My understanding of how the data validations run is as follows * The validation is run against the FAW ADW database (via FAW reporting layer) * The validation is run against the ERP (via OTBI reporting layer) * The results are compared and reported back My question is around what account is used security-wise. When we set up FAW Data validation, a custom account is created with impersonation rights - but my question is who is that account impersonating. * For non-scheduled validations, it seem to be using the security of the person running the validation in FAW (both on FAW and OTBI) * What about scheduled validations? Do these run as the person who scheduled the validation (both in FAW and OTBI)? FAW allows you to use the functional administrator role to bypass most data access constraints, but we're trying to understand what user is being used on OTBI to see if there is a similar role that can be used to avoid data access errors. Thanks!

Oracle Communities

Oracle Analytics and AI

Child Item

FAW ERP Data Validation - User Accounts/Security

D.Angle

My understanding of how the data validations run is as follows

The validation is run against the FAW ADW database (via FAW reporting layer)
The validation is run against the ERP (via OTBI reporting layer)
The results are compared and reported back

My question is around what account is used security-wise.

When we set up FAW Data validation, a custom account is created with impersonation rights - but my question is who is that account impersonating.

For non-scheduled validations, it seem to be using the security of the person running the validation in FAW (both on FAW and OTBI)
What about scheduled validations? Do these run as the person who scheduled the validation (both in FAW and OTBI)?

FAW allows you to use the functional administrator role to bypass most data access constraints, but we're trying to understand what user is being used on OTBI to see if there is a similar role that can be used to avoid data access errors.

Thanks!

Find more posts tagged with

Security

FDI

Fusion ERP Analytics

Accepted answers

JohnW-Oracle

Hi @Indra Sardana-Oracle,

The environment, including setting up accounts, should be fully thought out prior to starting the provisioning process. Ideally, you would go with option #1 documented here https://docs.oracle.com/en/cloud/saas/analytics/24r2/fawag/set-user-access-oracle-fusion-data-intelligence-using-single-sign.html#GUID-4B27DAF6-CA3B-4E7A-97B9-9CFC18749722 and Set Up User Access to Oracle Fusion Data Intelligence Using Single Sign-On. This would allow you to synchronize users and groups in Oracle Fusion Cloud Applications with the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance. Then Federate the Oracle Identity Cloud Service instance specified in the Identity Cloud account associated with your Oracle Fusion Cloud Applications instance to the Oracle Cloud Infrastructure tenancy where Fusion Data Intelligence is provisioned. Keeping these users and groups in sync will prevent you from having to address some of the role granting issues you have mentioned. Also, comparing FAW/FDI and OTBI is one part of data validation but it's not everything.

Regards,

John

All comments

FAW_User-Oracle

Please review below documentation which explains which user is used and the roles required.

https://docs.oracle.com/en/cloud/saas/analytics/24r2/fawag/validate-oracle-fusion-data-intelligence-data.html

Indra Sardana-Oracle

For non-scheduled validations, it seem to be using the security of the person running the validation in FAW (both on FAW and OTBI) : Correct for non-scheduled validations, it use the security of the person running the validation in FAW

What about scheduled validations? Do these run as the person who scheduled the validation (both in FAW and OTBI)?: For scheduled validations, it use the security of the person who scheduled it.

D.Angle

Thanks for confirming, Indra.

Do you know - if there is a role on the OTBI side - that provides somewhat of a "global" access data-wise, similar to the Functional Administrator role on the FAW side.

JohnW-Oracle

Hi @User_9STVF

Each offering in the FA (OTBI) source like ERP (Financials) has the equivalent of an 'Application Administrator' role. For details See: https://docs.oracle.com/en/cloud/saas/financials/24b/oafrm/Financial_Application_Administrator_job_roles.html#Financial_Application_Administrator_job_roles

If you have a chance, review this Youtube video regarding Data Validation for additional details:

https://youtu.be/WrduV2Uw9z0

If you find this reply to your question useful, others might as well. By clicking the “Yes” button for “Did this answer the question?” below, you’ll be able to help the community members who might have a similar concern find the answer easier.

Regards,

John

Indra Sardana-Oracle

Do you know - if there is a role on the OTBI side - that provides somewhat of a "global" access data-wise, similar to the Functional Administrator role on the FAW side. : Fusion end custom role can be created which will inherit all the required permission for all OTBI subject area as far i know by default no role exist.

Indra Sardana-Oracle

If we can set up an account with Functional Administrator on the FAW side and whatever role is required on the OTBI side, we would be able to run the scheduled validations without concern about running into false alarms due to security restrictions on one side or the other. : NO you need to have role on the other side that is to OTBI to have access to all subject area's having Functional Administrator on the FAW side only won't suffice the purpose.

JohnW-Oracle

Hi @Indra Sardana-Oracle,

Regards,

John

Aubrey_K

Hi, I have the above access provision to my account, I'm also a Identity domain administrator and a security administrator.

Even with all this access, when I log into FAW I am missing the application administration area that has the data validation area as pictured below in Oracles documentation .

Can someone please help me understand what access I could possible be missing?