Configure What Users Can See and Do

Administrators assign application roles to determine what other users can see and do in Oracle Analytics Cloud.

Topics:

• Get Started with Application Roles

• Add Members to Application Roles

• Why Is the Administrator Application Role Important?

• Assign Application Roles to Users

• Assign Application Roles to Groups

• Add Your Own Application Roles

• Copy Permissions to an Existing User-Defined Application Role

• View Permissions Granted to Application Roles

• Grant and Revoke Permissions for Application Roles

• Delete Application Roles

• Add One Predefined Application Role to Another (Advanced)

• View and Export Detailed Membership Data

• Sample Scenarios: User-defined Application Roles

Get Started with Application Roles

Administrators configure what users see and do in Oracle Analytics Cloud from the Users and Roles page in the Console. This page presents user information in four different views: User, Groups, Application Roles, Permissions.

Users and Roles Page	Description
Users tab	Lists users from the identity domain associated with your Oracle Analytics instance. From the Users tab, you can: Discover the groups and application roles that each user directly belongs to. Discover the permissions granted directly to a user. Add or remove application roles assigned to a user. Remove permissions granted directly to a user. Generate a report that lists the groups or application roles assigned to a user, either directly or indirectly. You can’t add or remove user accounts through the Users tab. Use your identity management system to manage user accounts. It's best practice to assign permissions to application roles. You can't grant permissions to a user. However, if the user already has permission grants (for example, though migration from an on-premise environment), you can remove these permission grants from the user.
Groups tab	Lists user groups from the identity domain associated with your Oracle Analytics instance. From the Groups tab, you can: Discover the members (users or groups) directly assigned to each group. Discover the application roles or any other groups that a group is directly assigned to. Add or remove application roles assigned to a group. You can’t add or remove user groups through the Groups tab. Use your identity management system to manage user groups.
Application Roles tab	Lists the predefined application roles for Oracle Analytics and any user-defined application roles that you add. From the Application Roles tab, you can: Create your own application roles. Discover the members (users, groups, application roles) directly assigned to each application role. Discover the permissions directly granted to each application role. Add members or remove members from each application role. Discover whether an application role is a member of any other application role. Add or remove memberships for each application role. Grant permissions to user-defined application roles. Remove permissions from user-defined application roles. Generate a report that lists the users assigned to an application role, either directly or indirectly. Generate a report that lists the groups (or IDCS application roles) assigned to an application role, either directly or indirectly. Generate a report that lists other application roles assigned to an application role, either directly or indirectly. Generate a report that lists any other application roles an application role is assigned to, either directly or indirectly.
Permissions tab	Lists the permissions available in Oracle Analytics. From the Permissions tab, you can: Search for permissions and filter the permissions list. Discover the application roles a permission is directly assigned to. Discover the users a permission is directly assigned to.

Add Members to Application Roles

Application roles determine what users are allowed to see and do in Oracle Analytics Cloud. It’s the administrator’s job to assign appropriate application roles to all users and to manage the privileges of each application role.

Remember:

• Members (users, groups, and other application roles) get the permissions granted to an application role.
• Application roles can get permissions granted to other application roles. For example, DV Content Author gets the permissions granted to BI Content Author, DV Consumer, and BI Consumer.

You use the Users and Roles page in the Console to assign members to an application role.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
   All the predefined application roles are displayed, together with any user-defined application roles that you've added.
4. Select the name of an application role for more detail, and to see its current members.
5. Under Direct Members, click Users, Groups, or Application Roles to view the current, direct members in each category.
   For example, if you click Users you see a list of users directly assigned to the application role.

   
   Description of the illustration approles_user_oac_only.jpg
6. To see a list of all the members in the selected category that are assigned to the application role (both directly and indirectly), click the menu icon and select Show Indirect Members.
7. To add a new member (user, group, application role, IDCS application role) to the application role, click Add Users, Add Groups, or Add Application Roles, select one or more members, and then click Add.
8. To remove a member from the application role, click the Delete icon next to the member's name.

