About Managing Users, Groups, Application Roles, and Data Access

As the service administrator or security administrator, one of your initial tasks is to ensure that users have appropriate access to use Oracle Fusion Data Intelligence.

Users need access to objects and data. Access to objects include subject areas or elements of subject areas such as folders and attributes, key metrics, workbooks, and the legacy Oracle BI Enterprise Edition dashboards and answers. You grant access to the users by assigning groups to them. The groups inherit the permissions from the application roles (data and duty) mapped to them. You can merge your security setup only with the main semantic model.

Enhanced Security Capabilities

The enhanced security capabilities available from release Platform 23.R4 enable you to:
  • Create and manage users and groups only in the Oracle Identity Cloud Service associated with your Oracle Fusion Data Intelligence instance. As a security administrator, you can perform user-group management if you've the User Administrator role in Oracle Identity Cloud Service. See Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console. In Oracle Fusion Data Intelligence, you can view the users and groups on the Security page but you can't create, modify, or delete them.
  • Use the licensed application roles corresponding to the existing licensed groups made available in this release onwards. You can assign the licensed application roles to your custom groups. These licensed application roles are mapped by default to the existing prebuilt licensed groups and are associated with the system roles. When you assign these prebuilt licensed groups and custom groups to users, then the applicable users get the system privileges such as consumer, author, and administrator.

If your Oracle Fusion Data Intelligence is on a release prior to release Platform 23.R4 or you haven’t yet up taken this security update, then you can continue to use the existing security capabilities until Oracle Fusion Data Intelligence automatically applies them as part of the release Platform 24.R2. Consult the information in Manage Users, Groups, Application Roles, and Data Access from a release prior to release Platform 23.R4.

These changes are mandatory and you can schedule the update sooner to enhance the security of your application using the Schedule Update option in the banner announcing these enhancements on the Security page. Ensure that you don't schedule the security update beyond May 2024. All current setups will be retained and available in Oracle Identity Cloud Service; you don't need to take any action other than scheduling.

About Users

Users accessing Oracle Fusion Data Intelligence must exist in Oracle Identity Cloud Service.

You can create the users or synchronize them with the Oracle Identity Cloud Service instance associated with your Oracle Fusion Data Intelligence instance from different sources:
  • You can synchronize the Oracle Fusion Cloud Applications users with the Oracle Identity Cloud Service instance.
  • You can manually create users in the Oracle Identity Cloud Service instance directly or create users in the Oracle Identity Cloud Service instance using the Oracle Fusion Data Intelligence user interface.
  • You can synchronize the users from other 3rd-party systems with the Oracle Identity Cloud Service instance.

Users gain their access to Oracle Fusion Data Intelligence based on the Oracle Fusion Data Intelligence-specific system groups assigned to them. They gain access to different functionality, objects, and data in Oracle Fusion Data Intelligence based on the job-specific groups assigned to them.

You can assign the predefined system groups, groups available in the Oracle Identity Cloud Service instance associated with your Oracle Fusion Data Intelligence instance, and custom groups that you create in Oracle Fusion Data Intelligence.

About Groups

Oracle Fusion Data Intelligence uses groups to provide users access to subject areas, objects, and data.

Oracle Fusion Data Intelligence uses the following three types of groups:
  • System groups created in Oracle Identity Cloud Service specifically for Oracle Fusion Data Intelligence. These system groups are associated with system roles that provide a set of privileges to the users to perform system tasks after signing into Oracle Fusion Data Intelligence, such as administering system settings, performing functional setup, managing security, and modeling data.
  • Job-specific groups such as Vice President of Sales, Human Resources Analyst, and Procurement Buyer. The job-specific groups are job roles from Oracle Fusion Cloud Applications mapped as groups in Oracle Identity Cloud Service. See Job-Specific Groups.
  • Other groups that are generic groups created in Oracle Identity Cloud Service not specifically for Oracle Fusion Data Intelligence, such as IDCS_Administrators and All_Tenant_Users.

System Groups

Oracle Fusion Data Intelligence creates the system groups also known as licensed groups in Oracle Identity Cloud Service while provisioning your Oracle Fusion Data Intelligence instance.

System groups are associated with system roles that provide a set of privileges to users. The enhanced security capabilities available from release Platform 23.R4 provide licensed application roles corresponding to the existing licensed groups and are mapped by default to the existing prebuilt system or licensed groups. The system roles or the licenses application roles (from release Platform 23.R4) serve two purposes:
  • Authenticate a user for Oracle Fusion Data Intelligence.
  • License a user to use Oracle Fusion Data Intelligence based on the system group they are assigned.
See System Roles and Licensed Roles.
As a security administrator, you can perform user-group management if you've the User Administrator role in Oracle Identity Cloud Service. You must add the users to the corresponding system groups based on the tasks they perform in Oracle Fusion Data Intelligence. See Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console. In Oracle Fusion Data Intelligence, you can view the users and groups on the Security page but you can't create, modify, or delete them. In Oracle Identity Cloud Service add users to these system groups:
System Group Code System Group Name Description Associated System Role* Associated Licensed Application Role from release Platform 23.R4 Onwards
FAW_FUNCTIONAL_ADMINISTRATORS FAW Functional Administrator Fusion Data Intelligence Functional Administrators FunctionalAdmin FAW Functional Administrator Role
FAW_SECURITY_ADMINISTRATORS FAW Security Administrator Fusion Data Intelligence Security Administrators SecurityAdmin FAW Security Administrator Role
FAW_MODELERS FAW Modeler Fusion Data Intelligence Modelers Modeler FAW Modeler Role
FAW_MODELER_ADMINISTRATORS FAW Modeler Administrator Fusion Data Intelligence Modeler Administrators ModelerAdmin FAW Modeler Administrator Role
FAW_SERVICE_ADMINISTRATORS FAW Service Administrator Fusion Data Intelligence Service Administrators ServiceAdmin FAW Service Administrator Role
FAW_LICENSED_ERP_AUTHORS FAW Licensed ERP Authors Fusion Data Intelligence ERP Licensed Authors Author FAW Licensed ERP Authors Role
FAW_LICENSED_ERP_CONSUMERS FAW Licensed ERP Consumers Fusion Data Intelligence ERP Licensed Consumers Consumer FAW Licensed ERP Consumers Role
FAW_LICENSED_HCM_AUTHORS FAW Licensed HCM Authors Fusion Data Intelligence HCM Licensed Authors Author FAW Licensed HCM Authors Role
FAW_LICENSED_HCM_CONSUMERS FAW Licensed HCM Consumers Fusion Data Intelligence HCM Licensed Consumers Consumer FAW Licensed HCM Consumers Role
FAW_LICENSED_SCM_CONSUMERS FAW Licensed SCM Consumers Fusion Data Intelligence SCM Licensed Consumers Consumer FAW Licensed SCM Consumers Role
FAW_LICENSED_CX_CONSUMERS FAW Licensed CX Consumers Fusion Data Intelligence CX Licensed Consumers Consumer FAW Licensed CX Consumers Role
FAW_LICENSED_SCM_AUTHORS FAW Licensed SCM Authors Fusion Data Intelligence SCM Licensed Authors Author FAW Licensed SCM Authors Role
FAW_LICENSED_CX_AUTHORS FAW Licensed CX Authors Fusion Data Intelligence CX Licensed Authors Author FAW Licensed CX Authors Role

*See System Roles and Licensed Roles.

Job-Specific Groups

Job-specific groups are job roles synchronized from Oracle Fusion Cloud Applications into Oracle Identity Cloud Service.

Common Job-Specific Groups

The common job-specific groups are applicable across the analytics applications that are part of Oracle Fusion Data Intelligence such as Oracle Fusion HCM Analytics and Oracle Fusion ERP Analytics.

Job-Specific Group Code Job-Specific Group Name Description Associated Application Roles Associated Application Role Names Functional Area
ORA_FND_INTEGRATION_SPECIALIST_JOB Integration Specialist Individual responsible for planning, coordinating, and supervising all activities related to the integration of enterprise information systems. Has author privileges.

Author

OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY

Not applicable Common

Other Groups

The Other Groups category refers to groups created in Oracle Identity Cloud Service for purposes such as administrating Oracle Cloud Infrastructure and Oracle Identity Cloud Service.

