Oracle Product Lifecycle Analytics
Security Guide
v3.4
Part Number E60731-01
January 2015
Copyright and Trademarks
Copyright © 1995, 2015, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy,
reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or
display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation
of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
If this software or related documentation is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated
software, any programs installed on the hardware, and/or documentation, delivered to U.S.
Government end users are "commercial computer software" pursuant to the applicable Federal
Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication,
disclosure, modification, and adaptation of the programs, including any operating system, integrated
software, any programs installed on the hardware, and/or documentation, shall be subject to license
terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
Government.
This software is developed for general use in a variety of information management applications. It is
not developed or intended for use in any inherently dangerous applications, including applications
which may create a risk of personal injury. If you use this software in dangerous applications, then
you shall be responsible to take all appropriate fail-safe, backup, redundancy and other measures
to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for
any damages caused by use of this software in dangerous applications.
Oracle and Java are registered trademarks of Oracle Corporation and/or its affiliates. Other names
may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC
trademarks are used under license and are trademarks or registered trademarks of SPARC
International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or
registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open
Group.
This software or hardware and documentation may provide access to or information on content,
products and services from third parties. Oracle Corporation and its affiliates are not responsible for
and expressly disclaim all warranties of any kind with respect to third party content, products and
services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages
incurred due to your access to or use of third party content, products or services. The RMW product
includes software developed by the Visigoth Software Society.
Preface
The Agile PLM documentation set includes Adobe® Acrobat PDF files. The Oracle Technology
Network (OTN) Web site http://www.oracle.com/technetwork/documentation/agile-085940.html
contains the latest versions of the Agile PLM PDF files. You can view or download these manuals
from the Web site, or you can ask your Agile administrator if there is an Agile PLM Documentation
folder available on your network from which you can access the Agile PLM documentation (PDF)
files.
Note
To read the PDF files, you must use the free Adobe Acrobat Reader version 7.0 or later.
This program can be downloaded from the Adobe Web site http://www.adobe.com.
The Oracle Technology Network (OTN) Web site
http://www.oracle.com/technetwork/documentation/agile-085940.html can be accessed through
Help > Manuals in both Agile Web Client and Agile Java Client. If you need additional assistance or
information, please contact My Oracle Support (https://support.oracle.com) for assistance.
Note
Before calling Oracle Support about a problem with an Agile PLM manual, please have
the full part number, which is located on the title page.
TTY Access to Oracle Support Services
Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the
United States of America 24 hours a day, 7 days a week. For TTY support, call 800.446.2398.
Outside the United States, call +1.407.458.2479.
Readme
Any last-minute information about Agile PLM can be found in the Readme file on the Oracle
Technology Network (OTN) Web site http://www.oracle.com/technetwork/documentation/agile-085940.html
Agile Training Aids
Go to the Oracle University Web page
http://www.oracle.com/education/chooser/selectcountry_new.html for more information on Agile
Training offerings.
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The
conventions for writing code require that closing braces should appear on an otherwise empty line;
however, some screen readers may not always read a line of text that consists solely of a bracket or
brace.
This documentation may contain links to Web sites of other companies or organizations that Oracle
does not own or control. Oracle neither evaluates nor makes any representations regarding the
accessibility of these Web sites.
CONTENTS
Copyright and Trademarks 2
Chapter 1 Overview 1
Chapter 2 OPLA Architecture Overview 3
    Database Layer 3
    Application Layer 3
Chapter 3 General Security Principles 9
    Keep Software Up-To-Date 9
    Restrict Network Access to Critical Services 9
    Follow the Principle of Least Privilege 10
    Monitor System Activity 10
    Keep Up-To-Date on Latest Security Information 10
Chapter 4 Secure Installation and Configuration 11
    Installation Overview 11
    Installation – Prerequisites 12
Chapter 5 Security Features 15
    Password Policy 16
    Security Model 17
        Data-Level Security 18
        Object Level Security 18
        User-Level Security (User Authentication) 18
    Configuring and Using Authentication in OPLA 18
        Authentication at ETL Layer 18
            Authentication at the ETL Layer using OPLA Encryption Methods 18
            Authentication at the ETL Layer using the ODI Agent 19
        Authentication at the Oracle Business Intelligence Enterprise Edition Layer 20
            LDAP Authentication 21
            External Table Authentication 21
            Database Authentication 21
            Maintaining Oracle BI Server User Authentication 21
    Configuring and Using Access Control 22
        Access Control at the Folder and File Level 22
        Access Control at the Data-Level 24
        Access Control at the Object-Level 26
        Access Control at the User-Level 27
    Configuring and Using Security Audit 27
        Configuring and Using Oracle PLA Configurator 28
Chapter 6 Security Considerations for Developers 29
    Single Database Schema Privileges 33
    OPLA Multiple Schema Privileges 34
Chapter 1
Overview
Oracle Product Lifecycle Analytics (OPLA) is a comprehensive, prebuilt Business Intelligence
solution that delivers pervasive intelligence and provides key insights into your Product Lifecycle
Management (PLM) data. OPLA provides an integrated view enabling greater alignment of
information across product organizations. OPLA is built on the Oracle Data Integrator (ODI) ETL
and Oracle Business Intelligence Enterprise Edition (OBIEE) platforms.
OPLA addresses business use cases specific to these Agile PLM solutions:
- Product Quality Management (PQM)
- Product Collaboration (PC)
- Product Portfolio Management (PPM)
- Agile PLM for Process: New Product Development (NPD)
- Global Specification Management (GSM)
OPLA allows you to use different source systems. Data is transferred from the source systems to
the OPLA target analytical data store. In OPLA, the transactional data sources are either Agile PLM
9.x or Agile PLM for Process.
Chapter 2
OPLA Architecture Overview
This chapter includes the following:
    Database Layer 3
    Application Layer 3
You can deploy the various OPLA database and application components on different hardware and
machine configurations, depending on the performance criteria set. Those criteria are based on the
source (Agile PLM or Agile PLM for Process) database size, the volume of data changes in the
source database, IT network and infrastructure constraints, and business requirements.
OPLA components are installed under two main layers:
- Database Layer
- Application Layer
Database Layer
The Database layer is distributed across different servers and consists of the following components:
- Source Database
    - Agile PLM Database on Oracle
    - Agile PLM for Process Database on Oracle or SQL Server
- Target Data Mart Database (Oracle Enterprise Database Server only)
    - Staging Schema
    - MDS Schema
- ODI ETL Repositories (Oracle Enterprise Database Server only)
    - ODI Master Repository
    - ODI Work Repository
Application Layer
The Application layer is distributed across one or more servers and consists of the following
components:
- Oracle Data Integrator Components
    - ODI Agent
    - ODI Studio
    - OPLA Configurator (for Agile PLM only)
    - JDK or JRE
- Oracle Business Intelligence Enterprise Edition components
    - Oracle BI Server
    - Oracle BI Presentation Server
    - Web Server: IIS, WebLogic, WebSphere, or Apache Tomcat
    - Browser Clients: Internet Explorer or Firefox
- OPLA components installed on OBIEE
    - OPLA RPD on Oracle BI Server
    - OPLA Web Catalog on Oracle BI Presentation Server
The figures below show the basic product architecture for OPLA with Agile PLM and for OPLA with
Agile PLM for Process, respectively.
Table 2.1 lists the major components in the Database Layer and their descriptions.
Database Layer Component / Description
Staging Schema
    A schema with staging tables that temporarily extracts data from the Agile PLM OLTP database,
    and transforms and loads data to the target MDS Schema. The temporary entities are not
    published, and change from one release to another.
ODI Master Repository
    A schema that maintains all ODI topology and connectivity information.
ODI Work Repository
    A schema that maintains information related to the definition and execution of ETL processes.
MDS Schema
    A star schema that contains fact and dimension tables enabling you to create analytical reports
    using any reporting application.
Table 2.2 lists the major components of the Application Layer and their descriptions.
Application Layer Component / Description
ODI Agent
    A Java service allowing execution of scheduled ETL scenarios, or on-demand ETL jobs, to
    extract data from one or more physical sources, transform it, and eventually load the data to a
    target schema.
ODI Console
    A web-based interface used mainly by business users (administrators and operators) to manage
    scenarios, monitor sessions, and manage the content of the error tables generated by Oracle
    Data Integrator. The ODI Console interface seamlessly integrates with Oracle Fusion Middleware
    Control Console.
ODI Studio
    A design-time component consisting of the Designer, Operator, Topology, and Security
    Navigators. This is a developer tool, used mainly by developers and administrators to develop
    and manage ODI. ODI Studio is NOT required at run time.
OPLA Configurator [in Agile PLM]
    A Java client that enables you to associate configurable PLM data with the MDS; this
    association depends on the individual user's PLM configuration. This application is installed with
    the OPLA installation.
OPLA Model (PLMA RPD)
    A metadata repository containing MDS table metadata, business rules (such as measures,
    formulae, and hierarchical dimensions), and user-specific roles and privileges required to create
    analytics reports. This application is installed and configured with the Oracle BI Server.
OPLA Web Catalog
    Presents organized information in report form on OPLA Interactive Dashboards. This application
    is installed and configured with the Oracle BI Presentation Server.
Chapter 3
General Security Principles
This chapter includes the following:
    Keep Software Up-To-Date 9
    Restrict Network Access to Critical Services 9
    Follow the Principle of Least Privilege 10
    Monitor System Activity 10
    Keep Up-To-Date on Latest Security Information 10
The following principles are fundamental to using any application securely.
Keep Software Up-To-Date
One principle of good security practice is to keep all software versions and patches up to date. To
ensure that you have the most current OPLA software and patches, regularly check the Oracle
Critical Patch Updates page.
Restrict Network Access to Critical Services
Keep both the OPLA application and the database behind a firewall. In addition, place a firewall
between the middle-tier and the database. The firewall provides assurance that access to these
systems is restricted to a known network route, which can be monitored and restricted, if necessary.
As an alternative, a firewall router substitutes for multiple, independent firewalls.
If you cannot use firewalls, then configure the TNS Listener Valid Node Checking feature (it restricts
access based upon IP address). Restricting database access by IP address often causes
application client/server programs to fail for DHCP clients.
To solve this problem, use any of the following:
- static IP addresses
- software VPN
- hardware VPN
- software VPN and hardware VPN
- Windows Terminal Services or its equivalent.
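As an added example that is not taken from this guide, the following sqlnet.ora fragment on the data mart database host turns on TNS Listener Valid Node Checking and admits only the OPLA middle-tier hosts (the ODI Agent and the Oracle BI Server). The addresses and host names are constructed placeholders; the parameter names are the standard Oracle Net ones.

```ini
# sqlnet.ora on the OPLA data mart database server (added example, not from the guide).
# Addresses and host names below are constructed placeholders for the middle-tier hosts
# that legitimately connect to the data mart: the ODI Agent host and the Oracle BI Server.

# Enable Valid Node Checking so the listener filters incoming connections by source node.
TCP.VALIDNODE_CHECKING = YES

# Allow-list. Only these nodes may open a TNS connection to the database; every other
# source is refused at the listener. Use static addresses or resolvable host names:
# a DHCP client whose address changes will drop off this list and be refused, which is
# the client/server failure mode the guide describes.
TCP.INVITED_NODES = (10.10.20.11, 10.10.20.12, odi-agent.corp.example, obiee-server.corp.example)
```

Restart the listener after editing the file so it re-reads sqlnet.ora, then confirm from a host that is not on the list that a connection attempt is rejected, and from the ODI Agent host that ETL connections still succeed.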
Follow the Principle of Least Privilege
The principle of least privilege states that users should be given the least amount of privilege to
perform their jobs.
Over-ambitious granting of responsibilities, roles, grants, and so on, especially early in an
organization’s life cycle when people are few and work needs to be done quickly, often leaves a
system wide open for abuse.
User privileges should be reviewed periodically to determine relevance to current job
responsibilities.
Monitor System Activity
System security stands on three legs:
- good security protocols
- proper system configuration
- system monitoring
Auditing and reviewing audit records address this third requirement. Each component within a
system has some degree of monitoring capability. Follow audit advice in this document and
regularly monitor audit records.
Keep Up-To-Date on Latest Security Information
Note
Oracle continually improves its software and documentation. Check this note yearly for
revisions.
The OPLA application's foundation is Oracle Business Intelligence Enterprise Edition (OBIEE).
OBIEE is a comprehensive suite of enterprise business intelligence products containing the
programs, servers, and tools to support broad self-service access across the organization.
OPLA uses ODI (a comprehensive data integration platform) to build its out-of-the-box Multi-Dimensional Schema (MDS).
Note
For more information, go to the Oracle Technology Network website
(http://www.oracle.com/technetwork/middleware/dataintegrator/downloads/index.html).
Chapter 4
Secure Installation and Configuration
This chapter includes the following:
    Installation Overview 11
    Installation – Prerequisites 12
This chapter describes recommended deployment topologies and also provides recommendations
for installing and configuring a secure setup for your Oracle Product Lifecycle Analytics (OPLA)
application.
Installation Overview
Various database and application components for Oracle Product Lifecycle Analytics (OPLA) can
be deployed in different hardware and machine configurations.
The complexity of your deployment configuration depends on the performance criteria set, which in
turn is based on the following:
- Business requirements
- Source, that is, the Agile PLM database size or the Agile PLM for Process database size
- Volume of data changes in the source database
- IT network constraints
- Infrastructure constraints
To successfully install or upgrade to OPLA, you must be familiar with, or have working knowledge of,
the following:
- ODI
- OBIEE
- Agile PLM
- Agile PLM for Process
- the Oracle Database Server
For more information on the privileges needed for different deployment methods, see the Appendix
on Oracle PLA Database Schema Privileges on page 33.
Installation – Prerequisites
The Oracle Product Lifecycle Analytics (OPLA) application comes bundled with a number of third-party
software packages. OPLA is tested and certified with the latest security patches for the following
third-party software:
- Bouncy Castle http://www.bouncycastle.org
- Apache Xerces Project http://xerces.apache.org
- InstallAnywhere http://www.flexerasoftware.com/products/installanywhere.htm
- Apache Ant http://ant.apache.org
- LOG4PLSQL http://log4plsql.sourceforge.net
Before installing OPLA you must install and configure the following Oracle products:
- Oracle Enterprise Database
- Oracle Data Integrator
- Oracle Business Intelligence Enterprise Edition
Important
You should also consult the following Security Guides:
- Oracle Business Intelligence Suite Enterprise Edition Documentation Library
- Oracle Database Security Guides
Chapter 5
Security Features
This chapter includes the following:
    Password Policy 16
    Security Model 17
    Configuring and Using Authentication in OPLA 18
    Configuring and Using Access Control 22
    Configuring and Using Security Audit 27
Oracle Product Lifecycle Analytics (OPLA) includes security features to provide data protection.
These features include:
- Authentication - allows only permitted individuals to get access to the system and data.
- Access Control (Authorization) - provides authorized individuals access control to system
  privileges and data.
- Audit - allows Administrators to detect attempted breaches of authorization and attempted (or
  successful) breaches of access control.
Table 6.1 provides a high-level overview of the various OPLA security features. For each
technology stack layer it lists the Authentication, Access Control (Authorization), and Audit features.
Web Browser (Desktop tier)
    Authentication: Default security feature.
    Access Control (Authorization): Default security feature. No out-of-box access control provided.
    Audit: Default security feature.
Application Layer: OBIEE
    Authentication: Default OBIEE authentication.
    Access Control (Authorization): Object-level security; refer to Security Model: Object Level
    Security. Data-level security is provided; refer to Security Model: Data-Level Security.
    Audit: Default OBIEE audit feature; refer to the section Configuring and Using Security Audit.
Application Layer: ODI
    Authentication: Default ODI authentication.
    Access Control (Authorization): Default ODI access control.
    Audit: Default ODI audit feature.
Application Layer: Configurator
    Authentication: Default DB authentication based on ... of Configurator.
    Access Control (Authorization): Default access control provided at DB level. Access to the
    source is based on a DB Link, and access to Staging objects is based on Synonyms.
    Audit: Audit details are captured, and detailed logging is enabled, at the ETL level for ODI and
    PL/SQL code.
Data Layer
    Authentication: Default Oracle DB authentication. Default file-based authentication for external
    CSV files.
    Access Control (Authorization): Specific privileges are provided to the Staging and Target users;
    refer to Appendix B for details. Access to external CSV files is controlled by the access privileges
    on the folder in which OPLA is deployed.
    Audit: Default Oracle DB audit feature. Default OS audit feature at file level for external CSV files.
Password Policy
A password policy is a set of rules dictating how to use passwords. Some of the rules a password
policy sets are:
- The maximum length of time a password is valid
- The minimum number of characters in a password
- The mandatory number of numeric characters in a password
Password policies play an important role when attempting to access a directory. The directory
server ensures that the password entered adheres to the password policy.
Oracle Product Lifecycle Analytics (OPLA) is dependent on the Oracle Business Intelligence Enterprise
Edition (OBIEE) password policy.
If you are using the OBIEE 11.x.x.x version, you automatically adhere to the Oracle password
policy. Use the Oracle Internet Directory to set passwords. For more information, see the Oracle®
Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1.
Note
You must secure Oracle Fusion Middleware components using SSL version 3 or TLS
version 1. For more information, see Oracle® Fusion Middleware System
Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g.
Security Model
In today's environment it is critical to have a properly secured computing infrastructure. A secured
infrastructure strikes a balance between:
- Exposure risk
- Security costs
- Value of the information to protect (monetary or other)
Oracle Product Lifecycle Analytics (OPLA) achieves this balance and protects information by using
a three-level hierarchy model. See the OPLA Security Hierarchy figure for a better understanding.
Data-Level Security
Data-level security is a restricted security status. Restriction, or access, is based on access control
permissions given by an Administrator. The security level determines (through the Administrator)
who gets to see particular data, and whether they can access it. For example, you can restrict a
user's access to project analysis to only their product lines.
Object Level Security
Object-level security controls and restricts the visibility to business logic objects by user role. For
example, object-level security for dashboards can be set up based on subject areas and roles.
User-Level Security (User Authentication)
User-level security is the authentication and confirmation of a user’s identity based on the
credentials provided. This is your basic login and password at the lowest level. At higher levels, it
can consist of a number of authentications and confirmations (at various degrees of encryption).
Configuring and Using Authentication in OPLA
Oracle Product Lifecycle Analytics (OPLA) supports both of the following high-level authentication
configurations:
1. OPLA authentication at the ETL layer
2. OPLA authentication at the OBIEE layer
Authentication at ETL Layer
You can change or modify your password after installing Oracle Product Lifecycle Analytics (OPLA).
At the ETL layer, different methods are used for changing different passwords. You change the
password for the Staging Schema connection details in the Physical Repository of ODI Topology
Manager. For more information, see the Oracle Data Integrator Installation and Configuration
Guide. You can change the OPLA Configurator password using OPLA encryption methods. You can
change the password for the ODI repositories using the ODI Agent.
Authentication at the ETL Layer using OPLA Encryption Methods
You can change the passwords for the OPLA Configurator using OPLA encryption methods.
To change passwords:
1. From the command prompt, navigate to .
2. For Windows: Type,
   For Linux: Type,
3. The system generates an encoded password. Copy the encoded password, and exit the
   command prompt.
4. Navigate to and open the file.
5. In the file, navigate to the parameter whose password you want changed, and manually
   replace the old password with the new encoded password. Refer to the table below to locate
   the parameter you need to change.
6. Save and close the file.
To Change the Password for / Parameter to Navigate to in the file
Agile PLM Source schema password: PLM_DB_PWD
Agile PLM for Process Source schema password: PLM4P_DB_USER_PWD
Data Mart Database sys schema password: SYS_USER_PASSWORD
Data Mart Database system schema password: DB_SYSTEM_PWD
Data Mart schema password: MDS_USER_PASSWORD
Source schema password, if installed as a separate schema: ODM_USER_PASSWORD
Master Repository schema password: MASTER_PWD
Work Repository schema password: WORK_PWD
Work Repository password: WORK_REP_PWD
Authentication at the ETL Layer using the ODI Agent
You can also change passwords at the ETL layer employing the ODI Agent or the ODI Studio for
the following:
- Master Repository Database password
- Work Repository Database password
- ODI Work Repository password
To change passwords in ODI 11g:
1. From the command prompt, navigate to .
2. For Windows: Type,
   For Linux: Type,
Authentication at the Oracle Business Intelligence Enterprise Edition Layer
The Oracle Product Lifecycle Analytics (OPLA) application utilizes the Oracle Business Intelligence
Enterprise Edition (OBIEE) layer's platform authentication features. You change the password for
the repository file (where XX represents either Agile PLM or Agile PLM for Process) using the
OBIEE Admin Tool. For more information, see the OBIEE Installation and Configuration Guide.
OPLA uses OBIEE authentication features. We recommend you use the authentication features in
the order shown below:
- LDAP authentication - We recommend that you configure the OPLA application to use LDAP
  authentication only if your Agile PLM application is configured for LDAP authentication.
- External table authentication - We recommend that you configure the OPLA application to use
  external table authentication only if your Agile PLM application is configured for external table
  authentication.
- Database authentication - We recommend that you configure the OPLA application to use
  database authentication only if your Agile PLM application is configured for database
  authentication.
- Oracle BI Server user authentication maintenance - We do not recommend using the Oracle BI
  Server authentication mechanism.
LDAP Authentication
LDAP authentication is used as an alternative to storing user IDs and passwords in an Oracle BI
repository. You can set up the Oracle BI Server to take the user ID and password, and have it then
pass the user ID and password to an LDAP server for authentication. For LDAP authentication the
server uses clear-text passwords.
You can configure OBIEE to secure communications between different points in the network.
OBIEE 11g supports SSL version 3, and TLS version 1. For more information on how to configure
SSL,
Important You must configure your LDAP servers to allow this.
External Table Authentication
You can maintain lists of users and their passwords in an external database table instead of storing user IDs and passwords in an Oracle BI repository, and then use this table for authentication. The external database table contains the following information:
- User IDs
- Passwords
- Group membership
- Display names (used for Oracle BI Presentation Services users)
- Specific database catalog names
- Schemas to use for individual users (when querying data)
You can also configure user-level security using the user authentication information stored in the external source system. For example, in Agile PLM the AgileUser table stores encrypted user IDs and passwords.
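The lookup that external table authentication performs, as an added illustration that is not part of this guide and not the OBIEE initialization block itself: a user table with the columns listed above, held in an in-memory SQLite database, is queried for the user ID, the supplied password is checked against the stored verifier, and the group membership and display name are returned on success. The table name opla_users, the sample users, and the choice of a salted PBKDF2 hash as the stored verifier are assumptions of this example (the guide does not specify how passwords are stored); matching user IDs case-insensitively and passwords exactly follows the description of Oracle BI Server user IDs and passwords later in this chapter.

```python
"""External-table authentication lookup (added illustration).

This is not the OBIEE initialization block itself. It shows, in plain Python
against an in-memory SQLite table, the checks a lookup against an external
user table should perform. The columns (user ID, password verifier, group
membership, display name) follow the list in the guide; the table name
opla_users, the sample users and the use of a salted PBKDF2 hash as the stored
password verifier are this example's assumptions, not something the guide
specifies. User IDs are matched case-insensitively and passwords exactly.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def make_verifier(password, salt=None):
    """Return 'pbkdf2$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def check_verifier(password, verifier):
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = verifier.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Verifier for a password nobody has; used so that an unknown user ID costs
# the same as a wrong password and cannot be told apart by timing.
DUMMY_VERIFIER = make_verifier(os.urandom(16).hex())


def build_sample_table():
    """Constructed sample standing in for the external authentication table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE opla_users ("
        "  user_id      TEXT PRIMARY KEY COLLATE NOCASE,"  # case-insensitive IDs
        "  verifier     TEXT NOT NULL,"
        "  group_name   TEXT NOT NULL,"
        "  display_name TEXT NOT NULL)")
    sample_users = [  # constructed data
        ("analyst1", "S3cret-Pass", "PLM_ANALYSTS", "Analyst One"),
        ("admin", "Adm1n-Pass", "PLM_ADMINS", "OPLA Administrator"),
    ]
    conn.executemany("INSERT INTO opla_users VALUES (?, ?, ?, ?)",
                     [(u, make_verifier(p), g, d) for u, p, g, d in sample_users])
    return conn


def authenticate(conn, user_id, password):
    """Return (stored user_id, group_name, display_name) on success, else None."""
    row = conn.execute(
        "SELECT user_id, verifier, group_name, display_name "
        "FROM opla_users WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        check_verifier(password, DUMMY_VERIFIER)  # equalise timing
        return None
    stored_id, verifier, group_name, display_name = row
    if not check_verifier(password, verifier):
        return None
    return (stored_id, group_name, display_name)


if __name__ == "__main__":
    db = build_sample_table()
    for uid, pw in [("analyst1", "S3cret-Pass"), ("ANALYST1", "S3cret-Pass"),
                    ("analyst1", "s3cret-pass"), ("nobody", "S3cret-Pass")]:
        print("%-9s %-12s -> %s" % (uid, pw, authenticate(db, uid, pw)))
```

The successful lookup returns the user ID as stored in the table rather than as typed, so downstream group and catalog decisions are made on the canonical identity; the unknown-user path still runs the key derivation so an attacker cannot enumerate valid user IDs by response time.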
Database Authentication
The Oracle BI Server authenticates users through database logons. If a user has Read permission
on a specified database, the Oracle BI Server trusts that user. This authentication method can also
be applied for Oracle BI Presentation Services users.
Maintaining Oracle BI Server User Authentication
Using the Administration Tool, you can maintain lists of users and their passwords in the Oracle BI repository. The Oracle BI Server authenticates users against this list when a user logs on (unless another authentication method has already been used, or database authentication is specified in the file). Oracle BI Server user IDs are case insensitive and are stored in non-encrypted form in the Oracle BI repository, whereas Oracle BI Server passwords are case sensitive and are stored in encrypted form. If the user has the required access privileges, an Oracle BI Server user ID can access any business model in a repository.
Important: User IDs are valid only for the repository in which they are set up. They do not span multiple repositories.
For more information on password policy settings in OBIEE, see the Oracle® Fusion Middleware
System Administrator's Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1
(11.1.1) http://download.oracle.com/docs/cd/e14571_01/bi.1111/e10541/toc.htm.
Configuring and Using Access Control
Authorization primarily includes two processes:
1. Permitting only certain users to access, process, or alter data.
2. Applying varying limitations on user access or actions.
Oracle Product Lifecycle Analytics (OPLA) supports access control at the folder and file level, as well as at the following levels:
- Access control at the data level
- Access control at the object level
- Access control at the user level
Access Control at the Folder and File Level
Oracle Product Lifecycle Analytics (OPLA) uses the host operating system's file permission features to control access to directories, executables, server software, data files, logs, and external CSV files. When OPLA is deployed, appropriate access privileges are set on the directories and folders. Files often contain sensitive and critical information and must be protected from disclosure, modification, or deletion.
Caution
1. You must secure all Oracle PLA log files, external files, configurator files, and product line security files (rpd) listed below. Not doing so can result in files being corrupted, destroyed, or rewritten.
   Only Administrators should have Read, Write and Execute privileges for the file, located at . This applies to both OPLA with Agile PLM and OPLA with Agile PLM for Process.
2. Make sure that the external (csv) files listed in the table below are secured. The files are located at .

   Post-Installation File        Administrator Value     User Value
   PPM_PRD_DEMAND.CSV            Read & Write            Read
   PPM_PRD_INV_QTY.CSV           Read & Write            Read
   PPM_PRD_INV_VALUE.CSV         Read & Write            Read
   PPM_PRD_UNIT_REC.CSV          Read & Write            Read
   PPM_PRD_UNIT_SHIP.CSV         Read & Write            Read
   PRJ_COST.CSV                  Read & Write            Read
   PRJ_FORECAST.CSV              Read & Write            Read

3. Make sure that the log files listed in the table below are secured.
   Note: Log files are located at .

   Post-Installation File        Administrator Value     User Value
   BI_DATA_DICT_PC_SD.log        Read, Write, Execute    Read
   BI_DATA_DICT_PPM_SD.log       Read, Write, Execute    Read
   BRIDGE_SD.log                 Read, Write, Execute    Read
   ControlTables.log             Read, Write, Execute    Read
   install_logger4odm.log        Read, Write, Execute    Read
   LIST_DM_SD.log                Read, Write, Execute    Read
   MDS_COMMENT.log               Read, Write, Execute    Read
   MDS_DDL.log                   Read, Write, Execute    Read
   MDS_IND.log                   Read, Write, Execute    Read
   MDS_PROCS.log                 Read, Write, Execute    Read
   MDS_SD.log                    Read, Write, Execute    Read
   MDS_TEMP_DDL.log              Read, Write, Execute    Read
   MDS_VIEWS.log                 Read, Write, Execute    Read
   ODM_DDL.log                   Read, Write, Execute    Read
   ODM_PROC.log                  Read, Write, Execute    Read
   PC_DDL.log                    Read, Write, Execute    Read
   PPM_DDL.log                   Read, Write, Execute    Read
   SEED_DATA_GLOBAL.log          Read, Write, Execute    Read
   SingleSchemaCreation.log      Read, Write, Execute    Read
   USERDEF_OBJ.log               Read, Write, Execute    Read

4. Make sure that the following rpd file is secure.
   Note: Location for RPD file:
   Note: RPD File name:
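A check that the permissions above actually hold on a POSIX host, as an added example that is not part of this guide: the guide gives the administrator Read & Write on the CSV files (Read, Write, Execute on the logs) and other users Read only, which maps to owner = the OPLA administrator, group = OPLA users, and no access for "others". The file names are taken from the two tables; the directory, the owner and group accounts, and the temporary sample directory built by make_sample_dir() are this example's own assumptions.

```python
"""Permission check for the OPLA external CSV and log files (added example).

Not part of the Oracle guide. The guide's tables give the administrator Read &
Write on the CSV files (Read, Write, Execute on the logs) and ordinary users
Read only. On a POSIX host that maps to: owner = the OPLA administrator,
group = OPLA users, and no access for "others". The functions below flag any
listed file that is missing, group-writable, or accessible by others, and
report symbolic links, which could point the reader at a different file. The
file names come from the guide; the directory, the owner/group accounts, and
the sample directory built by make_sample_dir() are this example's own.
"""
import os
import stat
import tempfile

# File names from the guide's tables.
EXTERNAL_CSV_FILES = [
    "PPM_PRD_DEMAND.CSV", "PPM_PRD_INV_QTY.CSV", "PPM_PRD_INV_VALUE.CSV",
    "PPM_PRD_UNIT_REC.CSV", "PPM_PRD_UNIT_SHIP.CSV", "PRJ_COST.CSV",
    "PRJ_FORECAST.CSV",
]
LOG_FILES = [
    "BI_DATA_DICT_PC_SD.log", "BI_DATA_DICT_PPM_SD.log", "BRIDGE_SD.log",
    "ControlTables.log", "install_logger4odm.log", "LIST_DM_SD.log",
    "MDS_COMMENT.log", "MDS_DDL.log", "MDS_IND.log", "MDS_PROCS.log",
    "MDS_SD.log", "MDS_TEMP_DDL.log", "MDS_VIEWS.log", "ODM_DDL.log",
    "ODM_PROC.log", "PC_DDL.log", "PPM_DDL.log", "SEED_DATA_GLOBAL.log",
    "SingleSchemaCreation.log", "USERDEF_OBJ.log",
]


def mode_problems(path, allow_owner_exec=False):
    """Return the list of problems with one file's mode; [] means acceptable.

    allow_owner_exec=True is for the log files, where the guide grants the
    administrator Execute as well; on a CSV file an executable bit is odd
    enough to report.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link")
    m = stat.S_IMODE(st.st_mode)
    if m & stat.S_IRWXO:
        problems.append("accessible by others (o=%s)" % oct(m & stat.S_IRWXO))
    if m & stat.S_IWGRP:
        problems.append("writable by group")
    if m & stat.S_IXGRP:
        problems.append("executable by group")
    if (m & stat.S_IXUSR) and not allow_owner_exec:
        problems.append("executable by owner")
    return problems


def audit(directory, names, allow_owner_exec=False):
    """Map each offending file name to its problems; clean files are omitted."""
    report = {}
    for name in names:
        problems = mode_problems(os.path.join(directory, name), allow_owner_exec)
        if problems:
            report[name] = problems
    return report


# Constructed sample: three CSVs, one correct (0640) and two too permissive.
SAMPLE_MODES = {"PRJ_COST.CSV": 0o640, "PRJ_FORECAST.CSV": 0o644,
                "PPM_PRD_DEMAND.CSV": 0o660}


def make_sample_dir():
    """Create a temporary directory holding the constructed sample files."""
    directory = tempfile.mkdtemp(prefix="opla_perm_demo_")
    for name, mode in SAMPLE_MODES.items():
        path = os.path.join(directory, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, problems in sorted(audit(sample, EXTERNAL_CSV_FILES).items()):
        print("%-24s %s" % (name, "; ".join(problems)))
```

Run audit() against the real external-file directory with EXTERNAL_CSV_FILES, and against the log directory with LOG_FILES and allow_owner_exec=True; an empty result means every listed file exists and grants nothing beyond owner read/write (plus execute for logs) and group read. Missing files are reported too, since a file that is absent from the secured location may have been created somewhere less protected.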
Access Control at the Data-Level
Data-level security controls the visibility of data (content in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association to data in the transactional system. For example, OPLA restricts authorized users' access to Project Analysis to their assigned Product Lines.
To extend data-level security for repository objects:
1. Extend the physical table by adding the attribute by which the dimension, or fact, needs to be secured.
   a. To enable existing out-of-the-box dimensions and measures without changing the ETL mapping, map the attributes in the OPLA Configurator. This step may result in a change to the data model.
   b. To enable new user-defined dimensions and measures by changing the ETL mapping and the BI repository, add the new user-defined attributes using the Schema Enhancer that comes with the OPLA Configurator. This step results in a change to the data model.
2. Populate the relevant attribute value for each row in the fact or dimension table. This step results in a change to the ETL mapping.
3. Use the Oracle BI Administration Tool to create an initialization block. When a user logs into OPLA, the initialization block fetches the attribute values and populates them into a session variable. You can then create a target session variable for the initialization block; this is possible only if the initialization block is not a row-wise initialization block. For detailed instructions, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition. This step results in a change to the Oracle BI repository.
4. Use the Oracle BI Administration Tool (in online mode) to set up data filters, based on the new application role, for each of the fact and dimension tables that need to be secured by the attribute you added in step 1. This step results in a change to the Oracle BI repository.
5. Use Presentation Services administration to set up the Presentation Services catalog privileges based on the application role you created in step 4. For detailed instructions, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Note: You can also leverage the existing OPLA security objects when extending data-level security. To do this, copy the existing security objects for secured dimensions, such as initialization blocks, and then modify them to apply to the additional dimensions.
Access Control at the Object-Level
You can enable object-level security using the Oracle Business Intelligence Enterprise Edition (OBIEE) platform features. Oracle Product Lifecycle Analytics (OPLA) integrates tightly with OBIEE, and with the security model of the operational source system, so that the right content is shown to the right user.
Important: You should be thoroughly familiar with the security features of OBIEE before you begin working with OPLA.
Security settings for OBIEE are made in the following Oracle Business Intelligence (Oracle BI) components:
1. Oracle BI Administration Tool
   You can use the Oracle BI Administration Tool to perform tasks such as:
   - Setting permissions for business models, tables, columns, and subject areas
   - Specifying filters to limit data accessibility
   - Setting authentication options
   For more detailed information, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition 11g.
2. Oracle BI Presentation Services Administration
   You can use Oracle BI Presentation Services Administration to perform tasks such as setting permissions on Presentation Catalog objects (including dashboards and dashboard pages).
   For more detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
3. Oracle Enterprise Manager Fusion Middleware Control
   You can use Fusion Middleware Control to manage the policy store, application roles, and permissions that determine functional access.
   For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
4. Oracle WebLogic Server Administration Console
   You can use the Administration Console to manage users and groups in the embedded Oracle WebLogic Server LDAP. You can also use the Administration Console to manage security realms and to configure alternative authentication providers.
   For detailed information, see Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Access Control at the User-Level
User-level security involves the authentication and confirmation of the user's identity, based on the credentials provided, such as user name and password. By default, user-level security is set up in the embedded Oracle WebLogic Server, the LDAP server, and the policy store.
See also Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g.
Configuring and Using Security Audit
This section explains how to enable the security audit feature in Oracle Product Lifecycle Analytics (OPLA).
Oracle Business Intelligence Enterprise Edition (OBIEE) supports extensive audit features including, but not limited to, error events, informational events, and warning events. Some examples are server start-up and shutdown, failed login attempts, and failed access control authorizations. In OBIEE 11g, security auditing is integrated into the Oracle Fusion Middleware Audit Framework in Oracle Fusion Middleware Application Security, which provides a range of out-of-the-box reports accessible through Oracle Business Intelligence Publisher.
The reports are grouped according to the type of audit data they contain:
- Common Audit Reports
  - Account Management
  - User Activities
  - Errors and Exceptions
- Component-Specific Audit Reports
  - Oracle Fusion Middleware Audit Framework
  - Oracle HTTP Server
  - Oracle Internet Directory
  - Oracle Virtual Directory
  - Reports Server
  - Oracle Directory Integration Platform
  - Oracle Identity Federation
  - Oracle Platform Security Services
  - Oracle Web Services Manager
  - Oracle Web Cache
For more information, see the Oracle® Fusion Middleware Application Security Guide http://docs.oracle.com/cd/E21764_01/core.1111/e10043/toc.htm
Configuring and Using Oracle PLA Configurator
Oracle Product Lifecycle Analytics (OPLA) comes with the OPLA Configurator tool. The OPLA Configurator provides the ability to map source columns to target columns (based on customer choice) in the data layer.
It is a standalone feature and uses its own encryption to protect the credentials it uses to connect to the source and target data schemas (Agile PLM 9 schema).
The following security features are implemented in the OPLA Configurator:
- Uses Blowfish-based encryption for the DB-level authentication credentials stored in the file.
- Uses default DB-level authentication.
- Uses a third-party XML parser component, upgraded to the latest patch (from Xerces 2.9.0 to Xerces2 2.11.0).
Note: OPLA also provides the ability to map extended attributes with the MDS layer for the Agile PLM for Process source. Manual SQL scripts are supplied for updating the MDS schema.
Chapter 6
Security Considerations for Developers
Oracle Product Lifecycle Analytics (OPLA) supports the extension of the standard product
functionality only in the following two scenarios:
1.
You can enable existing defined dimensions and measures without changing ETL Mapping.
This requires changes only to the BI repository.
2.
You can enable new user-defined dimensions and measures. This requires changes to both
the ETL Mapping and the BI repository.
In both scenarios you must ensure that the preconfigured OPLA security model is updated to match
your operational source system.
When you extend OPLA, you must ensure that your customizations and any new objects are valid
and functional.
Appendix A
OPLA Secure Deployment Checklist
The following security checklist includes guidelines that help secure your database:
1. Install only what is required.
2. Lock and expire default user accounts.
3. Enforce password management.
4. Enable data dictionary protection.
5. Practice the principle of least privilege.
   a. Grant necessary privileges only.
   b. Revoke unnecessary privileges from the PUBLIC user group.
   c. Restrict permissions on run-time facilities.
6. Enforce access controls effectively and authenticate clients stringently.
7. Restrict network access.
   a. Use a firewall.
   b. Never poke a hole through a firewall.
   c. Protect the Oracle listener.
   d. Monitor listener activity.
   e. Monitor who accesses your systems.
   f. Check network IP addresses.
   g. Encrypt network traffic.
   h. Harden the operating system.
8. Apply all security patches and workarounds.
9. Contact Oracle Security Products if you come across any vulnerability in the Oracle Database.
Appendix B
Database Schema Privileges
This Appendix includes the following:
- Single Database Schema Privileges
- OPLA Multiple Schema Privileges
In Oracle Product Lifecycle Analytics (OPLA), database privileges vary for single schema and multiple schema installations.
Single Database Schema Privileges
This table lists and explains the privileges required to use a single schema to host the DataMart, ODI Master, and ODI Work Repository objects in Oracle Product Lifecycle Analytics (OPLA).

Privilege                      Purpose
CONNECT, RESOURCE              Basic privileges for the schema user
CREATE DATABASE LINK           Create a DBLink to the Agile PLM source system for every ETL run
CREATE TABLE                   Create table privilege for the schema
CREATE SYNONYM*                Create a synonym for the source table
CREATE MATERIALIZED VIEW*      Create materialized views in the schema
DROP PUBLIC DATABASE LINK      Drop the database link on the schema
ANALYZE ANY*                   Analyze the tables for performance
SELECT ON V_$DATABASE          Read platform information
ALL ON SYS.DBMS_PIPE           PL/SQL logger privileges
EXECUTE ON SYS.DBMS_SYSTEM     PL/SQL logger privileges
CREATE VIEW                    Create a view in the schema
CREATE PUBLIC SYNONYM          Create a public synonym for the schema
DROP PUBLIC SYNONYM            Drop a public synonym
* Agile PLM databases only
OPLA Multiple Schema Privileges
This table lists and explains the privileges required when you install the ODM and MDS on one schema, and the ODI Master and ODI Work repositories on a separate schema.

Privilege                      Purpose
CONNECT, RESOURCE              Required for the MDS and ODI Repository schemas
CREATE DATABASE LINK           Create a DBLink to the Agile PLM source database for every ETL run
CREATE ANY TABLE               Create i$, e$, c$ tables in the ODI Work Repository schema
CREATE ANY SYNONYM             Create a synonym for the source table in the ODI Work Repository schema
CREATE VIEW                    Create a view in the schema
INSERT ANY TABLE               Insert into tables such as i$, e$, c$ in the ODI Work Repository schema
DELETE ANY TABLE               Delete records from i$ tables in the ODI Work Repository schema; used during an incremental ETL run
SELECT ANY TABLE               Select from tables such as i$_listname in the ODI Work Repository schema
DROP ANY SYNONYM               Drop a synonym in the ODI Work Repository schema
DROP ANY TABLE                 Drop i$ tables in the ODI Work Repository schema; used during full and incremental ETL runs
DROP PUBLIC DATABASE LINK      Drop the database link on the schema
SELECT ON V_$DATABASE          Read platform information
CREATE PUBLIC SYNONYM          PL/SQL logger privileges
DROP PUBLIC SYNONYM            PL/SQL logger privileges
ALL ON SYS.DBMS_PIPE           PL/SQL logger privileges
EXECUTE ON SYS.DBMS_SYSTEM     PL/SQL logger privileges

This table lists and explains the privileges required when you install ODM and MDS in different schemas.
Privilege                      Purpose
CONNECT, RESOURCE              Basic privileges for the schema user
CREATE ANY TABLE               Create i$, e$, c$ tables in the ODI Work Repository schema
CREATE ANY SYNONYM             Create a synonym for the ODM table in the ODI Work Repository schema
CREATE ANY VIEW                Create a view in the schema and the JV$ view on the ODI Work Repository schema
CREATE ANY INDEX               Create an index in the ODI Work Repository schema for the i$ tables
CREATE ANY TRIGGER             Create a trigger on the ODM schema
CREATE MATERIALIZED VIEW       Create a materialized view on the schema
INSERT ANY TABLE               Insert into tables such as i$, e$, c$ in the ODI Work Repository schema
DELETE ANY TABLE               Delete records from the i$ tables in the ODI Work Repository schema; used during an incremental ETL run
SELECT ANY TABLE               Select from tables such as i$_listname in the ODI Work Repository schema
DROP ANY SYNONYM               Drop a synonym in the ODI Work Repository schema
DROP ANY TABLE                 Drop i$ tables in the ODI Work Repository schema; used during full and incremental ETL runs
DROP ANY INDEX                 Drop an index on the schema
DROP ANY TRIGGER               Drop a trigger on the schema
DROP ANY VIEW                  Drop a view on the schema
ANALYZE ANY TABLE              Analyze the tables for performance
UPDATE ANY TABLE               Update records in the i$ tables in the ODI Work Repository schema; used during an incremental ETL run
ALTER ANY TABLE                Alter the schema tables
Appendix C
SSL Configuration in Oracle Business Intelligence
Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure communication between applications across a network. Enabling SSL communication provides several benefits, including message encryption, data integrity, and authentication. Encryption ensures confidentiality, in that only authorized parties can read the message. Data integrity ensures that a message is received intact, without tampering. Authentication assures the recipient that the party sending the message is who it claims to be.
The SSL Everywhere feature of Oracle Business Intelligence enables secure communications between the components. You can configure SSL communication between the Oracle Business Intelligence components and with Oracle WebLogic Server for secure HTTP communication across your deployment.
The table below contains common SSL configuration tasks. For more information on these tasks, see the "SSL Configuration in Oracle Business Intelligence" chapter in Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1).

Task Map: Configuring SSL Communication for Oracle Business Intelligence

Task: Understand SSL communication in Oracle Business Intelligence.
Description: Understand how SSL communication between components and the application server works.

Task: Configure SSL communication between the Oracle WebLogic Server Managed servers.
Description: The Web server must be configured to use HTTPS before enabling SSL communication for Oracle Business Intelligence. Note: Also see the "SSL Configuration in Oracle Fusion Middleware" chapter in the Oracle Fusion Middleware Administrator's Guide.

Task: Configure SSL communication between components.
Description: Configure SSL communication between Oracle Business Intelligence components.

Additional references:
- For more information about SSL concepts and public key cryptography, see "How SSL Works" in Oracle Fusion Middleware Administrator's Guide.
- For information about how to configure SSL for Oracle WebLogic Server, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.