
Whitepaper

SCP Security
WHITE PAPER / MAY 29, 2019

DINA JACOBS
DISCLAIMER
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle’s products
remain at the sole discretion of Oracle.

2 W HITE PAPER / Whitepaper SCP Security


Table of Contents
Introduction
Scenario
Add User Account
Create Role
Assign Role to User
Set up Data Access Sets
Use Case: Configure Read-Only Access For Specific Organization
Use Case: Enable Write-Access For User-Specific Job And Read Only To The Rest Of The Data
Conclusion

“Our goal has always been as
we move from one generation
of computing to the next, to
protect your investment in data
and applications and make it
easy to lift and move that into
the next generation.”

Oracle.com
Larry Ellison

INTRODUCTION

Oracle understands that the confidentiality, integrity, and availability of
customers’ SCP data are vital to business operations. Supply chains
can be large and complex, involving many planners and suppliers doing
many different things. Designing and implementing effective security in
SCP will avoid data vulnerabilities in the supply chain that may cause damage
and disruption. Infringements of this kind have led to added expenses,
additional labour and resource allocation, and delayed time-to-market and
product delivery, all of which lead to lost business opportunities.
Supply chain security is, or at least should be, a high-priority initiative
within your organization. As businesses enter new regions and supplier
bases expand, having confidence across supply chain processes is
paramount in managing overseas delivery strategies.

This paper outlines the security measures necessary to enhance
product security data protection.

It starts with a fundamental setup scenario and continues
into business use cases.

SCENARIO

Create a new SCP user with access to Supply Planning, Demand
Management, Supply and Demand Planning, and Plan Inputs.

ADD USER ACCOUNT

The initial user can perform all the necessary setup tasks. The initial user
is the Administrative user. This user can also perform security tasks,
including resetting passwords and granting additional privileges to
themselves and others. After you sign in the first time, you can create
additional implementation users with the same broad setup privileges that
Oracle provides to the initial user. If you prefer, you can restrict the
privileges of these implementation users based on your business setup
needs. You provide these privileges through role assignment.

Only the Administrative user has access to the Security Console (Tools ->
Security Console).

Select the Users tab on the left in the Security Console to open the User
Accounts page. Click the Add User Account button.

Under Associated Person Type, there are 2 types of users: Worker and
None. Select Worker. If you select None, the user will not be able to see
notes or Social Network.

You can create a user from scratch or base it on an existing user.
We recommend basing it on an existing user: click the
search icon next to Worker Name.

By default, you create an active user, with the Active checkbox checked.
When an employee leaves your company, in most cases, it is
recommended that you inactivate the user account.

There are 2 user categories: DEFAULT and TEST. Select the user
category with which you want to associate the user. If you are not sure
which user category to select, you may leave it unchanged. All new users
are automatically assigned to the Default user category.

Then enter the First Name, Last Name, Email, User Name, Password and
Confirm Password. The password policy type is simple: at least 8
characters and one number. Click Save and Close.

After successful user creation, an “Oracle Fusion Applications-Welcome
E-Mail” is sent to the email address you configured, with a confirmation
and a link to reset the user’s password.

CREATE ROLE

Through Create Role we define a security policy. A data security policy
may be explicit or implicit.

An implicit policy applies a data privilege (such as read) to a set of data
from a specified data resource. Create this type of policy for a duty, job,
or abstract role. For each implicit policy, you must grant at least the read
and view privileges.

Multiple SCP privileges can be analyzed in the Roles tab, for example the
Copy Planning Measure Data, Delete Measure Definition, Delete
Planning Notes, Delete Plans, and Edit Data in Planning Tables privileges,
and so on. Roles represent a logical collection of privileges that grant
access to tasks that someone performs as part of a job.

An explicit policy grants access to a particular set of data, such as that
pertaining to a particular business unit. This type of policy is not used in
predefined roles in Oracle ERP Cloud. This paper focuses on explicit
security policy.

To create a new role, use the Roles tab on the left and click “Create
Role”.

Note that when you copy a role, you inherit all the setups
and privileges of that role. In this example, you want to create new
privileges, so use “Create Role” rather than copy.

Fill in the Role Basic Information. In the Role Code field, create an internal
name for the role. Do not use "ORA_" as the beginning of a role code.
This prefix is reserved for roles predefined by Oracle. For SCP roles to
be visible in the Data Access Set (accessed via Plan Inputs), the Role Code
must include the “MSC_” string. Role Category should be “SCM – Job Roles”.
Job roles represent the job functions in your organization. Job roles
provide users with the permissions they need to perform activities specific
to their jobs.

Click Next and an editing train opens.

On the next screen, “Function Security Policies”, click Next.

On the next screen “Data Security Policies” click Next.

On the next screen “Role Hierarchy” click Next.

On the next screen “Summary” click Save and Close.

ASSIGN ROLE TO USER

In the next step, assign this newly created role to the new user. Click the
Users tab on the left, find your user and click Edit.

On “Edit User Account” screen click “Add Role”. From the Search box,
type the first 3 letters of the newly created role and click “Add Role
Membership”.

For SCP, the user will need to be assigned other SCP roles to be able to
access SCP work areas. There are 8 roles associated with SCP modules.

The following SCP roles enable SCP work areas in the Home screen:

1. Supply Planning - Supply Chain Planner Role
(ORA_MSC_SUPPLY_CHAIN_PLANNER_JOB). Manages supply plans.

2. Demand Management - Demand Planner Role
(ORA_MSC_DEMAND_PLANNER_JOB). Manages demand plans.

3. Demand and Supply Planning - Supply and Demand Planner
Role (ORA_MSC_DEMAND_AND_SUPPLY_PLANNER_JOB).
Manages, balances, and analyzes all demand and supply in the
supply chain, using advanced analytical, statistical, and
optimization techniques.

4. Global Order Promising - Order Promising Manager Role
(ORA_MSC_ORDER_PROMISING_MANAGER_JOB). Manages
commitment of fulfilment dates, allocating scarce supply among
competing demands and trading off service levels with fulfilment
costs.

5. Sales and Operations Planning - Sales and Operations Planner
Role (ORA_MSC_SALES_AND_OPERATIONS_PLANNER_JOB).
Manages sales and operations plans.

6. Plan Inputs - Supply Chain Application Administrator
(ORA_RCS_SUPPLY_CHAIN_APPLICATION_ADMINISTRATOR_JOB).
Individual responsible for supply chain application
administration. Collaborates with supply chain application users to
maintain consistent application setup, rules, and access.

7. Planning Central - Materials Planner
(ORA_MSC_MATERIALS_PLANNER_JOB). Manages and
balances all demand and supply in the supply chain.

Note: the role that enables SCC under SCP has a different role code naming format:

8. Supply Chain Collaboration - Supply Chain Collaboration
Planner (ORA_VCS_SUPPLY_CHAIN_COLLABOR). Reviews
order forecasts published to the trading partner and negotiates with
the trading partner to ensure that forecast commits align with the
expectations of the company's buyers and supply chain planners.

Add the Employee abstract role (ORA_PER_EMPLOYEE_ABSTRACT) to
the user; it identifies the person as an employee. Abstract roles
represent a worker's role in the enterprise independently of the job that
you hire the worker to do. You can create your own abstract roles. All
workers are likely to have at least one abstract role that allows them to
access standard functions, such as managing their own information and
searching the worker directory. You assign abstract roles directly to
users. The employee is an example of an abstract role.

Next, add “Supply Chain Planning Application Administrator”. This
enables the user to access the Plan Inputs work area and configure Data
Access Sets.

As per this white paper’s scenario, add roles for the Supply work area, the
Demand work area and the Supply and Demand work area.

Add the Supply Chain Planner role.

Add the Demand Planner role.

Add the Demand and Supply Planner role.

Review the roles, click Save and Close, and then click Done on the next screen.

SET UP DATA ACCESS SETS

Sign out of your Administrative user and log in with the user you just
created.
On the Home page, you can see only the work areas you have just created:
Plan Inputs, Demand Management, Supply Planning, Demand and Supply
Planning.

To set up the Data Access Sets, go to Plan Inputs -> Tasks ->
Configuration -> Administer Planning Security.

Before creating Data Access Sets, verify that there are no existing
Data Access Sets with the same role for different users, because they may
create unexpected results. A concrete example makes the scenario clearer.
In the screenshot below, there is an existing “Das1001”
Data Access Set that has the same roles as your new user: Demand and
Supply Planner, Material Planner and Chain Planning Application
Administrator. If the “Das1001” configuration has a write access condition
and your new Data Access Set configuration has a read-only access
condition, then the write access condition takes precedence, since the
application uses the “OR” operator when combining conditions. The
recommendation is to set up Data Access Sets from a clean start. In
this example, delete all the Data Access Sets that have the same roles as
your user.

Enter the name of the new Data Access Set and click the edit icon. The Select
Job Roles dialogue appears. As mentioned earlier, having “MSC”
inside the job role ensures that the role is displayed in the SCP available Job
Roles. Select your newly created role.

To add a condition to the newly created DAAS Data Access Set, use the
Details form and click Add Row:

One Data Access Set can have one or more conditions. In this example,
the user needs to prevent the planner from making any modification to any
organization’s data while keeping the data visible. Under the Entity
column, select “Organization” from the drop-down; for the Level column, click
Search from the drop-down, type the hierarchy “Enterprise”, select
“Enterprise - Organization” and click OK.

Uncheck “Enable Write” for read-only access. Under the Condition Name
column, click the drop-down icon and click Create. If you had created
conditions previously, they would be displayed in the drop-down. Select
Level “Organization” and Operator “Contains”, and click Insert. Name
the condition “All Orgs Read Only”. Click OK.

Click Save and Close.

To see the effect of the configuration, go to Supply Planning, open the
Supplies and Demands table and try to modify any values. You should
get the error: “Rows containing the value M1 for object type Organization
were not updated because you do not have privileges for value M1”.

USE CASE: CONFIGURE READ-ONLY ACCESS FOR SPECIFIC ORGANIZATION

The user needs to implement read-only access to the Organization
“Boston Manufacturing” for a specific role. As mentioned before, users
are connected to roles. As in the previous example, click the Condition
Name drop-down and select Create.

In the Operator form, select Equals; in the Value form, select Starts With and type
“Boston”. Select “Boston Manufacturing”, click Insert and OK.

Uncheck the Enable Write column and review the Details of the newly created
condition.

USE CASE: ENABLE WRITE-ACCESS FOR USER-SPECIFIC JOB AND READ ONLY
TO THE REST OF THE DATA

As an example for this use case, let’s look at the successful Auto
Business company that has its planners working on a diverse set of data.
For example, a group of planners works with the Lane-keep Assist vehicle
data set, the Adaptive Cruise Control vehicle data set, the Adaptive
Headlights vehicle data set or the Collision Warning System vehicle data set.

The customer classified users based on the data sets, then created a role for
each group and a Data Access Set for each role. As mentioned before, it’s
not recommended to add seeded roles to a Data Access Set, as this may
contradict the conditions.

Additionally, the customer created the AUTO Supply Chain Planner End User
Role with a Data Access Set that by default contains read-only access to all
organizations. To differentiate user-defined roles, the customer prefixed roles
with “AUTO-

Tip: As mentioned before, most of Oracle’s SCP roles start with
ORA_MSC_*. To differentiate the customer’s roles, you can add the company’s
short name in front of the role, for example, AUTO_MSC.

The following 5 Roles were created:

The customer assigned users to the above roles based on their work via
Tools -> Security Console. The customer then logs in to Plan Inputs and
defines Data Access Sets for each role.

For the role “Auto Supply Chain Plan End User”, the customer defined a Data
Access Set called “DAAS ALL” with read-only access on the
Enterprise-Business Unit level to cover all the organizations. The “OR”
operator separates the values of Business Units.

For the Adaptive Cruise Control Planner role, the customer created a new Data
Access Set with the “Auto Adaptive Cruise Control Planner” role and defined
details for the Data Access Set. The details are different, as the user needs
write permission at the specific organization level. This assumes that the naming
convention for organizations starts with “CRUISE_ORG%”.
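
The “OR” combination described earlier for “Das1001” and relied on here for the AUTO roles can be checked before a new Data Access Set is saved. The following Python model is an added example, not part of the original paper and not Oracle's code; the matching functions, the "none" result, the set names "Cruise DAS" and "New read-only set", and the organization names CRUISE_ORG_1 and CRUISE_ORG_2 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model for illustration; not Oracle's evaluation code.
@dataclass(frozen=True)
class Condition:
    operator: str       # "contains", "equals" or "starts_with"
    value: str          # org name or prefix; "" with "contains" matches all
    enable_write: bool  # state of the Enable Write checkbox

    def matches(self, org):
        if self.operator == "equals":
            return org == self.value
        if self.operator == "starts_with":
            return org.startswith(self.value)
        if self.operator == "contains":
            return self.value in org
        raise ValueError(f"unknown operator: {self.operator}")

@dataclass
class DataAccessSet:
    name: str
    roles: frozenset   # job roles attached to the set
    conditions: list   # Condition rows from the Details form

def effective_access(user_roles, sets, org):
    """Return "write", "read" or "none" for one organization.
    Matching rows from every set that shares a role with the user are ORed,
    so one write-enabled match wins. "none" is an assumption of this model."""
    matched = [c for s in sets if s.roles & set(user_roles)
               for c in s.conditions if c.matches(org)]
    if any(c.enable_write for c in matched):
        return "write"
    return "read" if matched else "none"

def write_overrides(new_set, existing_sets, orgs):
    """Find (set name, org) pairs where an existing set sharing a role with
    new_set grants write on an org that new_set intends to be read-only."""
    findings = []
    for org in orgs:
        rows = [c for c in new_set.conditions if c.matches(org)]
        if not rows or any(c.enable_write for c in rows):
            continue  # new_set does not make this org read-only
        findings += [(s.name, org) for s in existing_sets
                     if s.roles & new_set.roles
                     and any(c.enable_write and c.matches(org) for c in s.conditions)]
    return findings

# Constructed sample data; role names and "Das1001"/"DAAS ALL" follow the paper.
ORGS = ["M1", "CRUISE_ORG_1", "CRUISE_ORG_2"]
DAAS_ALL = DataAccessSet("DAAS ALL", frozenset({"Auto Supply Chain Plan End User"}),
                         [Condition("contains", "", False)])
CRUISE = DataAccessSet("Cruise DAS", frozenset({"Auto Adaptive Cruise Control Planner"}),
                       [Condition("starts_with", "CRUISE_ORG", True)])
DAS1001 = DataAccessSet("Das1001", frozenset({"Demand and Supply Planner"}),
                        [Condition("contains", "", True)])
NEW_SET = DataAccessSet("New read-only set", frozenset({"Demand and Supply Planner"}),
                        [Condition("contains", "", False)])
```

A non-empty result from `write_overrides` corresponds to the situation the paper warns about: an older set such as “Das1001” silently turns the new read-only set into write access.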

The same goes for all the remaining Data Access Sets, for the roles Auto Collision
Warning Planner, Auto Adaptive Headlights Planner and Auto Lane-Keep
Planner. Examples in the screenshots below:

Auto Collision Warning System Planner role:

Auto Adaptive Headlights Planner role:

Auto Lane-Keep Assist Planner role:

CONCLUSION

The following should be considered. A business may have hundreds or
thousands of users, each with different write access permissions; in
this case, the business will need to insert hundreds or thousands of rows in
DAAS. Designing and grouping users accurately is part of proper
security design.

A business may also have hundreds or thousands of organizations, and the
application needs to run SQL against all of the organizations to determine
organization permission for the organizations explicitly defined in DAAS. The
above may impact application performance and should be taken into
account during security design. Security should always be handled by the
administrator and not by the planner.

ORACLE CORPORATION

Worldwide Headquarters
500 Oracle Parkway, Redwood Shores, CA 94065 USA

Worldwide Inquiries
TELE + 1.650.506.7000 + 1.800.ORACLE1
FAX + 1.650.506.7200
oracle.com


Copyright © 2019, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are
subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. This device has
not been authorized as required by the rules of the Federal Communications Commission. This device is not, and may not be, offered for sale or lease,
or sold or leased, until authorization is obtained. (THIS FCC DISCLAIMER MAY NOT BE REQUIRED. SEE DISCLAIMER SECTION ON PAGE 2 FOR
INSTRUCTIONS.)
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or
registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks
of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0519