Why Is the Administrator Application Role Important?

You need the BI Service Administrator application role to access administrative options in the Console.

There must always be at least one person in your organization with the BI Service Administrator application role. This ensures there is always someone who can delegate permissions to others. If you remove yourself from the BI Service Administrator role you’ll see a warning message.

If no-one has administrative access to Oracle Analytics Cloud, ask your identity domain administrator to add a user to the ServiceAdministrator IDCS application role. ServiceAdministrator is assigned through the identity management system and is always assigned to the BI Service Administrator application role in a regular Oracle Analytics Cloud service instance.

Assign Application Roles to Users

The Users page lists the users from the identity domain associated with your Oracle Analytics Cloud instance. As an administrator, you can assign these users to the appropriate application roles.

1. Click Console.
2. Click Users and Roles.
3. Click Users.
4. On the Users page, click the name of a user.
   To filter the list by name, enter all or part of a user name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any user that includes the letters admin.
5. In the Details page for the user, click Application Roles to see a list of application roles directly assigned to this user.
   
   Description of the illustration user_approles.jpg
6. Click the menu icon, and select Show Indirect Memberships to see a list of all the application roles assigned to the user, that is, assigned both directly and indirectly.
7. To assign the user to an additional application role, click Add Application Roles.
8. In Add user to Application Roles, select one or more application roles from the list, and then click Add.
9. To remove an application role from the user, click the Delete icon next to the name of the application role you want to delete.

Assign Application Roles to Groups

The Groups page lists user groups from the identity domain associated with the Oracle Analytics Cloud instance. It's best practice to assign application roles to groups rather than to users.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
   All the predefined application roles are displayed, together with any application roles that you've added.
4. Select the name of the application role you want to assign to a group.
5. Under Direct Members, click Groups to view the groups currently assigned to this application role.
   For example, there is a group called AppTesters directly assigned to the DV Content Author application role.

   
   Description of the illustration approles_group.jpg
6. To see a list of all the groups that are assigned to the application role (both directly and indirectly), click the menu icon and select Show Indirect Members.
7. To assign a new group of users to the application role, click Add Groups, select one or more groups, and then click Add.
8. To remove a group from the application role, click the Delete icon next to the group's name.

Add Your Own Application Roles

Oracle Analytics Cloud provides a set of predefined application roles. You can also create user-defined application roles to suit your own requirements. For example, you might create an application role that allows only a select group of people to view specific folders or workbooks. Or you might create an application role with specific permissions assigned to it.

You can create an application role in two ways:

• Create an application role from scratch (no permissions).
• Create an application role with the same permissions as one of the predefined application roles.

After creating the application role, you can grant permissions and add members (users, groups, or other application roles).

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
4. Do one of the following:

   Create an application role from scratch (no permissions):

   • Click Create Application Role.
     
     Description of the illustration approles_custom.jpg

   Copy the permissions from a predefined application role to a user defined application role:

   Note:

   In this step, you're copying the permission grants for the predefined application role that you choose. You aren't copying the application role's members or memberships.

   • Click the name of the application role you want to copy. For example, BIConsumer.
   • Click Permissions.
   • Click the action menu, and select Copy Permissions To and then select New Application Role.
     
     

     
     Description of the illustration oac_copy_approle_02.png

     
     
5. Enter suitable values for Application Role Name, Display Name, and Description.

   The Application Role Name can contain alphanumeric characters (ASCII or Unicode) and other printable characters (such as underscore or square brackets). The Application Role Name must not contain any white space.

6. Click Create.
   When you create an application role from scratch, it doesn't start with any members or permissions. When you copy the permissions from one of the predefined application roles, the application role starts with the same permissions as the role that you copied.
7. Grant permissions to the application role.
   1. Under Direct Grants, select Permissions.
   2. Click Add Permissions.
      This option is available only to user-defined application roles.
   3. Select one or more permissions, and then click Add.
8. Add members (users, groups, or application roles) to the new application role.
   1. Under Direct Members, select the type of member you want to add: Users, Groups, or Application Roles.
   2. Click Add Users, Add Groups, or Add Application Roles.
   3. Select one or more members, and then click Add.
9. Optional: Create hierarchical relationships between other application roles.
   1. Under Direct Memberships, click Add to Application Roles.
   2. Select all the application roles you want this application role to inherit privileges from, and then click Add.

