Documentation on NetSuite Analytics Roles

I am struggling with trying to create a security framework that allows us to have different sets of users, each with differing access to workbooks using the various NetSuite subject areas. A simple example would be to have a set of "Sales" users who can access workbooks using the sales subject area while "Accounting" users can access those and workbooks using the banking subject area.

Out of the box, NSAW includes three Licensed Roles - NAW Service Admin Role, NAW Licensed Authors Role, and NAW Licensed Viewers Role. Our challenge is that the NAW Licensed Viewers Role includes access to all subject areas, and there doesn't appear to be a way to create additional Licensed Roles.

Is there any documentation about security configuration of Oracle Analytics Cloud that is specific to NetSuite Analytics Warehouse implementations?

Thank you,
Scott

Answers

  • Sumanth V -Oracle, Rank 8 - Analytics Strategist

    @SWSearcy - Please try using object-level security to control or restrict access to specific subject areas.

    You can refer to the following documentation for guidance:

    https://docs.oracle.com/en/cloud/saas/netsuite-analytics-warehouse/nsawa/configure-object-permissions.html?source=%3Aow%3Ams%3Apt%3A%3A

    Hope this helps! Thank you.

  • SWSearcy, Rank 4 - Community Specialist

    Thank you @Sumanth V -Oracle. I may be misunderstanding, but it doesn't look like that will help. Here's what I see for the object-level security for the NetSuite - Journal dataset, and it is what is expected.

    image.png

    The problem is that the out-of-the-box NAW Licensed Viewer Role includes the NetSuite Analytics Warehouse Financials Duty permission, so anyone with that role can view workbooks using that dataset. We need a way to indicate that some users have the NetSuite Analytics Warehouse Financials Duty permission while others do not.

  • Do you want to control which Subject Areas users can use or which workbooks users can see and use? These are two different layers of the system.

  • SWSearcy, Rank 4 - Community Specialist

    Thank you @Bret Grinslade - Oracle Analytics-Oracle. At first, our goal is to limit access to specific folders and workbooks within the catalog because most of the initial users will simply be viewers. As we allow users to be authors, we'll also need to control access to datasets.

  • SWSearcy, Rank 4 - Community Specialist

    I looked into this previously, but the challenge is still that every user with the NAW Licensed Viewer Role can access every folder or workbook, either by virtue of the related system role (System Administrator, Author, Consumer) or one of the underlying duty roles. Here's a specific example using the default out-of-the-box folder structure.

    Shared Folders
    NetSuite
    → Service Administrator = Read-Write
    → Consumer = Read-only
    Detailed Dashboards
    → Service Administrator = Read-Write
    → NetSuite Financials Content Duty = Read-Only
    → NetSuite Financials Content Duty = Read-Only
    → NetSuite Financials Content Duty = Read-Only
    → NetSuite Financials Content Duty = Read-Only
    Financials
    → Service Administrator = Read-Write
    → NetSuite Financials Content Duty = Read-Only
    Financials [workbook]
    → Service Administrator = Read-Write
    → NetSuite Financials Content Duty = Read-only

    Since the NSAW Licensed Viewer Role includes the NetSuite Financials Content Duty role, how can the permissions be changed to allow only some users access? I guess the role permission could be removed, and permissions added for specific users, but that feels like a very cumbersome way to go about it. Is there no way to create additional licensed roles, each with a different set of duty roles?

  • SWSearcy, Rank 4 - Community Specialist

    As a follow-up, I created some new application roles and assigned them to folders I created, removing all other NSAW roles from the folders except Service Administrator. That has worked, but does not work for the out-of-the-box folders from NSAW provisioning: Shared Folders > Common and Shared Folders > NetSuite. When I try to make any permission changes to these folders, I receive a "Failed to update permissions" error. I assume that is because these folders are owned by ServiceAdmin.

    How can a set of users be restricted from accessing these folders?

  • SWSearcy, Rank 4 - Community Specialist

    Here's how this was resolved.

    First, all roles other than Consumer were removed from the NAW Licensed User group. Essentially, this changes the purpose of this role from licensing + access control to just licensing. Here's the full list of roles that were removed.

    • NAW_BANKING_CONTENT_DUTY
    • NAW_BANKING_DUTY
    • NAW_CONTENT_EXPLORER_ANALYSIS_CONTENT_DUTY
    • NAW_EMPLOYEE_EXPENSES_CONTENT_DUTY
    • NAW_EMPLOYEE_EXPENSES_DUTY
    • NAW_FINANCIALS_CONTENT_DUTY
    • NAW_FINANCIALS_DUTY
    • NAW_FINANCIALS_OVERVIEW_OAC_CONTENT_DUTY
    • NAW_ORDER_MANAGEMENT_OVERVIEW_OAC_CONTENT_DUTY
    • NAW_PROCUREMENT_OVERVIEW_OAC_CONTENT_DUTY
    • NAW_PURCHASING_CONTENT_DUTY
    • NAW_PURCHASING_DUTY
    • NAW_SALES_CONTENT_DUTY
    • NAW_SALES_DUTY
    • NAW_SALES_CONTENT_DUTY
    • NAW_SALES_SNAPSHOT_CONTENT_DUTY
    • NAW_SALES_SNAPSHOT_DUTY
    • OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY
    • OA4F_CONTENT_EXPLORER_ANALYSIS_DUTY

    As an aside, it was confusing that even though the NAW Licensed Viewers, NAW Licensed Authors, and NAW Service Admin groups have a locked icon next to them with "Oracle ready to use groups cannot be modified or deleted", roles can be removed from them.

    Second, new application roles were created for the various job functions (e.g. Sales, Finance, …).

    Third, new groups were created for the various job functions (e.g. Sales Team, Finance Team, …) and related application roles were assigned to them. For example, Sales, NAW_SALES_DUTY, NAW_SALES_SNAPSHOT_DUTY were assigned to the Sales Team group.

    Fourth, the new groups were assigned to appropriate users.

    After doing this, users in both the Sales Team and NSAW Licensed Viewer groups could no longer access the NetSuite catalog folders, but could access folders we created with access permitted to the Sales Team. These users could no longer access the NetSuite catalog folders because they no longer had any of the application roles in bold above that were previously granted to them through the NetSuite Licensed Viewer group.

    I hope this helps someone else in the future.
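The role layout described in the resolution above, modelled as an added example that is not part of the original post and not Oracle tooling. It computes a user's effective roles through group membership before and after the change and flags a licensing group that still carries duty roles. The user `sales_user`, the folder `Shared Folders/Sales Reports`, and the mapping of "NetSuite Financials Content Duty" to `NAW_FINANCIALS_CONTENT_DUTY` are assumptions.

```python
# Constructed model of the group/role layout described in the post.
# Plain dictionaries only; nothing here calls an Oracle API.
LICENSING_GROUPS = {"NAW Licensed Viewers"}   # groups meant to carry licensing only
LICENSING_ALLOWED = {"Consumer"}              # the one role the post left on them

FOLDER_ACL = {  # folder -> roles granted read access
    # Assumption: "NetSuite Financials Content Duty" is NAW_FINANCIALS_CONTENT_DUTY.
    "Shared Folders/NetSuite/Financials": {"Service Administrator",
                                           "NAW_FINANCIALS_CONTENT_DUTY"},
    # Hypothetical custom folder restricted to the new "Sales" application role.
    "Shared Folders/Sales Reports": {"Service Administrator", "Sales"},
}

# Hypothetical user, before and after being added to the new job-function group.
USER_GROUPS_BEFORE = {"sales_user": {"NAW Licensed Viewers"}}
USER_GROUPS_AFTER = {"sales_user": {"NAW Licensed Viewers", "Sales Team"}}

GROUP_ROLES_BEFORE = {  # subset of the out-of-the-box roles listed in the post
    "NAW Licensed Viewers": {"Consumer", "NAW_FINANCIALS_CONTENT_DUTY",
                             "NAW_FINANCIALS_DUTY", "NAW_SALES_CONTENT_DUTY",
                             "NAW_SALES_DUTY"},
}
GROUP_ROLES_AFTER = {
    "NAW Licensed Viewers": {"Consumer"},
    "Sales Team": {"Sales", "NAW_SALES_DUTY", "NAW_SALES_SNAPSHOT_DUTY"},
}

def effective_roles(user, user_groups, group_roles):
    """Union of the application roles of every group the user belongs to."""
    roles = set()
    for group in user_groups.get(user, ()):
        roles |= group_roles.get(group, set())
    return roles

def can_read(user, folder, user_groups, group_roles):
    """True if any effective role appears in the folder's ACL."""
    granted = FOLDER_ACL.get(folder, set())
    return bool(effective_roles(user, user_groups, group_roles) & granted)

def licensing_drift(group_roles):
    """Licensing groups that still grant anything beyond the allowed roles."""
    drift = {}
    for group in LICENSING_GROUPS:
        extra = group_roles.get(group, set()) - LICENSING_ALLOWED
        if extra:
            drift[group] = sorted(extra)
    return drift
```

Running `licensing_drift` against a periodic export of group-to-role assignments catches the case where a duty role is later re-added to a licensing group and silently restores access for every licensed user.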