Requirement is to restrict business end users to view/run reports only, with no write, edit, delete, copy, move or rename access in BI Catalog (Shared Folders > Custom > ANL > Business Reports > Report).
Approach 1 - Custom Role (Did Not Work):
Created custom role CUSTOM_BI_REPORT_VIEWER inheriting BI Consumer Role. Failed for users with broader roles (e.g. General Accounting Manager, Application Implementation Consultant) as Fusion role permissions are additive and override the restriction.
Approach 2 - Folder Level Restriction (Implemented):
BI Consumer Role set to Custom (Read, Traverse, Run/Schedule Publisher Report, View Publisher Output). Schedule and View Output included as some reports have large data volumes causing query timeouts when run directly. BI Author and BI Administrator changed from Full Control to Open to prevent end users inheriting these roles from overriding the restriction. Specific technical users granted Full Control. Cascade applied to all sub-folders and items. Tested with multiple end users - working as expected.
Questions:
Is folder-level restriction the recommended best practice?
Impact of changing BI Author/Administrator Role to Open at folder level?
Will this restriction persist through quarterly cloud updates?
Note: This is an Oracle Fusion Cloud Applications SaaS environment running version 26B (11.13.26.04.0). The exact cloud version was not available in the product version dropdown, hence 11.1.2.3.0 was selected as available option.