Handling Fine-Grained Data Visualization Permissions in Oracle Analytics Cloud

The November 2023 Update for Oracle Analytics Cloud came out a few weeks ago, and in this article I'm going to deep dive into the new feature which allows you to handle permissions at a finer grain than previously possible in Data Visualization.

Oracle Analytics Cloud provides several predefined application roles which already include a fixed set of permissions to get you started. For instance, members of the DV Content Author role are allowed to create and edit connections, data flows, sequences, datasets, watchlists, and workbooks (exactly as it happened before the update).

You can't delete predefined application roles, remove default memberships, or grant/revoke permissions for them. On the other hand, you have the flexibility to create user-defined application roles, granting individual permissions to align with your specific requirements or revoking permissions that are no longer needed.

Application roles can have users, groups, or other application roles as members. This means that a user who is a member of one application role might inherit permissions granted to other application roles, and unlike what happens in Analytics Classic, there is no way to explicitly deny individual permissions.

Creating a User-Defined Application Role

To create a user-defined application role from scratch with no permissions, begin by expanding the Navigator menu, and then select Users and Roles in the Console page. Within this section, select the Application Roles tab, and click on the Create Application Role button (Figure 1).

Figure 1. Creating a new user-defined application role

Enter suitable values for the application role name, display name and an optional description, then conclude the process by clicking on the Create button (Figure 2).

Figure 2. The Create Application Role dialog

As an alternative, you can create an application role with the same permissions as one of the predefined application roles. To do it, begin by clicking on the name of a predefined application role in the Application Roles tab, and then select the Permissions option. Within this section, expand the action menu, select Copy Permissions To, and then select New Application Role (Figure 3).

Figure 3. Copying permissions to a new application role

You can also copy permissions to an existing user-defined application role by selecting the Existing Application Role option from the previous menu.

Granting and Revoking Permissions for Application Roles

To grant individual permissions to a user-defined application role, begin by clicking on the name of the role in the Application Roles tab, select the Permissions option, and then click on the Add Permissions button (Figure 4).

Figure 4. Granting permissions to a user-defined application role

In the subsequent dialog, select the permission you want from the list, and click on the Add button to finalize the process (Figure 5).

Figure 5. The Add Permissions dialog

After selecting the Permissions option for a given user-defined application role, a list of permissions directly granted to that role is displayed. To revoke permissions, hover over them, click on the Remove Permission icon, and then click on the Remove button to confirm (Figure 6).

Figure 6. Revoking permissions for a user-defined application role

Conclusion

Until now, the all-or-nothing approach for handling permissions in Data Visualization posed a significant hurdle to its widespread adoption since administrators understandably preferred to fully disable it, rather than granting their users excessive power. The ability to handle individual permissions described in this article allows you to overcome the aforementioned barrier, enabling you to tune your Data Visualization security at finer grain than previously possible. I also had confirmation that the list of individual permissions will be expanded further, and I'm really looking forward to have this feature included in the next release of Oracle Analytics Server as well.