Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates
Overview of Security
Objectives
Who: The users who perform functions in your company, such as an Accounts Payable supervisor.
What: Individual actions a user can perform, such as the ability to approve a payables invoice.
Which: The set of data that the user can perform the action on, such as payables invoices within your assigned business units.
The security reference implementation covers all functions and actions that need to be secured. The security definitions were based on industry standards. Unless you have customized existing functions or added new functions, you shouldn't have to create any new job or duty roles. The implementation includes:
Complete set of job roles.
Duty roles and role hierarchy for each job role.
Privileges granted to each duty role.
Data security policies for each job role.
Policies that protect personally identifiable information.
Policies enforced across tools and access methods.
Policies related to segregation of duties that are reflected in the design of duties for the
job role.
Segregation of duties conflicts.
The first implementation user is for creating only the initial enterprise structure and is not a real person in HCM. After the initial enterprise structure is complete, you can create additional users in HCM using the Manage Users or Import Worker Users tasks. Your users require that a business unit, legal entity, and other setup be added after the initial implementation.
Planning is essential:
Analyze the access requirements specific to your organization, understanding who
needs access to what.
Compare the requirements with the predefined roles in the security reference
implementation, and decide which predefined roles meet your requirements and can be
used as-shipped, and which will require customizations to meet your requirements.
Certain product areas, such as Accounts Payable and General Ledger, include multiple
roles in the reference implementation. To compare accesses granted to each role, you
can use the Compare Role feature in the Security Console.
Other segment value security considerations:
For upgraded R11 customers, if you add or remove a BU or ledger, you must regenerate
roles from that data role template.
Consider having different users define roles and provision roles.
However, neither of these roles provides the required access for creating and managing
Oracle Fusion Applications users; therefore, the OIM system administrator must add the
following two OIM roles to the IT Security Manager job role:
Identity User Administrator, which carries user management entitlement.
Role Administrator, which carries role management entitlement.
Note: Assign the Xellerate Users organization to the IT Security Manager.
You give function and data access through roles that you assign to users.
Function security allows you to access:
A page or a specific object.
Functionality within a page, including services, screens, and task flows.
Data security consists of privileges conditionally granted as:
Data security policies carried by roles.
Human Capital Management (HCM) security profiles.
For example, a job role can enable users to work with journals. A data role that inherits the job role can provide access to the journal data within a ledger.
The data role General Accounting Manager US inherits functionality from the General Accounting Manager job role, and it enables users to perform general ledger duties in the US ledger.
Assign these roles directly to users:
Job roles: You can also create custom job roles.
Abstract roles: All users are likely to have at least one abstract role that provides access to a set of standard functions, such as expense reporting or procurement. You can also create custom abstract roles.
Assign these roles to Job and Abstract roles, not directly to users:
Duty roles: You can also create custom duty roles.
Role inheritance is a key concept in the security model. The figure illustrates the hierarchy of job role and duty role inheritance, which are used as the building blocks in Oracle Cloud Security.
Almost every role is a hierarchy or collection of other roles.
- Job and abstract roles inherit duty roles.
- Duty roles can inherit other duty roles.
You can also assign privileges directly to job, abstract, and duty roles.
When you assign job and abstract roles to users, they inherit all of the data and function
security associated with those roles.
Roles are the building blocks of security.
You can start at the bottom with duty roles, which you can combine with other duty roles.
For example, you can combine a journal entry duty role with a journal reporting duty
role.
The job and abstract roles inherit duty roles. For example, the General Accountant job
role can have one or more duty roles.
The data roles inherit the job role and give the user access to specific data such as
ledgers, asset books, or business units.
The diagram now shows a Data Role added to secure Anita Kennedy to the UK Set of Data in the UK Ledger for her General Accountant Job role.
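To make the inheritance chain concrete, here is an added Python example (not Oracle's code and not part of the original guide) that models duty, job, abstract and data roles and computes a user's effective privileges together with the ledgers each applies to. The role codes, privilege names and the UK Ledger scope are constructed to mirror the General Accountant example above.

```python
from dataclasses import dataclass, field

# Constructed model of the role hierarchy (not Oracle's code): duty roles carry
# privileges and may inherit other duty roles, job/abstract roles inherit duty
# roles, and data roles inherit a job role and add a data scope (a ledger).
@dataclass
class Role:
    code: str
    kind: str                                      # "duty", "job", "abstract" or "data"
    privileges: set = field(default_factory=set)   # privileges granted directly
    inherits: list = field(default_factory=list)   # codes of inherited roles
    scope: set = field(default_factory=set)        # data scope, data roles only

def effective_privileges(code, roles, seen=None):
    """Flatten the hierarchy: every privilege reachable through inheritance."""
    seen = set() if seen is None else seen
    if code in seen:                   # tolerate a cycle in a mis-built hierarchy
        return set()
    seen.add(code)
    role = roles[code]
    privs = set(role.privileges)
    for parent in role.inherits:
        privs |= effective_privileges(parent, roles, seen)
    return privs

def effective_access(user_roles, roles):
    """Map each privilege the user holds to the data scopes it applies to.
    A job or abstract role grants function access with no ledger attached;
    a data role grants the inherited job role's privileges within its scope."""
    access = {}
    for code in user_roles:
        for priv in effective_privileges(code, roles):
            access.setdefault(priv, set()).update(roles[code].scope)
    return access

# Constructed roles mirroring the slides' General Accountant example.
ROLES = {r.code: r for r in [
    Role("JOURNAL_ENTRY_DUTY", "duty", {"Create Journal", "Post Journal"}),
    Role("JOURNAL_REPORTING_DUTY", "duty", {"Run Journal Report"}),
    Role("GENERAL_ACCOUNTANT_JOB", "job",
         inherits=["JOURNAL_ENTRY_DUTY", "JOURNAL_REPORTING_DUTY"]),
    Role("EMPLOYEE_ABSTRACT", "abstract", {"Submit Expense Report"}),
    Role("GENERAL_ACCOUNTANT_UK_DATA", "data",
         inherits=["GENERAL_ACCOUNTANT_JOB"], scope={"UK Ledger"}),
]}

if __name__ == "__main__":
    # Anita Kennedy: employee abstract role plus the UK data role.
    print(effective_access(["EMPLOYEE_ABSTRACT", "GENERAL_ACCOUNTANT_UK_DATA"], ROLES))
```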
NEW
Applicable to new customers only.
Does not use data role templates.
To access the Manage Data Access for Users page, navigate to Setup and Maintenance > Manage Data Access for Users task.
You use the Manage Data Access for Users task to assign users to data scopes, like Business Units, Ledgers, and Asset Books. You can access this task from the Setup and Maintenance work area.
You assign data scopes to users by role, and you can only assign data scopes to roles a user
has been provisioned.
You can also import assignments from a spreadsheet. By clicking on the Authorize Data
Access button in the Manage Data Access page, you can download a spreadsheet which you
can use to import the data assignments. You can prepare the data from another source, such
as your legacy system, and populate the spreadsheet, and then import.
Oracle Identity Manager (OIM) access is granted to the predefined IT Security Manager role.
Use Administration Mode in OIM to create users and provision roles. OIM opens by default to the self-service view.
- The title displays whether you are in Administration mode or Self-Service mode.
- To switch from Self-Service Mode to Administration Mode, click on the button in
the upper right hand corner.
Access the tasks above:
Create Users: Navigate to: Setup and Maintenance > Manage Users > Create icon or on the Navigator > My Team > Manage Users > Create icon.
Hire an Employee: On the Navigator > My Workforce > New Person > Tasks panel >
Hire an Employee. This task creates the full person record needed by HCM, such as job
assignment, job code, department, manager, etc., as well as the user account itself.
Create Implementation Users: Navigate to: Setup and Maintenance > Create
Implementation Users > Administration tab > Create User icon.
Import Worker Users: Navigate to: Setup and Maintenance > Import Worker Users >
Create Worker > Create Spreadsheet icon or on the Navigator > My Workforce > Data
Exchange > Tasks panel > Initiate Spreadsheet Load > Create Worker > Create
Spreadsheet icon.
Note: The import process handles both user account creation and auto provisioning of roles.
Manager.
Automatically provision a role to users by defining a
relationship, called a role mapping, between the role and
some conditions.
To manually provision roles, use the Create Implementation Users task from Setup and Maintenance to access Oracle Identity Manager. Make sure you switch to Administration mode to assign roles to users.
To assign a role to a specific user:
- Use the search box to search for the desired user.
- Open the user and go to the Roles tab.
- Click the Assign button to assign new roles to the user.
To assign the same role to multiple users:
- Search for the role.
- Go to the Members tab.
- Click the Assign button to assign multiple users to the same role.
Roles are automatically provisioned when one of the user's assignments matches all role-
mapping conditions and the auto provision option is selected.
Role Mappings allow you to automatically assign roles to users if they match the conditions specified in the Role Mappings. As users transfer departments or change jobs, the Role Mappings can automatically assign the correct roles to the users.
Each role mapping rule is based on a set of attributes that can be matched to a user's assignment, such as Department, Job, and Location. For example, you may define a rule that limits role mapping to current employees of the Finance Department whose Job is Accounting Manager.
Roles capture the nature of work intended to be performed by the user.
A range of security roles are granted to the new user.
This enables users to access application flows that are crucial for performing the tasks.
When the list of assigned security roles is populated, you can remove or add new roles as
needed.
Note: Auto-provision: Deprovisions roles immediately from users who are no longer eligible
for roles that they currently have.
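As an added example (not Oracle's code and not part of the original guide), the following Python models the role-mapping evaluation described above: each mapping carries AND-ed assignment conditions and an autoprovision flag, a role is provisioned when one assignment matches all conditions, and mapped roles are deprovisioned as soon as the user no longer qualifies. The mapping names and attributes are constructed, and the rule that roles outside any mapping are left untouched is an assumption of this model.

```python
# Constructed role mappings (not Oracle's code): each mapping names a role, an
# autoprovision flag, and the assignment attributes that must ALL match.
ROLE_MAPPINGS = [
    {"role": "ACCOUNTING_MANAGER_JOB", "autoprovision": True,
     "conditions": {"status": "Active", "department": "Finance", "job": "Accounting Manager"}},
    {"role": "EMPLOYEE_ABSTRACT", "autoprovision": True,
     "conditions": {"status": "Active"}},
    {"role": "UK_PAYROLL_DUTY", "autoprovision": False,   # requestable, never auto-provisioned
     "conditions": {"location": "London"}},
]

def assignment_matches(assignment, conditions):
    """Every condition attribute must equal the assignment's value (AND semantics)."""
    return all(assignment.get(attr) == value for attr, value in conditions.items())

def eligible_roles(assignments, mappings):
    """Roles whose autoprovision mapping is satisfied by at least one assignment."""
    return {m["role"] for m in mappings if m["autoprovision"]
            and any(assignment_matches(a, m["conditions"]) for a in assignments)}

def autoprovision(current_roles, assignments, mappings):
    """Return (roles to add, roles to remove, resulting role set).
    Roles governed by any mapping are deprovisioned as soon as the user no longer
    qualifies; roles no mapping governs are treated as manually assigned and
    left alone (an assumption of this model)."""
    mapped = {m["role"] for m in mappings}
    eligible = eligible_roles(assignments, mappings)
    current = set(current_roles)
    to_add = eligible - current
    to_remove = (current & mapped) - eligible
    return to_add, to_remove, (current | to_add) - to_remove

if __name__ == "__main__":
    # Constructed user who transfers from Finance to Sales: the manager role goes,
    # the employee abstract role stays, a manually assigned custom role is untouched.
    before = [{"status": "Active", "department": "Finance", "job": "Accounting Manager", "location": "London"}]
    after = [{"status": "Active", "department": "Sales", "job": "Account Executive", "location": "London"}]
    _, _, roles = autoprovision({"CUSTOM_REPORTING_JOB"}, before, ROLE_MAPPINGS)
    print(autoprovision(roles, after, ROLE_MAPPINGS))
```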
Best Practices for Customizing Roles
Do not customize predefined roles. These predefined roles begin with the ORA_ prefix in the Role Code field. During each upgrade, the upgrade process updates the predefined roles to the specifications for that release, so any customizations are overwritten.
Always make a copy of the predefined role. Then, edit the copy and save it as a custom
role.
Compare the copy of the predefined role with the new customized role and roll back to
the delivered role, if necessary.
After a maintenance update or upgrade, compare your customized copy to the updated
predefined source role. You can see the updates to the predefined role and decide
whether to incorporate those changes into your custom role.
Before you start using the Security Console, set two profile options that govern the behavior of the Security Console in the Manage Administrator Profile Values task.
Security Console Working App Stripe: Controls the App Stripe the user works on.
Please set this profile option to fscm, either at the site level, or for specific users with
Security Console access.
Enable Data Security Policies and User Membership Edits: Sets the preference to
enable data security policies and user membership editing in Security Console. Set this
profile option to Yes to enable both, at the site level, or for specific users.
The Copy feature in the Security Console enables you to:
Set up default names in the Preferences section of the Security Console.
Review the code resources tied to each function security privilege.
Important:
To add, edit, or remove data security policies, set the profile option Enable Data Security
Policies and User Membership Edits to Yes, either at the site level or for the current
user.
To assign users to this new role, set the profile option Enable Data Security Policies and
User Membership Edits to Yes, either at the site level or for the current user.
Note: This option is only available to external roles, as you can only assign external roles to
users.
View:
All comparison results.
Artifacts that only exist in either the first or the second role.
Artifacts that exist in both roles.
Choose to view only comparison results for:
Function security policies.
Data security policies.
Inherited roles, or combinations.
Use the following icons on the left hand side of the page:
Roles: Copy, create, and compare roles.
Comparing a role.
roles.
User and Role Access Audit Report: List of users and
provisioned function and data accesses.
Inactive Users Report: List of inactive users.
User Role Membership Report: You can run the report for all users, or you can optionally filter the list of users by name, department, and location.
User and Role Access Audit Report: Report can be run for one user, all users, one role, or all
roles.
One User / All Users
- Separate report outputs show role hierarchy with privileges, tabular listing of
privileges, and list of data security policies provisioned to the user.
- The All Users option results in one set of reports for each user.
One Role / All Roles
- Separate report outputs show role hierarchy with privileges, tabular listing of
privileges, and list of data security policies for a given role.
- The All Roles option results in one set of reports for each role.
Oracle Financial Security is applicable to the needs of midsized, horizontal enterprises generally between 250 and 10,000 employees. It can be changed or scaled to accommodate expansion into vertical industries such as health care, insurance, automobiles, or food manufacturing.
For more resources on the Oracle Help Center, see:
Oracle Financial Security Guides:
http://docs.oracle.com/cloud/latest/financialscs_gs/docs.htm.
Oracle Fusion Middleware Security Guides:
http://docs.oracle.com/middleware/1221/cross/securedocs.htm.