Mapping Licensed and Unlicensed Groups in IDCS

D.Angle · Jun 14, 2024 6:25PM

We have been leveraging group to group mappings in Fusion ERP Analytics when the switch was made from managing security in the FAW security console to IDCS.

We received a confirmation that this functionality is still supported but have not been able to figure out where in IDCS group to group mappings are managed.

Has anyone else had this issue and been able to implement the same in IDCS?

This is an image of what the mapping looks like in the security console

Licensed Group FAW Functional Administrator was mapped to custom groups called IVZ FAW FDAC Power User and IVZ FAW FDAC Administrator

Looking at the licensed group FAW Functional Administrator in IDCS, there doesn't seem to be any way to map the group to another group

Thanks!

Duane

Sumanth V -Oracle · Jun 20, 2024 1:40PM

@User_9STVF - The flow of security management is as follows: Users are assigned to Groups, which in turn are assigned to Application Roles. These Application Roles or Groups can then be used to handle further authorization aspects as required. Your understanding of this process is correct.

Sumanth V -Oracle · Jun 17, 2024 1:22PM

@User_9STVF - This seems to be same query as in the below thread created by you.

Linking Out of the Box Security Groups with Custom Security Groups

D.Angle

Jun 6, 2024

We have created custom groups in Fusion Analytics, and mapped those groups to Out of the Box Groups (i.e. FAW Functional Administrator).
We are finding that this approach is not effective -
We create a custom group - "Custom Admins"
We put a user in the "Custom Admins" group
We map "Custom Admins" to application roles
this works well - the user benefits from the application roles mapped to "Custom Admins"
We map the out of the box group FAW Functional Administrator to the "Custom Admins" group
this is not effective - the user does not benefit from this group to group relationship
instead we have to put the user into the FAW Functional Administrator group directly (which we'd like to avoid)
Ideally when we set up a user, we'd like to just be able to put them into the "Custom Admins" group and be done.
The way the security is working, we need to put the user into the Custom Admins group and the FAW Functional Administrator group
Not that this is horribly difficult, but it isn't clear why there is an option to "link" or "map" out of the box groups to custom groups if there is no net yield from doing so.
Has anyone else run into this issue - trying to have only one custom group that maps to the required out of the box groups and application roles for that role?

In the current scenario or with the latest security features provided in the newest version, do you experience any difficulties compared to the previous versions? If yes, please share a specific business scenario, and we will assist you in achieving the same. Thank you.

D.Angle · Jun 17, 2024 2:13PM

Hi Sumanth - thanks for the response and inquiry.

The original question you referenced - the goal was to confirm that the capability to map unlicensed groups to licensed groups was still supported - and the thread did confirm that the capability is still supported.

Based on that response - we have attempted to map groups together in IDCS.

This question is - how do you do it? We have not been able to find any documentation with instructions and haven't been able to figure it out intuitively in IDCS.

Regarding your request for a business scenario - here is an example.

We would like to configure a group of people to be "developers" who can perform

Dashboard Development
Data Validations
Data Augmentation development
Semantic Model Development (non-security)

Rather than configuring these developers individually each time a developer is onboarded, we would like to create a custom group called "IVZ Developers".

When someone is added to the IVZ Developers group - they should inherit the following licensed roles

FAW ERP Licensed Author (Dashboard development)
FAW Functional Administrator (Data Augmentation development and data validation)
FAW Modeler (semantic model development - non-security)

In this way - we will simplify user setup and also assure that everyone who is supposed to be an IVZ Developer is configured the same because their rights are inherited from that group rather than being assigned manually.

This is how we had configured security via the FAW security console originally using group to group mappings. We are just not able to figure out how to do the same things via IDCS - where the security management functionality has moved.

Hope that helps.

D.Angle · Jun 20, 2024 1:34PM

Adding a bit of additional information.

Our security console has been updated - and it appears that there are some differences that I was not aware of.

My recollection is that on the previous version, FAW Functional Administrator was a group, but not an application role - so there was this ability to link a licensed group to an unlicensed group.

It looks like - as part of this security change - there is an FAW Functional Administrator application group - so the group to group mappings are no longer needed as the functionality previously provided through the FAW Functional Administrator group can be provided through the FAW Functional Administrator application role.

Can you confirm that my understanding is correct?

D.Angle · Jun 20, 2024 1:43PM

Thanks for confirming, Sumanth. In my view at least - this is a better/more intuitive approach than mapping groups together. We will test/confirm this approach.

D.Angle · Jul 23, 2024 2:26PM

Hi Sumanth - where a "specific business scenario" is concerned -

We want to have a custom group of developers.

This group have the following capabilities

Data Validation
Data Configuration
Semantic Development
Data Augmentation Development
Dashboard Development

We do not want to have to manually assign all of these roles each time someone is onboarded, so we want to create a custom group called "IVZ Developers".

When someone is added to the IVZ Developers role, they should also inherit the following licensed roles

FAW ERP Licensed Author (for dashboard development)
FAW Modeler (for semantic development)
FAW Functional Administrator (for data augmentation and data validation)

When we review users and we see they are included in the "IVZ Developers" group, we know what their configuration is and we know that everyone who is in that role is configured the same because those rights are inherited through the group and not assigned manually to each person.

This is how we had configured security through the FAW Security console via group to group mappings and we can't figure out how to configure the same through IDCS (where the security management functionality has moved).

Hope that example helps.

Oracle Fusion ERP Analytics

Welcome!

Quick Links

Categories

Mapping Licensed and Unlicensed Groups in IDCS

Welcome!

Best Answer

Answers

Linking Out of the Box Security Groups with Custom Security Groups

Welcome!