Oracle Analytics Cloud and Server Idea Lab


Personalized Data Permissions (PDP)

Planned · 223 Views · 17 Comments

Organization Name

Strategic Account

Description

Problem: Currently users can be added to data sets, projects, and other resources from a high level, but restricting access on a more granular level is difficult, very manual, and not scalable to large organizations. It creates clutter, allowing users to see more than what they need. This is beyond what group or role access can provide.

Solution: We would love to see OAC embrace Entitlement Policies. This allows the filtering of a dataset down to the user for a custom experience at each user's level. This eliminates clutter and provides a scalable option for Data Permissions. In other words, the same Dataset can be sliced into three different displays for three different users. This ensures each user only sees their own data.

Use Case and Business Need

This would allow an enterprise to deploy an OAC environment across a large number of users and ensure proper data privacy practices can stay in place. Logical examples include sales managers viewing their territory, marketing analysts working on their LOB's data, and finance teams working on only the data given to them.

Example

VP             Manager        Analyst
David Wallace  Michael Scott  Dwight Schrute
David Wallace  Michael Scott  Erin Hannon
David Wallace  Jim Halpert    Pam Beesly
David Wallace  Jim Halpert    Creed Bratton

In this scenario you could set three PDP policies for VP level, Manager level, and analyst level {email.value=yourself, direct reports} permissions to view and edit all data under yourself as well as direct reports and their hierarchy. 

1. VP Level: David Wallace would be able to see all data in this case as they all report to him

2. Manager Level: Michael Scott can ONLY see Dwight and Erin's data. And manager Jim can see ONLY Pam and Creed's data. But they CANNOT see data from the other manager.

3. Analyst Level: Dwight Schrute can only see Dwight Schrute's data and cannot see anything else as he has no direct reports.

More details

This is something Domo does very well and would be a great feature to have parity with.

https://developer.domo.com/docs/dataset/create-personalized-data-permissions-pdp

Original Idea Number: 33c4f6b70f

25 votes
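
Added example, not part of the original post and not Oracle or Domo code: the "yourself plus direct reports and their hierarchy" policy from the Example section, written as a row filter over the same org table using Python's built-in sqlite3. The table names (`org`, `sales`), the amounts, and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: (person, manager) pairs taken from the post's table.
ORG = [
    ("David Wallace", None),
    ("Michael Scott", "David Wallace"), ("Jim Halpert", "David Wallace"),
    ("Dwight Schrute", "Michael Scott"), ("Erin Hannon", "Michael Scott"),
    ("Pam Beesly", "Jim Halpert"), ("Creed Bratton", "Jim Halpert"),
]
# Constructed dataset: one row per person, amounts 10, 20, ... in ORG order.
SALES = [(name, 10 * (i + 1)) for i, (name, _) in enumerate(ORG)]

# The policy as a row filter: start from the signed-in user, walk down the
# hierarchy, and join the dataset against that set. UNION (not UNION ALL)
# drops repeats, so a cycle in the org data cannot loop forever.
POLICY_SQL = """
WITH RECURSIVE visible(name) AS (
    SELECT name FROM org WHERE name = :user
    UNION
    SELECT o.name FROM org o JOIN visible v ON o.manager = v.name
)
SELECT s.owner, s.amount
FROM sales s JOIN visible v ON s.owner = v.name
ORDER BY s.amount
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE org (name TEXT PRIMARY KEY, manager TEXT)")
    db.execute("CREATE TABLE sales (owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO org VALUES (?, ?)", ORG)
    db.executemany("INSERT INTO sales VALUES (?, ?)", SALES)
    return db

def rows_for(db, user):
    """Rows visible to `user`. `user` must come from the authenticated
    session, never from a request parameter. Unknown users match no seed
    row, so they get an empty result (deny by default)."""
    return db.execute(POLICY_SQL, {"user": user}).fetchall()

def visible_owners(db, user):
    return {owner for owner, _ in rows_for(db, user)}

if __name__ == "__main__":
    db = build_db()
    for who in ("David Wallace", "Michael Scott", "Dwight Schrute", "Toby"):
        print(who, "->", sorted(visible_owners(db, who)))
```
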

Planned · Last Updated

This idea is now being considered for a future release. It may not be at the user grain initially, it may be based on Roles.


Comments

  • Joshua C. Stewart Rank 5 - Community Champion

    I agree this entitlement based data level access would be extremely helpful from a security configuration standpoint. The current process for creating data level security is very manual and difficult to scale.

  • AnkitR Gupta Rank 4 - Community Specialist

    We have got a similar request from our business users asking for more detailed object and data level security, for OAC and OAS installations.

  • Nick_CloudEngineer-Oracle Rank 4 - Community Specialist

    Absolutely. This would further enable platform security, eliminate unrelated clutter, and help scale adoption. Would a native OAC feature like PDP above solve your particular situation?

  • Nick_CloudEngineer-Oracle Rank 4 - Community Specialist

    How do you currently control access to your data model? 

  • User_PY43O Rank 1 - Community Starter

    Currently working with Verizon, who need to have granular aspects of a dataset shared and available. This would allow OAC to be configured per company policy and request.

  • Sankar Bala-Oracle Rank 1 - Community Starter

    Data level group security is a great option to have. It also helps from a performance standpoint to leverage the group level caching.

  • Nick_CloudEngineer-Oracle Rank 4 - Community Specialist

    Thanks Rob!

  • Michal Zima Rank 7 - Analytics Coach

    To have the "row level security" concept implemented (similar to the one I can set up in the semantic model = RPD) also in the "self-service" world, that is, when designing data sets, is definitely a necessity, allowing Data Visualization to be used for real enterprise deployment/usage.

  • Nick_CloudEngineer-Oracle Rank 4 - Community Specialist

    Great point Michal - Yes, RPD can utilize session variables and initialization blocks to, for example, pass through a user's email address as a parameter so the dashboard data will be filtered on each user's email address and respective access. This is what my colleague informs me. This seems a little bit more complicated even for the self-service aspects. However, this should be more of a native feature and easier to digest, monitor, and deploy.

  • Angel Shipp Rank 6 - Analytics Lead

    Yes. We (Verizon) definitely need this functionality especially when dealing with many levels of security pertaining to Data and Users.