Oracle APEX Blog

Oracle Data Visualization Cloud Service – Controlling Access

Written by Philip Ratcliffe | Jul 13, 2016 10:48:00 AM

Last month, I provided an overview of Oracle’s growing Data Visualization portfolio, particularly with the launch, in recent months, of Data Visualization Cloud Service (DVCS) and Data Visualization Desktop (DVD).

I promised to investigate specific areas of functionality over the coming months, and this month I will focus particularly on controlling access to projects, data sources and functionality within DVCS.

Key Concepts

The functionality, the shared folders and projects, and the data sets within Visual Analytics projects that users can access are all managed by configuration in the Users & Roles section within the Console area.

Figure 1. Users & Roles section within Console area

My Services

DVCS users and roles are actually defined within Oracle Cloud My Services, not DVCS. It is here that user and role profiles are created and where roles can be associated with particular cloud services, including Data Visualization Cloud Service. There are some pre-defined roles in My Services, principally the Identity Domain Administrator, a role that by default gets administrator privileges in DVCS.

Application Roles

However, it is the configuration of application roles within DVCS that forms the foundation of determining what users can see and do in DVCS.

There are four pre-defined application roles with a fixed set of privileges, in a hierarchical structure where child application roles inherit privileges from a parent.

| Application Role | Description | Default Member |
|---|---|---|
| Administrator | Delegate privileges – access to console to perform administrative tasks e.g. + User privileges | Identity Domain Administrator |
| User | Create visualizations, explore and load data (including with Rest API and Data Sync) + Viewer privileges | Administrator |
| Viewer | View and run visualizations | User |
| Data Loader | Not used | |

Additionally, custom application roles can be created, with the privileges determined by assigning them to the pre-defined application roles as members. Alternatively, users or roles can be assigned to application roles as members.

The screenshots below show a simple example where I have created two custom application roles: ‘Explorer Development’ and ‘Explorer Sales’. ‘Explorer Development’ has been assigned to the ‘User’ application role and will inherit its privileges, and ‘Explorer Sales’ has been assigned to the ‘Viewer’ application role and will inherit its privileges. I have then assigned a user ‘ViewerTest’ to the custom application role ‘Explorer Sales’.


Figure 2. Custom application roles defined in Console > Users & Roles


Figure 3. Assigning Predefined Application Roles to Custom Application Roles


Figure 4. Assigning Users to Custom Application Roles

By configuring users, roles and application roles within the Console, administrators can manage what users can do. Now we can go on to look at how application roles are used to control what users can see.

Controlling Access to Projects

Control of users’ access to Visual Analyzer projects is managed within the Catalog area of DVCS. Both folders and individual projects can have permissions defined independently.

Folder and project permissions can be assigned to users or to application roles.

There are several permission levels that can be granted, listed below.

| Folder Permissions | Available Functions |
|---|---|
| Full Control | Full Control (Modify plus change permissions and set ownership) |
| Modify | Read, Write, Delete, Traverse |
| Open | Read, Traverse |
| Traverse | Traverse |
| No Access | None |
| Custom | Any combination of: Read, Traverse, Write, Delete, Change Permissions, Set Ownership |

| Project Permissions | Available Functions |
|---|---|
| Full Control | Full Control (Modify plus change permissions and set ownership) |
| Modify | Read, Write, Delete, Execute |
| Open | Read |
| No Access | None |
| Custom | Any combination of: Read, Traverse, Write, Delete, Change Permissions, Set Ownership |

So, continuing the theme from above, the screenshots below show how the ‘Explorer Development’ application role has been given ‘Modify’ access to the project in the Development sub-folder within the Company Shared folder. Both the ‘Explorer Sales’ and ‘Explorer Development’ application roles have been provided with ‘Read’ and ‘Traverse’ access to the ‘PCW15 – Sales’ project in the ‘Sales’ sub-folder within the Company Shared folder.

Figure 5. Project Permissions in Catalog – Development

Figure 6. Project Permissions in Catalog – Sales

Controlling Access to Data

The final key aspect of permissions in DVCS is controlling access to data.
As with permissions to folders and projects, these are managed by assigning users and/or application roles to individual data sources.

Within the Data Source menu option, for an individual data source, select Option, then Inspect, then the Permissions tab to manage the permissions for a dataset.

There are several permission levels that can be granted, listed below.

| Data Source Permissions | Available Functions |
|---|---|
| Full Control | User can modify and set permissions on the dataset |
| Modify | User can read, refresh data, and edit dataset properties |
| Read | User can view and create projects using this dataset |
| No Access | User can’t view or access the dataset |

If at least ‘Read’ level permission isn’t granted to a particular user/application role for any data source used by a project, then the associated users will not be able to see the Visual Analyzer project, even if they have sufficient folder/project permissions.

Again, continuing on the theme, I have granted ‘Read’ permission to ‘Explorer Sales’ and ‘Modify’ permission to ‘Explorer Development’ application roles, for all data sources used by the Sales VA project. The data source ‘PCW15 D Stores’ is used in the example screenshot below.


Figure 7. Setting Permissions for Data Sources

Now, having applied the appropriate level permissions to my application roles, we can check that users have the expected access. So, user ViewerTest with Read access to the ‘PCW15 – Sales’ project and to the data sources that it references is able to access the project, but cannot save changes.

Figure 8. Sharing VA Projects with Other Users
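
The rules described in this post (role membership, project permissions and the data source check) can be modelled to confirm what a user should be able to do before testing it in DVCS. This is an added example, not Oracle or DSP code: the dictionaries reuse the role, project and data source names from the post, and combining grants from several roles as a union is an assumption.

```python
# Simplified model of the access rules described in the post (not Oracle code).
# Assumption: grants reaching a user through several roles combine as a union.

# member -> application roles it is assigned to (names taken from the post)
MEMBER_OF = {
    "ViewerTest": {"Explorer Sales"},
    "Explorer Sales": {"Viewer"},
    "Explorer Development": {"User"},
    "User": {"Viewer"},          # default member of Viewer
    "Administrator": {"User"},   # default member of User
}
PROJECT_ACL = {  # project -> {principal: functions granted}
    "PCW15 – Sales": {
        "Explorer Sales": {"Read", "Traverse"},
        "Explorer Development": {"Read", "Traverse"},
    },
}
DATA_ACL = {  # data source -> {principal: permission level}
    "PCW15 D Stores": {"Explorer Sales": "Read", "Explorer Development": "Modify"},
}
PROJECT_SOURCES = {"PCW15 – Sales": {"PCW15 D Stores"}}
DATA_LEVELS = ["No Access", "Read", "Modify", "Full Control"]  # weakest first


def principals(user, member_of=MEMBER_OF):
    """The user plus every application role reached through membership."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(member_of.get(p, ()))
    return seen


def data_level(user, source, data_acl=DATA_ACL):
    """Strongest data source permission held directly or through a role."""
    who = principals(user)
    grants = [lvl for p, lvl in data_acl.get(source, {}).items() if p in who]
    return max(grants, key=DATA_LEVELS.index, default="No Access")


def project_access(user, project, data_acl=DATA_ACL):
    """Project functions the user effectively holds; an empty set means hidden."""
    who = principals(user)
    funcs = set()
    for p, granted in PROJECT_ACL.get(project, {}).items():
        if p in who:
            funcs |= granted
    # Rule from the post, read here as: every data source the project uses
    # needs at least Read, otherwise the project is not visible at all.
    if any(data_level(user, s, data_acl) == "No Access"
           for s in PROJECT_SOURCES.get(project, ())):
        return set()
    return funcs
```

With the configuration from the post, `project_access("ViewerTest", "PCW15 – Sales")` contains Read but not Write, which matches ViewerTest being able to open the project without saving changes; passing a `data_acl` that omits ‘Explorer Sales’ hides the project entirely.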

Controlling Access in DVD

The concepts supporting access controls that I have summarised are not relevant to DVD. DVD is a single installation to a specific PC desktop device, intended for use only by the user of that device. Users will be able to create, manipulate and export/import visual analytics projects based on data sets for which their access is controlled externally e.g. access to database, network drives etc. This, perhaps, could be regarded as the equivalent in DVCS of a default granting of User application role with Modify permissions.

The concept of shared access does not exist as it does in DVCS, so there is no requirement for the Console, or for administrator-level user access to configure application roles and role membership.

Summary

By providing a limited number of pre-defined application roles for DVCS with pre-set attributes, and by using application roles as the foundation of permissions control, Oracle has ensured that controlling access within DVCS should be quite straightforward.

And yet, by providing different permission levels separately to control access to functionality, projects and data sources, it should be flexible enough to manage access controls effectively.

Next month, I shall investigate further into the management of Data Sources in DVCS and DVD.

Trial Data Visualization

Both DVCS and DVD are available to use to trial / evaluate:

 


Author: Philip Ratcliffe

Job Title: Oracle APEX Development Consultant

Bio: Philip is a Development Consultant at DSP-Explorer. Building on considerable experience in development including using Oracle PL/SQL and supporting Oracle EBS, Philip is employing APEX to provide quality, bespoke software solutions to a range of organisations.