Let non-admin users modify Agents ( aka schedule iBots) according to their corr

Marcelo Finkielsztein

Organization Name

Postmedia Network

Description

Today, in OAC classic, non-administrators can modify ONLY Agents where their profile is the one configured as "Run As specified user".

In our on-premise OBIEE, non-admin users were allowed to modify agents, as long as their permission allow it.  e.g.: if they have ownership on the Agent catalog item, or they have modfy permission on the catalog item, then they can edit it as needed.

This issue provokes extra work for the Admins.

 

Use Case and Business Need

Use cases:   the owner of an agent is Out Of Office.  Another user, who has been granted permissions on the Agent catalog item, would be able to cover for the OOO owner, without requiring assisstance from an admin.

 

More details

Agents have a|Permission" and "Ownership" setup that is sufficient to determine who can or cannot modify them.

Using the "Run As" property as unique criterion is a limitant.  The generic permission approach seems better.

Original Idea Number: 9918ca9a3d

M_Kumaran

I agree.

Marcelo Finkielsztein

May i have some feedback from Oracle about this?

TIA

 

 

Adam Bloom-Oracle

If an agent is set to run as a specific user who potentially has access to other sensitive data it would not be good if another user could change the content or recipient list for this agent as that would be a potential permission escalation.  Another user who has access to update the agent can still change that agent content and recipients without having specific admin privileges but they must first change the agent so that it does not ‘run as’ a specific user who may have access to more data than you do. First, change the agent to ‘run as recipient’ in order to change the recipients.  You can then change the agent to ‘run as’ you if that helps.  A user can only change the agent ‘run as a specific user’ if they have the ‘Manage Catalog Accounts’  privilege in the Manage Privileges UI.