GSI - Data Source Access across Oracle Pillars (HCM and FIN) - BI Admin
Organization Name
Southern
Description
The Oracle Idea Lab is logged to highlight a gap in the BI Publisher security design. As of today, a user with the ability to create a data model has the ability to query any data source:
Navigation > OBIEE > New > Published Reporting > Data Model > > New Data Set > SQL Query > Data Source
a. Oracle BI EE
b. ApplicationDB_HCM
c. ApplicationDB_FSCM
d. ApplicationDB_CRM
The specific concern is around access to data categorized as PII/HIPAA/Sensitive when implementing various Oracle Pillars in the same Oracle Cloud GSI. We do not want our FIN developers to have access to performance ratings, succession plan, payroll data, and various other sensitive HR data.
Our mitigation strategy is to:
a. Run audit queries on specific HR tables (from bipublisher_v)
b. Remove the 'Workforce Confidential Reporting duty role' to remove access to personal email, personal phone, person contact, SSN, passport, communication method, person visa
c. Revoke access to BIP data set creation from most project users in higher environments
d. Use HCM Extract and OTBI for integration/reporting purposes where we can
It does impact who can manage reports and integration within a GSI model. The main ask:
Provide the ability to separate access between the ApplicationDB_HCM and the ApplicationDB_FSCM data sources across resources via a role. For example, when you create a custom JNDI connection for "AuditViewDB", you can define which roles have access to that data source.
Use Case and Business Need
a. As a FIN Developer, I should NOT have the ability to access the ApplicationDB_HCM
b. As an HR stakeholder, I want to protect my HR data in the following category: sensitive/PII/HIPAA
c. As a security manager, I want a consistent security approach to securing FIN and HR across the GSI application/tools
More details
In a GSI Oracle Cloud environment where a client is implementing different pillars, it is common to have different users with different data access between a FIN team and an HR team. Across the application, we have the ability to secure access across pages between the FIN and HR teams. However, there is no existing way to separate access between the HR and FIN data sources via the BI Publisher tool.
The BI Publisher tool is used for multiple purposes to meet reporting and integration reporting requirements.
Original Idea Number: e7b246aeda
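Mitigation (a) above, auditing data sets for HR table access, can be sketched as follows; this is an added example, not part of the original post and not Oracle's code. The record layout, the role name `HR_DEVELOPER`, and the table-name prefixes are assumptions, and the sample records are constructed.

```python
import re

# Assumptions (not from the original post): the record layout, the role name
# and the table-name prefixes are illustrative; adapt them to your audit source.
HR_DATA_SOURCE = "ApplicationDB_HCM"
HR_ROLES = {"HR_DEVELOPER"}                    # hypothetical role name
SENSITIVE_PREFIXES = ("PER_", "PAY_", "HRA_")  # assumed HR table prefixes

def referenced_hr_objects(sql):
    """Return sorted HR-looking identifiers in a SQL text (over-approximate)."""
    sql = re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S)  # strip comments
    sql = re.sub(r"'(?:[^']|'')*'", " ", sql)                  # strip literals
    tokens = re.findall(r"[A-Za-z_][\w$#.]*", sql)
    names = {t.split(".")[-1].upper() for t in tokens}         # drop schema/alias
    return sorted(n for n in names if n.startswith(SENSITIVE_PREFIXES))

def audit(records):
    """Flag data sets owned by non-HR users that touch HR data."""
    findings = []
    for r in records:
        if HR_ROLES & set(r["roles"]):
            continue  # HR developers are expected to use HR data
        objs = referenced_hr_objects(r["sql"])
        if r["data_source"] == HR_DATA_SOURCE or objs:
            findings.append((r["user"], r["data_source"], objs))
    return findings

# Constructed sample records, not real audit output.
SAMPLE = [
    {"user": "fin_dev1", "roles": ["FIN_DEVELOPER"],
     "data_source": "ApplicationDB_FSCM",
     "sql": "SELECT invoice_id FROM ap_invoices_all WHERE t = 'PER_DIEM'"},
    {"user": "fin_dev2", "roles": ["FIN_DEVELOPER"],
     "data_source": "ApplicationDB_HCM",
     "sql": "select person_id from per_national_identifiers -- ids"},
    {"user": "hr_dev1", "roles": ["HR_DEVELOPER"],
     "data_source": "ApplicationDB_HCM",
     "sql": "SELECT * FROM fusion.PER_ALL_PEOPLE_F"},
    {"user": "fin_dev4", "roles": ["FIN_DEVELOPER"],
     "data_source": "ApplicationDB_HCM", "sql": "SELECT 1 FROM dual"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Identifier matching is deliberately over-approximate: a column that shares a flagged prefix is reported too, which is the safer failure mode for an audit.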
Comments
-
This would help us on our current implementation project.
0 -
This is definitely a need. Customers should have the ability to address this via configuration. Key BI Admin functions like ability to view session logs and issue SQL are tangled in this web and this is introducing inefficiencies for our organization because you have for example Finance team that should not be able to query HR data and vice versa via BIP data model; so one person in each team has BI Admin access which they then end up with a line at their door because others need them to share screen so they can research an issue (i.e. using session logs, Issue SQL for PVO, data model, etc...)
1 -
Helps in segregation of roles when both FIN and HR are implemented in same domain.
0 -
Excellent idea!
0 -
Great Idea..!! This is required in our current implementation too.
0 -
Thank you for supporting this post
0 -
Good idea. Makes sense.
0 -
Agreed.
0 -
Any update on this idea? This is very helpful to have control over which tables a user can access in data model development.
1 -
Very much needed. Any update on this idea?
0