Monday, January 10, 2022

Granting Service Administrator privilege to OAC instance

 When working with Oracle Analytics Cloud (OAC) certain users need the super user privileges. The Service Administrator. The user that created the instance gets it by default. The standard setup of inside OAC (Console->Users and Roles->Application Roles->BI Service Administrator) is not enough.

One of the major problems is connecting to Data Modeler Client and getting an Error while all parameters seems fine.




 Most of what we need can be found in the A-Team blog, Provisioning Oracle Analytics Cloud Natively in Oracle Cloud Infrastructure. I will summarize the relevant parts.

When creating OAC instances, if the user is not OCI (Oracle Cloud Infrastructure) Admin, the user should be assigned to a group and the group should get a privilege to manage analytics-instances in the relevant compartment  see here for more about privileges.

allow group <IAM Group> to manage analytics-instances in compartment <Compartment>

 

Next we should get to the IDCS screen. Find the relevant Oracle Cloud Service and assign the User, Group or Application Role to the ServiceAdministrator Application Role.

This the detailed description of the above paragraph:

From Burger menu on the left select Identity & Security and Federation:

There click on the Identity Provider

 

And press the Oracle Identity Cloud Service Console link:

There select the burger menu and Oracle Cloud Services:

You might have one or many services there. Find the ANALYTICSINST that is relevant to you and click on it.

Now find the Application Roles tab. There click on the menu (on the right) for Service Administrator and assign User, Group or Application Role to it.

Once you select an option, a search screen with all possible values appears.

Select who you want to add to Service Administrator Application Role.



If you are interested in the relationship between "Application Roles Available in Oracle Cloud Infrastructure Console" and "Permissions in Oracle Analytics Cloud", you can find it here:

 https://docs.oracle.com/en/cloud/paas/analytics-cloud/acabi/users-and-groups.html#GUID-811DEC21-ECF8-4E98-86F3-8BC2088A11A4


 Basic table from documentation:

Application Roles Available in Oracle Cloud Infrastructure ConsolePermissions in Oracle Analytics Cloud

ServiceAdministrator

Member of BI Service Administrator, BI Data Model Author, and BI Data Load Author. Allows users to administer Oracle Analytics Cloud and delegate privileges to others.

The user who creates the service is automatically assigned this application role.

ServiceUser

Member of BI Content Author and DV Content Author.

Allows users to create and share content.

ServiceViewer

Member of BI Consumer and DV Consumer.

Allows users to view and explore content.

ServiceDeployer

Not used in Oracle Analytics Cloud.

ServiceDeveloper

Not used in Oracle Analytics Cloud.

Detailed table from Analytics perspective: 

Predefined Application
Role in Oracle Identity
Cloud Service

Default Members

Description

Predefined Application Roles in Oracle
Analytics Cloud

ServiceAdministrator

Administrator who created the
service

Allows users to administer Oracle Analytics Cloud and
delegate privileges to others using the Console.

BI Service Administrator

ServiceAdministrator

BI Service Administrator

Allows users to manage data models in Oracle
Analytics Cloud using Data Modeler

BI Data Model Author

ServiceAdministrator

BI Service Administrator

Allows users to load data.

BI Data Load Author

ServiceUser

BI Service Administrator

Allows users to create visualization projects, load data
for data visualizations, and explore data
visualizations.

DV Content Author

ServiceUser

BI Service Administrator

DV Content Author

Allows users to create analyses and dashboards in
Oracle Analytics Cloud and share them with others.

BI Content Author

ServiceViewer

DV Content Author

Allows users to explore data visualizations.

DV Consumer

ServiceViewer

DV Content Author
BI Content Author

BI Data Load Author

Allows users to view and run reports in Oracle
Analytics Cloud (projects, analyses, dashboards).
Use this application role to control who has access to
the service.

BI Consumer

ServiceDeployer

ServiceDeveloper

 

 

Not used






1 comment: