20Security and Reporting

This chapter contains the following:

Security for Sales Analytics and Reports

Analytics are available throughout the sales application as embedded analytics and also in standalone mode by way of the transactional work areas. Sales users interact with information in Oracle BI Applications and Oracle Transactional Business Intelligence using Oracle Business Intelligence Enterprise Edition (Oracle BI EE) components, such as Dashboards.

The analytics and reports that are delivered with the sales application are secured based on the roles that use each report. For example, sales managers can access sales analytics and reports that salespeople don't have access to. If you want to create new analytics or reports or edit existing ones, you should become familiar with sales security concepts and how access is secured to Oracle Transactional Business Intelligence subject areas, Oracle BI Presentation Catalog folders, and Oracle Business Intelligence reports.

Subject Areas

Subject areas are functionally secured using duty roles. The supplied user roles include the necessary duty roles to access the Oracle Business Intelligence content. The names of duty roles that grant access to subject areas include the words Transaction Analysis Duty (for example, Sales Managerial Transaction Analysis Duty). Access to a subject area is needed to run or create reports for that subject area.

Business Intelligence Catalog Folders

BI Presentation Catalog folders are functionally secured using the same duty roles that secure access to the subject areas. Therefore, a user who inherits the Sales Managerial Transaction Analysis Duty can access both the Sales Manager folder in the BI Presentation Catalog and the Sales Manager subject areas.

Business Intelligence Reports

Analyses are secured based on the folders in which they're stored. If you haven't secured BI reports using the report permissions, then they're secured at the folder level by default. You can set permissions against folders and reports for roles, catalog groups, or users.

Information about Security and Reporting

When you receive your sales application, access to its functionality and data is secured using role-based access control. For more information about creating and securing reports, see the following guides on the Oracle Help Center at http://docs.oracle.com:

  • Oracle CX Security Reference for CX Sales and B2B Service

    Describes the sales application security reference implementation and includes descriptions of all the predefined data that is included in the security reference implementation for an offering.

  • Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition

    Provides information about using Transactional Analysis Duty roles to secure access to the Business Intelligence catalog.

  • Oracle CX Sales Creating and Administering Analytics

    Explains how to view and work with analytics and reports.

Permissions for Catalog Objects

The Business Intelligence Catalog stores business intelligence objects such as dashboards, dashboard pages, folders, and analyses. Users can view only the objects for which they are authorized. Note that the owner of an object or folder cannot automatically access the object or folder. To access an object or folder, the user must have the proper permission assigned in the object or folder's permission dialog.

What Are Permissions?

An object's owner or a user who has been given the proper privileges and permissions can assign permissions to catalog objects. Permissions are authorizations that you grant to a user or role to perform a specific action or group of actions on a catalog object. For example, if you work in the sales department and created a dashboard that contains quarterly sales projections, then you can give read access to this dashboard to all sales people, but give read, write, and delete access to sales directors and vice presidents.

Note: Permissions are a part of the Oracle BI EE security model, and how permissions are initially assigned is based on how users, roles, and groups were set up on your application, and which privileges the Oracle BI EE administrator granted those users, roles, and groups.

Permission Definitions

To control access to objects (such as a folder in the catalog or a section in a dashboard), you assign permissions to roles, catalog groups, and users. The permissions that you can assign vary depending on the type of object with which you are working.

The following table shows the main types of permissions encountered for sales users:

Permission Definition

Full Control

Use this option to give authority to perform all tasks (modify and delete, for example) on the object.

Modify

Use this option to give authority to read, write, and delete the object.

Traverse

Use this option to give authority to access objects within the selected folder when the user does not have permission to the selected folder. Access to these objects is required when the objects in the folder, such as analyses, are embedded in a dashboard or Oracle WebCenter Portal application page that the user has permission to access.

For example, if you grant users the Traverse permission to the /Shared Folders/Test folder, then they can access objects, through the BI Presentation Catalog or embedded in dashboards or Oracle WebCenter Portal application pages, stored in the/Shared Folders/Test folder and stored in sub-folders, such as the /Shared Folders/Test/Guest folder. However, users cannot access (meaning view, expand, or browse) the folder and sub-folders from the Catalog.

Open

Use this option to give authority to access, but not modify, the object. If you are working with an Oracle BI Publisher object, this option enables you to traverse the folder that contains the object.

No Access

Use this option to deny access to the object. Explicitly denying access takes precedence over any other permission.

Custom

Use this option to display the Custom Permissions dialog, where you grant read, write, execute, and delete permissions.

For additional information about catalog object permissions, see Oracle Fusion Middleware User's Guide for Oracle Business Intelligence Enterprise Edition on Oracle Help Center at http://docs.oracle.com/.

Transaction Analysis Duty Roles

Oracle Transactional Business Intelligence secures reporting objects and data through a set of delivered OTBI Transaction Analysis Duty roles. These OTBI Transaction Analysis Duty roles control which subject areas and analyses a user can access and what data a user can see in the sales application.

Your administrator can select users, roles, and catalog groups to:

  • Receive the delivery content of an agent.