These groups aren't necessarily Oracle Fusion Data Intelligence-specific but you can use them in Oracle Fusion Data Intelligence. Examples of this category are the "IDCS_Administrators" and "All_Tenant_Users" groups.

About Application Roles

Application roles consist of duty and data roles.

Duty roles define the duties of a job as an entitlement to perform a particular action; for example, access to an AP Transactions subject area. Data roles provide access to the row-level data in the warehouse tables. Data roles group the users based on the functional access they have through a particular job role and a particular dimension of data. For example, a group of users based on invoices relevant only to their business unit.

Duty Roles

The predefined duty roles to secure the predefined subject areas and the predefined front-end objects are:

Common Duty Roles

The common duty roles are applicable across the analytics applications that are part of the application such as Oracle Fusion CX Analytics, Oracle Fusion HCM Analytics, and Oracle Fusion ERP Analytics.

Duty Role Code Duty Role Name Details Functional Area Gets access to Subject Area Display Name OR Associated Role
OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY Data Warehouse Refresh Analysis Duty Object security role to control presentation catalog access to Common - Warehouse Refresh Statistics subject area. Common Common - Warehouse Refresh Statistics
OA4F_COMMON_USAGE_TRACKING_DUTY Usage Tracking Analysis Duty Object security role to control presentation catalog access to Common - Usage Tracking subject area. Common Common - Usage Tracking
OA4F_SECURITY_REPORTING_DUTY Security Reporting Duty Object security role to control presentation catalog access to Security Assignment and Security Audit History subject areas. Common

Common - Security Assignment

Common - Security Audit History

Data Roles

The predefined data roles used to secure the predefined objects, custom facts, and custom dimensions are:

Licensed Roles

The licensed application roles corresponding to the existing licensed groups made available in release Platform 23.R4 onwards are as follows.

The licensed application roles are by default associated with the applicable system roles described in System Roles.

Licensed Role Associated System Role Mapped to Licensed Group
FAW Service Administrator Role Service Administrator FAW Service Administrator
FAW Functional Administrator Role Functional Administrator FAW Functional Administrator
FAW Security Administrator Role Security Administrator FAW Security Administrator
FAW Modeler Administrator Role Model Administrator FAW Modeler Administrator
FAW Modeler Role Modeler FAW Modeler
FAW Licensed CX Authors Role Author

FAW Licensed CX Authors

FAW Licensed ERP Authors Role Author

FAW Licensed ERP Authors

FAW Licensed HCM Authors Role Author FAW Licensed HCM Authors
FAW Licensed SCM Authors Role Author

FAW Licensed SCM Authors

FAW Licensed CX Consumer Role Consumer

FAW Licensed CX Consumers

FAW Licensed ERP Consumer Role Consumer

FAW Licensed ERP Consumers

FAW Licensed HCM Consumer Role Consumer FAW Licensed HCM Consumers
FAW Licensed SCM Consumer Role Consumer

FAW Licensed SCM Consumers

System Roles

The system roles for Oracle Fusion Data Intelligence available in Oracle Identity Cloud Service through provisioning of Oracle Fusion Data Intelligence are:

