Last month, I provided an overview of Oracle’s growing Data Visualization portfolio, particularly with the launch, in recent months, of Data Visualization Cloud Service (DVCS) and Data Visualization Desktop (DVD).
I promised to investigate specific areas of functionality over the coming months, and this month I will focus particularly on controlling access to projects, data sources and functionality within DVCS.
What users can access (the functionality, the shared folders and projects, and the data sets within Visual Analytics projects) is managed by configuration in the Users & Roles section within the Console area.
Figure 1. Users & Roles section within Console area
DVCS users and roles are actually defined within Oracle Cloud My Services, not DVCS. It is here that user and role profiles are created and where roles can be associated with particular cloud services, including Data Visualization Cloud Service. There are some pre-defined roles in My Services, principally the Identity Domain Administrator, a role that by default gets administrator privileges in DVCS.
However, it is the configuration of application roles within DVCS that forms the foundation of determining what users can see and do in DVCS.
There are four pre-defined application roles with a fixed set of privileges, in a hierarchical structure where child application roles inherit privileges from a parent.
Application Role | Description | Default Member |
Administrator | Delegate privileges – access to console to perform administrative tasks e.g. + User privileges | Identity Domain Administrator |
User | Create visualizations, explore and load data (including with Rest API and Data Sync) + Viewer privileges | Administrator |
Viewer | View and run visualizations | User |
Data Loader | Not used |
Additionally, custom application roles can be created, with the privileges determined by assigning them to the pre-defined application roles as members. Alternatively, users or roles can be assigned to application roles as members.
The screenshots below show a simple example where I have created two custom application roles: ‘Explorer Development’ and ‘Explorer Sales’. ‘Explorer Development’ has been assigned to the ‘User’ application role and will inherit its privileges, and ‘Explorer Sales’ has been assigned to the ‘Viewer’ application role and will inherit its privileges. I have then assigned a user ‘ViewerTest’ to the custom application role ‘Explorer Sales’.
Figure 2. Custom application roles defined in Console > Users & Roles
Figure 3. Assigning Predefined Application Roles to Custom Application Roles
Figure 4. Assigning Users to Custom Application Roles
By configuring users, roles and application roles within the Console, administrators can manage what users can do. Now we can go on to look at how application roles are used to control what users can see.
Control of users’ access to Visual Analyzer projects is managed within the Catalog area of DVCS. Both folders and individual projects can have permissions defined independently.
Folder and project permissions can be assigned to users or to application roles.
There are several permission levels that can be granted, listed below.
Folder Permissions | Available Functions |
Full Control | Full Control (Modify plus change permissions and set ownership) |
Modify | Read, Write, Delete, Traverse |
Open | Read, Traverse |
Traverse | Traverse |
No Access | None |
Custom | Any combination of: |
Project Permissions | Available Functions |
Full Control | Full Control (Modify plus change permissions and set ownership) |
Modify | Read, Write, Delete, Execute |
Open | Read |
No Access | None |
Custom | Any combination of: |
So, continuing the theme from above, the screenshots below show how the ‘Explorer Development’ application role has been given ‘Modify’ access to the project in the Development sub-folder within the Company Shared folder. Both the ‘Explorer Sales’ and ‘Explorer Development’ application roles have been provided with ‘Read’ and ‘Traverse’ access to the ‘PCW15 – Sales’ project in the ‘Sales’ sub-folder within the Company Shared folder.
Figure 5. Project Permissions in Catalog – Development
Figure 6. Project Permissions in Catalog – Sales
The final key aspect of permissions in DVCS is controlling access to data.
As with permissions to folders and projects, these are managed by assigning users and/or application roles to individual data sources.
Within the Data Source menu option, for an individual data source, select Option, then Inspect, then Permissions tab to manage the permissions for a dataset.
There are several permission levels that can be granted, listed below.
Data Source Permissions | Available Functions |
Full Control | User can modify and set permissions on the dataset |
Modify | User can read, refresh data, and edit dataset properties |
Read | User can view and create projects using this dataset |
No Access | User can’t view or access the dataset |
If at least ‘Read’ level permission isn’t granted to a particular user/application role for any data source used by a project, then the associated users will not be able to see the Visual Analyzer project, even if they have sufficient folder/project permissions.
Again, continuing on the theme, I have granted ‘Read’ permission to ‘Explorer Sales’ and ‘Modify’ permission to ‘Explorer Development’ application roles, for all data sources used by the Sales VA project. The data source ‘PCW15 D Stores’ is used in the example screenshot below.
Figure 7. Setting Permissions for Data Sources
Now, having applied the appropriate levels of permission to my application roles, we can check that users have the expected access. So, user ViewerTest, with Read access to the ‘PCW15 – Sales’ project and to the data sources that it references, is able to access the project, but cannot save changes.
Figure 8. Sharing VA Projects with Other Users
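As an added illustration (not Oracle's code and not part of the original article), the Python sketch below models the two rules described above: application roles inherited through membership, and a project being visible only when the user also holds at least Read on every data source it uses. The ‘Explorer Audit’ role and ‘AuditTest’ user are hypothetical, and combining several grants by taking the highest level is an assumption.

```python
# Simplified model of the checks described above; an added sketch, not Oracle code.
# member -> application roles it belongs to (members inherit the role's privileges)
MEMBER_OF = {
    "Identity Domain Administrator": {"Administrator"},
    "Administrator": {"User"},
    "User": {"Viewer"},
    "Explorer Development": {"User"},
    "Explorer Sales": {"Viewer"},
    "ViewerTest": {"Explorer Sales"},
    "Explorer Audit": {"Viewer"},      # hypothetical role with no data source grant
    "AuditTest": {"Explorer Audit"},   # hypothetical user
}
SALES = "PCW15 – Sales"
PROJECTS = {SALES: {
    "datasets": ["PCW15 D Stores"],
    "grants": {"Explorer Sales": {"Read", "Traverse"},
               "Explorer Development": {"Read", "Traverse"},
               "Explorer Audit": {"Read", "Traverse"}},  # hypothetical grant
}}
DATASETS = {"PCW15 D Stores": {"Explorer Sales": "Read", "Explorer Development": "Modify"}}
DATASET_RANK = {"No Access": 0, "Read": 1, "Modify": 2, "Full Control": 3}

def effective_principals(name):
    """The principal itself plus every application role reached via membership."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(MEMBER_OF.get(cur, ()))
    return seen

def project_functions(user, project):
    """Union of project functions granted to the user or any inherited role (assumed)."""
    grants = PROJECTS[project]["grants"]
    return set().union(*(grants.get(p, set()) for p in effective_principals(user)))

def dataset_level(user, dataset):
    """Highest data source level granted through any principal; 0 when none applies."""
    grants = DATASETS.get(dataset, {})
    return max((DATASET_RANK[grants[p]] for p in effective_principals(user) if p in grants), default=0)

def can_see(user, project):
    """Visible only with Read on the project AND at least Read on every data source it uses."""
    if "Read" not in project_functions(user, project):
        return False
    return all(dataset_level(user, d) >= DATASET_RANK["Read"] for d in PROJECTS[project]["datasets"])

def can_save(user, project):
    """Saving changes additionally needs Write on the project."""
    return can_see(user, project) and "Write" in project_functions(user, project)

for u in ("ViewerTest", "AuditTest"):
    print(u, sorted(effective_principals(u)), can_see(u, SALES), can_save(u, SALES))
```

Run as an access review, this flags principals such as the hypothetical AuditTest, whose project grant has no effect because the matching data source grant is missing.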
The concepts supporting access controls that I have summarised are not relevant to DVD. DVD is a single installation to a specific PC desktop device, intended for use only by the user of that device. Users will be able to create, manipulate and export/import visual analytics projects based on data sets for which their access is controlled externally e.g. access to database, network drives etc. This, perhaps, could be regarded as the equivalent in DVCS of a default granting of User application role with Modify permissions.
The concept of shared access does not exist in DVD as it does in DVCS, so there is no requirement for the Console, or for administrator-level user access to configure application roles and role membership.
By providing a limited number of pre-defined application roles for DVCS with pre-set attributes, and by using application roles as the foundation of permissions control, Oracle has ensured that controlling access within DVCS should be quite straightforward.
And yet, by providing different permission levels separately to control access to functionality, projects and data sources, it should be flexible enough to manage access controls effectively.
Next month, I shall investigate further into the management of Data Sources in DVCS and DVD.
Both DVCS and DVD are available to use to trial / evaluate:
Author: Philip Ratcliffe
Job Title: Oracle APEX Development Consultant
Bio: Philip is a Development Consultant at DSP-Explorer. Building on considerable experience in development including using Oracle PL/SQL and supporting Oracle EBS, Philip is employing APEX to provide quality, bespoke software solutions to a range of organisations.