Securing Subject Areas in Oracle Analytics Cloud

Introduction

This post documents how to secure Oracle Business Intelligence Repository Metadata (RPD) subject areas in Oracle Analytics Cloud (OAC). It uses an example of two subject areas: Financials and Projects. The Projects subject area is secured via application roles and presentation services privileges. Only users with the correct role(s) can view the subject area when creating Data Visualization (DV) projects, BI analyses, dashboard prompts, etc.

The following topics are covered:

Setting up Test Users in OAC

Managing Application Roles in OAC

Securing Subject Areas using Presentation Services Privileges

Validating the Security Setup

I.   Setting up Test Users in OAC

Create two users in an authentication provider accessible to OAC.  This post uses FinanceUser and ProjectsUser in the OAC embedded LDAP.

Note: The version used here is limited to using the internal WebLogic authentication provider. Creating users via the WebLogic Administration Console is documented in Administration Console Online Help.

Note: Your User ID needs to be part of the WebLogic Administrators group in order to create users. This example does not require that the two test users be associated with WebLogic Groups.

II.  Preparing Application Roles in OAC

Application roles are created to secure the subject areas.

Application roles in OAC are documented in Configuring What Users Can See and Do.

Note: Your User ID needs to be part of the BI Service Administrator application role in order to manage application roles.

A. Adding Application Roles

From the OAC home page, access the Console:

P1

Click on Application Roles and then Add to create roles:

P2

Create the following three roles:

Finance Role

Projects Role

Non-Projects Role

The following depicts the Finance Role:

P3

B. Adding Members to Application Roles

1. Add the Finance User to the Finance Role.

Click on Members for the Finance Role:

P4A

Select Users for the Type, *User for the Name and click Search. Then select the Finance User and move it to the Selected Users pane and click OK.

P4

Use the same process to add the Finance User to the DV Content Author Role.

Repeat the steps to add the Projects User to the Projects Role and to the DV Content Author Role.

2. Add the Finance Role to the Non-Projects Role

Click on Members for the Non-Projects Role:

P5

Select Application Roles for the Type, *Role for the Name and click Search. Then select the Finance Role and move it to the Selected Application Roles pane and click OK.

P6

III. Securing Subject Areas using Presentation Services Privileges

The application roles created above secure the subject areas. The Non-Projects role is denied access to the Projects subject area. The practice of denying a privilege to a role is discussed in Managing Presentation Services Privileges Using Application Roles.

Below is a note from that document:

P7

If you are on a Data Visualization (DV) page, first go to the DV Home page and then click Open Classic Home.

P8

Click on the Administration link on the analytics (classic) home page:

P9

Click on Manage Privileges in the Security section of the Administration page.

P10

Scroll down to the Subject Area privileges. Notice that the BI Content Author role is granted access to each subject area by default. Because the test users were previously granted the DV Content Author role, they inherit the BI Content Author role and thus have access to the subject areas.

P11

Note: Even though the privilege description is “Access within Oracle BI Answers”, the privilege extends to DV Projects also.

For the Projects Subject Area, click on the BI Content Author role to manage the permissions. Click the + icon to add a permission.

P12

Select Application Roles in the List box and click Search. Select the Non-Projects role and move (>) it to the Selected Members pane. Select Denied in the Set Permission to box. Click OK.

P13

Click OK again and the Subject Area privileges look like this:

P14

Now, any user that has explicit or inherited membership in the Non-Projects Role is denied access to the Projects subject area in both DV and BI Answers.
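The resolution described above (inherited role membership, with Denied taking precedence over Granted) can be modelled offline to check a planned role layout before applying it in the console. This is an added example, not Oracle code and not an OAC API; the function names and data layout are hypothetical, and the maps are constructed from the roles used in this post.

```python
from collections import deque

# Constructed membership map mirroring this post: member -> roles it is directly in.
MEMBER_OF = {
    "FinanceUser": {"Finance Role", "DV Content Author"},
    "ProjectsUser": {"Projects Role", "DV Content Author"},
    "Finance Role": {"Non-Projects Role"},
    "DV Content Author": {"BI Content Author"},
}

# Subject-area privilege entries as set on the Manage Privileges page in this post.
PRIVILEGES = {
    "Financials": {"BI Content Author": "Granted"},
    "Projects": {"BI Content Author": "Granted", "Non-Projects Role": "Denied"},
}


def effective_roles(principal, member_of=MEMBER_OF):
    """Return every role the principal holds explicitly or through inheritance."""
    seen, queue = set(), deque([principal])
    while queue:
        for role in member_of.get(queue.popleft(), ()):
            if role not in seen:  # also guards against membership cycles
                seen.add(role)
                queue.append(role)
    return seen


def can_access(principal, subject_area, member_of=MEMBER_OF, privileges=PRIVILEGES):
    """Deny-overrides: any matching Denied entry wins over any Granted entry."""
    roles = effective_roles(principal, member_of)
    entries = privileges.get(subject_area, {})
    matched = {entries[r] for r in roles if r in entries}
    if "Denied" in matched:
        return False
    # Assumption of this model: no matching entry means no access.
    return "Granted" in matched


def audit(users, member_of=MEMBER_OF, privileges=PRIVILEGES):
    """Build a user x subject-area matrix to compare with the intended policy."""
    return {u: {sa: can_access(u, sa, member_of, privileges)
                for sa in sorted(privileges)} for u in users}


if __name__ == "__main__":
    for user, row in audit(["FinanceUser", "ProjectsUser"]).items():
        print(user, row)
```

Because the denial follows inherited membership, adding any user or role to the Finance Role in this layout also removes its access to Projects, which is worth checking in the matrix before changing memberships.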

IV.  Validating the Security Setup

In this section, log on as each user, display that user's roles and confirm the Projects subject area is secured appropriately.

Log out and log on as the Projects User. Click on Open Classic Home if on the DV home page. From the drop-down for the Signed In As, click on My Account. Click Application Roles.

P15

Note the BI Content Author role which grants access to the Projects subject area and the absence of the Non-Projects role that denies access.

Click OK and then click on Visual Analyzer Projects under Data Exploration and Discovery to go to DV and note the access to the Projects subject area.

P16

Log out and log on as the Finance User. Click on Open Classic Home if on the DV home page. From the drop-down for the Signed In As, click on My Account. Click Application Roles.

P17

Note the BI Content Author role which grants access to the Projects subject area and the presence of the Non-Projects role that denies access. As noted above, the denial takes precedence.

Click OK and then click on Visual Analyzer Projects under Data Exploration and Discovery to go to DV and note the absence of the Projects subject area.

P18

Summary

This post documented how to secure Oracle Business Intelligence Repository Metadata (RPD) subject areas in Oracle Analytics Cloud (OAC). It used an example of two subject areas: Financials and Projects. The Projects subject area was secured via application roles and presentation services privileges. Validation demonstrated that only users with the correct role(s) can view the subject area when creating Data Visualization (DV) projects, BI analyses, etc.

For more OAC, BICS and BI best practices, tips, tricks, and guidance that the A-Team members gain from real-world experiences working with customers and partners, visit Oracle A-Team Chronicles for BICS and Oracle A-Team Chronicles for OAC.

References

Administration Console Online Help

Configuring What Users Can See and Do

Managing Presentation Services Privileges Using Application Roles

Oracle A-Team Chronicles for BICS

Oracle A-Team Chronicles for OAC
