03.1 Implementing Users Security
Release 11
• Customizing Security
• Managing Security
• Auditing Security
Introduction
Understanding the basic concepts of Oracle ERP Cloud security
• Oracle ERP Cloud’s security methodology can be summarized with the simple statement:
Who = User
What = Individual Actions a User can perform
Which = Which set of data, i.e., business units and ledgers to name a few
Understanding Roles
• Oracle ERP Cloud uses role-based access control (RBAC). Access to functions and data is defined via roles, not directly against users.
• Oracle ERP Cloud uses 3 types of roles:
– Job Roles
• Represent jobs that users perform in an organization, e.g. General Accountant, Accounts Payable Manager
• Can be assigned to users
– Abstract Roles
• Represent people in the organization independent of the jobs they perform, e.g. Employee, Line Manager
• Can be assigned to users
– Duty Roles
• Logical collection of privileges that grant access to tasks that someone performs as part of a job
• Not assignable to users directly
Understanding Role Inheritance
• Almost every role is a hierarchy or collection of other roles
– Job and abstract roles inherit duty roles
– Duty roles can inherit other duty roles
• Job, abstract and duty roles can also be assigned privileges and aggregate privileges directly.
• When you assign job and abstract roles to users, they inherit all of the data and function security associated with those roles
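An added example, not part of the original slides or any Oracle tooling: a small access-review resolver for the inheritance rules above, returning each effective privilege with the role path that grants it and flagging duty roles assigned directly to a user. The duty role and privilege names are constructed for illustration.

```python
# Constructed sample hierarchy. "General Accountant" and "Employee" are the
# slide's example roles; duty role and privilege names are made up.
ROLES = {
    # name: (type, inherited roles, directly granted privileges)
    "General Accountant": ("job", ["Journal Entry Duty"], ["View Ledger Reports"]),
    "Employee": ("abstract", ["Expense Entry Duty"], []),
    "Journal Entry Duty": ("duty", ["Journal Inquiry Duty"], ["Create Journal"]),
    "Journal Inquiry Duty": ("duty", [], ["View Journal"]),
    "Expense Entry Duty": ("duty", [], ["Create Expense Report"]),
}
ASSIGNABLE = {"job", "abstract"}  # duty roles are not assignable to users directly


def expand_role(role, roles=ROLES, path=()):
    """Map each privilege reachable from `role` to the inheritance path granting it."""
    if role in path:  # a role that inherits itself (cycle) must not recurse forever
        return {}
    path = path + (role,)
    _type, children, privileges = roles[role]
    granted = {priv: path for priv in privileges}
    for child in children:
        for priv, via in expand_role(child, roles, path).items():
            granted.setdefault(priv, via)  # keep the first path found
    return granted


def effective_access(assigned_roles, roles=ROLES):
    """Resolve a user's role assignments into (privilege -> path, findings)."""
    granted, findings = {}, []
    for role in assigned_roles:
        if role not in roles:
            findings.append(f"unknown role: {role}")
        elif roles[role][0] not in ASSIGNABLE:
            findings.append(f"duty role assigned directly: {role}")
        else:
            for priv, via in expand_role(role, roles).items():
                granted.setdefault(priv, via)
    return granted, findings


if __name__ == "__main__":
    access, issues = effective_access(
        ["General Accountant", "Employee", "Journal Inquiry Duty"])
    for priv, via in sorted(access.items()):
        print(f"{priv:24} via {' > '.join(via)}")
    for issue in issues:
        print("FINDING:", issue)
```

The path attached to each privilege is what an access review needs when someone asks why a user can perform an action: it names the assigned role and every duty role in between.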
Understanding Function & Data Security Policies
• Function Security Policies are defined via function security privileges
• Each function security privilege secures the code resources that make up the relevant pages, page components (like tabs and buttons) and scheduled jobs
• Data Security Policy defines access by a role, to a business object, with a condition and for an action (data security privilege)
• Aggregate Privilege combines function security privileges with related data security policies
Understanding External vs. Application Roles
• External Roles are roles that are assigned to users
• Application Roles are roles that can be assigned authorization policies, such as function security policies and data security policies
• As job roles and abstract roles are assignable to users, they are defined as external roles
• Duty roles are defined as application roles
• As job roles and abstract roles can also be assigned authorization policies, they are also created as application roles
Summary
The statement
• Business Unit Ledgers: Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units derived from specific ledgers for which they are authorized
• Business Unit Intercompany Organizations: Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units associated with the intercompany organizations for which they are authorized
• Business Unit Data Access Set: Access the business unit for table FUN_ALL_BUSINESS_UNITS_V for the business units derived from data access sets for which they are authorized
• Cost Organization Data Access Set: Access the cost organization for table CST_COST_ORGS_V for the cost organizations associated with the ledgers for which the user is authorized
• Ledger Business Unit: Access the ledger for table GL_LEDGERS for the ledgers derived from business units for which they are authorized
• Project Organization Business Unit: Project Creator can create projects for all organizations in the assigned authorized business unit, as defined on the Manage Data Access for Users page.
Managing Security
Managing Users
• Use the Manage Users task to manage user accounts
• Manage Users task allows you to:
– Edit user account details
– Add to and remove roles from a user
– Reset password
• Users can also request new roles and reset password themselves by selecting About Me - My Account from the home page
Managing Implementation Users
• Use Oracle Identity Manager to make changes to existing implementation users
• Make sure you are using the Administration Mode in Oracle Identity Manager.
• In the Search Box, select Users, and then search for the desired user.
• Once you’ve found the desired user, open the user to make changes
Managing Role Assignments for Users
• Use Oracle Identity Manager to manage a user’s role assignment
• Open Oracle Identity Manager in Administration Mode, search for the user, and open the Roles tab.
• Roles currently assigned to the selected user are shown.
• You can assign additional roles by clicking the “Assign” button, or revoke a role from the user by selecting an assigned role and clicking “Revoke”.
Managing Data Access for Users