Understanding Access Control in Oracle Learning 1.2
Oracle Learning
1 Business / Technical Brief / Understanding Access Control in Oracle Learning / Version 1.1
Copyright © 2022, Oracle and/or its affiliates / Public
Purpose statement
This document provides an overview of Access Control in Oracle Learning.
Disclaimer
This document in any form, software or printed matter, contains proprietary
information that is the exclusive property of Oracle. Your access to and use of
this confidential material is subject to the terms and conditions of your Oracle
software license and service agreement, which has been executed and with
which you agree to comply. This document and information contained herein
may not be disclosed, copied, reproduced or distributed to anyone outside
Oracle without prior written consent of Oracle. This document is not part of your
license agreement nor can it be incorporated into any contractual agreement
with Oracle or its subsidiaries or affiliates.
This document is for informational purposes only and is intended solely to assist
you in planning for the implementation and upgrade of the product features
described. It is not a commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described in
this document remains at the sole discretion of Oracle. Due to the nature of the
product architecture, it may not be possible to safely include all features
described in this document without risking significant destabilization of the code.
Table of contents
Purpose statement
Disclaimer
Disclaimer
Document Control
Introduction
Access Groups
Types of Access Groups
How Access Groups Work
Understanding Access Control Data Processing
Job Role
Example Use case
Local Access Groups
Set System Wide Default Local Access Group
Define Access Rules
Set the Learning Item Default Access Group
Named or Ad Hoc Access
Set Access Group Priorities
Global Access Groups
Find Global Access Groups
Manage Global Access Groups
View Global Access Groups
Edit Global Access Groups
Create Global Access Groups
Associate Global Access Group to Learning Item
Global Access Comparison Example
Recommended Steps to Transition from Local Access Groups to Global Access Groups
Global Access Group Security Needs
Access Group ESS Job
Self-Service View Mode Override
Community Membership and View Mode
Access List Management of Self-Service Learning Items
Follow Feature
Data Security Policy Based Access
Run ESS Job to Update User Permissions
Additional Data Security condition examples
Basic Method: Restricting Access to Catalog Items Using AOR
Advanced Method: Restricting Access Using Constant Flex Field
Advanced Method: Restrict the list of offerings visible to the user by offering type
Advanced Method: Handling Learning Items by Instructors
Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value
Understanding Access Control Enforcement Across All Access Types
List of Images
Image 1. Target Person List #1
Image 2. Reconcile Person List with People Currently on Access List
Image 3. Target Person List #2
Image 4. Determine the List of People to Reconcile based on Destination Type
Image 5. Reconcile Person List with People Currently on Access List
Image 6. Data Access
Image 7. Data Access
Image 8. Data Access#1
Image 9. Reconciliation#1
Image 10. Data Access#2
Image 11. Reconciliation#2
Image 12. Learner Item Default Attributes
Image 13. Manage Default Access
Image 14. Catalog Resources
Image 15. Search Results
Image 16. View Global Access Groups#1
Image 17. View Global Access Groups#2
Image 18. Edit Global Access Groups#1
Image 19. Course Default Access
Image 20. Specialization Default Access
Image 21. Course Self Service View Mode
Image 22. Community Definition
Image 23. Community Membership
Image 24. Access List
Image 25. Community Privacy
Image 26. Data Security Policy
Image 28. Database Resource Condition
Image 29. Database Resource Filters
Image 30. Actions
Image 31. Listing of Policy Names on the Data Role
Image 32. Edit Data Security Policy
Image 33. Edit Data Role
Image 34. Modify Condition
Image 35. Modify Condition
Image 36. Manage Data Roles and Security Policies
Image 37. Edit Data Role: Security Criteria
Image 38. Assign Security Profile to Role
Image 39. Edit Role
Image 40. Edit Data Security
Image 41. Manage Database Resources
Image 42. Edit Database Resource
Image 43. Edit Data Security: Condition
Image 44. Manage Areas of Responsibility
Image 45. Learning Catalog: Offerings
Image 46. Learning Catalog: Courses
Image 47. Create Course
Image 48. Course Assignments
Image 49. Edit Role: Data Security Policies
List of Tables
Document Control
Change Record
Introduction
This Technical Brief discusses how you can set up Access Control in Oracle Learning. Access Control determines who
can access what learning items.
There are two ways you can set up Access Control to achieve this:
• Use Access Groups - This functionality is specific to Oracle Learning and enables you to control access to
learning items.
• Use Oracle HCM Cloud data security functionality – You can use data security policies to control access to
learning items.
Access Groups
Access groups define a set of rules at a learning item level. These rules determine:
• Whether an item is visible to learners, and the pre-assignment behavior in learner self-service
• How much information is displayed to the learners
• How they can engage with the learning item
When you create an access group, you are essentially creating an “access list” of all learners who can view a learning
item based on a set of rules. “Access records” represent the individual learners who can view a learning item within
the access list.
• Ad hoc - You can create access records outside of access groups. These are called “ad hoc access
records”. Ad hoc access groups are defined once and remain based on the same set of learners as at the
time of the group's creation. You can only manage these groups manually.
• Local Access Group – a unique set of learners and access details that are specific to a learning item.
How Access Groups Work
Access Groups control the access and visibility of a learning item for a specific user. You can determine whether a
learner can access a learning item and the extent of information (Detail or Summary) about that learning item that
can be viewed by members of an Access Group.
• Access Groups are created and managed similarly to learning records. They are stored as access records in the
database, as a relationship between the learner and the learning objects they can access.
• Access Groups can be created once and reused on various learning items. Or, they can be created once for a
learning item.
• These settings are required to create and update access group records:
o OTBI security of “Run As” user if OTBI analysis is used to select learners
o Fusion Data Security (Choose Learner DSP) policy applied to the “Run As” user
• These conditions then apply to the learner selection criteria used for creating access groups, which can be from
OTBI analysis, Person Org Hierarchy, Person Criteria and Assignment Criteria.
• The access groups can be reconciled periodically (e.g. daily) to account for learners who fall in or out of the
destinations they are part of.
• There can be more than one access group set on a learning item. Access is resolved so that the access group with
higher priority supersedes the lower priority access group rule. The priority of access groups can be managed
anytime.
Read on for a detailed explanation of how to create and manage aspects of access groups and how they affect the
access to learning items.
Job Role
When an access group is created or modified, the User creating the group can select the “Run As” User. This is the
User whose data security will be used to set the Access Group data security when it is created or modified.
There is a dynamic process called Generate a List of People from Analysis Report that is kicked off on access group
save. This process performs the following steps:
o Determines the user that has been identified in the “Run As” field on the Global Access Group.
o Reviews this user and the OTBI data access that they have if using an analysis object.
o Reviews this user and the Choose Learner Access Data: Person Details Resource associated with this
learner.
• The intersection of the Data Access of this user is the Target Person List.
Step 2: Reconcile this Person List with the current list of people in the access list
The reconciliation will be done as the Run As User. The Target person list will be placed in a person list table
and compared/reconciled against the current access list on the learning item.
• Persons that are new in the person list will be added to the access list.
• Persons that are no longer present in the person list will be removed from the access list.
Note: The Generate a List of People from Analysis Report is run dynamically on create/edit and this job cannot be
scheduled by the Administrator.
Image 2. Reconcile Person List with People Currently on Access List
People can fall in or out of the destinations that are associated with the access group. For example, a new hire can come
into an Organization destination or a Person could fall off an analysis object. Therefore, scheduled processes are needed
to evaluate changes that occur within the organization and have an impact on the access lists.
The first job scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for
Assignment Rule. This job will:
• Determine the Person List – Determining the person list is dependent on the type of Destination that is
used:
o Analysis Object, Organization and Person: Extract the persons that are in the destinations
based on the User that created the job.
o Note: It is critical to ensure that the user that is creating the job has elevated data security
privileges (viewing largest data set) so that there are not any issues with the data being limited
during the evaluate process. It is in the customer’s best interest to use a user that has access to
all data, so data security issues do not arise and so that this job performs very quickly because
there is less data filtering needed.
o Learning Assignment Criteria and Person Criteria: Review the user that created the criteria
and apply this user’s Choose Learner Access Data: Person Details Resource.
• Reconcile this list of Persons with the current list of people in the access list. Determining how to
perform the reconciliation is dependent on the type of Destination that is used:
o Analysis Object, Organization and Person:
▪ Determine what user should be used, this is the user that has been identified in the “Run
As” field.
▪ Review this user and the Choose Learner Access Data: Person Details Resource
associated with this learner.
▪ Reconcile the persons that are in the destinations with the appropriate Choose Learner
Access Data: Person Details Resource applied.
o Learning Assignment Criteria and Person Criteria:
▪ Review the User that created the Criteria and apply this user’s Choose Learner Access
Data: Person Details Resource.
Note: In a future release, we will be changing the way we handle Learning Assignment Criteria and Person Criteria in
the reconciliation list of a person’s job. We will use the Run As user like we have done for the analysis object and the
organization and person.
Image 5. Reconcile Person List with People Currently on Access List
Let’s walk through the steps above to see what happens when John Doe creates an Access Group and then what
happens if changes are made to the global access group or to the destinations associated to the access group at a
later point in time.
John Doe Creates an Access Group and Selects his User as the Run As User
Determine what user should be used: this is the User that has been identified in the “Run As” field. Take this Run As
User and determine what type of data access they have across OTBI and Fusion, and then choose the most restrictive
data set. In this case, the Global Access Group will have an access list that contains people from Business Unit A and
Business Unit B, which is the most restrictive data set.
Review this user and the OTBI data access that they have if using an Analysis object.
• John Doe has access to Business Unit A and Business Unit B in OTBI
Review this user and the Choose Learner Access Data: Person Details Resource associated with this Learner in Fusion
security.
• John Doe has access to Business Unit A, Business Unit B, and Business Unit C in Fusion
The final access list for the global access list will include persons from Business Unit A and Business Unit B.
John adds a new Analysis object to the Global Access Group. This analysis object has only the person Jane Doe in it,
for simplicity’s sake, and John has access to Jane’s person record in both OTBI and Fusion. Let’s say at this time, Ron
Smith leaves the company, so he is no longer in Business Unit B.
• Analysis Object Created by Administrator that Shows all data in Business Units (BU A -> BU G)
• John Doe has OTBI access but only has data access to BU A, BU B and Jane Doe
• John Doe in Fusion has data access to BU A, BU B and BU C and Jane Doe
Because a change has been made to the Global Access Group, the Generate a List of People from Analysis Report
process will run on edit; the person list must be determined and then reconciled to update the access list.
Determine what user should be used: this is the User that has been identified in the “Run As” field. Take this Run As
User and determine what type of data access they have across OTBI and Fusion, and then choose the most restrictive
data set. In this case the Global Access Group will have an access list that contains people from Business Unit A and
Business Unit B and Jane, which is the most restrictive data set.
Review this User and the OTBI data access that they have if using an Analysis object.
• John Doe has access to Business Unit A and Business Unit B in OTBI and Jane Doe
Review this User and the Choose Learner Access Data: Person Details Resource associated with this Learner in
Fusion security.
• John Doe has access to Business Unit A, Business Unit B, and Business Unit C and Jane Doe in Fusion
The final data access temp table for the global access list will include persons from Business Unit A, and Business Unit
B and Jane.
Reconcile the New list of Persons with the current list of people in the final data access temp table. Jane is a new
person that is identified in a new analysis object destination and Ron Smith was in Business Unit B but has left the
organization. The reconciliation job will compare persons in the final data access temp table with persons that are
currently in the global access group and reconcile the two.
• Add persons to the access list if they do not exist. Jane is in the final data access temp table, but she is not in
the current global access list. Jane will be added to the Global Access List.
• Remove persons from the access group if they do not exist. Ron is no longer in Business Unit B, so he is no longer in
the final data access temp table, but he is in the current Global Access List. Ron will be removed from the Global
Access List.
Image 9. Reconciliation#1
Ongoing Person Evaluation and Reconciliation – One week later, BU A is no longer in the Analysis object and
Business Unit B has Person Z added and Jane removed.
The first job that is scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for
Assignment Rule.
Determine what user should be used: this will be the user that has created the job, since this is an Analysis object, so
let’s say they have access to All Persons. Determine what type of data access this person has across OTBI and Fusion.
In this case the Data Access set will have BU A, BU B, Jane and Person Z.
Reconcile this list of Persons with the current list of people in the access list. Determining how to perform the
reconciliation is dependent on the type of destination that is used:
Review the user that should be used in Reconciliation. The user that should be used is the individual that is in the Run
As field, who is John Doe. We will then use John Doe’s Choose Learner Access Data: Person Details Resource data
privilege to determine what data to reconcile. John Doe in Fusion has data access to BU A, BU B and BU C, and Jane
Doe. Therefore, the reconciliation process will ignore Person Z, even though this person exists in the
initial data access.
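The walkthrough above can be replayed as plain set operations. This is an added illustration, not Oracle code: the business-unit membership and every name other than Jane Doe, Ron Smith and Person Z are constructed sample data, and the rule that people outside the Run As user's scope are neither added nor removed is an assumption drawn from the Person Z case.

```python
# Added illustration (not Oracle code): the walkthrough as set operations.
# Jane Doe, Ron Smith and Person Z come from the text; every other name and
# the business-unit membership below are constructed sample data.
BU = {
    "A": {"Ana", "Ben"},
    "B": {"Ron Smith", "Cho"},
    "C": {"Dev"},
    "D": {"Eve"},
}


def people_in(*units, extra=()):
    """Flatten business units, plus individually named people, into one set."""
    people = set(extra)
    for unit in units:
        people |= BU[unit]
    return people


def target_person_list(destination, otbi_visible, fusion_visible):
    """Most restrictive data set: destination members the Run As user can see
    in both OTBI and Fusion."""
    return destination & otbi_visible & fusion_visible


def reconcile(access_list, person_list, run_as_scope=None):
    """Return (new_access_list, added, removed).

    run_as_scope models the Run As user's Choose Learner Access Data: Person
    Details Resource. Assumption: people outside that scope are skipped, so
    they are neither added nor removed.
    """
    if run_as_scope is None:
        run_as_scope = access_list | person_list
    added = (person_list - access_list) & run_as_scope
    removed = (access_list - person_list) & run_as_scope
    return (access_list | added) - removed, added, removed


def walkthrough():
    """Replay the three stages and return what each one changed."""
    # Stage 1: John Doe creates the group with himself as Run As user.
    destination = people_in("A", "B", "C", "D")  # administrator's analysis object
    john_otbi = people_in("A", "B")
    john_fusion = people_in("A", "B", "C")
    target = target_person_list(destination, john_otbi, john_fusion)
    access, added_1, _ = reconcile(set(), target)

    # Stage 2: John adds an analysis object holding Jane Doe; Ron Smith has left.
    destination = (destination | {"Jane Doe"}) - {"Ron Smith"}
    john_otbi |= {"Jane Doe"}
    john_fusion |= {"Jane Doe"}
    target = target_person_list(destination, john_otbi, john_fusion)
    access, added_2, removed_2 = reconcile(access, target)

    # Stage 3: the scheduled job, run by a user who sees everyone, also finds
    # Person Z. Reconciliation still applies John's Fusion scope.
    evaluated = target | {"Person Z"}
    access, added_3, _ = reconcile(access, evaluated, john_fusion)

    return {
        "stage1_added": added_1,
        "stage2_added": added_2,
        "stage2_removed": removed_2,
        "stage3_added": added_3,
        "final_access_list": access,
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {sorted(value)}")
```

The practical check for an administrator is the stage 3 result: a person the scheduled job finds but the Run As user cannot see never reaches the access list, so a Run As user with narrow data security silently narrows who gets access.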
Local Access Groups
Local Access Group rules are defined system-wide, per learning item, and per access group to provide you with the
ability to configure access as granularly as needed.
• Click Setup.
o Activate approved learner requests: when selected, the system will automatically activate the
assignment after approval is obtained. When not selected, the assignment will remain in request
approved status and require manual activation by an administrator.
• Check box – Allow even if required prerequisites are not achieved. When selected, this option allows
learners to register or request the learning item, and their assignment will end up in a pending prerequisite
status.
• Number of days to expire assignments in pending prerequisite status – enabled when the above option is
selected and defines the number of days learners have to achieve the prerequisites before their
assignment is cancelled by the system.
• Created by manager – defines if the manager’s assignment to his people must obtain approval or not.
o Active: No approvals needed, and the manager’s assignment is activated automatically
o Requested: Approval will be triggered when the manager requests learning for his team. Same
two options as for learner request mode above
o Request Approved: No approval is triggered, but the assignment is created in a request approved
status requiring an administrator to manually activate it
▪ Only the additional Show learning request form option is available in this configuration
• For courses in a specialization: Option only available in setup and defines the default assignment mode
(active or requested) for courses in a specialization. This setup value is picked up by specializations by
default and can be changed per specialization
o Active: For courses accessed from specializations, force learners to active mode regardless of the
configuration on the course itself
o Requested: For courses accessed from specializations, force learners to request mode regardless of
the configuration on the course itself
o Inherit from Course: For courses accessed from specializations, respect the assignment mode
defined on the course
o Inherit from Specialization: For courses accessed from specializations, force learners to active or
request mode per the specialization configuration, regardless of the course configuration
A voluntary or required learning assignment on the item always provides full access to it and bypasses the access
rules that are defined. Additionally, when creating an offering, its default access rules are obtained from its parent
course, not the system level rules.
Set the Learning Item Default Access Group
Learning item default access rules apply to all learners accessing a learning item prior to having an assignment on it.
These defaults are configurable from either the course, specialization or offering detail pages on the Learners tab, or
on the Access or Access Group sub tab via the Manage Default Access button. You can alter the access settings for
an individual learning item, and these settings apply to all learners who do not have an assignment on the item.
Named access groups are accessible from the Access Groups sub-tab and represent a logical grouping of people with
a specific set of rules. You can select people in a variety of ways, similar to learning initiatives. The group or set of
people defined in an access group are evaluated on a continuous basis for changes. This is why named access groups
are used to capture those group definition changes, apply rules to new people, and remove rules for people no longer
in that definition. Ad hoc access groups are created from the access tab. While a logical group of people can be
defined when creating an ad hoc access group, once created, they can only be managed individually. Furthermore, ad
hoc access groups only evaluate the learner selection at creation time and not continuously afterwards; therefore,
group criteria changes are not applied.
The Access tab is also where the admin can find the expanded list of the named access groups and represents the full
set of people with access defined via named or ad hoc access groups.
For example, let’s say there’s a sales group as priority 1 and a US employees’ group as priority 2. A person in both
groups will have the rules of the sales group applied, as that is the first priority, whereas a person only in the US
employees’ group would get the rules of that group applied. Rule evaluation priority also extends to ad hoc groups
that have the lowest of the priorities and apply only if the person is not included in any named access group.
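The evaluation order described in this section (an assignment bypasses the rules, then named groups by priority, then ad hoc access, then the learning item default) can be written as a small resolver for auditing who ends up with which view mode. This is an added sketch, not Oracle's implementation: the class names, the function name and the sample people are hypothetical, and "Full access" is only a label for the assignment bypass.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NamedAccessGroup:
    name: str
    priority: int        # 1 is the highest priority
    view_mode: str       # "Detail", "Summary" or "No Access"
    members: frozenset


@dataclass
class LearningItem:
    default_view_mode: str
    named_groups: list = field(default_factory=list)
    ad_hoc: dict = field(default_factory=dict)   # person -> view mode
    assigned: set = field(default_factory=set)   # voluntary or required assignment


def effective_access(item, person):
    """Return (view_mode, source) for one person on one learning item."""
    # An assignment always provides full access and bypasses the access rules.
    if person in item.assigned:
        return "Full access", "assignment"
    # Named groups are checked in priority order; the first match wins.
    for group in sorted(item.named_groups, key=lambda g: g.priority):
        if person in group.members:
            return group.view_mode, f"named group: {group.name}"
    # Ad hoc access has the lowest priority and applies only when no named
    # group contains the person.
    if person in item.ad_hoc:
        return item.ad_hoc[person], "ad hoc access"
    # Everyone else gets the learning item default.
    return item.default_view_mode, "learning item default"


def sample_item():
    """Constructed sample: the sales / US employees case from the text."""
    return LearningItem(
        default_view_mode="No Access",
        named_groups=[
            NamedAccessGroup("US employees", 2, "Summary", frozenset({"pat", "uma"})),
            NamedAccessGroup("Sales", 1, "Detail", frozenset({"pat", "sam"})),
        ],
        ad_hoc={"uma": "Detail", "ravi": "Detail"},
        assigned={"lee"},
    )


if __name__ == "__main__":
    item = sample_item()
    for person in ("pat", "uma", "ravi", "zoe", "lee"):
        print(person, effective_access(item, person))
```

Two cases are worth checking in a real configuration: a person with broader ad hoc access who is also in a named group gets the named group's rule, and a person with an assignment is not constrained by any group at all.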
The key value proposition points for the global access group feature are:
• Streamline the creation of access control in Oracle Learning. You no longer need to create the same
access group with the same destination across multiple learning items. This will be very efficient for
administrators because they can create one global access group, and then associate it to multiple
learning items.
• Reduce data growth in certain tables within Oracle Learning.
• Increase performance for features that utilize access control by minimizing the number of records that
must be evaluated for access.
• Increase performance in the jobs that reconcile access in Oracle Learning. Currently, jobs are scheduled
to be run on a schedule to determine if there are new people that need to be added to access or removed
from access. If there is one global access group vs. multiple local access groups per learning item, there
are fewer records to review during the reconciliation process.
• Improve the usability of the Follow feature so it is clear how to associate access on an object based on a
parent object’s access.
You can use the search capability at the top of the page to find existing global access groups. You can use the
common search capabilities by clicking Advanced for more search fields. You can also add more columns to the
Search Results table by clicking View.
Manage Global Access Groups
In the Search Results section, you can edit a global access group by clicking Edit, or by clicking the global access
group to open view mode. When you remove a global access group, you are prompted to confirm the action, and you
are also notified if there are learning items that the global access group is associated with.
You can toggle to view the access information, which will display the access list (all of the people associated to the
global access group). You can use the common search capabilities by clicking Advanced for more search fields. You
can also add more columns to the Search Results table by clicking View.
Image 17. View Global Access Groups#2
If you edit viewers for learners, organization chart groups, select learning assignments, worker criteria, and learning
assignment criteria, the changes will occur synchronously. All learning items associated with the global access group
are updated. The Generate a List of People from Analysis Report job is called to process this change.
If you edit viewers on an analysis, the changes occur asynchronously after the scheduled job Evaluate Person IDs for
Assignment Rule runs. All learning items associated with the global access group are updated. When you change an
asynchronous item, a message displays to alert you that the changes are processed.
If you edit any basic information or the access details of the access group, the changes will occur synchronously.
Create Global Access Groups
To create a new global access group:
• On the Catalog Resources page, click the Global Access Groups tab.
• Enter the details for the access group. The fields are the same as those used with the local access groups
feature. (The difference between the global access group and the local access group creation process is
that global access groups do not maintain pricing data, and it does not support using a learning item as a
destination.)
• The table below shows an example of the difference in data volume when global access is used vs local
access only. In the example, the Learning Cloud had over 2900 local access groups defined for each
learning item, and many of the destinations were repetitive across these access groups. The
administrators created learning items using a default access of “no access” and then created an analysis
object for 40,000 employees. They then created an access group on every learning item with this
40,000-person analysis object to grant them access. This caused the data in the system to explode due
to all the records being created in the system.
Groups / Access Records Creation / Reconciliation Impact
Global Access Group – 54 (53 Partner Groups and 1 Employee Group)
Local Access Groups – 100 million rows (75K Partners and 50K Employees)
Local Access Groups – Reconciliation has to process 100 million rows
Recommended Steps to Transition from Local Access Groups to Global Access Groups
• Create a global access group that has the same destination of the local access you are replacing.
• Associate the global access group to the learning items that have the local access group you are
replacing.
• Ensure that the global access group is at a higher priority than the local access group.
• Use the Access tab to validate that the expansion has occurred, and that the global access records are
now present.
• Validate that access works with a set of users.
• Remove the local access group from learning item.
• Run the Expand and Reconcile Job.
• Validate that access works with a set of users with the new global access group and the local access group
removed.
• Manage Global Access Groups - Allows administrators to create and edit global access groups.
These are the recommended steps to enable Global Access Groups in the system with these aggregate privileges:
• Add the View Global Access Group abstract role to the Administrators data role.
• Add Manage Global Access Group abstract role to the Administrators data role.
• Go to Workforce Structures and update the description for the Administrator Data role to ensure that it
reinitializes successfully once it has been saved.
• Log out as the User, and log back in as the Administrator, and validate that the Administrator can View and
Manage the global access group.
• Reconcile Dynamic Assignments – This job reconciles initiatives, community assignments, and other
dynamic assignments.
Course
There are additional settings for access control of a course when it is a part of a specialization backing its activity or
when it is added to the catalog of any community. The course can use its own access settings or follow the access
details defined for the specialization and community. These settings can be seen on the Default Access pop-up
accessed from Course -> Learners->Access/Access Groups->Manage Default Access under the Self-Service View
Mode Override.
Image 19. Course Default Access
These two settings are available on a course and can be selected under the Self-Service View Mode Override.
- When a Course Is Accessed from the Learning Community, Let the Learning Community Control Access and
Visibility
For example, create a course with default access set to No Access and the Learning Community Access and Visibility
is selected. In this case, learners will not be able to search and browse the course from the learning catalog. However,
for an open community, the course will be visible to all learners. For a closed and secret community, the course will be
visible for its members. Learners will also be able to browse and search for the course within the community catalog.
- When a Course Is Accessed from Specialization, Let Specialization Control Access and Visibility
In this case the course will follow the rules assigned to the specialization if the course is an activity within the
specialization.
For example, create a course with the default access set to No Access, and Let Specialization Control Access and
Visibility is selected. The specialization has default access as Detail View. In such a case, learners can search the
specialization and complete the course backing the specialization activity. The course will not be searchable directly in
the catalog, however.
Specialization
Similarly, a specialization can be configured such that its access mode can be overridden by the community access
settings when the specialization is part of this community catalog. This setting is available on the Default Access pop-
up accessed from Specialization -> Learners->Access/Access Groups->Manage Default Access under the Self-Service
View Mode Override.
- When a Specialization Is Accessed from a Learning Community, Let the Learning Community Control
Access and Visibility
The specialization will be available for browse and search within the community catalog.
The self-service view of the learning item page is affected by the View Mode defined for the learning item. The View
Mode can have three different values.
- Details View – shows detailed information about the learning item including DFFs, Prerequisites, Learning
Outcomes, Price etc.
- Summary View – shows limited restricted information about the learning item.
- No Access – cannot be searched or browsed from self-service.
The self-service View Mode affects the information that is visible to the learner of a learning item when accessed from
self-service.
The View Mode becomes irrelevant when the learner has an Active assignment of the learning item, in which case
the learner will always see Details View.
Self-Service View Mode
In the self-service UI, the specific attributes are indicated for Details View and Summary View for Course, Offering and
Specialization.
COURSE ATTRIBUTES | SUMMARY VIEW | DETAILS VIEW
Title | ✓ | ✓
Syllabus | - | ✓
Short Description | ✓ | ✓
Cover Art/Branding | ✓ | ✓
Expected Effort | - | ✓
DFF | - | ✓
Prerequisites | - | ✓
Learning Outcomes | - | ✓
Offering List | - | ✓
Learning Outcomes | - | ✓
Price | - | ✓

OFFERING ATTRIBUTES | SUMMARY VIEW | DETAILS VIEW
Title | ✓ | ✓
Description | - | ✓
Instructors | - | ✓
Offering Type | ✓ | ✓
Offering DFF | - | ✓
Offering Dates | - | ✓
Language | ✓ | ✓
Expected Effort | - | ✓
Language | - | ✓
Remaining Seats | - | ✓

SPECIALIZATION ATTRIBUTES | SUMMARY VIEW | DETAILS VIEW
Title | ✓ | ✓
Short Description | ✓ | ✓
Cover Art/Branding | ✓ | ✓
Description | - | ✓
Sections | - | ✓
DFF | - | ✓
Section Activities | - | ✓
Details View shows all the learning item detail page sections and attributes within.
Summary View shows a message “Content restricted to members.” Learners need to enroll before they can see the
complete details.
Privacy
Open - Learning community appears in search results, and anyone can view the content in this learning community.
Closed - Learning community appears in search results, but only members can view the content in this learning
community.
Secret - Learning community appears in search results only for members of the community.
Image 22. Community Definition
Membership
Once a learner becomes a member of a learning community, the visibility becomes irrelevant, and the access becomes
the same as an open community in self-service.
Membership controls what privilege members have with the community. Membership can be Community Manager,
Member and Required Member.
Community Managers can edit a learning community definition and create assignments. They can also add other
members with any level of community membership.
Required Members have access to the community catalog. Any required assignments get assigned to them
depending on the assignment settings. They can contribute to the community catalog if it is enabled.
Members can access learning from a catalog. They can contribute to the community catalog if it is enabled under
privacy settings.
Image 23. Community Membership
In the case of self-service Video and Tutorial, the visibility is managed using the Privacy attribute, which can be either
open to everyone or restricted via the Secret option to a selected list of people the user can add explicitly. In the
current version it supports adding a single user at a time. In such a case, the learning item is visible in search results
only for the specified list of users, which acts as an access list. Note: Changes to Privacy or Access Lists do not affect
Approvals.
Tutorial Privacy is defined as Open or Secret. In the case of Secret, the author of the tutorial can select individual people
who can view this tutorial. Selecting privacy is required and this value defaults to Open.
Image 24. Access List
Privacy for a self-service learning community can be Open, Closed and Secret.
• Open: appears in search results and anyone can view the content in this community.
• Closed: appears in search results but only members can view the content in this learning community.
• Secret: appears in search results only for the members of the community.
The creator of a Learning community has Community Manager access by default. A Learning Community Manager
can optionally be added as a member. Learning Community Managers can define user access at the individual user
level or at the group access level. The member list shows the complete list of members currently in the community,
either added directly, or as a result of group access definition. Note: Self-service learning communities do not have
required members, unlike the admin community.
Image 25. Community Privacy
Follow Feature
The “Follow” feature has been removed from Learning Cloud because of this enhancement. In previous versions,
when you created a child learning item (such as an offering for a course), you were prompted to indicate whether you
wanted to have the learning item to “follow” the access control set on the parent item. This prompt is now gone.
Instead, you can use a Global Access Group for both the course and the offering.
However, you may not want an offering to follow the same access as the course. Maybe an offering on a course is
only offered to C level employees and the other offerings are available to everyone. In this case, the course would
have an access group that allows everyone and when the offering is created, they would create an access group for
only the C level employees.
In Oracle Learning, this is generally used to restrict access to items from the Learning Specialist user interface
(Catalog, Catalog Resources, and assignments).
In general, data security policies articulate the security requirement of "Who can do what with which set of data." A
data security policy identifies the entitlement (the actions that can be made on logical business objects), the roles that
can perform those actions, and the conditions that define the access. Conditions are readable WHERE clauses. The
WHERE clause is defined in the data as an instance set, and this is then referenced on a grant that also records the
table name and required entitlement. In the below setup example, let’s look at an Admin and a Learner and how we
would set up a custom condition for a group of Administrators and a group of Learners. Create a group of
administrators that is only able to see learning Items that have been created by someone within their hierarchy, and
learners that can only see learning items that have a certain language code.
• Use an Oracle Learning Database Resource that currently exists in the Learning Cloud. You can use “WLF” as
a prefix in your search. In the illustration below, you can see the object names that are supported, and the
descriptions of each object. For the examples that we are going to configure, we are going to look at isolating
Learning Items so we would use the “WLF_LEARNING_ITEMS_F” object.
Create database conditions. The condition defines the WHERE clause (what data can this action be done
against). Conditions can be created by a filter or a SQL predicate. In our example, we are going to create a
condition with an SQL predicate for the Administrator to analyze the Administrator’s hierarchy, and a
condition with a simple filter for learners.
Administrator: Create a Custom SQL predicate to indicate only learning items in their hierarchy can
be displayed
EXISTS (
  (SELECT 1
     FROM PER_ALL_ASSIGNMENTS_M A, PER_PERSONS P
    WHERE P.PERSON_ID = A.PERSON_ID(+)
      AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE(+) AND A.EFFECTIVE_END_DATE(+)
      AND A.EFFECTIVE_LATEST_CHANGE(+) = 'Y'
      AND A.ASSIGNMENT_TYPE IN ('E','C','N','P')
      AND P.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
      AND (
            P.PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
            OR (
                 (A.ASSIGNMENT_ID IS NULL)
                 OR (A.ASSIGNMENT_ID IS NOT NULL
                     AND EXISTS (SELECT 1
                                   FROM PER_MANAGER_HRCHY_DN MH
                                  WHERE MH.PERSON_ID = A.PERSON_ID
                                    AND TRUNC(SYSDATE) BETWEEN MH.EFFECTIVE_START_DATE AND MH.EFFECTIVE_END_DATE
                                    AND MH.MANAGER_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
                                    AND MH.MANAGER_TYPE = 'LINE_MANAGER'))
               )
          )
  )
  UNION ALL
  SELECT 1
    FROM PER_SHARE_INFORMATION SI
   WHERE SI.GRANTEE_PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
     AND SI.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
)
Learner: Create a filter to indicate only learning items where the language code is equal to English (en-us).
Actions: Actions do not need to be defined. They are seeded.
Associate the created data security policy to the appropriate data roles.
Administrator: Associate the newly created administrator condition to the Data role that has been created by the
administrator. In the example below, we are going to put the custom condition on the Manage Catalog Learning
Offerings Privilege by editing the data security policy associated to the data role. The custom data security policy
condition selected will only allow administrators to manage offering learning items that have been created by
individuals in their hierarchy.
Image 32. Edit Data Security Policy
Learner: Associate the newly created Learner condition to the Data role that has been created by the
Administrator. In the below example we are going to put the custom condition on the View Catalog Learning
Items in Self Service Privilege by editing the data security policy. The custom data security policy condition
selected will only allow Learners to view learning items that have a language code equal to English (en-us).
Modify the condition on the View Catalog Learning Items in Self Service Privilege
User B is part of a different business unit but has an AOR that also allows visibility on Business Unit 1.
User B will see and act upon learning items created by User A.
For this, you need to add a general data policy at the role level (in this case it is preferable to have created a new role
based on the existing seeded roles).
In the various parts, either select an existing security profile of your choice, or create new ones.
If you select a restriction by AOR, you are asked to define that AOR. The illustration below shows the Responsibility
Type as Learning representative, and the Scope of Responsibility as Business Unit.
Verify changes.
Return to the security console. View the role to see that in the Data Policies applied, it has now been filled up with
different data policies on different privileges.
Image 39. Edit Role
The illustration below shows that each privilege under that role now is subject to an SQL-based filter condition that
applies each time a learning specialist tries to search for a specific item in Learning Cloud. This is the case when data
security is applied to a specific role from Setup and Maintenance, so it facilitates the SQL condition.
You can customize this per privilege, and on each you can apply a different security policy if available. This means
each privilege identified in a role can hold its own predefined condition. (For example, Course view and creation could
be Global, but Offering View and Creation could be AOR-based).
If you want more details on how that policy works, you can go directly in the Administration panel of the security
console and click Manage Database Resources.
Image 41. Manage Database Resources
Search for “WLF” in the Object Name filter, and select WLF_LEARNING_ITEMS_F.
Click Edit.
Image 43. Edit Data Security: Condition
When you click Edit, you can see the SQL predicate that was generated by the system upon the policy creation. Keep
in mind that the more complex the query becomes, the greater its impact on UI search performance and OTBI
reports.
Make sure the user has the right AOR and AOR criteria set up (here, by business unit).
Once it has successfully run, use the user to whom you added that custom role. In the offering search, notice that you
cannot find any other offering existing in the catalog:
However, users can create their own courses, and they will see all courses created by users who are part of the
business unit covered by the same AOR.
When creating assignments for a course, users can only target people from their AOR. In the following illustration, it is
based on business unit.
Advanced Method: Restricting Access Using Constant Flex Field
This example shows how to segregate catalog access on the learning specialist user interface, based on the constant
value of a flex field at learning item level. This constant data can be replaced by a list of values if required.
It works better when segregating the catalog by learning item criteria (like a catalog category) rather than by criteria
related to the current page user.
SQL Predicate Example:
FROM WLF_LI_COURSES_F c
Next, perform the same changes as the ones described in the above chapter to apply this condition to the role. This
newly created condition can be applied as an exception to the following privileges depending on the desired effect.
• Manage Catalog Learning Specializations
Make sure to run the Retrieve Latest LDAP Changes scheduled process.
Advanced Method: Restrict the list of offerings visible to the user by offering type
The following SQL predicate example should be used, when there is a need to restrict the list of offerings visible to the
user by offering type, so that the person only sees, for example, ILT offerings, or self-paced offerings.
Step 1: Create a custom SQL condition that will limit the result set to only self-paced offerings.
EXISTS (
SELECT 1
wlf_li_classes_f c
UNION
SELECT 1
) )
Step 2: Edit the data role granted to the administrator and set the data policy condition for “View Catalog Learning
Items by Administrator” to the above condition.
EXISTS
SELECT 1
WLF_ACCESS_PERMISSIONS_F prms,
WLF_ASSIGNMENT_RECORDS_F recs
AND recs.LEARNER_ID = HRC_SESSION_UTIL.GET_USER_PERSONID
UNION
SELECT 1
wlf_li_classes_f c,
wlf_instructor_resources r
UNION
SELECT 1
);
Then perform the same changes as the ones described in the above chapter to apply this condition to the role. This
newly created condition can be applied as an exception to the following privileges depending on the desired effect.
Make sure to run the Retrieve Latest LDAP Changes scheduled process.
Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value.
This method is intended for more extreme scenarios where security by AOR or by learning item flex field alone
is neither strong nor flexible enough. The use case covered here will work as follows:
When an administrator searches for a learning item, the system will filter out the learning item result entries which do
NOT contain a specific value in a flex field.
This flex field value needs to be the same as the value of another flex field from the current user person profile value.
A similar method could be used on the Learner’s role.
User D creates a learning item and adds ABCD in the flex field of the learning item.
User A will be able to find the learning item because both his profile flex field and the learning item flex field
values are matching.
User B will not be able to find the learning item (unless the flex field value of this course changes to EFGH or his
own profile flex field changes to ABCD).
The SQL predicate demonstrated here needs to be implemented just like in the above example, by creating a custom
condition that will later on be applied to a specific privilege of a specific role:
EXISTS
SELECT 1
FROM FUSION.WLF_LEARNING_ITEMS_F T
AND T.LEARNING_ITEM_ID =
QRSLT.LEARNING_ITEM_ID
UNION
Note: The flex fields referenced here are placeholders, and the flex field column name might vary from one instance to
another.
Make sure to run the Retrieve Latest LDAP Changes scheduled process.
Understanding Access Control Enforcement Across All Access Types
A learning item can have a combination of access control types applied to it when a learner is attempting to access
the learning item. The following access control types can influence the access behavior:
Data security
Access records
Assignments
2. Assignment Records - Assignments trump access records. If a learner has access to an item via data security,
and they have a required or voluntary assignment, then the access record control type does not need to be
evaluated.
a. Required or Voluntary Assignment – If a learner has a required or voluntary assignment then they
can access the learning item even though they are not granted access via an access record.
Access Records: If learners don’t have access to the learning item because the learning item is set to no access by
default and they do not have a corresponding learning access record, then they will not have access.
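The enforcement order above, combined with the View Mode rule for active assignments and the community privacy and override rules described earlier, can be modeled as follows. This is an added example, not Oracle code: every class and function name is hypothetical, the learner data security condition is modeled as the language code check used in this brief, and evaluating data security before the other two control types (on both the catalog and community paths) is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class ViewMode(Enum):
    NO_ACCESS = "No Access"
    SUMMARY = "Summary View"
    DETAILS = "Details View"


class Privacy(Enum):
    OPEN = "Open"
    CLOSED = "Closed"
    SECRET = "Secret"


@dataclass
class Community:
    privacy: Privacy
    members: set = field(default_factory=set)

    def appears_in_search(self, learner):
        # Secret communities show up in search results only for members.
        return self.privacy is not Privacy.SECRET or learner in self.members

    def content_visible(self, learner):
        # Open: anyone. Closed and Secret: members only. Membership makes
        # access the same as for an open community.
        return self.privacy is Privacy.OPEN or learner in self.members


@dataclass
class Course:
    language: str
    default_access: ViewMode
    community_controls_access: bool = False               # Self-Service View Mode Override
    access_records: dict = field(default_factory=dict)    # learner -> ViewMode
    active_assignments: set = field(default_factory=set)  # required or voluntary


def english_only(learner, course):
    """Model of the learner condition in this brief: language code equal to en-us."""
    return course.language == "en-us"


def catalog_view_mode(learner, course, data_security=english_only):
    """View mode when the course is reached from the learning catalog."""
    # Assumed ordering: a failed data security condition hides the item
    # regardless of the other two control types.
    if not data_security(learner, course):
        return ViewMode.NO_ACCESS
    # Assignments trump access records, and an active assignment always
    # yields Details View.
    if learner in course.active_assignments:
        return ViewMode.DETAILS
    # Otherwise the learner's access record decides, falling back to the
    # item's default access.
    return course.access_records.get(learner, course.default_access)


def visible_in_community(learner, course, community, data_security=english_only):
    """Whether the course is visible when reached from a community catalog."""
    if not data_security(learner, course):
        return False
    if learner in course.active_assignments:
        return True
    if course.community_controls_access:
        # The community's privacy and membership control visibility.
        return community.content_visible(learner)
    # Without the override the course uses its own access settings.
    return catalog_view_mode(learner, course, data_security) is not ViewMode.NO_ACCESS
```

Running the two functions for the same learner shows why a course set to No Access with the community override selected stays hidden in the learning catalog yet is visible from an open community.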