r12 system administrator fundamentals chapter 4

Upload: osmanmir

Post on 02-Jun-2018


  • 8/10/2019 R12 System Administrator Fundamentals Chapter 4

    1/12

    Copyright Oracle, 2009. All rights reserved.

    Introduction to Data Security, Chapter 4 - Page 1

    Introduction to Data Security, Chapter 4

    Objectives

    Data Security

    In this section, references to specific applications are used as examples only. Data Security is not implemented in all Oracle Applications products. Some applications may require organizations to create multiple responsibilities to operate with their existing security models. For more information, please consult the application-specific documentation.

    This section is meant to introduce data security and its concepts only. Custom implementation of data security or modification of shipped data security policies is not covered and is beyond the scope of this course. Extreme care should be taken if any customization or modification is done with data security implementations.

    Introduction to Data Security

    Introduction

    Working in conjunction with Function Security, Data Security provides additional access control on the data a user can see and what actions a user can perform on that data. Using Data Security, for example, you could control access to the set of orders that an order administrator can update within the Order Management application.

    Data Security Policies restrict the actions or operations that can be performed on a specific business object (for example, inventory items). Data Security Policies can reflect access to:

      - All Instances: All instances of an object represent all rows in the database table or view. For example, assume that we have an object, inventory item, in the database. Creating a data security policy for all instances of our object would result in providing access to every single inventory item we have catalogued in the database.

      - An Instance Set: An instance set is a related set of instances of an object. This corresponds to a set of rows in the database. Using our object example, an instance set could be constructed to include all inventory items with a shelf life of 7 days.

      - A Specific Instance: A specific instance generally corresponds to a single row in the database. A specific instance is generally identified by a primary key value for the object. Using our example, we could enter a unique serial number for the inventory item. This would return one and only one inventory item from the database.

    Data Security Components - Objects

    Objects

    (N) Functional Developer responsibility > Objects

    An object is a system entity on which an operation can be performed. In Oracle Applications, an object typically maps to records in relational tables/views, Forms/HTML pages, and UI widgets. Examples in Oracle Applications include: a person, a machine, and a file.

    Examples of operations include: Create, Update, Escalate, Approve, and Reject. In Oracle Applications, operations are implied by a permission definition. Permission has been defined as an operation on an object; for example, Invoke Service Request Form, Update Order, Approve Expense Report, and Query Customers.

    An object instance is a specific example of an object, such as Project Number 123 or User JDOE. An object instance generally corresponds to a row in the database, and is identified by a set of one or more primary key values as defined by the object.

    Related object instances can be grouped together into an object instance set.

    Grants

    (N) Functional Administrator Responsibility > Grants

    Grants are used to provide specified users access to specific objects or functions. Grants that deal with business objects are called Data Security Policies.

    Grants can also be used to control access to an application's functionality. For example, you could use a grant to secure an aspect of a menu, page, or other widget within the application. For example, you want to provide access to a set of administrative menus to a select group of users.

    The grantee defines who is being granted access. The grantee can be one of three types:

      - A group of users
      - A specific user: for example, Joe Smith
      - All users (global): all users of the system, except the Guest account

    Permissions and Permission Sets

    Permissions

    The Role Based Access Control (RBAC) Model defines permission as "an approval to perform an operation on one or more RBAC-protected objects." This definition maps to what has been referred to as functions earlier. Permissions can be grouped into permission sets.

    Permission sets can be granted to users or roles independently of menus or responsibilities. Permission assignments, or Grants, reflect the access granted to users through roles. Permissions are discussed more in the User Management lessons.

    Data Security Policies

    Using Data Security, access to a specific object can be specified using a data security policy. A data security policy restricts operations so that these operations can only be performed on a subset of instances of the corresponding database object (an object instance set). Data security policies can reflect access to:

      - All Instances (rows) of an object
      - An Instance Set, which is defined as a SQL predicate (WHERE clause), and can optionally be implemented as a VPD (Virtual Private Database) policy
      - A Specific Instance, identified by a primary key value
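The three policy scopes and the three grantee types described above can be modelled as a small row filter. This is an added example, not Oracle's implementation or schema: the table, the grant tuples, the permission names, the group name and the `GUEST` user name are all hypothetical, and the inventory rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a toy inventory table, not an Oracle Applications schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory_item "
               "(serial TEXT PRIMARY KEY, name TEXT, shelf_life_days INTEGER)")
    db.executemany("INSERT INTO inventory_item VALUES (?, ?, ?)",
                   [("SN-001", "milk", 7), ("SN-002", "yogurt", 7), ("SN-003", "rice", 365)])
    return db

# Instance sets are named, vetted WHERE-clause predicates with bound parameters.
INSTANCE_SETS = {"SHELF_LIFE_7_DAYS": ("shelf_life_days = ?", [7])}

# Hypothetical grants: (grantee_type, grantee, permission, scope, scope_value).
GRANTS = [
    ("GLOBAL", None, "QUERY_ITEM", "ALL", None),
    ("GROUP", "perishables_clerks", "UPDATE_ITEM", "SET", "SHELF_LIFE_7_DAYS"),
    ("USER", "jsmith", "UPDATE_ITEM", "INSTANCE", "SN-003"),
]

def grant_applies(grantee_type, grantee, user, groups):
    if grantee_type == "GLOBAL":
        return user != "GUEST"          # global grants exclude the Guest account
    if grantee_type == "GROUP":
        return grantee in groups
    return grantee == user              # USER grant

def permitted_serials(db, user, groups, permission):
    """Return the primary keys of the rows on which `user` holds `permission`."""
    clauses, params = [], []
    for gtype, grantee, perm, scope, value in GRANTS:
        if perm != permission or not grant_applies(gtype, grantee, user, groups):
            continue
        if scope == "ALL":              # every row of the object
            clauses.append("1 = 1")
        elif scope == "SET":            # rows matching the set's predicate
            predicate, bound = INSTANCE_SETS[value]
            clauses.append(f"({predicate})")
            params.extend(bound)
        else:                           # INSTANCE: one row, by primary key
            clauses.append("serial = ?")
            params.append(value)
    if not clauses:
        return []                       # no matching grant: default deny
    sql = ("SELECT serial FROM inventory_item WHERE "
           + " OR ".join(clauses) + " ORDER BY serial")
    return [row[0] for row in db.execute(sql, params)]
```

Grants are additive here: a user who holds both the group grant and the specific-instance grant can update the union of the two row sets, and a user with no matching grant gets no rows.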

    Example of a Data Security Policy

    The Customer Administrator role includes a grant to users with this role that gives customer administrators the ability to perform some basic administration privileges (All User Administration Privileges, defined by UMX_OBJ_ADV_ADMIN_PERMS) through a permission set.

    This grant specifies these permissions can be performed on the object (User Management Person, UMX_PERSON_CODE), but only on the instance set composed of people in the customer's own organization.

    Summary
