Creating Data Model Using SQL Query is Causing Data Breach Issue

Does anyone who has both HCM and ERP in the same project have a concern when a user has access to create Data Models using a SQL query?
That is, a user account having access to the BI Author role along with the BIPDataModelDeveloper role provides the ability to see any sensitive FSCM or HCM information in Oracle Fusion, irrespective of data restrictions placed in the front end through role assignments.
Isn't this a data breach issue, and does Oracle have any solution for this?
As per the Oracle SR suggestion, I have submitted an Idea/Enhancement Request. Please refer to the link below to vote or comment if it is a concern in your project as well.
Restriction of Data in reports and analytics while creating Data Model — oracle-products
Answers
-
I wouldn't call it "data breach", because it's obvious that it can be done if you allow direct access to your database.
It's like if I give you the keys of my home and tell you to freely go in when you want and use the kitchen. Then I will start questioning if I should call the police on you because you could also go in my bathroom or bedroom. Well, why did I give you the keys of my home if I don't want you to go in?
You should control who can use what connection, because mainly with a database connection, you will have access to anything the configured database account can query. If you don't want that, you have to better secure your database either by using a more limited database account, or by not allowing anyone access to your database.
Just don't confuse the roles and tools involved and an "expectation" of security: when using a database connection in Publisher, you can't expect Publisher to be aware of the application that is currently hosted in that schema and start implementing some application security. Publisher will only know that it is a database, will be limited by the limits the database itself will enforce and nothing else. Publisher can't know, and can't "simulate", your application permissions. For Publisher it's just a database connection, like any other database connection, without connection to what application stores data there.
1 -
As @Gianni Ceresa mentioned, I don't think this could be called a data breach issue.
These old posts and White Paper may help you to implement row level security / VPD (Virtual Private Database) in BI Publisher:
https://www.oracle.com/docs/tech/middleware/technical-brief-oracle-bip-row-level-security.pdf
Other comments welcome.
Regards,
Ezequiel.
1
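
One way to combine the two suggestions in the answers above (a more limited database account, and row-level security through VPD), as an added example that is not from the thread or from the linked Oracle brief. The schema `HR_APP`, the table `EMP_SALARY`, the mapping table `REPORT_USER_DEPT`, the account `BIP_REPORT`, and the assumption that the reporting connection sets the session's client identifier to the end user's name are all hypothetical.

```sql
-- Added example. All object names are hypothetical; run as a DBA in a test database.

-- 1. Dedicated reporting account: it can log in and read one table, nothing else.
CREATE USER bip_report IDENTIFIED BY "Placeholder_ChangeMe_1";
GRANT CREATE SESSION TO bip_report;
GRANT SELECT ON hr_app.emp_salary TO bip_report;

-- 2. VPD policy function. Oracle appends the returned predicate to every
--    SELECT on the protected table, whatever SQL the report author writes.
CREATE OR REPLACE FUNCTION hr_app.emp_salary_rls (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- The owning application schema keeps full access.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_APP' THEN
    RETURN NULL;
  END IF;
  -- Fail closed: a session with no end-user identity sees no rows.
  IF SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- Assumption: the reporting tier sets CLIENT_IDENTIFIER to the end user.
  RETURN 'dept_id IN (SELECT m.dept_id FROM hr_app.report_user_dept m '
      || 'WHERE m.username = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER''))';
END emp_salary_rls;
/

-- 3. Attach the policy to the table for queries.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'EMP_SALARY',
    policy_name     => 'EMP_SALARY_BY_DEPT',
    function_schema => 'HR_APP',
    policy_function => 'EMP_SALARY_RLS',
    statement_types => 'SELECT');
END;
/

-- 4. Check from a BIP_REPORT session (SQL*Plus or SQLcl syntax).
SELECT COUNT(*) FROM hr_app.emp_salary;      -- no identifier set: 0 rows
EXEC DBMS_SESSION.SET_IDENTIFIER('alice')    -- constructed sample user
SELECT COUNT(*) FROM hr_app.emp_salary;      -- only alice's departments
```

Accounts holding the `EXEMPT ACCESS POLICY` privilege, and `SYS`, bypass VPD policies, so the reporting account must not be granted it.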