1. Managing Security for Oracle Analytics Server
  2. Set Up Security With Users, Groups, and Application Roles
  3. Grant or Revoke Permission Assignments

Grant or Revoke Permission Assignments

Use the grantPermissionSetsToBIRole and revokePermissionSetsFromBIRole scripts to fine-tune permission assignments.

After you upgrade from Oracle BI EE to Oracle Analytics Server, Oracle Analytics Server automatically assigns any new permissions or permission sets to your application roles to make the new features available to users. Therefore it's important that you review how Oracle Analytics Server assigned these permissions. Use the scripts to make any necessary adjustments.

Certain features work only when permission sets are granted together. If you revoke an individual permission set, you might experience unforeseen side effects.

Note:

Oracle Analytics Server includes standard permissions that are assigned to predefined application roles. For example, the Create and Edit Datasets permission is automatically assigned to the DV Content Author role. These standard permissions are included in the permission sets listed below, and in some cases the standard permission are included when you grant a permissions set. If you want to grant or revoke standard permissions to user-defined application roles, use the Console. See Copy Permissions to an Existing User-Defined Application Role.

To grant or revoke permissions for an application role, run the appropriate script:

  • grantPermissionSetsToBIRole.sh
  • revokePermissionSetsFromBIRole.sh

Path: Oracle/Middleware/Oracle_Home/user_projects/domains/bi/bitools/bin

Usage:

./grantPermissionSetsToBIRole.sh [-d domainHome] [-s sikey] -r BIRoleName -p PermissionSets

./revokePermissionSetsFromBIRole.sh [-d domainHome] [-s sikey] -r BIRoleName -p PermissionSets

-d: Specify the domain home (including the final domainName directory). By default, the DOMAIN_HOME value is set. If the value isn't set, enter the actual domain home path.

-s: Specify the key for the service instance. The default is ssi.

-r: Specify the application role name.

-p: Specify the comma-separated list of permission sets.

For example:
./grantPermissionSetsToBIRole.sh -r myAdministrator -p va.author,customScripts.admin

Table 2-1 Permission Sets Available in Oracle Analytics Server

Permission Set Name Permissions
actio.admin Administrator permissions to view and modify all jobs within the server instance, irrespective of the job owner. This permission is required to schedule or view the schedules for various objects (for example, data flows).
actio.author Permissions to view or modify jobs owned by the user.
actio.operator Permissions to restart jobs. Doesn't include permissions to create jobs.
actio.viewer View job scheduling permissions. (Not for Classic or Publisher)
bilifecycle.admin Corresponding functionality not supported in Oracle Analytics Server.
bip.administrator Publisher administration permissions.
bip.author Publisher author permissions.
bip.consumer Publisher consumer permissions.
bisecurity.admin BI security administration permissions. (Internal API)
bisecurity.author BI security author permissions. (Internal API)
bisecurity.GBUAdmin Corresponding functionality not supported in Oracle Analytics Server.
bisecurity.impersonate BI security impersonate permissions.
bisecurity.lifecycle.admin Corresponding functionality not supported in Oracle Analytics Server.
customScripts.admin Advanced analytics custom scripts administration permissions.
dataReplication.access Data replication access permissions.
infer.administrator Required social and storage providers configuration permissions.
majel.administrator Mobile administration permissions.
obips.administrator BI Presentation Server administration permissions.
obis.administrator BI Server administration permissions.
obisch.administrator BI Scheduler administration permissions. (For Classic)
obisch.author BI Scheduler author permissions.
oracle.bi.dss.CustomKnowledge.admin Data preparation custom knowledge administrator permissions.
oracle.bi.dss.CustomKnowledge.consumer Data preparation custom knowledge consumer permissions.
oracle.bi.dss.SystemKnowledge.admin Data preparation custom knowledge administration permissions.
oracle.bi.tech.dv.consumer Data Visualization basic login permissions.
pod.admin System settings administration permissions.
rdc.admin Remote data connections for interoperability with Oracle Analytics Cloud. Corresponding functionality not supported in Oracle Analytics Server.
rdc.consumer Remote data connections for interoperability with Oracle Analytics Cloud. Corresponding functionality not supported in Oracle Analytics Server.
rdc.monitor Remote data connections for interoperability with Oracle Analytics Cloud. Corresponding functionality not supported in Oracle Analytics Server.
sac.advanced.approle.administrator Application role user interface management permissions advanced features.
sac.approle.administrator Oracle Analytics Console administration permissions to manage Users and Roles, Connections, and Virus Scanner configuration pages.
sac.snapshot.administrator Snapshot administration permissions.
semanticmodeler.author Permissions to manage and deploy semantic models.

Note that assigning this permission set allows users to bypass the Oracle BI Server security filters.

See Grant Semantic Modeler Permissions Assignments.

va.admin Data Visualization administration permissions.
va.author Data Visualization author permissions.
va.interactor Data Visualization basic interaction permissions.