Session ID: 11063
Remember to complete your evaluation for this session within the app!
Setting Up Security for Oracle ERP Cloud
April 8th, 2019
Zsolt Varga
PM & BA
AXIA Consulting
Solving Complex Business & Technology Problems with Experience & Knowledge
Core Values…
Be Vested
Be Authentic
Be There
Be Approachable
Be Honest
Committed To Excellence
Our client relationships start with a project and turn into lasting partnerships.
Local & Global
Delivering results for clients in more than 54 countries over 6 continents.
AXIA Consulting (founded in 2005 and 100% employee owned) helps clients identify and solve complex problems with teams of experts averaging over 20 years of experience. AXIA is different from other integrators because we do not “leverage” a few highly experienced consultants with less experienced resources.
AXIA Oracle Service Offerings
• Oracle Consulting
• Mergers & Acquisitions
• Implementations & Functional Extensions
• EBS Assessments & Roadmap
• Upgrades
• Client Advisory Services
About The Speaker
Zsolt Varga
▪ Project Manager, Senior Business Analyst, Employee Owner
▪ 12 years of Consulting Experience
▪ Extensive EBS FIN & ERP FIN Cloud Knowledge:
• General Ledger
• Subledger Accounting
• Cash Management
• Payables
• Procurement
• Receivables
• Order Management
• Inventory
• Tax
• Projects
• Fixed Assets
Session Objectives
• Enterprise Resource Planning Cloud
• Security Console & Functional Setup Manager
• Functional Security – Abstract, Job & Duty Roles, Privileges
• Data Security – Data Roles, Security Profiles & Data Access
• Auto-Provisioning
• CoA Segment Security & CVRs
• BI Permissions
Client & Project
Client Overview:
SHELBY COUNTY SCHOOLS
• Tennessee’s largest school district
• Among the 25 largest public school districts in the US
• Over 200 schools
• Approx. 12000 employees
• Total budget: $1.34 Billion
• Founded in 1867
Project Overview:
ORACLE CLOUD HCM, FSCM & PBCS
• Implementation & Configuration
• Conversion & CEMLI
• Testing & Training
• Business Process Transformation & OCM
Navigation in Oracle Cloud
Home, Favorites and Recent Items, Watchlist, Notifications
Security Console
IT Security Manager
Security Console > Single Sign-On
Security Console > Administration > Bridge for Active Directory
Functional Setup Manager
Here you will:
• manage Data Access
• set up Security Profiles and assign them to Data Roles
• implement Role Provisioning Rules for automation
• configure Security Rules
• create Cross Validation Rules
Fusion Role Based Security
Oracle Cloud uses Role-Based Access Control (RBAC) that secures access in a “who can do what on which functions or sets of data under what conditions” approach. The "who" is the user. The "what" are the abstract operations or entitlements to actions applied to resources. For example, view and edit are actions, and task flows or rows in data tables are resources.

Entitlement secures access rights to application functions and data. Function access entitlement is granted explicitly to duty roles. This implicitly grants the function access to the job and abstract roles that inherit the duty roles. Data access entitlement is granted implicitly to abstract and job roles through data security policies on their inherited duty roles. Data access entitlement is granted explicitly to a data role through a data security policy applied directly to the inherited job or abstract role.
Fusion Role Based Security
Explicit entitlement names the specific function or data that the holder of the entitlement is authorized to access. Only duty roles hold explicit entitlement to functions. An entitlement to a function allows one or more actions (update, create and view) applied to a resource (for example, a task flow). Data roles hold explicit entitlement to data. Data roles are entitled access to functions through inherited role hierarchies.

Implicit entitlement names roles to which explicit entitlement is granted through a role hierarchy. Abstract, job, and data roles have implicit access to functions through duty roles that they inherit. Abstract, job, and duty roles have implicit access to data through data security policies. Data is also secured implicitly with the underlying data model of the product family records.
Roles & Privileges
Data roles combine a worker's job and the data that users with the job must access.
Abstract roles represent a worker's role in the "enterprise" independently of the job that you hire the worker to do. These are HCM roles; examples are Employee, Contingent Worker and Line Manager.
Job roles represent the job that you hire a worker to perform.
Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies.
Duty roles represent a logical grouping of functional security privileges.
Users to Roles to Privileges
An example of how the structure of an assignment looks:
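The user-to-role-to-privilege structure described above, as an added example that is not part of the presentation: a small model of the role hierarchy that resolves a user's effective function and data entitlements, the kind of check an access review would run. All role, privilege, policy and user names are assumptions constructed for illustration.

```python
# Added example, not from the presentation. Models the Fusion role hierarchy:
# only duty roles hold explicit function privileges; job/abstract roles inherit
# duty roles; a data role inherits a job role and adds its own data policy.
# Every name below is constructed for illustration.

DUTY_PRIVILEGES = {  # explicit function entitlement lives only on duty roles
    "Journal Entry Duty": {"Create Journal", "Edit Journal", "View Journal"},
    "Journal Approval Duty": {"Approve Journal"},
    "Person Self-Service Duty": {"View Own Payslip"},
}

# Data security policies as (resource, action, condition); duty roles carry
# them, and the data role carries the one applied to its inherited job role.
DATA_POLICIES = {
    "Journal Entry Duty": {("Journal", "Manage", "Journal.LedgerId in data access set")},
    "General Accountant - US Ledger": {("Ledger", "Manage", "Ledger = US Primary")},
}

INHERITS = {  # role -> roles it inherits
    "General Accountant": ["Journal Entry Duty", "Journal Approval Duty"],  # job role
    "Employee": ["Person Self-Service Duty"],                                # abstract role
    "General Accountant - US Ledger": ["General Accountant"],               # data role
}

USER_ROLES = {"zvarga": ["General Accountant - US Ledger", "Employee"],
              "jdoe": ["Employee"]}

def inherited_roles(role, seen=None):
    """Transitive closure of the hierarchy, including the role itself (cycle-safe)."""
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        for parent in INHERITS.get(role, []):
            inherited_roles(parent, seen)
    return seen

def user_roles_closure(user):
    return {r for top in USER_ROLES.get(user, []) for r in inherited_roles(top)}

def effective_functions(user):
    """Function privileges reach a user only implicitly, via inherited duty roles."""
    return set().union(*(DUTY_PRIVILEGES.get(r, set()) for r in user_roles_closure(user)))

def effective_data(user):
    """Data access is the union of data security policies on every inherited role."""
    return set().union(*(DATA_POLICIES.get(r, set()) for r in user_roles_closure(user)))

def users_with_privilege(privilege):
    """Reverse lookup for access reviews: which users can perform this function?"""
    return sorted(u for u in USER_ROLES if privilege in effective_functions(u))
```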
Roles & Privileges & Inheritance
Job Roles towards Privileges
Job Roles towards Roles or Privileges
Job Roles towards Users
Security Console > Administration
Custom Role Creation
Unfortunately, at the moment there is no export/import functionality for job roles in the system.
HCM Person & User
It is trivial, but to be able to sign in to Oracle Cloud applications you will need a User. Also, as discussed earlier, Roles are assigned to Users.
So basically our prerequisite setups for assignments are:
• Home > My Team or My Client Groups > New Person > Tasks > Add a Pending Worker
• Home > Tools > Security Console > Users > Add User Account
Of course, you can use HCM Data Loader or Import Worker Users.
Users
Add Roles to Users
Unfortunately, at the moment there is no export/import functionality for user-to-job-role assignments in the system.
However, there is a self-requesting functionality, if you allow users to manage their own accounts.
Processes
There are certain processes that have to be run, and then also scheduled to recur, to keep your system in sync:
• Run User and Roles Synchronization Process
• Import Users and Roles into Application Security
• (There are further %LDAP% programs in Scheduled Processes)
These 2 main processes make sure that setups are the same in LDAP (Lightweight Directory Access Protocol), the policy store, the Applications Core Grant schema and the Oracle Fusion Applications Security tables. As a result, your system and Security Console are fast and reliable.
Submit Processes & Manage Applications Security Preferences
Data Roles & Security Profiles
This functionality can be used mainly for HCM custom Data Roles creation to grant or restrict data access via Security Profiles.
Data Roles
Security Profiles
Examples of usage:
• Organization SP works with an HCM Department Tree, Org Tree, Org Classification, or specific Department(s) or Org(s).
• Country SP uses Territories or Countries.
• Position, Document Type and Person SPs are definitely HCM oriented.
The first two examples work for ERP Cloud as well…
Data Access
Manage Data Access for Users
Users, Roles & Security Context
Security Context:
Create Data Access in Spreadsheet (ADFdi)
Your Spreadsheet is based on your Search.
Authorize Data Access tab shows missing setups.
You can fill in Security Context Value for these lines or even create new lines.
Create Data Access in Spreadsheet (ADFdi)
View Data Access tab shows existing setups.
You can use these as examples.
Data Access cannot be Auto-Provisioned.
Manage Data Access Set
• Full Ledger or Primary BSV
• Ledger or Ledger Set
• Read and Write or Read Only
Auto-Provisioning
Home > Setup and Maintenance > Financials > Manage HCM Role Provisioning Rules
Role Mapping Rules
As the setup name hints, HCM related objects can be used, like Job, Position, Location, Department, etc., and you can work with BU.
Role Provisioning Rules
Roles are directly assigned to Users.
Roles are not assigned to Jobs or Positions.
This automation helps to create these Role to User assignments based on Conditions.
This functionality works well for HCM Cloud but has limitations for ERP Cloud.
Maintenance effort for these Rules should be assessed and compared to the effort of handling assignments manually.
CoA Segment Security
Home > Setup and Maintenance > Financials > Manage Chart of Accounts Value Sets
Security enabled Value Set
After you have enabled security, entered the Data Security Resource Name and clicked Save…
You can Edit Data Security
Edit Data Security – Conditions
Conditions let you define your segment value inclusions, exclusions, ranges, etc.
You can even work with Tree Operators…
Edit Data Security – Policies
You can use Policies to link Roles to Conditions (in which you earlier specified your Segments)
Edit Data Security – Policies
Cross Validation Rules
CVR Condition & Validation Filters
Use Conditions for restriction and Validations for exception (within restriction)
CVR Error Message
Create CVRs in Spreadsheet (ADFdi)
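The two chart-of-accounts controls described above (segment security Conditions linked to Roles through Policies, and CVR Condition and Validation filters), as an added example that is not part of the presentation: an evaluator that reports why an account combination would be rejected, useful for testing a rule set before it goes live. Segment names, values, roles and rule texts are assumptions constructed for illustration, and ranges compare as fixed-width strings.

```python
# Added example, not from the presentation. Segment security: a policy grants a
# role a condition (include / exclude / range) on a secured segment. CVR: when
# the Condition filter holds, the Validation filter (the exception) must hold
# too, or the combination is rejected. All values are constructed.

SECURED_SEGMENTS = {"Company", "Account"}   # value sets with security enabled

SEGMENT_POLICIES = {  # role -> segment -> condition granted by a policy
    "General Accountant - US": {
        "Company": {"include": {"100", "200"}},
        "Account": {"range": ("1000", "5999"), "exclude": {"1999"}},
    },
}

CVRS = [  # (name, condition filter, validation filter, error message)
    ("Expense only in Sales",
     {"Company": {"include": {"100"}}, "Account": {"range": ("5000", "5999")}},
     {"Department": {"include": {"300"}}},
     "Company 100 expense accounts 5000-5999 are restricted to Department 300"),
]

def matches(spec, value):
    """True when one segment value satisfies an include/exclude/range spec."""
    if "include" in spec and value not in spec["include"]:
        return False
    if "exclude" in spec and value in spec["exclude"]:
        return False
    if "range" in spec and not spec["range"][0] <= value <= spec["range"][1]:
        return False
    return True

def filter_matches(flt, combo):
    """A filter holds when every segment it names matches the combination."""
    return all(matches(spec, combo.get(seg, "")) for seg, spec in flt.items())

def segment_security_errors(roles, combo):
    """A secured segment value is allowed only if some role's policy grants it."""
    errors = []
    for seg, value in combo.items():
        specs = [SEGMENT_POLICIES.get(r, {}).get(seg) for r in roles]
        if seg in SECURED_SEGMENTS and not any(s and matches(s, value) for s in specs):
            errors.append(f"{seg} value {value} is not granted to the user's roles")
    return errors

def cvr_errors(combo):
    """Condition true and validation false means the CVR rejects the combination."""
    return [f"{name}: {msg}" for name, cond, val, msg in CVRS
            if filter_matches(cond, combo) and not filter_matches(val, combo)]

def check_combination(roles, combo):
    """All errors for one account combination; an empty list means it is valid."""
    return segment_security_errors(roles, combo) + cvr_errors(combo)
```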
Business Intelligence Permissions
BI Report Assignments
Assign Reports to Roles and/or Users and set Permissions…
BI Permissions
Modify Permissions for Report to Member assignments…
Choose from options or customize…
Thank you!
April 8
April 10
April 11
…and do not forget to visit our booth! :-)