Users authenticate via three-legged OAuth2 against IDCS:
- BIP already receives and validates their Bearer token
- FND_GLOBAL.USER_NAME correctly resolves the calling user inside the
data model, confirming identity propagation works at the session
metadata level
- However, VPD/MOAC predicates resolve against FUSION_RUNTIME, not
the caller – so all users see identical data regardless of their
Fusion data roles and security profiles
- This forces us to either: (a) build a parallel authorization layer
duplicating Fusion's security model, or (b) accept that any
authenticated user sees all data
Current Behavior:
- OAuth token authenticates the caller (catalog ACLs enforced, audit
trail populated correctly)
- Data model execution session is always FUSION_RUNTIME
- SLVs crash with FND_SESSIONS_U2 unique constraint violated because
VPD can't establish a user session on top of the existing
FUSION_RUNTIME session
- No data model type (PL/SQL or SQL) changes this – the issue is
execution identity, not data model design
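The following is an added example, not code from the original request: a fail-closed guard for a PL/SQL-based data model that refuses to run when the executing session is not carrying the caller's security context, so the failure mode above yields an error instead of FUSION_RUNTIME's unfiltered rows. It assumes FND_GLOBAL.USER_NAME and MO_GLOBAL.IS_MO_INIT_DONE are callable as parameterless functions (the request reports both returning values), and that the real data model query replaces the trailing comment.

```sql
-- Added example (not part of the original request). Assumption: FND_GLOBAL.USER_NAME
-- and MO_GLOBAL.IS_MO_INIT_DONE are callable as shown; the report's own query goes
-- where the trailing comment sits.
DECLARE
  l_db_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER'); -- executing DB identity
  l_fnd_user  VARCHAR2(128) := FND_GLOBAL.USER_NAME;                   -- OAuth caller (metadata level)
  l_moac_init VARCHAR2(1)   := MO_GLOBAL.IS_MO_INIT_DONE;              -- 'Y' only once org grants are initialized
BEGIN
  -- The state described above: caller is known, but the session's MOAC/VPD
  -- context was never initialized, so predicates would resolve for
  -- FUSION_RUNTIME. Fail closed rather than serve every caller the same data.
  IF l_fnd_user IS NULL OR l_moac_init <> 'Y' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Data model executing as ' || l_db_user ||
      ' for caller ' || NVL(l_fnd_user, '<unknown>') ||
      ' without an initialized security context (IS_MO_INIT_DONE=' ||
      NVL(l_moac_init, 'NULL') || '); refusing to run.');
  END IF;
  -- Security context is present: the data model query follows here.
  NULL;
END;
```

The raised error surfaces in the BIP job log with both identities, which also gives an audit signal for the identity gap.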
Requested Behavior:
- A parameter on ExternalReportWSSService (e.g.,
executeAsCallerFlag=true or a SOAP header) that initializes the
calling user's full security context (data roles, security profiles,
org grants) before data model execution
- Same behavior as interactive BIP report execution where the
logged-in user's VPD predicates apply
- When the flag is absent, current behavior preserved (backward
compatible)
Supporting References:
- KB51455 confirms SLVs are designed to filter based on "the security
profiles assigned to the roles of the user who's running the report"
-- the mechanism exists, it just doesn't activate via API
- SR# (include your SR number) documents the technical investigation
- Tested on iaammv-dev3 (26A) – MO_GLOBAL.IS_MO_INIT_DONE returns
'N', INIT_PLSQL_MOAC fails because Fusion middleware org-grant
precomputation isn't available in the BIP session
Impact: