
Oracle Fusion Applications Security - Designing Roles


Oracle Fusion Applications Security - How to design user roles within Fusion Applications.


  1. Designing Security Roles. Functional Architecture Implementation Support (FAIS Team), Kiran Mundy, May 2012
  2. Disclaimer
     • I am an Oracle employee.
     • The content of this presentation is my own and does not necessarily reflect the views of Oracle.
  3. Contents
     • Overview
       • Screens you need to know about
       • Designing a new role
       • Privileges & Data Security Policies
       • Data Roles
     • Use Cases
       • Designing a new Role
       • Generating a Data Role from a Template
       • Stepping down a Duty hierarchy
     • Terminology
  4. Overview
  5. Screens you need to know about (diagram)
     • Oracle Identity Manager (Delegated Administration): Create Users; Create Roles & Hierarchies; Assign Role.
     • Authorization Policy Manager (Oracle Entitlements Server): Data Role, made up of Duties (Generate Role); each Duty carries a Data Security Policy (Object + Actions) and Privileges (Screens, and Actions within Screens).
     • HCM screen "Create Person": yes, you could create users and assign roles in OIM, but FSM steps you through here because HCM employee details are often needed in Apps. Roles auto-provision and are automatically sent to OIM.
  6. Designing a New Role - Overview (diagram)
     • Same two tools: Oracle Identity Manager (Delegated Administration) holds Roles & Hierarchies; Authorization Policy Manager (Oracle Entitlements Server) holds Data Roles (Generate Role) and Duties, with their Data Security Policies (Object + actions) and Privileges (Screens, and Actions within Screens).
     • In order of increasing difficulty: create a new Role and assign Duties under it, then generate a Data Role from it; create new Duties and assign Data Security Policies and Privileges under them; create new Policies and Privileges.
  7. Functional & Data Security Policies
     • Functional Policy = code artifacts + allowed actions (the Fusion Apps screen, and the function object behind the screen).
     • Data Security Policy = DB objects + allowed actions. Possible actions: Read, Update, Delete, Manage.
     • Note: if there is no data security policy specified on a duty role, it means that all actions on all objects behind the screens (specified by the functional policy) are allowed.
  8. Data Roles
     • Data Security Policy = DB Objects + allowed actions. Example object: Project + Invoices in BU 1 + Invoices in BU 2 + Invoices in BU 3; possible actions: Read.
     • A data role takes the "data" your role has access to (the object above) and slices it up by BU. Each data role has access to "one" slice.
  9. Powerpoint Demo
  10. Designing a New Role – Where to Start
      • Security Reference Implementation: gives example roles for each FSM Offering.
      • Log in to OER as Guest: https://fusionappsoer.oracle.com/oer/index.jsp
      • Search criteria: Type = Role, Logical Business Area = "All Fusion Apps…"
      • Under the Documentation tab, open up "Security Reference Manual".
  13. Let's say you want to add "View Customer Account Contact" to Billing Inquiry Duty.
  14. Creating/Changing Duty Roles – Start with FSM. Under "Define Security for … <your offering>", click on "Manage Duties".
  15. Find the Duty Role. Choose the right Application and search for the Duties.
  16. Can't find the Duty? Check:
      • Find Existing Policies
      • Application
      • Starts With vs Contains
      • Display Name vs Role Name
      Query up the Duty, then click on "Find Policies" to see the existing policies the role has.
  17. Alternatively, you can search by Role.
  18. Then open the Duty.
  19. And find Policies.
  20. "Open" Policies to see all policies.
  21. Targets/Privileges shown.
  22. Here's the privilege we wanted to add.
  23. Create a new functional policy.
  24. Add a target into the new policy.
  25. Search for the target (or entitlement).
  26. Give the new policy a name and save.
  27. Re-query the Duty. The new policy and target show up.
  28. Existing Data Security Policies. Apparently there are no data security policies for "Billing Inquiry Duty" as yet, which means data access behind the screen is not restricted at this level.
  29. Generating Data Roles
      • After you've implemented your system and have your BUs etc. in...
      • Figure out which role templates you want to use to generate your data roles (How?)
  30. Find the Role Template.
  31. Preview the Roles about to be generated.
  32. Verify that they look correct.
  33. Click on "Generate Roles".
  34. Terminology
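The access model on slides 7, 8 and 28 and the data role generation of slides 29 to 33, as an added Python example that is not part of the deck and uses no Oracle API: duty, job and data role classes, the screen and row checks they imply, and an audit of duties that carry no data security policy. "Invoice Management Duty", "Manage Invoices" and the job role names are assumed sample names.

```python
from dataclasses import dataclass, field

# Constructed model of the deck's objects (assumed names, not Oracle's APIs):
# a duty role carries a functional policy (targets = screens/entitlements) and
# zero or more data security policies (business object -> allowed actions).
@dataclass
class DutyRole:
    name: str
    targets: set[str]
    data_policies: dict[str, set[str]] = field(default_factory=dict)

@dataclass
class JobRole:            # the role template that duties hang off
    name: str
    duties: list[DutyRole]

@dataclass
class DataRole:           # generated from a job role, one per BU stripe
    name: str
    job: JobRole
    bu: str

def generate_data_roles(job: JobRole, bus: list[str]) -> list[DataRole]:
    """Mirror of 'Generate Roles': one data role per business unit."""
    return [DataRole(f"{job.name} {bu}", job, bu) for bu in bus]

def allowed(role: DataRole, screen: str, obj: str, action: str, row_bu: str) -> bool:
    """Functional policy gates the screen; the data security policy gates the rows."""
    for duty in role.job.duties:
        if screen not in duty.targets:
            continue
        if not duty.data_policies:
            return True  # slide 7: no data policy on the duty = every action on every object
        if action in duty.data_policies.get(obj, set()) and row_bu == role.bu:
            return True
    return False

def unrestricted_duties(job: JobRole) -> list[str]:
    """Audit helper: duties that expose screens but carry no data security policy."""
    return [d.name for d in job.duties if d.targets and not d.data_policies]
# Constructed sample: the deck's Billing Inquiry Duty with the added privilege
# and no data security policy (slide 28), beside a duty that does carry one.
BILLING_INQUIRY = DutyRole("Billing Inquiry Duty",
                           {"Manage Invoices", "View Customer Account Contact"})
INVOICE_MGMT = DutyRole("Invoice Management Duty", {"Manage Invoices"},
                        {"Invoice": {"Read", "Update"}})
BILLING_MANAGER = JobRole("Billing Manager", [INVOICE_MGMT])
BILLING_INQUIRER = JobRole("Billing Inquirer", [BILLING_INQUIRY])
MANAGER_BU1, MANAGER_BU2 = generate_data_roles(BILLING_MANAGER, ["BU 1", "BU 2"])
```

Running `unrestricted_duties` over every job role is the check slide 28 does by hand: any duty it lists is one whose screens expose all rows of all objects behind them.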
  35. Terminology Review
      • Security Reference Implementation
        • A complete example implementation of security for each Fusion Offering.
        • Details in the Security Reference Manuals for each product.
      • Role (External Role or Enterprise Role)
        • Created in LDAP (using Oracle Identity Manager).
        • Can also create a hierarchy of these Roles.
        • Normally data roles are generated, which also govern the Business Unit (or other determinant) stripe of data the user will see.
      • Role Category
        • A way to classify roles.
        • Examples from the Reference Implementation: HCM Abstract Roles, HCM Job Roles, Financials Job Roles, etc.
  36. Terminology
      • Abstract Role (External Role or Enterprise Role)
        • "Abstract" is nothing more than a category we seed to classify roles in our Reference Implementation.
        • Roles we seed in this category are accessory roles such as Employee, Contingent Worker, etc.: not a role you would find described on Monster.com.
        • Usually assigned directly; does not require a data role generated on top of it.
      • Job Role
        • Also nothing more than a category we seed.
        • Roles we seed in this category are roles that you would hire someone into: Accounts Payables Manager, Billing Clerk, etc.
        • Usually requires a data role generated on top of it.
  37. Terminology
      • Duty Role (Application Role or Principal)
        • The most granular form of role; it is created and managed in Authorization Policy Manager. Privileges and data security policies are assigned to it.
      • Functional Policy
        • Each policy contains a set of targets that the policy provides access to.
      • Entitlement (or Privilege or Target)
        • Screens, buttons, lists, web services or other code artifacts.
  38. Terminology
      • Data Security Policy
        • Specifies an Object and what actions you can do to it. The possible actions you can pick from to create a policy are pre-defined for each Business Object.
      • Database Resource
        • A database table or group of tables with data.
