Role Based Access Control
com/en/blog/all-articles/2021/09/27/oracle-fusion-cloud-setting-up-individual-users
If you look a bit deeper, however, this role-based access control model introduces several complexities you should be aware of, for the following reasons:
Individual users gain access to the application data and functions of a specific cloud service when they are assigned roles. These roles fall into four categories:
Abstract Roles: This role defines the user's function in the organization, independent of the actual job the individual holds. It inherits duty roles but does not itself contain security policies (e.g. Employee).
Job Roles: This role defines a specific job an employee is responsible for. An employee may have many job roles. It may require a data role to control the actions allowed on the respective objects (e.g. Accounts Receivable Specialist).
Data Roles: This role defines access to the data within a specific duty: who can do what on which set of data? The possible actions are "read," "update," "delete," and "manage." Only duty roles hold explicit entitlements to access the data; these entitlements control privileges such as which screens, buttons and data columns a user can see in the user interface.
Duty Roles: This role defines a set of tasks and is the most granular form of a role. Job and abstract roles inherit duty roles. Data security policies are attached to duty roles to control the actions on the respective objects.
The diagram below provides an overview of the relationship between the different roles:
Image 1: Oracle's Program Documentation (source: https://docs.oracle.com)
Understanding this concept makes you realize that one individual user can hold any number of different roles at the same time, for instance Sales Manager, Sales Analyst and Employee. The combination of roles determines the user's level of access to a specific cloud service.
Example
To show how an individual user, with his or her associated roles and privileges, creates the license requirements for the different cloud services and their associated cloud subscriptions, the following real-life example has been created.
User and Roles: User John Doe has the roles "Manager" and "Employee."
Roles and their Privileges: An individual user can have one or multiple roles, and each role carries privileges.
Privileges and their Cloud Services: A privilege can belong to one or more cloud services. If you start "mapping" the different privileges to cloud services, the following conclusions can be drawn:
Cloud Services vs Cloud Subscriptions: A functional cloud service can belong to one or more "Cloud Subscriptions" that can be purchased from Oracle. If you start "mapping" the different cloud services to cloud subscriptions, the following conclusions can be drawn:
The cloud service "Time and Labor Cloud Service" relates to the cloud subscription "Oracle Fusion Time and Labor Cloud Service"
The cloud service "Enterprise Resource Planning for Self Service Cloud Service" relates to the cloud subscription "Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service"
The cloud service "Performance Management Cloud Service" relates to the cloud subscription "Oracle Fusion Talent Management and Workforce Compensation Cloud Service" or to the cloud subscription "Oracle Fusion Talent Management for Coexistence Cloud Service"
The cloud service "Workforce Reputation Management Cloud Service" relates to the cloud subscription "Oracle Human Capital Management Base Cloud Service"
The cloud service "Oracle Learning Cloud Service" relates to the cloud subscription "Oracle Fusion Learning Cloud Service"
Conclusion: After doing all these "mappings," the individual user "John Doe" requires (among others) a Hosted Named User subscription for each of:
Oracle Fusion Time and Labor Cloud Service
Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service
Oracle Fusion Talent Management and Workforce Compensation Cloud Service, or Oracle Fusion Talent Management for Coexistence Cloud Service
Oracle Human Capital Management Base Cloud Service
Oracle Fusion Learning Cloud Service
However, relying on the pre-configured "seeded roles" has several disadvantages as well. Many end-user organizations have no visibility into whether their usage of the Fusion Cloud Service complies with their own security requirements, since the seeded roles are based on Oracle's Cloud SoD Policies, which are not publicly available. In addition, a new update of the Oracle Fusion Cloud software is made available each quarter.
These updates can introduce new functionality, and therefore new access, into the pre-configured "seeded roles." In other words, users assigned seeded roles can unknowingly gain access to functionality or cloud services for which you, the end-user organization, hold no Oracle Cloud Subscription, which creates a compliance issue. The reason is that every individual who is "authorized" to use a cloud service is required to have a subscription, regardless of whether the individual actually uses that cloud service.
Although the standard seeded roles are positioned as "the way to go" (and although Oracle Support representatives may sometimes state that you will not receive support if you use custom roles), it is recommended at all times, both from a security and from a license compliance and cost control perspective, to use custom job roles. Custom roles are not changed by newer versions of the cloud service. One caveat: this only holds for the roles and privileges the custom role carries itself. A custom job role that still inherits seeded duty roles (as happens when a seeded role is copied with the Security Console's "Copy top role" option instead of "Copy top role and inherited roles") will still pick up any privileges a quarterly update adds to those seeded duty roles, so inherited seeded duty roles need to be reviewed after each update as well.
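The role hierarchy described above (abstract and job roles inheriting duty roles, a user's access being the union of all roles held), the John Doe mapping from privileges to cloud services to subscriptions, and the effect of a quarterly update on seeded versus custom roles can all be worked through in one small reconciliation script. The following is an added example written for this page, not code from Oracle or from the original article. The role, privilege and user names in it are constructed for illustration; only the cloud-service and subscription names are taken from the article's mapping, and the simulated "update" that adds a Learning privilege to a seeded duty role is hypothetical.

```python
from dataclasses import dataclass

# Added example, not Oracle's or the article's code. Role, privilege and user names are
# constructed (hypothetical); the cloud-service and subscription names are the article's.


@dataclass(frozen=True)
class Role:
    kind: str                             # "abstract", "job" or "duty"
    inherits: tuple = ()                  # roles this role inherits (job/abstract -> duty)
    privileges: frozenset = frozenset()   # entitlements held directly (duty roles only here)


def effective_privileges(role_name, roles, _seen=None):
    """Transitive closure of a role's privileges through inheritance; cycle-safe."""
    _seen = set() if _seen is None else _seen
    if role_name in _seen:
        return frozenset()
    _seen.add(role_name)
    role = roles[role_name]
    privs = set(role.privileges)
    for parent in role.inherits:
        privs |= effective_privileges(parent, roles, _seen)
    return frozenset(privs)


def user_privileges(assigned_roles, roles):
    """A user's access is the union over every role held at the same time."""
    privs = set()
    for name in assigned_roles:
        privs |= effective_privileges(name, roles)
    return frozenset(privs)


# Privilege -> cloud service(s) it belongs to (privilege names constructed for the example).
PRIV_TO_SERVICES = {
    "Report Time": ("Time and Labor Cloud Service",),
    "Submit Expense Report": ("Enterprise Resource Planning for Self Service Cloud Service",),
    "Manage Worker Goals": ("Performance Management Cloud Service",),
    "View Learning Catalog": ("Oracle Learning Cloud Service",),
}

# Cloud service -> subscription(s) that cover it, as mapped in the article.
SERVICE_TO_SUBS = {
    "Time and Labor Cloud Service": ("Oracle Fusion Time and Labor Cloud Service",),
    "Enterprise Resource Planning for Self Service Cloud Service":
        ("Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service",),
    "Performance Management Cloud Service":
        ("Oracle Fusion Talent Management and Workforce Compensation Cloud Service",
         "Oracle Fusion Talent Management for Coexistence Cloud Service"),
    "Oracle Learning Cloud Service": ("Oracle Fusion Learning Cloud Service",),
}

# Constructed seeded hierarchy. Abstract/job roles carry no privileges themselves; the two
# "Custom" job roles model the two ways a seeded job role can be copied.
SEEDED_ROLES = {
    "Employee": Role("abstract", inherits=("Time Entry Duty", "Expenses Self Service Duty")),
    "Manager": Role("job", inherits=("Goal Management Duty",)),
    "Manager Custom (top only)": Role("job", inherits=("Goal Management Duty",)),
    "Manager Custom (deep copy)": Role("job", inherits=("Goal Management Duty Custom",)),
    "Time Entry Duty": Role("duty", privileges=frozenset({"Report Time"})),
    "Expenses Self Service Duty": Role("duty", privileges=frozenset({"Submit Expense Report"})),
    "Goal Management Duty": Role("duty", privileges=frozenset({"Manage Worker Goals"})),
    "Goal Management Duty Custom": Role("duty", privileges=frozenset({"Manage Worker Goals"})),
}

# Subscriptions the (hypothetical) organisation has purchased.
OWNED_SUBSCRIPTIONS = frozenset({
    "Oracle Fusion Time and Labor Cloud Service",
    "Oracle Fusion Enterprise Resource Planning for Self Service Cloud Service",
    "Oracle Fusion Talent Management for Coexistence Cloud Service",
})


def uncovered_services(assigned_roles, roles, owned=OWNED_SUBSCRIPTIONS,
                       priv_to_services=PRIV_TO_SERVICES, service_to_subs=SERVICE_TO_SUBS):
    """Services the user is authorized for (used or not) that no owned subscription covers.
    A service covered by any one of several alternative subscriptions counts as covered."""
    needed = set()
    for priv in user_privileges(assigned_roles, roles):
        needed.update(priv_to_services.get(priv, ()))
    return sorted(svc for svc in needed if not owned.intersection(service_to_subs[svc]))


def apply_seeded_update(roles, duty_role, new_privileges):
    """Simulate a quarterly update adding privileges to a seeded duty role (non-mutating)."""
    old = roles[duty_role]
    updated = dict(roles)
    updated[duty_role] = Role(old.kind, old.inherits, old.privileges | frozenset(new_privileges))
    return updated


def reconcile_before_after(users, roles, duty_role, new_privileges):
    """For each user: uncovered services before and after the simulated update."""
    after = apply_seeded_update(roles, duty_role, new_privileges)
    return {user: (uncovered_services(r, roles), uncovered_services(r, after))
            for user, r in users.items()}


USERS = {  # constructed user -> assigned roles
    "john.doe (seeded Manager)": ("Manager", "Employee"),
    "jane.roe (custom, top only)": ("Manager Custom (top only)", "Employee"),
    "kim.lee (custom, deep copy)": ("Manager Custom (deep copy)", "Employee"),
}

if __name__ == "__main__":
    # Hypothetical update: a Learning privilege is added to the seeded Goal Management duty.
    result = reconcile_before_after(USERS, SEEDED_ROLES, "Goal Management Duty",
                                    {"View Learning Catalog"})
    for user, (before, after) in result.items():
        print(f"{user}: before={before} after={after}")
```

Run stand-alone, the script reports no uncovered services for any of the three users before the simulated update. Afterwards both the user on the seeded Manager role and the user whose custom role was copied "top only" (and therefore still inherits the seeded duty role) are flagged as authorized for Oracle Learning Cloud Service without a covering subscription, while the user on the deep-copied custom role is unaffected. The check deliberately counts authorization, not actual usage, because that is what the Hosted Named User metric described above is based on; in a real reconciliation the role hierarchy and privilege-to-service mapping would be exported from the Security Console rather than typed in as here.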
Although many end-users thought that with the "cloud" all compliance issues would be gone, the reality is completely different. Having a clear, accurate and up-to-date understanding of the rights obtained from your cloud subscriptions, and reconciling these on a regular basis with your actual consumption of the different cloud subscriptions, is necessary to avoid compliance issues and unexpected costs. SoftwareONE's Oracle Advisory Services are specifically designed to help you as an end-user to achieve these goals. Reach out to your SoftwareONE representative to schedule a call with one of our solution specialists to find out more.