Safety and Controlling Separation of Duties in Business Intelligence

Security in Business Intelligence

When Oracle Business Intelligence is used to make business information accessible, security plays a crucial role. Users of the software are often grouped by departments, with specific data access depending on their roles.

BI Security

Within BI, there are three primary user roles:

• BI Consumers: Can interactively view BI Objects (Dashboards & Analytics).
• BI Authors: Can create and save their analyses.
• BI Administrators: Can manage all dashboards and publish analyses.

Each role has distinct access rights. BI Authors serve as an intermediate role; they can create analyses for the organization, but their data access can be restricted to specific areas.

Permissions and access levels are structured at two critical levels:

• Web Catalog – Determines who can view and use specific dashboards.
• Common Enterprise Information Model – Specifies which parts of the information model are accessible and which data can be filtered.

Schematically the above relates as follows:

Additional Security Guidelines

• Access rights are linked to roles, and roles are assigned to user groups.
• It’s advisable to define a specific role per group to keep access clear and manageable.
• In cases of access conflicts, the “least restrictive” principle applies, meaning users have access to the broadest permissions a role offers.
• Data can be restricted, for example, to information from specific branches or customer groups.

By default, no one has access to data until explicit access is granted. This “negative security” approach ensures that data remains secure and accessible only to authorized individuals.

JD Edwards Security

When Oracle JD Edwards has been in use for a long time, specific access levels are often established to support different roles and departments within the organization. Oracle BI allows these settings, such as access to company or departmental data, to be used in the Business Intelligence system. While this may seem straightforward, JD Edwards users are often operational employees, while BI users can include strategic leaders like managers or executives, necessitating a broader approach.

Beyond JD Edwards, Oracle Business Intelligence can also integrate data from other systems, such as an HR or laboratory system. For daily reports, Oracle BI offers a useful feature, BI Publisher, which extracts data from JD Edwards while respecting existing JD Edwards security settings. This means employees in Oracle JD Edwards with BI Publisher see the same data with the same security and user-friendly data display. 

Centralized User registration 

Oracle is making it increasingly easy to manage all software access from a single central system. This means users log in once and gain access to the relevant applications at the appropriate level. Oracle JD Edwards can also utilize this central system for user management, allowing a single login system (like Single Sign-On or Microsoft Active Directory) to provide access to all necessary tools.

Data Filtering

A powerful feature in Oracle BI is data filtering, which restricts information to what a user is authorized to see. For instance, a director can view data for all branches, while a manager can only view data for a specific region. These filter settings are part of the information model, ensuring only authorized data is visible.

Dashboards and acces

In Oracle BI, a dashboard contains information on a specific topic. BI tools ensure that employees only access dashboards and data relevant to their roles. For example, an HR employee wouldn’t have access to sales information.

An example:

A branch manager can view the revenue data for their own store in Oracle BI. Additionally, Oracle BI shows them their store’s contribution to total revenue and how they compare to other stores. However, they cannot see detailed information about other stores.

This example might seem like a security paradox, but Oracle Business Intelligence provides tools to make this possible. For instance, the system can limit displayed data (Pars Pro Toto) only if the figure is based on more than five components. If only two stores are involved, it would be easy for the branch manager to deduce the other store’s contribution. This ensures that averages and contributions are only shown when they represent a meaningful sample size. For instance, a percentage might only display if the average is based on at least ten elements.

This is an example of the powerful analytical capabilities Oracle Business Intelligence offers.

Definitions – One Version of the Truth

Once again, everything stands or falls with definitions. After all, data filtering restricts what you see and thus influences the complete truth. It is therefore important to include the roles, groups and data filtering in the description of the company definitions in the aforementioned company dictionary. Turnover is not just Turnover. The content of the grade depends on:

• How this is defined in terms of operating technology
• Which implementation issues in Oracle JD Edwards have been applied to administer this
• What conditions underlie the presentation
• Which restrictions must be applied from a security point of view

It is therefore important to involve security at an early stage in the analysis and design of the applications in Oracle Business Intelligence. It can have a major influence on the choices and approach of the realization and thus on the truth that one sees.

Security Matrix

A Security Matrix can be used to keep track of permissions, roles, and groups in Oracle BI. This matrix helps document which data and dashboards are accessible to different roles and user groups. It aids application administrators in identifying who needs access to new BI content, like dashboards.

Implementing a BI solution involves much more than reports or visually appealing dashboards. BI aims to make the right information available to the right people at the right time. Cadran supports companies with a project approach that avoids BI implementation pitfalls and helps organizations make decisions based on reliable data.