (for more information, see Section 14.9.5, "How do I configure Discoverer to work through a firewall?").

14.9.7 How do I configure Discoverer to use encryption in an intranet?

You configure Discoverer to use encryption as follows:

  • Discoverer Viewer

    Configure mod_ossl to use HTTPS (for more information, see Oracle HTTP Server Administrator's Guide) and deploy Discoverer Viewer on a HTTPS URL.

  • Discoverer Plus

    Configure mod_ossl to use HTTPS (for more information, see Oracle HTTP Server Administrator's Guide) and deploy Discoverer Plus on a HTTPS URL. You must change the Discoverer Plus communication protocol to Secure Tunneling (for more information, see Section 14.6.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").

14.9.8 How do I configure Discoverer to use encryption through firewalls?

You configure Discoverer to use encryption through firewalls as follows:

Figure 14-7 A typical firewall configuration for Discoverer using HTTPS

Description of Figure 14-7  follows
Description of "Figure 14-7 A typical firewall configuration for Discoverer using HTTPS"

14.9.9 How can I verify that Discoverer is encrypting communications?

In Discoverer Viewer, make sure that client browsers display a closed padlock or other equivalent symbol (browser dependent) in the Discoverer Viewer browser's status bar.

In Discoverer Plus, make sure that the client displays a closed padlock symbol in the bottom left-hand corner of the Discoverer Plus applet window.

14.9.10 Can I configure Discoverer for both intranet users and users accessing Discoverer through a firewall?

Yes, you can configure Discoverer for both intranet users and Internet users. For example, if you use the Default Discoverer Plus communication protocol:

  • sessions connecting from inside the firewall use a direct JRMP connection because JRMP is a direct connection that only works inside a firewall

  • sessions connecting from outside the firewall automatically use a HTTP or HTTPS connection (depending on the URL)

14.9.11 Can I use Discoverer with a NAT device?

Yes, you can deploy Discoverer using any standard Network Address Translation (NAT) device.