What are PII Attributes?
Personally Identifiable Information (PII) attributes can refer to a person’s name, email address, social security number (SSN), salary, performance rating, and similar. As part of data security, PII attributes aren’t exposed to all users, even if they belong to the same functional area. For example, users can have access to the Payroll module, but only a few users can have access to view compensation KPIs.
This article describes the detailed implementation steps to hide any sensitive column in a subject area through security features in Oracle Fusion Data Intelligence (FDI).
Introduction
FDI provides object-level security at the subject-area and workbook level. Prebuilt object-level security doesn’t consider restricting PII attributes, which are present as part of multiple FDI subject areas. However, you can restrict these attributes by implementing custom security in FDI, using prebuilt or custom application roles.
Prerequisites
- Create or identify the application role to be used to hide the column. This example uses the Custom Restricted PII Access application role.
- Assign the user whose access to the PII attribute is to be restricted to the Group role that has the Custom Restricted PII Access application role mapped.
Implementation Steps
- From the FDI Console, navigate to Semantic Model Extensions.
Fig 1 – FDI Console
- From Security Configurations, open Configure Object Permissions and click Next.
This opens the list of prebuilt and custom subject areas available in the environment with the current security configuration.
Fig 2 – Security Configurations
- Navigate to the required subject area from the left pane and expand the folders to select the specific column to be restricted. This example uses HCM – Workforce Rewards – Workforce Compensation > # Base Salary as the PII attribute to hide.
- After selecting the column, on the right-hand side, set Authenticated Users to No Access to restrict access for any authenticated user and ensure that only role-based access is implemented at the semantic model.
Fig 4 – Security for Authenticated Users
- Click Show All Roles, search for the application role identified in the Prerequisites section, and set it to No Access. Preview your changes and click Finish.
Fig 5 – Security for Custom Role
Note: This application role also needs to be mapped to a group. The user assigned to the group shouldn’t be able to view the # Base Salary KPI.
Here’s a quick comparison of the facts before vs. after implementation:
Before implementation:
After implementation:
# Base Salary isn’t visible
Call to Action
Try this configuration in a subject area that has PII attributes and needs restricted access. If these PII attributes are present in any FDI workbook, this configuration seamlessly hides that column from end users at the workbook level, too.
If you have questions, post them in the Oracle Analytics Community and we’ll follow up with answers. See also Manage Users, Groups, Application Roles, and Data Access.
