Configuring What Users Can See and Do

Administrators assign application roles to determine what other users can see and do in Oracle Analytics Cloud.

Getting Started with Application Roles

Administrators configure what users see and do in Oracle Analytics Cloud from the Administer Users and Roles page in the Console. This page presents user information in 3 different views:

Users and Roles Page Description

Users tab

Shows users from the identity domain associated with your service.

You can add users, delete users, and assign users one or more application roles in Oracle Analytics Cloud.

Roles tab

Shows roles from the identity domain associated with your service.

You can add and remove roles (groups of users), and assign them to one or more application roles in Oracle Analytics Cloud.

From the Roles tab you can also see who belongs to each role.

Application Roles tab

Shows predefined application roles for Oracle Analytics Cloud together with any custom application roles you define.

From the Application Roles tab you can assign application roles to multiple users, roles, and other application roles. You can also create application roles of your own and assign privileges to them through other application roles.

Adding Members to Application Roles

Application roles determine what people are allowed to see and do in Oracle Analytics Cloud. It’s the administrator’s job to assign appropriate application roles to everyone using the service and to manage the privileges of each application role.

You can make individuals (users) and groups of users (roles) from your identity domain members of an application role. You can add other application roles as members too. See About Application Roles.

Remember:

  • Members inherit the privileges of an application role.
  • Application roles inherit privileges from their parent (application roles).

You select members for an application role or change parent privileges using the Console.

  1. Click Console.
  2. Click Service Administration, and then click Administer Users and Roles.
  3. Click the Application Roles tab.
  4. To display all available application roles, leave the Search field blank and Show Members: All.
    To filter the list by name, enter all or part of an application role name in the Search filter and press Enter. The search is case-insensitive, and searches both name and display name.
  5. Look in the Members area to see who belongs to each application role:
    The number of users, roles, and application roles that are members displays on the page. Click a number, such as 5 in this image, to see those members in more detail (either users, roles or application roles).
  6. To add new members or remove members from an application role:
    1. Click Members.
    2. Select either users, roles, or application roles from the Type box and click Search to show the current members.
    3. Use the shuttle controls to move members between the Available and All Selected list.

      Some application roles aren't eligible to be members and these are grayed. For example, you can’t select a parent application role to be a member.

      Note:

      Users marked ‘absent’ no longer have an account in your identity domain. To remove absent users, use the shuttle control to move the user from the All selected users list to the Available users list.

    4. Click OK.
  7. To see whether an application role, such as Sales Analyst, inherits privileges from other application roles:
    1. Click the action menu.
    2. Select Manage Application Roles.

      Inherited privileges are displayed in the Selected Application Roles pane.

  8. To add or remove privileges:
    1. Click Search to display all available application roles.
      Alternatively, enter all or part of an application role name and click Search.
    2. Use the shuttle controls to move application roles between the Available Application Roles list and the Selected Application Roles list.

      You can’t select application roles that are grayed out. Application roles are grayed out so you can’t create a circular membership tree.

    3. Click OK.

Why Is the Administrator Application Role Important?

You need the BI Service Administrator application role to access administrative options in the Console.

There must always be at least one person in your organization with the BI Service Administrator application role. This ensures there is always someone who can delegate permissions to others. If you remove yourself from the BI Service Administrator role you’ll see a warning message. Consider adding yourself back to the this application role before you sign out. After you sign out, you won’t be allowed to manage permissions through the Console to reinstate yourself.

Assigning Application Roles to Users

The Users page lists all the users who can sign in to Oracle Analytics Cloud. The list of names comes directly from the identity domain associated with your service. It’s the administrator’s job to assign users to appropriate application roles.

  1. Click Console.
  2. Click Service Administration, and then click Administer Users and Roles.
  3. Click the Users tab.
  4. To show everyone, leave the Search field blank and click Show Members: All.
    To filter the list by name, enter all or part of a user name in the Search filter and press enter. The search is case-insensitive, and searches both name and display name.
  5. To see what application roles are assigned to a user:
    1. Select the user.
    2. Click the action menu and select Manage Application Roles.
    The user’s current application role assignments are displayed in the Selected Application Roles pane.

