Oracle® Retail Merchandising Security Guide
Release 15.0
E65442-01

13 Operational Insights Security Overview

The following topics are covered in this chapter:

Operational Insights Reporting Tool - Oracle BIEE

The standard reporting tool for Operational Insights is Oracle Business Intelligence Enterprise Edition (BIEE). These reports are integrated within the ReSA/ReIM/Allocation application ADF UI to give insight into sales audit functional areas using visualizations (charts, graphs, and so on) of the OBIEE tool.

Operational Insights Security Overview

The operational insights security features are as follows:

  1. Operational Insights uses Oracle Business Intelligence Enterprise Edition (BIEE) to allow the right content to be shown to the right user. All components of Oracle Business Intelligence Enterprise Edition are fully integrated with Oracle Fusion Middleware security architecture. For more information, see http://docs.oracle.com/cd/E14571_01/bi.1111/e10543/intromartin.htm#CJHJFIGE.

  2. Single Sign-On (SSO) is mandatory for Operational Insights dashboards and reports in production environments because, in addition to dashboard reports, Operational Insights provides contextual BI reports and in-context launches into Retail Merchandising Fusion Application screens. Because accessing the Operational Insights reports from the Retail Merchandising Fusion Application UI without SSO poses a security risk, the use of integrated Operational Insights reports in a Retail Merchandising Fusion Application UI (ReSA, Allocation, and so on) without SSO is not supported in this release. In the absence of SSO, the Operational Insights dashboard can be accessed in a standalone Oracle Business Intelligence Enterprise Edition (OBIEE) environment. The use of the Operational Insights contextual reports in a standalone OBIEE environment is not supported because they depend on certain input parameters from Merchandising applications such as ReSA, Allocation, and ReIM.

  3. Security in Operational Insights is classified into the following types. One can choose to enhance the Oracle Retail Operational Insights security implementation based on the requirements.

    • Application Security: Operational Insights is built with role-based access. Permissions are associated with roles the user is assigned to. You can choose to enhance the implementation based on the requirements.

    • Data-level Security: It controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI answers, and so on) based on the user's association to data in the Retail Merchandising Fusion Application. For more information on implementation of data-level security in Operational Insights, see section Data-Level Security in Operational Insights.

    • Object-level Security: Access to Oracle BI Presentation Services objects, such as dashboards, pages, reports and Web folders, is controlled using application roles. For more information on implementation of object-level security in Operational Insights, see section Object-Level Security in Operational Insights.

Data-Level Security in Operational Insights

This section describes the data-level security features in Operational Insights.

Oracle Retail Operational Insights reports leverage the RMS data authorization infrastructure. For more information, see Security Features of the Application under Chapter 10.

Data-level security is implemented for Operational Insights by setting the user's context. The context is set when the user views the report, which ensures that a user can view data only in line with the user's access levels.

The user's context is set by calling the package set_APP_CTX in the connection scripts of OBIEE, which lets the reports leverage the RMS security views and filter_policy_SQL for data authorization, as depicted in Figure 13-1.

For more information, see Post Installation - Application Administration under Chapter 11.

Figure 13-1 Oracle BI Administration Tool

  • ReSA Data-level Security: Users can view data only for their assigned stores on the Sales Audit dashboard page, and for all of the user's stores in the contextual reports.

    The user's assigned stores are retrieved by the following SQL:

    Select 'AssignedStores',STORE from LOC_TRAITS_MATRIX,SA_USER_LOC_TRAITS
    where SA_USER_LOC_TRAITS.LOC_TRAIT=LOC_TRAITS_MATRIX.LOC_TRAIT
    and USER_ID='VALUEOF(NQ_SESSION.USER)' 
    
  • ReIM Data-level Security: ReIM reports support only location security, and the user views data only for the locations and invoices to which the user is assigned.

  • Allocation Data-level Security: When Allocation reports are reported at the location and item hierarchy level, the corresponding security is applied, and the user sees data only for the locations and items the user has access to.
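
The ReSA assigned-stores query above, run against an in-memory SQLite database to show how it scopes rows per user. This is an added example, not Oracle code: the rows, the user names and the DEMO_STORE_SALES table are constructed, and a bound parameter stands in for the OBIEE session variable VALUEOF(NQ_SESSION.USER).

```python
import sqlite3

# The page's query, with a bound parameter standing in for VALUEOF(NQ_SESSION.USER).
ASSIGNED_STORES_SQL = """
SELECT 'AssignedStores', STORE
FROM LOC_TRAITS_MATRIX, SA_USER_LOC_TRAITS
WHERE SA_USER_LOC_TRAITS.LOC_TRAIT = LOC_TRAITS_MATRIX.LOC_TRAIT
  AND USER_ID = ?
"""

def build_sample_db():
    """Constructed rows; only the two table names and their columns come from the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE LOC_TRAITS_MATRIX (LOC_TRAIT INTEGER, STORE INTEGER);
        CREATE TABLE SA_USER_LOC_TRAITS (USER_ID TEXT, LOC_TRAIT INTEGER);
        -- Hypothetical fact table, used only to show the effect of the filter.
        CREATE TABLE DEMO_STORE_SALES (STORE INTEGER, AMOUNT INTEGER);
        INSERT INTO LOC_TRAITS_MATRIX VALUES
            (10, 1001), (10, 1002), (20, 1002), (20, 1003), (30, 1004);
        INSERT INTO SA_USER_LOC_TRAITS VALUES
            ('AUDITOR_A', 10), ('AUDITOR_A', 20), ('AUDITOR_B', 30);
        INSERT INTO DEMO_STORE_SALES VALUES
            (1001, 500), (1002, 700), (1003, 200), (1004, 900);
    """)
    return conn

def assigned_stores(conn, user_id):
    rows = conn.execute(ASSIGNED_STORES_SQL, (user_id,)).fetchall()
    # Store 1002 carries two of AUDITOR_A's traits, so the join returns it twice;
    # the set removes the duplicate.
    return sorted({store for _name, store in rows})

def visible_sales(conn, user_id):
    stores = assigned_stores(conn, user_id)
    if not stores:
        return []  # no assigned stores means no rows, never "all rows"
    marks = ",".join("?" * len(stores))
    sql = (f"SELECT STORE, AMOUNT FROM DEMO_STORE_SALES "
           f"WHERE STORE IN ({marks}) ORDER BY STORE")
    return conn.execute(sql, stores).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    for user in ("AUDITOR_A", "AUDITOR_B", "NO_SUCH_USER"):
        print(user, assigned_stores(db, user), visible_sales(db, user))
```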

Object-Level Security in Operational Insights

This section describes the object-level security features in Operational Insights and covers the following topics:

  • Metadata Object-Level Security (Repository Groups)

  • Metadata Object-Level Security (Presentation Services)

Metadata Object-Level Security (Repository Groups)

Application roles control access to metadata objects, such as subject areas, tables, and columns. For example, certain Operational Insights roles may be configured to not have access to view or edit certain presentation tables. The metadata object security is configured in the Oracle BI Repository, using the Oracle BI Administration Tool. Because the out-of-the-box security configuration for Oracle Retail Operational Insights gives ad hoc reporting access only to the administrator role, no security filters are set up in the Oracle BI Repository for Operational Insights. This can be customized based on individual implementation requirements.

Metadata Object-Level Security (Presentation Services)

Access to Oracle BI Presentation Services objects, such as dashboards and pages, reports, and Web folders, is controlled using Presentation Services groups. Presentation Services groups are customized in the Oracle BI Presentation Services interface. For detailed information about Presentation Services groups, see the Oracle Business Intelligence Presentation Services Administration Guide.

Operational Insights Pre-packaged Roles and Permission Grants

Once Operational Insights and ReSA are installed and configured and the system-jazn file is deployed as per the Oracle Installation Guide, the following OI application roles are deployed in Enterprise Manager and mapped to their corresponding MOM application groups.

Figure 13-2 OI Application Roles


The following list provides details of OI roles, the corresponding MOM application groups and details on access to Retail Merchandising Fusion Application. For more information on how to set-up groups, see the Oracle® Fusion Middleware-Security Guide for Oracle Business Intelligence Enterprise Edition:

Table 13-1 OI Roles and MOM Groups

OI/OBIEE Roles                        Application Group                         Allocation  ReIM  ReSA
------------------------------------  ----------------------------------------  ----------  ----  ----
Finance Manager                       FINANCE_MANAGER_JOB                                   Yes
Accounts Payable Specialist           ACCOUNTS_PAYABLE_SPECIALIST_JOB                       Yes
ReIM Application Administrator        REIM_APPLICATION_ADMINISTRATOR_JOB                    Yes
Allocation Manager                    ALLOCATION_MANAGER_JOB                    Yes
Allocator                             ALLOCATOR_JOB                             Yes
Allocation Application Administrator  ALLOCATION_APPLICATION_ADMINISTRATOR_JOB  Yes
Sales Audit Analyst                   SALES_AUDIT_ANALYST_JOB                                     Yes
Sales Audit Manager                   SALES_AUDIT_MANAGER_JOB                                     Yes
ReSA Application Administrator        RESA_APPLICATION_ADMINISTRATOR_JOB        Yes

Following are the default OBIEE roles in addition to the above mentioned roles that are packaged with Operational Insights code:

  • BI System

  • BI Administrator: Has access to the reports of all applications. It is the only role that has access to Answers for ad hoc analysis.

  • BI Author

  • BI Consumer


Note:

Each default group is preconfigured to use the appropriate default application role. For example, the default group named BIAuthors is assigned to the default application role named BIAuthor. In other words, any users that you add to the default group named BIAuthors automatically have the privileges required to create reports and perform related duties.

If you want to create a more complex or fine grained security model, you can create your own application roles and application policies as described in this section. You can create application roles based on default preconfigured application policies, or you can create your own application policies.

For more information on Security, see http://docs.oracle.com/cd/E14571_01/bi.1111/e10543/intromartin.htm#CJHJFIGE.

Application Specific Feature Administration

By default the following permissions are given to users to access files packaged with Operational Insights once installation is completed:

  • All configuration files should at least have 660 permission

  • All static data (csv files) should at least have 640 permission

Based on the permissions above, in addition to the owner (the installer user), group members can read and modify the configuration files and read the static files. A user outside the group cannot do anything to Operational Insights files; the Administrator must explicitly grant permission to users outside the group.
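
One way to check an installed tree against the modes listed above, as an added example that is not part of the Oracle guide. It assumes 660 and 640 are ceilings (consistent with users outside the group having no access), that *.csv files are the static data and every other regular file is configuration, and it uses constructed file names.

```python
import os
import stat
import tempfile

# Ceilings taken from the page: 660 for configuration files, 640 for static CSV data.
MAX_MODE = {"config": 0o660, "static": 0o640}

def classify(path):
    # Assumption: *.csv is static data, every other regular file is configuration.
    return "static" if path.lower().endswith(".csv") else "config"

def audit_tree(root):
    """Return (relative path, mode, excess bits) for files looser than the ceiling."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            mode = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
            excess = mode & ~MAX_MODE[classify(full)]
            if excess:
                rel = os.path.relpath(full, root)
                findings.append((rel, format(mode, "03o"), format(excess, "03o")))
    return sorted(findings)

def make_sample_tree():
    """Constructed sample: two compliant files and two that are too permissive."""
    root = tempfile.mkdtemp(prefix="oi_perm_demo_")
    sample = {
        "conf/oi.properties": 0o660,   # compliant
        "conf/db.properties": 0o664,   # readable by users outside the group
        "data/stores.csv": 0o640,      # compliant
        "data/calendar.csv": 0o660,    # static data writable by the group
    }
    for rel, mode in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)  # exact mode, independent of the umask
    return root

if __name__ == "__main__":
    for rel, mode, excess in audit_tree(make_sample_tree()):
        print(f"{rel}: mode {mode}, excess bits {excess}")
```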