Oracle Business Intelligence

Products Banner

Field level security needed for OTBI subject area analysis reporting

Submitted
374
Views
11
Comments

Organization Name

Clayton Homes Inc.

Description

When creating an analysis using a Subject area in OTBI reporting, there are fields that may contain PII data that need to be secure.  If someone has access to the entire Subject area, they can pull any data associated to that area regardless of whether they should have access to it or not.  There is no way to secure any of the data in a Subject area once it is accessible.  Since there is much needed additional data that is not PII, removing the subject area completely is not necessarily the best option.  Reporting needs to happen but security for specific fields needs to be available also.

Use Case and Business Need

The Supplier Tax ID can contain social security numbers for a supplier that could be a person/employee type supplier.  Therefore, this field can be considered PII data.  Since a user has access to the Supplier – Real Time subject area to run reports associated to the Suppliers and their data, they have access to the Tax ID and other fields, such as Supplier Bank Accounts.  Supplier Bank Account information is already masked, so that PII data is secured already, but the Tax ID field is not.  Any user with the subject area of Supplier – Real Time can pull a report containing the Tax ID field for a supplier and therefore have access to social security numbers for suppliers that are employees or people.  This field needs to be secured for specific individuals.

There are also fields within the HCM Subject areas that can be viewed as PII data as well, and as such, should be secured for certain individuals also.  These fields should be secured in the same way that reports/folders are secured within OTBI.  Any field a company determines should be secure should have the ability to allow for security.

Original Idea Number: 9c9888babc

5 votes

Submitted · Last Updated

Comments

  • This is critical for organizations wanting to protect PII and other sensitive data not currently protected by Oracle.

  • I agree that it should be possible to mask PII data. However, I'm unclear on what the request is - is it to:

    a) have an option to automatically mask out certain data in fields specified by Oracle themselves (such as already exists for bank accounts), which is dependent on Oracle identifying the fields, but easy for organisations to turn on, or

    b) have it flexible so that individual organisations can pick which fields in which tables are to be protected (which is a lot harder to identify the specific fields in the specific tables, but can directly model the business requirements)?

  • Agreed. Very important to hide sensitive data like supplier bank accounts.

  • It is b.  The ability to be flexible so each organization can determine which fields they want to be secure.  If this isn't something that can be done, then I would be ok with a, if we can help identify the fields that are allowed to have security enabled.  PII should be the same company by company.. for the most part.. 

  • I agree that PII will likely be the same company by company, but there may be exceptions. For example, I know of organisations in the UK that would count supplier names as PII as some of their suppliers are sole traders/partnerships and whether customer details are PII will depend on whether they sell directly to individuals. Most other organisations wouldn't want to make supplier names/customer names invisible on reports as that would usually make any reporting based on suppliers/customers much more difficult to review.

    Something similar to Manage Audit Trails functionality (recognising its current gaps in scope) may be ideal - easy to switch on/manage, but flexible enough to select individual tables/columns.

  • Great idea. It would also be useful for FAH OTBI Reports. FAH or AHCS (Accounting Hub Cloud Services) has its major utility in Reporting through OTBI. Via FAH journals, we bring in Supporting References, which contain employees' as well as customers/suppliers' sensitive and confidential data like Contract Numbers, Salary Figures, Bank Account numbers, etc. If we could mask/restrict visibility of certain selective table columns, that would really be a value addition.

  • Agreed. It's important to hide sensitive data.

  • Oracle has recently ‘archived’ a bunch of great ideas because they have not yet got enough votes from the community. Hopefully the community provides more votes to keep this Idea alive. Encourage your colleagues to vote on this too! We need to get to at least 20 votes to prevent this from being archived in the future.

  • Great idea - This needs Oracle's attention. I would encourage to comment and vote this idea so Oracle does not archive it.

  • This is very much required for achieve the regulatory requirements like SCHREMS regulation where employee shouldn't have access to sensitive data although they can access other personal non sensitive information details .

  • Was a solution offered on how to mask SSN for OTBI reports?