Oracle Business Intelligence Cloud Service (BICS) is part of Oracle’s Platform as a Service (PaaS) offerings. The Oracle cloud offerings permit enterprise IT teams to rapidly build and deploy applications without the need to set up expensive infrastructure. There’s still a need, however, for strong security capabilities in the cloud, and this blog post discusses how BICS security works and how to set up secure dashboard access in the solution, using a sample sales and marketing dashboard business case.
How Oracle Cloud Security Works
When your business signs up for an Oracle Cloud account, Oracle Cloud creates an identity domain specific to your company. As users log in to an Oracle Cloud service, Oracle Cloud identity management controls user authentication and the features of the service that users can access, using Oracle Enterprise Single Sign-On (SSO). SSO may be federated between on-premises and cloud SSO. Oracle Cloud uses LDAP schemas for storing the identities.
User and Role Management Overview
BICS Security is comprised of two items: 1. Oracle Cloud Identity Domain Users and Roles and 2. Oracle BICS Application Users and Roles.
First, we add the user to Oracle Cloud Identity Management using the Identity Management Administrator credentials. Click “Users,” then on the following form, click “Add”:
Typically, we use the email address as the user name.
A few things have changed in this form. We can now set a role in the Cloud Service for each user. If the new user just views reports, we will click on the “Service” drop down, select “BICS (Business Intelligence),” and then click the button with the two “greater than” signs. This pushes the roles to the “Selected Roles” box. If the user is not a reports or dashboard author, then uncheck: “bics BI Cloud Service Advanced Content Authors” as shown above.
Click “Add” to save the user.
Next, open BICS as an administrator to complete user creation. Open “Console” and select “Users” and “Roles.”
In BICS, there are five predefined application roles. We do not have to add our new user to any of the predefined application roles.
Sales and Marketing Dashboard Example
Let’s say we want to secure our data by sales region. In our fact table, each data row carries the name of the sales region. We want to restrict the dashboard to members of the sales department, then filter the data so that each salesperson sees only their own regional data while the global sales manager sees all regions. Let’s also say there are marketing departmental dashboards in BICS: marketing should not be able to see the sales dashboard, and sales should not be able to see the marketing dashboard.
To do this, we can establish two application roles to manage the dashboard level. Add “Sales Dashboard.” Click “Save.” Repeat for the marketing dashboard.
Add members (users) to “Sales” by selecting the button at the right end of the “Sales Application Role” and then by selecting “Manage Members:”
Search for “John Doe” and add this user to the “Sales Dashboard Role” by clicking the user name in the left box and then by clicking the single arrow to place the user in the “Selected Users” panel. Click “OK” to save.
Create the marketing dashboard role and add users to that role using the same process.
Next, we will create roles to secure the data in the “Sales” fact. Open “Application Role” and add the following roles:
Global Sales Manager Data
Eastern Sales Data
Western Sales Data
Use the same process as creating the “Sales Application Role,” and add a member to each role.
We can divide the sales regions as many ways as we want, as long as the sales region values in our fact table support the split. To simplify the example, we will establish two sales regions and then a sales manager role (who sees all sales regions).
Once the application roles are complete, we can navigate to the “BICS Modeler” to secure the data, and then to the “BICS Catalog” to secure the dashboards.
In the Modeler, we will need administrator rights so we can filter the data by role:
Open “Data Model” in the left panel
Select “Lock to Edit” button
Select “Data Filters” tab
Select “Role” as “Eastern Sales Data”
Click the “FX” button
Select to filter the fact data on Region='eastern'
Repeat for the Western region. This secures our data.
Lastly, as demonstrated in the image below, we will secure the dashboards by opening the Catalog:
Under the “Company Shared Folder,” we established “Sales” and “Marketing” folders
Add both the sales and marketing dashboard roles to each folder
Apply permissions recursively
Select the “Sales” folder
In the “Tasks” pane, select “Permissions”
Click the ‘+’ button to add new application roles
Select the sales and marketing dashboard roles
Set as custom permissions
Use the pencil icon on the “Marketing” role and uncheck all of the boxes to change the permissions to “No Access.”
Repeat the process for the “Marketing” dashboard, but set the “Marketing” role to “Full Control” and the “Sales” role to “No Access.”
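Because dashboard access and data filtering are granted through separate application roles, a membership review is worth running once the roles are populated. The following is an added example, not part of the original post and not Oracle code: it uses the role names from this post, while the user names, memberships and the idea of keeping memberships in a Python dictionary are constructed for illustration, and it assumes that several data roles held by one user are meant to add up.

```python
# Added example: role names are from the post; memberships are constructed sample data.
ALL_REGIONS = {"eastern", "western"}
# Data role -> regions its filter allows (the manager role carries no filter).
DATA_ROLES = {
    "Global Sales Manager Data": ALL_REGIONS,
    "Eastern Sales Data": {"eastern"},
    "Western Sales Data": {"western"},
}
SALES, MARKETING = "Sales Dashboard", "Marketing Dashboard"

MEMBERS = {  # constructed memberships, one per case worth checking
    "john.doe@example.com": {SALES, "Eastern Sales Data"},
    "jane.roe@example.com": {SALES, "Global Sales Manager Data"},
    "sam.poe@example.com": {SALES},
    "ann.lee@example.com": {MARKETING, "Western Sales Data"},
    "max.ray@example.com": {SALES, "Eastern Sales Data", "Western Sales Data"},
    "pat.kim@example.com": {SALES, MARKETING, "Eastern Sales Data"},
}

def intended_regions(roles):
    """Regions the design intends a user to see, or None if no data role is held.
    Assumption: several data roles held by one user are meant to add up."""
    held = roles & set(DATA_ROLES)
    if not held:
        return None
    return set().union(*(DATA_ROLES[r] for r in held))

def audit(members):
    """Return (user, finding) pairs for memberships that do not fit the design."""
    findings = []
    for user, roles in sorted(members.items()):
        held = roles & set(DATA_ROLES)
        if SALES in roles and not held:
            findings.append((user, "sales dashboard access but no data role"))
        if held and SALES not in roles:
            findings.append((user, "sales data role but no sales dashboard access"))
        if len(held) > 1:
            findings.append((user, "more than one data role"))
        if {SALES, MARKETING} <= roles:
            findings.append((user, "member of both dashboard roles"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(MEMBERS):
        print(f"{user}: {finding}")
    for user, roles in sorted(MEMBERS.items()):
        print(user, "->", intended_regions(roles))
```

The regions returned by intended_regions give the expected result to compare against what each test user actually sees when logged in to the sales dashboard.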