Oracle Analytics and AI

Rashmi Jadhav-Oracle

I'm trying to implement fine-grained role-based access control in Oracle Analytics Cloud (OAC), specifically regarding shared folder permissions. My use case is:

• I have a shared folder where I'm assigning an application role.
• This application role will be granted to OCI IAM groups.
• Within OAC, I want to ensure that members of a given group assigned to the application role (who will have an 'Admin' privilege within that context) have permissions limited solely to managing access and permissions related to their own group.
• Essentially, they should be able to manage permissions within the shared folder, but they should be restricted from viewing or modifying roles and permissions associated with other groups.

Is there a way to configure OAC to achieve this level of granular control, preventing administrators of one group from affecting the permissions of other groups within the same shared folder?

Gianni Ceresa

Hi,

While not sure I got your requirement correctly, it isn't something possible: if a user is allowed to manage permissions on an object in the catalog, you can't limit the security objects it can control the permissions for.

Once a user has access to manage permissions on the catalog folder, they can add or remove any user/group/role from the permissions.

You are requesting an extra level of granularity, allowing to define what security objects (users/groups/roles) can that user "touch", and this isn't an existing feature in the product.

You can post an idea to have such a feature evaluated for implementation.