Categories
- All Categories
- 5 Oracle Analytics Sharing Center
- 11 Oracle Analytics Lounge
- 195 Oracle Analytics News
- 41 Oracle Analytics Videos
- 15.5K Oracle Analytics Forums
- 6K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 68 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
Catalog folder level security OAS 2024
Hi All,
we have built a new environment.
I have 6 folders, and 4 application Roles as of now
Role1 - BIcontentAuthor role mapped
Role2 - Bi consumer role mapped
Role3 - BIcontentAuthor role mapped
Role4 - BI consumer role is mapped
Folder1 - Read & Write for Role1 and Consumer access to Role2
Folder2 - Read & Write for Role1 and Consumer access to Role2
Folder3 - Read & Write for Role3 and Consumer access to Role4
Folder4 - Read & Write for Role3 and Consumer access to Role4
Folder5 - Read & Write for Role1
Folder6 - Read & Write for Role2
on top of above, I have 2 more roles
AuthorUserRole —-should have read/write/delete access to all the 4 folders
ConsumerUserRole ——should have read access to all the 4 folders
when I try giving permissions at folder level, I see permissions are getting replaced. do I need to start giving permissions from lowest folder. (like under path Shared/ABCfolder/folder1/ - i have 2 folders SAcontent and ReportsFolder)
so do I start providing permissions from SAcontent and ReportsFolder.
when I select application role on permissions of "ABCfolder" I see option Replace Options dropdown which is automatically replacing the child level folder permissions all the time,
so do I need to start giving permissions from child level and go upwards giving access.
also I assume for all these app roles I need to provide Subject area level Read and write permissions.
Best Answer
-
From the doc I linked above:
If you select either Replace Listed Accounts or Remove Listed Accounts, then make sure that you also remove from the list in the Permissions area the entries that you do not want changed.
In theory you could use the "Replace Listed Accounts" to only add the 2 new you need.
In practice, I didn't try that to make sure it doesn't destroy anything unexpectedly …
For sure you better backup your catalog before modifying it.
And then again: if you have a same set of permissions to set on all the objects inside those folders, you can let the tool apply them recursively.
The behaviour of the product is well defined (assuming there aren't bugs), it does give you many options to make your job quickly in just a few clicks.
You don't HAVE to apply from bottom-up, that's your choice. You can still do it top-down, you can do it in a random order, doesn't matter. You need to know exactly if you can use the checkbox to modify all the items in a folder or all the sub-folders too, and then the order doesn't matter as long as you apply the security model you need.
0
Answers
-
Hi,
You can do as you prefer, it depends on you if you want to set permission bottom-up and never use any inheritance or you want to go top-down and use inheritance to do less work.
The "Replace Options" you can see it described at , it's a way to make your life easier when you have lots of permissions.
I would say most of the time the default "Replace all" make sense: permissions will be what you see in the permission pop-up, nothing more, nothing less. The apply permission checkboxes for the sub-folders or items within folder are just there to make your life easier when you want to modify many objects in one click.
Of course you also need to be careful, because with just a checkbox you can replace the whole security on a full branch of your catalog tree, and that's maybe not what you want.
In your case, if all the objects and folders inside your top 6 folders need to have the same permissions, the 2 checkboxes let you set everything with a single click.
Subject areas permissions don't have a link with the catalog, that depends on your security model, we can't assume what permission you need there.
You should consider having a fully documented security model, that allows you easily check if you covered all your need.
Excel can actually help, making a pivot crossing catalog structure and features permissions and RPD permissions with your application roles. This will also usually help you decide if you need a new application role when new requirements are defined, or if you can simplify your model by grouping some roles together.
There isn't a fixed rule for the security model: some split catalog & content permissions from product features, and use the combination of 2 approles to give users access to the right content with the right set of features. Others just have a single list of approles that mix features privileges and content permissions. Both works, your security model depends on your needs and only your needs: nothing is mandatory.
0 -
Thank you for the reply,
initial setup is completed for security for all the above mentioned Roles,
I need what I applied already for other application roles.
now I'm asked to add below 2 rolesAuthorUserRole —-should have read/write/delete access to all the 4 folders
ConsumerUserRole ——should have read access to all the 4 folders
when I try applying on shared folder as replace dropdown replaces existing setup, so i wants to know know if I need to apply from child folder and upwards, on each folder I need to apply permissions.
is my understanding correct!
Thank you0