8/13/2019 User Management 2012
1/88
R12 Function and Data Security - UMX and Role Based Access Control
Presented by Susan Behn
VP, Oracle Practice
Infosemantics, Inc.
Agenda
User Management Layers
AOL Function and Data Security
New Read-only Diagnostic Function Security in 12.1.3
Role Based Access Control Overview
Building Blocks for User Management
Modeling Security Policy Examples
Delegated Administration
Provisioning
Self Service & Approvals
Proxy Users
References
User Management Layers
Core security levels 1 and 2 are accomplished through AOL or with grants and permissions
Core security level 3 is required for some apps
Administrative feature levels 4 to 6 are optional
Layer 6: User access requests with AME approval processes
Layer 5: Registration processes
Layer 4: Administer functions/data for specific groups
Layer 3: Grant access to roles that include function/data security
Layer 2: What data can a user see
Layer 1: What can a user do
AOL Function and Data Security
Responsibilities are the intersection of the following:
Menu (authorizes executable functions; allows for submenus and functions to be included/excluded)
Data Group (authorizes schemas; not used by OAF)
Request Group (authorizes concurrent programs)
Read-Only Diagnostics in 12.1.3
Function security through menus is still a significant piece of the puzzle. Look what's new!
Set profile option Hide Diagnostics Menu Entry to No
Assign one or more of the read-only subfunctions to the menu where this functionality is needed
The Apps password will not be requested in read-only mode
Read-Only Diagnostics 12.1.3
Example: the Payables, Vision Operations (USA) responsibility is linked to menu AP_NAVIGATE_GUI12
Leave Prompt and Submenu null
Role Based Access Control
RBAC: the RBAC standard supports the mapping of user access control based upon a user's role in the organization rather than their unique identity
Roles: a grouping of all the responsibilities, lower-level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task
Role Categories: organize roles into groups
Examples of Roles
Employee: create the Employee role with access to HR self service and iExpenses
AP Clerk: grant the Employee role; grant the AP Clerk role with access to AP clerk functions
Sales Rep: grant the Employee role; grant the Sales role with access to sales functions
AP Supervisor: grant the Employee role; grant the AP Clerk role; grant the AP Manager role with access to AP Manager functions
Components by Responsibility
System Administrator responsibility: manage responsibilities and related objects
User Management responsibility: layers 3 and up
Functional Administrator responsibility: function security layer
Functional Developer responsibility: data security layer
User Management Building Blocks
Objects: define the data to be secured (a table or view). Stored in FND_OBJECTS, FND_OBJECTS_TL
Object Instance Sets: a group of related object instances (rows) defined by a WHERE clause. Stored in FND_OBJECT_INSTANCE_SETS, FND_OBJECT_INSTANCE_SETS_TL
Managed in the Functional Developer responsibility
User Management Building Blocks
Permissions: two types, function and data
Function Security Permissions control access to abstract functions. Examples:
The executable function is access to the User Management > Roles & Role Inheritance form
Abstract functions defined as role permissions: Create Role, Assign Role, Manage Role, Revoke Role
Data Security Permissions control access to objects; data is limited by a WHERE clause
Stored in FND_FORM_FUNCTIONS, FND_FORM_FUNCTIONS_TL
User Management Building Blocks
Permission Sets: a grouping of permissions
Example: All User Administration Privileges
A permission set can contain other sets
Stored in FND_MENUS, FND_MENUS_TL, FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL
User Management Building Blocks
Grants: provide permissions for actions on a specified object
Attach function permissions and data permissions (data security policies) to a grantee
Grantee: who gets the grant - a role or group, a specific user, or all users
Data Security Policy: a grant that includes both an object and a permission set
Stored in FND_GRANTS
STACKING UP THE BUILDING BLOCKS
Modeling Security Policies
Step 1: Grant access to user management to appropriate users
Step 2: Identify or create permissions that group functions (function security)
Step 3: Identify product seeded objects / object instance sets (data security)
Step 4: Identify seeded grants / create grants
Step 5: Create roles / identify seeded roles
GRANT ACCESS TO USER MANAGEMENT TO APPROPRIATE USER(S)
Managing Users Step 1
By default, only Sysadmin has access to User Management
Grant a user management role to the appropriate user
Search for the user, then click the pencil to edit
Managing Users Step 1
Click the Assign Roles button to add a role
Click Assign Roles and then click the Apply button
Managing Users Step 1
Search for the Security Administrator role, check the box and click Select
Other seeded security roles include Customer Administrator and Partner Administrator
Customer Administrator: manage users with party type = customer
Partner Administrator: manage users with party type = partner
Managing Users Step 1
Enter a justification and click Apply
The User Management responsibility is inherited by assigning this role
Managing Users Step 1
In System Administrator > User > Define, User Management is shown as an indirect responsibility
STEP 2
IDENTIFY SEEDED PERMISSIONS / CREATE PERMISSIONS
Permissions
To demonstrate function security, Approvals Management will be used as the example
A user will be given access to perform all functions in Approvals Management
Go to Functional Administrator > Permissions to search for seeded permissions
Permissions
There are 16 permissions available for AME
Click the Update button to examine the AME Action Create permission
Permissions
This permission belongs to one permission set with the same name as the permission
Permission Set
Permissions are only part of the story
Examine the permission set by selecting it in the Permission Set tab and clicking the Update button
Permission Set
Notice the AME Action Create permission set includes more than one permission
Grants are made to permission sets, not to permissions
Become familiar with the security hierarchy
Working with seeded permissions, permission sets and other seeded user management components is a good way to learn user management concepts
Permission Set
In our example, we want the user to have access to ALL functions for a specific approval transaction type, which is called AP Invoice Approval
The permission set for all AME functions is AME All Permission Sets
The screenshot shows the other permission sets included in this set
STEP 3
SEEDED OBJECTS
Seeded Objects
To demonstrate data security, Approvals Management will be used again as the example
A user will be given access to manage the approval process for the payables invoice approval
Go to Functional Developer > Objects to search for available seeded objects
If an object is not available, you can create objects
Seeded Objects
Tip: query by responsibility to get familiar with what is seeded
Click Update to view details, but avoid changing seeded objects
Seeded Objects
Two columns are included which can be used to limit access
Note the Object Instance Sets tab and the Grants tab
Seeded Objects
Click on the Object Instance Set tab for this object to view the WHERE clause
The predicate allows the user to enter the parameters that select the application and transaction type in the grant
STEP 4
IDENTIFY SEEDED GRANTS / CREATE GRANTS
Grants
Create the grant to allow sbehn to perform all AME functions for the payables invoice approval transaction type
Click on the Grants tab. Notice this takes you to the same form as you see in the Functional Administrator responsibility
We are going to enter an object in this case to establish a Data Security Policy
Grants
Enter name, description, grantee type and grantee
Enter the object name
Click Next
Grants
Choose the context to limit rows. For this example, choose Instance Set
Grants
We already determined there was an AME Transaction Type instance set
Choose this value and click Next
Grants
Now enter the values for the parameters we saw earlier in the object instance set
The predicate is displayed for reference
Parameter 1 is the application
Parameter 2 is the AME transaction type
Grants
Scroll down and choose the functions the grantee will be allowed to execute for this group of data by selecting the permission set AME All Permission Sets
Grants
The final page is a review page
Click Finish and the confirmation page will appear
Now you have access to data and to the functions you can perform on that data
Click OK
Role Based Access Control
In step 1, we gave someone access to user management
In step 2, we identified the AME All Permission Sets permission set to provide function security
In step 3, we identified the AME Transaction Types object to provide data security
In step 4, we joined the function and data security together in a grant to allow SBEHN to perform all AME functions for Payables Invoice Approvals
But the user still doesn't have access to the responsibility used to manage AME
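The building blocks listed under User Management Building Blocks, and the way steps 2 to 4 stack them, can be made concrete in a few lines: a permission set that nests other sets, a grant that joins a permission set to an object whose instance-set predicate takes its values from the grant parameters, and roles that inherit roles. The Python below is an added example written for this deck; it is not Oracle code and does not reproduce any FND table logic. The class and function names, the predicate text in the &TABLE_ALIAS / &GRANT.PARAMETERn style, and the values SQLAP and AP Invoice Approval are assumptions constructed to mirror the walkthrough, not seeded definitions.

```python
"""Toy model of the R12 User Management building blocks the deck stacks up:
nested permission sets, objects with parameterised instance-set predicates,
grants, and roles that inherit roles. Added illustration for this deck, not
Oracle code; every name, predicate and parameter value is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
import re


@dataclass
class PermissionSet:           # grouping of permissions; may contain other sets
    name: str
    permissions: set[str] = field(default_factory=set)
    subsets: list[PermissionSet] = field(default_factory=list)

    def all_permissions(self) -> set[str]:
        perms = set(self.permissions)
        for sub in self.subsets:
            perms |= sub.all_permissions()
        return perms


@dataclass
class Grant:                   # grantee + permission set; with an object = data security policy
    grantee_type: str          # "USER", "ROLE" or "ALL"
    grantee_key: str
    permission_set: PermissionSet
    obj: str | None = None
    predicate: str | None = None   # instance set WHERE clause; None = every row of the object
    parameters: dict[str, str] = field(default_factory=dict)


@dataclass
class Role:                    # direct responsibilities plus inherited roles
    name: str
    responsibilities: set[str] = field(default_factory=set)
    inherits: list[Role] = field(default_factory=list)

    def all_responsibilities(self) -> set[str]:
        resps = set(self.responsibilities)
        for parent in self.inherits:
            resps |= parent.all_responsibilities()
        return resps


_CLAUSE = re.compile(r"\s*&TABLE_ALIAS\.(\w+)\s*=\s*'?([^']*?)'?\s*$")


def predicate_matches(predicate: str, parameters: dict[str, str], row: dict) -> bool:
    """Fill &GRANT.PARAMETERn from the grant, then evaluate ANDed
    '&TABLE_ALIAS.COL = value' clauses (assumed predicate shape) against one row."""
    for key, value in parameters.items():
        predicate = predicate.replace(f"&GRANT.{key}", value)
    for clause in re.split(r"\s+AND\s+", predicate, flags=re.IGNORECASE):
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        column, expected = match.groups()
        if str(row.get(column)) != expected:
            return False
    return True


def authorized(user: str, user_roles: set[str], grants: list[Grant],
               function: str, row: dict | None = None) -> bool:
    """True when a grant reaching `user` (directly, via a role, or to all users)
    carries `function`; a data grant additionally needs `row` inside its instance set."""
    for g in grants:
        if g.grantee_type == "USER" and g.grantee_key != user:
            continue
        if g.grantee_type == "ROLE" and g.grantee_key not in user_roles:
            continue
        if function not in g.permission_set.all_permissions():
            continue
        if g.obj is None:                  # function security only, no data policy
            return True
        if row is None or row.get("object") != g.obj:
            continue
        if g.predicate is None or predicate_matches(g.predicate, g.parameters, row):
            return True
    return False


# Constructed scenario following steps 2 to 4 of the deck
AME_ACTION_CREATE = PermissionSet("AME Action Create", {"AME_ACTION_CREATE", "AME_ACTION_QUERY"})
AME_ALL = PermissionSet("AME All Permission Sets", subsets=[AME_ACTION_CREATE])
TXN_TYPE_PREDICATE = ("&TABLE_ALIAS.APPLICATION = '&GRANT.PARAMETER1' AND "
                      "&TABLE_ALIAS.TRANSACTION_TYPE = '&GRANT.PARAMETER2'")
GRANTS = [Grant("USER", "SBEHN", AME_ALL, "AME_TRANSACTION_TYPES", TXN_TYPE_PREDICATE,
                {"PARAMETER1": "SQLAP", "PARAMETER2": "AP Invoice Approval"})]
AP_INVOICE_ROW = {"object": "AME_TRANSACTION_TYPES", "APPLICATION": "SQLAP",
                  "TRANSACTION_TYPE": "AP Invoice Approval"}
PO_ROW = {"object": "AME_TRANSACTION_TYPES", "APPLICATION": "PO",
          "TRANSACTION_TYPE": "Purchase Order Approval"}

# Roles from the deck's "Examples of Roles" slide
EMPLOYEE = Role("Employee", {"HR Self Service", "iExpenses"})
AP_CLERK = Role("AP Clerk", {"Payables Clerk"}, [EMPLOYEE])
AP_MANAGER = Role("AP Manager", {"Payables Manager"})
AP_SUPERVISOR = Role("AP Supervisor", inherits=[AP_CLERK, AP_MANAGER])
```

With these definitions, `authorized("SBEHN", set(), GRANTS, "AME_ACTION_CREATE", AP_INVOICE_ROW)` is true while the same call on `PO_ROW` is false: the permission set supplies the function and the instance-set predicate, filled from Parameter 1 and Parameter 2, limits the rows, which is exactly the function-plus-data join the grant form builds. A grant with no object is pure function security and needs no row; a role-level grant reaches every user holding that role, and `AP_SUPERVISOR.all_responsibilities()` shows how inherited roles accumulate responsibilities.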
STEP 5
CREATE ROLE CATEGORIES / CREATE ROLES / ASSIGN RESPONSIBILITIES TO ROLES
Assign Roles
Assign AME roles to SBEHN the same way we assigned the Security Administrator role
Query the user and click the pencil
Assign Roles
Click the Assign Roles button
FULL UTILIZATION OF RBAC
ROLE CATEGORIES
CREATING ROLES FOR RESPONSIBILITIES
Role Categories
User Management > Role Categories
Click the Update button
Role Categories
Click Add Another Row
Role Categories
Add a category to help organize your roles
Click Apply
Create Role
User Management > Role & Role Categories
Click Create Role
Create Role
Select the category, provide the role code, display name, description and application, and click Apply
Create Role
To add a responsibility: re-query the role, click View in Hierarchy, then click Add Node
Create Role
Query the responsibility required, then click the Quick Select icon
Create Role
The Payables Manager role now includes the Payables Manager responsibility
Add other responsibilities as needed
Seeded Roles
Oracle has provided seeded roles for Approvals Management, Diagnostics, Learning Management, Territory Management, User Management, Integration Repository, iReceivables and iSetup
To see what's new after patches, look for roles in the User Management responsibility or query WF_ALL_ROLES_VL
New Surprises: Access to iRep
Release 11i: go to My Oracle Support
Early R12: assign the responsibility Integrated SOA Gateway
Release 12.1+: assign one of the following roles
Roles vs. Responsibilities
User Management > Roles & Role Inheritance
Responsibilities start with FND_RESP
No inherited privileges
Roles start with UMX
Logically group roles, responsibilities, permissions and data security policies
Must include at least one responsibility
DELEGATED ADMINISTRATION
Delegated Administration
Create local administrators to manage a subset of users and/or roles
What is required?
A role that grants User Management > Users to the user who will be the delegated administrator
A grant of a subset of UMX_PERSON_OBJECT defining which users can be administered
A grant of a permission set with the appropriate privileges: Query Person Details, Edit Person Details, Manage User Accounts, Reset Passwords
Delegated Administration
Presentations with good examples
Create a role to administer a specific organization: Collaborate 2009, From Responsibilities to Roles: Moving Toward the Role Based Access Control (RBAC) Model, Marquette University
Create a junior workflow administrator: Collaborate 2009, What's New in Workflow: 11i RUP5, RUP6 and R12, Karen Brownfield and Susan Behn
PROVISIONING
Provisioning (Registration)
Three types supported
Self-service account requests, typically invoked from a web page: Collections Self Registration, iReceivables Self Registration
Requests for additional access: Employee Registration
Account creation by administrators: Account Creation for Existing Person
Provisioning (Registration)
Other products also utilize the user management registration engine for their registration process, but they access the registration process through their own UI
Example: iSupplier
Consult the implementation guide for those products to utilize those registration processes
iSupplier users are not created in user management
Provisioning (Registration)
Update an existing process, or duplicate one to create new processes
Provisioning (Registration)
See the Oracle User Management Developer Guide
Example: Self Service Account Creation
Provisioning (Registration)
Example: Self Service Account Creation
Create pages to ask all the required questions
A business event which raises a workflow for approval and identity verification notification
An event to invoke custom business logic
An AME transaction type to manage approvals
Registration Process Flow
SELF SERVICE AND APPROVALS
Self Service and Approvals
Once registration processes are configured, users perform self service tasks to request access
Log in and click the Preferences button in the top right corner
Click the Access Requests button on the left side of the screen
Current roles will be displayed. Click the Request Access button
Self Service and Approvals
Select the role to add and click next
Enter a justification and click next
Self Service and Approvals
Review and click submit
Note the warning: for iReceivables, additional information is required. Click on the link to enter the additional information
Self Service and Approvals
Once all the requested information is entered, the business event will raise the workflow to complete the registration process
Proxies
Proxy authority can be granted to another user for a specific time period, for example to cover a vacation or leave of absence
The delegator grants/revokes the proxy privilege to a user
The user utilizes the proxy switcher feature to change roles
All forms will show the proxy mode status
Audit control: actions are tracked to show the delegate is acting on behalf of the delegator
Proxies
In order to delegate or receive authority, users must have the Manage Proxies role
Query the user, click the pencil to update, click the Assign Roles button and add the Manage Proxies role
Enter a justification and save
Proxies
Click the Preferences button. There is now a new Manage Proxies function
The Add People button will allow the user to designate a proxy user
Proxies
Add a user and apply. Now the Operations user can act on my behalf
Set an End Date at this time if this is to cover a fixed vacation period or other leave of absence
Proxies
When the Operations user is logged in, a Switch User option will be available
Notice that the user is currently logged in as OPERATIONS
Click the Switch icon to switch users
Proxies
Now there is a Return to Self button
The user is logged in as Operations, operating as proxy for SBEHN
Proxies
Run the Page Access Tracking Data Migration concurrent program to populate the Proxy Report. There are no parameters
Then go back to Manage Proxies and click the Run Proxy Report button
Proxies
The report shows all navigation completed by the proxy user
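The proxy flow on the Proxies slides above (both sides holding the Manage Proxies role, a proxy named for a time period with an End Date, the Switch User option, and the Proxy Report listing navigation done on the delegator's behalf) as an added Python example written for this deck. It is not Oracle code; the record shapes, the role check, the page names and the dates are constructed assumptions that model the behaviour the slides describe.

```python
"""Toy model of R12 proxy users: a delegator names a proxy for a bounded period,
the proxy switches identity, every page visit is audited with both identities,
and the proxy report lists navigation done on the delegator's behalf.
Added illustration for this deck, not Oracle code; all shapes and values are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MANAGE_PROXIES = "Manage Proxies"      # role the deck says delegator and delegate both need


def on(day: str) -> date:
    """Parse an ISO date string (helper so callers need no datetime import)."""
    return date.fromisoformat(day)


@dataclass
class ProxyGrant:
    delegator: str
    delegate: str
    start_date: date
    end_date: date | None = None       # None = no End Date set (open-ended)

    def active_on(self, day: date) -> bool:
        return self.start_date <= day and (self.end_date is None or day <= self.end_date)


@dataclass
class AuditEntry:
    acting_user: str                   # who is actually logged in (e.g. OPERATIONS)
    on_behalf_of: str | None           # delegator while in proxy mode, else None
    page: str


class ProxyRegistry:
    def __init__(self, user_roles: dict[str, set[str]]) -> None:
        self.user_roles = user_roles
        self.grants: list[ProxyGrant] = []
        self.audit: list[AuditEntry] = []

    def add_proxy(self, delegator: str, delegate: str, start: date,
                  end: date | None = None) -> bool:
        """Delegator designates a proxy; refused unless both hold Manage Proxies."""
        for user in (delegator, delegate):
            if MANAGE_PROXIES not in self.user_roles.get(user, set()):
                return False
        self.grants.append(ProxyGrant(delegator, delegate, start, end))
        return True

    def revoke(self, delegator: str, delegate: str) -> None:
        self.grants = [g for g in self.grants
                       if not (g.delegator == delegator and g.delegate == delegate)]

    def can_switch(self, session_user: str, target: str, today: date) -> bool:
        """The Switch User option is valid only inside an active grant, one way."""
        return any(g.delegate == session_user and g.delegator == target and g.active_on(today)
                   for g in self.grants)

    def visit(self, session_user: str, page: str, today: date,
              proxy_for: str | None = None) -> AuditEntry:
        """Record a page visit; proxy mode is stamped only if the switch is valid."""
        if proxy_for is not None and not self.can_switch(session_user, proxy_for, today):
            raise PermissionError(f"{session_user} may not act for {proxy_for} on {today}")
        entry = AuditEntry(session_user, proxy_for, page)
        self.audit.append(entry)
        return entry

    def proxy_report(self, delegator: str) -> list[AuditEntry]:
        """Navigation performed by proxies on behalf of `delegator`."""
        return [e for e in self.audit if e.on_behalf_of == delegator]


def demo() -> ProxyRegistry:
    """Constructed scenario: SBEHN covers a fixed leave by naming OPERATIONS as proxy."""
    reg = ProxyRegistry({"SBEHN": {MANAGE_PROXIES}, "OPERATIONS": {MANAGE_PROXIES},
                         "JSMITH": set()})
    reg.add_proxy("SBEHN", "OPERATIONS", on("2012-08-01"), on("2012-08-15"))
    reg.visit("OPERATIONS", "Manage Proxies", on("2012-08-10"))                  # own identity
    reg.visit("OPERATIONS", "AP Invoice Workbench", on("2012-08-10"), "SBEHN")   # proxy mode
    return reg
```

Running `demo()` and then `proxy_report("SBEHN")` returns only the AP Invoice Workbench visit, stamped with OPERATIONS as the acting user and SBEHN as the delegator, which is the dual-identity record the deck's audit control relies on; a switch attempted after the End Date, or by a user without the Manage Proxies role, is refused.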
Security Reports
Reports are available for lists of users, roles/responsibilities, functions and data security objects
Reports can be generated in HTML, Excel or PDF
Summary
RBAC allows organizations to create roles based on job functions: less maintenance after initial setup, better security
Delegated administration allows organizations to decentralize the management of users. Will this help your organization distribute the load of user access assignments more efficiently, or provide better security across global organizations?
Registration processes enable organizations to automate the process of providing user access. Think about how much time system administrators or DBAs would save over a period of one year by automating this process
Self Service requests and approvals allow users to request access: less paper, more efficiency
References
Oracle EBS User Management SIG: http://ebsumx.oaug.org/
Oracle Applications System Administrator's Guide - Security
Oracle User Management Developer Guide
My Oracle Support ID 553547.1: Data Security Terminology
My Oracle Support ID 553290.1: Introduction to the Grants Security System and Data Security
Books Co-Authored by Susan Behn
The Release 12 Primer: Shining a Light on the Release 12 World
The ABCs of Workflow for Oracle E-Business Suite Release 11i and Release 12
Thank You!
Susan Behn
susan.behn@infosemantics.com
www.infosemantics.com