Object level security is not working in OAC DV as every user is DV consumer by default
 
Dear Experts,
I need assistance with implementing object-level security in Oracle Analytics Cloud (OAC) Data Visualization (DV). We have users added to different Active Directory (AD) groups, and these AD groups have been assigned application roles. Our goal is to restrict access to DV objects based on this framework.
However, we are facing an issue where every user is seeing all DV objects. This seems to be because all application roles have the DV consumer role by default, which overrides the groups and application roles, allowing users to see all objects. This is fundamentally incorrect for our security requirements.
We have raised a Service Request (SR) with Oracle, but the response indicated that currently, all users would see all DV objects, with no restrictions.
Could you please provide guidance on how to properly implement object-level security in OAC DV under these circumstances? Any insights or workarounds would be greatly appreciated.
Thank you!
Answers
- 
Hi Ajinkya,
 The Consumers are able to see the objects on the home page; however, they will only have access if granted.
 There are some planned enhancements on this topic.
 Please see:
 https://community.oracle.com/products/oracleanalytics/discussion/10211/ability-to-restrict-icons-in-main-home-page-of-oas?utm_source=community-search&utm_medium=organic-search&utm_term=home+page
 Also, this one may be interesting to you/your organization.
 https://community.oracle.com/products/oracleanalytics/discussion/25816/new-oracle-analytics-homepage-similar-to-the-oracle-cloud-console#latest
 You can comment and up-vote.
- 
Thank you for the clarification. However, this remains a critical security concern for our organization.

The core issue: Users can see ALL DV objects in the catalog regardless of their application roles, because every role inherits DV Consumer permissions by default and these cannot be removed.

Business Impact Example: Our CEO Dashboard containing sensitive financial data is currently visible to all managers and directors in the catalog, even though they cannot access it. This violates our data governance policies and creates compliance risks.

Request:
- What is the specific timeline for the planned enhancements mentioned?
- Does Oracle have an official interim workaround for organizations requiring strict object-level visibility controls?
- Can this be escalated as a security concern rather than a feature request?

This limitation makes OAC DV unsuitable for enterprise deployments with confidential content. We need either a solution or an official acknowledgment of this security gap for our risk assessment documentation.
- 
All users do not get DV Consumer by default. This could happen if you have assigned the ServiceViewer Role in IDCS > Cloud Service Application to a default IDCS/AD group that all users belong to. Or, if you restored a snapshot from on-prem, there is a possibility AuthenticatedUser is a member of DV Consumer. If yes, you can check on the OAC Console > Users and Roles page and see if you can delete the AuthenticatedUser Role membership from DV Consumer and retest.
- 
Thank you for the detailed response. We are using OAC DV exclusively (no classic version) with AD groups configured through IDCS.

I will check the following and report back:
- IDCS ServiceViewer Role: Verify if ServiceViewer role is assigned to our default AD groups in IDCS Cloud Service Applications
- AuthenticatedUser Membership: Check OAC Console > Users and Roles to see if AuthenticatedUser is a member of DV Consumer role

Questions for clarification:
- Should we avoid assigning ServiceViewer role to broad AD groups entirely?
- What is the recommended approach for granting appropriate DV access to AD groups without creating the "all users see all objects" issue?
- Are there other roles/permissions that might inadvertently grant broad DV Consumer access?

I'll test the suggested changes and update you with the results. Thank you for pointing us toward the specific configuration areas to investigate.
- 
Hi, you can assign ServiceViewer IDCS Role membership to Groups. However, just make sure that this AD Group is not something that is granted to all users. You may want to create a group specific for OAC consumer access and assign users who wish to use OAC to this group and then assign the group to ServiceViewer Role. You could also not do this assignment in IDCS, instead manage the Application Role membership via OAC Console > Users and Roles tab. Here you can assign Groups to different OOTB Application Roles and this is the place where you can manage custom application roles as well.

Thanks,
Gayathri
- 
Thank you for your assistance with our previous queries. We need detailed step-by-step guidance on implementing proper object-level security in our OAC environment.

Our Current Environment:
- Oracle Analytics Cloud (OAC) with Data Visualization (DV)
- Backend: Oracle Essbase (data security managed at Essbase level)
- Identity Management: Oracle Identity Cloud Service (IDCS)
- Authentication: Active Directory (AD) groups synced with IDCS
- Issue: All users can see all DV workbooks despite having different AD group memberships and application role assignments

Specific Assistance Required:

1. DV Consumer Role Removal: Could you please help us with step-by-step instructions for:
- How to safely remove the DV Consumer role from existing application roles in IDCS without breaking user functionality?
- What are the prerequisite checks we should perform before removing this role?
- Are there any dependencies or warnings we should be aware of?
- What is the rollback procedure if we encounter issues?

2. Object-Level Security Implementation with IDCS: We need detailed guidance on:
- The correct method to implement workbook-level access control using AD groups through IDCS
- Step-by-step process to assign specific DV workbooks/projects to AD groups without using the DV Consumer role
- How to configure IDCS application roles for granular DV object access
- Best practices for mapping AD groups → IDCS roles → OAC DV object permissions

3. IDCS Configuration Steps: Since we're using IDCS as our identity provider, please help us with:
- Specific IDCS console navigation steps for role management
- How to create custom application roles in IDCS for OAC DV access
- Proper way to assign AD groups to these custom roles
- How to verify the configuration is working correctly
- 
Hi, there is no concept of assigning IDCS Roles to OAC DV permissions directly. You always assign OAC Application roles to DV object permissions. For out-of-the-box IDCS Roles such as ServiceViewer, ServiceUser, ServiceAdministrator, there is an implicit behind-the-scenes mapping to DVConsumer, DVAuthor and BIServiceAdministrator. So a user, when mapped to these IDCS Roles, automatically gets the OAC app roles assigned. You then assign OAC app roles to object permissions. Without looking at your current app role setup in detail I will not be able to provide suggestions. It's best you create an SR with Oracle Support so we can Zoom to review your setup and advise accordingly.

Thanks,
Gayathri
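The membership checks suggested in this thread, as an added example that is not part of any post and not Oracle tooling: it resolves which users reach DVConsumer through the implicit ServiceViewer mapping, an AuthenticatedUser membership, or a nested application role, and lists the grants that cover every user. The users, AD groups, the ExecDashboards role and all assignments are constructed sample data typed in by hand; nothing here calls an OAC or IDCS API.

```python
# Implicit IDCS role -> OAC application role mapping, as described in the thread.
IMPLICIT_MAP = {"ServiceViewer": "DVConsumer", "ServiceUser": "DVAuthor",
                "ServiceAdministrator": "BIServiceAdministrator"}
EVERYONE = "AuthenticatedUser"  # a membership of this principal covers all users

def grant_paths(target, idcs_grants, app_role_members):
    """Map each group (or AuthenticatedUser) that reaches `target` to its path."""
    paths, queue, seen = {}, [(target, target)], {target}
    while queue:
        role, path = queue.pop(0)
        # Groups holding an IDCS role that implicitly maps to this app role.
        for idcs_role, mapped in IMPLICIT_MAP.items():
            if mapped == role:
                for group in idcs_grants.get(idcs_role, ()):
                    paths.setdefault(group, f"{group} -> IDCS {idcs_role} -> {path}")
        for member in sorted(app_role_members.get(role, ())):
            if member in app_role_members or member in IMPLICIT_MAP.values():
                if member not in seen:  # nested application role: keep walking
                    seen.add(member)
                    queue.append((member, f"{member} -> {path}"))
            else:
                paths.setdefault(member, f"{member} -> {path}")
    return paths

def audit(users, idcs_grants, app_role_members, target="DVConsumer"):
    """Return (user -> grant paths, grant paths that cover every user)."""
    per_user, broad = {u: [] for u in users}, []
    paths = grant_paths(target, idcs_grants, app_role_members)
    for principal, path in sorted(paths.items()):
        hit = [u for u, groups in users.items()
               if principal == EVERYONE or principal in groups]
        for u in hit:
            per_user[u].append(path)
        if len(hit) == len(users):
            broad.append(path)
    return per_user, broad

# Constructed sample data: user -> AD groups, IDCS role grants, app role members.
USERS = {"ceo": {"AD_AllStaff", "AD_Executives"},
         "manager1": {"AD_AllStaff", "AD_Managers"},
         "analyst1": {"AD_AllStaff", "AD_OAC_Consumers"}}
IDCS_GRANTS = {"ServiceViewer": {"AD_AllStaff"}}            # too broad
APP_ROLE_MEMBERS = {"DVConsumer": {EVERYONE, "ExecDashboards"},
                    "ExecDashboards": {"AD_Executives"}}    # hypothetical custom role
IDCS_GRANTS_FIXED = {"ServiceViewer": {"AD_OAC_Consumers"}}  # dedicated group
APP_ROLE_MEMBERS_FIXED = {"DVConsumer": {"ExecDashboards"},
                          "ExecDashboards": {"AD_Executives"}}

if __name__ == "__main__":
    for label, grants, members in (("before", IDCS_GRANTS, APP_ROLE_MEMBERS),
                                   ("after", IDCS_GRANTS_FIXED, APP_ROLE_MEMBERS_FIXED)):
        per_user, broad = audit(USERS, grants, members)
        print(label, "broad grants:", broad, "manager1:", per_user["manager1"])
```
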