Copy Permissions to an Existing User-Defined Application Role

You can copy the permissions directly granted to a predefined application role to a user-defined application role.

After you copy permissions to an existing role, you can grant additional permissions or revoke any of the copied permissions. See Grant and Revoke Permissions for Application Roles.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
4. Click the name of a predefined application role.
   To filter the list by name, enter all or part of a name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any user that includes the letters admin.
5. Click Permissions to see the permissions granted to the predefined application role.
6. Click the action menu, select Copy Permissions To, and then select Existing Application Role.
   
   
   Description of the illustration oac_copy_approle_existing.png
   
   
7. Select an existing application role and click Copy.

View Permissions Granted to Application Roles

You can see a list of permissions granted to each user-defined application role as well as permissions granted to the predefined application roles from the Application Roles page.

While you can view, add, and remove permissions for user-defined application roles, each predefined application role includes a fixed set of permissions that you can't change. Specifically, each predefined application role has a set of role-based permissions built into it which aren't listed individually, plus zero or more regular permissions which are listed individually but you can't remove them. For example, the predefined application role BI Consumer has built-in, role-based permissions plus the permission Export Workbook to Document.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
4. Click the name of an application role.
   To filter the list by name, enter all or part of a name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any application role that includes the letters admin.
5. Click Permissions to see a list of permissions directly granted to the application role.

   When you select an application role that you created from scratch, you see a list of permissions granted to the role on the right. In this example, only one permission (Export workbook to document) is granted to an application role you created (Finance Consumer).

   You can add and delete permissions, as required.

   

   When you select one of the predefined application roles, such as BI Data Model Author, you see a message indicating that the role contains a set of built-in, role-based permissions. You can't change the permissions granted to a predefined application role.

   

   When you select a user-defined application role containing permissions copied from one of the predefined application roles, such as BI Data Model Author, you see a message indicating that the role contains a set of built-in, role-based permissions, plus any additional permissions assigned to the predefined application role, as well as any permissions that you granted the role.

   

Grant and Revoke Permissions for Application Roles

You can grant individual permissions to a user-defined application role or revoke permissions that are no longer required. For example, you might want to provide an application role that enables users to export their workbooks to a PDF by granting the permission Export workbook to document.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
4. Click the name of a user-defined application role.
   To filter the list by name, enter all or part of a name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any user that includes the letters admin.
5. Click Permissions to see the permissions granted to the user-defined application role.
6. To grant permissions to a user-defined application role.
   1. Click Add Permissions.
      
      

      

      
      
   2. Select the permission you want, and click Add.
      
      

      

      
      
7. To revoke permissions from the application role.
   1. Navigate to the permission you want to revoke.
   2. Click the Remove Permission icon.
   3. To confirm, click Remove.
   
   

   

   
   

Delete Application Roles

You can delete user-defined application roles that you don't need anymore.

1. Click Console.
2. Click Users and Roles.
3. Click Application Roles.
4. Navigate to the user-defined application role you want to delete.
5. Click the Delete icon next to the name of the application role you want to delete, and then click Delete to confirm.

Add One Predefined Application Role to Another (Advanced)

Oracle Analytics Cloud provides several predefined roles: BI Service Administrator, BI Data Model Author, BI Dataload Author, BI Content Author, DV Content Author, DV Consumer, BI Consumer. In a very few advanced use cases, you might want to permanently include one predefined application role in another.

Any changes that you make to predefined application roles are permanent, so don’t perform this task unless you're sure you need to.

