Oracle® Retail Insights Cloud Service Suite Security Guide Release 17.0.002 E98772-01
Oracle Retail Insights integrates tightly with Oracle Business Intelligence Enterprise Edition (BI EE) to allow the right content to be shown to the right user. All components of Oracle Business Intelligence Enterprise Edition are fully integrated with Oracle Fusion Middleware security architecture. Oracle BI EE authenticates users using an Oracle WebLogic Server authentication provider against user information held in an identity store. User and group information is held within the Oracle WebLogic Server embedded directory server, which is the default identity store.
Ensure that you are familiar with the security features of Oracle Business Intelligence Enterprise Edition before you begin working with Oracle BI Applications.
Security settings for Oracle Business Intelligence Enterprise Edition are made in the following Oracle Business Intelligence components. See the Oracle Business Intelligence Enterprise Edition Security Guide for more details.
Oracle WebLogic Server Administration Console
Oracle Fusion Middleware Control
Oracle BI Administration Tool
Administration Page in Oracle BI Presentation Catalog
Security in Oracle Retail Insights can be classified into the following types. By default, Retail Insights does not provide these security features. You can choose to implement them based on the implementation requirements:
Data-level security – controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI answers, and so on) based on the user's association to data in the transactional system.
Object-level security – controls the visibility to business logical objects based on a user's role. You can set up object-level security for metadata repository objects, such as subject areas and presentation folders, and for web objects, such as dashboards and dashboard pages, which are defined in the presentation catalog.
This section describes the object-level security features in Retail Insights. It contains the following topics:
Metadata Object-Level Security (Repository Groups)
Metadata Object-Level Security (Presentation Services)
Application roles control access to metadata objects, such as subject areas, tables, and columns. For example, certain Retail Insights roles may not have access to view certain presentation tables. Metadata object security is configured in the Oracle BI Repository, using the Oracle BI Administration Tool. The Authenticated User group is denied access to some of the presentation tables and only related roles have explicit read access. This access can be extended to subject areas and columns.
Note: By default in Oracle Retail Insights, only permissions at the presentation tables level have been configured.
Below is the list of Retail Insights application roles and the associated enterprise roles. You have to create these enterprise roles in your authentication provider, such as WebLogic or Oracle Identity Manager (OIM). For more information on how to set up roles, refer to the Oracle® Fusion Middleware - Security Guide for Oracle Business Intelligence Enterprise Edition.
Retail Insights is built with role-based access. Permissions are associated with roles.
The following groups and application roles are available:
Table 2-1 Groups and Application Roles
Enterprise Roles | Application Roles |
---|---|
RetailAnalysts | RetailAnalyst |
AltHierarchyInsights_Job | AltHierarchyInsights |
ConsumerInsights_Job | ConsumerInsights |
CustomerInsights_Job | CustomerInsights |
CustomerLoyaltyInsights_Job | CustomerLoyaltyInsights |
CustomerOrderInsights_Job | CustomerOrderInsights |
CustomerSegmentInsights_Job | CustomerSegmentInsights |
EmployeeInsights_Job | EmployeeInsights |
InventoryInsights_Job | InventoryInsights |
SalesInsights_Job | SalesInsights |
PurchaseOrderInsights_Job | PurchaseOrderInsights |
SupplierInsights_Job | SupplierInsights |
PlanningInsights_Job | PlanningInsights |
PromotionInsights_Job | PromotionInsights |
FranchiseInsights_Job | FranchiseInsights |
MarketBasketInsights_Job | MarketBasketInsights |
SocialInsights_Job | SocialInsights |
OfferInsights_Job | OfferInsights |
ReturnsInsights_Job | ReturnsInsights |
Table 2-2 Default Application Roles
Presentation Table | Default Application Role(s) |
---|---|
Allocation | All Roles |
Business Calendar | All Roles |
Buyer | All Roles |
Category Management Group | AltHierarchyInsights |
Clusters | AltHierarchyInsights |
Comp Store | All Roles |
Consumer Group | ConsumerInsights |
Consumer Household Group | ConsumerInsights |
Consumer Spend | ConsumerInsights |
Coupon | All Roles |
Customer | CustomerInsights |
Customer Loyalty Account | CustomerLoyaltyInsights |
Customer Loyalty Activity | CustomerLoyaltyInsights |
Customer Loyalty Award Activity | CustomerLoyaltyInsights |
Customer Loyalty Program | CustomerLoyaltyInsights |
Customer Order | CustomerOrderInsights |
Customer Order Fulfillment | CustomerOrderInsights |
Customer Order Origin Channel | CustomerOrderInsights |
Customer Order Promotion Transaction | CustomerOrderInsights |
Customer Order Status Fact | CustomerOrderInsights |
Customer Order Submit Channel | CustomerOrderInsights |
Customer Order Tender Type | CustomerOrderInsights |
Customer Order Transaction | CustomerOrderInsights |
Customer Segment | CustomerSegmentInsights |
Customer Segment Allocation | CustomerSegmentInsights |
Customer Segment Loyalty Score | CustomerSegmentInsights |
Employee | EmployeeInsights |
From Organization | InventoryInsights |
Fulfillment Organization | CustomerOrderInsights |
Gift Card Sales | SalesInsights |
Gregorian Calendar | All Roles |
Household | CustomerInsights |
Inventory Adjustment | InventoryInsights |
Inventory Position | InventoryInsights |
Inventory Receipts | InventoryInsights |
Inventory Transfer | InventoryInsights |
Inventory Unavailable | InventoryInsights |
Item | All Roles |
Markdown | SalesInsights |
Market Item | ConsumerInsights |
Net Cost | SupplierInsights |
Net Profit | SupplierInsights |
Organization | All Roles |
Organization Customers | CustomerInsights |
Plan1 | PlanningInsights |
Plan2 | PlanningInsights |
Plan3 | PlanningInsights |
Plan4 | PlanningInsights |
Planning | No Default Role |
Pricing | SalesInsights |
Product Org Attributes | All Roles |
Promotion | PromotionInsights |
Promotion Actuals | PromotionInsights |
Promotion Baseline | PromotionInsights |
Promotion Budget | PromotionInsights |
Promotion Forecast | PromotionInsights |
Purchase On Order | PurchaseOrderInsights |
Purchase Order | PurchaseOrderInsights |
Reason | InventoryInsights |
Retail Transaction Code | All Roles |
Retail Type | All Roles |
Retailer To Franchise | FranchiseInsights |
Return To Vendor | InventoryInsights |
Sales | SalesInsights |
Sales Discount | SalesInsights |
Sales Forecast | SalesInsights |
Sales Pack | SalesInsights |
Sales Promotion | PromotionInsights |
Season Phase Operational | No Default Role |
Season Phase Planning | All Roles |
Shipment Method | CustomerOrderInsights |
Shipment Type | CustomerOrderInsights |
Status | All Roles |
Stock Ledger | InventoryInsights, SalesInsights |
Store Traffic | SalesInsights |
Supplier | SupplierInsights |
Supplier Compliance | SupplierInsights |
Supplier Invoice | SupplierInsights |
Tender Type | SalesInsights |
Time of Day | All Roles |
Touch Point | CustomerInsights |
Trade Area | AltHierarchyInsights, ConsumerInsights |
Transaction Tender | SalesInsights |
Trial and Repeat | CustomerInsights |
Unit Cost | SupplierInsights |
For the presentation tables available to All Roles, any authenticated RI user will have the ability to view these objects. All other presentation tables will be hidden by default, unless the user is granted the specific role necessary for that table. This permissions structure allows for strict control over which users can access data from different areas of RI based on their business needs. Note that the Retail Analyst role is not listed in the table above, as it is a super-user role with visibility to all presentation tables. This role should be granted only to system administrators and implementers.
Access to Oracle BI Presentation Services objects, such as dashboards and pages, reports, and Web folders, is controlled using Presentation Services groups. Presentation Services groups are customized in the Oracle BI Presentation Services interface. For detailed information about Presentation Services groups, see the Oracle Business Intelligence Presentation Services Administration Guide.
By default, users of Retail Insights will only have write access to two folders in the presentation catalog:
My Folders (personal storage for each user)
Shared Folders > Custom (business objects which can be shared with the company)
All other folders, reports, dashboards, and related presentation objects in the RI catalog will be read-only to business users. Users may view or copy the provided presentation objects into one of their folders for their own use. RI application administrators can control the permissions on objects in Shared Folders > Custom as they see fit, such as by limiting the folder to read-only for other users or creating specific sub-folders for each business group.
Retail Insights front-end clients access Retail Insights stored data through Oracle BI EE. The credentials for Oracle BI EE and Retail Insights database access are managed through the Oracle BI EE security system. In the Retail Insights front end, some security features, such as the session timeout setting, are also managed by Oracle BI EE and WebLogic Server. See the Oracle BI EE WebLogic Security Guide for detailed information.
Retail Insights batch users access Retail Insights stored data through ODI. The credentials for ODI and Retail Insights database access are managed through the ODI security system. See the ODI Security Guide for detailed information.
Configuration and log file protection
Batch process:
To execute Retail Insights batch, the Retail Insights batch scripts, source data files, configuration files, and batch log files need to be placed under the Retail Insights base home directory. These files are protected with secure permissions; none of them is world-readable. Retail Insights batch scripts have 750 file permission, Retail Insights configuration files have 660 permission, and Retail Insights static data files have 640 permission.
Front-end process:
The default permission for Oracle BI EE configuration files and log files is 640.
The security and data access for Retail Insights goes beyond simple role-based associations. Typically, users and groups are associated with roles. The setup of each role determines which objects are accessible to the users.
The Retail Insights batch user is the only one who can run the batch scripts, and the connections managed by ODI are used by the batch processes to access data sources.
By default, the following file permissions are given to users to access files packaged with Retail Insights once installation is completed.
All Retail Insights scripts should at least have 750 permission
All configuration files should at least have 660 permission
All static data (csv files) should at least have 640 permission
Based on the permissions above, besides the owner (the installer user), group members can also view and execute scripts, read and modify the configuration files, and read the static files. A user outside the group cannot do anything to Retail Insights files, and explicit permission needs to be given by the Administrator to users outside of the group.
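The modes given for batch files (scripts 750, configuration files 660, static csv data 640, no world access) can be checked after installation with a short audit script. This is an added example, not part of the Oracle guide or product. It assumes GNU find, and the name patterns for scripts and configuration files (*.ksh, *.sh, *.env, *.properties) are hypothetical; only csv is named by the guide.

```shell
#!/bin/sh
# Added example: audit a Retail Insights base home directory against the
# documented modes (scripts 750, configuration 660, static CSV 640).
# Assumptions: GNU find; the *.ksh, *.sh, *.env and *.properties patterns
# are hypothetical stand-ins, only "csv" is named by the guide.

# List files matching PATTERN that grant any bit EXPECTED does not grant,
# e.g. a world bit, or group write on a 640 file. Stricter modes pass.
find_excess() {
    dir=$1; pattern=$2; expected=$3
    # Bits that must stay clear: 027 for 750, 117 for 660, 137 for 640.
    excess=$(printf '%03o' $(( 0777 & ~0$expected )))
    find "$dir" -type f -name "$pattern" -perm "/$excess" \
        -printf "%m %p (expected at most $expected)\n"
}

# Print one line per violation; return 1 if any file is too permissive.
audit_ri_home() {
    base=$1
    rc=0
    while read -r pattern expected; do
        hits=$(find_excess "$base" "$pattern" "$expected")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=1
        fi
    done <<'EOF'
*.ksh 750
*.sh 750
*.env 660
*.properties 660
*.csv 640
EOF
    return $rc
}

# Stand-alone use: sh audit.sh <base home directory>
if [ "$#" -gt 0 ]; then
    audit_ri_home "$1"
fi
```

A non-zero exit status makes the script usable as a post-install or scheduled check; each output line names the file, its current mode, and the mode it must not exceed.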