Categories
- All Categories
- 75 Oracle Analytics News
- 7 Oracle Analytics Videos
- 14K Oracle Analytics Forums
- 5.2K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 40 Oracle Analytics Trainings
- 60 Oracle Analytics Data Visualizations
- 2 Oracle Analytics Data Visualizations Challenge
- 3 Oracle Analytics Career
- 4 Oracle Analytics Industry
- Find Partners
- For Partners
Security on reporting OTBI
Good morning,
I hope this message finds you well.
I would like to kindly ask if it’s possible to assign a user the BI Author role only for a specific group of Subject Areas (e.g., Recruiting/ORC), while maintaining the BI Consumer role for others (e.g., Workforce/Core HCM).
Thank you in advance for your help and support!
Best regards
Best Answer
-
Hi, That is already how it is setup out of the box. Role BI Consumer does not have access to any subject areas. Role BI Author does not have access to any subject areas. If you create a custom role just with either of these roles you do not get access to any subject areas to execute a query.
The subject areas that are displayed, by default as BI Author, in the list of values when you select create analysis or dashboard prompt, is managed by your BI Administrator using page Manage Privileges /analytics/saw.dll?PrivilegeAdmin. But that does not give you permission to query that subject area without the system throwing a database connection error. It just shows or hides that subject area in that list of values. For example, to hide subject areas for services to which you have not a subscription therefore will never have any data.
To grant "access" to query a subject area without error your user must also be granted one of the out of the box job roles or a custom role that inherit the "transaction analysis" duty role(s) required for each subject area as per the content guide https://docs.oracle.com/en/cloud/saas/otbi/fa-index.html.
Then on top of that you may also need to grant some data access row/column security so you do not get no data found / get null values in sensitive columns. In ERP/SCM most require row level security by grant a security context using task "Manage Data Access for Users" and in HCM most use custom data roles task "Data Roles and Security Profiles" in My Enterprise work area Setup and Maintenance.
0
Answers
-
Thank you for your reply, it has been very useful.
Do you know if it is possible to deny a Subject Area (es "Workforce Management - Worker Assignment Event Real Time") to BI Author Role and let the BI Administrator Role to create analysis on it?
0 -
Hi, It is not possible to deny something that is already denied. So ALL subject areas are already "denied" from BI Author Role. That is "denied" meaning that if you issue sql to query from that subject area, for example by open an analysis, you are denied by the system throwing database connection error.
To understand this concept do a test case. Grant to a user only a custom role, no ootb roles, in that custom role having only bi author role, no function privileges, no data privileges, no other roles. You will get an error when you query any subject area as this user. BI Author Role does not grant access to query any subject areas.
BI Administrator Role must never be used to create any analysis. This is a highly privileged role only for like the 1 person in your organization that may need from time to time to do some configuration like manage privileges or edit themes or grant access to a publisher data source to a role or maybe change folder permissions in the catalog. But your authors who build content must never never ever be granted BI Administrator Role.
As you can see from your subject are user guide https://docs.oracle.com/en/cloud/saas/human-resources/24d/faohb/Workforce-Management--Worker-Assignment-Event-Real-SA-4.html to issue sql to query this subject area without error you need a role that inherits duty role Workforce Transaction Analysis Duty. BI Author Role does not inherit this duty role therefore is already denied access to this subject area.
1