With this post I want to explain the differences between the Oracle Business Intelligence 10g and 11g security models. 11g is based on Fusion Middleware, which implements Oracle Platform Security (OPS). Let's start with 10g. Usually you manage your users and groups within the repository (RPD). In Answers (the report frontend) there are catalog groups to which users and groups are assigned. The privileges that control who can open or edit a report, create a new dashboard or call the administration interface are assigned to these catalog groups. That is 10g security in a nutshell. Furthermore, if you use LDAP and want to take users and groups from there, you use repository initialization blocks. That was a quick look at 10g. Now let's move on to 11g.
In 11g you no longer manage your users and groups within the repository. Instead, there is an embedded LDAP within the shipped WebLogic Server which holds this account information. If you use LDAP, you connect WebLogic to it to retrieve the account information. Furthermore, there is a new object type called application role. These application roles are a kind of catalog group. Users and groups are assigned to these application roles, and the privileges are granted to the roles. But application roles are more complex. They can hold users, groups and other application roles, so they can be used to build hierarchical privilege schemas. In addition, application roles are available across the Fusion Middleware stack, so they can be used in different Oracle applications which use Fusion Middleware (BI Suite, SOA Suite, WebCenter …). The idea is to use a centrally managed security platform.
And what does the upgrade assistant do when migrating from 10g to 11g? The 10g repository users and groups are created within the embedded WebLogic LDAP. Each 10g repository group becomes an application role, and the embedded LDAP group is assigned to it. The result is a one-to-one relation between group and application role. At this point you can use the new application roles like groups in the familiar way. Let's take a look at the frontend (called analytics in 11g). The best approach is to manage all privileges through application roles. But during migration the 10g catalog groups are transferred to 11g one to one, so catalog groups are available in 11g for backward compatibility. The migrated 11g report privileges are based on catalog groups.
The straightforward way would be to change report privileges to application roles and forget catalog groups. But Oracle does not do that. Now it is possible to mix everything. Report privileges can be based on catalog groups and application roles. And catalog groups can also contain application roles.
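The mixed 11g membership model described above (nested application roles, plus catalog groups that contain application roles) can be sketched as follows. This is an added example, not code from Oracle or from the original post: every user, group, role and report name is constructed, and it assumes that a role listed as a member of another role inherits that role's privileges.

```python
# Constructed sample data: all names are hypothetical, not from a real installation.
LDAP_GROUPS = {"Sales": {"alice"}, "Finance": {"bob"}}   # embedded LDAP group -> users
APP_ROLES = {                                            # application role -> members
    "Sales": {"group:Sales"},                   # 1:1 role as created by the upgrade
    "Finance": {"group:Finance"},               # 1:1 role as created by the upgrade
    "BIAnalyst": {"role:Sales", "user:carol"},  # role holding another role and a user
    "BIManager": {"role:BIAnalyst", "role:Finance"},
}
CATALOG_GROUPS = {"Report Editors": {"role:BIAnalyst", "user:dave"}}
REPORT_ACL = {"/shared/Revenue": {"catgroup:Report Editors", "role:Finance"}}


def effective_principals(user):
    """Return every principal the user holds, following nesting to a fixed point."""
    held = {f"user:{user}"}
    held |= {f"group:{g}" for g, users in LDAP_GROUPS.items() if user in users}
    changed = True
    while changed:  # fixed-point loop, so cyclic role nesting still terminates
        changed = False
        for prefix, table in (("role", APP_ROLES), ("catgroup", CATALOG_GROUPS)):
            for name, members in table.items():
                principal = f"{prefix}:{name}"
                if principal not in held and members & held:
                    held.add(principal)
                    changed = True
    return held


def can_open(user, report):
    """True if any principal the user holds appears in the report's ACL."""
    return bool(REPORT_ACL[report] & effective_principals(user))


def legacy_grants(report):
    """ACL entries that still depend on a migrated catalog group."""
    return sorted(p for p in REPORT_ACL[report] if p.startswith("catgroup:"))


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave", "eve"):
        print(u, can_open(u, "/shared/Revenue"), sorted(effective_principals(u)))
    print("still catalog-group based:", legacy_grants("/shared/Revenue"))
```

Listing the `catgroup:` entries per report shows which privileges still need to be moved to application roles after a migration.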
Overall the security model is not completely different and not massively more complex. I hope I could give an understandable summary. If you have questions or notes, feel free to add a comment.