Oracle Fusion Analytics Warehouse: Configuring Object Security and Custom Duty Roles

September 3, 2021 | 8 minute read
Krithika Raghavan
Director, Oracle Analytics

Authors

Krithika Raghavan, Director, Oracle Analytics

Nupur Joshi, Senior Principal Product Manager, Oracle Analytics

 

Introduction

 

Oracle Fusion Analytics Warehouse (FAW) Release 21.R1.P2 includes the security extensibility feature. Security administrators can create custom duty roles to secure prebuilt subject areas, grant access to only a specific set of dimensions or attributes, and restrict access to a custom subject area and any front-end objects (such as decks, KPIs, visualization projects, and classic dashboards and analyses).

This blog describes the steps to configure custom duty roles and secure subject areas.

 

 

Implementing Object Security in FAW

 

The following list provides the steps performed by various people to implement object security.

 

 

  1. As a security administrator, log in to Fusion Analytics Warehouse, navigate to Console, click the Security tile, and in the Application Roles tab, create a custom duty role.

  2. As a security administrator, map the custom duty role to one or more prebuilt or custom groups by navigating to the Groups tab in the Security tile and clicking Add Mapping on the Application Role tab.

  3. As a modeler, navigate to Console and to Semantic Model Extensions. Under Security Configurations, click Duty Security Step and Edit.

  4. In Secure Subject Areas, select the subject area or folder that this role will provide or deny access to and make the appropriate selections.

  5. In the final step in Secure Subject Areas, validate and reconfirm that changes are correct for this duty role.

  6. Publish the Version in Semantic Model Extensions.

  7. Log in to Fusion Analytics Warehouse and test your changes.

Use Case #1: Removing Access to the “Personal Information” folder in the Workforce Core Subject Area

 

WorkForce Core is a prebuilt HCM subject area. This use case defines a custom duty role that denies access to the Personal Information folder in the subject area, restricting access to PII (Personally Identifiable Information) data.

 

  1. As a security administrator, log in to Fusion Analytics Warehouse, navigate to Console, click the Security tile, and in the Application Roles tab, create a Custom Duty Role.

  2. As a security administrator, map the custom duty role to one or more prebuilt or custom groups by navigating to the Groups tab in the Security tile and clicking Assign Duty Role. This step is necessary because a user can’t be directly assigned to an application role; a user can be assigned to groups only. A group can have multiple application roles (data and duty roles) and users inherit application roles indirectly through groups.

    a. Create a custom group.

    b. Assign a custom duty role to the new group or existing groups.
    • Navigation > Security Console > Groups Tab > Application Role (sub tab) > Add Mapping.
    • You can instead select Application Role > Assign Groups.

  3. As a modeler, navigate to Console and to the Semantic Model Extensions. Under Security Configurations, click Configure Object Security and Edit.

  4. In Secure Subject Areas, select the subject area that this role will provide access for. For this use case we’ll permit “Read” access for “HCM-WorkForce Core”.

  5. In Secure Subject Areas, select the folder in the subject area that access needs to be revoked from. For this use case we’ll provide “No Access” for the Personal Information folder.

  6. In the final step in Secure Subject Areas, validate and reconfirm that this role has Read access to the subject area and No Access to the Personal Information folder.

  7. Publish the Version in Semantic Model Extensions.

In the Semantic Model Extensions area, navigate to Security Configurations and select Publish Model. Select the latest version of the model and select All under Security Configurations.

  8. Log in and test.

Log in to Fusion Analytics Warehouse as a user assigned to the group “HR Specialist (No Personal Information)” and run a report on the HCM-WorkForce Core subject area.

Confirm that the user can’t access the Personal Information folder.
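Because users inherit duty roles only through groups, a member of the restricted group may also belong to another group whose duty role grants Read on the subject area. The Python sketch below, an added example that is not part of the original post and not Oracle code, resolves user → group → duty role and lists such users so they can be re-tested by logging in as them. The dictionary layout, the user names, the "HR Analysts" group, both role names and the folder-follows-subject-area rule are assumptions made for illustration; the script does not assume how FAW resolves overlapping grants.

```python
# Added example; all data is constructed and names not in the post are hypothetical.
SUBJECT_AREA = "HCM-WorkForce Core"
FOLDER = "HCM-WorkForce Core/Personal Information"
RESTRICTED_GROUP = "HR Specialist (No Personal Information)"

# user -> groups (users are never mapped to application roles directly)
USER_GROUPS = {
    "alice": {RESTRICTED_GROUP},
    "bob": {RESTRICTED_GROUP, "HR Analysts"},  # hypothetical second group
    "carol": {"HR Analysts"},
}
# group -> duty roles (hypothetical role names)
GROUP_ROLES = {
    RESTRICTED_GROUP: {"Custom HR No PII Duty"},
    "HR Analysts": {"Custom HR Full Duty"},
}
# duty role -> object -> access chosen in Secure Subject Areas
ROLE_GRANTS = {
    "Custom HR No PII Duty": {SUBJECT_AREA: "Read", FOLDER: "No Access"},
    "Custom HR Full Duty": {SUBJECT_AREA: "Read"},
}


def roles_for(user):
    """Resolve the duty roles a user inherits through group membership."""
    roles = set()
    for group in USER_GROUPS.get(user, ()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def folder_access(role):
    """Folder access a role carries; assumes an unset folder follows its subject area."""
    grants = ROLE_GRANTS.get(role, {})
    return grants.get(FOLDER, grants.get(SUBJECT_AREA, "No Access"))


def users_to_review():
    """Restricted-group members who also inherit a role with Read on the folder."""
    flagged = {}
    for user, groups in USER_GROUPS.items():
        readers = sorted(r for r in roles_for(user) if folder_access(r) == "Read")
        if RESTRICTED_GROUP in groups and readers:
            flagged[user] = readers
    return flagged


if __name__ == "__main__":
    print(users_to_review())  # users to re-test by logging in as them
```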

Use Case #2: Secure Access to a Custom Subject Area

 

This use case includes steps to secure access to a new subject area created with semantic model extensions rather than from prebuilt content (for example, the Taleo Recruiting subject area; see Taleo Recruiting Cloud Data Replication into ADW: Using ODI Marketplace). This subject area needs to be secured for access by a specific set of users only.

 

 

  1. As a security administrator, log in to Fusion Analytics Warehouse, navigate to Console, click the Security tile, and in the Application Roles tab, create a Custom Duty Role.

  2. As a security administrator, map the custom duty role to one or more prebuilt or custom groups by navigating to the Groups tab and clicking Assign Duty Role.

     You can also do this from the Application Role tab > Assign Group if you need to assign the duty role to any of the existing groups. This step is necessary because a user can’t be directly assigned to an application role; a user can be assigned to groups only. A group can have multiple application roles (data and duty roles) and users inherit application roles indirectly through groups.

  3. As a modeler, navigate to Console and to the Semantic Model Extensions. Under Security Configurations, click Configure Object Security and Edit.

  4. In Secure Subject Areas, select the subject area that needs to be secured using the new custom duty role. For this use case, we’ll permit “Read” access for “HCM-Taleo”.

  5. In the final step in Secure Subject Areas, validate and reconfirm that this role does have Read access to the subject area.

  6. Publish the Version in Semantic Model Extensions.

In the Semantic Model Extensions area, navigate to Security Configurations and select Publish Model. Select the latest version of the model and select All under Security Configurations.

  7. Log in and test.

Log in to Fusion Analytics Warehouse as a user assigned to the group “Taleo User” and run a report against the HCM-Taleo subject area. Any other user not assigned to this group can’t access the HCM-Taleo subject area.

 

 

Summary

 

The semantic model extensions feature in Fusion Analytics Warehouse supports using extensible content to secure access to data in the warehouse. This article provides the steps involved along with two simple use cases. Other use cases include:

 

  1. In an existing subject area, grant access to only aggregate measures and common dimensions. For example, in the HCM - Workforce Core subject area, a set of users must be granted access for aggregate reporting and not for detail person-level reporting.
  2. Restrict various users from accessing catalog objects (such as decks, cards, KPIs, and visualization projects) using custom duty roles.

 



To learn more about FAW, visit Oracle.com/analytics, and follow us on Twitter @OracleAnalytics.

 
