Hi,

Why do you state that non HCM users can access HCM Reports? Do you have an example? I think that out of the box only HCM users can see HCM reports. That security is already in place. Do you agree?

I guess we need to agree on what is you definition of a human resources user? The reason I seek clarity is because security is implemented by roles. 2 users of hcm may have completely different user experience becasue they are granted different job roles or the same job roles but have different data access setup (in HCM with data roles security profiles).

So we can talk about the experience of a user with a particular job role and data role?

For example, a HR user might be defined as a user with

1) a job role listed in Oracle Fusion Cloud HCM Security Reference for HCM F77732-01 23B https://docs.oracle.com/en/cloud/saas/human-resources/23b/oawpm/index.html#COPYRIGHT_0000

2) and has data acess setup as per chapter HCM Data Roles and Security Profiles https://docs.oracle.com/en/cloud/saas/human-resources/23b/ochus/hcm-data-roles.html#s20029787

If you view the permissions on the shared folders you can see that some folders are secured by role, whether a user can see a folder in the catlaog with permission Read,Traverse or not, is implemented by pre-defined roles. For example, you need a job role that inherits role Human Capital Management Folder Reporting Duty to see folder /Shared Folders/Human Capital Management/. So if you create a user with a role that does not inherit this, a "non HR user", then in your testing assume that already out of the box that user can not see the HCM folder, such that "only the HR users to be able to access the HCM reports that are delivered by Oracle".

See the following guide regards how to make customizations to folder security suing the provided role

Custom BI Web Cat Reporting Duty

You may want to remove access to predefined catalog folders so that those associated with offerings you don't use aren't displayed. You can hide the entire predefined catalog or selectively display root catalog folders for offerings.

Futhermore we then get into data access security. Assume you are using the wider term "report" to refer to all objects in the otbi catalog both otbi analysis and otbi reports (publisher). With the analytics data access row/column security is built into the subject areas in the metadata repository database. So even if 2 users can see to open the same file in the catalog but each user will get different data results depending on their data access setup becasue the system will look up at runtime what setup they have then append where clauses to filter data in their session.

@Praveen Kumar Akkala-Oracle this appears to be an all or nothing approach though, right? We can't limit for say baseline employees, but allow others?

Check this , If it helps:

View Reporting Roles and Permissions