    For example, this image shows a user called Ed Ferguson assigned with the Sales Analysts application role.

  6. To assign additional application roles or remove current assignments:
    1. Show available application roles. Click Search to display all the application roles.
      Alternatively, filter the list by Name and click Search.
    2. Use the shuttle controls to move application roles between the Available Application Roles list and the Selected Application Roles list.
    3. Click OK.

Assigning Application Roles to Multiple Users Through Roles

The Roles page shows you all the roles that people signing in belong to in their identity domain. The list of roles comes directly from the identity domain associated with your service. It’s often quicker to assign privileges to multiple users through their predefined identity domain roles, than it is to assign privileges to users one by one.

You can assign application roles from the Roles page. You can also see who belongs to each role.

  1. Click Console.
  2. Click Service Administration, and then click Administer Users and Roles.
  3. Click the Roles tab.
  4. Look in the Members area to see who belongs to each role:
    The number of users and roles that are members are displayed on the page. Click a number, such as 1 in this image, to see the members in more detail.
  5. To display all available roles, leave the Search field blank and Show Members: All.
    To filter the list by name, enter all or part of a role name in the Search filter and press enter. The search is case-insensitive, and searches both name and display name.
    Alternatively, use the Show Members filter to list roles that are members of a particular application role or belong to another role.
  6. To see the current application roles assignments:
    1. Select the role.
    2. Click the action menu and select Manage Application Roles.
    Current application role assignments display in the Selected Application Roles pane.
  7. To assign additional application roles or remove them:
    1. Click Search to display all available application roles.
      Alternatively, enter all or part of an application role name and click Search.
    2. Use the shuttle controls to move application roles between the Available Application Roles list and the Selected Application Roles list.
    3. Click OK.

Adding Your Own Application Roles

Oracle Analytics Cloud provides a set of predefined application roles. You can also create application roles of your own to suit your own requirements.

For example, you can create an application role that only allows a select group of people to view specific folders or projects.

  1. Click Console.
  2. Click Service Administration, and then click Administer Users and Roles.
  3. Click the Application Roles tab.
  4. Click Add.
  5. Enter a name and describe the application role. Click Save.
    Initially, new application roles don't have any members or privileges.
  6. Add members to the application role:
    1. Click the action menu.
    2. Select Manage Members.
    3. Select the members (users, roles or application roles) that you want assigned to this application role and move them to the Selected pane on the right.
      For example, you might want an application role that restricts access to everyone in your organization, except sales managers. To do this, move anyone who is a sales manager, to the Selected pane.
    4. Click OK.
  7. Optionally, add privileges to the new application role:
    1. Click the action menu.
    2. Select Manage Application Roles.
    3. Click Search.
    4. Move all the application roles you want this application role to inherit to the Selected Application Roles pane, and click OK.

Deleting Application Roles

You can delete application roles that you created but no longer need.

  1. Click Console.
  2. Click Service Administration, and then click Administer Users and Roles.
  3. Click the Application Roles tab.
  4. Navigate to the application role you want to delete.
  5. Click the action menu for the application role you want to delete and select Remove.
  6. Click OK.

Adding One Predefined Application Role to Another (Advanced)

Oracle Analytics Cloud provides several predefined roles: BI Service Administrator, BI Data Model Author, BI Data Load Author, BI Content Author, DV Content Author, DV Consumer, BI Consumer. There are very few, advanced use cases where you might want to permanently include one predefined application role in another.

Any changes that you make to predefined application roles are permanent, so don’t perform this task unless you need to.

  1. Click Console.
  2. Click Service Administration, and then click Manage Snapshots.
  3. Click New Snapshot to take a snapshot of your system before the change.
    The only way you can revert predefined application role changes is to restore your service from a snapshot taken before the change.
  4. Go back to the Console, click Service Administration, and then click Administer Users and Roles.
  5. Click the Application Roles tab.
  6. Click the action menu for the predefined application role you want to change and select Add Predefined Member (Advanced).
  7. Click Yes to confirm that you’ve taken a snapshot and want to continue.
  8. Select the predefined application role that you want to add.
    You can select only one application role.
  9. Click Yes to confirm that you’ve taken a snapshot and want to permanently change the predefined application role.