This is an issue for American Express Global HCM implementation as well and it is viewed as a serious security risk that may result in data breaches. Currently anyone with access to a report can schedule it to be delivered to their personal home address. Some reports have sensitive information and forwarding them to personal emails is a risk.

We had to implement a workaround to Audit the scheduled reports that have delivery method of Email and catch any that were submitted to addresses outside company. This workaround however only works for BI Publisher reports. There is no such information available for OTBI reports at the moment.

Our organization views this as a serious security issue.

Our suggested solution would be to add a place under the Admin page that we can specify what domains are acceptable for report and analysis delivery. Similar feature is available for email contents. You can restrict contents from which domains can be used in emails but you cannot currently restrict what domains can be used for report delivery.

Please note in 20A Oracle is adding a feature to restrict who can schedule emails. This was suggested to us as a solution but it does not resolve this issue. As the problem is not who can schedule reports but it is rather what emails can be set as delivery method for reports.

Related Oracle SR:

https://support.oracle.com/epmos/faces/SrDetail?_adf.ctrl-state=916qhzprw_72&srDetailRelativeDateParam=null&queryModeName=Technical&srNumber=3-21883305951&needSrDetailRefresh=true&_afrLoop=375350879669619

As there is option available to restrict BIP reports delivery, there should be an option for OTBI restriction as well. Also, once this option is set, all the BIP reports are blocked (Even the customer facing AR Invoices). There should be an option to choose which ones need to be restricted and which ones should not be.