Introduction

This article provides an understanding of the application roles found in Oracle Analytics, especially targeted to administrators. It’s part of a series of best practice articles for Oracle Analytics.

Application roles

In this article, Classic Analytics refers to the OAC functionality accessed via the URL subdirectory analytics. For example, https://<oac-url>/analytics.

These acronyms are used in this article.

    BI – Business Intelligence
    IDCS – Oracle Identity Cloud Service
    IAM – Oracle Identity and Access Management
    LDAP – Lightweight Directory Access Protocol
    REST – Representational State Transfer
    API – Application Programming Interface

Oracle Analytics offers a hierarchy of predefined application roles that determine the level of access and provide users with varying access privileges within the platform. Depending on the role assigned, users gain access to different functions, such as administrative tasks and content consumption. The higher a role is in the hierarchy, the more privileges it grants. When combining application roles, the added role inherits the permissions and policies of the role it’s added to, not the other way around. The same application roles apply to both Oracle Analytics Cloud and Oracle Analytics Server.

Although it might seem counterintuitive, assigning higher roles to lower roles in the hierarchy passes access privileges from lower levels to higher levels. For instance, adding the BI Author role to the BI Consumer role grants the BI Author role all the permissions and policies of the BI Consumer role, in addition to its own. Similarly, adding the BI Administrator role to the BI Author role grants the BI Administrator role all the permissions and policies assigned to the BI Author role, along with those inherited from the BI Consumer role.

Therefore, to determine the actions users can take in Oracle Analytics, you as the administrator must assign one of the predefined application roles. Adding higher-level roles to lower-level roles is recommended as it grants users with lower-level access the same privileges as the higher-level role.

Some of the most used application roles include:
    BI Service Administrator – Performs administrative tasks.
    BI Data Model Author – Performs data modeling using the Semantic Modeler.
    BI Data Load Author – Loads data using REST APIs.
    BI Content Author – Creates analytics content (analyses, Publisher reports, Classic Analytics dashboards).
    DV Content Author – Creates data visualization content such as workbooks, dashboards, and Classic Analytics content.
    DV Consumer – Views data visualization and Classic Analytics content.
    BI Consumer – Views Classic Analytics content.

Application Role Permissions

Roles and Identity Management

Oracle Analytics relies on IDCS or IAM as its identity provider. Either can also synchronize with a company’s LDAP to obtain a list of authorized users. In IDCS or IAM, groups are created based on functional requirements. Users are added to these groups and then to roles. While users can be added directly to roles, the recommended approach is first to add them to groups in IDCS or IAM and then add the groups to roles.

The roles in IDCS and IAM share similarities with those in Oracle Analytics. The following table shows IDCS and IAM application roles and their Oracle Analytics equivalents.

IDCS and IAM Application Role   | Oracle Analytics Application Role
Analytics Service Administrator | BI Service Administrator
Analytics Service User          | BI Content Author, DV Content Author
Analytics Service Viewer        | BI Consumer, DV Consumer

Recommendations

Administrators should follow these recommendations:

  • Avoid using IDCS or IAM roles in Oracle Analytics, except in specific cases.
    For example, if only prebuilt Oracle Analytics roles are used, using the corresponding IDCS and IAM roles is acceptable.
  • Separate IDCS and IAM roles from Oracle Analytics roles. Adding IDCS and IAM roles to Oracle Analytics roles can lead to confusion and make troubleshooting problems with permissions difficult.
  • Maintain roles in one location.
    This is more reliable than switching back and forth between Oracle Analytics and IDCS and IAM.
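
The inheritance rule and the recommendations above can be checked mechanically against an export of role memberships. The following is an added example, not Oracle's code or part of the original article. It uses a constructed membership map (the user names, the Finance Analysts group and the sample assignments are hypothetical) to resolve inherited roles, flag IDCS/IAM roles nested in Oracle Analytics roles, and flag users added directly to roles instead of through groups.

```python
# Constructed sample: "member -> roles it was added to". Per the article, the
# added (member) role inherits the permissions of the role it is added to.
MEMBER_OF = {
    "BI Administrator": {"BI Author"},
    "BI Author": {"BI Consumer"},
    "Finance Analysts": {"BI Author"},            # hypothetical IDCS/IAM group
    "Analytics Service Viewer": {"BI Consumer"},  # IDCS/IAM role nested in an OA role
    "alice": {"Finance Analysts"},                # hypothetical user, via a group
    "bob": {"BI Administrator"},                  # hypothetical user, added directly
}
USERS = {"alice", "bob"}
# IDCS and IAM application roles, taken from the article's mapping table.
IDP_ROLES = {"Analytics Service Administrator", "Analytics Service User",
             "Analytics Service Viewer"}
# Oracle Analytics roles, named as in the article's inheritance example.
OA_ROLES = {"BI Administrator", "BI Author", "BI Consumer"}


def effective_roles(principal, member_of=MEMBER_OF):
    """Oracle Analytics roles whose permissions the principal holds or inherits."""
    seen, stack = set(), [principal]
    while stack:
        for parent in member_of.get(stack.pop(), ()):
            if parent not in seen:  # also guards against membership cycles
                seen.add(parent)
                stack.append(parent)
    return seen & OA_ROLES


def nested_idp_roles(member_of=MEMBER_OF):
    """IDCS/IAM roles added to Oracle Analytics roles (to be kept separate)."""
    return sorted((m, r) for m, roles in member_of.items() if m in IDP_ROLES
                  for r in roles if r in OA_ROLES)


def direct_user_assignments(member_of=MEMBER_OF):
    """Users added straight to a role instead of through a group."""
    return sorted((u, r) for u in USERS for r in member_of.get(u, ())
                  if r in OA_ROLES)


if __name__ == "__main__":
    for who in ("alice", "bob", "BI Consumer"):
        print(who, "->", sorted(effective_roles(who)))
    print("IDCS/IAM roles nested in OA roles:", nested_idp_roles())
    print("Users assigned directly to roles:", direct_user_assignments())
```

The empty result for BI Consumer shows the direction of inheritance: a lower role gains nothing from the higher roles that were added to it.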

Custom Roles

As the administrator, you can create custom roles in Oracle Analytics, which grant permissions to catalog objects when combined with predefined roles and groups. For example, custom roles restrict access to reports relevant to specific business units, subject areas, and datasets. To achieve this, add the appropriate Oracle Analytics role to a custom role and assign catalog privileges to the custom role.

Create custom roles in Oracle Analytics and use them alongside the prebuilt roles if additional privileges are required, such as granting access based on Sales and Marketing groups. IDCS and IAM don’t support the level of granularity required.

In the following example, the Finance Consumer custom role incorporates the Oracle Analytics DV Consumer and BI Consumer roles. Folder permissions are granted in either the data visualization area or in Classic Analytics. The permissions remain consistent across both interfaces despite slight differences in their setup. 

[Figure: Custom Application Role]

There are three folders in the catalog. The Finance Consumer role has permissions only for the Finance folder.

[Figure: Folders]

Data visualization permissions:

[Figure: Finance Folder DV Permissions]

[Figure: Accounts Receivable Folder DV Permissions]

Classic Analytics permissions:

[Figure: Finance Folder Classic Permissions]

[Figure: Accounts Receivable Folder Classic Permissions]

When a user with the Finance Consumer role logs in, they see only the Finance folder.

[Figure: Permissions in Action]

Call to action

This article provides an understanding of the application roles found in Oracle Analytics. Review the roles assigned in your system to ensure they follow the recommendations outlined here. For more information about roles in Oracle Analytics, see the Oracle Help Center for Oracle Analytics Cloud and Oracle Analytics Server.