This short guide will take you through the process of creating new users in Oracle OBIEE and WebLogic as well as introducing security concepts including the use of security groups and application roles to control data access.Before you startBefore proceeding with this tutorial, you will need: An Oracle 11g database that is installed and running. A working WebLogic install. WebLogic/OBIEE credentials with the appropriate level of permissions to create and administer other user accounts. A login for the Enterprise Manager Fusion Control panel.Once you have each of these in place, you are ready to proceed.Viewing your own user permissionsLog into the OBIEE WebLogic console using your admin credentials and proceed to the "welcome" screen.1. Click on your user name in the top right-hand corner of the screen and selectMy Account from the drop-down menu:

2. In theMy Account pop-up box, select theRoles and Catalog Groups tab:

This will then show a list of the groups to which your account belongs:

3. ClickOK orCancel to close the dialog box.At this point you cannot change any of your permissions or group memberships, but you can at least get an idea of what you are permitted to do with the system.Viewing other WebLogic user accounts and permissionsFire up the WebLogin console and login with an administrator-level account.1. When the Administration Console screen opens, selectSecurity Realm from theDomain Structure pane on the left-hand side of the screen:

2. The main console pane will now refresh. Click on the relevant realm from the list displayed. In our example it is calledmyrealm (which also happens to be the default realm created when first installing OBIEE).

3. With the details ofmyrealm loaded, select theUsers and Groups tab:

4. You will now be presented with a table containing the registered OBIEE users:

Bear in mind that the system displays only ten accounts at a time by default. You can change this by clicking theCustomize this table link and making adjustments as you see fit.Creating a new WebLogic userCreating a new WebLogic user account is relatively straightforward too. 1. From within theUsers and Groups tab of themyrealm security realm click the New button:

2. Complete theCreate a New User form ensuring that you supply aName and aPassword at the very least:

ClickOK to continue.3. You are now returned to the list of users where you will see a message confirming successful creation of the new user account:

You should be able to test the new account by trying to log into the WebLogic interface with the user name and password you just created. Rememeber that this new account will have relatively restricted access to WebLogic functions based on the default new user account settings.Checking Application Role permissionsUsers can also be assigned permissions viaApplication Roles. Application Roles apple security group permissions to user accounts, adding an additional layer of security. Application Roles can be modified by logging into theEnterprise Manager Fusion Control interface with an admin-level account.1. From the left-hand tree-view panel, selectBusiness Intelligence ->coreapplication

2. Click theSecurity tab in the main window:

3. Select theSingle Sign On sub-tab:

4. Click theConfigure and Manage Application Roles link at the bottom of the page:

5. When the screen reloads you will be able to see a list of the available application roles. By selecting one, in this caseBIConsumer, you will then see a list of users who are members of that role:

Note thatauthenticated-role one of the default memberships discovered above is also a member of theBIConsumer role, helping to explain why all new users receive both permissions by default.At this point you can assign users new application role permissions directly using this screen - this is not however considered best practice. Instead you should be looking to associate users with groups, and groups with application roles.Assigning permissions to WebLogic usersOnce you understand the difference between security groups and application roles, changing user group memberships is relatively simple.1. FromtheUsers and Groupstab of themyrealmsecurity realm click theGroupstab:

Check for the group that you want to add your new user to - for our example we will be working with the group that has already been defined asBIAuthors.

As before the system displays just ten groups by default. You can change the number of records displayed by clicking theCustomize this tablelink and making the necessary alterations.2. Click theUserssub-tab above the tableand then select the new user's name from the table displayed.3. When the Settings screen reloads, click theGroups tab:

4. Select the desiredParent Group from the list on the left, then click the blue arrow to add it to theChosen column:

ClickSave to apply the account changes.The user will now need to log out of the OBIEE for the new permissions to apply. Upon next login the new Application Role settings will have been added to the account and the user will have access to additional functions as defined in theBIAuthors application role. You can confirm the new permissions have been applied by checking theMy Account settings as detailed above