About Managing Users, Groups, Application Roles, and Data Access
As the service administrator or security administrator, one of your initial tasks is to ensure that users have appropriate access to use Oracle Fusion Analytics Warehouse.
Users need access to objects and data. Access to objects includes subject areas or elements of subject areas such as folders and attributes, front-end decks, cards, KPIs, and the legacy Oracle BI Enterprise Edition dashboards and answers. You grant access to the users by assigning groups to them. The groups inherit the permissions from the data and duty roles mapped to them. You can merge your security setup only with the main semantic model.
About Users
Users accessing Oracle Fusion Analytics Warehouse must exist in Oracle Identity Cloud Service.
- You can synchronize the Oracle Fusion Cloud Applications users with the Oracle Identity Cloud Service instance.
- You can manually create users in the Oracle Identity Cloud Service instance directly or create users in the Oracle Identity Cloud Service instance using the Oracle Fusion Analytics Warehouse user interface.
- You can synchronize the users from other third-party systems with the Oracle Identity Cloud Service instance.
Users gain their access to Oracle Fusion Analytics Warehouse based on the Oracle Fusion Analytics Warehouse-specific system groups assigned to them. They gain access to different functionality, objects, and data in Oracle Fusion Analytics Warehouse based on the job-specific groups assigned to them.
You can assign the predefined system groups, groups available in the Oracle Identity Cloud Service instance associated with your Oracle Fusion Analytics Warehouse instance, and custom groups that you create in Oracle Fusion Analytics Warehouse. See Associate Users and Groups.
About Groups
Oracle Fusion Analytics Warehouse uses groups to provide users access to subject areas, objects, and data. The groups fall into these categories:
- System groups created in Oracle Identity Cloud Service specifically for Oracle Fusion Analytics Warehouse. These system groups are associated with system roles that provide a set of privileges to the users to perform system tasks after signing into Oracle Fusion Analytics Warehouse, such as administering system settings, performing functional setup, managing security, and modeling data.
- Job-specific groups such as Vice President of Sales, Human Resources Analyst, and Procurement Buyer. The job-specific groups are job roles from Oracle Fusion Cloud Applications mapped as groups in Oracle Identity Cloud Service. See Job-Specific Groups.
- Other groups that are generic groups created in Oracle Identity Cloud Service not specifically for Oracle Fusion Analytics Warehouse, such as IDCS_Administrators and All_Tenant_Users.
System Groups
Oracle Fusion Analytics Warehouse creates the system groups in Oracle Identity Cloud Service while provisioning your Oracle Fusion Analytics Warehouse instance. The system groups are used to:
- Authenticate a user to Oracle Fusion Analytics Warehouse.
- License a user to use Oracle Fusion Analytics Warehouse based on the system group they are assigned.
System Group Code | System Group Name | Description | Associated Oracle Fusion Analytics Warehouse System Role* |
---|---|---|---|
FAW_FUNCTIONAL_ADMINISTRATORS | FAW Functional Administrator | Fusion Analytics Warehouse Functional Administrators | FunctionalAdmin |
FAW_SECURITY_ADMINISTRATORS | FAW Security Administrator | Fusion Analytics Warehouse Security Administrators | SecurityAdmin |
FAW_MODELERS | FAW Modeler | Fusion Analytics Warehouse Modelers | Modeler |
FAW_MODELER_ADMINISTRATORS | FAW Modeler Administrator | Fusion Analytics Warehouse Modeler Administrators | ModelerAdmin |
FAW_SERVICE_ADMINISTRATORS | FAW Service Administrator | Fusion Analytics Warehouse Service Administrators | ServiceAdmin |
FAW_LICENSED_ERP_AUTHORS | FAW Licensed ERP Authors | Fusion Analytics Warehouse ERP Licensed Authors | Author |
FAW_LICENSED_ERP_CONSUMERS | FAW Licensed ERP Consumers | Fusion Analytics Warehouse ERP Licensed Consumers | Consumer |
FAW_LICENSED_HCM_AUTHORS | FAW Licensed HCM Authors | Fusion Analytics Warehouse HCM Licensed Authors | Author |
FAW_LICENSED_HCM_CONSUMERS | FAW Licensed HCM Consumers | Fusion Analytics Warehouse HCM Licensed Consumers | Consumer |
*See System Roles.
Job-Specific Groups
Job-specific groups are job roles synchronized from Oracle Fusion Cloud Applications into Oracle Identity Cloud Service.
Common Job-Specific Groups
The common job-specific groups are applicable across the analytics applications that are part of Oracle Fusion Analytics Warehouse such as Oracle Fusion HCM Analytics and Oracle Fusion ERP Analytics.
Job-Specific Group Code | Job-Specific Group Name | Description | Associated Application Roles | Associated Application Role Names | Functional Area |
---|---|---|---|---|---|
ORA_FND_INTEGRATION_SPECIALIST_JOB | Integration Specialist | Individual responsible for planning, coordinating, and supervising all activities related to the integration of enterprise information systems. Has author privileges. | Author, OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY | Not applicable | Common |
Other Groups
The Other Groups category refers to groups created in Oracle Identity Cloud Service for purposes such as administering Oracle Cloud Infrastructure and Oracle Identity Cloud Service.
These groups are not necessarily Oracle Fusion Analytics Warehouse-specific but you can use them in Oracle Fusion Analytics Warehouse. Examples of this category are the "IDCS_Administrators" and "All_Tenant_Users" groups.
About Application Roles
Application roles consist of duty and data roles.
Duty roles define the duties of a job as an entitlement to perform a particular action; for example, access to an AP Transactions subject area. Data roles provide access to the row-level data in the warehouse tables. Data roles group the users based on the functional access they have through a particular job role and a particular dimension of data. For example, a group of users based on invoices relevant only to their business unit.
Duty Roles
The predefined duty roles to secure the predefined subject areas and the predefined front-end objects are:
Common Duty Roles
The common duty roles are applicable across the analytics applications that are part of Oracle Fusion Analytics Warehouse such as Oracle Fusion HCM Analytics and Oracle Fusion ERP Analytics.
Duty Role Code | Duty Role Name | Details | Functional Area | Gets access to Subject Area Display Name OR Associated Role |
---|---|---|---|---|
OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY | Data Warehouse Refresh Analysis Duty | Object security role to control presentation catalog access to Common - Warehouse Refresh subject area. | Common | Common - Warehouse Refresh |
OA4F_COMMON_USAGE_TRACKING_DUTY | Usage Tracking Analysis Duty | Object security role to control presentation catalog access to Common - Usage Tracking subject area. | Common | Common - Usage Tracking |
OA4F_SECURITY_REPORTING_DUTY | Security Reporting Duty | Object security role to control presentation catalog access to Security Assignment and Security Audit History subject areas. | Common | Common - Security Assignment, Common - Security Audit History |
Data Roles
The predefined data roles used to secure the predefined objects, custom facts, and custom dimensions are:
System Roles
The system roles for Oracle Fusion Analytics Warehouse available in Oracle Identity Cloud Service through provisioning of Oracle Fusion Analytics Warehouse are:
Role Name | Role Description | Purpose | Permissions |
---|---|---|---|
Administrator | Tenant administrator for service instances | Creates and manages Oracle Fusion Analytics Warehouse instances and administers Oracle Identity Cloud Service users and roles. | |
Service Administrator | Oracle Fusion Analytics Warehouse service administrator | Customer facing (Snapshots, Connections, System Settings) administrator access to Oracle Fusion Analytics Warehouse. | |
Functional Administrator | Oracle Fusion Analytics Warehouse functional administrator | Performs functional configuration (pipeline, reporting) in Oracle Fusion Analytics Warehouse. | |
Security Administrator | Oracle Fusion Analytics Warehouse security administrator | Administers system roles and data security. | |
Modeler Administrator | Oracle Fusion Analytics Warehouse data model administrator | Promote data model (RPD) customization to the Oracle Analytics Cloud instance. | |
Modeler | Oracle Fusion Analytics Warehouse modeler | Modify the semantic model to bring in custom dimensions and attributes. | |
Author | Oracle Fusion Analytics Warehouse author | Create and edit KPIs, cards, decks, visualization projects, reports, and dashboards. | |
Consumer | Oracle Fusion Analytics Warehouse consumer | Read access to Oracle Analytics Cloud content and can create cards and decks. | |
Refer to the full list of privileges in Mapping of System Roles to Permissions in Fusion Analytics Warehouse. This document is updated typically for each release of Oracle Fusion Analytics Warehouse. Ensure that you are signed into Cloud Customer Connect prior to viewing this document.
About Data Access through Security Assignments
You grant the data security assignments at the user level.
Data security assignments apply data filters to display only the data corresponding to the security assignment values assigned to the users. For example, John Smith and Marie Pierce are both Accounts Payable Managers in an organization, but John Smith needs to see only the US business unit-specific data and Marie needs to see only the UK business unit-specific data. Even though both have the same functional role, their data security assignments differ. John is assigned all the US business units and Marie is assigned all the UK business units only.
You ensure data-level security with a combination of data roles, security context, and security assignments assigned to the user. Oracle Fusion Analytics Warehouse maps a security context 1:1 onto a data role. You grant the data security assignments within a security context. The user must have the data role through the group assigned to them in order to have access to the security context and its corresponding list of values to pick from. You assign a user one or more job-specific groups. The groups have data roles mapped to them, and when querying data, the semantic layer applies the data filters.
For Enterprise Resource Planning, the ledger, payables business unit, and receivables business unit values are restricted by the ledgers that you selected while setting up the report parameters. To establish the security permissions, you'd need to map users to security assignments. If a user doesn't have security assignment values mapped, then the user doesn't get to see any datasets corresponding to the job role (and implicitly data role) assigned to them. When you add data security assignments to a user, you ensure that the user can access specific data within a security context, such as ledger, payables business unit, or receivables business unit. See Set Up the Reporting Configurations for Enterprise Resource Planning.
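The resolution order described above (group, then data role, then security context, then assignment values), as an added Python sketch that is not Oracle code: it models the rule that a user holding a data role but no assignment values sees no data, and audits a constructed user set for such mismatches. Group codes, data role names, and business unit values are hypothetical, and treating values held without the matching data role as ineffective is an assumption of this model.

```python
# Added illustration; group codes, role names and values are constructed.
GROUP_DATA_ROLES = {  # job-specific group -> data roles mapped to it
    "AP_MANAGER_GROUP": {"AP_BU_DATA_ROLE"},
    "GL_ANALYST_GROUP": {"LEDGER_DATA_ROLE"},
}
CONTEXT_DATA_ROLE = {  # each security context maps 1:1 onto a data role
    "Ledger": "LEDGER_DATA_ROLE",
    "Payables Business Unit": "AP_BU_DATA_ROLE",
}
USERS = {
    "john.smith": {"groups": {"AP_MANAGER_GROUP"},
                   "assignments": {"Payables Business Unit": {"US1", "US2"}}},
    "marie.pierce": {"groups": {"AP_MANAGER_GROUP"},
                     "assignments": {"Payables Business Unit": {"UK1"}}},
    # Has the group (and so the data role) but no assignment values.
    "new.hire": {"groups": {"AP_MANAGER_GROUP"}, "assignments": {}},
    # Holds values in a context whose data role none of the groups grants.
    "moved.user": {"groups": {"GL_ANALYST_GROUP"},
                   "assignments": {"Payables Business Unit": {"US1"}}},
}

def data_roles(user):
    roles = set()
    for group in USERS[user]["groups"]:
        roles |= GROUP_DATA_ROLES.get(group, set())
    return roles

def visible_values(user, context):
    """Assignment values the data filter passes for this user and context."""
    if CONTEXT_DATA_ROLE[context] not in data_roles(user):
        return set()  # assumption: no data role means the context is closed
    return set(USERS[user]["assignments"].get(context, set()))

def audit():
    """List (user, context, finding) for setups that need review."""
    findings = []
    for user in sorted(USERS):
        roles = data_roles(user)
        for context, role in sorted(CONTEXT_DATA_ROLE.items()):
            assigned = USERS[user]["assignments"].get(context)
            if role in roles and not assigned:
                findings.append((user, context, "data role, no values: sees no data"))
            elif role not in roles and assigned:
                findings.append((user, context, "values without data role: stale"))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(" | ".join(finding))
```

Running the same two checks against an export of real group memberships and security assignments surfaces both users who will report empty reports and assignment values left behind after a job change.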
For Human Capital Management, the data security is based on the line manager hierarchy defined in Oracle Fusion Cloud Applications for the user having the Line Manager role. For Human Capital Management, the data security is based on the talent acquisition hierarchy defined in Oracle Fusion Cloud Applications for the user having the Job Application or Job Requisition roles. All users can see their own records using the HCM Show context. A user with the HR Analyst role has access to all Human Capital Management data and no security restrictions are applied to the Human Capital Management data set. A user with the Hiring Manager role has access to non-restricted job applications, while users with the Recruiter and Recruiting Manager roles can view all job applications. The business unit, legal employer, department, country security context, and related data roles are restricted by contexts and assigned predicate values. To establish the security permissions, you'd need to map users to security assignments.