Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 14 Oracle Analytics Lounge
- 211 Oracle Analytics News
- 41 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 77 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
Documentation on NetSuite Analytics Roles

I am struggling with trying to create a security framework that allows us to have different sets of users, each with differing access to workbooks using the various NetSuite subject areas. A simple example would be to have a set of "Sales" users who can access workbooks using the sales subject area while "Accounting" users can access those and workbooks using the banking subject area.
Out of the box, NSAW includes three Licensed Roles - NAW Service Admin Role, NAW Licensed Authors Role, and NAW Licensed Viewers Role. Our challenge is that the NAW Licensed Viewers Role includes access to all subject areas, and there doesn't appear to be a way to create additional Licensed Roles.
Is there any documentation about security configuration of Oracle Analytics Cloud that is specific to NetSuite Analytics Warehouse implementations?
Thank you,
Scott
Answers
-
@SWSearcy - Please try using object-level security to control or restrict access to specific subject areas.
You can refer to the following documentation for guidance:
Hope this helps! Thank you.
0 -
Thank you @Sumanth V -Oracle. I may be misunderstanding, but it doesn't look like that will help. Here's what I see for the object-level security for the NetSuite - Journal dataset and is what is expected.
The problem is that the out-of-the-box NAW Licensed Viewer Role includes the NetSuite Analytics Warehouse Financials Duty permission, so anyone with that role can view workbooks using that dataset. We need a way to indicate that some users have the NetSuite Analytics Warehouse Financials Duty permission while others do not.
0 -
Do you want to control which Subject Areas users can use or which workbooks users can see and use? These are two different layers of the system.
0 -
Thank you @Bret Grinslade - Oracle Analytics-Oracle. At first, our goal is to limit access to specific folders and workbooks within the catalog because most of the initial users will simply be viewers. As we allow users to be authors, we'll also need to control access to datasets.
0 -
@SWSearcy - In that case, please use catalog folder and workbook permissions to control and restrict access as needed.
You can refer to the following documentation for detailed guidance:
0 -
I looked into this previously, but the challenge is still that every user with the NAW Licensed Viewer Role can access every folder or workbook, either by virtue of the related system role (System Administrator, Author, Consumer) or one of the underlying duty roles. Here's a specific example using the default out-of-the-box folder structure.
Shared Folders
NetSuite
→ Service Administrator = Read-Write
→ Consumer = Read-only
Detailed Dashboards
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
Financials
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-Only
Financials [workbook]
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-onlySince the NSAW Licensed Viewer Role includes the NetSuite Financials Content Duty role, how can the permissions be changed to allow only some users access? I guess the role permission could be removed, and permissions added for specific users, but that feels like a very cumbersome way to go about it. Is there no way to create additional licensed roles, each with a different set of duty roles?
0 -
As a follow-up, I created some new application roles and assigned them to folders I created, removing all other NSAW roles from the folders except Service Administrator. That has worked, but does not work for the out-of-the-box folders from NSAW provisioning: Shared Folders > Common and Shared Folders > NetSuite. When I try to make any permission changes to these folders, I receive a "Failed to update permissions" error. I assume that is because these folders are owned by ServiceAdmin.
How can a set of users be restricted from accessing these folders?0 -
Here's how this was resolved.
First, all roles other than Consumer were removed from the NAW Licensed User group. Essentially, this changes the purpose of this role from licensing + access control to just licensing. Here's the full list of roles that were removed.- NAW_BANKING_CONTENT_DUTY
- NAW_BANKING_DUTY
NAW_CONTENT_EXPLORER_ANALYSIS_CONTENT_DUTY
NAW_EMPLOYEE_EXPENSES_CONTENT_DUTY- NAW_EMPLOYEE_EXPENSES_DUTY
- NAW_FINANCIALS_CONTENT_DUTY
- NAW_FINANCIALS_DUTY
- NAW_FINANCIALS_OVERVIEW_OAC_CONTENT_DUTY
- NAW_ORDER_MANAGEMENT_OVERVIEW_OAC_CONTENT_DUTY
- NAW_PROCUREMENT_OVERVIEW_OAC_CONTENT_DUTY
- NAW_PURCHASING_CONTENT_DUTY
- NAW_PURCHASING_DUTY
- NAW_SALES_CONTENT_DUTY
- NAW_SALES_DUTY
- NAW_SALES_CONTENT_DUTY
- NAW_SALES_SNAPSHOT_CONTENT_DUTY
- NAW_SALES_SNAPSHOT_DUTY
- OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY
- OA4F_CONTENT_EXPLORER_ANALYSIS_DUTY
As an aside, it was confusing that even though the NAW Licensed Viewers, NAW Licensed Authors, and NAW Service Admin groups have a locked icon next to them with "Oracle ready to use groups cannot be modified or deleted", roles can be removed from them.
Second, new application roles were created for the various job functions (e.g. Sales, Finance, …).
Third, new groups were created for the various job functions (e.g. Sales Team, Finance Team, …) and related application roles were assigned to them. For example, Sales, NAW_SALES_DUTY, NAW_SALES_SNAPSHOT_DUTY were assigned to the Sales Team group.
Fourth, the new groups were assigned to appropriate users.
After doing this, users in both the Sales Team and NSAW Licensed Viewer groups could no longer access the NetSuite catalog folders, but could access folders we created with access permitted to the Sales Team. These users could no longer access the NetSuite catalog folders because they no longer had any of the application roles in bold above that were previously granted to them through the NetSuite Licensed Viewer group.
I hope this helps someone else in the future.
0