Role Name Role Description Purpose Permissions
Administrator Tenant administrator for service instances Creates and manages Oracle Fusion Data Intelligence instances and administers Oracle Identity Cloud Service users and roles.
  • Creates and manages Oracle Fusion Data Intelligence instances
  • Administers Oracle Identity Cloud Service users and roles
  • Has no access to the Data Pipeline user interface
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring Console user interface
  • Has no access to the Console menu
  • Has no access to user and group administration
  • Has no access to workbooks, visualizations, key metrics, visualizations, projects, and content
Service Administrator Oracle Fusion Data Intelligence service administrator Customer facing (Snapshots, Connections, System Settings) administrator access to Oracle Fusion Data Intelligence.
  • Can't create snapshots or modify the data model file (RPD)
  • Can access the Data Pipeline user interface
  • Can access the Data Security user interface
  • Has no access to the Job Monitoring console
  • Can access the Console menu
  • Can access the user and group administration pages
  • Can access the Semantic Model Extensions user interface
  • Has read-only access to the ready-to-use Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Requests from Oracle Fusion Data Intelligence to Oracle Analytics Cloud are routed through the Service Administrator user
  • Can create, update, and delete the Oracle Analytics Cloud content
  • Has read-only access to the ready-to-use key metrics
  • Can create, update, and delete key metrics
  • Can create, update, and delete workbooks and visualizations
  • Can share workbooks and visualizations
  • Can create Oracle Analytics Publisher reports
  • Has no access to data modeling
  • Has access to create Oracle Analytics Cloud connections to other non-Oracle Applications sources, such as Excel files and Google drive
  • Has access to create Oracle Analytics Cloud datasets
Functional Administrator Oracle Fusion Data Intelligence functional administrator Performs functional configuration (pipeline, reporting) in Oracle Fusion Data Intelligence.
  • Can access the Data Pipeline and Custom Data Configuration user interfaces
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Can access the Console menu
  • Has no access to user and role administration
  • Has no access to the Semantic Model Extensions user interface
  • Has no access to the prebuilt Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Has no access to the prebuilt key metrics
  • Has no access to workbooks, key metrics, and Oracle Analytics Cloud projects
  • Can't create any Oracle Analytics Cloud content and key metrics
  • Can't create, update, and delete workbooks and visualizations
  • Can't share workbooks and visualizations
  • Has no access to Oracle Analytics Publisher
  • Has no access to data modeling
  • Has no access to create Oracle Analytics Cloud connections
  • Has no access to create Oracle Analytics Cloud datasets
Security Administrator Oracle Fusion Data Intelligence security administrator Administers system roles and data security.
  • Has no access the Data Pipeline user interface
  • Has access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Can access the Console menu
  • Has access to user and group administration
  • Has no access to the Semantic Model Extensions user interface
  • Has no access to the prebuilt Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Has no access to the prebuilt key metrics
  • Has no access to workbooks, key metrics, and Oracle Analytics Cloud projects
  • Can't create any Oracle Analytics Cloud content and key metrics
  • Can't create, update, and delete workbooks and visualizations
  • Can't share workbooks and visualizations
  • Has no access to Oracle Analytics Publisher and data modeling
  • Has no access to create Oracle Analytics Cloud connections
  • Has no access to create Oracle Analytics Cloud datasets
Modeler Administrator Oracle Fusion Data Intelligence data model administrator Promote data model (RPD) customization to the Oracle Analytics Cloud instance.
  • Has no access to the Data Pipeline user interface
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Can access the Console menu
  • Has no access to user and role administration
  • Can access the Semantic Model Extensions user interface
  • Can access the prebuilt Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Can access the prebuilt key metrics
  • Can create key metrics
  • Can create Oracle Analytics Cloud content
  • Can't create, update, and delete workbooks and visualizations
  • Can't share workbooks and visualizations
  • Can't create Oracle Analytics Publisher reports
  • Has access to data modeling
  • Can apply the data model file (repository file) to the Test environment
  • Can create Oracle Analytics Cloud connections
  • Can create Oracle Analytics Cloud datasets
Modeler Oracle Fusion Data Intelligence modeler Modify the semantic model to bring in custom dimensions and attributes.
  • Has no access to the Data Pipeline user interface
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Can access the Console menu
  • Has no access to user and role administration
  • Can access the Semantic Model Extensions user interface
  • Can access the prebuilt Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Can access the prebuilt key metrics
  • Can create Oracle Analytics Cloud content
  • Can create key metrics
  • Can't create, update, and delete workbooks and visualizations
  • Can't share workbooks and visualizations
  • Can't create Oracle Analytics Publisher reports
  • Has access to data modeling
  • Can create Oracle Analytics Cloud connections
  • Can create Oracle Analytics Cloud datasets
Author Oracle Fusion Data Intelligence author Create and edit key metrics, visualizations, workbooks, visualization projects, reports, and dashboards.
  • Has no access to the Data Pipeline user interface
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Has no access to the Console menu
  • Has no access to user and role administration
  • Has no access to the Semantic Model Extensions user interface

