Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - How to design user roles within Fusion Applications..
Published in: Technology
Transcript

  • 1. Designing Security Roles. Functional Architecture Implementation Support (FAIS Team). Kiran Mundy, May 2012.
  • 2. Disclaimer: I am an Oracle employee. The content of this presentation is my own and does not necessarily reflect the views of Oracle.
  • 3. Contents: Overview (screens you need to know about; designing a new role; privileges and data security policies; data roles). Use cases (designing a new role; generating a data role from a template; stepping down a duty hierarchy). Terminology.
  • 4. Overview.
  • 5. Screens you need to know about: Oracle Identity Manager (Delegated Administration) is where you create users, create roles and role hierarchies, and assign roles. Authorization Policy Manager (Oracle Entitlements Server) is where you manage duties and generate data roles: a role is made up of duties, and each duty carries data security policies (object + allowed actions) and privileges (screens and actions within screens). The HCM "Create Person" screen creates the user, which is automatically sent to OIM, and roles auto-provision. Yes, you could create users and assign roles directly in OIM, but FSM steps you through HCM because employee details are often needed in the applications.
  • 6. Designing a New Role - Overview. Same two screens as above. Three approaches, in order of increasing difficulty: (1) create a new role, assign existing duties under it, and generate a data role from it; (2) create new duties and assign data security policies and privileges under them; (3) create new policies and privileges.
  • 7. Functional & Data Security Policies. A functional policy = code artifacts + allowed actions (the Fusion Apps screen and the function behind the screen). A data security policy = DB objects + allowed actions, where the possible actions are Read, Update, Delete and Manage. Note: if there is no data security policy specified on a duty role, it means that all actions on all objects behind the screens (specified by the functional policy) are allowed.
  • 8. Data Roles. A data role takes the "data" your role has access to (the data security policy: DB objects + allowed actions, e.g. the Project object with possible action Read, or the Invoices object with possible action Read) and slices it up by BU. Each data role has access to "one" slice: Invoices in BU 1, Invoices in BU 2, Invoices in BU 3.
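To make the slide 7 rule and the slide 8 slicing concrete, here is an added Python model of the hierarchy (data role → job role → duty roles → functional privileges + data security policies). It is an illustration written for this page, not code from the deck or from Oracle's products; the duty "Invoice Management Duty" and the privilege names "Review Invoice" and "Manage Invoice" are constructed, while "Billing Inquiry Duty", "Billing Clerk", the Invoices object and the BU names come from the slides. The check deliberately reproduces the caveat from slide 7: a duty with no data security policy is unrestricted on the objects behind its screens, so only the BU slice of the data role limits it.

```python
"""Toy model of the Fusion role hierarchy described on slides 7 and 8.

Data Role (one BU slice) -> Job Role -> Duty Roles -> functional policy
(privileges: screens/actions) + data security policies (object + actions).
Names marked 'constructed' are made up for illustration; none of this is
a seeded Fusion role or a real policy definition.
"""
from dataclasses import dataclass

# Slide 7: the actions a data security policy can pick from.
POSSIBLE_ACTIONS = frozenset({"Read", "Update", "Delete", "Manage"})


@dataclass(frozen=True)
class DataSecurityPolicy:
    """DB object + the subset of POSSIBLE_ACTIONS the policy allows."""
    obj: str
    actions: frozenset

    def __post_init__(self):
        unknown = self.actions - POSSIBLE_ACTIONS
        if unknown:
            raise ValueError(f"actions not defined for {self.obj}: {sorted(unknown)}")


@dataclass
class DutyRole:
    name: str
    privileges: frozenset      # functional policy targets (screens, buttons, ...)
    data_policies: tuple = ()  # empty = no data security policy on this duty


@dataclass
class JobRole:
    name: str
    duties: tuple


@dataclass
class DataRole:
    """A job role sliced to exactly one business unit (slide 8)."""
    name: str
    job: JobRole
    bu: str


def duty_allows(duty, obj, action):
    """Slide 7 note: a duty with no data security policy allows all actions on
    all objects behind its screens; otherwise some policy must match."""
    if not duty.data_policies:
        return True
    return any(p.obj == obj and action in p.actions for p in duty.data_policies)


def can_access(role, screen, obj, action, row_bu):
    """Can a holder of `role` perform `action` on a row of `obj` belonging to
    `row_bu` through `screen`?  The data role's BU slice is checked first, then
    the functional policy (is the screen a privilege of some duty), then the
    data security policy of that same duty."""
    if row_bu != role.bu:
        return False
    for duty in role.job.duties:
        if screen in duty.privileges and duty_allows(duty, obj, action):
            return True
    return False


def generate_data_roles(job, bus):
    """Slides 29-33 in miniature: one data role per BU from a job role."""
    return {bu: DataRole(f"{job.name} - {bu}", job, bu) for bu in bus}


def build_example():
    billing_inquiry = DutyRole(
        name="Billing Inquiry Duty",
        privileges=frozenset({"Review Invoice", "View Customer Account Contact"}),
        # no data_policies: unrestricted, as slide 28 observes for this duty
    )
    invoice_mgmt = DutyRole(
        name="Invoice Management Duty",  # constructed
        privileges=frozenset({"Manage Invoice"}),  # constructed
        data_policies=(DataSecurityPolicy("Invoices", frozenset({"Read", "Update"})),),
    )
    billing_clerk = JobRole("Billing Clerk", (billing_inquiry, invoice_mgmt))
    return generate_data_roles(billing_clerk, ("BU 1", "BU 2", "BU 3"))


if __name__ == "__main__":
    roles = build_example()
    bu1 = roles["BU 1"]
    print(can_access(bu1, "Manage Invoice", "Invoices", "Update", "BU 1"))  # True
    print(can_access(bu1, "Manage Invoice", "Invoices", "Delete", "BU 1"))  # False: not in policy
    print(can_access(bu1, "Manage Invoice", "Invoices", "Update", "BU 2"))  # False: wrong slice
    print(can_access(bu1, "Review Invoice", "Invoices", "Delete", "BU 1"))  # True: duty has no data policy
```

The last call is the one worth noticing when reviewing a duty: because Billing Inquiry Duty carries no data security policy, the model (like the slide 7 rule) lets its screens touch every action on every object, and only the data role's BU slice narrows what a user sees.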
  • 9. PowerPoint Demo.
  • 10. Designing a New Role – Where to Start. The Security Reference Implementation gives example roles for each FSM offering. Log in to OER as Guest at https://fusionappsoer.oracle.com/oer/index.jsp. Search criteria: Type = Role, Logical Business Area = "All Fusion Apps…". Under the Documentation tab, open up the "Security Reference Manual".
  • 11. (no text on slide)
  • 12. (no text on slide)
  • 13. Let's say you want to add "View Customer Account Contact" to the Billing Inquiry Duty.
  • 14. Creating/Changing Duty Roles – start with FSM. Under "Define Security for … <your offering>", click on "Manage Duties".
  • 15. Find the Duty Role: choose the right application and search for the duties.
  • 16. Can't find the duty? Check: Find Existing Policies; Application; "Starts With" vs "Contains"; Display Name vs Role Name. Query up the duty and click on "Find Policies" to see the existing policies the role has.
  • 17. Alternatively, you can search by Role.
  • 18. Then open the Duty.
  • 19. And Find Policies.
  • 20. "Open" Policies to see all policies.
  • 21. Targets/Privileges shown.
  • 22. Here's the privilege we wanted to add.
  • 23. Create a new functional policy.
  • 24. Add a target into the new policy.
  • 25. Search for the target (or entitlement).
  • 26. Give the new policy a name and save.
  • 27. Re-query the Duty. The new policy and target show up.
  • 28. Existing Data Security Policies. Apparently there are no data security policies for "Billing Inquiry Duty" as yet, which means data access behind the screen is not restricted at this level.
  • 29. Generating Data Roles. After you've implemented your system and have your BUs etc. in, figure out which role templates you want to use to generate your data roles (how?).
  • 30. Find the Role Template.
  • 31. Preview the roles about to be generated.
  • 32. Verify that they look correct.
  • 33. Click on "Generate Roles".
  • 34. Terminology.
  • 35. Terminology Review. Security Reference Implementation: a complete example implementation of security for each Fusion offering; details are in the Security Reference Manuals for each product. Role (External Role or Enterprise Role): created in LDAP (using Oracle Identity Manager); you can also create a hierarchy of these roles; normally data roles are generated, which also govern the Business Unit (or other determinant) stripe of data the user will see. Role Category: a way to classify roles; examples from the Reference Implementation are HCM Abstract Roles, HCM Job Roles, Financials Job Roles etc.
  • 36. Terminology. Abstract Role (External Role or Enterprise Role): "Abstract" is nothing more than a category we seed to classify roles in our Reference Implementation. Roles we seed in this category are accessory roles such as Employee, Contingent Worker etc.; not a role you would find described on Monster.com; usually assigned directly, so it does not require a data role generated on top of it. Job Role: also nothing more than a category we seed. Roles we seed in this category are roles that you would hire someone into (Accounts Payables Manager, Billing Clerk etc.); usually requires a data role generated on top of it.
  • 37. Terminology. Duty Role (Application Role or Principal): the most granular form of role, created and managed in Authorization Policy Manager; privileges and data security policies are assigned to it. Functional Policy: each policy contains a set of targets that the policy provides access to. Entitlement (or Privilege or Target): screens, buttons, lists, web services or other code artifacts.
  • 38. Terminology. Data Security Policy: specifies an object and what actions you can do to it; the possible actions you can pick from to create a policy are pre-defined for each Business Object. Database Resource: a database table or group of tables with data.