nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Oracle Communities

Oracle Analytics and AI

Child Item

Object level security is not working in OAC DV as every user is DV consumer by default

Ajinkya Vyawahare

Dear Experts,

I need assistance with implementing object-level security in Oracle Analytics Cloud (OAC) Data Visualization (DV). We have users added to different Active Directory (AD) groups, and these AD groups have been assigned application roles. Our goal is to restrict access to DV objects based on this framework.

However, we are facing an issue where every user is seeing all DV objects. This seems to be because all application roles have the DV consumer role by default, which overrides the groups and application roles, allowing users to see all objects. This is fundamentally incorrect for our security requirements.

We have raised a Service Request (SR) with Oracle, but the response indicated that currently, all users would see all DV objects, with no restrictions.

Could you please provide guidance on how to properly implement object-level security in OAC DV under these circumstances? Any insights or workarounds would be greatly appreciated.

Thank you!

Find more posts tagged with

Security

Analysis and Data Visualization

OAC

#OracleAnalytics

Accepted answers

All comments

Steve F-2

Hi Ajinkya,

The Consumers are able to see the objects on the home page; however, they will only have access if granted.

There are some planned enhancements on this topic.

Please see:

https://community.oracle.com/products/oracleanalytics/discussion/10211/ability-to-restrict-icons-in-main-home-page-of-oas?utm_source=community-search&utm_medium=organic-search&utm_term=home+page

Also, this one may be interesting to you/your organization.

https://community.oracle.com/products/oracleanalytics/discussion/25816/new-oracle-analytics-homepage-similar-to-the-oracle-cloud-console#latest

You can comment and up-vote.

Ajinkya Vyawahare

Thank you for the clarification. However, this remains a critical security concern for our organization.

The core issue: Users can see ALL DV objects in the catalog regardless of their application roles, because every role inherits DV Consumer permissions by default and these cannot be removed.

Business Impact Example: Our CEO Dashboard containing sensitive financial data is currently visible to all managers and directors in the catalog, even though they cannot access it. This violates our data governance policies and creates compliance risks.

Request:

What is the specific timeline for the planned enhancements mentioned?
Does Oracle have an official interim workaround for organizations requiring strict object-level visibility controls?
Can this be escalated as a security concern rather than a feature request?

This limitation makes OAC DV unsuitable for enterprise deployments with confidential content. We need either a solution or an official acknowledgment of this security gap for our risk assessment documentation

GayathriAnand-Oracle

All users do not get DV Consumer by default. This could happen if you have assigned ServieViewer Role in IDCS > Cloud Service Application to a default IDCS/AD group that all users belong to.

Or if you restored snapshot from onprem, there is a possibility AuthenticatedUser is a member of DV Consumer. If yes you can check on OAC Console > Users and Roles page and see if you can delete AuthenticatedUser Role membership from DV Consumer and retest.

Ajinkya Vyawahare

Hi @GayathriAnand-Oracle ,

Thank you for the detailed response.

We are using OAC DV exclusively (no classic version) with AD groups configured through IDCS.

I will check the following and report back:

IDCS ServiceViewer Role: Verify if ServiceViewer role is assigned to our default AD groups in IDCS Cloud Service Applications
AuthenticatedUser Membership: Check OAC Console > Users and Roles to see if AuthenticatedUser is a member of DV Consumer role

Questions for clarification:

Should we avoid assigning ServiceViewer role to broad AD groups entirely?
What is the recommended approach for granting appropriate DV access to AD groups without creating the "all users see all objects" issue?
Are there other roles/permissions that might inadvertently grant broad DV Consumer access?

I'll test the suggested changes and update you with the results.

Thank you for pointing us toward the specific configuration areas to investigate.

GayathriAnand-Oracle

You can assign ServiceViewer IDCS Role membership to Groups . However just make sure that this AD Group is not something that is granted to all users. You may want to create a group specific for OAC consumer access and assign users who wish to use OAC to this group and then assign the group to ServiceViewer Role.

You could also not do this assignment in IDCS, instead manage the Application Role membership via OAC Console > USers and Roles tab. Here you can assign Groups to different OOTB Application Roles and this is the place where you can manage custom application roles as well.

thanks

Gayathri

Ajinkya Vyawahare

Hi GayathriAnand-Oracle

Thank you for your assistance with our previous queries. We need detailed step-by-step guidance on implementing proper object-level security in our OAC environment.

Our Current Environment:

Oracle Analytics Cloud (OAC) with Data Visualization (DV)
Backend: Oracle Essbase (data security managed at Essbase level)
Identity Management: Oracle Identity Cloud Service (IDCS)
Authentication: Active Directory (AD) groups synced with IDCS
Issue: All users can see all DV workbooks despite having different AD group memberships and application role assignments

Specific Assistance Required:

1. DV Consumer Role Removal: Could you please help us with step-by-step instructions for:

How to safely remove the DV Consumer role from existing application roles in IDCS without breaking user functionality?
What are the prerequisite checks we should perform before removing this role?
Are there any dependencies or warnings we should be aware of?
What is the rollback procedure if we encounter issues?

2. Object-Level Security Implementation with IDCS: - We need detailed guidance on:

The correct method to implement workbook-level access control using AD groups through IDCS
Step-by-step process to assign specific DV workbooks/projects to AD groups without using the DV Consumer role
How to configure IDCS application roles for granular DV object access
Best practices for mapping AD groups → IDCS roles → OAC DV object permissions

3. IDCS Configuration Steps: - Since we're using IDCS as our identity provider, please help us with:

Specific IDCS console navigation steps for role management
How to create custom application roles in IDCS for OAC DV access
Proper way to assign AD groups to these custom roles
How to verify the configuration is working correctly

GayathriAnand-Oracle

There is no concept of assigning IDCS Roles to OAC DV permissions directly. You always assign OAC Application roles to DV object permissions.

For out of the box IDCS Roles such has ServiceViewer, ServiceUser,ServiceAdministrator, there is a implicit behind the scene mapping to DVConsumer,DVAuthor and BIServiceAdministrator. So a user when mapped to these IDCS Roles automatically gets the oac app roles assigned. You then assign oac app roles to object permissions.

Without looking at your current app role setup in detail i will not be able to provide suggestions. Its best you create a SR with oracle support so we can zoom to review your setup and advise accordingly.

thanks

Gayathri