  • Have permission to access a section or alert section in a dashboard.

  • Add or edit for an existing catalog group.

  • Assign permissions to a catalog object.

For information about setting the necessary security, see Oracle Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

The following is a list of some OTBI Transactional Analysis Duty roles used in the sales application:

  • Partner Channel Transaction Analysis Duty

  • Partner Channel Administrative Transaction Analysis Duty

  • Sales Administrative Transaction Analysis Duty

  • Sales Executive Transaction Analysis Duty

  • Sales Managerial Transaction Analysis Duty

  • Sales Transaction Analysis Duty

  • Incentive Compensation Transaction Analysis Duty

The following table lists analytics and reports available to sales users. It also shows the predefined job roles that can access the different analytics and reports, and the OTBI Transactional Analysis Duty roles that provide the access.

Analytic or Report Name Job Role OTBI Transactional Analysis Duty Role
  • Forecast vs. Quota

  • Sales Stage by Age

  • Sales Performance Trend

  • Top Open Opportunities

Sales VP

Sales Executive Transaction Analysis Duty

  • Forecast Vs Open Pipeline: My Team

  • My Team's Activities (By Type)

  • My Team's Leads

  • My Team's Performance

  • My Team's Pipeline

  • My Team's Tasks on Open Opportunities

  • My Team's Top Open Opportunities

  • Team Leadership Board

  • Top Accounts by My Team's Activities

Sales Manager

Sales Managerial Transaction Analysis Duty

  • My Open Leads by Age

  • My Top Open Opportunities

  • My Forecast vs. Open Pipeline

  • My Open Leads by Source

  • My Open Tasks

  • My Performance

  • My Pipeline

  • My Stalled Opportunities

  • My Top Accounts by Open Opportunities

  • My Unaccepted Leads by Age

  • My Won Opportunities

  • Top Accounts by My Activities

Sales Representative

Sales Transaction Analysis Duty

  • Evaluating My Partners' Pipeline

  • Evaluating My Partners' Quarterly and Yearly Closed Revenue

  • Evaluating My Partners' Current Quarterly Sales

  • Evaluating My Partners' Win Rate

Channel Account Manager

Partner Channel Transaction Analysis Duty

Note: The predefined Transaction Analysis Duty roles provide permissions to view but not create analyses and reports. Permissions to create reports are assigned at the job role level using Business Intelligence roles.

Business Intelligence Roles

Business Intelligence roles apply to both Oracle Business Intelligence Publisher (Oracle BI Publisher) and Oracle Transactional Business Intelligence (OTBI). They grant access to Business Intelligence functionality, such as the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports, subject areas, Business Intelligence catalog folders, and sales data. This topic describes the Business Intelligence roles.

The Business Intelligence roles are described in the following table.

Business Intelligence Role Description

BI Consumer Role

Runs Business Intelligence reports.

BI Author Role

Creates and edits reports.

BI Administrator Role

Performs administrative tasks such as creating and editing dashboards and modifying security permissions for reports, folders, and so on.

BI Publisher Data Model Developer Role

Creates and edits Oracle Business Intelligence Publisher data models.

BI Consumer Role

The predefined OTBI Transaction Analysis Duty roles inherit the BI Consumer Role. You can configure custom roles to inherit BI Consumer Role so that they can run reports but not author them.

BI Author Role

BI Author Role inherits BI Consumer Role. Users with BI Author Role can create, edit, and run OTBI reports. All predefined sales job roles that inherit an OTBI Transaction Analysis Duty role are also assigned the BI Author Role at the job role level, except for the Sales Representative job role which is not assigned the BI Author role.

BI Administrator Role

BI Administrator Role is a superuser role. It inherits BI Author Role, which inherits BI Consumer Role. The predefined sales and service job roles do not have BI Administrator Role access.

BI Publisher Data Model Developer Role

BI Publisher Data Model Developer Role is inherited by the Application Developer role, which is inherited by the Application Implementation Consultant role. Therefore, users with either of these predefined job roles can manage BI Publisher data models.

Configure Security for Oracle Transactional Business Intelligence

Oracle Transactional Business Intelligence secures reporting objects and data through the following types of roles:

  • Reporting objects and data are secured through the predefined OTBI Transactional Analysis Duty roles, for example, Sales Managerial Transaction Analysis Duty. The Transaction Analysis Duty roles control which subject areas and analyses a user can access and what data a user can see.

  • Business Intelligence roles, for example, BI Consumer Role, or BI Author Role. These roles grant access to Business Intelligence functionality, such as the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports and subject areas to create and run reports and view analytics.

You can't copy or modify the Business Intelligence roles or the Transaction Analysis Duty roles provided with the application, or the associated security privileges. In addition, any role with a role code prefix of OBIA, for example, Business Intelligence Applications Analysis Duty (OBIA_ANALYSIS_GENERIC_DUTY), can also not be copied. However, you can configure reporting security according to your security requirements as described in this topic.

