Oracle Analytics Cloud and Server Idea Lab

Allow Impersonate feature on OAC

Declined

Comments

  • Thanks for your feedback Gabby.

    About the "without credentials" point ...
    Ideally, an administrator would log on with her/his own credentials, and only then, once authenticated, would activate the functionality "impersonate x".
    This way, the app should be able to log who the user was and who the impersonated user was.

    I agree that there is a security concern in letting admins "act as" out of control; but if every action gets logged properly, then the Security Officer should be able to review all actions taken by administrators while impersonating other users.

    • Maybe the app could send special e-mails to Security Officers when an impersonation is about to occur?
    • Maybe impersonation can require TWO admins logging on concurrently, to be allowed to happen? (a.k.a. "two-person rule")

    HTH, Thanks,
    Marcelo Finkielsztein

     

  • User_7CMER, Rank 3 - Community Apprentice

    It is very much needed to be able to look at a report the way the user sees it.

  • gmigotto, Rank 4 - Community Specialist

    Would be very useful.
    We actually have to do that by creating one test user for every role, but when the role structure gets more complex, it becomes cumbersome.

  • As some of you described, doing ActAs responsibly is not the same feature that exists in OBIEE and a completely new system will need to be developed in order to allow it. Even with your suggestions, it will still not pass any security review because it is a high level of access with auditing but no gate.

    Regardless, providing the ability to admins of cloud systems to impersonate different users should not be a feature of a specific service but a feature of the identity management system. As such, we definitely raised it to the OCI IDM team and they acknowledged that it will be reviewed and possibly prioritized - we will not implement such capability as an OAC feature bypassing the overall security system of the cloud platform.

  • User_7CMER, Rank 3 - Community Apprentice

    Maybe then give an option to impersonate a role, not a user?