So we know that 12c made some small changes in the security area, the best known being the renaming of “BI Administrator” to “BI Service Administrator”.
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c08e69de7.png)
This can cause some issues when you import 11g BAR files that contain the old “BI Administrator” role but set “security model=false” during import. Well, this isn’t what this post is about, but it’s still something you may want to remember 😉
What this post IS about is the little weirdness which is happening in Application Policies and the Permissions you can grant to a policy and its principals.
Let’s look at the permissions granted to “BI Service Administrator”. There are two sets of rights which look suspiciously similar:
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c086c48eb.png)
Can you spell “redundant”?
OK, let’s turn this upside down and create a new application grant for a “close to Admin”-type set of rights:
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c07dd5457.png)
Searching by “Permission Class” oracle.security.jps.ResourcePermission yields 14 results.
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c06213603.png)
Funnily enough, we don’t find all four of the permissions in the screenshot above. Two catalog permissions are present – “oracle.bi.presentation.catalogmanager.manage” and “*” for the oracle.bi.catalog permission type. “*” for oracle.bi-repository isn’t there though. Hmmm. Let’s search by “Resource Type” and try to find the four in question one by one.
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c21e336be.png)
Why hello there. Not only do we find all four, but also a nice little remark on the two known ones: “Legacy Permission from BI 11g”.
So it seems that those two are about to get dropped and be replaced by the new “*” resources. But why is only one of the two new permissions visible when searching by “Resource Class” when it seems to actually HAVE the correct resource class assigned to it?
![](http://dimensionality.ch/wp-content/uploads/2016/08/img_57a0c2f290eb5.png)
Smells like something needing a little fix. Most important though: going through permissions by resource type and checking the ones labeled as “Legacy 11g” is a good idea, so that your grants don’t rely on things that are on their way out of the product…