Oracle Analytics Cloud and Server Idea Lab

Home Oracle Analytics Oracle Analytics Idea Labs Oracle Analytics Cloud and Server Idea Lab

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Authorization should be able for group as well as users and application roles for Catalog

Needs Votes
21
Views
5
Comments
shintaro umezawa
shintaro umezawa Rank 2 - Community Beginner
in Oracle Analytics Cloud and Server Idea Lab

Organization Name

JAPAN AUTOMOBILE FEDERATION

Description

For Oracle Analytics Cloud there is an authorization setting for catalogs, reports, data models and analytics. 

However the authorization could be done only through Users or Application roles. I think it is better from an operation perspective that there should be authorization for groups as well as users and Application roles.

Use Case and Business Need

Using OAC for report creation in a operational level in a big organization, it requires some authorization.

For the authorization it requires as an example three patterns.

1. Administrator authority 2.Authority for creating data models and reports 3. Authority only for executing report jobs.

And if authentification is done through IDCS(Which is done in our company) , it is difficult to manipulate the authorization of catalogs through Users or application roles.

That is because, Users are too many to control and Application roles are too big to control when there are more then 200 members you have to think about.

So, my Idea is to have an authorization of catalogs for Groups as well, to make the management easier.

 

Original Idea Number: 52784298e1

Tagged:
4
Up
4 votes

Needs Votes · Last Updated

Comments

  • Marcelo Finkielsztein
    Marcelo Finkielsztein Rank 6 - Analytics Lead

    Hi.  
    I must be missing something.  
     

    We use IDCS users and IDCS groups to authenticate and authorize.

    Each IDCS group matches an OAC application role.

    Then, OAC privileges and permissions are assigned to application roles, but, for all purposes it is like granting them to IDCS groups.

    Is it not this what you are trying to accomplish?

    With all due respect, 

    Marcelo Finkielsztein 

  • shintaro umezawa
    shintaro umezawa Rank 2 - Community Beginner

    Hello Marcelo

    Thank you for your comment.
    Yes as you mention, with IDCS, authentication and authorization can be done and its good for most of the time.
    However, in our business scenario there is a situation where IDCS authentication and authorization is not enough, let me point them out below

    【Scenario 】When we want to use the same dataflow in few users
    As Dataflow has to be export/import as a .dva file for other users to use, and the user must have a higher privilege then ServiceUser(the IDCS authorization). The user having an privilege of ServiceUser can edit any file in any catalog.
    And that is not acceptable, because in our project there are few teams using OAC and each team does not want to show there work to other team and don't want to give privilege to edit the contents in there folders.

    For that reason we want to make authorization setting in OAC, for users. For example User A in team finance can edit and create dataflow and other contents in finance folder, but User A cannot see and edit files in the folder for Sales team.
    For doing the authorization setting as showing in the example above, we have to do it through the OAC folder privilege setting, but doing it for each user is burden and hard to operate, so we will like to be able to give privilege setting to groups, which will make it easy to operate.

    Shintaro

  • Marcelo Finkielsztein
    Marcelo Finkielsztein Rank 6 - Analytics Lead

    If I am not mistaken, this seems to be another example where DV does not have all the functionality that Classic Home already had.

    in a scenario like the one described by Shintaro, in Classic Home we would have assigned privileges to Subject Areas.  
    Access to Finance Subject Area is different than access to Sales Subject Area.

    Thank you Shintaro for your explanation.

  • Marcelo Finkielsztein
    Marcelo Finkielsztein Rank 6 - Analytics Lead

    I would like to see DV offering all the functionality that Classic Home has.

  • shintaro umezawa
    shintaro umezawa Rank 2 - Community Beginner

    Thank you for your Reply Marcelo

    However, there are few things I didn't understand

    First, Does it mean if DV is exported to Subject Area we will be able to give privilege by groups? 
           Meaning we can manage the privilege for each group of subject area, so some subject areas cannot be accessed by few groups?

    Second, How about other contents such as reports and datamodel? Can they be preserved in Subject Areas? and will they be samelly authorized by groups in Subject area?

    Third, how is data stored in subject area and how can we manage them? Can you provide a document and kindly explain, how data is stored in subject area, what is the capacity and how to create authorization in subject area.

    Best regards
    Shintaro