
There are many requests in the Oracle Analytics Community for a “Catalog Items Permissions” report for Oracle Analytics Cloud (OAC).

OAC provides REST APIs that get catalog items and their Access Control List (ACL). You can format the data returned by these REST APIs and use the data to build a report or visualization in OAC.

This blog describes how to get catalog items and permissions based on the item type and create a report in OAC using the OAC REST APIs.

See Unlocking Oracle Analytics Cloud with OAuth 2.0 to understand the grant types such as Resource Owner, Refresh Tokens, JWT Assertion, and Device Code.

Specifically, this blog details how to use an automation script on a Linux server to get OAC catalog item permission data using REST API commands.  


Prerequisites

  • You must have the BI Service Administrator application role to generate the OAuth token.
  • You must have a native IDCS or IAM Identity Domain user name and password to generate an OAuth token using the Resource Owner grant type. You can’t use a federated user.

Create a Confidential Application for OAuth Client

Follow this blog post to create a confidential application that uses Client Credentials as the grant type.

When configuring the confidential application, follow these steps.

  1. Select Resource Owner and Refresh Token as the Allowed Grant Types.
  2. Click Add Scope and select the Oracle Analytics Publisher application from the list of applications.
  3. Copy the scope value for further usage in the REST API commands.
  4. Don’t grant any App Roles for the confidential application.

Client Application Attributes Required For Authentication

Client ID:  eea4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx33db

Client Secret:  6xxxxxxx6-0xx2-4xx9-axxb-0xxxxxxxxxxa

Scope:  https://<xxxxxxxxxxxxxxxxxxxx>.analytics.ocp.oraclecloud.comurn:opc:resource:consumer::all

IDCS or IAM Domain URL:  https://idcs-f5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx03.identity.oraclecloud.com

Generate the base64 encoded clientID and clientSecret

echo -n "eea4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx33db:6xxxxxxx6-0xx2-4xx9-axxb-0xxxxxxxxxxa" | base64 -w 0

REST API Commands to Generate an OAuth Token Using the Resource Owner Grant Type

Generate the access token

curl --request POST "https://idcs-f5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx03.identity.oraclecloud.com/oauth2/v1/token" \
  --header "Authorization: Basic <base64 encoded ClientID:clientSecret>" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode "username=<BIServiceAdministrator_UserName>" \
  --data-urlencode "password=<User_Password>" \
  --data-urlencode "scope=https://<xxxxxxxxxxxxxxxxxxxx>.analytics.ocp.oraclecloud.comurn:opc:resource:consumer::all"

Capture the access token value from the output

{"access_token":"eyJ4NXQjUzI1NiI6IkttM1VBWEttaHpHa0pxeDFnQldrZ1RFOFVJU0VtYklEdVpJUGdYVVUtb1EiLCJ4NXQiOiJ1S0h3cXp6M1c2S3czcWU3NnE5UFdXbTRQS3ciLCJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0…………………………………… jtlr6Njab5i5qW1A","token_type":"Bearer","expires_in":100}
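
The following is an added example, not the blog's getCatalogPermissions.sh: the same token request written so that the client secret and password stay out of the process list and shell history, plus helpers that read access_token and expires_in from the response shown above. The environment variable names (IDCS_URL, OAC_SCOPE, CLIENT_ID, CLIENT_SECRET, OAC_USER, OAC_PASSWORD) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example; variable and function names are assumptions, not Oracle's.

# Build the Basic credential. printf avoids echo's portability quirks, and
# tr strips the line wrapping that base64 adds when -w 0 is unavailable.
basic_credential() {  # client_id client_secret
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Read one top-level field from the flat token response (string or number).
# Sufficient for this response; it is not a general JSON parser.
token_field() {  # json field_name
  printf '%s' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Epoch second after which a new token should be requested. The sample
# response has expires_in of 100, so a long catalog run needs several tokens.
refresh_deadline() {  # now_epoch expires_in safety_margin
  echo $(( $1 + $2 - $3 ))
}

# Send the request with all sensitive values passed to curl on stdin
# (--config -), so they never appear as command-line arguments.
# Caveat: a password containing " or \ must be escaped for curl's config syntax.
request_token() {
  curl --silent --show-error --fail --config - <<EOF
url = "${IDCS_URL}/oauth2/v1/token"
request = "POST"
header = "Authorization: Basic $(basic_credential "$CLIENT_ID" "$CLIENT_SECRET")"
data-urlencode = "grant_type=password"
data-urlencode = "username=${OAC_USER}"
data-urlencode = "password=${OAC_PASSWORD}"
data-urlencode = "scope=${OAC_SCOPE}"
EOF
}

# Usage (not executed here):
#   resp=$(request_token) || exit 1
#   token=$(token_field "$resp" access_token)
#   deadline=$(refresh_deadline "$(date +%s)" "$(token_field "$resp" expires_in)" 30)
```

Load the variables from a file readable only by the account that runs the script rather than typing them at the prompt.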

OAC REST API Documentation

Refer to the OAC REST API documentation for more information. See Catalog REST Endpoints.

Get the Data

Authenticate

Follow the OAC REST API commands to get the access token to authenticate to OAC using its IAM domain.

Get Catalog Items

Get the items in your catalog. See Get catalog items.

Get Catalog Items by Type

Get catalog items by type for a list of all the items available in your OAC environment. See Get catalog items by type.

Get Catalog Item ACL

Get the catalog item ACL for the items available in your environment. See Get catalog item ACL.

Transform the Data

Transform the data returned using JSON commands and convert the data to a CSV file (covered in the sample automation script).

Sample Automation Script

You can start with the sample automation script (getCatalogPermissions.sh) provided in this blog.


The result of the automation script is a set of CSV files.


Create a Report in OAC

  • In OAC, create a dataset from each CSV file.
  • Create a data flow, and use the datasets to create a consolidated dataset.
  • Use the consolidated dataset to create OAC reports and visualizations. Use filters to obtain the data you want.


Sample Report

Catalog permissions report

Good to Know

Bear in mind that although the catalog API can deal with various different types of objects including workbooks, datasets, and connections, the API returns only objects that the user calling the API has permission to access.

The catalog API doesn’t provide an “administrator view,” that is, the ability to list all the catalog objects regardless of their ACLs. The Content Management page does offer this functionality, but this feature isn’t possible through the API. If necessary, administrators can change ownership on catalog objects through the Content Management page, so they have the required access to list and change ACLs using the API.

Use Content Management in Oracle Analytics Cloud to manage items that the administrator cannot access. For more information, refer to the blog post Managing Content in Oracle Analytics.

Call to Action

Try using the OAC REST APIs to create a permissions report for your catalog and let us know in the Oracle Analytics Community.

For more information on managing the access control of catalog items programmatically, refer to the blog post Managing Access Control for Catalog Items Programmatically in Oracle Analytics Cloud.

If you have questions, post them in the Oracle Analytics Community and we’ll follow up with answers.
