Categories
Restrict BIP (Reports & Analytics) Access to Specific Set of Users

Organization Name
CherryRoad
Description
Restrict BIP (Reports & Analytics) Access to Specific Set of Users. Not all users of Financials or HCM are allowed to query the database by creating data models and extracting the data from base tables.
Certain personal information, such as bank accounts and PII, is available in tables which are accessible to all users with the role BI Author / BI Administrator.
E.g., supplier bank accounts.
We have a masking utility to mask the bank accounts in the front end. But when an HCM user or ERP user tries to query the table, the bank account numbers and all PII information are available and visible in BI reports without masking. As a result, anyone who has access to BI Publisher can view all sensitive information.
We need some functionality or a role that restricts all users, or a set of users, from querying sensitive information. Other Oracle products, such as PeopleSoft, do not allow a PIA user to query database tables or base tables.
Restrict a set of users with some methodology to restrict BI access (table level or module level).
Use Case and Business Need
Security breach if all users can query the base tables and get sensitive information out of BI reports. Set of users to be restricted to query the base tables.
E.g., not all users with Manager roles are allowed to view supplier information (using BI Publisher).
Benefits: Security to be tightened and sensitive information secured.
More details
The current product is like an open pond. Anyone who has BI Author (a role inherited within a parent role) can access any information using BI Publisher. The querying option is to be given only to a specific set of users and not to all users from 1 to n.
Original Idea Number: ef61fc9002
Comments
-
Agreed on the Idea Lab. It is especially important for clients that implement various Oracle Pillars. For example, if a client implements Oracle Cloud ERP and Oracle Cloud HCM, they have developers on teams that should NOT have access to each other's data.
There should be a way to separate the Data Model Data Source and manage access to those Data Sources via different roles:
i. ApplicationDB_HCM
ii. ApplicationDB_FSCM
The functionality does exist when creating a 'custom' connection to the data source 'AuditViewDB'.
1 -
Agreed and thank you for your comments !
0 -
We have done this by applying an EL to the visibility of the R&A icon on the desktop (via the Structure tool in a sandbox) - that allows us to assign a custom role to users who are authorized to access BIP to only select individuals.
0 -
Hi Liz,
Can you, if possible, provide the EL expression that you used to achieve this?
Regards,
Abhi
0 -
Hi Abhi,
We created a custom abstract role called REPORTS_USER and then applied this EL to the "Show on Navigator" field for this icon:
#{securityContext.userInRole['REPORTS_USER']}
We found it was important to give this abstract role at least ONE function security policy (something every user would have) as well as at least ONE role to inherit (we chose Access Personal Details by Worker). If we didn't do this, it seemed that the EL wasn't applied consistently and the icon often didn't appear even for those users with the role.
Best,
Liz
0 -
Thank you, Liz, for the detailed explanation.
Appreciated.
We will also check the suggested approach.
-BR
Abhi
0
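An added example, not part of the original thread and not Oracle's code: the EL in Liz's reply governs only whether the icon is shown, so it helps to check which users still inherit BI Author through a parent role (the "open pond" the idea describes) without holding REPORTS_USER. The role hierarchy, the users, and the role names other than BI Author, REPORTS_USER and Access Personal Details by Worker are constructed sample data.

```python
# Added example: constructed role data, not exported from any real environment.
from collections import deque

# role -> roles it inherits directly (constructed sample hierarchy)
ROLE_INHERITS = {
    "Line Manager": ["Employee", "BI Author"],
    "Accounts Payable Manager": ["Employee", "BI Author"],
    "REPORTS_USER": ["Access Personal Details by Worker"],
    "Employee": ["Access Personal Details by Worker"],
}

# user -> directly assigned roles (constructed sample users)
USER_ROLES = {
    "alice": ["Line Manager"],
    "bob": ["Accounts Payable Manager", "REPORTS_USER"],
    "carol": ["Employee"],
    "dave": ["Employee", "REPORTS_USER"],
}

def effective_roles(direct, inherits):
    """Return the direct roles plus everything reachable through inheritance."""
    seen, queue = set(direct), deque(direct)
    while queue:
        for child in inherits.get(queue.popleft(), []):
            if child not in seen:  # also guards against cyclic hierarchies
                seen.add(child)
                queue.append(child)
    return seen

def audit(user_roles, inherits, bi_role="BI Author", gate_role="REPORTS_USER"):
    """Classify users by BI capability versus the gating custom role."""
    report = {"ungated_bi": [], "gated_bi": [], "gate_without_bi": []}
    for user, direct in sorted(user_roles.items()):
        roles = effective_roles(direct, inherits)
        has_bi, has_gate = bi_role in roles, gate_role in roles
        if has_bi and not has_gate:
            report["ungated_bi"].append(user)   # holds BI Author, icon hidden
        elif has_bi and has_gate:
            report["gated_bi"].append(user)     # intended report authors
        elif has_gate:
            report["gate_without_bi"].append(user)  # icon shown, no BI role
    return report

if __name__ == "__main__":
    for bucket, users in audit(USER_ROLES, ROLE_INHERITS).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Users in the `ungated_bi` bucket are the ones to review: they do not see the icon but still carry the inherited BI Author role.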