The Official Documentation for the 11g Oracle Business Intelligence (Security Guide) mentions the following key rules about the evaluation of the Presentation Service Privileges:
“Presentation Services privileges control the rights that users have to access the features and functionality of Presentation Services. Privileges are granted or denied to specific application roles, individual users, and Catalog groups using a privilege assignment table.”
The Presentation Service privileges can be access from the following URL: http://hostname:port/analytics/saw.dll?PrivilegeAdmin
“privileges are either explicitly set or are inherited through role or group membership, explicitly denying a privilege takes precedence over any granted, inherited privilege. Meaning that even if Application roles are nested and thus forming a hierarchy any denied privilege takes precedence over inherited grants or directly assigned grants.”
Additionally, the following example is provided within the D. Appendix section of the same Documentation page:
With the following statements regarding the evaluation:
- User1 explicitly has the Executive role, and thus implicitly has Finance role and also Sales role.
- User1 also explicitly has the BI Author role, and thus also implicitly has BI Consumer role.
- User1’s flattened list of application roles is: Executive, BI Author, Finance, Sales and BI Consumer.
The effective privileges from Executive Role are Denied Administration privilege […] the Sales’ Denied Administration privilege takes precedence over Executive’s granted privilege, as Deny always takes precedence.”
As a showcase, the above has example has been re-created in a simplified version with all Application roles and the Presentation Service privilege for “Access to Administration” within the 126.96.36.199 Oracle BI Version:
The five Application roles of the above diagram have been configured within the Enterprise Manager (EM) Application role configuration:
All five Application roles are also correctly displayed for the User1 within the Oracle Business Intelligence “My Account” view:
Afterwards, the privileges have been configured (with Granted and Denied) for the Application roles within the Presentation Service privileges Administration page:
However, contrary to the rule and the example the “Administration Page” privilege is not denied:
The “Administration Page” privilege is granted for User1 due to the Membership of the Executive Application Role.
For testing purposes the five Application roles of the example have been enhanced to the following six:
With the following test cases and results:
deriving the following rules for the determination of the Presentation Service privileges:
- if a privilege is set (either with denied or granted) for a Application role directly assigned (member of/next) to the User this takes precedence over everything else (see #1+#3)
- for siblings on the level (within the same hierarchy level) the more restrictive is applied (#2+ #6)
- In case of inherited ancestor privileges the more restrictive is applied (#4+#5)
Links to the 11g Documentation: