BIP Reports - Chapter 9: BI Publisher Security — Roles, Permissions, and Folder Access (Global HR Focus)

 


Security is critical when working with sensitive HR data in BI Publisher. Oracle Fusion uses a combination of:

  • Catalog folder permissions

  • Duty and job roles

  • Data-level security (via SQL)

In this chapter, you’ll learn how to:

  • Restrict access to HR reports

  • Create secure folders

  • Assign roles

  • Control data visibility at row level


1. Understanding BI Publisher Security Layers

| Layer | What It Controls |
|---|---|
| Catalog Security | Access to reports and folders (read/edit/run) |
| Role-Based Access | Who can see/run reports based on Fusion roles |
| Data Security | What data is shown (e.g., department-based) |

2. HR Reports: Why Security is Crucial

Global HR reports may contain:

  • Employee personal info (phone, email, address)

  • Job & salary data

  • Termination or performance notes

Only authorized HR users should view/run these reports.


3. Creating a Secure HR Folder

  1. Navigate to the BI Publisher Catalog

  2. Create a new folder:
    Path: /Custom/HCM/HR_Reports/

  3. Click More > Permissions

  4. Remove BI Consumer or Public access if inherited

  5. Click Add Users/Roles

Example: Grant to HR Analyst Role

  • Search for: Human Capital Management Analyst

  • Grant:

    • Read (to run reports)

    • View (to see folder)

    • Execute (for data models)

    • Leave Write/Delete unchecked unless needed


4. Assigning Permissions to Specific Users

If roles are not sufficient, you can give access directly:

  • Add Fusion usernames like: john.doe or anita.hr

  • Assign Read and Run Report permissions

⚠️ Avoid giving write/delete access unless the user builds reports.


5. Controlling Data Access by Role or Department

Use bind variables or Fusion session variables in SQL for data-level filtering.

Example: Show only data for logged-in user's business unit

```sql
WHERE business_unit_id = :X_BU_ID
```

Or filter by role using:

```sql
WHERE EXISTS (
  SELECT 1
  FROM fnd_user_resp_groups
  WHERE user_name = :XDO_USER_NAME
    AND role_name = 'HR_MANAGER'
)
```

6. BI Publisher Session Variables (Useful for Security)

| Variable | Description |
|---|---|
| :XDO_USER_NAME | Current logged-in Fusion username |
| :XDO_ORG_ID | User’s organization ID |
| :X_BU_ID | User’s Business Unit ID |
| :X_LEGAL_ENTITY_ID | User’s legal entity ID |

Use them in WHERE clauses to restrict data shown to the user.
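The two filters from section 5 can be checked against dummy users before a report is published. The harness below is an added example, not code from the original chapter: it uses an in-memory SQLite database as a stand-in for the Fusion data source, and the `hr_people` table, its rows and the role assignments are constructed sample data. It also runs a fail-open variant (an added comparison) to show what happens when the business unit bind arrives as NULL.

```python
import sqlite3

# Constructed sample data: table and column names mirror the page's WHERE
# clauses but are stand-ins, not real Fusion objects.
SCHEMA = """
CREATE TABLE hr_people (person_name TEXT, business_unit_id INTEGER, salary INTEGER);
CREATE TABLE fnd_user_resp_groups (user_name TEXT, role_name TEXT);
INSERT INTO hr_people VALUES ('Asha', 101, 5000), ('Ben', 101, 6200), ('Chen', 202, 7100);
INSERT INTO fnd_user_resp_groups VALUES ('anita.hr', 'HR_MANAGER'), ('john.doe', 'EMPLOYEE');
"""

# Both filters from the page, combined: the role check gates the whole query,
# the business-unit predicate limits the rows.
REPORT_SQL = """
SELECT person_name FROM hr_people p
WHERE p.business_unit_id = :X_BU_ID
  AND EXISTS (SELECT 1 FROM fnd_user_resp_groups g
              WHERE g.user_name = :XDO_USER_NAME AND g.role_name = 'HR_MANAGER')
ORDER BY person_name
"""

# Anti-pattern for comparison: an "optional parameter" idiom that returns
# every business unit when the bind arrives as NULL.
FAIL_OPEN_SQL = """
SELECT person_name FROM hr_people p
WHERE (:X_BU_ID IS NULL OR p.business_unit_id = :X_BU_ID)
ORDER BY person_name
"""

def run_report(sql, user_name, bu_id):
    """Run a query the way the report engine would: values arrive as binds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    binds = {"X_BU_ID": bu_id, "XDO_USER_NAME": user_name}
    rows = [r[0] for r in conn.execute(sql, binds)]
    conn.close()
    return rows

if __name__ == "__main__":
    # Dummy users: an HR manager, a non-HR user, and a manager with no BU bound.
    for user, bu in [("anita.hr", 101), ("john.doe", 101), ("anita.hr", None)]:
        print(user, bu, run_report(REPORT_SQL, user, bu),
              run_report(FAIL_OPEN_SQL, user, bu))
```

A plain equality against the bind fails closed: a NULL business unit matches no rows, whereas the `IS NULL OR` form returns every business unit.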


7. Tips for Secure HR Reporting

| Tip | Benefit |
|---|---|
| Use separate folders for HR | Avoid accidental exposure |
| Apply row-level filters in SQL | Enforce data access policy |
| Use Fusion job roles (like HR Analyst) | Easier maintenance |
| Avoid broad permissions | Reduce risk of data leaks |
| Test with dummy HR users | Validate restrictions |

8. Auditing and Logs

BI Publisher lets you view:

  • Job history logs

  • Failed executions

  • User activity (via Audit reports in Fusion)

Use this to monitor who ran which HR report and when.


9. Summary

You now understand how to:

  • Secure HR reports using BI Catalog permissions

  • Assign access via Fusion roles or individual users

  • Implement data-level security using SQL and session variables

This ensures only the right HR personnel access the right data.


📌 Next Chapter Preview:

Chapter 10: Using Excel Templates in BI Publisher

  • When to use Excel over RTF

  • Designing Excel layouts with formulas, charts

  • Dynamic sheet tabs and pivot tables
