Manage Application Roles

Administrators create, modify, and assign application roles to determine what users can see and do in Oracle Analytics Server.

About Application Roles

An application role comprises a set of permissions that determine what users can see and do after signing in to Oracle Analytics Server. It’s your job as an administrator to assign users and groups to one or more application roles.

There are two types of application role:

  • Predefined: Include a fixed set of permissions.
  • User-defined: Created by administrators. See Add Your Own Application Roles.

Predefined Application Roles

Oracle Analytics Server provides several predefined application roles to get you started. In many cases, these predefined application roles are all that you need.

Predefined application roles in Oracle Analytics Server, with their descriptions and default members:

  • BI Service Administrator
    Description: Allows users to administer Oracle Analytics Server and delegate privileges to others using the Console. This application role is assigned all the available permissions.
    Default members: Administrator who created the service

  • DV Content Author
    Description: Allows users to create workbooks, load data for data visualizations, and explore data visualizations.
    Default members: BI Service Administrator

  • BI Content Author
    Description: Allows users to create analyses, dashboards, and pixel-perfect reports in Oracle Analytics Server and share them with others.
    Default members: BI Service Administrator, DV Content Author

  • DV Consumer
    Description: Allows users to explore data visualizations.
    Default members: DV Content Author

  • BI Consumer
    Description: Allows users to view and run reports in Oracle Analytics Server (workbooks, analyses, dashboards, pixel-perfect reports). Use this application role to control who has access to the service.
    Default members: DV Consumer, BI Content Author

  • BI Data Model Author
    Description: Allows users to create and manage semantic models using Semantic Modeler.
    Default members: BI Service Administrator

  • BI Data Load Author
    Description: Not used
    Default members: N/A

You can’t delete predefined application roles or remove default memberships.

Application roles can have users, roles, or other application roles as members. This means that a user who is a member of one application role might indirectly be a member of other application roles.

For example, any member of the BI Service Administrator application role inherits membership of other application roles, such as BI Data Model Author and BI Consumer. This means that any user that is a member of BI Service Administrator can do everything that these other application roles allow. So you don’t need to add a new user (for example, John) to all these application roles. You can simply add the user to the BI Service Administrator application role.

About Permissions

Permissions allow you to perform specific actions in Oracle Analytics Server. Administrators can grant specific permissions to application roles.

Permissions in Oracle Analytics Server

This table lists Oracle Analytics Server permissions.

Category: Catalog

Resource type: Connections

  • Create and Edit Connections
    Description: Create and edit connections.
    Predefined application role: DV Content Author

  • Create and Edit Connections to OCI Data Science with Resource Principal
    Description: Create and edit connections to Oracle Cloud Infrastructure Data Science using a resource principal. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Create and Edit Connections to OCI Document Understanding with Resource Principal
    Description: Create and edit connections to Oracle Cloud Infrastructure Document Understanding using resource principal. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Create and Edit Connections to OCI Functions with Resource Principal
    Description: Create and edit connections to Oracle Cloud Infrastructure Functions using a resource principal. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Create and Edit Connections to OCI Language with Resource Principal
    Description: Create and edit connections to Oracle Cloud Infrastructure Language using a resource principal. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Create and Edit Connections to OCI Vision with Resource Principal
    Description: Create and edit connections to Oracle Cloud Infrastructure Vision using a resource principal. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

Resource type: Data Flows

  • Create and Edit Data Flows
    Description: Create and edit data flows.
    Predefined application role: DV Content Author

  • Create and Edit Sequences
    Description: Create and edit sequences.
    Predefined application role: DV Content Author

Resource type: Datasets

  • Create and Edit Datasets
    Description: Create and edit datasets.
    Predefined application role: DV Content Author

Resource type: Workbooks

  • Create and Edit Watchlists
    Description: Create and edit watchlists.
    Predefined application role: DV Content Author

  • Create and Edit Workbooks
    Description: Create and edit workbooks.
    Predefined application role: DV Content Author

  • Export Workbooks to Documents
    Description: Export workbooks to documents, such as PDF.
    Predefined application role: BI Consumer

  • Schedule Workbooks
    Description: Set up and edit schedules for workbooks. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Schedule Workbooks with Bursting
    Description: Set up and edit schedules for workbooks with bursting. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • Schedule Workbooks with RunAs User
    Description: Set up and edit schedules for workbooks with RunAs user. Not used in Oracle Analytics Server.
    Predefined application role: BI Service Administrator

  • View Navigation Menu
    Description: View the curated list of dashboards and workbooks.
    Predefined application role: BI Consumer

Get Started with Application Roles

Administrators configure what users see and do in Oracle Analytics Server from the Users and Roles page in the Console. This page presents user information in four different views: Users, Groups, Application Roles, Permissions.

Users and Roles Page Description

Groups tab

Lists user groups from the identity domain associated with your Oracle Analytics instance.

From the Groups tab, you can:

  • Discover the members (users or groups) directly assigned to each group.
  • Discover the application roles or any other groups that a group is directly assigned to.
  • Add or remove application roles assigned to a group.

You can’t add or remove user groups through the Groups tab. Use your identity management system to manage user groups.

Application Roles tab

Lists the predefined application roles for Oracle Analytics and any user-defined application roles that you add.

From the Application Roles tab, you can:

  • Create your own application roles.
  • Discover the members (users, groups, application roles) directly assigned to each application role.
  • Discover the permissions directly granted to each application role.
  • Add members or remove members from each application role.
  • Discover whether an application role is a member of any other application role.
  • Add or remove memberships for each application role.
  • Grant permissions to user-defined application roles.
  • Remove permissions from user-defined application roles.
  • Generate a report that lists the users assigned to an application role, either directly or indirectly.
  • Generate a report that lists the groups (or IDCS application roles) assigned to an application role, either directly or indirectly.
  • Generate a report that lists other application roles assigned to an application role, either directly or indirectly.
  • Generate a report that lists any other application roles an application role is assigned to, either directly or indirectly.

Permissions tab

Lists the permissions available in Oracle Analytics.

From the Permissions tab, you can:

  • Search for permissions and filter the permissions list.
  • Discover the application roles a permission is directly assigned to.
  • Discover the users a permission is directly assigned to.

Add Members to Application Roles

Application roles determine what users are allowed to see and do in Oracle Analytics Server. It’s the administrator’s job to assign appropriate application roles to all users and to manage the privileges of each application role.

Remember:

  • Members (users, groups, and other application roles) get the permissions granted to an application role.
  • Application roles can get permissions granted to other application roles. For example, DV Content Author gets the permissions granted to BI Content Author, DV Consumer, and BI Consumer.

You use the Users and Roles page in the Console to assign members to an application role.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
    All the predefined application roles are displayed, together with any user-defined application roles that you've added.
  4. Select the name of an application role for more detail, and to see its current members.
  5. Under Direct Members, click Users, Groups, or Application Roles to view the current, direct members in each category.
    For example, if you click Users you see a list of users directly assigned to the application role.
  6. To see a list of all the members in the selected category that are assigned to the application role (both directly and indirectly), click the menu icon and select Show Indirect Members.
  7. To add a new member (user, group, application role) to the application role, click Add Users, Add Groups, or Add Application Roles, select one or more members, and then click Add.
  8. To remove a member from the application role, click the Delete icon next to the member's name.

Why Is the Administrator Application Role Important?

You need the BI Administrator application role to access administrative options in the Console.

There must always be at least one person in your organization with the BI Administrator application role. This ensures there is always someone who can delegate permissions to others. If you remove yourself from the BI Administrator role you’ll see a warning message.

Assign Application Roles to Users

The Users page lists the users from the identity domain associated with your Oracle Analytics Server instance. As an administrator, you can assign these users to the appropriate application roles.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Users.
  4. On the Users page, click the name of a user.
    To filter the list by name, enter all or part of a user name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any user that includes the letters admin.
  5. In the Details page for the user, click Application Roles to see a list of application roles directly assigned to this user.
  6. Click the menu icon, and select Show Indirect Memberships to see a list of all the application roles assigned to the user, that is, assigned both directly and indirectly.
  7. To assign the user to an additional application role, click Add Application Roles.
  8. In Add user to Application Roles, select one or more application roles from the list, and then click Add.
  9. To remove an application role from the user, click the Delete icon next to the name of the application role you want to delete.

Assign Application Roles to Groups

The Groups page lists user groups from the identity domain associated with the Oracle Analytics Server instance. It's best practice to assign application roles to groups rather than to users.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
    All the predefined application roles are displayed, together with any application roles that you've added.
  4. Select the name of the application role you want to assign to a group.
  5. Under Direct Members, click Groups to view the groups currently assigned to this application role.
    For example, there is a group called AppTesters directly assigned to the DV Content Author application role.
  6. To see a list of all the groups that are assigned to the application role (both directly and indirectly), click the menu icon and select Show Indirect Members.
  7. To assign a new group of users to the application role, click Add Groups, select one or more groups, and then click Add.
  8. To remove a group from the application role, click the Delete icon next to the group's name.

Add Your Own Application Roles

Oracle Analytics Server provides a set of predefined application roles. You can also create user-defined application roles to suit your own requirements. For example, you might create an application role that allows only a select group of people to view specific folders or workbooks. Or you might create an application role with specific permissions assigned to it.

You can create an application role in two ways:
  • Create an application role from scratch (no permissions).
  • Create an application role with the same permissions as one of the predefined application roles.

After creating the application role, you can grant permissions and add members (users, groups, or other application roles).

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
  4. Do one of the following:

    Create an application role from scratch (no permissions):

    Copy the permissions from a predefined application role to a user-defined application role:

    Note:

    In this step, you're copying the permission grants for the predefined application role that you choose. You aren't copying the application role's members or memberships.
  5. Enter suitable values for Application Role Name, Display Name, and Description.

    The Application Role Name can contain alphanumeric characters (ASCII or Unicode) and other printable characters (such as underscore or square brackets). The Application Role Name must not contain any white space.

  6. Click Create.
    When you create an application role from scratch, it doesn't start with any members or permissions. When you copy the permissions from one of the predefined application roles, the application role starts with the same permissions as the role that you copied.
  7. Grant permissions to the application role.
    1. Under Direct Grants, select Permissions.
    2. Click Add Permissions.
      This option is available only to user-defined application roles.
    3. Select one or more permissions, and then click Add.
  8. Add members (users, groups, or application roles) to the new application role.
    1. Under Direct Members, select the type of member you want to add: Users, Groups, or Application Roles.
    2. Click Add Users, Add Groups, or Add Application Roles.
    3. Select one or more members, and then click Add.
  9. Optional: Create hierarchical relationships between other application roles.
    1. Under Direct Memberships, click Add to Application Roles.
    2. Select all the application roles you want this application role to inherit privileges from, and then click Add.

Copy Permissions to an Existing User-Defined Application Role

You can copy the permissions directly granted to a predefined application role to a user-defined application role.

After you copy permissions to an existing role, you can grant additional permissions or revoke any of the copied permissions. See Grant and Revoke Permissions for Application Roles.
  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
  4. Click the name of a predefined application role.
    To filter the list by name, enter all or part of a name in the Search filter and press Enter. If you enter part of the name, use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any application role that includes the letters admin.
  5. Click Permissions to see the permissions granted to the predefined application role.
  6. Click the action menu, select Copy Permissions To, and then select Existing Application Role.

  7. Select an existing application role and click Copy.

View Permissions Granted to Application Roles

You can see a list of permissions granted to each user-defined application role as well as permissions granted to the predefined application roles from the Application Roles page.

While you can view, add, and remove permissions for user-defined application roles, each predefined application role includes a fixed set of permissions that you can't change. Specifically, each predefined application role has a set of role-based permissions built into it which aren't listed individually, plus zero or more regular permissions which are listed individually but you can't remove them. For example, the predefined application role BI Consumer has built-in, role-based permissions plus the permission Export Workbook to Document.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
  4. Click the name of an application role.
    To filter the list by name, enter all or part of a name in the Search filter and press enter. If you enter part of the name use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any application role that includes the letters admin.
  5. Click Permissions to see a list of permissions directly granted to the application role.

    When you select an application role that you created from scratch, you see a list of permissions granted to the role on the right. In this example, only one permission (Export workbook to document) is granted to an application role you created (Finance Consumer).

    You can add and delete permissions, as required.

    Permissions tab for a user-defined application role

    When you select one of the predefined application roles, such as BI Data Model Author, you see a message indicating that the role contains a set of built-in, role-based permissions. You can't change the permissions granted to a predefined application role.

    Permissions tab for a predefined application role

    When you select a user-defined application role containing permissions copied from one of the predefined application roles, such as BI Data Model Author, you see a message indicating that the role contains a set of built-in, role-based permissions, plus any additional permissions assigned to the predefined application role, as well as any permissions that you granted the role.

    Permissions tab for an application copied from a predefined application role

Grant and Revoke Permissions for Application Roles

You can grant individual permissions to a user-defined application role or revoke permissions that are no longer required. For example, you might want to provide an application role that enables users to export their workbooks to a PDF by granting the permission Export workbook to document.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
  4. Click the name of a user-defined application role.
    To filter the list by name, enter all or part of a name in the Search filter and press Enter. If you enter part of the name, use * as the wild card. The search is case-insensitive, and searches both name and display name. For example, enter *admin* to search for any application role that includes the letters admin.
  5. Click Permissions to see the permissions granted to the user-defined application role.
  6. To grant permissions to a user-defined application role:
    1. Click Add Permissions.

    2. Select the permission you want, and click Add.

  7. To revoke permissions from the application role:
    1. Navigate to the permission you want to revoke.
    2. Click the Remove Permission icon.
    3. To confirm, click Remove.

Delete Application Roles

You can delete user-defined application roles that you don't need anymore.

  1. Click Console.
  2. Click Users and Roles.
  3. Click Application Roles.
  4. Navigate to the user-defined application role you want to delete.

Add One Predefined Application Role to Another (Advanced)

Oracle Analytics Server provides several predefined roles: BI Service Administrator, BI Data Model Author, BI Data Load Author, BI Content Author, DV Content Author, DV Consumer, BI Consumer. In a very few advanced use cases, you might want to permanently include one predefined application role in another.

Any changes that you make to predefined application roles are permanent, so don’t perform this task unless you're sure you need to.

  1. Take a snapshot of your system before making any predefined application role change.
    Oracle recommends that you always take a snapshot before you start, as the only way you can revert changes to predefined application roles is to restore your service from a snapshot that was taken before the change.
    1. Click Console.
    2. Click Snapshots.
    3. Click Create Snapshot.
  2. In Console, click Users and Roles.
  3. Click Application Roles.
  4. Click the name of the predefined application role you want to change.
  5. Under Direct Members, click Application Roles to see which application roles the selected application role is currently a member of.
  6. Click Add Application Roles.
    By default, none of the predefined application roles are available.
  7. To add a predefined application role, click Advanced.

    WARNING:

    A warning is displayed. Read the information carefully before you proceed. When you add one predefined application role to another, the change is permanent. The only way you can revert predefined application role changes is to restore a snapshot taken before the change.

  8. Click OK to confirm that you’ve taken a snapshot and you're sure you want to permanently modify the predefined application role you selected.
  9. Select one or more predefined application roles from the list, and then click Add.
  10. To reconfirm that you’ve taken a snapshot and want to permanently change the predefined application role, click OK.

View and Export Detailed Membership Data

Each application role in Oracle Analytics Server can have direct members, but they might also have one or more indirect members or memberships.

For example, Joe Brown is granted the DV Content Author application role. Joe is a direct member of the DV Content Author role and an indirect member of BI Consumer, BI Content Author, DV Consumer. You can view direct and indirect membership details from the User and Role Management page and you can export this information to a CSV file.

  1. Click Console.
  2. Click Users and Roles.
  3. To view direct and indirect membership data for a user:
    1. Click the Users tab.
    2. Select the name of the user whose membership details you want to see.
    3. Under Direct Memberships, click Application Roles to see a list of all the application roles that the user you selected is directly assigned to.
    4. Click the menu icon, and select Show Indirect Memberships to see a list of all the application roles that this user is both directly and indirectly assigned to.
  4. To view direct and indirect membership data for an application role:
    1. Click the Application Roles tab.
    2. Select the name of the application role whose membership details you want to see.
    3. Under Direct Members (or Direct Memberships), click Users, Groups, or Application Roles to see a list of all the users, groups or application roles that the application role you selected is a direct member of (or directly assigned to).
    4. Click the menu icon, and select Show Indirect Members (or Show Indirect Memberships) to see a list of all the users, groups, or application roles that this group is both directly and indirectly a member of (or assigned to).
  5. To export both direct and indirect membership data to a CSV file, click Export.

Download Membership Data

After displaying a list of the direct and indirect members for a user, group, or application role in Oracle Analytics Cloud, you can download the report to a Comma Separated Values file (.csv).

  1. From the Direct and Indirect Users | Groups | Application Roles view, click Export.
    The direct and indirect members for the selected user, group, or application role are exported to a file named RoleReport.csv.
  2. Do one of the following:
    • Click Open to open the CSV file in an application of your choice.
    • Click Save to save the CSV file to a location of your choice.

Sample Scenarios: User-defined Application Roles

Here are some common scenarios for creating your own application roles.

Allow a User to Export Workbooks to PDF

You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to export workbooks to PDF through an application role that includes the Export Workbook to Document permission.

Note:

The predefined application role BI Consumer includes the permission Export Workbook to Document. This means that any user who is a member of BI Consumer (either directly or indirectly) automatically has this permission.
  1. Create a new application role called Allow Document Export (or use a similar name).
  2. Add the permission Export Workbook to Document.
  3. Assign the new application role Allow Document Export to a user or a group.
  4. Give users with the Allow Document Export application role access to one or more workbooks.

    These users can access workbooks and export the content to PDF.

    See Add or Update Workbook Permissions.

Prevent a User with the BI Consumer Role from Exporting Workbooks to PDF

You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the BI Consumer role from exporting workbooks to a PDF by removing the permission Export Workbook to Document.

  1. Copy the BI Consumer application role and name the copy BI Consumer (prevent export) (or use a similar name).
    1. Use the option Copy Permissions to a New Application Role to create an application role with the same permission set as BI Consumer.
    2. Provide a suitable name and description for the new role. For example, BI Consumer (prevent export).
  2. Remove the Export Workbook to Document permission.
  3. Assign the new application role BI Consumer (prevent export) to a user or a group.
  4. Remove the predefined application role BI Consumer from the user or group.
  5. Give users with the BI Consumer (prevent export) application role access to one or more workbooks and access to the folders where the workbooks are saved.

    When you give the BI Consumer (prevent export) application role access to the workbook, you must accept the option to cascade access to any datasets used by the workbook. That is, in the Share Related Artifacts dialog that displays when you save changes to workbook permissions, select the option Share related artifacts to ensure the workbook is usable. See Add or Update Workbook Permissions.

    These users can access workbooks but they can’t export the content to PDF.

    See Add or Update Workbook Permissions.
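
The following Python sketch is an added example, not Oracle code or part of the product. It models the default memberships from the Predefined Application Roles table to show how indirect membership arises (the Joe Brown example) and why step 4 above matters: it reports each membership chain that still grants Export Workbook to Document. The users ana and raj, the group Viewers, and the dictionary layout are assumptions made for illustration.

```python
"""Application-role inheritance model for Oracle Analytics Server (added example).

Role names and default memberships come from the tables on this page. The users
(ana, raj), the group Viewers and the dictionary layout are constructed for
illustration. Only individually listed permissions are modelled, not the
built-in role-based permissions of predefined roles.
"""
from collections import deque

# member -> application roles it is a DIRECT member of ("Default Members" column).
PREDEFINED_MEMBERSHIPS = {
    "BI Service Administrator": {"DV Content Author", "BI Content Author",
                                 "BI Data Model Author"},
    "DV Content Author": {"BI Content Author", "DV Consumer"},
    "BI Content Author": {"BI Consumer"},
    "DV Consumer": {"BI Consumer"},
}

# role -> permissions granted directly to it (subset of the permissions table).
DIRECT_GRANTS = {
    "BI Consumer": {"Export Workbook to Document", "View Navigation Menu"},
    "DV Content Author": {"Create and Edit Datasets", "Create and Edit Workbooks"},
    # User-defined copy of BI Consumer with the export permission removed.
    "BI Consumer (prevent export)": {"View Navigation Menu"},
}


def sample_memberships():
    """Predefined defaults plus constructed users and one constructed group."""
    m = {member: set(roles) for member, roles in PREDEFINED_MEMBERSHIPS.items()}
    m["joe.brown"] = {"DV Content Author"}              # example from the page
    m["ana"] = {"BI Consumer (prevent export)"}          # steps 3 and 4 both done
    m["raj"] = {"BI Consumer (prevent export)", "Viewers"}
    m["Viewers"] = {"BI Consumer"}                       # group still in BI Consumer
    return m


def grant_paths(principal, memberships):
    """Return {role: chain} for every role the principal holds.

    chain lists the members walked from the principal to the role. The search
    is breadth-first, so each chain is a shortest one, and roles already seen
    are skipped, which also stops on membership cycles.
    """
    paths = {}
    queue = deque([[principal]])
    while queue:
        chain = queue.popleft()
        for role in sorted(memberships.get(chain[-1], ())):
            if role not in paths:
                paths[role] = chain + [role]
                queue.append(paths[role])
    return paths


def effective_roles(principal, memberships):
    """Direct and indirect application roles held by the principal."""
    return set(grant_paths(principal, memberships))


def who_can(permission, principals, memberships, grants=DIRECT_GRANTS):
    """Map each principal that holds the permission to one chain granting it."""
    holders = {}
    for principal in principals:
        for role, chain in grant_paths(principal, memberships).items():
            if permission in grants.get(role, ()):
                holders[principal] = chain
                break
    return holders


if __name__ == "__main__":
    members = sample_memberships()
    print(sorted(effective_roles("joe.brown", members)))
    for user, chain in who_can("Export Workbook to Document",
                               ["joe.brown", "ana", "raj"], members).items():
        print(f"{user}: {' -> '.join(chain)}")
```

In this constructed data, raj keeps the export permission through the Viewers group even though the restricted role is assigned, which is the case step 4 is meant to close.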

Allow a User to Create Datasets and Workbooks

You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to create datasets and workbooks, and access and modify datasets and workbooks through an application role that includes the Create and Edit Datasets and Create and Edit Workbooks permissions.

Note:

The predefined application role DV Content Author includes the permissions Create and Edit Datasets and Create and Edit Workbooks. This means that any user who is a member of DV Content Author (either directly or indirectly) automatically has these permissions.
  1. Create a new application role called Allow Dataset and Workbook Creation (or use a similar name).
  2. Add the permissions Create and Edit Datasets and Create and Edit Workbooks.
  3. Assign the new application role Allow Dataset and Workbook Creation to a user or a group.
  4. Give users with the Allow Dataset and Workbook Creation application role access to one or more datasets and one or more workbooks.

    These users can access and edit datasets and workbooks, and create datasets and workbooks.

    See Add or Update Workbook Permissions.

Prevent a User with the DV Content Author Role from Creating or Modifying Specific Object Types

You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the DV Content Author role from creating and modifying connections, data flows, sequences, and watchlists.

  1. Copy the DV Content Author application role and name the copy DV Content Author (limited create and modify) (or use a similar name).
    1. Use the option Copy Permissions to a New Application Role to create an application role with the same permission set as DV Content Author.
    2. Provide a suitable name and description for the new role. For example, DV Content Author (limited create and modify).
  2. Remove the Create and Edit Connections, Create and Edit Data Flows, Create and Edit Sequences, and Create and Edit Watchlists permissions.
  3. Assign the new application role DV Content Author (limited create and modify) to a user or a group.
  4. Remove the predefined application role DV Content Author from the user or group.
  5. Give users with the DV Content Author (limited create and modify) application role access to one or more workbooks and datasets and access to the folders where the workbooks and datasets are saved.

    When you give the DV Content Author (limited create and modify) application role access to the workbook, you must accept the option to cascade access to any artifacts used by the workbook. That is, in the Share Related Artifacts dialog that displays when you save changes to workbook permissions, select the option Share related artifacts to ensure the workbook is usable. See Add or Update Workbook Permissions.

    These users can access, create, and modify datasets and workbooks, but can't create and modify connections, data flows, sequences, and watchlists.

    See Add or Update Workbook Permissions.