Role Concept in Oracle Fusion Applications

Published on June 17, 2015

Surinder Singh
Manager-Consulting at Deloitte India

This training article explains the basic concepts of the different roles in Fusion Applications, gives a brief definition of each, and describes the relationships between them. Let us first understand Role Based Access Control in Fusion Applications.

Role Based Access Control (RBAC)

An organisation needs to control who can do what on which functions or sets of data under what conditions. The "who" is a user. A user's access is based on the definition of the roles provisioned (assigned) to the user. Access is defined as entitlement, which consists of privileges. The "what" is the abstract operation, or entitlement. The "which" is the resource being accessed.

RBAC normalizes access to functions and data through user roles rather than through individual users. User access is based on the definition of the roles provisioned to the user. Roles are defined at a functional level and at a technical level: the functional level is the business definition used by business users, and the technical level is the implementation of those roles using Oracle technology.

RBAC is based on the following concepts:

1. Role assignment - A subject can exercise a permission only if the subject has selected or been assigned a role.
2. Role authorization - A subject's active role must be authorized for the subject. Together with rule 1, this rule ensures that users can take on only roles for which they are authorized.
3. Permission authorization - A subject can exercise a permission only if the permission is authorized for the subject's active role. Together with rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

Security in Fusion Applications is based on Role Based Access Control (RBAC). In Fusion Applications, the RBAC implementation is based on abstract, job, duty and data roles that work together to control access to functions and data. The definitions of these functional roles are as follows:

ABSTRACT ROLE
This role categorizes roles for the reference implementation. It inherits duty roles but does not itself contain security policies. For example: Employee, Manager, etc.

JOB ROLE
This role defines a specific job an employee is responsible for. An employee may have many job roles. A job role may require a data role to control the actions on the respective objects. For example: Benefits Manager, Accounts Receivable Specialist, etc.

DATA ROLE
This role defines access to the data within a specific duty: who can do what on which set of data. The possible actions are read, update, delete and manage. Only duty roles hold explicit entitlement to the data. These entitlements control privileges such as which screens, buttons, data columns and other artifacts a user can see in the user interface.

DUTY ROLE
This role defines a set of tasks. It is the most granular form of a role, and it is where security policies are mainly attached. Job and abstract roles inherit duty roles. Data security policies are specified on duty roles to control actions on all respective objects. Duty roles are implemented as application roles in Authorization Policy Manager (APM).

The diagram below, from the "Oracle Fusion Applications Security Guide", shows the relationships between these roles:

Functional roles are technically implemented as Enterprise and Application roles. Abstract, Job and Data roles are called Enterprise roles, and the Duty role is called an Application role.

ENTERPRISE ROLES
Across all Fusion Applications, Abstract, Job and Data roles are mapped to Enterprise roles. These roles are stored in the Identity Store. They are managed through OIM (Oracle Identity Manager) and the Identity Administration tools, which provide the following capabilities for Enterprise role management:

- Create Fusion Applications Implementation Users
- Provision Roles to Implementation Users
- Manage Abstract, Job and Data roles, including the job hierarchy

These roles can also be viewed from the ODSM (Oracle Directory Services Manager) console.

APPLICATIONS ROLES
A “Duty Role” is mapped to Application Roles and is stored in the Policy Store. An application
role is supplied by a single application or pillar of applications. The application policies are
managed through “Authorization Policy Manager” (APM). APM is a graphical interface that
simplifies the creation, configuration, and administration of application policies. Applications
Authorization Policy Manager (APM) refers to enterprise roles as external roles. 

HOW DO ALL THESE ROLES AND SECURITY POLICIES/PRIVILEGES WORK TOGETHER?
Fusion Applications seeds all the relevant roles, though they can be modified and customized based on business requirements. Let us also understand the functional and data security policies.

FUNCTIONAL SECURITY POLICIES
Function security consists of privileges granted to a user by means of the user's membership in a role, to control access to a page or to a specific widget, functionality or operation within a page. A function security policy consists of privileges assigned to duty roles, and those duty roles are assigned to a job or abstract role. Function security policies are defined in the Authorization Policy Manager (APM).

DATA SECURITY POLICIES
Data security policies articulate the security requirement "Who can do What on Which set of data", where "Which set of data" is an entire object, an object instance or an object instance set, and "What" is the object entitlement. By default, users are denied access to all data. Data security makes data available to users by the following means:

- Policies that define grants available through provisioned roles
- Policies defined in the application code

A privilege is a single, real-world action on a single business object. The possible actions are read, update, delete and manage. If these privileges are not specified on a duty or data role, then all actions on the respective objects within a page (including services, screens and flows, typically controlled from the main menu and specified by function security policy) are allowed.

Enterprise roles provide access to data through data security policies defined for the inherited
application roles. When we provision a job role to a user, the job role implicitly limits data
access based on the data security policies of the inherited duty roles. When you provision a data
role to a user, the data role explicitly limits the data access of the inherited job role to a
dimension of data.

When setting up the enterprise with structures such as business units, data roles are automatically
generated that inherit job roles based on data role templates.
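To make the three RBAC rules from the start of the article and the inheritance just described concrete, here is a small Python model. It is an added example, not Oracle's code or the article's: duty roles carry function privileges and data security policies, job and abstract roles inherit duty roles, and a data role narrows an inherited job role to one dimension of data, with the default-deny rule applied. All role names, privileges, objects and ledger instances are constructed for illustration and are not Oracle's seeded roles; the Subject class with a single active role is a simplification of how the page describes RBAC, not how Fusion Applications sessions work.

```python
"""Toy model of Fusion-style role inheritance, function security and data
security (added example; not Oracle code). Every name below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    kind: str                                   # "abstract", "job", "duty" or "data"
    inherits: List["Role"] = field(default_factory=list)
    # Only duty roles carry explicit entitlement (the page's "security policies"):
    function_privileges: Set[str] = field(default_factory=set)        # page/widget access
    data_policies: Dict[str, Set[str]] = field(default_factory=dict)  # object -> actions
    # Only data roles carry a dimension restriction: object -> allowed instances
    data_scope: Dict[str, FrozenSet[str]] = field(default_factory=dict)


def effective_entitlement(role: Role) -> Tuple[Set[str], Dict[str, Set[str]], Dict[str, FrozenSet[str]]]:
    """Walk the inheritance graph and merge what the role is entitled to.

    Function privileges and data actions accumulate (a job role gets everything
    its duties grant); data scopes intersect, so a data role can only narrow the
    job role it inherits, never widen it.
    """
    privileges: Set[str] = set()
    actions: Dict[str, Set[str]] = {}
    scope: Dict[str, FrozenSet[str]] = {}
    seen: Set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r.name in seen:                      # guards against cycles in the graph
            continue
        seen.add(r.name)
        privileges |= r.function_privileges
        for obj, acts in r.data_policies.items():
            actions.setdefault(obj, set()).update(acts)
        for obj, instances in r.data_scope.items():
            scope[obj] = scope[obj] & instances if obj in scope else instances
        stack.extend(r.inherits)
    return privileges, actions, scope


class Subject:
    """A user with provisioned enterprise roles and, per RBAC rule 1, one active role."""

    def __init__(self, name: str, provisioned: List[Role]):
        self.name = name
        self.provisioned = {r.name: r for r in provisioned}
        self.active: Optional[Role] = None

    def activate(self, role_name: str) -> bool:
        """RBAC rule 2: the active role must be one provisioned to the subject."""
        role = self.provisioned.get(role_name)
        if role is None:
            return False
        self.active = role
        return True

    def has_function(self, privilege: str) -> bool:
        """Function security: may the subject reach this page/widget/operation?"""
        if self.active is None:                 # rule 1: no active role, no permission
            return False
        privileges, _, _ = effective_entitlement(self.active)
        return privilege in privileges          # rule 3: authorized for the active role

    def may_act_on(self, action: str, obj: str, instance: str) -> bool:
        """Data security: who can do what on which set of data; default deny."""
        if self.active is None:
            return False
        _, actions, scope = effective_entitlement(self.active)
        if action not in actions.get(obj, set()):
            return False
        # A data role narrows the job role to a dimension; without a scope the
        # duty role's policy applies to every instance of the object.
        return obj not in scope or instance in scope[obj]


# Constructed sample hierarchy (hypothetical names, not Oracle's seeded roles).
JOURNAL_DUTY = Role("Journal Entry Duty", "duty",
                    function_privileges={"Create Journal", "Post Journal"},
                    data_policies={"Ledger": {"read", "update"}})
EXPENSE_DUTY = Role("Expense Entry Duty", "duty",
                    function_privileges={"Create Expense Report"},
                    data_policies={"ExpenseReport": {"read", "update", "delete"}})
EMPLOYEE = Role("Employee", "abstract", inherits=[EXPENSE_DUTY])
GL_ACCOUNTANT = Role("General Accountant", "job", inherits=[JOURNAL_DUTY])
# Data role as a template would generate it: the job role limited to one ledger.
GL_ACCOUNTANT_US = Role("General Accountant - US Ledger", "data",
                        inherits=[GL_ACCOUNTANT],
                        data_scope={"Ledger": frozenset({"US Ledger"})})


def demo() -> Dict[str, bool]:
    """Exercise the three RBAC rules against a sample user; returns each outcome."""
    user = Subject("jdoe", provisioned=[EMPLOYEE, GL_ACCOUNTANT_US])
    results = {}
    results["no_active_role"] = user.has_function("Create Journal")              # rule 1
    results["activate_unprovisioned"] = user.activate("General Accountant")      # rule 2
    user.activate("General Accountant - US Ledger")
    results["function_granted"] = user.has_function("Create Journal")            # rule 3
    results["function_other_role"] = user.has_function("Create Expense Report")  # not active
    results["data_in_scope"] = user.may_act_on("update", "Ledger", "US Ledger")
    results["data_out_of_scope"] = user.may_act_on("update", "Ledger", "UK Ledger")
    results["action_not_granted"] = user.may_act_on("delete", "Ledger", "US Ledger")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:>24}: {'allowed' if outcome else 'denied'}")
```

The point worth noticing is the asymmetry in effective_entitlement: privileges and actions are unioned up the inheritance chain, while data scopes are intersected, which is what lets a data role restrict the job role it inherits to a single ledger without ever granting anything the underlying duty role did not already grant.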

To see the Fusion Applications seeded roles, follow the navigation below:

1. Log in with your user, navigate to Functional Setup Manager and search for Role Template.
2. Click on Go to Task; you will be taken to Oracle Entitlements Server, as shown in the screenshot below.
3. Click on Search Role Template, as shown in the screenshot.
4. Search for General Ledger Template for Ledger and click on the Open button; you will see the screen below.

These are the various Oracle Fusion Applications seeded roles for the particular example of the General Ledger Role Template.
