In my Configuring Highly Available BI Publisher in EM 220.127.116.11 post, I covered how you configured BI Publisher in a highly available environment. When BI Publisher is configured, by default only the super-administrator accounts you have defined in your EM12c environment have access to the tool. That means that none of your normal administrator level accounts have access, so if you login as an administrator (rather than as a super-administrator), and try to access the BI Publisher reports, you will see a screen that includes this:
Giving your administrator level accounts the right privileges to access the reports is pretty straightforward. but before you can do that you need to understand the different BI Publisher roles that can be granted and what they mean. BI Publisher conforms to the same security models that Enterprise Manager itself supports. Those models are:
- Repository-based Authentication
- Enterprise User Security Based (EUS) Authentication
- Oracle Access Manager (OAM) SSO
- Oracle Single-sign-on (OSSO) Based Authentication
- LDAP Authentication Options: Oracle Internet Directory and Microsoft Active Directory
The environment that I support only uses the first of these, so that’s all I’ll be covering in this blog. Repository-based authentication, of course, uses the repository database for authentication so you need to login using an Oracle database username and password.
BI Publisher Roles
The actions you can perform in BI Publisher are determined by the role(s) you are granted. There are 4 different levels available:
- No access – administrators without any BI Publisher role can only access BI Publisher reports that the BI Publisher System Administrator has configured and made accessible . For example, any user can receive BI Publisher reports via the BI Publisher scheduling and e-Mail delivery mechanism, if configured.
- EMBIPViewer – administrators with this role can receive e-mails and view the EM supplied BI Publisher reports.
- EMBIPScheduler – administrators with this role can receive e-mails and can schedule the EM supplied BI Publisher reports if they also have the EMBIPViewer role.
- EMBIPAuthor – administrators with this role can receive e-mails, view the EM supplied BI Publisher reports, and can create new reports in their private folder. They can also copy the EM supplied BI Publisher reports into their private folder and customize them.
- EMBIPAdministrator (Super Users) – administrators with this BI Publisher role have complete access to BI Publisher.
Granting Access to BI Publisher Roles
Granting access to these roles is done via an EMCLI command, as shown in the diagram below. In this example, I’m granting access to the administrators imaginatively named DEMO1 and DEMO2:
Notice I can grant access to multiple administrators in one command, simply by separating the administrator names by a colon as shown in the “-users” part of the command. As privileges are checked when you log in, if the administrator you’ve just granted access to is already logged in to Enterprise Manager, they will need to log out and log back in again to see the reports you’ve just granted them access to.
Revoking access is just as easy – just change the “grant_publisher_roles” verb in the EMCLI command to “revoke_publisher_roles” and you’re done.
So there you have it – you’ve now learnt how to configure highly available BI Publisher in EM 18.104.22.168 and how to grant access to your normal administrators.