1. Take a snapshot of your system before making any predefined application role change.
   Oracle recommends that you always take a snapshot before you start, as the only way you can revert changes to predefined application roles is to restore your service from a snapshot that was taken before the change.
   1. Click Console.
   2. Click Snapshots.
   3. Click Create Snapshot.
2. In Console, click Users and Roles.
3. Click Application Roles.
4. Click the name of the predefined application role you want to change.
5. Under Direct Members, click Application Roles to see which application roles the selected application role is currently a member of.
6. Click Add Application Roles.
   By default, none of the predefined application roles are available.

   
   Description of the illustration approles_advanced.jpg
7. To add a predefined application role, click Advanced.

   WARNING:

   A warning is displayed. Read the information carefully before you proceed. When you add one predefined application role to another, the change is permanent. The only way you can revert predefined application role changes is to restore a snapshot taken before the change.

8. Click OK to confirm that you’ve taken a snapshot and you're sure you want to permanently modify the predefined application role you selected.
9. Select one or more predefined application roles from the list, and then click Add.
10. To reconfirm that you’ve taken a snapshot and want to permanently change the predefined application role, click OK.

View and Export Detailed Membership Data

Each application role in Oracle Analytics Cloud can have direct members, but they might also have one or more indirect members or memberships.

For example, Joe Brown is granted the DV Content Author application role. Joe is a direct member of the DV Content Author role and an indirect member of BI Consumer, BI Content Author, DV Consumer. You can view direct and indirect membership details from the User and Role Management page and you can export this information to a CSV file.
Description of the illustration members.jpg

1. Click Console.
2. Click Users and Roles.
3. To view direct and indirect membership data for a user:
   1. Click the Users tab.
   2. Select the name of the user whose membership details you want to see.
   3. Under Direct Memberships, click Application Roles to see a list of all the or application roles that the user you selected is directly assigned to.
   4. Click the menu icon, and select Show Indirect Memberships to see a list of all the or application roles that this user is both directly and indirectly assigned to.
4. To view direct and indirect membership data for an application role:
   1. Click the Application Roles tab.
   2. Select the name of the application role whose membership details you want to see.
   3. Under Direct Members (or Direct Memberships), click Users, Groups, or Application Roles to see a list of all the users, groups or application roles that the application role you selected is a direct member of (or directly assigned to).
   4. Click the menu icon, and select Show Indirect Members (or Show Indirect Memberships) to see a list of all the users, groups, or application roles that this group is both directly and indirectly a member of (or assigned to).
5. To export both direct and indirect membership data to a CSV file, click Export.

Download Membership Data

After displaying a list of the direct and indirect members for a user, group, or application role in Oracle Analytics Cloud, you can download the report to a Comma Separated Values file (.csv).

1. From the Direct and Indirect Users | Groups | Application Roles view, click Export.
   The direct and indirect members for the selected user, group, or application role are exported to a file named RoleReport.csv.
2. Do one of the following:
   • Click Open to open the CSV file in an application of your choice.
   • Click Save to save the CSV file to a location of your choice.

Sample Scenarios: User-defined Application Roles

Here are some common scenarios for creating your own application roles .

Topics:

• Allow a User to Export Workbooks to PDF
• Prevent a User with the BI Consumer Role from Exporting Workbooks to PDF
• Allow a User to Create Datasets and Workbooks
• Prevent a User with the DV Content Author Role from Creating or Modifying Specific Object Types

Allow a User to Export Workbooks to PDF

You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to export workbooks to PDF through an application role that includes the Export Workbook to Document permission.

Note:

The predefined application role BI Consumer includes the permission Export Workbook to Document. This means that any user who is a member of BI Consumer (either directly or indirectly) automatically has this permission.

1. Create a new application role called Allow Document Export (or use a similar name).
   See Add Your Own Application Roles.
2. Add the permission Export Workbook to Document.
   See Grant and Revoke Permissions for Application Roles.
3. Assign the new application role Allow Document Export to a user or a group.
   See Assign Application Roles to Users or Assign Application Roles to Groups.
4. Give users with the Allow Document Export application role access to one or more workbooks.

