Is it possible to restrict BI report developer access to specific database objects?

User_PCJLR · Jul 20, 2023 2:42PM

Our requirement is to make sure BI report developers adhere to the policy of using Fusion SLVs (secured list views) where possible in data models of the custom BI Publisher reports they are tasked with building.

Currently nothing stops developers from incorporating HCM production tables into data model queries and expose sensitive HR information to end users who are not supposed to have access to it.

We're talking about an out of the box BI Publisher that is bundled with Fusion ERP SaaS.

Would Oracle Analytics Cloud (OAC) offer a more granular access to data capabilities? It does allow to define datasets. Would dataset be a collection of "whitelisted" database objects that can be accessed, i.e. offer the level of granularity that we need?

Lastly, would it be possible to build datasets against Fusion SaaS tables, if OAC is deployed in Oracle Cloud Infrastructure tenancy while Fusion ERP is in a different cloud?

Thanks

EzequielC-Oracle · Jul 20, 2023 5:39PM

Hello,

You can use Role-Based Filters. Dataset owners apply filters based on Oracle Analytics application roles that allow users to see data that's applicable to their application roles:

https://docs.oracle.com/en/cloud/paas/analytics-cloud/acubi/apply-different-filter-types.html#GUID-25F17720-B52E-4744-83ED-F579DFF80B59

You can use the Oracle Applications connector in DV to connect to Fusion. If Fusion instance is on private endpoint then you will need to use Remote Data Gateway (RDG). Look at:

https://docs.oracle.com/en/cloud/paas/analytics-cloud/acsds/supported-data-sources.html#GUID-3702ABF9-F3D3-4924-B4F8-3A436349DF9E

Here are the Fusion modules that you can connect to and the steps to use the Oracle Applications connector in DV:

https://docs.oracle.com/en/cloud/paas/analytics-cloud/acsds/oracle-applications-connector.html#GUID-B39E3256-0143-45F7-9D13-D92DFBBAE14D

https://docs.oracle.com/en/cloud/paas/analytics-cloud/acsds/connect-oracle-fusion-cloud-applications-suite.html#GUID-FDC9B8BD-4CC4-4AA2-8C02-1078E4FA32A2

Regards,

Ezequiel.

User_PCJLR · Jul 20, 2023 8:51PM

Great! Thanks

We'll explore OAC further, since we do have a subscription for OAC in OCI.

One last question:

Our Fusion ERP SaaS offering comes with a cloud OBIEE (BI publisher). Just to confirm, the datasets feature you were referring to does not exist in that cloud OBIEE, meaning a developer with BI role has access to the entire Fusion database - all schemas, tables, views etc.

So, if a DEV environment has real PROD data in it, that means the developer would be able to query and view sensitive information?

In case of OAC, we should be able to create datasets specific to developer profile? Some of these developers are supposed to develop only Financials reports and analyses, hence they are not supposed to access HCM schema, for example.

Is our understanding of OAC datasets functionality correct, in a way that it allows to give granular access to database objects?

Thanks

BeachDreamer · Jul 24, 2024 3:21PM

Did you ever figure out a way to limit BI Publisher access to certain tables?

Simon Ng · Nov 15, 2024 12:52AM

A couple of posts on Ideas Lab to no avail.

Data Source Access across Oracle Pillars (HCM and FIN) - BI Admin

Restrict BIP access (table access) for person, sensitive data

Doc ID 2819026.1, "…it is not possible to restrict BI Publisher Data Models to specific tables."

MFA for Oracle Community

Oracle Analytics Cloud and Server

Categories

Is it possible to restrict BI report developer access to specific database objects?

Best Answer

Answers