Managing Permissions in Oracle Analytics Cloud

October 16, 2023 | 9 minute read
Adam Bloom
Oracle Analytics Product Management

Introduction

The November 2023 update of Oracle Analytics Cloud (OAC) allows you to assign permissions to use specific functionality at a finer grain than the existing predefined application roles. This post provides a recap of the predefined application roles' role-based permissions before demonstrating the new permissions that you can assign to user-defined application roles of your choice. The post concludes with information on other permissions being planned for future updates.

Role-Based Permissions

Oracle Analytics Cloud uses a traditional Role-Based Access Control (RBAC) model to enable users to use specific areas of functionality. Users and groups are assigned to application roles, and permissions are granted to application roles. In a regular Oracle Analytics Cloud service instance, several predefined application roles confer functional permissions. These roles and the role-based permissions they control are described in this table:

| Predefined Application Roles in Oracle Analytics Cloud | Description |
| --- | --- |
| BI Service Administrator | Allows users to administer Oracle Analytics Cloud and delegate privileges to others using the Console. This application role is assigned all the available permissions. |
| BI Data Model Author | Allows users to create and manage semantic models in Oracle Analytics Cloud using Semantic Modeler. |
| DV Content Author | Allows users to create workbooks, connect to data and load data for data visualizations, and explore data visualizations. |
| BI Content Author | Allows users to create analyses, dashboards, and pixel-perfect reports, and share them with others. |
| DV Consumer | Allows users to explore data visualizations. |
| BI Consumer | Allows users to view and run reports in Oracle Analytics Cloud (workbooks, analyses, dashboards, pixel-perfect reports). Use this application role to control who has access to the service. |

So if your group of users are just consumers, you assign their group to the DV Consumer application role, whereas if they're authors, you assign the group to the DV Content Author application role. This approach allows you to control which users can consume, author, and manage or administer, but it's fairly coarse-grained in that, for example, a user can either author all types of content (such as connections, datasets, and workbooks) or can't author any.

Everyone is an Author in a World of Self-Service Analytics

Often there are requirements for a group of users to be able to create their own workbooks, but only based on existing curated datasets and connections, for example. Or perhaps another group of users must be able to create connections, datasets, and data flows, but not workbooks. The November 2023 update of OAC includes several permissions at a finer grain than the role-based permissions discussed above.

The existing predefined application roles still have the same capabilities as before, but some of the role-based permissions are broken out into standalone permissions (or just "permissions") that can also be assigned to your own user-defined application roles. Here's the list of new permissions:

Permission

Create and Edit Connections

Create and Edit Data Flows

Create and Edit Sequences

Create and Edit Datasets

Create and Edit Watchlists

Create and Edit Workbooks

Create and Edit Connections to OCI Data Science with Resource Principal

Create and Edit Connections to OCI Document Understanding with Resource Principal

Create and Edit Connections to OCI Functions with Resource Principal

Create and Edit Connections to OCI Language with Resource Principal

Create and Edit Connections to OCI Vision with Resource Principal

Schedule Workbooks

Schedule Workbooks with Bursting

Schedule Workbooks with RunAs User

Export Workbooks to Documents

You can assign each of these permissions to your own user-defined application roles, but they're also automatically assigned to the existing predefined application roles. This is so the existing roles still have all of the functional capabilities they had before, and so that you can see in more detail what each predefined application role can do.

| Default Assignment | Permission |
| --- | --- |
| DV Content Author | Create and Edit Connections |
| | Create and Edit Data Flows |
| | Create and Edit Sequences |
| | Create and Edit Datasets |
| | Create and Edit Watchlists |
| | Create and Edit Workbooks |
| BI Service Administrator | Create and Edit Connections to OCI Data Science with Resource Principal |
| | Create and Edit Connections to OCI Document Understanding with Resource Principal |
| | Create and Edit Connections to OCI Functions with Resource Principal |
| | Create and Edit Connections to OCI Language with Resource Principal |
| | Create and Edit Connections to OCI Vision with Resource Principal |
| | Schedule Workbooks |
| | Schedule Workbooks with Bursting |
| | Schedule Workbooks with RunAs User |
| BI Consumer | Export Workbooks to Documents |

You can add or delete the permissions assigned to user-defined application roles that you've created, but you can't change the permission assignments to the predefined application roles. So if you want to create an application role that has some (but not all) authoring capabilities, you can add the relevant permissions to your user-defined role and then remove the assignment of DV Content Author from your user or group.

Hint: It's often useful to copy the role-based permissions from the relevant predefined application role to your user-defined role so that your user-defined role gets any role-based permissions that can't be separately assigned.
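A restricted user-defined role only restricts anything once DV Content Author is gone from both the user and every group the user belongs to. The following is an added example, not Oracle's code and not an OAC API or export format: it models the default assignments from the table above and reports users who hold a custom role but still pick up extra authoring permissions. The role name "Curated Workbook Author", the group "sales-analysts", the users, and the choice of BI Consumer as an allowed baseline role are assumptions made for the illustration.

```python
# Constructed model of the post's default-assignment table; not an OAC API or export format.
ROLE_PERMISSIONS = {
    "DV Content Author": {
        "Create and Edit Connections", "Create and Edit Data Flows",
        "Create and Edit Sequences", "Create and Edit Datasets",
        "Create and Edit Watchlists", "Create and Edit Workbooks",
    },
    "BI Consumer": {"Export Workbooks to Documents"},
    # Hypothetical user-defined role: workbooks and datasets only.
    "Curated Workbook Author": {"Create and Edit Workbooks", "Create and Edit Datasets"},
}

# Constructed sample assignments: roles granted to groups, and each user's
# directly assigned roles plus group memberships.
GROUP_ROLES = {"sales-analysts": {"DV Content Author", "BI Consumer"}}
USERS = {
    "alice": {"roles": {"Curated Workbook Author", "BI Consumer"}, "groups": set()},
    "bob": {"roles": {"Curated Workbook Author"}, "groups": {"sales-analysts"}},
}

def effective_roles(user):
    """Roles assigned directly plus roles inherited through group membership."""
    roles = set(user["roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in effective_roles(user)))

def audit(users, custom_role, baseline=("BI Consumer",)):
    """Map each holder of custom_role to the roles that grant them more than
    custom_role plus the baseline roles allow, with the excess permissions."""
    allowed = ROLE_PERMISSIONS[custom_role].union(*(ROLE_PERMISSIONS[r] for r in baseline))
    findings = {}
    for name, user in users.items():
        roles = effective_roles(user)
        if custom_role not in roles:
            continue
        leaks = {r: sorted(ROLE_PERMISSIONS[r] - allowed)
                 for r in roles if ROLE_PERMISSIONS[r] - allowed}
        if leaks:
            findings[name] = leaks
    return findings

if __name__ == "__main__":
    for user, leaks in audit(USERS, "Curated Workbook Author").items():
        print(user, leaks)
```

In this sample, bob is flagged because his group still carries DV Content Author, while alice ends up with only the permissions of the custom role and BI Consumer.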

A user who has the user-defined application role defined above can create workbooks and datasets, but can use only the connections they've been given read access to: