BIP Reports - Chapter 15: Securing BI Publisher Reports in Oracle Fusion (Role-Based Access for Global HR)

 


This chapter helps you:

  • Control who can run/view a report

  • Apply data-level filters based on user role (HRBP, Line Manager, etc.)

  • Use Fusion’s security model to secure BI reports

  • Avoid accidental data exposure


1. Types of Security in BI Publisher

| Type | Controls |
| --- | --- |
| Object-level | Who can run/view the report |
| Data-level | What data users see inside report |
| Fusion Role-based | Combines both for HR use cases |

2. Object-Level Security: BI Catalog Permissions

In Catalog > Report > More > Permissions, you can:

  • Grant access to specific roles (e.g., HR Analyst, Line Manager)

  • Set permissions like:

    • Read (view/run)

    • Write (edit layout)

    • Schedule (submit jobs)

🔒 Example: Only the HRBP role can schedule employee reports.


3. Data-Level Security with Fusion Roles

You can dynamically filter report data based on the logged-in user's role, using Fusion security profiles.


🎯 Use Case: HRBP Sees Only Their Business Unit

Step 1: Create Security Profile (In Fusion)
  • Go to: My Client Groups > Workforce Structures > Manage Data Roles and Security Profiles

  • Create or edit a custom role (e.g., HRBP – North BU)

  • Define a Person Security Profile scoped to Business Unit: North

Step 2: Assign Role to User
  • Assign this role using Manage User Accounts

Step 3: Use session_user in SQL Filter
```sql
SELECT ...
FROM per_all_people_f per
JOIN ...
WHERE fnd_global.user_name = :P_USER -- passed at runtime
```

Or use the Fusion bind variable directly:

```sql
:fnd_global.user_id
```

🧠 Oracle automatically passes session context to BI Publisher if you reference session variables correctly.


4. Restricting by Manager Hierarchy

Use PER_PEOPLE_X_MANAGERS to show only direct/indirect reports of the logged-in manager.

```sql
SELECT per.full_name
FROM per_all_people_f per
JOIN PER_PEOPLE_X_MANAGERS pxm
  ON per.person_id = pxm.person_id
WHERE pxm.manager_id = fnd_global.person_id
```

This ensures a line manager sees only their team — even if they try to modify the report filters.
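An added example, not from the original post: a small Python check for verifying the claim above when you test the report as several users. It compares the person IDs each test manager's run returned against that manager's direct and indirect reports; the hierarchy links and report rows are constructed sample data standing in for exported report output.

```python
from collections import defaultdict

# Constructed sample data: (person_id, manager_id) direct-report links,
# standing in for what the manager hierarchy table resolves.
DIRECT_REPORTS = [(101, 100), (102, 100), (201, 101), (202, 101), (301, 300)]

# Constructed report output: person_ids returned when the report was run
# while logged in as each test manager (keyed by the manager's person_id).
REPORT_ROWS = {
    100: [101, 102, 201, 202],  # full subtree: expected
    101: [201, 202, 102],       # 102 is a peer, not a report: leak
    300: [],                    # 301 is missing: filter too strict
}

def allowed_scope(manager_id, links):
    """Return every direct and indirect report of manager_id."""
    children = defaultdict(set)
    for person, mgr in links:
        children[mgr].add(person)
    scope, stack = set(), [manager_id]
    while stack:
        for person in children[stack.pop()]:
            if person not in scope:  # also guards against cycles in bad data
                scope.add(person)
                stack.append(person)
    return scope

def audit(report_rows, links):
    """Flag rows outside a manager's scope (leaked) and rows absent from it (missing)."""
    findings = {}
    for manager_id, rows in report_rows.items():
        scope = allowed_scope(manager_id, links)
        returned = set(rows)
        leaked = sorted(returned - scope)
        missing = sorted(scope - returned)
        if leaked or missing:
            findings[manager_id] = {"leaked": leaked, "missing": missing}
    return findings

if __name__ == "__main__":
    for manager_id, result in audit(REPORT_ROWS, DIRECT_REPORTS).items():
        print(manager_id, result)
```

Any non-empty "leaked" list means the data-level filter let rows through that the hierarchy does not justify.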


5. Secure Delivery via Bursting

When bursting reports (see Chapter 12), ensure:

  • Email addresses are mapped from Fusion roles

  • Bursting SQL filters data based on role/security profile

Avoid sending full reports to broad recipients unless absolutely safe.


6. Folder-Based Access Control

Organize reports like this:

```
/Custom/Human Capital/HRBP/          HRBP-only reports
/Custom/Human Capital/LineManager/   Line Manager reports
/Custom/Public/                      Shared summaries (no sensitive data)
```

Use Catalog > Folder Permissions to grant access to specific roles only.


7. Use BI Publisher Security Best Practices

| Best Practice | Why It Matters |
| --- | --- |
| Never expose raw person_id in layout | Prevents misuse of IDs |
| Always test as multiple roles | To verify access behavior |
| Use Fusion security context variables | Integrates cleanly with Fusion |
| Avoid hardcoded filters in SQL | Makes security dynamic |
| Use separate reports for separate audiences | Easier to maintain |

8. Summary

Now you can:

  • Secure BI reports at object and data level

  • Use Fusion roles to filter what each user sees

  • Protect sensitive HR data from exposure

  • Design smarter HR reporting experiences


📌 Next Chapter Preview:

Chapter 16: BI Publisher Integration with OTBI and SmartView

  • Use BI Publisher data in OTBI dashboards

  • Download reports to Excel using SmartView

  • Blend data from OTBI + BIP for advanced analysis
