15Security for SCM Analytics and Reports

This chapter contains the following:

Overview of Security for Oracle SCM Cloud Analytics

Security for viewing, creating, and editing Oracle SCM Cloud analytics includes three levels:

  • Access to the folders where the analyses and dashboards are stored

  • Access to the data that you want the analysis or dashboard to return

  • Access to business intelligence functionality

This topic provides an overview of how analyses and dashboards are secured so that you understand what security roles or access you may need to request from your security administrator to create and edit analyses and dashboards.

Access to Subject Areas

Subject areas are functionally secured using duty roles. The names of duty roles that grant access to subject areas include the words Transaction Analysis Duty (for example, Product Transaction Analysis Duty). These duty roles belong to the OBI application.

Access to Analyses and Dashboards in the BI Catalog

To access delivered analyses and dashboards, you access the Business Intelligence Catalog (BI Catalog). The folders in the BI Catalog are functionally secured using the same duty roles that secure access to the subject areas. Therefore, a user who inherits the Workforce Transaction Analysis Duty can access both the Workforce Management folder in the Business Intelligence Catalog and the Workforce Management subject areas. Analyses and dashboards are secured based on the folders in which they're stored. You can set permissions against folders and reports for Application Roles, Catalog Groups, or Users.

Reporting Data

The data that's returned in Oracle Transactional Business Intelligence reports is secured in a similar way to the data that's returned in Oracle SCM Cloud pages. Data access is granted by roles that are linked to security profiles. Each of the Transaction Analysis Duty roles that grants access to subject areas and Business Intelligence Catalog (BI Catalog) folders inherits one or more Reporting Data Duty roles. These duty roles grant access to the data. The Reporting Data Duty roles belong to the SCM application.

Business Intelligence Roles

Business Intelligence roles apply to both Oracle Business Intelligence Publisher (Oracle BI Publisher) and Oracle Transactional Business Intelligence. They grant access to Business Intelligence functionality, such as the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports, subject areas, Business Intelligence catalog folders, and Oracle SCM Cloud data.

Overview of Security for Oracle SCM Cloud Reports

Security for viewing, creating, and editing Oracle Business Intelligence Publisher reports for SCM includes the following concepts:

  • Access to the folders where the reports are stored

  • Access to the data that you want the report to return

  • Access to business intelligence functionality

  • Secured list views

  • Personally identifiable information (PII)

This topic provides an overview of how Business Intelligence Publisher reports are secured so that you understand what security roles or access you must request from your security administrator to create and edit reports.

Access to Reports in the BI Catalog

You can access the delivered reports in the Business Intelligence Catalog (BI Catalog). The folders in the BI Catalog are functionally secured using the same duty roles that secure access to the subject areas. Therefore, a user who inherits the Cost Transaction Analysis Duty can access both the Cost Management folder in the Business Intelligence Catalog and the Cost Management subject areas. Reports are secured based on the folders in which they're stored. You can set permissions against folders and reports for Application Roles, Catalog Groups, or Users.

Functional Area Folder Default Job Role OTBI Transactional Analysis Duty Role

Cost Management

Cost Accountant

Cost Transactional Analysis Duty

Innovation Management

Product Management VP

Product Management VP Real Time Transaction Analysis Duty Role

Order Orchestration and Order Management

Order Administrator

Order Transaction Analysis Duty

Order Orchestration and Order Management

Order Manager

Order Transaction Analysis Duty

Product Management

Product Data Steward

Product Catalog Transaction Analysis Duty

Product Management

Product Manage

Product Catalog Transaction Analysis Duty

Warehouse Operations

Inventory Manager

Inventory Transaction Analysis Duty

Warehouse Operations

Shipping Manager

Order Pick Transaction Analysis Duty

Warehouse Operations

Warehouse Manager

  • Inventory Transaction Analysis Duty

  • Order Pick Transaction Analysis Duty

  • Receiving Transaction Analysis Duty

Reporting Data

The data that's returned in reports is secured in a similar way to the data that's returned in Oracle SCM Cloud pages. Data access is granted by roles that are linked to security profiles. Each of the Transaction Analysis Duty roles that grants access to subject areas and Business Intelligence Catalog (BI Catalog) folders inherits one or more Reporting Data Duty roles. These duty roles grant access to the data. The Reporting Data Duty roles belong to the SCM application.

Business Intelligence Roles

Business Intelligence roles apply to both Oracle Business Intelligence Publisher (Oracle BI Publisher) and Oracle Transactional Business Intelligence. They grant access to Business Intelligence functionality, such as the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports, subject areas, Business Intelligence catalog folders, and Oracle SCM Cloud data.

Secured List Views

When you access data using a BI Publisher data model that uses an SQL Query as the data source, you have two options:

  • Select data directly from a database table, in which case the data you return isn't subject to data-security restrictions. Because you can create data models on unsecured data using BI Publisher, you're recommended to minimize the number of users who can create data models.

  • Join to a secured list view in your select statements. The data returned is determined by the security profiles that are assigned to the roles of the user who's running the report.

PII Data

Personally identifiable information (PII) tables are secured at the database level using virtual private database (VPD) policies. Only authorized users can report on data in PII tables. This restriction also applies to Business Intelligence Publisher (BI Publisher) reports. The data in PII tables is protected using data security privileges that are granted by means of duty roles in the usual way.

Business Intelligence Roles: Explained

Business Intelligence roles apply to both Oracle Business Intelligence Publisher (Oracle BI Publisher) and Oracle Transactional Business Intelligence (OTBI). They grant access to Business Intelligence functionality, such as the ability to run or author reports. Users need one or more of these roles in addition to the roles that grant access to reports, subject areas, Business Intelligence catalog folders, and your data. This topic describes the Business Intelligence roles.

Business Intelligence roles are defined as application roles in Oracle Entitlements Server. This table identifies those roles.

Business Intelligence Role Description

BI Consumer Role

Runs Business Intelligence reports.

BI Author Role

Creates and edits reports.

BI Administrator Role

Performs administrative tasks such as creating and editing dashboards and modifying security permissions for reports, folders, and so on.

BI Publisher Data Model Developer Role

Creates and edits Oracle Business Intelligence Publisher data models.

BI Consumer Role

The predefined OTBI Transaction Analysis Duty roles inherit the BI Consumer Role. You can configure custom roles to inherit BI Consumer Role so that they can run reports but not author them.

BI Author Role

The BI Author Role inherits the BI Consumer Role. Users with BI Author Role can create, edit, and run OTBI reports.

BI Administrator Role

BI Administrator Role is a superuser role. It inherits BI Author Role, which inherits BI Consumer Role.

The predefined Sales Cloud job roles do not have BI Administrator Role access.

BI Publisher Data Model Developer Role

BI Publisher Data Model Developer Role is inherited by the Application Developer role, which is inherited by the Application Implementation Consultant role. Therefore, users with either of these predefined job roles can manage BI Publisher data models.