Let non-admin users modify Agents ( aka schedule iBots) according to their corr — Oracle Analytics

Oracle Analytics Cloud and Server Idea Lab

Home Oracle Analytics Oracle Analytics Idea Labs Oracle Analytics Cloud and Server Idea Lab

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Let non-admin users modify Agents ( aka schedule iBots) according to their corr

Delivered
51
Views
3
Comments
Marcelo Finkielsztein
Marcelo Finkielsztein Rank 6 - Analytics Lead
in Oracle Analytics Cloud and Server Idea Lab

Organization Name

Postmedia Network

Description

Today, in OAC classic, non-administrators can modify ONLY Agents where their profile is the one configured as "Run As specified user".

In our on-premise OBIEE, non-admin users were allowed to modify agents, as long as their permission allow it.  e.g.: if they have ownership on the Agent catalog item, or they have modfy permission on the catalog item, then they can edit it as needed.

This issue provokes extra work for the Admins.

 

Use Case and Business Need

Use cases:   the owner of an agent is Out Of Office.  Another user, who has been granted permissions on the Agent catalog item, would be able to cover for the OOO owner, without requiring assisstance from an admin.

 

More details

Agents have a|Permission" and "Ownership" setup that is sufficient to determine who can or cannot modify them.

Using the "Run As" property as unique criterion is a limitant.  The generic permission approach seems better.

Original Idea Number: 9918ca9a3d

Tagged:
3
3 votes

Delivered · Last Updated

Comments

  • M_Kumaran
    M_Kumaran Rank 5 - Community Champion

    I agree.

  • Marcelo Finkielsztein
    Marcelo Finkielsztein Rank 6 - Analytics Lead

    May i have some feedback from Oracle about this?

    TIA

     

     

  • Adam Bloom-Oracle
    Adam Bloom-Oracle Mod

    If an agent is set to run as a specific user who potentially has access to other sensitive data it would not be good if another user could change the content or recipient list for this agent as that would be a potential permission escalation.  Another user who has access to update the agent can still change that agent content and recipients without having specific admin privileges but they must first change the agent so that it does not ‘run as’ a specific user who may have access to more data than you do. First, change the agent to ‘run as recipient’ in order to change the recipients.  You can then change the agent to ‘run as’ you if that helps.  A user can only change the agent ‘run as a specific user’ if they have the ‘Manage Catalog Accounts’  privilege in the Manage Privileges UI.