Modifying Transaction Analysis Duty Role Assignments

If you want to change the subject areas that users have access to, then create a job role and provide the custom role with the Oracle Transactional Business Intelligence duty roles that provide the required access.

For example, you can create a role that provides access to both partner and sales team subject areas by assigning both the Sales Managerial Transaction Analysis Duty and the Partner Channel Transaction Analysis Duty to the custom role.

Modifying Business Intelligence Role Assignments

The Business Intelligence roles enable users to perform tasks within Business Intelligence tools such as Oracle Business Intelligence Publisher. The default Business Intelligence roles used in the sales application are BI Consumer and BI Author.

The delivered Transaction Analysis Duty roles inherit the BI Consumer Role, which provides view-only access to analyses and reports. You assign the BI Author Role at the job role level, giving you flexibility in granting the BI Author privilege to only those job roles that you want to have access to create and edit analyses and reports.

All predefined sales job roles that inherit a Transaction Analysis Duty role are also assigned the BI Author Role by default, except for the Sales Representative job role. However, you can optionally create copies of the predefined job roles and add or remove the BI Author Role from the custom roles as required.

View Reporting Roles

Viewing reporting roles can help you to understand Oracle Transactional Business Intelligence security. This topic explains how to view the following:

  • The reporting roles that a job role inherits

  • The reporting roles you are assigned

View the Reporting Roles Assigned to a Job Role

To view the OTBI reporting roles that a job role inherits, perform the following steps:

  1. Sign in to the application with the IT Security Manager job role.

  2. Select Navigator > Tools > Security Console.

  3. On the Security Console, search for and select a job role. For example, search for the Sales Manager job role.

    Depending on the enterprise setting, either a graphical or a tabular representation of the role appears. Switch to the tabular view if it doesn't appear by default.

  4. Notice that the Sales Manager job role inherits the BI Author Role directly. The Sales Manager job role also inherits a number of Transaction Analysis Duty roles, such as the Sales Managerial Transaction Analysis Duty role and the Marketing Lead Transaction Analysis Duty role.

  5. Click the Show Graph icon to switch to a graphical view of the Sales Manager job role.

  6. Locate and expand one of the OTBI roles, for example, expand the Sales Managerial Transaction Analysis Duty role.

    Notice that the role inherits the BI Consumer Role. It also inherits the Transactional Analysis Duty role which is required to run queries and reports.

View the Reporting Roles You Are Assigned

To view all of the duty roles that you are assigned, including Business Intelligence roles and Transaction Analysis Duty roles, perform the following steps:

  1. Select Navigator > Tools > Reports and Analytics to open the Reports and Analytics work area.

  2. Click the Browse Catalog icon.

    The Business Intelligence Catalog page opens.

  3. Click your user name in the global header, then select My Account.

  4. Click the Roles and Catalog Groups tab.

    All the duty roles you are assigned are listed, including Transaction Analysis Duty roles and Business Intelligence roles.

  5. Click OK to return to the Business Intelligence Catalog page.

  6. Click Sign Out to return to the Oracle Applications Cloud window.

Display Direct Report Data in Participant Manager Reports

This topic applies only to Incentive Compensation. You must enable the Secure by Manager Hierarchy person security profile before participant managers can see direct report participant data in their business intelligence reports. The application automatically generates and associates data grants using this security profile.

In the Setup and Maintenance work area:

  1. Add the security profile.

  2. Refresh the manager hierarchy.

Add the Security Profile

Only users with either View All HCM Data or IT Security access can do these steps.

  1. In the setup and Maintenance work area, go to the following:

    • Offering: Sales

    • Functional Area: Users and Security

    • Task: Manage Data Role and Security Profiles

  2. Search for roles staring with Incentive.

  3. In the Search Results section, select Incentive Compensation Participant Manager.

  4. On the toolbar, click Assign to open the Assign Data Role: Role Details page.

  5. Click Next to open the Security Criteria page.

  6. In the Person Security Profile field, select View Manager Hierarchy.

  7. Click the Secure by Manager check box if it isn't already selected.

  8. Click Review.

  9. Click Submit to return to the Manage Data Role and Security Profiles page.

  10. Click Done to return to the All Tasks tab.

Refresh the Manager Hierarchy

You must run and schedule the Refresh Manager Hierarchy process to populate the HR Foundation Person tables with the manager hierarchy information. Reporting data is unavailable until you run the process.

  1. On the Navigator menu within Tools, select Scheduled Processes.

  2. On the Search Results section toolbar, click Schedule New Process.

  3. In the Name field, search for and select Refresh Manager Hierarchy.

  4. Click OK to return to Schedule New Process.

  5. Click OK to open Process Details.

  6. Click Submit, which causes the Confirmation to appear.

  7. Click OK to return to Process Details.

  8. Click Cancel to return to the Overview page.

FAQs for Security and Reporting

Can I configure Oracle Transactional Business Intelligence duty roles?

You can't modify the predefined OTBI duty roles or the associated security privileges. But you can configure Oracle Transactional Business Intelligence reporting security by assigning different OTBI duty roles to a custom job role if necessary.