   These users can access workbooks and export the content to PDF.

   See Add or Update Workbook Permissions.

Prevent a User with the BI Consumer Role from Exporting Workbooks to PDF

You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the BI Consumer role from exporting workbooks to a PDF by removing the permission Export Workbook to Document.

1. Copy the BI Consumer application role and name the copy BI Consumer (prevent export) (or use a similar name).
   1. Use the option Copy Permissions to a New Application Role to create an application role with the same permission set as BI Consumer.
   2. Provide a suitable name and description for the new role. For example, BI Consumer (prevent export).
   See Add Your Own Application Roles.
2. Remove the Export Workbook to Document permission.
   See Grant and Revoke Permissions for Application Roles.
3. Assign the new application role BI Consumer (prevent export) to a user or a group.
   See Assign Application Roles to Users or Assign Application Roles to Groups.
4. Remove the predefined application role BI Consumer from the user or group.
5. Give users with the BI Consumer (prevent export) application role access to one or more workbooks and access to the folders where the workbooks are saved.

   When you give the BI Consumer (prevent export) application role access to the workbook, you must accept the option to cascade access to any datasets used by the workbook. That is, select the option Share related artifacts to ensure the workbook is usable in the Share Related Artifacts dialog that displays when you save changes to workbook permissions. See Add or Update Workbook Permissions.

   These users can access workbooks but they can’t export the content to PDF.

   See Add or Update Workbook Permissions.

Allow a User to Create Datasets and Workbooks

You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to create datasets and workbooks, and access and modify datasets and workbooks through an application role that includes the Create and Edit Datasets and Create and Edit Workbooks permissions.

Note:

The predefined application role DV Content Author includes the permissions Create and Edit Datasets and Create and Edit Workbooks. This means that any user who is a member of DV Content Author (either directly or indirectly) automatically has these permissions.

1. Create a new application role called Allow Dataset and Workbook Creation (or use a similar name).
   See Add Your Own Application Roles.
2. Add the permissions Create and Edit Datasets and Create and Edit Workbooks.
   See Grant and Revoke Permissions for Application Roles.
3. Assign the new application role Allow Dataset and Workbook Creation to a user or a group.
   See Assign Application Roles to Users or Assign Application Roles to Groups.
4. Give users with the Allow Dataset and Workbook Creation application role access to one or more datasets and one or more workbooks.

   These users can access and edit datasets and workbooks, and create datasets and workbooks.

   See Add or Update Workbook Permissions.

Prevent a User with the DV Content Author Role from Creating or Modifying Specific Object Types

You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the DV Content Author role from creating and modifying connections, data flows, sequences, and watchlists.

1. Copy the DV Content Author application role and name the copy DV Content Author (limited create and modify) (or use a similar name).
   1. Use the option Copy Permissions to a New Application Role to create an application role with the same permission set as DV Content Author.
   2. Provide a suitable name and description for the new role. For example, DV Content Author (limited create and modify).
   See Add Your Own Application Roles.
2. Remove the Create and Edit Connections, Create and Edit Data Flows, Create and Edit Sequences, and Create and Edit Watchlists permissions.
   See Grant and Revoke Permissions for Application Roles.
3. Assign the new application role DV Content Author (limited create and modify) to a user or a group.
   See Assign Application Roles to Users or Assign Application Roles to Groups.
4. Remove the predefined application role DV Content Author from the user or group.
5. Give users with the DV Content Author (limited create and modify) application role access to one or more workbook and datasets and access to the folders where the workbooks and datasets are saved.

   When you give the DV Content Author (limit create and modify) application role access to the workbook, you must accept the option to cascade access to any artifacts used by the workbook. That is, select the option Share related artifacts to ensure the workbook is usable in the Share Related Artifacts dialog that displays when you save changes to workbook permissions. See Add or Update Workbook Permissions.

   These users can access, create, and modify datasets and workbooks, but can't create and modify connections, data flows, sequences, and watchlists.

   See Add or Update Workbook Permissions.