8/19/2019 Fusion Role Based Security Model
Fusion Role Based Security Model
Oracle Fusion Applications use a role-based access-control security model, where users are assigned roles through which they gain access to functions and data within the applications. Unlike Oracle E-Business Suite (EBS), users do not need to select different responsibilities once they log in: all roles are active concurrently, i.e. users do not have to select any role when they sign in.
Role-based security in Oracle Fusion Applications controls WHO can do WHAT on WHICH data. For example: a line manager (who) can promote (what) an employee (which). This is also explained in the table below.

Who            What                      Which Data
Employee       Can see payslip           His own
Line Manager   Can transfer/terminate    A worker from his team
HR             Can give promotion        Employees from a particular organization
Understand with an example
At the beginning it sounds confusing, but once you get the basics it is as easy and convenient as responsibilities and functions in EBS. To understand it better, let us put a hypothetical business requirement in front of us.
Requirement : There is a security chief (let's say Mr. Security) responsible for taking care of all security measures in your organization. He needs to be given authority to terminate any employee caught violating security guidelines. In Oracle terminology, he needs to be given a new role to be able to terminate any employee within your organization.
Now the function to terminate an employee is already available with a few seeded roles like 'Manager' and 'HR Specialist', but you cannot assign them to Mr. Security. Using the seeded role 'Manager' he would be able to terminate only people falling under his manager hierarchy. You cannot assign the other seeded role 'HR Specialist' to Mr. Security either, as it comes with many other powerful privileges along with termination, which would be far more access than the requirement calls for.
So the only option is to create a new custom role only for terminating employees and assign it to Mr. Security. In the next steps we will see how this can be done.
Setup Steps
Now we know that we have to create a new role, but what should the type of the role be, given that Oracle Fusion delivers four different types of role? So let's talk about the different roles available in Fusion before we log in to the application and start setting things up.
Oracle Fusion Applications use four types of roles for security management, given below. The first three (data, job and abstract roles) can be assigned to users directly; duty roles cannot. Roles also inherit one or more other roles.
Data Roles
Data roles are a combination of a worker's job and the data instances on which that job can be performed. For example, the data role 'Payroll Administrator Payroll US' combines a job (Payroll Administrator) with a data instance (Payroll US). As the job is one factor, a data role inherits a job role, and for the data we attach a security profile to it (explained later).
Job Roles
A job role aligns with the job that a worker is hired to perform. Human Resource Analyst and Payroll Manager are examples of predefined job roles. Typically you include job roles in data roles and assign those data roles to users. The IT Security Manager and Application Implementation Consultant job roles are exceptions because they are not considered HCM job roles and do not restrict data using HCM security profiles.
Abstract Roles
Abstract roles represent a worker's role in the enterprise independently of the job that the worker is hired to do. There are three seeded abstract roles delivered with Oracle Fusion HCM: Employee, Line Manager and Contingent Worker. Abstract roles are assigned to users automatically when some event occurs, such as hiring an employee, terminating an employee or promoting an employee.
Duty Roles
A duty role aligns with the individual duties that users perform as part of their job, but it is not assigned to users directly. Duty roles grant access to work areas, dashboards, task flows, application pages, reports, batch programs and so on. Duty roles are inherited by job and abstract roles and can also be inherited by other duty roles. Needless to say, we can create custom roles too if needed.
The diagram below (image not reproduced in this copy) shows how some of the roles inherit others: a data role inherits a job role, and job and abstract roles inherit duty roles.
Data Security Through Security Profiles
Before we start our setup steps there is one more important topic to discuss: Security Profiles. A security profile identifies a set of data of a single type, such as persons or organizations, for example: all workers in department HCM US. We can assign security profiles to:
• Data roles
• Abstract roles
• Job roles
We can create HCM security profiles for the following HCM business objects (this list can change with future releases):
• Person
• Organization
• Position
• Legislative Data Group
• Country
• Document Type
• Payroll
• Payroll Flow
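To make the WHO/WHAT/WHICH model, the four role types and security-profile scoping concrete, here is an added example in Python. It is not code from the original post or from Oracle; it is a toy model of how privileges flow down the inheritance chain (data role → job role → duty role) and how the security profile on the directly assigned role decides which data the privilege applies to. The workers, legal employers, privilege names and the duty/job contents are constructed for the example; the custom role names follow the ones used later in this post. It shows why the custom data role is the least-privilege choice: it carries only the termination privilege and only for the selected legal employer, whereas the seeded HR Specialist carries much more, and Line Manager is limited to the reporting hierarchy.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample workers (not from the original post).
@dataclass(frozen=True)
class Worker:
    name: str
    legal_employer: str
    manager: Optional[str] = None   # name of the line manager, if any

WORKERS = {
    "Mr Security": Worker("Mr Security", "Operation US"),
    "Alice": Worker("Alice", "Operation US"),
    "Bob": Worker("Bob", "Operation US", manager="Alice"),
    "Carol": Worker("Carol", "Operation UK"),
}

# Security profiles ("WHICH data"): may `actor` act on `target`?
# This is a hypothetical model of HCM person security profiles.
Scope = Callable[[Worker, Worker], bool]

def view_all(actor: Worker, target: Worker) -> bool:
    return True                     # the 'View All' profile: no restriction

def own_record(actor: Worker, target: Worker) -> bool:
    return actor.name == target.name

def legal_employer(employer: str) -> Scope:
    """A person security profile 'secured by legal employer'."""
    return lambda actor, target: target.legal_employer == employer

def manager_hierarchy(actor: Worker, target: Worker) -> bool:
    """True if actor is somewhere above target in the reporting chain."""
    seen, current = set(), target.manager
    while current is not None and current not in seen:
        if current == actor.name:
            return True
        seen.add(current)
        current = WORKERS[current].manager
    return False

# Roles ("WHAT"): privileges plus inheritance. Only roles that are assigned
# directly to a user (data/abstract) carry a scope.
@dataclass
class Role:
    kind: str                       # "duty", "job", "abstract" or "data"
    privileges: frozenset = frozenset()
    inherits: tuple = ()
    scope: Optional[Scope] = None

ROLES = {
    "Worker Termination Duty": Role("duty", frozenset({"terminate_worker"})),
    "Worker Promotion Duty": Role("duty", frozenset({"promote_worker"})),
    "Worker Transfer Duty": Role("duty", frozenset({"transfer_worker"})),
    "Payslip View Duty": Role("duty", frozenset({"view_payslip"})),
    # seeded job role: carries far more than termination (constructed contents)
    "HR Specialist": Role("job", inherits=("Worker Termination Duty",
                                           "Worker Promotion Duty",
                                           "Worker Transfer Duty")),
    # the custom job role from this post: termination only
    "Avi Terminate Worker": Role("job", inherits=("Worker Termination Duty",)),
    # the custom data role: job role + security profile
    "Avi Terminate Worker - Operation US Only": Role(
        "data", inherits=("Avi Terminate Worker",),
        scope=legal_employer("Operation US")),
    # seeded abstract roles (constructed contents)
    "Employee": Role("abstract", inherits=("Payslip View Duty",), scope=own_record),
    "Line Manager": Role("abstract", inherits=("Worker Termination Duty",
                                               "Worker Transfer Duty"),
                         scope=manager_hierarchy),
}

# Assignments ("WHO").
ASSIGNMENTS = {
    "Mr Security": ("Employee", "Avi Terminate Worker - Operation US Only"),
    "Alice": ("Employee", "Line Manager"),
    "Bob": ("Employee",),
    "Carol": ("Employee",),
}

def effective_privileges(role_name: str) -> frozenset:
    """Privileges granted by a role and everything it inherits, transitively."""
    seen, stack, privs = set(), [role_name], set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        privs |= ROLES[name].privileges
        stack.extend(ROLES[name].inherits)
    return frozenset(privs)

def can(actor_name: str, privilege: str, target_name: str) -> bool:
    """WHO (actor) can do WHAT (privilege) on WHICH data (target)."""
    actor, target = WORKERS[actor_name], WORKERS[target_name]
    for role_name in ASSIGNMENTS.get(actor_name, ()):
        role = ROLES[role_name]
        if role.kind == "duty":
            raise ValueError(f"{role_name}: duty roles are never assigned directly")
        if privilege not in effective_privileges(role_name):
            continue
        # a directly assigned role without a security profile grants no data
        if role.scope is not None and role.scope(actor, target):
            return True
    return False

if __name__ == "__main__":
    for who, what, which in [("Mr Security", "terminate_worker", "Bob"),
                             ("Mr Security", "terminate_worker", "Carol"),
                             ("Mr Security", "promote_worker", "Bob"),
                             ("Alice", "terminate_worker", "Bob")]:
        print(f"{who} / {what} / {which}: {can(who, what, which)}")
```

Mr Security can terminate Bob (Operation US) but not Carol (Operation UK), and cannot promote anyone, because the only privilege reachable from his custom data role is termination. Alice, as a Line Manager, can terminate only workers below her in the reporting chain. Swapping the data role's scope for `view_all` is exactly what choosing 'View All' instead of a security profile does: the same privilege then applies to every worker.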
Okay, enough theory. By now we know that for our requirement we have to create a data role to assign to the user, and that data role should inherit a job role which in turn inherits a duty role. We also need to create a security profile to restrict the organization and attach it to the data role. Here are the steps:
Step #1 : Create a Job Role
To create a job role, search for the task 'Manage Job Roles' and click on Go to Task. This will open up a new window (OIM : Oracle Identity Manager).
Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name 'Manage Job Roles'
Click on the link 'Administration' in the top right corner. You will see a welcome page. Click on 'Create Role' under Roles and enter the details as given below. Once done, click on Save and close the window.
• Name : Avi Terminate Worker
Step #2 : Map Duty role with Job role
From the above diagram and explanation we know that a job role must inherit a duty role. So, to link a duty role with the job role we have created (Avi Terminate Worker), search for the task 'Manage Duties' and click on Go to Task.
Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name 'Manage Duties'
Once again this will open a new window (APM : Authorization Policy Manager). Click/select 'hcm' from Application Name and then click on 'Search External Roles' under Search and Create.
Note : All roles defined in Oracle Identity Manager (OIM) are treated as External Roles in Authorization Policy Manager (APM).
Now in the next page search for the role (Avi Terminate Worker) we created in OIM. In the search result section select the job role and click on 'Open Role'. You will see the following screen.
On the above page click on the 'Application Role Mapping' tab and then on the 'Map' icon. It will bring up a pop-up. Select 'hcm' as the application and search for the role 'Worker Termination Duty'. In the search result section click on the result and then click on 'Map Roles'. Now we have successfully mapped the duty role to our job role. This duty role is what gives the ability to terminate a worker, and it is the only duty we map, so the job role carries nothing else.
You must be wondering how I knew that I had to add only the 'Worker Termination Duty' duty role to the job role to give termination access. Do we need to remember all these duty roles? The answer is NO. You can download the mapping from the Oracle note 'Mapping Of Roles, Duties and Privileges in Fusion Applications' (Doc ID 1460486.1).
Step #3 : Run the process 'Retrieve Latest LDAP Changes'
Navigation : Navigator > Tools > Scheduled Processes
Now run the process 'Retrieve Latest LDAP Changes'. We need to run this program to synchronize roles between LDAP and HCM. After a successful run our job role will be available to HCM. Once the program status is Succeeded we can move to the next step.
Note : Please see the post 'Scheduling a Process in Oracle Fusion' (http://iavinash.com/scheduling-process-fusion/) to get an idea of how processes are scheduled in Fusion applications.
Step #4 : Create Security Profile (Optional)
Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for 'Manage Person Security Profile'
As we know, we can attach a security profile to a data role to give access to a particular set of data. If you do not create any security profile you can select the 'View All' option when creating the data role. Keep in mind that 'View All' places no restriction on the data, so the termination privilege would then apply to every worker in the instance; for our requirement we want to scope it. In this example we will create a security profile based on the Person security profile.
To create a security profile, search for the task 'Manage Person Security Profile' and click on the Go to Task icon. A new page will appear; in the search result section click on the Create icon.
On the Create Person Security Profile page, give it a name and select the check box 'Secure by Legal Employer'. From the list, select the legal employer for which you want Mr. Security to have access to terminate workers. Once done click on Save and Close. Click Yes if you receive a warning.
Step #5 : Create a Data Role
Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for 'Assign Security Profiles to Role'
Search for the task 'Assign Security Profiles to Role' and click on Go to Task. A new page will appear. In the search result section click on the Create icon.
First give your data role a name and select the job role that you created before. Once done click on Next.
In the next step of the guided process select the security profile that you created earlier. Once done click on Next.
NOTE : If you did not follow the previous step you can still create a security profile from here, or just select 'View All' from the list.
The next screen will show all security profiles associated with this data role. Click on Next again, which will bring up the Review page. Review it once and, when satisfied, click on Submit.
Step #6 : Create Role Provisioning Rule
Navigation : Navigator > Tools > Setup and Maintenance > All Tasks Tab > Search for Name 'Manage Role Provisioning Rules'
Using role provisioning rules (role mappings) we add an extra layer of control and can define which roles will be available to which set of users. Using them we can also set rules to automatically assign a role to users if predefined conditions are met.
Search for the task 'Manage Role Provisioning Rules' and click on Go to Task. On the next page click on Create under the search result section. Give a mapping name, select Conditions (left blank in this example) and in the Associated Roles section select the data role we have created. Please ensure the Requestable check box is selected and Autoprovision is unchecked. Click on Save and Close. With Conditions blank the data role is requestable for any worker; that is acceptable here only because it is not auto-provisioned and still has to be explicitly assigned to Mr. Security.
Note : If you notice, the 'Delegation Allowed' option is disabled because when we created our data role (step #5) we did not select the 'Delegation Allowed' check box. We will discuss role provisioning in detail in some other topic.
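Step #6 is where Fusion decides which users may see, or automatically receive, a role. The following added example (not the post's or Oracle's code) models a role mapping the way this post describes it: a name, optional conditions on the worker's assignment, and associated roles flagged Requestable and/or Autoprovision. The assignment attributes used in the conditions (legal employer, department, job, status) and the two extra mappings beside the post's own 'Conditions blank, Requestable, no Autoprovision' mapping are constructed for the example; the real product evaluates its own assignment attributes, and this is only a model of the semantics.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    """A worker's HCM assignment; attribute names are constructed for the example."""
    person: str
    legal_employer: str
    department: str
    job: str
    status: str = "Active"

@dataclass(frozen=True)
class MappedRole:
    role: str
    requestable: bool = False        # may be requested for a matching worker
    autoprovision: bool = False      # granted automatically when conditions match
    delegation_allowed: bool = False # only available if the role itself allows it

@dataclass
class RoleMapping:
    name: str
    conditions: dict                 # attribute -> required value; {} matches everyone
    roles: tuple

def matches(mapping: RoleMapping, assignment: Assignment) -> bool:
    """Every condition must hold; an attribute the assignment lacks never matches."""
    return all(getattr(assignment, attr, None) == value
               for attr, value in mapping.conditions.items())

def autoprovisioned_roles(assignment: Assignment, mappings) -> set:
    """Roles the worker receives without anyone asking."""
    return {r.role for m in mappings if matches(m, assignment)
            for r in m.roles if r.autoprovision}

def requestable_roles(assignment: Assignment, mappings) -> set:
    """Roles that can be requested/assigned for this worker (not granted yet)."""
    return {r.role for m in mappings if matches(m, assignment)
            for r in m.roles if r.requestable}

def reconcile(assignment: Assignment, held_autoprovisioned: set, mappings):
    """(to_add, to_remove) when autoprovisioning is re-run after the assignment
    changes; a role whose mapping no longer matches is taken away again."""
    due = autoprovisioned_roles(assignment, mappings)
    return due - held_autoprovisioned, held_autoprovisioned - due

# Constructed mappings. The first mirrors the one created in this post:
# no conditions, requestable, not autoprovisioned.
MAPPINGS = [
    RoleMapping("Terminate Worker - Operation US", {},
                (MappedRole("Avi Terminate Worker - Operation US Only",
                            requestable=True),)),
    RoleMapping("All active workers", {"status": "Active"},
                (MappedRole("Employee", autoprovision=True),)),
    RoleMapping("HR department, US",
                {"legal_employer": "Operation US", "department": "Human Resources"},
                (MappedRole("HR Specialist", autoprovision=True, requestable=True),)),
]

if __name__ == "__main__":
    mr_security = Assignment("Mr Security", "Operation US",
                             "Corporate Security", "Security Chief")
    print("auto:", autoprovisioned_roles(mr_security, MAPPINGS))
    print("requestable:", requestable_roles(mr_security, MAPPINGS))
    dana = Assignment("Dana", "Operation US", "Human Resources", "HR Specialist")
    held = autoprovisioned_roles(dana, MAPPINGS)
    moved = Assignment("Dana", "Operation US", "Finance", "Analyst")
    print("after transfer:", reconcile(moved, held, MAPPINGS))
```

Mr. Security gets Employee automatically (the abstract role, as the post notes) but only becomes eligible for the termination data role; someone still has to assign it (Step #7). The `reconcile` function shows the other side of autoprovisioning: when Dana leaves the HR department, the HR Specialist role her mapping granted is removed again, which is the behaviour you rely on so that powerful seeded roles do not outlive the condition that justified them.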
Step #7 : Assign Data Role to user
Now your data role is ready. You can assign it to any person. There are different ways to assign a role to a user: either through OIM or from the task 'Manage Users'. We are assuming you are already aware of these steps.
In the image below the data role was assigned through Oracle Identity Manager. You can see Mr. Security has two roles: Employee (abstract role) and 'Avi Terminate Worker - Operation US Only'.
Step #8 : Validate the Data Role Assigned to user
Navigation : Navigator > Person Gallery > Search for person
To validate the data role, Mr. Security will log in to the application. Navigate to Person Gallery and search for any worker. On the left-hand side under the Actions menu he will see the option to terminate the worker. Validate the restriction as well: searching for a worker belonging to a different legal employer should not offer the Terminate action.
You can go through the post 'Configure and Customize Approval Rules in Oracle Fusion' (http://iavinash.com/approval-rules-and-workflow-oracle-fusion/) to see how an approval can be customized for termination.
Additional Resources for Fusion Role Based Security
I hope you will also like to check the following Oracle notes:
• Mapping Of Roles, Duties and Privileges in Fusion Applications (Doc ID 1460486.1)
• Mapping Of Duty Roles To Top Level Menu Entries in Fusion Applications (My Oracle Support note)
Hope this article was of some help to you. You can let me know your thoughts by commenting in the comment section and/or by giving your review. You can also ask any question you have in our forum (http://ask.iavinash.com/).
In Fusion security we will encounter the following roles:
• Duty Role
• Job Role
• Abstract Role
• Data Role
• Data Access Set
Let us understand the above roles one by one in practical terms.
1. Duty Roles: A duty role is also known as an Application Role. Let's say a manager has a duty of creating invoices, approving invoices or creating journals. The duties of creating/approving invoices/journals are called Duty Roles.
2. Job Roles: Job roles are also known as External Roles. These roles are created in Oracle Identity Manager (OIM) and appear as external roles in Authorization Policy Manager (APM), where duties are mapped to them. Examples of these roles are Payables Accounts Manager, Chief Financial Manager, Finance Controller etc. Various duties will be assigned to a job role; in other words, a job role must have duty roles. For instance, Payables Accounts Manager will have the duties of creating invoices, approving invoices, running payment batches etc.
3. Abstract Roles: When an employee is hired by a company, by default he should get the role Employee, and in the case of a contractor he should get the role Contingent Worker. The functions assigned to them in this way are known as Abstract Roles.
4. Data Roles: As per business need, if we don't want the UK ledger to be accessed by a user in the US organisation, we take the help of a data role, which needs to be assigned selectively. When we create a ledger or business unit, the system automatically generates data roles that combine a job role with access to that ledger or business unit. A job role attached to a data role in this way is confined to that particular ledger or business unit; once that is done, the job role has access to the data and can perform the required functions on it.
5. Data Access Set: A data access set is mainly related to ledger data. Let's say within a ledger we have multiple balancing segments. For business reasons we don't want to give access to Company 1 to the user who has access to Company 12. In order to do so we have to create data access policies; this in turn creates a data role. In other words, when we create a ledger, by default it creates a role that has access to the entire ledger; however, with a data access set we can restrict the access to a particular balancing segment.
Below is the pictorial representation of the various roles discussed above (image not reproduced in this copy).