Setting Up Security for Oracle ERP Cloud

Session ID: 11063. Prepared by: Zsolt Varga, PM & BA, AXIA Consulting. April 8th, 2019. Remember to complete your evaluation for this session within the app!


Page 1: Setting Up Security for Oracle ERP Cloud Session ID

Setting Up Security for Oracle ERP Cloud

Session ID: 11063

Prepared by: Zsolt Varga, PM & BA, AXIA Consulting

April 8th, 2019

Remember to complete your evaluation for this session within the app!

Page 2: Setting Up Security for Oracle ERP Cloud Session ID

Solving Complex Business & Technology Problems with Experience & Knowledge

Core Values…

Be Vested

Be Authentic

Be There

Be Approachable

Be Honest

Committed To Excellence

Our client relationships start with a project and turn into lasting partnerships.

Local & Global

Delivering results for clients in more than 54 countries over 6 continents.

AXIA Consulting (founded in 2005 and 100% employee owned) helps clients identify and solve complex problems with teams of experts averaging over 20 years of experience. AXIA is different than other integrators because we do not “leverage” a few highly experienced consultants with less experienced resources.

AXIA Oracle Service Offerings

• Oracle Consulting

• Mergers & Acquisitions

• Implementations & Functional Extensions

• EBS Assessments & Roadmap

• Upgrades

• Client Advisory Services

Page 3: Setting Up Security for Oracle ERP Cloud Session ID

About The Speaker

Zsolt Varga

▪ Project Manager

Senior Business Analyst

Employee Owner

▪ 12 years of Consulting Experience

▪ Extensive EBS FIN & ERP FIN Cloud Knowledge:

• General Ledger

• Subledger Accounting

• Cash Management

• Payables

• Procurement

• Receivables

• Order Management

• Inventory

• Tax

• Projects

• Fixed Assets

Page 4: Setting Up Security for Oracle ERP Cloud Session ID

Session Objectives

• Enterprise Resource Planning Cloud

• Security Console & Functional Setup Manager

• Functional Security – Abstract, Job & Duty Roles, Privileges

• Data Security – Data Roles, Security Profiles & Data Access

• Auto-Provisioning

• CoA Segment Security & CVRs

• BI Permissions

Page 5: Setting Up Security for Oracle ERP Cloud Session ID

Client & Project

Client Overview:

SHELBY COUNTY SCHOOLS

• Tennessee’s largest school district

• Within 25 largest public school districts in US

• Over 200 schools

• Approx. 12000 employees

• Total budget: $1.34 Billion

• Founded in 1867

Project Overview:

ORACLE CLOUD HCM, FSCM & PBCS

• Implementation & Configuration

• Conversion & CEMLI

• Testing & Training

• Business Process Transformation & OCM

Page 6: Setting Up Security for Oracle ERP Cloud Session ID

Navigation in Oracle Cloud

Page 7: Setting Up Security for Oracle ERP Cloud Session ID

Navigation in Oracle Cloud

Page 8: Setting Up Security for Oracle ERP Cloud Session ID

Navigation in Oracle Cloud

Home, Favorites and Recent Items, Watchlist, Notifications

Page 9: Setting Up Security for Oracle ERP Cloud Session ID

Security Console

IT Security Manager

Page 10: Setting Up Security for Oracle ERP Cloud Session ID

Security Console > Single Sign-On

Page 11: Setting Up Security for Oracle ERP Cloud Session ID

Security Console > Administration > Bridge for Active Directory

Page 12: Setting Up Security for Oracle ERP Cloud Session ID

Functional Setup Manager

Here you will:

• manage Data Access

• set up Security Profiles and assign to Data Roles

• implement Role Provisioning Rules for automation

• configure Security Rules

• create Cross Validation Rules

Page 13: Setting Up Security for Oracle ERP Cloud Session ID

Fusion Role Based Security

Oracle Cloud uses Role-Based Access Control (RBAC) that secures access in a “who can do what on which functions or sets of data under what conditions” approach.

The "who" is the user.

The "what" are the abstract operations or entitlement to actions applied to resources. For example, view and edit are actions, and task flows or rows in data tables are resources.

Entitlement secures access rights to application functions and data. Function access entitlement is granted explicitly to duty roles. This implicitly grants the function access to the job and abstract roles that inherit the duty roles. Data access entitlement is granted implicitly to abstract and job roles through data security policies on their inherited duty roles. Data access entitlement is granted explicitly to a data role through a data security policy applied directly to the inherited job or abstract role.

Page 14: Setting Up Security for Oracle ERP Cloud Session ID

Fusion Role Based Security

Explicit entitlement names the specific function or data that the holder of the entitlement is authorized to access.

Only duty roles hold explicit entitlement to functions. An entitlement to a function allows one or more actions (update, create and view) applied to a resource (for example task flow).

Data roles hold explicit entitlement to data. Data roles are entitled access to functions through inherited role hierarchies.

Implicit entitlement names roles to which explicit entitlement is granted through a role hierarchy.

Abstract, job, and data roles have implicit access to functions through duty roles that they inherit.

Abstract, job, and duty roles have implicit access to data through data security policies.

Data is also secured implicitly with the underlying data model of the product family records.
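The explicit and implicit function entitlement described on these two slides can be traced with a small resolver. This is an added example, not part of the original slides and not Oracle code; the role and privilege names are constructed for illustration. It reports every inheritance path that gives a user a privilege, and flags roles that break the "only duty roles hold explicit entitlement to functions" rule.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    kind: str                                     # abstract | job | duty | data
    privileges: set = field(default_factory=set)  # explicit function entitlement
    inherits: tuple = ()                          # roles this role inherits

# Constructed hierarchy; all role and privilege names are illustrative.
ROLES = {r.name: r for r in (
    Role("Invoice Entry Duty", "duty", {"Create Invoice", "View Invoice"}),
    Role("Invoice Inquiry Duty", "duty", {"View Invoice"}),
    Role("Payables Specialist", "job",
         inherits=("Invoice Entry Duty", "Invoice Inquiry Duty")),
    Role("Payables Specialist East BU", "data", inherits=("Payables Specialist",)),
    Role("Custom Approver", "job", {"Approve Invoice"}),  # privilege on a job role
)}

def entitlement_paths(name, roles=ROLES, path=()):
    """Yield (privilege, inheritance path) for each privilege reachable from a role."""
    if name in path:
        raise ValueError("cycle in role hierarchy: " + " > ".join(path + (name,)))
    role, path = roles[name], path + (name,)
    for priv in sorted(role.privileges):
        yield priv, path
    for inherited in role.inherits:
        yield from entitlement_paths(inherited, roles, path)

def effective_access(assigned, roles=ROLES):
    """Map each privilege a user holds to every path that grants it."""
    access = {}
    for name in assigned:
        for priv, path in entitlement_paths(name, roles):
            access.setdefault(priv, []).append(" > ".join(path))
    return access

def explicit_on_non_duty(roles=ROLES):
    """Roles holding explicit function entitlement although they are not duty roles."""
    return sorted(r.name for r in roles.values() if r.kind != "duty" and r.privileges)

if __name__ == "__main__":
    for priv, paths in effective_access(["Payables Specialist East BU"]).items():
        print(priv, "<-", paths)
    print("explicit grants outside duty roles:", explicit_on_non_duty())
```

A privilege that arrives through more than one path stays granted when only one of the inherited duty roles is removed, so the path list is what to review before trimming a custom role.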

Page 15: Setting Up Security for Oracle ERP Cloud Session ID

Roles & Privileges

Data roles combine a worker's job and the data that users with the job must access.

Abstract roles represent a worker's role in the "enterprise" independently of the job that you hire the worker to do. These are for HCM, examples are Employee, Contingent Worker and Line Manager.

Job roles represent the job that you hire a worker to perform.

Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies.

Duty roles represent a logical grouping of functional security privileges.

Page 16: Setting Up Security for Oracle ERP Cloud Session ID

Users to Roles to Privileges

Example of how the structure of an assignment looks:

Page 17: Setting Up Security for Oracle ERP Cloud Session ID

Roles & Privileges & Inheritance

Page 18: Setting Up Security for Oracle ERP Cloud Session ID

Job Roles towards Privileges

Page 19: Setting Up Security for Oracle ERP Cloud Session ID

Job Roles towards Roles or Privileges

Page 20: Setting Up Security for Oracle ERP Cloud Session ID

Job Roles towards Privileges

Page 21: Setting Up Security for Oracle ERP Cloud Session ID

Job Roles towards Privileges

Page 22: Setting Up Security for Oracle ERP Cloud Session ID

Job Roles towards Users

Page 23: Setting Up Security for Oracle ERP Cloud Session ID

Security Console > Administration

Page 24: Setting Up Security for Oracle ERP Cloud Session ID

Custom Role Creation

Page 25: Setting Up Security for Oracle ERP Cloud Session ID

Custom Role Creation

Unfortunately at the moment there is no job roles export-import functionality in the system.

Page 26: Setting Up Security for Oracle ERP Cloud Session ID

HCM Person & User

It may sound trivial, but to be able to sign in to Oracle Cloud applications, you will need a User. Also, as discussed earlier, Roles are assigned to Users.

So basically our prerequisite setups for assignments are:

• Home > My Team or My Client Groups > New Person > Tasks > Add a Pending Worker

• Home > Tools > Security Console > Users > Add User Account

Of course, you can use HCM Data Loader or Import Worker Users.

Page 27: Setting Up Security for Oracle ERP Cloud Session ID

Users

Page 28: Setting Up Security for Oracle ERP Cloud Session ID

Add Roles to Users

Page 29: Setting Up Security for Oracle ERP Cloud Session ID

Add Roles to Users

Unfortunately at the moment there is no user to job role assignments export-import functionality in the system.

However, there is a self-requesting functionality, if you allow users to manage their own accounts.

Page 30: Setting Up Security for Oracle ERP Cloud Session ID

Processes

There are certain processes that have to be run and then also scheduled on a recurring basis to keep your system in sync:

• Run User and Roles Synchronization Process

• Import Users and Roles into Application Security

• (There are further %LDAP% programs in Scheduled Processes)

These 2 main processes make sure that setups are the same in LDAP (Lightweight Directory Access Protocol), the policy store, the Applications Core Grant schema and the Oracle Fusion Applications Security tables. As a result, your system and Security Console are fast and reliable.

Page 31: Setting Up Security for Oracle ERP Cloud Session ID

Submit Processes & Manage Applications Security Preferences

Page 32: Setting Up Security for Oracle ERP Cloud Session ID

Data Roles & Security Profiles

This functionality can be used mainly for HCM custom Data Roles creation to grant or restrict data access via Security Profiles.

Page 33: Setting Up Security for Oracle ERP Cloud Session ID

Data Roles

Page 34: Setting Up Security for Oracle ERP Cloud Session ID

Data Roles

Page 35: Setting Up Security for Oracle ERP Cloud Session ID

Security Profiles

Examples of usage:

• Organization SP works with HCM Dept Tree or Org Tree or Org Classification or specific Dept(s) or Org(s).

• Country SP uses Territories or Countries.

• Position, Document Type and Person SPs are definitely HCM oriented.

First two examples work for ERP Cloud as well…

Page 36: Setting Up Security for Oracle ERP Cloud Session ID

Data Access

Page 37: Setting Up Security for Oracle ERP Cloud Session ID

Manage Data Access for Users

Page 38: Setting Up Security for Oracle ERP Cloud Session ID

Users, Roles & Security Context

Security Context:

Page 39: Setting Up Security for Oracle ERP Cloud Session ID

Create Data Access in Spreadsheet (ADFdi)

Your Spreadsheet is based on your Search.

Authorize Data Access tab shows missing setups.

You can fill in Security Context Value for these lines or even create new lines.

Page 40: Setting Up Security for Oracle ERP Cloud Session ID

Create Data Access in Spreadsheet (ADFdi)

View Data Access tab shows existing setups.

You can use these as examples.

Data Access cannot be Auto-Provisioned.

Page 41: Setting Up Security for Oracle ERP Cloud Session ID

Manage Data Access Set

• Full Ledger or Primary BSV

• Ledger or Ledger Set

• Read and Write or Read Only

Page 42: Setting Up Security for Oracle ERP Cloud Session ID

Auto-Provisioning

Home > Setup and Maintenance > Financials > Manage HCM Role Provisioning Rules

Page 43: Setting Up Security for Oracle ERP Cloud Session ID

Role Mapping Rules

As the setup name hints, HCM-related objects can be used, like Job, Position, Location, Department, etc., and you can work with BU.

Page 44: Setting Up Security for Oracle ERP Cloud Session ID

Role Provisioning Rules

Roles are directly assigned to Users.

Roles are not assigned to Jobs or Positions.

This automation helps to create these Role to User assignments based on Conditions.

This functionality works well for HCM Cloud but has limitations for ERP Cloud.

Maintenance effort for these Rules should be assessed and compared to the effort of handling assignments manually.

Page 45: Setting Up Security for Oracle ERP Cloud Session ID

CoA Segment Security

Home > Setup and Maintenance > Financials > Manage Chart of Accounts Value Sets

Page 46: Setting Up Security for Oracle ERP Cloud Session ID

Security enabled Value Set

After you have enabled security, entered the Data Security Resource Name and clicked Save, you can Edit Data Security.

Page 47: Setting Up Security for Oracle ERP Cloud Session ID

Edit Data Security – Conditions

Page 48: Setting Up Security for Oracle ERP Cloud Session ID

Edit Data Security – Conditions

Conditions let you define your segment value inclusions, exclusions, ranges, etc.

You can even work with Tree Operators…

Page 49: Setting Up Security for Oracle ERP Cloud Session ID

Edit Data Security – Policies

You can use Policies to link Roles to Conditions (in which you earlier specified your Segments).

Page 50: Setting Up Security for Oracle ERP Cloud Session ID

Edit Data Security – Policies

Page 51: Setting Up Security for Oracle ERP Cloud Session ID

Cross Validation Rules

Page 52: Setting Up Security for Oracle ERP Cloud Session ID

CVR Condition & Validation Filters

Use Conditions for restriction and Validations for exception (within restriction)
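How a condition filter and a validation filter combine can be shown with a small evaluator. This is an added example, not taken from the slides and not Oracle code: the three-segment chart of accounts, the rule names, segment values and messages are constructed, and it assumes that a rule applies only when every condition filter matches and then rejects any combination that fails the validation filter.

```python
from dataclasses import dataclass

SEGMENTS = ("fund", "dept", "account")   # assumed three-segment chart of accounts

@dataclass(frozen=True)
class Filter:
    """One segment range; bounds are inclusive, fixed-width strings."""
    segment: str
    low: str
    high: str

    def matches(self, combo):
        return self.low <= combo[self.segment] <= self.high

@dataclass(frozen=True)
class CrossValidationRule:
    name: str
    condition: tuple    # restriction: rule applies only when every filter matches
    validation: tuple   # exception: what is still allowed inside the restriction
    error: str

    def violated_by(self, combo):
        in_scope = all(f.matches(combo) for f in self.condition)
        allowed = all(f.matches(combo) for f in self.validation)
        return in_scope and not allowed

# Constructed rules; segment values and messages are illustrative.
RULES = (
    CrossValidationRule(
        "GRANT_FUND_DEPTS",
        condition=(Filter("fund", "20", "20"),),
        validation=(Filter("dept", "300", "399"),),
        error="Fund 20 can only be used with departments 300-399."),
    CrossValidationRule(
        "EXPENSE_NEEDS_DEPT",
        condition=(Filter("account", "5000", "5999"),),
        validation=(Filter("dept", "100", "899"),),
        error="Expense accounts require an operating department (100-899)."),
)

def validate(code, rules=RULES):
    """Return the error messages raised for a combination such as '20-310-5100'."""
    parts = code.split("-")
    if len(parts) != len(SEGMENTS):
        raise ValueError(f"expected {len(SEGMENTS)} segments, got {len(parts)}")
    combo = dict(zip(SEGMENTS, parts))
    return [r.error for r in rules if r.violated_by(combo)]

if __name__ == "__main__":
    for code in ("20-310-5100", "20-120-5100", "10-000-5100", "10-000-1100"):
        print(code, validate(code) or "OK")
```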

Page 53: Setting Up Security for Oracle ERP Cloud Session ID

CVR Error Message

Page 54: Setting Up Security for Oracle ERP Cloud Session ID

Create CVRs in Spreadsheet (ADFdi)

Page 55: Setting Up Security for Oracle ERP Cloud Session ID

Business Intelligence Permissions

Page 56: Setting Up Security for Oracle ERP Cloud Session ID

BI Report Assignments

Assign Reports to Roles and/or Users and set Permissions…

Page 57: Setting Up Security for Oracle ERP Cloud Session ID

BI Permissions

Modify Permissions for Report to Member assignments…

Choose from options or customize…

Page 58: Setting Up Security for Oracle ERP Cloud Session ID

Thank you!

April 8

April 10

April 11

…and do not forget to visit our booth! :-)

Page 59: Setting Up Security for Oracle ERP Cloud Session ID

Session ID: 11063

Remember to complete your evaluation for this session within the app!

Q&A

[email protected]