Work With Object Permissions

This topic provides information to help you understand and set up semantic model object permissions.

About Object Permissions

You can use object permissions to configure data filters for objects in the logical layer by using functional groups for multiple application roles.

The object permissions you set determine the security rules that Oracle Analytics applies to client queries. These permissions can't be breached, even when the Logical SQL query is modified.

To set up object permissions:

  • Select individual objects such as subject areas, presentation tables, or presentation columns in the presentation layer and assign data access for specific application roles.

  • Select individual objects in the logical layer and use data filters to specify functional groups when multiple application roles have different levels of access to the same object.

Set up object permissions for application roles when you want to define data access permissions for a set of objects that are common to users assigned the specific application role.

  • If an application role has permissions on an object from multiple sources, for example, explicitly and through one or more additional application roles, the permissions are applied based on the order of precedence.

  • If you explicitly deny access to an object that has child objects, application roles are denied access to the child objects. For example, if you explicitly deny access to a particular logical table, you're implicitly denying access to all of the logical columns associated with that table.

  • It's best practice to not put sensitive data like passwords in session or semantic model variables. Object permissions don't apply to semantic model and session variables, so values in these variables aren't secure. Anyone who knows or can guess the name of the variable can use it in an expression in Oracle Analytics or in a Logical SQL query.

  • The AuthenticatedUser is the default application role associated with new semantic model objects, which means that any authenticated user has read access to new semantic model objects.

    The AuthenticatedUser application role is internal to the semantic model and doesn't display in the semantic modeler user interface. You can override the AuthenticatedUser application role's access at the object level, for example, in a subject area's permissions.

About Permission Inheritance for Application Roles

Application roles can have permissions granted through membership in other application roles.

Permissions granted explicitly to an application role take precedence over any permissions granted through other application roles.

If multiple application roles act on an application role at the same level with conflicting security attributes, then the application role is granted the least restrictive security attribute. Oracle currently requires that the application role with access to an object also have access to the object's container. For example, if ApplicationRole1 has permission to access Column A, which is part of Table B, then ApplicationRole1 must also have permission to access Table B.
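The following added example (not Oracle code, and not how Oracle Analytics is implemented) is a simplified model of the rules above that you can use to review a role design on paper: an explicit permission wins over inherited ones, conflicts between inherited permissions resolve to the least restrictive, and access to an object also needs access to its container. The role names, object names, and data structures are hypothetical, and treating a missing container permission as blocking is an assumption of the model.

```python
from enum import IntEnum

class Perm(IntEnum):          # higher value = less restrictive
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2

# Constructed sample data; every role and object name is hypothetical.
MEMBER_OF = {                 # role -> roles it is a member of
    "Analyst": ["Sales", "Finance"],
    "Auditor": ["Finance"],
    "Sales": [],
    "Finance": [],
}
CONTAINER = {"TableB.ColumnA": "TableB"}   # object -> its container
GRANTS = {                    # (role, object) -> explicitly set permission
    ("Sales", "TableB"): Perm.READ_ONLY,
    ("Finance", "TableB"): Perm.NO_ACCESS,
    ("Sales", "TableB.ColumnA"): Perm.READ_WRITE,
    ("Finance", "TableB.ColumnA"): Perm.READ_ONLY,
    ("Auditor", "TableB.ColumnA"): Perm.READ_ONLY,
}

def role_permission(role, obj, _seen=None):
    """Permission a role holds on one object, ignoring its container."""
    seen = _seen or set()
    if role in seen:          # guard against circular role membership
        return None
    seen = seen | {role}
    explicit = GRANTS.get((role, obj))
    if explicit is not None:
        return explicit       # explicit beats anything inherited
    inherited = [p for parent in MEMBER_OF.get(role, [])
                 if (p := role_permission(parent, obj, seen)) is not None]
    # Conflicting inherited permissions: the least restrictive one applies.
    return max(inherited) if inherited else None

def effective_access(role, obj):
    """role_permission plus the container rule; None means no grant found."""
    perm = role_permission(role, obj)
    container = CONTAINER.get(obj)
    if perm in (None, Perm.NO_ACCESS) or container is None:
        return perm
    # Assumption: a missing or denied container permission blocks the child.
    if effective_access(role, container) in (None, Perm.NO_ACCESS):
        return Perm.NO_ACCESS
    return perm
```

In this sample, Auditor holds an explicit Read Only permission on the column but inherits No Access on TableB from Finance, so the model reports the column permission as ineffective, which is the kind of inconsistency worth catching in a review.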

Set Up Presentation Object Permissions

Add application roles and permissions to secure a presentation object.

The permissions that you set for an object are inherited by its child objects. You can change the child object's permissions to override its parent object's permissions. For example, if you set permissions on a subject area, then you can set permissions on a table or column to override the corresponding subject area's permissions.

Note:

You can use bulk update to set the permissions for multiple presentation objects at the same time. See Set Semantic Model Object Permissions in Bulk.

These are the role permissions that you can set for a presentation object:
  • Read-Write - Provides both read and write access to the object.
  • Read Only - Allows only read access to the object.
  • No Access - Denies all access to the object.

  1. On your home page, click Navigator and then click Semantic Models.
  2. In the Semantic Models page, click a semantic model to open it.
  3. Click Presentation Layer.
  4. In the Presentation Layer pane, locate and double-click the object that you want to assign permissions to.
  5. Click the Permissions tab.
  6. In Add, search for and select the application role that you want to set permissions for.
  7. Choose a permission for the application role.
  8. Click Save.