Issue:
In OAS 2025, we have a DV workbook embedded in a Classic Dashboard using the native Visualize mode. Our consumers are assigned the BIConsumer application role only - they do not have DVAuthor or DVContentAuthor privileges.
However, when consumers click the Drill to Attribute/Hierarchy option available on any visualization in the embedded workbook, they are presented with a full list of Subject Area names and columns. They can select any column from this list, and it directly affects the visualization - effectively giving them ad-hoc authoring capability over the workbook from within the dashboard.
This is a governance concern. Even though consumers cannot author, they are exposed to metadata (subject area names, column structures) that should not be visible in a consumer-facing dashboard.
What We Have Tried:
- Confirmed BIConsumer role has no DVAuthor/DVContentAuthor privileges - the auth backstop is in place but does not suppress the chrome
- CSS suppression via a dashboard HTML Text object - fragile, breaks on patch, not a real security control
- Switching to
iframe embed with reportmode = presentation - successfully lets us hide the "Drill to Attribute/Hierarchy" option, but Answers prompt variables (presentation/session vars) are not passed through to the DV workbook. The workbook ignores incoming variable state after initial load.
Any guidance from Oracle product team or community members who have solved this cleanly would be appreciated.
