
Security conundrum in OBI 12c

So we know that 12c made some small changes in the security area, the best known being the renaming of “BI Administrator” to “BI Service Administrator”.

This can cause some issues when you import 11g BAR files that contain old “BI Administrator” roles but set “security model=false” during the import. Well, this isn’t what this post is about, but it’s still something you may want to remember 😉

What this post IS about is a little weirdness in Application Policies and the permissions you can grant to a policy and its principals.

Let’s look at the permissions granted to “BI Service Administrator”. There are two sets of rights which look suspiciously similar:

Can you spell “redundant”?

OK, let’s turn this upside down and create a new application grant for a “close to Admin”-type set of rights:

Searching by “Permission Class” oracle.security.jps.ResourcePermission yields 14 results.

Funnily enough, we don’t find all four of the permissions in the screenshot above. Two catalog permissions are present: “oracle.bi.presentation.catalogmanager.manage” and “*” for the oracle.bi.catalog permission type. “*” for oracle.bi-repository isn’t there, though. Hmmm. Let’s search by “Resource Type” and try to find the four in question one by one.

Why hello there. Not only do we find all four but also a nice little remark on the two known ones: Legacy Permission from BI 11g

So it seems that those two are about to get dropped and be replaced by the new “*” resources. But why is only one of the two new permissions visible when searching by “Resource Class” when it seems to actually HAVE the correct resource class assigned to it?

Smells like something needing a little fix. Most important, though: going through permissions by resource type and checking the ones labeled as “Legacy 11g” is a good idea, so that you don’t rely on things that are on their way out of the product…
