You’re dealing with a three-layer security issue that’s common when onboarding new users in Oracle Fusion Analytics. Let me break down the complete solution addressing role-based access control, BI catalog permissions, and row-level security.
First, role-based access control mapping: Your users have the correct Fusion SCM application role, but this needs to be bridged to the BI security framework. Log into Security Console, navigate to Roles > Application Roles, and search for ‘Transportation Manager’. Click on the role, then select the ‘BI Security’ tab. Here you need to create or verify the mapping to the BI Application Role ‘BI Transportation Analyst’ or similar. If this mapping doesn’t exist, click ‘Add BI Role Mapping’ and select the appropriate BI role from the dropdown. Save and allow 10-15 minutes for the security cache to refresh.
Second, BI catalog permissions: Navigate to Analytics > Catalog > Shared Folders > Custom > Transportation. Locate your freight cost analysis dashboard, right-click, and select ‘Permissions’. You’ll see it’s currently granted to individual users. Click ‘Add’ and in the ‘Add Principals’ dialog, change the dropdown from ‘Users’ to ‘Application Roles’. Search for and select ‘Transportation Manager’ (this will now appear because of the mapping you created in step one). Grant ‘Read’ and ‘Execute’ permissions. Critically, you must also check the ‘Apply to Sub-folders’ option and apply the same permissions to the parent folder ‘/Custom/Transportation’ and any report objects the dashboard depends on. Many admins miss this - dashboards can reference multiple reports and analyses, each requiring separate permissions.
Third, row-level security configuration: Access Analytics > Administration > Manage Data Security Policies. Look for policies named ‘Transportation Data Access’ or similar. These policies filter data based on business unit, carrier, or geographic region. Click on the policy and review the ‘User/Role Assignments’ section. Your new users need to be added to the appropriate data access group. If they should see all transportation data like existing coordinators, add the ‘Transportation Manager’ application role to the ‘Full Access’ group within the policy. If they should have restricted access, create a new data access group specific to their scope (e.g., ‘UK Transportation Team’) and assign both the users and the data filters (Business Unit = UK Operations).
Fourth, verify the initialization blocks: Sometimes user attributes aren’t properly initialized for new users. Go to Analytics > Administration > Manage Repository Variables and find the SESSION variables used by your transportation dashboards (common ones are USER_BU, USER_REGION, USER_CARRIER_ACCESS). Click ‘Edit’ on each and review the initialization query. Make sure new users are included in the source tables or queries that populate these variables. If users are missing from HR or security tables, the variables return NULL and trigger access denied errors.
After making these changes, have your new users completely log out and clear their browser cache before logging back in. The security context is cached both server-side and client-side, so a fresh session is essential. If issues persist for specific users, check the BI Server query log (Analytics > Administration > Manage Sessions and Query Cache > View Log) to see exactly which security check is failing. The log will show whether it’s a catalog permission denial, row-level filter issue, or initialization block problem.
One final note: in 23D, there’s a known issue where newly created application roles take up to 30 minutes to propagate to the BI security framework even after mapping. If you’re still seeing access denied after following all steps, wait 30 minutes and try again before escalating to Oracle Support.