Configure What Users Can See and Do
Administrators assign application roles to determine what other users can see and do in Oracle Analytics Cloud.
Get Started with Application Roles
Administrators configure what users see and do in Oracle Analytics Cloud from the Users and Roles page in the Console. This page presents user information in four different views: User, Groups, Application Roles, Permissions.
Users and Roles Page | Description |
---|---|
Users tab |
Lists users from the identity domain associated with your Oracle Analytics instance. From the Users tab, you can:
You can’t add or remove user accounts through the Users tab. Use your identity management system to manage user accounts. It's best practice to assign permissions to application roles. You can't grant permissions to a user. However, if the user already has permission grants (for example, though migration from an on-premise environment), you can remove these permission grants from the user. |
Groups tab |
Lists user groups from the identity domain associated with your Oracle Analytics instance. From the Groups tab, you can:
You can’t add or remove user groups through the Groups tab. Use your identity management system to manage user groups. |
Application Roles tab |
Lists the predefined application roles for Oracle Analytics and any user-defined application roles that you add. From the Application Roles tab, you can:
|
Permissions tab | Lists the permissions available in Oracle Analytics.
From the Permissions tab, you can:
|
Add Members to Application Roles
Application roles determine what users are allowed to see and do in Oracle Analytics Cloud. It’s the administrator’s job to assign appropriate application roles to all users and to manage the privileges of each application role.
Remember:
- Members (users, groups, and other application roles) get the permissions granted to an application role.
- Application roles can get permissions granted to other application roles. For example, DV Content Author gets the permissions granted to BI Content Author, DV Consumer, and BI Consumer.
You use the Users and Roles page in the Console to assign members to an application role.
Why Is the Administrator Application Role Important?
You need the BI Service Administrator application role to access administrative options in the Console.
There must always be at least one person in your organization with the BI Service Administrator application role. This ensures there is always someone who can delegate permissions to others. If you remove yourself from the BI Service Administrator role you’ll see a warning message.
If no-one has administrative access to Oracle Analytics Cloud, ask your identity domain administrator to add a user to the ServiceAdministrator IDCS application role. ServiceAdministrator is assigned through the identity management system and is always assigned to the BI Service Administrator application role in a regular Oracle Analytics Cloud service instance.
Assign Application Roles to Users
The Users page lists the users from the identity domain associated with your Oracle Analytics Cloud instance. As an administrator, you can assign these users to the appropriate application roles.
Assign Application Roles to Groups
The Groups page lists user groups from the identity domain associated with the Oracle Analytics Cloud instance. It's best practice to assign application roles to groups rather than to users.
Add Your Own Application Roles
Oracle Analytics Cloud provides a set of predefined application roles. You can also create user-defined application roles to suit your own requirements. For example, you might create an application role that allows only a select group of people to view specific folders or workbooks. Or you might create an application role with specific permissions assigned to it.
- Create an application role from scratch (no permissions).
- Create an application role with the same permissions as one of the predefined application roles.
After creating the application role, you can grant permissions and add members (users, groups, or other application roles).
Copy Permissions to an Existing User-Defined Application Role
You can copy the permissions directly granted to a predefined application role to a user-defined application role.
View Permissions Granted to Application Roles
You can see a list of permissions granted to each user-defined application role as well as permissions granted to the predefined application roles from the Application Roles page.
While you can view, add, and remove permissions for user-defined application roles, each predefined application role includes a fixed set of permissions that you can't change. Specifically, each predefined application role has a set of role-based permissions built into it which aren't listed individually, plus zero or more regular permissions which are listed individually but you can't remove them. For example, the predefined application role BI Consumer has built-in, role-based permissions plus the permission Export Workbook to Document.
Grant and Revoke Permissions for Application Roles
You can grant individual permissions to a user-defined application role or revoke permissions that are no longer required. For example, you might want to provide an application role that enables users to export their workbooks to a PDF by granting the permission Export workbook to document.
Delete Application Roles
You can delete user-defined application roles that you don't need anymore.
- Click Console.
- Click Users and Roles.
- Click Application Roles.
- Navigate to the user-defined application role you want to delete.
- Click the Delete icon next to the name of the application role you want to delete, and then click Delete to confirm.
Add One Predefined Application Role to Another (Advanced)
Oracle Analytics Cloud provides several predefined roles: BI Service Administrator, BI Data Model Author, BI Dataload Author, BI Content Author, DV Content Author, DV Consumer, BI Consumer. In a very few advanced use cases, you might want to permanently include one predefined application role in another.
Any changes that you make to predefined application roles are permanent, so don’t perform this task unless you're sure you need to.
View and Export Detailed Membership Data
Each application role in Oracle Analytics Cloud can have direct members, but they might also have one or more indirect members or memberships.
For example, Joe Brown is granted the DV Content Author application role.
Joe is a direct member of the DV Content Author role and an indirect member of BI
Consumer, BI Content Author, DV Consumer. You can view direct and indirect
membership details from the User and Role Management page and
you can export this information to a CSV file.
Description of the illustration members.jpg
- Click Console.
- Click Users and Roles.
- To view direct and indirect membership data for a user:
- Click the Users tab.
- Select the name of the user whose membership details you want to see.
- Under Direct Memberships, click Application Roles to see a list of all the or application roles that the user you selected is directly assigned to.
- Click the menu icon, and select Show Indirect Memberships to see a list of all the or application roles that this user is both directly and indirectly assigned to.
- To view direct and indirect membership data for an application role:
- Click the Application Roles tab.
- Select the name of the application role whose membership details you want to see.
- Under Direct Members (or Direct Memberships), click Users, Groups, or Application Roles to see a list of all the users, groups or application roles that the application role you selected is a direct member of (or directly assigned to).
- Click the menu icon, and select Show Indirect Members (or Show Indirect Memberships) to see a list of all the users, groups, or application roles that this group is both directly and indirectly a member of (or assigned to).
- To export both direct and indirect membership data to a CSV file, click Export.
Sample Scenarios: User-defined Application Roles
Here are some common scenarios for creating your own application roles .
Allow a User to Export Workbooks to PDF
You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to export workbooks to PDF through an application role that includes the Export Workbook to Document permission.
Note:
The predefined application role BI Consumer includes the permission Export Workbook to Document. This means that any user who is a member of BI Consumer (either directly or indirectly) automatically has this permission.Prevent a User with the BI Consumer Role from Exporting Workbooks to PDF
You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the BI Consumer role from exporting workbooks to a PDF by removing the permission Export Workbook to Document.
Allow a User to Create Datasets and Workbooks
You can give users permission to perform specific actions in Oracle Analytics. For example, you can enable users to create datasets and workbooks, and access and modify datasets and workbooks through an application role that includes the Create and Edit Datasets and Create and Edit Workbooks permissions.
Note:
The predefined application role DV Content Author includes the permissions Create and Edit Datasets and Create and Edit Workbooks. This means that any user who is a member of DV Content Author (either directly or indirectly) automatically has these permissions.Prevent a User with the DV Content Author Role from Creating or Modifying Specific Object Types
You can prevent users from performing specific actions in Oracle Analytics. For example, you might want to provide an application role that prevents users with the DV Content Author role from creating and modifying connections, data flows, sequences, and watchlists.