2 Application Administration
Oracle Retail Insights integrates tightly with Oracle Analytics Server (OAS) so that each user sees only the content they are entitled to.
All components of Oracle Analytics Server are fully integrated with the Oracle Fusion Middleware security architecture. OAS authenticates users through an Oracle WebLogic Server authentication provider against the identity store that holds the user and group information: Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM).
Ensure that you are familiar with the security features of Oracle Analytics Server before you begin working with Oracle BI Applications.
Security settings for Oracle Analytics Server are documented in Managing Security for Oracle Analytics Server.
Security Types
Security in Oracle Retail Insights can be classified into the following types. Retail Insights does not enable these features by default; you implement them as the requirements of your implementation dictate:
-
Data-level security – controls the visibility of data (content rendered in subject areas, dashboards, Oracle BI Answers, and so on) based on the user's association with data in the transactional system.
-
Object-level security – controls the visibility of business logical objects based on the user's role. You can set up object-level security for metadata repository objects, such as subject areas and presentation folders, and for web objects, such as dashboards and dashboard pages, which are defined in the presentation catalog.
Data-Level Security in Retail Insights
This section describes the data-level security features in Retail Insights. Group IDs from the source system control access to particular levels of data, such as a Merchandising Department or an Organization District. You supply the data-level security mapping through the interface files RAF_SEC_USER.dat, RAF_SEC_GROUP.dat, RAF_SEC_USER_GROUP.dat, RAF_FILTER_GROUP_MERCH.dat, and RAF_FILTER_GROUP_ORG.dat:
-
RAF_SEC_USER.dat lists the USER_ID (LDAP ID) of each user whose data access in OBIEE reporting is to be limited.
-
RAF_SEC_GROUP.dat lists the GROUP_IDs defined in the source system.
-
RAF_SEC_USER_GROUP.dat maps users to groups, as defined in the source system.
-
RAF_FILTER_GROUP_MERCH.dat maps a Merchandise hierarchy level and a Merch ID on that level to a GROUP.
-
RAF_FILTER_GROUP_ORG.dat maps an Organization hierarchy level and an Org ID on that level to a GROUP.
-
A user whose USER_ID does not appear in the mapping has unrestricted data access. Every user whose visibility must be limited therefore has to be listed explicitly: an omission widens access rather than restricting it.
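The following Python, an added example that is not part of the Oracle documentation or product, resolves a user's data-level filters from the five interface files and lists the directory users the mapping does not cover. The pipe-delimited layout, the column order, and the user and group names are assumptions made for the example; the real record format is defined by the Retail Insights interface specification, not here.

```python
"""Resolve Retail Insights data-level security from the RAF_* interface files.

Added example, not Oracle code. Assumptions: the .dat files are pipe-delimited
with one record per line and the hypothetical column layouts in COLUMNS; the
user and group names in SAMPLE_FILES are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical column layout per interface file (assumption, not from the guide).
COLUMNS = {
    "RAF_SEC_USER.dat": ["USER_ID"],
    "RAF_SEC_GROUP.dat": ["GROUP_ID"],
    "RAF_SEC_USER_GROUP.dat": ["USER_ID", "GROUP_ID"],
    "RAF_FILTER_GROUP_MERCH.dat": ["HIER_LEVEL", "MERCH_ID", "GROUP_ID"],
    "RAF_FILTER_GROUP_ORG.dat": ["HIER_LEVEL", "ORG_ID", "GROUP_ID"],
}

# Constructed sample content for each file.
SAMPLE_FILES = {
    "RAF_SEC_USER.dat": "jdoe\nasmith\n",
    "RAF_SEC_GROUP.dat": "GRP_APPAREL\nGRP_EAST\n",
    "RAF_SEC_USER_GROUP.dat": "jdoe|GRP_APPAREL\njdoe|GRP_EAST\nasmith|GRP_EAST\n",
    "RAF_FILTER_GROUP_MERCH.dat": "DEPT|1001|GRP_APPAREL\nDEPT|1002|GRP_APPAREL\n",
    "RAF_FILTER_GROUP_ORG.dat": "DISTRICT|50|GRP_EAST\n",
}


def parse_dat(text, columns, sep="|"):
    """Parse one interface file into a list of dicts keyed by column name.

    Rejects rows with the wrong field count instead of silently skipping them:
    a malformed filter row that is dropped would widen, not narrow, access.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(sep)
        if len(fields) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
        records.append(dict(zip(columns, fields)))
    return records


def load_security_model(files):
    """Build the lookups: restricted users, user -> groups, group -> filters."""
    tables = {name: parse_dat(files[name], cols) for name, cols in COLUMNS.items()}
    restricted_users = {r["USER_ID"] for r in tables["RAF_SEC_USER.dat"]}
    known_groups = {r["GROUP_ID"] for r in tables["RAF_SEC_GROUP.dat"]}
    user_groups = defaultdict(set)
    for r in tables["RAF_SEC_USER_GROUP.dat"]:
        if r["GROUP_ID"] not in known_groups:
            raise ValueError(f"{r['USER_ID']} is mapped to undefined group {r['GROUP_ID']}")
        user_groups[r["USER_ID"]].add(r["GROUP_ID"])
    merch = defaultdict(set)
    for r in tables["RAF_FILTER_GROUP_MERCH.dat"]:
        merch[r["GROUP_ID"]].add((r["HIER_LEVEL"], r["MERCH_ID"]))
    org = defaultdict(set)
    for r in tables["RAF_FILTER_GROUP_ORG.dat"]:
        org[r["GROUP_ID"]].add((r["HIER_LEVEL"], r["ORG_ID"]))
    return {"users": restricted_users, "user_groups": user_groups,
            "merch": merch, "org": org}


def resolve_filters(model, user_id):
    """Return the merchandise and organization filters that apply to a user.

    Returns None when the user is not listed in RAF_SEC_USER.dat: per the guide,
    such a user has unrestricted data access.
    """
    if user_id not in model["users"]:
        return None
    groups = model["user_groups"].get(user_id, set())
    return {
        "merch": set().union(*(model["merch"].get(g, set()) for g in groups)),
        "org": set().union(*(model["org"].get(g, set()) for g in groups)),
    }


def unrestricted_users(model, directory_users):
    """Users present in the identity store but absent from RAF_SEC_USER.dat.

    Every one of them sees all data, so review this list before go-live."""
    return sorted(set(directory_users) - model["users"])


if __name__ == "__main__":
    model = load_security_model(SAMPLE_FILES)
    for user in ("jdoe", "asmith", "bwayne"):
        print(user, resolve_filters(model, user))
    print("unrestricted:", unrestricted_users(model, ["jdoe", "asmith", "bwayne"]))
```

The unrestricted_users check exists because of the fail-open default described above: it takes the user list from the identity store (here a constructed list) and reports everyone who will see all data because they are missing from RAF_SEC_USER.dat. Run it against the real export before each load of the interface files.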
Object-Level Security in Retail Insights
This section describes the object-level security features in Retail Insights. It contains the following topics:
-
Metadata Object-Level Security (Repository Groups)
-
Metadata Object-Level Security (Presentation Services)
Metadata Object-Level Security (Repository Groups)
Application roles control access to metadata objects such as subject areas, tables, and columns. For example, some Retail Insights roles may not be allowed to view certain presentation tables. Metadata object security is configured in the Oracle BI Repository using the Oracle BI Administration Tool: the Authenticated User group is denied access to some of the presentation tables, and only the related roles have explicit read access. The same approach can be extended to subject areas and columns.
Note:
By default in Oracle Retail Insights, only permissions at the presentation tables level have been configured.
For the full list of Retail Insights application roles and the associated enterprise roles, refer to the Oracle Retail Insights Administration Guide. You must create these enterprise roles in your authentication provider, such as WebLogic, Oracle Identity Cloud Service (IDCS), or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). For information on how to set up roles, refer to the Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition. In new Retail Insights Cloud Service environments, the default set of enterprise roles is created in IDCS or OCI IAM and should be assigned to users and groups following the instructions in the Oracle Retail Insights Cloud Service Suite Administration Guide.
Except for core presentation tables available to all roles (such as the Item dimension), presentation tables are hidden by default unless the user holds the specific role required for that table. This permission structure gives strict control over which users can access data from the different areas of RI according to their business needs. Note that the Retail Analyst role is a super-user role with visibility of all presentation tables; grant it only to system administrators and implementers.
Metadata Object-Level Security (Presentation Services)
Access to Oracle BI Presentation Services objects, such as dashboards and pages, reports, and web folders, is controlled using Presentation Services groups, which are customized in the Oracle BI Presentation Services interface. For detailed information about Presentation Services groups, see the Oracle Business Intelligence Presentation Services Administration Guide.
By default, Retail Insights users have write access to only two folders in the presentation catalog:
-
My Folders (personal storage for each user)
-
Shared Folders > Custom (business objects which can be shared with the company)
All other folders, reports, dashboards, and related presentation objects in the RI catalog are read-only for business users, who may view the provided objects or copy them into one of their own folders. RI application administrators can set the permissions on objects in Shared Folders > Custom as they see fit, for example by making the folder read-only for other users or by creating a sub-folder for each business group.
Other Common Application Administration
-
Retail Insights front-end clients access data stored in Retail Insights through OAS. The credentials for OAS and for Retail Insights database access are managed by the OAS security system. Some front-end security settings, such as the session timeout, are likewise managed by OAS and WebLogic Server. See Managing Security for Oracle Analytics Server for details.
-
Retail Insights batch users access data stored in Retail Insights through ODI, so the credentials for ODI and for Retail Insights database access are managed by the ODI security system. See the ODI Security Guide for details.
-
Configuration and log file protection
-
Batch process:
To run Retail Insights batch, the batch scripts, source data files, configuration files, and batch log files must be placed under the Retail Insights base home directory. These files are protected by restrictive permissions: none of them is world-readable. Batch scripts have mode 750, configuration files have mode 660, and static data files have mode 640.
-
Front-end process:
The default permission for OAS configuration files and log files is 640.
-
Application Specific Feature Administration
-
Security and data access in Retail Insights go beyond simple role-based associations. Typically, users and groups are associated with roles, and the setup of each role determines which objects its users can access.
-
The Retail Insights batch user is the only user who can run the batch scripts; the batch processes access data sources through the connections managed by ODI.
-
By default, the files packaged with Retail Insights have the following permissions once installation is complete:
-
All Retail Insights scripts should have 750 permission (owner read, write, and execute; group read and execute; no access for others)
-
All configuration files should have 660 permission (owner and group read and write; no access for others)
-
All static data (CSV files) should have 640 permission (owner read and write; group read; no access for others)
With these permissions, besides the owner (the installer user), members of the group can view and execute the scripts, read and modify the configuration files, and read the static data files. A user outside the group can do nothing with the Retail Insights files unless the administrator grants explicit permission.
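As an added example, not part of the Oracle documentation or product, the following POSIX shell audit walks a Retail Insights base home directory and reports any file whose mode differs from the defaults stated above for batch scripts, configuration files and static data, or that is accessible to users outside the group. The extension-based classification of files and the directory path are assumptions; adjust them to your installation's layout.

```shell
#!/bin/sh
# Added example (not Oracle code): audit file modes under a Retail Insights base
# home directory against the documented defaults and flag anything that "other"
# can access. Assumptions: files are classified as script, configuration or
# static data by extension (the guide does not define the layout), and the
# directory to audit is passed as the first argument.

# Octal mode of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Documented default mode for a file class (assumed extension mapping).
expected_mode() {
    case "$1" in
        *.sh|*.ksh)               echo 750 ;;  # batch scripts
        *.cfg|*.properties|*.env) echo 660 ;;  # configuration files
        *.csv)                    echo 640 ;;  # static data files
        *)                        echo "" ;;   # unknown class: world-access check only
    esac
}

# Print one line per file that deviates; prints nothing when everything is clean.
audit_ri_home() {
    find "$1" -type f | while IFS= read -r f; do
        mode=$(file_mode "$f")
        want=$(expected_mode "$f")
        other=${mode#${mode%?}}          # last octal digit: the "other" bits
        problems=""
        if [ "$other" != 0 ]; then
            problems="accessible by others (mode $mode)"
        fi
        if [ -n "$want" ] && [ "$mode" != "$want" ]; then
            problems="${problems:+$problems; }mode $mode, expected $want"
        fi
        if [ -n "$problems" ]; then
            printf '%s: %s\n' "$f" "$problems"
        fi
    done
}

# Exit 0 when the tree is clean, 1 (with the findings printed) otherwise.
ri_perm_check() {
    findings=$(audit_ri_home "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: no permission findings under $1"
}

# Usage: sh ri_perm_audit.sh /path/to/ri_home
if [ "$#" -gt 0 ]; then
    ri_perm_check "$1"
fi
```

Run it as the installer user after installation and after every patch or manual file copy; a copied file picks up the copying user's umask, not the mode of the file it replaces, which is how a world-readable configuration file typically appears in an otherwise locked-down tree.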