Thank you for the clarification. However, this remains a critical security concern for our organization.

The core issue: Users can see ALL DV objects in the catalog regardless of their application roles, because every role inherits DV Consumer permissions by default and these cannot be removed.

Business Impact Example: Our CEO Dashboard containing sensitive financial data is currently visible to all managers and directors in the catalog, even though they cannot access it. This violates our data governance policies and creates compliance risks.

Request:

1. What is the specific timeline for the planned enhancements mentioned?
2. Does Oracle have an official interim workaround for organizations requiring strict object-level visibility controls?
3. Can this be escalated as a security concern rather than a feature request?

This limitation makes OAC DV unsuitable for enterprise deployments with confidential content. We need either a solution or an official acknowledgment of this security gap for our risk assessment documentation

Hi @GayathriAnand-Oracle ,

Thank you for the detailed response.

We are using OAC DV exclusively (no classic version) with AD groups configured through IDCS.

I will check the following and report back:

1. IDCS ServiceViewer Role: Verify if ServiceViewer role is assigned to our default AD groups in IDCS Cloud Service Applications
2. AuthenticatedUser Membership: Check OAC Console > Users and Roles to see if AuthenticatedUser is a member of DV Consumer role

Questions for clarification:

• Should we avoid assigning ServiceViewer role to broad AD groups entirely?
• What is the recommended approach for granting appropriate DV access to AD groups without creating the "all users see all objects" issue?
• Are there other roles/permissions that might inadvertently grant broad DV Consumer access?

I'll test the suggested changes and update you with the results.

Thank you for pointing us toward the specific configuration areas to investigate.

Hi GayathriAnand-Oracle

Thank you for your assistance with our previous queries. We need detailed step-by-step guidance on implementing proper object-level security in our OAC environment.

Our Current Environment:

• Oracle Analytics Cloud (OAC) with Data Visualization (DV)
• Backend: Oracle Essbase (data security managed at Essbase level)
• Identity Management: Oracle Identity Cloud Service (IDCS)
• Authentication: Active Directory (AD) groups synced with IDCS
• Issue: All users can see all DV workbooks despite having different AD group memberships and application role assignments

Specific Assistance Required:

1. DV Consumer Role Removal: Could you please help us with step-by-step instructions for:

• How to safely remove the DV Consumer role from existing application roles in IDCS without breaking user functionality?
• What are the prerequisite checks we should perform before removing this role?
• Are there any dependencies or warnings we should be aware of?
• What is the rollback procedure if we encounter issues?

2. Object-Level Security Implementation with IDCS: - We need detailed guidance on:

• The correct method to implement workbook-level access control using AD groups through IDCS
• Step-by-step process to assign specific DV workbooks/projects to AD groups without using the DV Consumer role
• How to configure IDCS application roles for granular DV object access
• Best practices for mapping AD groups → IDCS roles → OAC DV object permissions

3. IDCS Configuration Steps: - Since we're using IDCS as our identity provider, please help us with:

• Specific IDCS console navigation steps for role management
• How to create custom application roles in IDCS for OAC DV access
• Proper way to assign AD groups to these custom roles
• How to verify the configuration is working correctly