About Object Permissions
You can use object permissions to configure data filters for objects in the logical layer by using functional groups for multiple application roles.
The object permissions you set determine the security rules that Oracle Analytics applies to client queries. These permissions can't be breached, even when the Logical SQL query is modified.
To set up object permissions:
-
Select individual objects such as subject areas, presentation tables, or presentation columns in the presentation layer and assign data access for specific application roles.
-
Select individual objects in the logical layer and use data filters to specify functional groups when multiple application roles have different levels of access to the same object.
Set up object permissions for application roles when you want to define data access permissions for a set of objects that are common to users assigned the specific application role.
-
If an application role has permissions on an object from multiple sources, for example, explicitly and through one or more additional application roles, the permissions are applied based on the order of precedence.
-
If you explicitly deny access to an object that has child objects, application roles are denied access to the child objects. For example, if you explicitly deny access to a particular logical table, you're implicitly denying access to all of the logical columns associated with that table.
-
It's best practice to not put sensitive data like passwords in session or semantic model variables. Object permissions don't apply to semantic model and session variables, so values in these variables aren't secure. Anyone who knows or can guess the name of the variable can use it in an expression in Oracle Analytics or in a Logical SQL query.
-
The AuthenticatedUser is the default application role associated with new semantic model objects, which means that any authenticated user has read access to new semantic model objects.
The AuthenticatedUser application role is internal to the semantic model and doesn't display in the semantic modeler user interface. You can override the AuthenticatedUser application role's access at the object level. For example, in a subject area's permissions.