
Business / Technical Brief

Understanding Access Control in Oracle Learning

Oracle Learning

May, 2022, Version 1.1


Copyright © 2022, Oracle and/or its affiliates
Public

1 Business / Technical Brief / Understanding Access Control in Oracle Learning / Version 1.1
Copyright © 2022, Oracle and/or its affiliates / Public
Purpose statement
This document provides an overview of Access Control in Oracle Learning.

Disclaimer
This document in any form, software or printed matter, contains proprietary
information that is the exclusive property of Oracle. Your access to and use of
this confidential material is subject to the terms and conditions of your Oracle
software license and service agreement, which has been executed and with
which you agree to comply. This document and information contained herein
may not be disclosed, copied, reproduced or distributed to anyone outside
Oracle without prior written consent of Oracle. This document is not part of your
license agreement nor can it be incorporated into any contractual agreement
with Oracle or its subsidiaries or affiliates.

This document is for informational purposes only and is intended solely to assist
you in planning for the implementation and upgrade of the product features
described. It is not a commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described in
this document remains at the sole discretion of Oracle. Due to the nature of the
product architecture, it may not be possible to safely include all features
described in this document without risking significant destabilization of the code.


Table of contents

Purpose statement
Disclaimer
Document Control
Introduction
Access Groups
Types of Access Groups
How Access Groups Work
Understanding Access Control Data Processing
Job Role
Example Use case
Local Access Groups
Set System Wide Default Local Access Group
Define Access Rules
Set the Learning Item Default Access Group
Named or Ad Hoc Access
Set Access Group Priorities
Global Access Groups
Find Global Access Groups
Manage Global Access Groups
View Global Access Groups
Edit Global Access Groups
Create Global Access Groups
Associate Global Access Group to Learning Item
Global Access Comparison Example
Recommended Steps to Transition from Local Access Groups to Global Access Groups
Global Access Group Security Needs
Access Group ESS Job
Self-Service View Mode Override
Community Membership and View Mode
Access List Management of Self-Service Learning Items
Follow Feature
Data Security Policy Based Access
Run ESS Job to Update User Permissions
Additional Data Security condition examples
Basic Method: Restricting Access to Catalog Items Using AOR
Advanced Method: Restricting Access Using Constant Flex Field
Advanced Method: Restrict the list of offerings visible to the user by offering type
Advanced Method: Handling Learning Items by Instructors
Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value.
Understanding Access Control Enforcement Across All Access Types

List of Images

Image 1. Target Person List #1
Image 2. Reconcile Person List with People Currently on Access List
Image 3. Target Person List #2
Image 4. Determine the List of People to Reconcile based on Destination Type
Image 5. Reconcile Person List with People Currently on Access List
Image 6. Data Access
Image 7. Data Access
Image 8. Data Access#1
Image 9. Reconciliation#1
Image 10. Data Access#2
Image 11. Reconciliation#2
Image 12. Learner Item Default Attributes
Image 13. Manage Default Access
Image 14. Catalog Resources
Image 15. Search Results
Image 16. View Global Access Groups#1
Image 17. View Global Access Groups#2
Image 18. Edit Global Access Groups#1
Image 19. Course Default Access
Image 20. Specialization Default Access
Image 21. Course Self Service View Mode
Image 22. Community Definition
Image 23. Community Membership
Image 24. Access List
Image 25. Community Privacy
Image 26. Data Security Policy
Image 28. Database Resource Condition
Image 29. Database Resource Filters
Image 30. Actions
Image 31. Listing of Policy Names on the Data Role
Image 32. Edit Data Security Policy
Image 33. Edit Data Role
Image 34. Modify Condition
Image 35. Modify Condition
Image 36. Manage Data Roles and Security Policies
Image 37. Edit Data Role: Security Criteria
Image 38. Assign Security Profile to Role
Image 39. Edit Role
Image 40. Edit Data Security
Image 41. Manage Database Resources
Image 42. Edit Database Resource
Image 43. Edit Data Security: Condition
Image 44. Manage Areas of Responsibility
Image 45. Learning Catalog: Offerings
Image 46. Learning Catalog: Courses
Image 47. Create Course
Image 48. Course Assignments
Image 49. Edit Role: Data Security Policies

List of Tables

Table 1. Course Details in Mobile Port
Table 2. Offering Details in Mobile Port
Table 3. Specialization Details in Mobile Port

Document Control
Change Record

Date       Version  Changes                                                                                Reference
06-Jul-21  1.1      Advanced Method: Restrict the list of offerings visible to the user by offering type.
23-May-22  1.2      Removed References to Mobile First.

Introduction
This Technical Brief discusses how you can set up Access Control in Oracle Learning. Access Control determines who
can access what learning items.

There are two ways you can set up Access Control to achieve this:
• Use Access Groups - This functionality is specific to Oracle Learning and enables you to control access to
learning items.

• Use Oracle HCM Cloud data security functionality – You can use data security policies to control access to
learning items.

Access Groups
Access groups define a set of rules at a learning item level. These rules determine:
• Whether an item is visible to learners, and the pre-assignment behavior in learner self-service.
• How much information is displayed to the learners.
• How they can engage with the learning item.

When you create an access group, you are essentially creating an “access list” of all learners who can view a learning
item based on a set of rules. “Access records” represent the individual learners who can view a learning item within
the access list.

Access groups can be:


• Named – You can create a logical group of learners, based on selection criteria. These groups are
evaluated on an ongoing basis (at intervals that were determined during your implementation) and can
account for organizational changes and employee movement within the workforce structure. For
example, you can define a named access group based on an organization chart group. The access group
rules are applied to new people moving into the group and removed from the people no longer in the
group.

• Ad hoc - You can create access records outside of access groups. These are called “ad hoc access
records”. Ad hoc access groups are defined once and remain based on the same set of learners as at the
time of the group's creation. You can only manage these groups manually.

Types of Access Groups


There are two different types of access groups:
• Global Access Group - an access group that can be created once and then used across multiple learning
items, utilizing the same learner criteria (analysis object, org group, dynamic learner criteria, or other
learning items) and access details.

• Local Access Group – a unique set of learners and access details that are specific to a learning item.

How Access Groups Work
Access Groups control the access and visibility of a learning item for a specific user. You can determine whether a
learner can access a learning item and the extent of information (Detail or Summary) about that learning item that
can be viewed by members of an Access Group.

These are some considerations about Access Groups:


• Access Groups apply only until a learner is assigned the learning item. An Access Group has no impact after the
learning item is assigned to a learner.

• Access Groups are created and managed similarly to learning records. They are stored as access records in the
database, as a relationship between the learner and the learning objects they can access.

• Access Groups can be created once and reused on various learning items, or they can be created once for a
single learning item.

• These settings are required to create and update access group records:

o OTBI security of “Run As” user if OTBI analysis is used to select learners

o Fusion Data Security (Choose Learner DSP) policy applied to the “Run As” user

• These conditions then apply to the learner selection criteria used for creating access groups, which can be from
OTBI analysis, Person Org Hierarchy, Person Criteria and Assignment Criteria.

• The access groups can be reconciled periodically (e.g. daily) to account for learners who fall in or out of the
destinations they are part of.

• There can be more than one access group set on a learning item. Access is resolved so that the access group with
the higher priority supersedes the lower-priority access group rule. The priority of access groups can be managed
at any time.

Read on for a detailed explanation of how to create and manage aspects of access groups and how they affect the
access to learning items.

Understanding Access Control Data Processing


Access groups are evaluated based on three processes. One process is run dynamically during access group creation
or update. The other processes are run on an ongoing basis based on two jobs that are scheduled in the system.

Job Role
When an access group is created or modified, the User creating the group can select the “Run As” User. This is the
User whose data security will be used to set the Access Group data security when it is created or modified.

There is a dynamic process called Generate a List of People from Analysis Report that is kicked off on access group
save. This process performs the following steps:

Step 1: Determine the Person List


• What User Can Determine a Person List?

o Determines the user that has been identified in the “Run As” field on the Global Access Group.

• What Data Access does this User Have?

o Review this user and the OTBI data access that they have if using an analysis object.

o Review this user and the Choose Learner Access Data: Person Details Resource associated with this
learner.

• The intersection of the Data Access of this user is the Target Person List.

Image 1. Target Person List #1

• Extract the Target Person List

Step 2: Reconcile this Person List with the current list of people in the access list

The reconciliation will be done as the Run As User. The Target person list will be placed in a person list table
and compared/reconciled against the current access list on the learning item.
• Persons that are new in the person list will be added to the access list.

• Persons that are no longer present in the person list will be removed from the access list.

Note: The Generate a List of People from Analysis Report is run dynamically on create/edit and this job cannot be
scheduled by the Administrator.

Image 2. Reconcile Person List with People Currently on Access List

Ongoing Person Evaluation and Reconciliation

People can fall in or out of the destinations that are associated with the access group. For example, a new hire can come
into an Organization destination, or a person could fall off an analysis object. Therefore, processes need to be
scheduled to evaluate changes that occur within the organization and affect the access lists.

The first job scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for
Assignment Rule. This job will:
• Determine the Person List – Determining the person list is dependent on the type of Destination that is
used:
o Analysis Object, Organization and Person: Extract the persons that are in the destinations
based on the User that created the job.
o Note: it is critical to ensure that the user that is creating the job has elevated data security
privileges (viewing largest data set) so that there are not any issues with the data being limited
during the evaluate process. It is in the customer’s best interest to use a user that has access to
all data, so data security issues do not arise and so that this job performs very quickly because
there is less data filtering needed.
o Learning Assignment Criteria and Person Criteria: Review the user that created the criteria
and apply this user’s Choose Learner Access Data: Person Details Resource.

Image 3. Target Person List #2

• Reconcile this list of Persons with the current list of people in the access list. Determining how to
perform the reconciliation is dependent on the type of Destination that is used:
o Analysis Object, Organization and Person:
▪ Determine what user should be used. This is the user that has been identified in the “Run
As” field.
▪ Review this user and the Choose Learner Access Data: Person Details Resource
associated with this learner.
▪ Reconcile the persons that are in the destinations with the appropriate Choose Learner
Access Data: Person Details Resource applied.
o Learning Assignment Criteria and Person Criteria:
▪ Review the user that created the criteria and apply this user’s Choose Learner Access
Data: Person Details Resource.

Note: In a future release, we will be changing the way we handle Learning Assignment Criteria and Person Criteria in
the reconciliation list of a person’s job. We will use the Run As user like we have done for the analysis object and the
organization and person.

Image 4. Determine the List of People to Reconcile based on Destination Type

Image 5. Reconcile Person List with People Currently on Access List

Example Use case


John Doe, our Learning Administrator, would like to create a global access group and use an analysis object to create
the access list. John Doe has different data security setups across OTBI and Fusion.
• Analysis Object created by Administrator that shows all data in Business Units (BU A -> BU G)
• John Doe has OTBI access but only has data access to BU A and BU B
• John Doe in Fusion has data access to BU A, BU B and BU C

Let’s walk through the steps above to see what happens when John Doe creates an Access Group and then what
happens if changes are made to the global access group or to the destinations associated to the access group at a
later point in time.

John Doe Creates an Access Group and Selects his User as the Run As User

Determine the Person List

Determine what user should be used: this is the user that has been identified in the “Run As” field. Take this Run As
user, determine what type of data access they have across OTBI and Fusion, and then choose the most restrictive
data set. In this case, the Global Access Group will have an access list that contains people from Business Unit A and
Business Unit B, which is the most restrictive data set.

Review this user and the OTBI data access that they have if using an Analysis object.
• John Doe has access to Business Unit A and Business Unit B in OTBI

Review this user and the Choose Learner Access Data: Person Details Resource associated with this Learner in Fusion
security.

• John Doe has access to Business Unit A, Business Unit B, and Business Unit C in Fusion

Image 6. Data Access

The final access list for the global access group will include persons from Business Unit A and Business Unit B.

Image 7. Data Access

John Doe Edits an Access Group

John adds a new Analysis object to the Global Access Group. For simplicity’s sake, this analysis object has only the
person Jane Doe in it, and John has access to Jane’s person record in both OTBI and Fusion. Let’s say that at this time
Ron Smith leaves the company, so he is no longer in Business Unit B.
• Analysis Object created by Administrator that shows all data in Business Units (BU A -> BU G)
• John Doe has OTBI access but only has data access to BU A, BU B and Jane Doe
• John Doe in Fusion has data access to BU A, BU B, BU C and Jane Doe

Because a change has been made to the Global Access Group, the Generate a List of People from Analysis Report
process will run on edit. It determines the person list and then reconciles this list against the access list to update
it.

Determine the Person List

Determine what user should be used: this is the user that has been identified in the “Run As” field. Take this Run As
user, determine what type of data access they have across OTBI and Fusion, and then choose the most restrictive
data set. In this case the Global Access Group will have an access list that contains people from Business Unit A and
Business Unit B and Jane, which is the most restrictive data set.

Review this User and the OTBI data access that they have if using an Analysis object.
• John Doe has access to Business Unit A and Business Unit B in OTBI and Jane Doe

Review this User and the Choose Learner Access Data: Person Details Resource associated with this Learner in
Fusion security.

• John Doe has access to Business Unit A, Business Unit B, and Business Unit C and Jane Doe in Fusion

Image 8. Data Access#1

The final data access temp table for the global access list will include persons from Business Unit A, Business Unit
B and Jane.

Reconcile the new list of persons with the current list of people in the final data access temp table. Jane is a new
person that is identified in a new analysis object destination, and Ron Smith was in Business Unit B but has left the
organization. The reconciliation job will compare persons in the final data access temp table with persons that are
currently in the global access group and reconcile the two.
• Add persons to the access list if they do not exist in it. Jane is in the final data access temp table, but she is not in
the current global access list. Jane will be added to the Global Access List.
• Remove persons from the access group if they no longer exist in the final data access temp table. Ron is no longer
in Business Unit B, so he is no longer in the final data access temp table, but he is in the current Global Access List.
Ron will be removed from the Global Access List.

Image 9. Reconciliation#1

Ongoing Person Evaluation and Reconciliation – One-week later BU A is no longer in the Analysis object and
Business Unit B has Person Z added and Jane removed.

The first job that is scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for
Assignment Rule.

Determine what user should be used. Since this is an Analysis object, this will be the user that created the job, so
let’s say they have access to All Persons. Determine what type of data access this person has across OTBI and Fusion.
In this case the Data Access set will have BU A, BU B, Jane and Person Z.

Image 10. Data Access#2

Reconcile this list of persons with the current list of people in the access list. How the reconciliation is performed
depends on the type of destination that is used.

Review the user that should be used in reconciliation. The user that should be used is the individual in the Run
As field, who is John Doe. We will then use John Doe’s Choose Learner Access Data: Person Details Resource data
privilege to determine what data to reconcile. John Doe in Fusion has data access to BU A, BU B and BU C, and Jane
Doe. Therefore, the reconciliation process will ignore Person Z, even though this person exists in the
initial data access.

Image 11. Reconciliation#2
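
The John Doe walkthrough above can be reproduced with plain set operations. The following is an added example, not Oracle code and not part of the original brief: the function names and every person ID are constructed, and it assumes Person Z lies outside John's Fusion data access, which is what the described outcome implies.

```python
# Added illustration: a model of the brief's description, not Oracle code.
# Function names and every person ID below are constructed for this example.
from dataclasses import dataclass


def determine_person_list(destination, otbi_visible, fusion_visible):
    """Step 1: the target list is the destination intersected with what the
    evaluating user can see in OTBI and in Fusion (most restrictive wins)."""
    return destination & otbi_visible & fusion_visible


def why_excluded(person, destination, otbi_visible, fusion_visible):
    """Troubleshooting aid: name every layer that keeps a person off the list."""
    layers = (("destination", destination),
              ("OTBI data access", otbi_visible),
              ("Fusion Choose Learner data access", fusion_visible))
    return [name for name, members in layers if person not in members]


@dataclass(frozen=True)
class Reconciliation:
    added: frozenset
    removed: frozenset
    skipped: frozenset      # candidates outside the Run As user's Fusion data access
    access_list: frozenset  # access list after reconciliation


def reconcile(access_list, person_list, run_as_fusion_visible):
    """Step 2: compare the person list with the access list as the Run As user."""
    target = person_list & run_as_fusion_visible
    return Reconciliation(
        added=frozenset(target - access_list),
        removed=frozenset(access_list - target),
        skipped=frozenset(person_list - run_as_fusion_visible),
        access_list=frozenset(target),
    )


def run_scenario():
    bu_a, bu_b, bu_c = {"alice", "amir"}, {"bob", "ron.smith"}, {"carol"}
    others = {"dave", "jane.doe", "person.z"}       # people in BU D to BU G
    analysis_object = bu_a | bu_b | bu_c | others   # administrator's report: BU A -> BU G

    # 1. John creates the group with himself as the Run As user.
    otbi, fusion = bu_a | bu_b, bu_a | bu_b | bu_c
    created = reconcile(frozenset(),
                        determine_person_list(analysis_object, otbi, fusion), fusion)
    carol = why_excluded("carol", analysis_object, otbi, fusion)

    # 2. John adds an analysis object containing Jane; Ron Smith has left BU B.
    bu_b = bu_b - {"ron.smith"}
    analysis_object = analysis_object - {"ron.smith"}
    otbi = bu_a | bu_b | {"jane.doe"}
    fusion = bu_a | bu_b | bu_c | {"jane.doe"}
    edited = reconcile(created.access_list,
                       determine_person_list(analysis_object, otbi, fusion), fusion)

    # 3. Scheduled evaluation: the job creator sees all persons, so Person Z is a
    #    candidate. Assumption: Person Z is outside John's Fusion data access.
    candidates = bu_a | bu_b | {"jane.doe", "person.z"}
    ongoing = reconcile(edited.access_list, candidates, fusion)
    return created, carol, edited, ongoing


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The `why_excluded` helper shows why Carol (BU C) never reaches the access list even though John can see her in Fusion: the OTBI layer is the more restrictive one.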

Local Access Groups
Local Access Group rules are defined system-wide, per learning item, and per access group to provide you with the
ability to configure access as granularly as needed.

Set System Wide Default Local Access Group


The system-wide default rules are used as the learning item default rules for courses, specializations, and access
groups when they are created. Changes to the system level access rules do not affect learning item or access group
rules that already exist. Define default system-wide rules in the Setup area of Learning Cloud:
• In the My Client Group area, click Learning.

• Click Setup.

• Click Learning Item Default Attributes.

Image 12. Learner Item Default Attributes

Define Access Rules


Access Rules define how much information displays to learners, and how they can engage with the learning item.
• Self-Service Details View Mode: Defines if the learning item is discoverable in self-service, and if so, the
level of detail displayed on the learning item’s details page to learners.
o No Access: The learning item is not discoverable and not included in search results.
o Details View: The learning item is discoverable, and on the item self-service details page learners
see all the available information. This setting is not supported for offerings.
o Summary View: The learning item is discoverable, and on the item self-service details page, most
of the details are hidden to the user.
• Created by Learner: Defines whether learners must obtain an approval when registering for a learning
item.
o Active: No approval needed, and learners can register themselves directly.
o Requested: Approval will be triggered when a learner requests to register.

Two additional options appear when requested mode is selected:


o Show learning request form: when selected, a form is presented to learners when requesting a
learning item to capture some information that can be used in the approval process.

o Activate approved learner requests: when selected, the system will automatically activate the
assignment after approval is obtained. When not selected, the assignment will remain in request
approved status and require manual activation by an administrator.
• Check box – Allow even if required prerequisites are not achieved. When selected, this option allows
learners to register or request the learning item, and his assignment will end up in a pending prerequisite
status.
• Number of days to expire assignments in pending prerequisite status – enabled when the above option is
selected and defines the number of days learners have to achieve the prerequisites before his
assignment is cancelled by the system.
• Created by manager – defines if the manager’s assignment to his people must obtain approval or not.
o Active: No approvals needed, and the manager’s assignment is activated automatically
o Requested: Approval will be triggered when the manager requests learning for his team. Same
two options as for learner request mode above
o Request Approved: No approval is triggered, but the assignment is created in a request approved
status requiring an administrator to manually activate it
▪ Only the additional Show learning request form option is available in this configuration
• For courses in a specialization: Option only available in setup and defines the default assignment mode
(active or requested) for courses in a specialization. This setup value is picked up by specializations by
default and can be changed per specialization
o Active: For courses accessed from specializations, force learners to active mode regardless of the
configuration on the course itself
o Requested: For courses accessed from specializations, force learners to request mode regardless of
the configuration on the course itself
o Inherit from Course: For courses accessed from specializations, respect the assignment mode
defined on the course
o Inherit from Specialization: For courses accessed from specializations, force learners to active or
request mode per the specialization configuration, regardless of the course configuration

A voluntary or required learning assignment on the item always provides full access to it and bypasses the access
rules that are defined. Additionally, when creating an offering, its default access rules are obtained from its parent
course, not the system level rules.

Set the Learning Item Default Access Group
Learning item default access rules apply to all learners accessing a learning item prior to having an assignment on it.

Image 13. Manage Default Access

These defaults are configurable from either the course, specialization or offering detail pages on the Learners tab, or
on the Access or Access Group sub tab via the Manage Default Access button. You can alter the access settings for
an individual learning item, and these settings apply to all learners who do not have an assignment on the item.

Named or Ad Hoc Access


Learning items can have named or just ad hoc access.

Named access groups are accessible from the Access Groups sub-tab and represent a logical grouping of people with
a specific set of rules. You can select people in a variety of ways, similar to learning initiatives. The group or set of
people defined in an access group are evaluated on a continuous basis for changes. This is why named access groups
are used to capture those group definition changes, apply rules to new people, and remove rules for people no longer
in that definition. Ad hoc access groups are created from the access tab. While a logical group of people can be
defined when creating an ad hoc access group, once created, they can only be managed individually. Furthermore, ad
hoc access groups only evaluate the learner selection at creation time and not continuously afterwards; therefore,
group criteria changes are not applied.

The Access tab is also where the admin can find the expanded list of the named access groups and represents the full
set of people with access defined via named or ad hoc access groups.

Set Access Group Priorities


It is possible to define multiple named access groups, and each group may have overlapping sets of users. To resolve
conflicting rules between named access groups, each group has a priority defined. This determines the priority in
which the rules are evaluated for a given person to determine which rules will apply for them. Rules are applied as
follows for a given learner accessing the learning item prior to having an assignment on that item.
• Rules per the highest priority named access group that includes the learner
• If not included in any named access groups, then rules per the ad hoc access for that learner
• If no ad hoc access for this learner, then rules per the item’s default access rules

For example, let’s say there’s a sales group as priority 1 and a US employees’ group as priority 2. A person in both
groups will have the rules of the sales group applied, as that is the first priority, whereas a person only in the US
employees’ group would get the rules of that group applied. Rule evaluation priority also extends to ad hoc groups
that have the lowest of the priorities and apply only if the person is not included in any named access group.
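
The precedence described above (assignment, then highest-priority named group, then ad hoc access, then the item default) can be written as a small resolver. This is an added example, not Oracle code and not part of the original brief: the group names beyond the sales and US employees groups, the learner IDs and the helper names are constructed. It also includes a review helper that flags learners placed in a No Access group who still see the item through a higher-priority group.

```python
# Added illustration: a model of the precedence described above, not Oracle code.
# Group names, learner IDs and the helper names are constructed for this example.
from dataclasses import dataclass

NO_ACCESS, SUMMARY, DETAILS = "No Access", "Summary View", "Details View"


@dataclass(frozen=True)
class Rules:
    view_mode: str            # Self-Service Details View Mode
    created_by_learner: str   # "Active" or "Requested"


@dataclass(frozen=True)
class NamedGroup:
    name: str
    priority: int             # 1 is evaluated first
    members: frozenset
    rules: Rules


def winning_group(learner, named_groups):
    """Highest-priority named access group that includes the learner, or None."""
    matches = [g for g in named_groups if learner in g.members]
    return min(matches, key=lambda g: g.priority) if matches else None


def effective_rules(learner, named_groups, ad_hoc, item_default, assigned=frozenset()):
    """Return (source, rules). An existing assignment bypasses the access rules,
    so rules is None in that case."""
    if learner in assigned:
        return ("assignment", None)
    group = winning_group(learner, named_groups)
    if group is not None:
        return (group.name, group.rules)
    if learner in ad_hoc:
        return ("ad hoc", ad_hoc[learner])
    return ("item default", item_default)


def shadowed_no_access(named_groups):
    """Review aid: learners placed in a No Access group who still see the item
    because a higher-priority group that includes them wins."""
    findings = []
    for group in named_groups:
        if group.rules.view_mode != NO_ACCESS:
            continue
        for learner in sorted(group.members):
            winner = winning_group(learner, named_groups)
            if winner is not group and winner.rules.view_mode != NO_ACCESS:
                findings.append((learner, group.name, winner.name))
    return findings


# Constructed sample configuration for one learning item.
GROUPS = [
    NamedGroup("Sales", 1, frozenset({"ana", "raj"}), Rules(DETAILS, "Active")),
    NamedGroup("US Employees", 2, frozenset({"raj", "lee"}), Rules(SUMMARY, "Requested")),
    NamedGroup("Contractors", 3, frozenset({"ana", "kim"}), Rules(NO_ACCESS, "Requested")),
]
AD_HOC = {"kim": Rules(DETAILS, "Active"), "pat": Rules(SUMMARY, "Requested")}
ITEM_DEFAULT = Rules(NO_ACCESS, "Requested")

if __name__ == "__main__":
    for who in ("raj", "lee", "kim", "pat", "zoe"):
        print(who, effective_rules(who, GROUPS, AD_HOC, ITEM_DEFAULT))
    print(shadowed_no_access(GROUPS))
```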

Global Access Groups


Global access groups help you to create large numbers of local access groups containing large numbers of people.
With local access groups, you have to duplicate the same destination (analysis object, org group, dynamic learner
criteria, or other learning items) across all of your learning items. This duplication has caused a massive spike in the
number of records that are being stored in some of the Oracle Learning core tables, which then causes certain
scheduled jobs and features to perform at a non-optimal rate.

The key value proposition points for the global access group feature are:
• Streamline the creation of access control in Oracle Learning. You no longer need to create the same
access group with the same destination across multiple learning items. This will be very efficient for
administrators because they can create one global access group, and then associate it to multiple
learning items.
• Reduce data growth in certain tables within Oracle Learning.
• Increase performance for features that utilize access control by minimizing the number of records that
must be evaluated for access.
• Increase performance in the jobs that reconcile access in Oracle Learning. Currently, jobs are scheduled
to be run on a schedule to determine if there are new people that need to be added to access or removed
from access. If there is one global access group vs. multiple local access groups per learning item, there
are fewer records to review during the reconciliation process.
• Improve the usability of the Follow feature so it is clear how to associate access on an object based on a
parent object’s access.

Find Global Access Groups


To access Global Access Groups, click the Global Access Groups tab on the Catalog Resources page.

Image 14. Catalog Resources

You can use the search capability at the top of the page to find existing global access groups. You can use the
common search capabilities by clicking Advanced for more search fields. You can also add more columns to the
Search Results table by clicking View.

Manage Global Access Groups
In the Search Results section, you can edit a global access group by clicking Edit, or by clicking the global access
group to open view mode. When you remove a global access group, you are prompted to confirm the action, and you
are also notified if there are learning items that the global access group is associated with.

Image 15. Search Results

View Global Access Groups


When you click on a link to view a global access group, the global access view mode opens. From this page, you are
able to view the global access group definition, which consists of the learning item number and configuration settings
such as self-service and manager settings, assignment modes, and prerequisite configurations.

Image 16. View Global Access Groups#1

You can toggle to view the access information, which will display the access list (all of the people associated to the
global access group). You can use the common search capabilities by clicking Advanced for more search fields. You
can also add more columns to the Search Results table by clicking View.

Image 17. View Global Access Groups#2

Edit Global Access Groups


You can open edit mode from the view global access group page, or you can select the Edit action from the global
access group search results page. Making edits affects all learning items that a global access group is associated with.

If you edit viewers for learners, organization chart groups, select learning assignments, worker criteria, and learning
assignment criteria, the changes will occur synchronously. All learning items associated with the global access group
are updated. The Generate a List of People from Analysis Report job is called to process this change.

If you edit viewers on an analysis, the changes occur asynchronously after the scheduled job Evaluate Person IDs for
Assignment Rule runs. All learning items associated with the global access group are updated. When you change an
asynchronous item, a message displays to alert you that the changes are processed.

If you edit any basic information or the access details of the access group, the changes will occur synchronously.

Image 18. Edit Global Access Groups#1

Create Global Access Groups
To create a new global access group:
• On the Catalog Resources page, click the Global Access Groups tab.

• Click Create to create a new Global Access Group.

• Enter the details for the access group. The fields are the same as those used with the local access groups
feature. (The difference between the global access group and the local access group creation process is
that global access groups do not maintain pricing data, and they do not support using a learning item as a
destination.)

Associate Global Access Group to Learning Item


When you associate a global access group to a learning item, the Generate a List of People from Analysis Report job
runs, and the people associated to the global access group expand and become part of the access list on the learning
item.

Global Access Comparison Example

The table below shows an example of the difference in data volume when global access is used vs local
access only. In the example, the Learning Cloud had over 2900 local access groups defined for each
learning item, and many of the destinations were repetitive across these access groups. The
administrators created learning items using a default access of “no access” and then created an analysis
object for 40,000 employees. They then created an access group on every learning item with this
40,000-person analysis object to grant them access. This caused the data in the system to explode due
to all the records being created in the system.

| | Groups | Access Records Creation | Reconciliation Impact |
|---|---|---|---|
| Local Access Groups | 2900 | 100 million rows | Reconciliation has to process 100 million rows |
| Global Access Groups | 54 (53 Partner Groups and 1 Employee Group) | 125,000 rows (75K Partners and 50K Employees) | Reconciliation has to process 125,000 rows |

Recommended Steps to Transition from Local Access Groups to Global Access Groups
• Create a global access group that has the same destination of the local access you are replacing.
• Associate the global access group to the learning items that have the local access group you are
replacing.
• Ensure that the global access group is at a higher priority than the local access group.
• Use the Access tab to validate that the expansion has occurred, and that the global access records are
now present.
• Validate that access works with a set of users.
• Remove the local access group from the learning item.
• Run the Expand and Reconcile Job.
• Validate that access works with a set of users with the new global access group and the local access group
removed.

Global Access Group Security Needs


Additional aggregate privileges have been added for administrators:
• View Global Access Groups - Allows administrators to view the Global Access tab, search and find Global
Access Groups, and view the Global Access Group details.

• Manage Global Access Groups - Allows administrators to create and edit global access groups.

These are the recommended steps to enable Global Access Groups in the system with these aggregate privileges:
• Add the View Global Access Group abstract role to the Administrators data role.

• Add Manage Global Access Group abstract role to the Administrators data role.

• Go to Workforce Structures and update the description for the Administrator Data role to ensure that it
reinitializes successfully once it has been saved.

• Run Import User and Data Security Role job.

• Log out as the User, log back in as the Administrator, and validate that the Administrator can view and
manage the global access group.

Access Group ESS Job


Use the new Reconcile Access Groups job to reconcile global and local access groups. Previously, the Reconcile
Dynamic Assignments job reconciled local access groups, as well as initiatives, community assignments, and other
dynamic assignments. There are now two learning reconciliation jobs:
• Reconcile Access Groups – This job only reconciles local and global access groups. Recommended run
frequency is daily.

• Reconcile Dynamic Assignments – This job reconciles initiatives, community assignments, and other
dynamic assignments.

Self-Service View Mode Override


The following feature has undergone a change for courses and specializations. It is configured using the view
mode override setting for courses and specializations: for courses, in relation to the specialization where they are
used and the community catalog they are part of, and similarly for specializations that are part of a community.

Course

There are additional settings for access control of a course when it is a part of a specialization backing its activity or
when it is added to the catalog of any community. The course can use its own access settings or follow the access
details defined for the specialization and community. These settings can be seen on the Default Access pop-up
accessed from Course -> Learners->Access/Access Groups->Manage Default Access under the Self-Service View
Mode Override.

Image 19. Course Default Access

These two settings are available on a course and can be selected under the Self-Service View Mode Override.
- When a Course Is Accessed from the Learning Community, Let the Learning Community Control Access and
Visibility

For example, create a course with default access set to No Access and the Learning Community Access and Visibility
is selected. In this case, learners will not be able to search and browse the course from the learning catalog. However,
for an open community, the course will be visible to all learners. For a closed and secret community, the course will be
visible for its members. Learners will also be able to browse and search for the course within the community catalog.
- When a Course Is Accessed from Specialization, Let Specialization Control Access and Visibility

In this case the course will follow the rules assigned to the specialization if the course is an activity within the
specialization.

For example, create a course with the default access set to No Access, and Let Specialization Control Access and
Visibility is selected. The specialization has default access as Detail View. In such a case, learners can search the
specialization and complete the course backing the specialization activity. The course will not be searchable directly in
the catalog, however.

Specialization

Similarly, a specialization can be configured such that its access mode can be overridden by the community access
settings when the specialization is part of this community catalog. This setting is available on the Default Access pop-
up accessed from Specialization -> Learners->Access/Access Groups->Manage Default Access under the Self-Service
View Mode Override.

- When a Specialization Is Accessed from a Learning Community, Let the Learning Community Control
Access and Visibility

Image 20. Specialization Default Access

The specialization will be available for browse and search within the community catalog.

The self-service view of the learning item page is affected by the View Mode defined for the learning item. The View
Mode can have three different values.
- Details View – shows detailed information about the learning item including DFFs, Prerequisites, Learning
Outcomes, Price etc.
- Summary View – shows limited restricted information about the learning item.
- No Access – cannot be searched or browsed from self-service.

The self-service View Mode affects the information that is visible to a learner of a learning item when accessed from
self-service.

The View Mode becomes irrelevant when the learner has an Active assignment of the learning item, in which case the
learner will always see Details View.

Self-Service View Mode

In the self-service UI, the specific attributes are indicated for Details View and Summary View for Course, Offering and
Specialization.

COURSE ATTRIBUTES SUMMARY VIEW DETAILS VIEW

Title ✓ ✓

Syllabus - ✓

Short Description ✓ ✓

Cover Art/Branding ✓ ✓

Expected Effort - ✓

DFF - ✓

Prerequisites - ✓

Learning Outcomes - ✓

Offering List - ✓

Learning Outcomes - ✓

Price - ✓

Table 1. Course Attributes

OFFERING ATTRIBUTES SUMMARY VIEW DETAILS VIEW

Title ✓ ✓

Description - ✓

Instructors - ✓

Offering Type ✓ ✓

Offering DFF - ✓

Offering Dates - ✓

Language ✓ ✓

Expected Effort - ✓

Language - ✓

Remaining Seats - ✓

Table 2. Offering Attributes

SPECIALIZATION ATTRIBUTES SUMMARY VIEW DETAILS VIEW

Title ✓ ✓

Short Description ✓ ✓

Cover Art/Branding ✓ ✓

Description - ✓

Sections - ✓

DFF - ✓

Section Activities - ✓

Table 3. Specialization Attributes

Details View shows all the learning item detail page sections and attributes within.
Summary View shows a message “Content restricted to members.” Learners need to enroll before they can see the
complete details.

Image 21. Course Self Service View Mode

Community Membership and View Mode


The visibility of a learning community is controlled by its Privacy and Membership. Privacy settings can be Open,
Closed and Secret.

Privacy

The Privacy setting impacts the self-service experience of learner as follows:

Open - Learning community appears in search results, and anyone can view the content in this learning community.

Closed - Learning community appears in search results, but only members can view the content in this learning
community.

Secret - Learning community appears in search results only for members of the community.

Image 22. Community Definition

Membership

Membership can be set to Members, Required Member and Community Manager.

Once a learner becomes member of a learning community, the visibility becomes irrelevant, and the access becomes
the same as an open community in self-service.

Membership controls what privilege members have with the community. Membership can be Community Manager,
Member and Required Member.

Community Managers can edit a learning community definition and create assignments. They can also add other
members with any level of community membership.

Required Members have access to the community catalog. Any required assignments get assigned to them
depending on the assignment settings. They can contribute to the community catalog if it is enabled.

Members can access learning from a catalog. They can contribute to the community catalog if it is enabled under
privacy settings.

Image 23. Community Membership

Access List Management of Self-Service Learning Items


Access groups are not used with the self-service created learning items Video, Tutorial, and Self-Service Learning
Community.

In the case of self-service Video and Tutorial, the visibility is managed using the Privacy attribute which can be either
open to everyone or restricted via the Secret option to a selected list of people the user can add explicitly. In the
current version it supports adding a single user at a time. In such case, the learning item is visible in search results
only for the specified list of users that acts as access list. Note: Changes to Privacy or Access Lists do not affect
Approvals.

Tutorial Privacy is defined as Open or Secret. In the case of Secret, the author of tutorial can select individual people
who can view this tutorial. Selecting privacy is required and this value defaults to Open.

Image 24. Access List

Privacy for a self-service learning community can be Open, Closed and Secret.
• Open: appears in search results and anyone can view the content in this community.
• Closed: appears in search results but only members can view the content in this learning community.
• Secret: appears in search results only for the members of the community

The creator of a Learning community has Community Manager access by default. A Learning Community Manager
can optionally be added as a member. Learning Community Managers can define user access at the individual user
level or at the group access level. The member list shows the complete list of members currently in the community,
either added directly, or as a result of group access definition. Note: Self-service learning communities do not have
required members, unlike the admin community.

Image 25. Community Privacy

Follow Feature
The “Follow” feature has been removed from Learning Cloud because of this enhancement. In previous versions,
when you created a child learning item (such as an offering for a course), you were prompted to indicate whether you
wanted to have the learning item to “follow” the access control set on the parent item. This prompt is now gone.
Instead, you can use a Global Access Group for both the course and the offering.

However, you may not want an offering to follow the same access as the course. Maybe an offering on a course is
only offered to C level employees and the other offerings are available to everyone. In this case, the course would
have an access group that allows everyone and when the offering is created, they would create an access group for
only the C level employees.

Data Security Policy Based Access


Another option that can be used to set up access is by using data security policies.

In Oracle Learning, this is generally used to restrict access to items from the Learning Specialist user interface
(Catalog, Catalog Resources, and assignments).

In general, data security policies articulate the security requirement of "Who can do what with which set of data." A
data security policy identifies the entitlement (the actions that can be made on logical business objects), the roles that
can perform those actions, and the conditions that define the access. Conditions are readable WHERE clauses. The
WHERE clause is defined in the data as an instance set, and this is then referenced on a grant that also records the
table name and required entitlement. In the below setup example, let’s look at an Admin and a Learner and how we
would set up a custom condition for a group of Administrators and a group of Learners. Create a group of
administrators that is only able to see learning items that have been created by someone within their hierarchy, and
learners that can only see learning items that have a certain language code.

• Use an Oracle Learning Database Resource that currently exists in the Learning Cloud. You can use “WLF” as
a prefix in your search. In the illustration below, you can see the object names that are supported, and the
descriptions of each object. For the examples that we are going to configure, we are going to look at isolating
Learning Items so we would use the “WLF_LEARNING_ITEMS_F” object.

Image 26. Data Security Policy

• Create database conditions. The condition defines the WHERE clause (what data can this action be done
against). Conditions can be created by a filter or a SQL predicate. In our example, we are going to create a
condition with an SQL predicate for the Administrator to analyze the Administrator’s hierarchy, and a
condition with a simple filter for learners.

• Administrator: Create a Custom SQL predicate to indicate only learning items in their hierarchy can
be displayed

Image 28. Database Resource Condition

EXISTS (
  /* attribution person is the session user, has no assignment row, or reports to the session user as line manager */
  (SELECT 1
   FROM PER_ALL_ASSIGNMENTS_M A, PER_PERSONS P
   WHERE P.PERSON_ID = A.PERSON_ID(+)
   AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE(+) AND A.EFFECTIVE_END_DATE(+)
   AND A.EFFECTIVE_LATEST_CHANGE(+) = 'Y'
   AND A.ASSIGNMENT_TYPE IN ('E','C','N','P')
   AND P.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
   AND (P.PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
        OR ((A.ASSIGNMENT_ID IS NULL)
            OR (A.ASSIGNMENT_ID IS NOT NULL
                AND EXISTS (SELECT 1
                            FROM PER_MANAGER_HRCHY_DN MH
                            WHERE MH.PERSON_ID = A.PERSON_ID
                            AND TRUNC(SYSDATE) BETWEEN MH.EFFECTIVE_START_DATE AND MH.EFFECTIVE_END_DATE
                            AND MH.MANAGER_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
                            AND MH.MANAGER_TYPE = 'LINE_MANAGER')))))
  UNION ALL
  /* attribution person has a PER_SHARE_INFORMATION row whose grantee is the session user */
  SELECT 1
  FROM PER_SHARE_INFORMATION SI
  WHERE SI.GRANTEE_PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
  AND SI.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
)

• Learner: Create a filter to indicate only learning items where the language code is equal to English (en-us).

Image 29. Database Resource Filters

• Actions: Actions do not need to be defined. They are seeded.

Image 30. Actions

• Associate the created data security policy to the appropriate data roles.

• Administrator: Associate the newly created administrator condition to the Data role that has been created by the
administrator. In the example below, we are going to put the custom condition on the Manage Catalog Learning
Offerings Privilege by editing the data security policy associated to the data role. The custom data security policy
condition selected will only allow administrators to manage offering learning items that have been created by
individuals in their hierarchy.

Image 31. Listing of Policy Names on the Data Role

Image 32. Edit Data Security Policy

• Modify the condition on the Manage Catalog Learning Offerings Privilege

• Learner: Associate the newly created Learner condition to the Data role that has been created by the
Administrator. In the below example we are going to put the custom condition on the View Catalog Learning
Items in Self Service Privilege by editing the data security policy. The custom data security policy condition
selected will only allow Learners to view learning items that have a language code equal to English (en-us).

Image 33. Edit Data Role

• Modify the condition on the View Catalog Learning Items in Self Service Privilege

Image 34. Modify Condition

Run ESS Job to Update User Permissions


Return to the home page and click Tools/Scheduled Processes. Then click “Schedule new process”. Make sure to run the
following ESS Job in the Scheduled Process panel: “Retrieve latest LDAP changes”.

Additional Data Security condition examples


This section contains some additional examples that can be applied, and they are listed from common to more
extreme cases.

• By AOR (Area of Responsibility)

• By constant value on DFF (Data Flex Field)

• By Person DFF vs Learning Item DFF

• Establish an instructor role

Basic Method: Restricting Access to Catalog Items Using AOR


This section describes a standard method to restrict the learning specialist visibility to a specific AOR, showing the
learning specialist only the data created by another person who happens to fit the criteria defined by his area of
responsibility.

The simple model applied here is the following:

• User A created a course while he is part of Business Unit 1.

• User B is part of a different business unit but has an AOR that also allows visibility on Business Unit 1.

• User B will see and act upon learning items created by User A.

For this, you need to add a general data policy at the role level (in this case it is preferable to have created a new role
based on the existing seeded roles).

Create Security Profile for the Role


In Setup and Maintenance, search and select “Assign Security Profile to Role”

Image 35. Modify Condition

Find the role on which you want to restrict access

Image 36. Manage Data Roles and Security Policies

In the various parts, either select an existing security profile of your choice, or create new ones

Image 37. Edit Data Role: Security Criteria

If you select a restriction by AOR, you are asked to define that AOR. The illustration below shows the Responsibility
Type as Learning representative, and the Scope of Responsibility as Business Unit.

Image 38. Assign Security Profile to Role

• Submit your new policy on the role.

• Verify changes.

• Assign this role to a user.

Return to the security console. View the role to see that in the Data Policies applied, it has now been filled up with
different data policies on different privileges.

Image 39. Edit Role

The illustration below shows that each privilege under that role now is subject to an SQL-based filter condition that
applies each time a learning specialist tries to search for a specific item in Learning Cloud. This is the case when data
security is applied to a specific role from Setup and Maintenance, so it facilitates the SQL condition.

Image 40. Edit Data Security

You can customize this per privilege, and on each you can apply a different security policy if available. This means
each privilege identified in a role can hold its own predefined condition. (For example, Course view and creation could
be Global, but Offering View and Creation could be AOR-based).

If you want more details on how that policy works, you can go directly in the Administration panel of the security
console and click Manage Database Resources.

Image 41. Manage Database Resources

• Search for “WLF” on the Object Name filter, and select WLF_LEARNING_ITEMS_F.

• Click Edit.

Image 42. Edit Database Resource

• When the resource opens, select the Conditions tab.

• Look for the custom policy you created before.

• Select it and click Edit.

Image 43. Edit Data Security: Condition

When you click Edit, you can see the SQL predicate that was generated by the system upon the policy creation. Keep
in mind the more complex the query becomes, the more impactful it will be upon UI search performance and OTBI
reports.

Verify AOR of the selected User(s)

Make sure the user has the right AOR and AOR criteria set up (here, by business unit).

Image 44. Manage Areas of Responsibility

Once it has successfully run, use the user to whom you added that custom role. In the offering search, notice that you
cannot find any other offering existing in the catalog:

Image 45. Learning Catalog: Offerings

It is the same for courses.

Image 46. Learning Catalog: Courses

However, users can create their own courses, and they will see all courses created by users who are part of the
business unit covered by the same AOR.

Image 47. Create Course

When creating assignments for a course, users can only target people from their AOR. In the following illustration, it is
based on business unit.

Image 48. Course Assignments

Advanced Method: Restricting Access Using Constant Flex Field
This example shows how to segregate catalog access on the learning specialist user interface, based on the constant
value of a flex field at learning item level. This constant data can be replaced by a list of values if required.

It works better when segregating the catalog by learning item criteria (like a catalog category) rather than by criteria
related to the current page user.
SQL Predicate Example:

&TABLE_ALIAS.LEARNING_ITEM_ID IN (
  SELECT c.learning_item_id
  FROM WLF_LI_COURSES_F c
  WHERE c.CRS_ATTRIBUTE1 = 'Compliance' and c.CRS_ATTRIBUTE1 is not null
)

Next, perform the same changes as the ones described in the above chapter to apply this condition to the role. This
newly created condition can be applied as an exception to the following privileges depending on the desired effect.
• Manage Catalog Learning Specializations

• Manage Catalog Learning Courses

• Manage Catalog Learning Offerings

• View Catalog Learning Items by Administrator

Make sure to run the Retrieve Latest LDAP Changes scheduled process.

Advanced Method: Restrict the list of offerings visible to the user by offering type
The following SQL predicate example should be used, when there is a need to restrict the list of offerings visible to the
user by offering type, so that the person only sees, for example, ILT offerings, or self-paced offerings.

Step 1: Create a custom SQL condition that will limit the result set to only self-paced offerings

EXISTS (
  /*offerings search: sp offerings only*/
  SELECT 1
  FROM wlf_learning_items_f itm,
       wlf_li_classes_f c
  WHERE itm.learning_item_id = QRSLT.learning_item_id
  AND itm.learning_item_type = 'ORA_CLASS'
  AND itm.learning_item_id = c.learning_item_id
  AND c.delivery_mode = 'ORA_SP'
  /*other delivery modes are ORA_ILT and ORA_BLENDED*/
  AND trunc(sysdate) between itm.effective_start_date and itm.effective_end_date
  AND trunc(sysdate) between c.effective_start_date and c.effective_end_date
  UNION
  /*for anything other than offerings search*/
  SELECT 1
  FROM wlf_learning_items_f itm
  WHERE itm.learning_item_id = QRSLT.learning_item_id
  AND itm.learning_item_type <> 'ORA_CLASS'
  AND trunc(sysdate) between itm.effective_start_date and itm.effective_end_date
)

Step 2: Edit the data role granted to the administrator and set the data policy condition for “View Catalog Learning
Items by Administrator” to the above condition.

Image 49. Edit Role: Data Security Policies
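Before a condition like the one in Step 1 is attached to a role, it can be exercised against a handful of rows to confirm which items it lets through. The following is an added example, not Oracle's code: it runs the predicate on SQLite from Python, with trunc(sysdate) replaced by a bound :today so the test date is fixed. The tables are constructed and hold only the columns the predicate reads, and build_db, visible_items and the outer QRSLT query are hypothetical stand-ins for the application's own search.

```python
import sqlite3

# Constructed schema: only the columns the condition reads (the real tables have more).
SCHEMA = """
CREATE TABLE wlf_learning_items_f (learning_item_id INTEGER, learning_item_type TEXT,
    effective_start_date TEXT, effective_end_date TEXT);
CREATE TABLE wlf_li_classes_f (learning_item_id INTEGER, delivery_mode TEXT,
    effective_start_date TEXT, effective_end_date TEXT);
"""

END = "4712-12-31"  # constructed open-ended end date

# Constructed rows: (id, type) and (id, delivery mode, start, end).
ITEMS = [(100, "ORA_COURSE"), (201, "ORA_CLASS"), (202, "ORA_CLASS"),
         (203, "ORA_CLASS"), (204, "ORA_CLASS")]
CLASSES = [
    (201, "ORA_SP", "2020-01-01", END),
    (202, "ORA_ILT", "2020-01-01", END),
    (203, "ORA_BLENDED", "2020-01-01", END),
    # 204 was self-paced until the end of 2023 and instructor-led afterwards
    (204, "ORA_SP", "2020-01-01", "2023-12-31"),
    (204, "ORA_ILT", "2024-01-01", END),
]

# The Step 1 condition; the only change is :today in place of trunc(sysdate).
PREDICATE = """
EXISTS (
  SELECT 1
  FROM wlf_learning_items_f itm, wlf_li_classes_f c
  WHERE itm.learning_item_id = QRSLT.learning_item_id
  AND itm.learning_item_type = 'ORA_CLASS'
  AND itm.learning_item_id = c.learning_item_id
  AND c.delivery_mode = 'ORA_SP'
  AND :today BETWEEN itm.effective_start_date AND itm.effective_end_date
  AND :today BETWEEN c.effective_start_date AND c.effective_end_date
  UNION
  SELECT 1
  FROM wlf_learning_items_f itm
  WHERE itm.learning_item_id = QRSLT.learning_item_id
  AND itm.learning_item_type <> 'ORA_CLASS'
  AND :today BETWEEN itm.effective_start_date AND itm.effective_end_date
)
"""


def build_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO wlf_learning_items_f VALUES (?, ?, '2020-01-01', ?)",
        [(item_id, item_type, END) for item_id, item_type in ITEMS],
    )
    conn.executemany("INSERT INTO wlf_li_classes_f VALUES (?, ?, ?, ?)", CLASSES)
    return conn


def visible_items(conn, today):
    """IDs returned on the given date by a search that carries the condition."""
    sql = (
        "SELECT DISTINCT QRSLT.learning_item_id FROM wlf_learning_items_f QRSLT "
        "WHERE " + PREDICATE + " ORDER BY 1"
    )
    return [row[0] for row in conn.execute(sql, {"today": today})]


if __name__ == "__main__":
    db = build_db()
    for day in ("2023-06-01", "2024-06-01"):
        print(day, visible_items(db, day))
```

Offering 204 drops out of the result once its self-paced row is end-dated, and course 100 is always returned because the second branch passes every item that is not an offering.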

Advanced Method: Handling Learning Items by Instructors


Use the following SQL predicate example when you need a specific instructor role in which the instructor is
allowed to see only the set of courses and offerings where he/she is designated as one of the course
instructors.

SQL Predicate Example:

EXISTS (
    /*for course search*/
    SELECT 1
    FROM wlf_learning_items_f itm,
         WLF_ACCESS_PERMISSIONS_F prms,
         WLF_ASSIGNMENT_RECORDS_F recs
    WHERE itm.learning_item_id = recs.learning_item_id
    AND recs.EVENT_TYPE = 'ORA_LI_INSTRUCT'
    AND recs.ACCESS_PERMISSION_ID = prms.ACCESS_PERMISSION_ID
    AND prms.INSTRUCTOR_ACCESS_MODE = 'Y'
    AND recs.LEARNER_ID = HRC_SESSION_UTIL.GET_USER_PERSONID
    AND itm.learning_item_id = QRSLT.learning_item_id
    AND itm.learning_item_type = 'ORA_COURSE'
    AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
    AND TRUNC(sysdate) BETWEEN prms.effective_start_date AND prms.effective_end_date
    AND TRUNC(sysdate) BETWEEN recs.effective_start_date AND recs.effective_end_date
    UNION
    /*for offering search look for primary instructor */
    SELECT 1
    FROM wlf_learning_items_f itm,
         wlf_li_classes_f c,
         wlf_instructor_resources r
    WHERE c.primary_instructor_ID = r.instructor_id
    AND r.person_id = HRC_SESSION_UTIL.GET_USER_PERSONID
    AND itm.learning_item_id = QRSLT.learning_item_id
    AND itm.learning_item_type = 'ORA_CLASS'
    AND itm.learning_item_id = c.learning_item_id
    AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
    AND TRUNC(sysdate) BETWEEN c.effective_start_date AND c.effective_end_date
    UNION
    /*for anything other than course/offering search*/
    SELECT 1
    FROM wlf_learning_items_f itm
    WHERE itm.learning_item_id = QRSLT.learning_item_id
    AND itm.learning_item_type NOT IN ('ORA_COURSE','ORA_CLASS')
    AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
)

Then apply this condition to the role by making the same changes as described in the chapter above. The newly
created condition can be applied as an exception to the following privileges, depending on the desired effect:

• Manage Catalog Learning Specializations

• Manage Catalog Learning Courses

• Manage Catalog Learning Offerings

• View Catalog Learning Items by Administrator

Make sure to run the Retrieve Latest LDAP Changes scheduled process.
Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value.
Use this method in more extreme scenarios where security by AOR or by learning item flex field alone is not
strong or flexible enough. The use case covered here works as follows:

When an administrator searches for a learning item, the system filters out the learning item result entries that do
NOT contain a specific value in a flex field.

This flex field value needs to match the value of another flex field on the current user's person profile.
A similar method could be used on the Learner’s role.

• User A has the value ABCD in the designated flex field of his profile.

• User B has the value EFGH in the designated flex field of his profile.

• User D creates a learning item and adds ABCD in the flex field of the learning item.

• User A will be able to find the learning item because his profile flex field value and the learning item flex field
value match.

• User B will not be able to find the learning item (unless the flex field value of this course changes to EFGH or his
own profile flex field changes to ABCD).

The SQL predicate demonstrated here needs to be implemented just like in the above example, by creating a custom
condition that will later on be applied to a specific privilege of a specific role:

EXISTS (
    /* Course Search page */
    SELECT 1
    FROM FUSION.WLF_LEARNING_ITEMS_F T
    WHERE TRUNC(SYSDATE) BETWEEN T.EFFECTIVE_START_DATE AND T.EFFECTIVE_END_DATE
    AND T.LEARNING_ITEM_ID = QRSLT.LEARNING_ITEM_ID
    /* placeholder flex field column and value */
    AND T.CO_ATTRIBUTE1 = 'BU1'
    AND T.learning_item_type = 'ORA_COURSE'
    UNION
    /*Anything other than course search*/
    SELECT 1 FROM wlf_learning_items_f T
    WHERE T.learning_item_id = QRSLT.learning_item_id
    AND TRUNC(SYSDATE) BETWEEN T.EFFECTIVE_START_DATE AND T.EFFECTIVE_END_DATE
    AND T.learning_item_type not in ('ORA_COURSE')
)

Note: The flex fields referenced here are placeholders, and the flex field column name might vary from one instance
to another.

Make sure to run the Retrieve Latest LDAP Changes scheduled process.

Understanding Access Control Enforcement Across All Access Types

A learning item can have a combination of access control types applied to it when a learner is attempting to access
the learning item. The following access control types can influence the access behavior:

• Data security

• Access records

• Assignments

Access enforcement is evaluated in the following priority order:


1. Data Security - Data security trumps all the other types of access. If through data security learners don’t have
the authority to view the learning item, they will not be able to view the learning item and the other access
control types are not evaluated.

2. Assignment Records - Assignments trump access records. If a learner has access to an item via data security,
and they have a required or voluntary assignment, then the access record control type does not need to be
evaluated.

a. Required or Voluntary Assignment – If a learner has a required or voluntary assignment then they
can access the learning item even though they are not granted access via an access record.

b. Recommended by an Administrator - If a learner has a recommended assignment then they can
access the learning item even though they are not granted access via an access record.
Recommended assignments by the learner’s manager or via Self-Service recommendations do not
override access records.

3. Access Records - If learners don’t have access to the learning item because the learning item is set to no access
by default and they do not have a corresponding learning access record, then they will not have access.
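
The priority order above, written out as a decision function that also reports which layer decided the outcome. This is an added example, not Oracle's code: the class, field and function names and the scenarios are assumptions, as is treating every case other than the stated access-record deny as allowed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LearnerAccess:
    """Constructed model of the inputs named in the priority list."""
    data_security_allows: bool
    assignment: Optional[str] = None      # "required", "voluntary" or "recommended"
    recommended_by: Optional[str] = None  # "administrator", "manager" or "self_service"
    no_access_by_default: bool = False    # item is set to no access by default
    has_access_record: bool = False       # learner has a matching access record

def evaluate_access(a: LearnerAccess):
    """Return (allowed, deciding_layer), evaluated in the documented order."""
    # 1. Data security: a deny here ends evaluation; nothing else is consulted.
    if not a.data_security_allows:
        return (False, "data security")
    # 2. Assignments trump access records.
    if a.assignment in ("required", "voluntary"):
        return (True, "assignment")
    if a.assignment == "recommended" and a.recommended_by == "administrator":
        return (True, "assignment")
    # Manager and self-service recommendations do not override access records,
    # so they fall through to the access-record layer.
    # 3. Access records: no access by default and no matching record is a deny.
    if a.no_access_by_default and not a.has_access_record:
        return (False, "access record")
    # Assumption: any other combination is allowed at this layer.
    return (True, "access record")

# Constructed scenarios for walking through an access question.
SCENARIOS = {
    "required assignment, data security denies":
        LearnerAccess(False, assignment="required", has_access_record=True),
    "administrator recommendation, no access record":
        LearnerAccess(True, "recommended", "administrator", no_access_by_default=True),
    "manager recommendation, no access record":
        LearnerAccess(True, "recommended", "manager", no_access_by_default=True),
}

def audit():
    """Evaluate every constructed scenario and return the decisions by label."""
    return {label: evaluate_access(a) for label, a in SCENARIOS.items()}
```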