  • Has read-only access to the ready-to-use Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses); if you need a change, then create a copy using "Save As"
  • Has read-only access to the ready-to-use key metrics
  • Can edit the custom Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Can edit the custom key metrics
  • Can change the filter values for existing visualization projects
  • Can add filters for existing visualization projects
  • Can create and edit Oracle Analytics Cloud content, key metrics, workbooks, and visualizations
  • Can delete custom key metrics, workbooks, and visualizations
  • Can consume key metrics, workbooks, and visualizations created by other users on which they have access permissions
  • Can share workbooks and visualizations
  • Can create Oracle Analytics Publisher reports
  • Has no access to data modeling
  • Has no access to create Oracle Analytics Cloud connections
  • Has access to create Oracle Analytics Cloud datasets
Consumer Oracle Fusion Data Intelligence consumer Read access to Oracle Analytics Cloud content and can create visualizations and workbooks.
  • Has no access to the Data Pipeline user interface
  • Has no access to the Data Security user interface
  • Has no access to the Job Monitoring console
  • Has no access to the Console menu
  • Has no access to user and role administration
  • Has no access to the Semantic Model Extensions user interface

  • Has read-only access to the ready-to-use Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Has read-only access to the ready-to-use key metrics
  • Has read-only access to the custom Oracle Analytics Cloud objects (visualization projects, dashboards, and analyses)
  • Has read-only access to the custom key metrics
  • Can change the filter values for the existing visualization projects
  • Can't add filters for the existing visualization projects
  • Can't create any Oracle Analytics Cloud content
  • Can't create any key metrics
  • Can create, update, and delete workbooks and visualizations
  • Can share workbooks and visualizations
  • Has read-only access to Oracle Analytics Publisher
  • Has no access to data modeling
  • Has no access to create Oracle Analytics Cloud connections
  • Has access to create Oracle Analytics Cloud datasets

Refer to the full list of privileges in Mapping of System Roles to Permissions in Fusion Data Intelligence. This document is updated typically for each release of Oracle Fusion Data Intelligence. Ensure that you're signed into Cloud Customer Connect prior to viewing this document.

About Data Access through Security Assignments

You grant the data security assignments at the user-level.

Data security assignments apply data filters to display only the data corresponding to the security assignment values assigned to the users. For example, John Smith and Marie Pierce are both Accounts Payable Manager in an organization, but John Smith needs to see only the US business unit-specific data and Marie needs to see only the UK business unit-specific data. Even though both have the same functional role, their data security assignments differ. John is assigned all the US business units and Marie is assigned all the UK business units only.

You ensure data-level security with a combination of data roles, security context, and security assignments assigned to the user. Oracle Fusion Data Intelligence maps a security context 1:1 onto a data role. You grant the data security assignments within a security context. The user must have the data role through the group assigned to them in order to have access to the security context and its corresponding list of values to pick from. You assign a user one or more job-specific groups. The groups have data roles mapped to them, and when querying data, the semantic layer applies the data filters.

For Enterprise Resource Planning, the ledger, payables business unit, and receivables business unit values are restricted by the ledgers that you selected while setting up the report parameters. To establish the security permissions, you'd need to map users to security assignments. If a user doesn't have security assignment values mapped, then the user doesn't get to see any datasets corresponding to the job role (and implicitly data role) assigned to them. When you add data security assignments to a user, you ensure that the user can access specific data within a security context, such as ledger, payables business unit, or receivables business unit.

For Human Capital Management, the data security is based on the line manager hierarchy defined in Oracle Fusion Cloud Applications for the user having the Line Manager role. For Human Capital Management, the data security is based on the talent acquisition hierarchy defined in Oracle Fusion Cloud Applications for the user having the Job Application or Job Requisition roles. All users can see their own records using the HCM Show context. A user with the HR Analyst role has access to all Human Capital Management data and no security restrictions are applied to the Human Capital Management data set. A user with the Hiring Manager role has access to non-restricted job applications, while users with the Recruiter and Recruiting Manager role can view all job applications. The business unit, legal employer, department, country security context, and related data roles are restricted by contexts and assigned predicate values. To establish the security permissions, you'd need to map users to security assignments