Oracle Analytics Cloud and Server

Home Oracle Analytics Oracle Analytics Forums Oracle Analytics Cloud and Server Oracle Analytics Cloud and Server

Categories

Welcome to the Oracle Analytics Community: Please complete your User Profile and upload your Profile Picture

Avoid DV Content Author to have access to Machine learning ?

Accepted answer
32
Views
8
Comments
Boris Gisselere
Boris Gisselere Rank 4 - Community Specialist
in Oracle Analytics Cloud and Server

How can I manage to avoid DV Content Author to have access to Machine learning ?

image.png

I've seen a permissions author_MLmodel but it seems to be strictly bind to va.author :

image.png

Maybe is it possible to desactivte it but i did not find how to do it

Regards

Boris.

Tagged:

Best Answer

  • SteveF-Oracle
    SteveF-Oracle Mod
    edited Apr 9, 2025 4:19PM Answer ✓

    Hi @Boris G. ,

    Welcome to the Oracle Analytics Community!

    Typically, this would be achieved via a specific permission, About Permissions

    However, since one does not exist, it would fall under an Idea Lab request (enhancement )

    There is already an Idea Lab request for this which is marked "Under Review"

    https://community.oracle.com/products/oracleanalytics/discussion/10269/restrict-access-to-options-in-dv-navigator?utm_source=community-search&utm_medium=organic-search&utm_term=machine+learning+permission

    You can up-vote and comment on the request.

    Thank you for your question.

    @Adam Bloom-Oracle

Answers

  • Gianni Ceresa
    Gianni Ceresa Mod
    edited Apr 9, 2025 8:30PM

    Hi Boris,

    You tagged OAS, therefore I assume you are using that product.

    In OAS you have full control on your security model, you can adjust policies as per your requirements, and remove the one you don't want to have, granting it to a new role, let's say "DV Content Author with ML". And use inheritance to make sure that it does inherit the rest of the DV Content Author permissions and grants in case you need the equivalent of the out of the box role.

    And then you just assign roles as needed.

  • Boris Gisselere
    Boris Gisselere Rank 4 - Community Specialist
    https://community.oracle.com/products/oracleanalytics/discussion/comment/66176#Comment_66176

    Hello Adam,

    I saw the request in Idea Lab, it's exaclty what I was searchinf for. Thank you.

    I will then follow it and see what happen there !

  • Boris Gisselere
    Boris Gisselere Rank 4 - Community Specialist
    https://community.oracle.com/products/oracleanalytics/discussion/comment/66179#Comment_66179

    Hello again Gianni,

    I already tried this way but the issue was with granularity of premissions that I don't have the one I need.

    I hope to be clear enough as my mother tongue is not english 🙄

  • Gianni Ceresa
    Gianni Ceresa Mod

    Pas de soucis Boris, je comprends bien ce que vous essayez de faire :)

    What version of OAS are you using? (they should be mostly the same, but just to be sure)

    I didn't look into the DV policies and various privileges recently, I will look at what is in there once I find an OAS around…

  • Gianni Ceresa
    Gianni Ceresa Mod
    image.png

    This is what I meant with looking into the policies linked with DV Content Author.

    In OAS you still have full access to the permission sets, and you could look into the resources and permissions linked to the application role via the permission set, and try to find something matching your needs (by name and guessing only: I did ask some years ago for the various policies resources to be documented, but Oracle said they didn't have such document internally and therefore there wasn't one that could be published).

  • Boris Gisselere
    Boris Gisselere Rank 4 - Community Specialist

    Yes,

    I follow the same path, and found this permission action (author_MLmodel) and resource (oracle_bi_resource_dataflow) but I was blocked by the fact that I don't know how to modify (va.author) permission set to remove this action.

    Or maybe you suggest to create a new permission set (va.author like) without this permission action ?

    Is this possible ?

  • Gianni Ceresa
    Gianni Ceresa Mod

    Here is where Oracle said there wasn't a need to document the details of the permission sets…

    The doc only cover the permission set itself: https://docs.oracle.com/en/middleware/bi/analytics-server/security-oas/grant-or-revoke-permissions-assignments.html

    But, there are WLST commands that allow to work "inside" the permission sets.

    On https://docs.oracle.com/en/middleware/fusion-middleware/platform-security/12.2.1.4/idmcr/security_wlst.html you can see that there are many commands available. A permission set is called "entitlement" in the WLST commands.

    There is for example the command getEntitlement that let you display the resources and actions for a permission set.

    If you execute getEntitlement(appStripe='obi', name='va.author') you get the output of the screenshot above coming from FMW EM.

    Then there are commands like revokeResourceFromEntitlement or addResourceToEntitlement that allows you to remove or add a resource to a permission set.

    Those commands could be used to remove the ML resource from the va.author permission set.

    An alternative approach could be to use createEntitlement and create a permission set that replicates va.author but without the pieces you don't want, you can then grant the new permission set to the application role instead of va.author (meaning that you don't touch va.author, giving you more chances to be able to restore things if you broke everything by mistake).

    I didn't test if it does work and what is the result. In my scripts I usually only list the resources for a permission set to compare across environments when doing migrations. I never had the need to remove or add a resource myself. But the commands are documented and should do the job.

    (No need to say that you should only run this on an environment you can afford to lose, because when you are down there so deep things could go wrong…)