Recommendations for Setting Permissions

Follow these recommendations when setting permissions:

Use care when assigning permissions to ensure that you do not lock the object by preventing you, an administrator, or any other user from modifying the object.
Assign permissions through Application roles, even if you must assign permissions only for a single user. A less recommended alternative to using Application roles is to use Catalog groups, also known as Presentation Services groups. Application roles are central to Oracle BI EE while Catalog groups are specific to Presentation Services and are included in this release for backward compatibility.

For information on Application roles, see Security Guide for Oracle Business Intelligence Enterprise Edition.

For information on Catalog groups, see "Working with Catalog Groups" in Security Guide for Oracle Business Intelligence Enterprise Edition.
For Application roles (Catalog groups or users, if necessary) that are going to be modifying the dashboards and dashboard content accessible to the role, set the permissions for the role to Full Control. While allowing change and delete control, Full Control also enables the specified role to set permissions and to delete the object, folder, or dashboard.

If you plan to have numerous or varying users that create and modify dashboard content for a given group, then create a separate, corresponding "builder" role that has all the back-end permissions of the primary role, but with a different name. For example, you can create a Sales role and a SalesBuilder role. By giving the SalesBuilder role appropriate permissions to the Oracle BI Presentation Catalog, you can control and change who can make changes to dashboards and content. Assuming session variable security is in place, you can make a user a dashboard builder or content creator by changing the user's role from "Sales" to "SalesBuilder" in the database table that holds security information.
For each Subject Area, ensure that the BIConsumer and AuthenticatedUser roles have No Access permission to the Subject Area folder.
For roles that should be able to save analyses for public use against a given Subject Area, grant them Full Control to the Subject Area folder and everything it contains, and likewise for the Common folder.
To ensure that only members of the designated roles have access to Oracle BI Presentation Catalog folders, folder content, and dashboards, do not set explicit permissions for the AuthenticatedUser role.

Tip:

To provide a place for all users within an Application role to share analyses with each other, create a folder under the Subject Area folder called, for example, Share or Publish, and give the entire role Change/Delete permission to just that folder.