
Security Overview

Release 11

Securing Oracle ERP Cloud


An Overview
Agenda
• Introduction

• Planning your Security Implementation

• Implementing Security for Oracle ERP Cloud

• Customizing Security

• Managing Security

• Auditing Security
Introduction
Understanding the basic concepts of Oracle ERP Cloud security
Introduction
• Oracle ERP Cloud’s security methodology can be summarized with the
simple statement:

“WHO can do WHAT on WHICH set of data”

Who = User
What = Individual Actions a User can perform
Which = Which set of data, i.e., business units and ledgers to name a few
Understanding Roles
• Oracle ERP Cloud uses role-based access control (RBAC). Access to functions and
data is defined via roles, not directly against users.
• Oracle ERP Cloud uses 3 types of roles:
– Job Roles
• Represent jobs that users perform in an organization, e.g. General Accountant, Accounts Payable Manager
• Can be assigned to users
– Abstract Roles
• Represent people in the organization independent of the jobs they perform, e.g. Employee, Line Manager
• Can be assigned to users
– Duty Roles
• Logical collection of privileges that grant access to tasks that someone performs as part of a job
• Not assignable to users directly
Understanding Role Inheritance
• Almost every role is a hierarchy or
collection of other roles
– Job and abstract roles inherit duty roles
– Duty roles can inherit other duty roles
• Job, abstract and duty roles can also
be assigned privileges and aggregate
privileges directly.
• When you assign job and abstract
roles to users, they inherit all of the
data and function security associated
with those roles
Understanding Function & Data Security Policies
• Function Security Policies are defined via function security privileges
• Each function security privilege secures the code resources that make up
the relevant pages, page components (like tabs and buttons) and scheduled
jobs
• Data Security Policy defines access by a role, to a business object, with a
condition and for an action (data security privilege)
• Aggregate Privilege combines function security privileges with related data
security policies
Understanding External vs. Application Roles
• External Roles are roles that are assigned to users
• Application Roles are roles that can be assigned authorization policies,
such as function security policies and data security policies
• As job roles and abstract roles are assignable to users, they are defined as
external roles
• Duty roles are defined as application roles
• As job roles and abstract roles can also be assigned authorization policies,
they are also created as application roles
Summary
The statement

“WHO can do WHAT on WHICH set of data”

is implemented by assigning users (WHO) to function security policies
(WHAT) and data security policies (WHICH set of data) via roles
Planning
Planning your Oracle ERP Cloud security implementation
Predefined Security Reference Implementation
• Oracle ERP Cloud comes with a predefined security reference
implementation, consisting of:
– Predefined Job Roles
– Predefined Duty Roles
• Content of each predefined job role and duty role is documented in the
Security Reference Manuals
– You can access the security reference manual on cloud.oracle.com. Select Resources -
Documentation – Applications
Matching Predefined Roles to Your Needs
• Analyze the access requirements specific to your organization,
understanding who needs access to what
• Compare the requirements with the predefined roles in the security
reference implementation, and decide which predefined roles meet your
requirements and can be used as-shipped, and which will require
customizations to meet your requirements
• Certain product areas, such as Accounts Payable and General Ledger,
include multiple roles in the reference implementation. To compare
accesses granted to each role, you can use the Compare Role feature in the
Security Console
Customizing Roles
• If jobs exist in your enterprise that aren't represented in the security
reference implementation, then you can create custom job roles. You can
then add duty roles and privileges to custom job roles, as appropriate.
• If the privileges for a predefined job role don't match the corresponding job
in your enterprise, then you create a custom version of the role. If you copy
the predefined role, then you can edit the copy to add or remove duty
roles, function security privileges, and data security policies, as
appropriate.
Customizing Security – Best Practices
We recommend the following when you wish to make security customizations:
• You must not customize predefined roles. You can identify these predefined roles by the
ORA_ prefix in the Role Code field. During each upgrade, predefined roles are updated
to the specifications for that release, so any customizations would be overwritten.
• Instead, always make a copy of the predefined role. Then, edit the copy and save it as a
custom role.
• Making your changes in a copy of a predefined role means that you can always compare
to and roll back to the delivered role.
• After a maintenance update or upgrade, you can compare your customized copy to the
updated predefined source role. You can see the updates to the predefined role and
decide whether to incorporate them into your custom role.
Implementing
Implementing security for Oracle ERP Cloud
Implementing Security
• Creating Users
• Assigning Roles to Users
• Assigning Data Scopes to Users
• Creating Custom Roles
Creating Users
• Use the Create User task to create users if Human Capital Management
(HCM) is not being implemented. The Create User task creates a minimal
person record and a user account
• If HCM is being implemented, use the Hire an Employee task to create
users instead. The Hire an Employee task creates the full person record needed
by HCM as well as the user account
• Use the Create Implementation Users task to create implementation users.
Implementation users are user accounts without an associated person
record.
Create User Task
• Access the Manage Users page from the
Setup and Maintenance work area or
Navigator > My Team > Manage Users
• Under Personal Details, enter the user’s
name, primary work email address, and
hire date. For non-workers, enter the user
start date instead. This date is not
updateable
• Under User Details, enter the desired user
name. If you leave this blank, a user name
will be generated using the enterprise’s
default format.
• You can choose to send the user name and
password to the user’s email address.
• Under Employment Information, choose a
person type, then select the Legal Employer
and Business Unit.
Create Implementation Users Task
• Use the Create
Implementation Users task
to create implementation
users. This task accesses
Oracle Identity Manager
(OIM)
• Select Create User.
• Under Basic User
Information and Account
Settings, fill in the necessary
information.
• Click Save.
Using Oracle Identity Manager
• Oracle Identity Manager
access is granted to the
predefined IT Security
Manager role
• Make sure you are using
Administration Mode in OIM.
• The title will display whether
you are in Administration
mode or Self Service mode.
• To switch from Self-Service
Mode to Administration Mode,
click on the button in the
upper right hand corner.
Importing Users
• You can import workers using a spreadsheet from legacy applications to
Oracle ERP Cloud using the Import Worker Users task
• The task is accessible from the Setup and Maintenance work area
• The import process handles both user account creation and auto
provisioning of roles
Provisioning Roles to Users
• Roles can be provisioned (assigned) to users
– Manually
– Automatically
• You can manually provision roles to users using Oracle Identity Manager
(OIM)
• To automatically provision a role to users, you define a relationship, called a
role mapping, between the role and some conditions
• Roles are automatically provisioned when one of the user's assignments
matches all role-mapping conditions.
Manually Provision Roles to Users
• Use the Oracle Identity Manager (OIM) to quickly assign roles to users
• Use Create Implementation Users or Manage Job Roles tasks from the
Setup and Maintenance work area to access OIM. Make sure you switch to
Administration mode to assign roles to users. By default, Oracle Identity
Manager will be opened in Self-Service mode
Manually Provision Roles to Users
• In the Search Box, select
Users, and then search for
the desired user.
• Once you’ve found the
desired user, open the user,
go to the Roles tab, and see
the roles currently assigned
to the user.
• Click the “Assign” button to
assign new roles to the user.
Manually Provision Roles to Users
• To assign the same role to
multiple users, you can
instead search for the role, go
to the Members tab, and
click the “Assign” button to
assign multiple users to the
same role.
Creating and Managing Role Mapping
• If you wish to enable automatic provision of roles, you need to create role
mapping rules.
• Use the Manage Role Provisioning Rules task to create and manage role
mapping rules
– If HCM is implemented, use the Manage HCM Role Provisioning Rules task instead
• Each role mapping rule is based on a set of attributes that can be matched
to a user’s assignment, such as Department, Job, Location
• One or more roles are then attached to the rule, each with options
indicating whether the role is requestable, self-requestable, or auto-
provisioned when the conditions in the rule are matched.
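The matching rule described above, as an added example that is not Oracle's code or API: a small Python model in which a mapping fires only when a single assignment satisfies every condition of the rule. The mapping names, attribute values and the `RoleMapping` / `AssociatedRole` classes are constructed for illustration; treating a mapping with no conditions as matching every assignment is this model's reading of the rule, not documented product behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssociatedRole:
    """A role attached to a mapping, with its provisioning options."""
    role: str
    requestable: bool = False
    self_requestable: bool = False
    autoprovision: bool = False


@dataclass
class RoleMapping:
    name: str
    conditions: dict   # assignment attribute -> required value; {} means no conditions
    roles: list        # list of AssociatedRole


def matches(mapping, assignment):
    """True when this one assignment satisfies every condition of the mapping."""
    return all(assignment.get(attr) == value
               for attr, value in mapping.conditions.items())


def evaluate(mappings, assignments):
    """Roles a user ends up with or may request, grouped by provisioning option.

    A mapping applies when at least one assignment matches all of its
    conditions. Conditions are never combined across different assignments.
    """
    result = {"autoprovision": set(), "requestable": set(), "self_requestable": set()}
    for mapping in mappings:
        if not any(matches(mapping, a) for a in assignments):
            continue
        for r in mapping.roles:
            for option in result:
                if getattr(r, option):
                    result[option].add(r.role)
    return result


def unconditional_autoprovision(mappings):
    """Review aid: mappings without conditions that auto-provision a role.

    In this model they apply to every user who has any assignment at all.
    """
    return [m.name for m in mappings
            if not m.conditions and any(r.autoprovision for r in m.roles)]


# Constructed sample data (role names appear in the slides, the rest is invented).
MAPPINGS = [
    RoleMapping("AP Managers",
                {"Department": "Finance", "Job": "Accounts Payable Manager"},
                [AssociatedRole("Accounts Payable Manager", autoprovision=True)]),
    RoleMapping("Chicago AP",
                {"Job": "Accounts Payable Manager", "Location": "Chicago"},
                [AssociatedRole("Accounts Payable Supervisor", autoprovision=True)]),
    RoleMapping("Finance Requestable",
                {"Department": "Finance"},
                [AssociatedRole("Financial Analyst", requestable=True)]),
    RoleMapping("All Workers", {},
                [AssociatedRole("Employee", autoprovision=True)]),
]

# One user with two assignments. "Chicago AP" must not fire: the job condition is
# met by the second assignment and the location condition only by the first.
ASSIGNMENTS = [
    {"Department": "Finance", "Job": "General Accountant", "Location": "Chicago"},
    {"Department": "Finance", "Job": "Accounts Payable Manager", "Location": "Austin"},
]

if __name__ == "__main__":
    print(evaluate(MAPPINGS, ASSIGNMENTS))
    print("Review:", unconditional_autoprovision(MAPPINGS))
```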
Manage Role Mappings
• To manage role provisioning
rules, query tasks Manage Role
Provisioning Rules or Manage
HCM Role Provisioning Rules
from the Setup and
Maintenance work area
• You can either search for
existing role mappings, or create
a new one
• To create role mappings, go
directly to the Search Results
section of the page, click Create
Create Role Mappings
• To create a role mapping, enter
a unique Mapping Name, then
enter the condition values as
needed
• All conditions are optional
• In the Associated Roles section,
click Add Row. In the Role Name
field, search for and select the
role that you're provisioning,
then select one or more of the
role-provisioning options
• Add more rows as appropriate.
When finished, click Save and
Close
Edit Role Mapping
• If you want to edit an existing
role mapping, enter the search
criteria to find the rule, then
click on the mapping name to
open the Edit Role Mapping
page, shown here
• Here, you can disable the
mapping by setting the effective
end date, modify conditions on
the rule, or add / remove roles
associated to this mapping
Assigning Data Scopes to Users
• Use the Manage Data Access for Users task to assign users to data scopes
• You assign data scopes to users by provisioned role
• You can use the import capability to create a large number of assignments
Create Data Access for Users
• Navigate to the Manage Data
Access for Users task through
Setup and Maintenance. Skip to
the Search Results region and
click the Add button.
• Enter the user you wish to
create data assignments for, the
role which the data assignment
is against, the security context
you want to assign to the
selected user and role, and
finally the data scope, or
security context value
• Use the add / duplicate button
to add more records
Importing Data Access for Users
• In addition to creating
assignments online, you can
also import assignments from a
spreadsheet
• Click the “Authorize Data
Access” button to download a
spreadsheet which you can use
to import the data assignments
• You can prepare the data from
another source, such as your
legacy system, and populate the
spreadsheet
Customizing Security
Customizing Security
• Use the Security Console to customize security
• You can create and edit custom roles, but not
predefined roles
• The Security Console can be accessed via the
Navigator menu, under Tools
• Access to the Security Console is granted through the
predefined IT Security Manager role
Customizing Security – Before You Start
• 2 Profile Options govern the behavior of the Security Console
• Security Console Working App Stripe (ASE_WORKING_APP_STRIPE)
– Controls the App Stripe the user works on
– Set to “fscm” either at site level, or for specific users with Security Console access
• Enable Data Security Policies and User Membership Edits
(ASE_ROLE_MGMR_PREF)
– Preference to enable data security policies and user membership editing in Security
Console
– Set to “Yes” to enable both at site level, or for specific users
Security Console – Getting Started
• Once you open the Security Console, you need to first find your desired
role you wish to view, edit, or copy
• As you type, matches will be
automatically shown
• Once you’ve found the
desired role, click on it to
open it in search results.
Copy Role
• Use Security Console to copy a role. You must first select a role before initiating a copy.
• Copy option is
available from the
Search Results
• It is also available
when you right
click a role in the
Visualizer.
• You have the option
to copy just the top
role, or top role and
inherited roles.
Copy Role – Basic Information
• Under Basic Information, you
can modify the defaulted role
name, and role code. You can
also modify the role description.
• You can set up default names in
the Preferences section of the
Security Console
Copy Role – Function Security Policies
• Under Function Security
Policies, you can review the
function security privileges that
are assigned to the source role,
to be copied to the target role.
• You can also review the code
resources tied to each privilege.
• You can add or remove function
security privileges from the
target role here.
• This option is only available to
application roles
Copy Role – Data Security Policies
• Under Data Security Policies,
you can review the data security
policies that are assigned to the
source role, to be copied to the
target role
• You can edit or remove data
security policies copied from the
source role to the target role, or
create new data security policies
under the target role.
Copy Role – Role Hierarchy
• Under Role Hierarchy, you can
review the role hierarchies of
the source role, to be copied to
the target role.
• You can add or remove inherited
roles from the target role here.
Copy Role – Users
• Under Users, you can assign
users to the target role.
• This option is only available to
external roles, as you can only
assign external roles to users
Copy Role – Summary and Impact
• Under Summary and Impact,
you can review the additions
and deletions you have made to
the artifacts associated with the
target role
• Once you have reviewed the
information, you should click
Submit and Close. Click Cancel
if you wish to cancel the current
copy request.
Compare Roles
• Use Compare Roles to compare
the function and data security
policies granted between 2
roles.
• The Compare Roles feature is
available from the Security
Console. You can launch
“Compare Roles” directly by
clicking on the button, or by
choosing the “Compare Roles”
option in the Search Results
• By selecting “Compare Roles”
after selecting a role, that role
will be prefilled
Compare Roles
• You have the option to view all
comparison results, artifacts
that only exist in either the first
or the second role, or artifacts that
exist in both roles
• You can also choose to view only
comparison results for function
security policies, data security
policies, inherited roles, or
combinations.
Create Custom Role
• Use Security Console to create a custom role
• Click on the Create Role button to initiate the create role process
Create Role
• The Create Role process is
similar to the Copy Role process
• First you enter the basic
information regarding the role.
For Role Source, choose External
Role if you wish to assign this
role to users, or Application Role
if you wish this role to act like a
custom duty role
• Once you enter the basic
information, you can add
functional and data security
policies, and inherited roles, to
create the custom role
Creating Data Security Policies for User Data Assignments
• Data security policies that derive the individual user’s data assignments based on assignment records as
managed via the Manage Data Access for Users UI require specific conditions to be used
• The following 2 slides include the conditions to be used for different data security contexts.
• The new data security policies must be created against the job roles that are assigned to the users, and
cannot be created against duty roles.
Data Security Conditions for Direct Accesses
| Database Resource | Condition |
|---|---|
| Business Unit | Access the business units for which the user is explicitly authorized |
| Cost Organization | Access the cost organization for table CST_COST_ORGS_V for the cost organizations for which they are authorized |
| Data Access Set | Access the general ledger data access set for table GL_ACCESS_SETS for the general ledger data access sets for which they are authorized |
| Fixed Asset Book | Access the fixed asset book for table FA_BOOK_CONTROLS for the asset books for which they are authorized |
| Intercompany Organizations | Access the Intercompany Organization for table FUN_INTERCO_ORGANIZATIONS for the intercompany organizations for which they are authorized |
| Inventory Organization | Access the inventory organization parameter for table INV_ORG_PARAMETERS for the inventory organizations for which they are authorized |
| Ledger | Access the ledger for table GL_LEDGERS for the ledgers for which they are authorized |
| Manufacturing Plant | Access the manufacturing plant for table RCS_MFG_PARAMETERS for the manufacturing plants in which they can operate |
| Project Organization | Project Creator Job Role can create project for the project organizations for which they are authorized as defined in Manage Data Access for Users Page. |
| SetID Set | Access the application reference data sets for which the user is explicitly authorized |
Data Security Conditions for Derived Accesses
| Database Resource | Access Derived From | Condition |
|---|---|---|
| Business Unit | Ledgers | Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units derived from specific ledgers for which they are authorized |
| Business Unit | Intercompany Organizations | Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units associated with the intercompany organizations for which they are authorized |
| Business Unit | Data Access Set | Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units derived from data access sets for which they are authorized |
| Cost Organization | Data Access Set | Access the cost organization for table CST_COST_ORGS_V for the cost organizations associated to the ledgers for which the user is authorized |
| Ledger | Business Unit | Access the ledger for table GL_LEDGERS for the ledgers derived from business units for which they are authorized |
| Project Organization | Business Unit | Project Creator can create project for all Organization in the assigned authorized Business Unit as defined in Manage Data Access for Users Page. |
Managing Security
Managing Users
• Use the Manage Users task to
manage user accounts
• Manage Users task allows you
to:
– Edit user account details
– Add to and remove roles from a
user
– Reset password
• Users can also request new
roles and reset password
themselves by selecting About
Me - My Account from the
home page
Managing Implementation Users
• Use Oracle Identity Manager to
make changes to existing
implementation users
• Make sure you are using the
Administration Mode in Oracle
Identity Manager.
• In the Search Box, select Users,
and then search for the desired
user.
• Once you’ve found the desired
user, open the user to make
changes
Managing Role Assignments for Users
• Use Oracle Identity Manager to
manage a user’s role
assignment
• Open Oracle Identity Manager
in Administration Mode, search
for the user, and open the Roles
tab.
• Roles currently assigned to the
selected user are shown.
• You can assign additional roles
by clicking on the “Assign”
button, or select an assigned
role and click “Revoke” to
revoke this role from the user.
Managing Data Access for Users
• Use the Manage Data Access for
Users task to manage data
scope assignments
• Search assignments for a single
user or a single role
• You can further filter the search
results, or export the results to
Excel
• You can also authorize
additional data accesses
Managing Roles
• Use Security Console to edit a role. You must first select a role.
• Edit Role option is
available from the
Search Results
• It is also available
when you right
click a role in the
Visualizer
• You cannot edit
predefined roles, i.e.
roles that start with
the ORA_ prefix
Edit Role Process
• You go through steps similar to the Copy Role and Create Role process
• You can skip to the sections you wish to edit by clicking on the
corresponding stops in the train
• Once you have completed your changes, go to Summary and Impact
Report, review the changes, then click Save and Close.
Auditing Security
Auditing Security
The following audit reports are available:
• List of users and provisioned roles
• List of users and provisioned function and data accesses
• List of inactive users
User Role Membership Report
• Use this report to show a list of users and roles that are provisioned
• Report can be run for all users, or you can optionally filter the list of users
by name, department, and location.
User and Role Access Audit Report
• Use this report to show users and the provisioned list of roles, privileges, and data
security policies
• Report can be run for one user, all users, one role or all roles.
• One User / All Users
– Separate report outputs will show role hierarchy w/ privileges, tabular listing of privileges,
and list of data security policies provisioned to the user.
– All Users option will result in one set of reports for each user
• One Role / All Roles
– Separate report outputs will show role hierarchy w/ privileges, tabular listing of privileges,
and list of data security policies for given role
– All Roles option will result in one set of reports for each role
Inactive Users Report
• Use this report to identify users who have not signed in for a period of
time that you define.
• You need to run the Import User Login History process as a prerequisite
• As you run the report, you need to provide the inactivity period, in days. The
default is 30.
• You can optionally filter the list of users by name, department, location, and
last activity date.
• The report will show all inactive users that match the criteria, with the
number of days the user has been inactive, the user’s username, given
name, surname, location and department, and the user’s status.
Customizing Security
Use Security Console whenever possible
• Use Security Console to customize security instead of APM or OIM
whenever possible
• Security Console includes features specifically designed for Oracle ERP
Cloud Service, such as Copy Role and Compare Roles
• Security Console is granted to the predefined IT Security Manager role
• Security Console can be accessed from the Navigator,
under the Tools section
Don’t Customize Predefined Roles
• You must not customize predefined roles. You can identify these predefined
roles by the ORA_ prefix in the Role Code field.
• During each upgrade, predefined roles
may be updated to the specifications for that
release, so any customizations would be
overwritten.
• By customizing predefined roles,
you also lose the reference of what
each role is designed to do.
Consider Copying Predefined Roles before Customizing
• If you want to modify the content of a predefined role, make a copy first,
then edit the copy and save it as a custom role.
• Making your changes in a copy of a predefined role means that you can
always compare to and roll back to the delivered role.
• After a maintenance update or upgrade, you can compare your customized
copy to the updated predefined role. You can see the updates to the
predefined role and decide whether to incorporate these changes into your
custom role.
• Copy Role and Compare Roles are supported in the Security Console
Copy Role
• Use Security Console to copy a role. You must first select a role before initiating a copy.
• Copy option is
available from the
Search Results
• It is also available
when you right
click a role in the
Visualizer.
• You have the option
to copy just the top
role, or top role and
inherited roles.
Compare Roles
• Use Compare Roles to compare
the function and data security
policies granted between 2
roles.
• The Compare Roles feature is
available from the Security
Console. You can launch
“Compare Roles” directly by
clicking on the button, or by
choosing the “Compare Roles”
option in the Search Results
• By selecting “Compare Roles”
after selecting a role, that role
will be prefilled
Compare Roles
• You have the option to view all
comparison results, artifacts
that only exist in either the first
or the second role, or artifacts that
exist in both roles
• You can also choose to view only
comparison results for function
security policies, data security
policies, inherited roles, or
combinations.
It’s Easier to Add than to Remove
• You can always add more privileges to a role while isolating the predefined
content, but you cannot remove privileges from a role without modifying
the predefined content
• Consider the drawbacks before removing a privilege; they may outweigh
the benefits
• If you need to add more privileges to a predefined role, group all the added
privileges in one or more custom duties, and then assign the custom duties
to the job role.
Consider Segregation of Duties when creating Custom Roles
• Enforced policies and violations of the predefined roles are documented in
the Security Reference Manuals
– Security Reference for Oracle Financials Cloud
– Security Reference for Common Features
• When designing custom roles, please consider possible segregation of duty
violations if you are adding new privileges to predefined roles.
Don’t Customize Predefined Privileges
• You must not customize predefined
privileges.
• Each predefined privilege contains
authorizations to specific code artifacts,
or resources, that are designed to work as
a cohesive unit.
• Granting only a subset of these resources
to a user may result in unexpected and
erroneous behaviors.
• During each upgrade, predefined
privileges may be updated to the
specifications for that release, so any
customizations would be overwritten.
Avoid Creating Custom Privileges
• You should avoid creating custom privileges
• Resources are designed to work as a cohesive unit and are granted via
predefined privileges
• Granting only a subset of these resources to a user may result in
unexpected and erroneous behaviors
• Exception – If you are creating custom resources, such as a custom ESS job,
then you will need to secure the corresponding resource to a privilege to
grant execution rights to a user. In this case, it is OK to create custom
privileges.
Don’t Grant Resources Directly to Roles
• Avoid granting resources directly to roles. Resources should be granted via
privileges to roles.
• Resources within a privilege are designed to work as a cohesive unit and
are not intended to be granted separately.
• Granting resources directly to roles complicates auditing.
Managing Users & Roles
Limit the Number of Roles Assigned to a User
• In general, assigning a large
number of roles to a user might
impact performance, particularly
when the system needs to check
the authorization policies for the
user
• The following slides will discuss
several practices to limit the
number of roles assigned to a user
Don’t Assign Overlapping Roles to a User
• Some products predefine multiple reference roles with incremental capabilities
– For example, in Fusion General Ledger, General Accountant includes all capabilities granted to Financial
Analyst, and General Accounting Manager includes all capabilities granted to General Accountant
• There is no need to assign all such roles to the same user; assigning the role with the most
access is sufficient.
– Assigning General Accountant role in addition to the General Accounting Manager to the same user would
have no material impact, as access granted by General Accountant role is already granted by General
Accounting Manager role
• Use the Security Manual to
compare the differences in
authorizations between 2 roles.
You can also use the
“Compare Roles” feature in
Security Console.
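An added illustration (not Oracle's code, and not how the Security Console is implemented) of the role inheritance and overlapping-role guidance in this deck: it resolves a role's effective function privileges through the hierarchy, flags assigned roles that another assigned role already covers, and builds a Compare Roles style three-way view. The job and abstract role names come from the slides; the duty roles, privilege names and hierarchy are constructed, and data security is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    kind: str                                       # "job", "abstract" or "duty"
    inherits: list = field(default_factory=list)    # names of inherited roles
    privileges: set = field(default_factory=set)    # privileges granted directly


# Constructed catalogue: the duty roles and every privilege name are invented.
CATALOG = {r.name: r for r in [
    Role("Inquiry Duty", "duty", [], {"View Journal", "Run Financial Report"}),
    Role("Journal Entry Duty", "duty", ["Inquiry Duty"],
         {"Create Journal", "Post Journal"}),
    Role("Period Close Duty", "duty", [], {"Open Period", "Close Period"}),
    Role("Financial Analyst", "job", ["Inquiry Duty"]),
    Role("General Accountant", "job", ["Journal Entry Duty"]),
    Role("General Accounting Manager", "job",
         ["Journal Entry Duty", "Period Close Duty"], {"Approve Journal"}),
    Role("Employee", "abstract", [], {"View Own Expense Report"}),
]}


def effective_privileges(role_name, catalog=CATALOG):
    """Direct privileges plus everything inherited, walking the whole hierarchy."""
    privs, stack, seen = set(), [role_name], set()
    while stack:
        name = stack.pop()
        if name in seen:            # tolerate shared duties and accidental cycles
            continue
        seen.add(name)
        privs |= catalog[name].privileges
        stack.extend(catalog[name].inherits)
    return privs


def not_assignable(role_names, catalog=CATALOG):
    """Duty roles cannot be assigned to users directly; return any offenders."""
    return [n for n in role_names if catalog[n].kind == "duty"]


def redundant_roles(assigned, catalog=CATALOG):
    """Map each assigned role that adds nothing to the role that already covers it.

    When two roles grant identical access, only the alphabetically later one is
    reported, so one of the pair is always kept.
    """
    eff = {n: effective_privileges(n, catalog) for n in assigned}
    redundant = {}
    for a in assigned:
        for b in assigned:
            if a == b or not eff[a] <= eff[b]:
                continue
            if eff[a] < eff[b] or a > b:
                redundant[a] = b
                break
    return redundant


def compare_roles(first, second, catalog=CATALOG):
    """Three-way comparison of effective privileges between two roles."""
    a = effective_privileges(first, catalog)
    b = effective_privileges(second, catalog)
    return {"only_in_first": a - b, "only_in_second": b - a, "in_both": a & b}


if __name__ == "__main__":
    user_roles = ["General Accounting Manager", "General Accountant",
                  "Financial Analyst", "Employee"]
    for role, covered_by in redundant_roles(user_roles).items():
        print(f"{role}: already covered by {covered_by}")
    print(compare_roles("General Accountant", "General Accounting Manager"))
```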
Overlapping Roles
| Product | If You Assign This Role… | No Need to Assign This Role… |
|---|---|---|
| Fixed Assets | Asset Accounting Manager | Asset Accountant |
| General Ledger | General Accounting Manager | CFO*^, Controller*^, General Accountant, Financial Analyst |
| General Ledger | General Accountant | Financial Analyst |
| Accounts Payable | Accounts Payable Manager + Accounts Payable Supervisor | Accounts Payable Specialist |
| Accounts Receivable | Accounts Receivable Manager | Accounts Receivable Specialist |
| Accounts Receivable | Billing Manager* | Billing Specialist* |
| Accounts Receivable | Revenue Manager* | Revenue Analyst* |
| Tax | Tax Manager | Tax Administrator, Tax Accountant, Tax Specialist |

* Obsolete Roles as of Release 10
^ CFO and Controller roles provide identical access as General Accounting Manager
Don’t Assign Job Roles AND corresponding Data Roles
• Each data role already inherits the corresponding job role, providing the
necessary function security privileges under the job
• There is no need to separately assign the job role to the user if you are
assigning the corresponding data roles
• Only assign job roles directly for job roles that don’t utilize data roles to
provide data security
– Examples of such roles include
Cash Manager and Application
Implementation Consultant
Use Data Access Sets to Grant Access to Multiple Ledgers
• General Ledger’s Data Access Sets can be used to grant access to a group of
ledgers
• General Ledger’s predefined job roles, such as General Accounting
Manager and General Accountant, use Data Access Set as the basis for
data security and data role generation
• While a new Data Access Set is automatically created whenever a new
Ledger is created, you can create your own Data Access Sets
Consider using Custom Roles in lieu of Data Roles
• Accessing all Business Units / Ledgers / etc
– Custom roles can be introduced to grant access to all Business Units / Ledgers / etc
– Instead of multiple data roles, user only needs to be assigned 1 role
– Users are automatically granted access to new Business Units
• Accessing the same subset of Business Units / Ledgers for multiple users
– Typical in Shared Service Center environments
– Custom roles can be introduced to grant access to the subset
• Accessing the same Business Units across multiple functions
– e.g. AP Manager w/ Procurement Inquiry access
– Custom roles can be introduced to combine the 2 accesses, eliminating the need for one set
of the data roles
Upgrade Considerations
Decide to Uptake New R10 Role Hierarchy or not
• In R10, we have re-designed the role hierarchies to deliver simpler, more
streamlined structures.
• These simplified hierarchies are only available for new R10 customers.
• If you are upgrading to R10, you will be using the old hierarchies to preserve
any customizations you may have made to them.
• You are encouraged to review the differences between your roles and the
new simplified roles (use Compare Roles tool for a quick comparison)
• If you want to switch to use the new hierarchies, follow the instructions in
the whitepaper Upgrade Guide for Oracle Cloud Applications Security (Doc
ID 2016990.1)
Review New Privileges for New Features
• If you have created copies of our predefined reference roles for
customization purposes, new privileges granted to the reference roles will
not be available in the copied versions.
• Starting R10, we publish the list of new privileges that correspond to each
new feature. Review the list and grant these new privileges manually if you
wish to uptake a new feature.
• You can also use the Compare Roles tool from the Security Console to
compare the custom role with the updated predefined role.
Additional Information
• Oracle Financials Cloud Security Reference (HTML)
• Oracle Financials Cloud Security Reference (PDF) Better viewing of Role Hierarchy
• Security Reference for Common Features
• Securing ERP Cloud Online Help
• These and other security related documents can be accessed via docs.oracle.com
• Upgrade Guide for Oracle Cloud Applications Security (white paper) (Doc ID
2016990.1)
• YouTube video: Copying Roles Using the Security Console
• YouTube video: How to Compare Roles Using the Security Console
• YouTube video: R11 Security Workshop How to Modify a Financials Role
Additional Information
• Oracle
Other Fusion Help
https://fusionhelp.oracle.com/
Fusion Cloud Documentation
http://docs.oracle.com/cloud/latest/financialscs_gs/financialscs_use.htm
