Implementing Custom Security in Oracle Fusion Analytics Warehouse
FAW Product Management and Engineering
Introduction
Oracle Fusion Analytics Warehouse (FAW) delivers a robust security framework that protects your
business data from unauthorized access, secures access to analytic objects based on the user’s job
functions and secures access to data they are allowed to view. The framework also provides you with
the ability to view, create or administer objects in the semantic model.
Additionally, FAW offers you the ability to configure security according to your specific needs, beyond
what is delivered out of the box. This document describes how you can configure data security to
address more complex requirements.
Security Framework in FAW
Figure 1 illustrates the basic security framework in FAW. FAW synchronizes users and groups from
Fusion Cloud Applications. These users and groups are then associated with FAW Licensed Groups that
allow you to access FAW’s pre-built analytics. They also specify the user’s system permissions (i.e.,
whether they can consume, author or administer content for a specific module). For example, users in
the “FAW Licensed ERP Authors” group can create visualizations in FAW specific to ERP Analytics Subject
Areas. Users are further constrained by their Job Roles, which in turn have Duty Roles and Data Roles.
Duty Roles are tied to the functional responsibilities of the user and allow you to restrict access to
specific Subject Areas, while Data Roles and Security Contexts help define the data access boundaries.
For example, a user with the “Workforce Core Analysis” Duty Role whose Business Unit security context is
defined as “California” can see headcount and turnover data for the California Business Unit of the
organization.
Advanced Data Security
FAW allows you to define advanced data security to meet more complex needs. Customers who want to
override the data security delivered as part of the FAW implementation for specific users can take
advantage of this capability. Data-level security in FAW is implemented in four basic steps:
1. Set up security assignments in a custom table that incorporate the desired security rules for the
specific users. This is your custom security data source.
2. Set up session variables and initialization blocks that obtain specific security-related information
when a user logs in. Initialization blocks obtain dimension members for each user session in
order to restrict row-level access to data in facts or dimensions.
3. Set up desired custom Application Roles (data roles) and assign desired users and groups to
these data roles.
4. Set up data filters that specify the values for specific dimensions that will be passed to the
session variable for the . While defining data filters, you can use functional groups to further
control how multiple data filters will be applied.
The following section shows an example of an advanced security implementation.
Example
In this example, we will take the case of the user Ravi Chouhan, a line manager who also needs to view
data: for his department, grade, or his own record. The following requirements need to be met:
● As a line manager, Ravi should have access to assignments within his reporting hierarchy and his
own assignments.
● As an analyst, Ravi should have access to:
o Person assignments from department = “BI_HR-Dept14-Business Visit Unit”
o Grade: “BI_HR_IC3 - Individual Contributor Pay Grade 03”
The following steps show how this can be set up in FAW:
1) Setup custom security assignment data in custom schema
● Login to ADW’s custom schema (OAX$OAC).
● Create a table as per the custom security Assignments requirement per user.
o For this use case, create a custom table with following columns
▪ USERNAME
▪ SEC_OBJ_CODE
▪ SEC_OBJ_NUMBER
▪ SEC_OBJ_NAME
● As an analyst and line manager Ravi has access to multiple departments and grades, so insert
one record for each of those.
2) Customize FAW to create session variables that return the list of departments and grades for the
logged-in user
● Log in to the FAW console as a Service Admin (or a user assigned a modeler role)
● Navigate to Semantic Model Extensions → User Extensions
● Create a Branch and Add Step → Add Session Variables
● Add Session variables for grade and department list. You will also need to create the
Initialization blocks as part of the process. Ensure the “Row-wise initialization” check box is
selected if the variable is to return a list of values
[Figure 5: Initialization blocks]
● Merge the steps to Main branch
● Click Create a Tag and name it appropriately, e.g., Variable_List
● Publish Model
3) Create Custom Roles in the Security Console
● Navigate to Console → Security → Application Roles
● Create new Application role: AA_CUSTOM_LM_DATA_ROLE
● Navigate to Security → Groups
● Create new Group: AA Custom Line Manager
● Add AA_CUSTOM_LM_DATA_ROLE to AA Custom Line Manager Group
● Add Required Duty roles
● Add user TM-RCHOUHAN (Ravi Chouhan) to the group
4) Setup data filters for the custom role
● Navigate to Console → Semantic Model Extensions → Security Configurations
● Click Add Data Security Step
▪ Provide a step name
▪ Choose AA_CUSTOM_LM_DATA_ROLE for the application role. Click Next
▪ Choose Logical Objects from the Available Objects dropdown and add security clause for
each object to be secured.
▪ Sample:
o Dim – Grade
o Dim – Department
o Dim – Assignment Details
o Dim – Worker
o Fact – Assignment
o Fact – Assignment Event
● Click Finish
● Publish Model
● Monitor the published activity, until it is completed.
Examine the Physical SQL generated for Ravi Chouhan
In the generated Physical SQL, you would notice that there is an OR clause generated with the
contexts used in security:
Points to note
While implementing custom data security, the following points should be noted:
1. Do not re-use any data roles delivered out-of-the-box (OOTB) in FAW. The behavior of these seeded
roles cannot be altered if used as part of a custom role implementation. This includes using
functional group construct on OOTB roles – this is not supported.
2. All data roles used as part of a custom security implementation need to be custom roles
3. Create a custom role for each unique combination of dimension security context. For example, if
you need to configure data security for a group of users by Line Manager + Department + Grade,
and another group by Line Manager + Grade, create separate data roles for each
4. Create a custom role for each variation of AND vs OR scenario, even though the same combination
of dimension is to be used. For example, if a Line Manager needs to have data secured by Line
Manager OR (Business Unit AND Grade), and the HR analyst role also needs the same, they are two
different personas having different security. You will need to create a separate custom role for each
such scenario.
5. Secure all required facts and dimensions with these custom roles. You should not combine facts and
dimensions that are partially secured by these custom roles, i.e., some are secured by custom roles
while others are secured by out-of-the-box roles. Custom and out-of-the-box roles cannot be
applied together.
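The four setup steps and the AND-versus-OR distinction in point 4, modeled as an added example (not Oracle's code and not the SQL that FAW generates). It uses SQLite in place of ADW; the table names, the SEC_OBJ_CODE values, the numeric IDs and the single manager column standing in for the reporting hierarchy are assumptions.

```python
import sqlite3

# Constructed sample data. Table names, SEC_OBJ_CODE values and IDs are hypothetical.
SETUP = """
CREATE TABLE custom_sec_assignments (  -- step 1: custom security data source
  USERNAME TEXT, SEC_OBJ_CODE TEXT, SEC_OBJ_NUMBER INTEGER, SEC_OBJ_NAME TEXT);
INSERT INTO custom_sec_assignments VALUES
  ('TM-RCHOUHAN', 'DEPARTMENT', 14, 'BI_HR-Dept14-Business Visit Unit'),
  ('TM-RCHOUHAN', 'GRADE', 3, 'BI_HR_IC3 - Individual Contributor Pay Grade 03');
CREATE TABLE assignment (id INTEGER, manager TEXT, dept_id INTEGER, grade_id INTEGER);
INSERT INTO assignment VALUES
  (1, 'TM-RCHOUHAN', 20, 5),  -- in Ravi's reporting hierarchy
  (2, 'OTHER-MGR', 14, 5),    -- secured department only
  (3, 'OTHER-MGR', 20, 3),    -- secured grade only
  (4, 'OTHER-MGR', 14, 3),    -- secured department and grade
  (5, 'OTHER-MGR', 20, 5);    -- no matching security context
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def session_list(db, user, code):
    """Step 2: the values a row-wise initialization block would load at login."""
    rows = db.execute(
        "SELECT SEC_OBJ_NUMBER FROM custom_sec_assignments "
        "WHERE USERNAME = ? AND SEC_OBJ_CODE = ?", (user, code))
    return [r[0] for r in rows]

def in_list(column, values):
    # An empty variable must match no rows; "IN ()" is not valid SQL.
    return f"{column} IN ({','.join('?' * len(values))})" if values else "1 = 0"

def visible_ids(db, user, combine="OR"):
    """Step 4: line manager OR (department <combine> grade) as the row filter."""
    if combine not in ("OR", "AND"):
        raise ValueError("combine must be 'OR' or 'AND'")
    depts = session_list(db, user, "DEPARTMENT")
    grades = session_list(db, user, "GRADE")
    where = (f"manager = ? OR ({in_list('dept_id', depts)} "
             f"{combine} {in_list('grade_id', grades)})")
    sql = f"SELECT id FROM assignment WHERE {where} ORDER BY id"
    return [r[0] for r in db.execute(sql, (user, *depts, *grades))]

if __name__ == "__main__":
    db = build_db()
    print(visible_ids(db, "TM-RCHOUHAN", "OR"), visible_ids(db, "TM-RCHOUHAN", "AND"))
```

The same user and the same dimensions expose different rows depending on whether the filters are joined with OR or AND. A user with no rows in the custom table sees nothing, because an empty variable is turned into a predicate that matches no rows.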
Conclusion
The FAW security framework provides robust capabilities to secure user access to analytic objects and
the data shown within those objects. The framework also allows you to implement your own security
rules, as shown in the sections above. It should be kept in mind that implementing custom security is
often complex and requires a good understanding of your business rules, the tools and options available
to customize security and availability of technical and functional resources. We encourage customers
considering implementation of this framework to consult with Oracle Partners and/or System
Integrators, who bring considerable domain and technical knowledge to design, implement, automate
and support complex, custom security implementations within FAW.