In the previous section, you've briefly reviewed the embedded WebLogic LDAP Server, and also completed an exercise using WLST to create a new user via scripting. There is one other operation that is integral to managing users and groups within Oracle BI - Application Roles.

Application Roles provide a means to associate universal privileges to users and groups, regardless of which identity provider (for example, MS Active Directory, Oracle OID, and so on) they may stem from. That is to say, we can assign an embedded WLS LDAP user and a user from our Active Directory LDAP to a single application role. We could then assign certain privileges within the Oracle BI application to that specific application role. In addition, you can assign application roles to another application role in order to provide a hierarchy of authorization. Oracle BI 12c comes with three broad-range core application roles out-of-the-box that should not be deleted or modified: BIServiceAdministrator, BIContentAuthor, and BIConsumer.

The application role names are quite indicative of what each role's capabilities are, except, maybe, BIServiceAdministrator. BIServiceAdministrator has administrative ability over the Oracle BI environment; BIContentAuthor may read/write reports and create most types of content, and BIConsumer can read/consume content such as reports but is restricted as to what it is able to create.

As a WebLogic Server administrator, in Enterprise Manager, you can create new application roles from scratch, or you can mimic the properties from any of the default application roles to assume those capabilities into your own custom application roles.