Oracle Business Intelligence

Products Banner

GSI - Data Source Access across Oracle Pillars (HCM and FIN) - BI Admin


Organization Name



The Oracle Idea Lab is logged to highlight a gap in the BI Publisher security design. As of today, a user with the ability to create a data model has the ability to query any data source:

Navigation > OBIEE > New > Published Reporting > Data Model > > New Data Set > SQL Query >  Data Source

a. Oracle BI EE

b. AplicationDB_HCM

c. ApplicationDB_FSCM

d. ApplicationDB_CRM


The specific concern is around access to data categorized as PII/HIPAA/Sensitive when implementing various Oracle Pillars in the same Oracle Cloud GSI. We do not want our FIN developers to have access to performance ratings, succession plan, payroll data, and various other sensitive HR data.


Our mitigation strategy is to:

a. Run audit queries on specific HR tables (from bipublisher_v)

b. Remove the 'Workforce Confidential Reporting duty role' to remove access to personal email, personal phone, person contact, SSN, passport, communication method, person visa

c. Revoke access to most project users from access to the BIP data set creation in higher environments

d. Use HCM Extract and OTBI for integration/reporting purposes where we can


It does impact who can manage reports and integration within a GSI model. The main ask:


Provide the ability to separate access between the  AplicationDB_HCM and the  ApplicationDB_FSCM data source across resources via a role. For example, when you create a custom JNDI connection for "AuditViewDB", you can define which roles have access to that data source.

Use Case and Business Need

a. As a FIN Developer, I should NOT have the ability to access the AplicationDB_HCM

b. As an HR stakeholder, I want to protect my HR data in the following category: sensitive/PII/HIPAA

c. As a security manager, I want consistent security approach about securing FIN and HR across the GSI application/tools


More details

In a GSI Oracle Cloud environment where a client is implementing different pillars, it is common to have different users with different data access between an FIN team and an HR team. Across the application, we have the ability to security access across pages between the FIN and HR teams. However, there is existing way to separate access between the HR and FIN data source via the BI Publisher tool.


The BI publisher tool is a tool used for multiple purposes to meet reporting and integration reporting requirements.

Original Idea Number: e7b246aeda

8 votes

Submitted · Last Updated