Fusion Product Hub Training
Fusion Product Hub Security
July 2014
Oracle Confidential Internal/Restricted/Highly Restricted

Role Based Access Control
    User: Andrew Kelly
    Role: Product Manager
    Role: Employee
    Role: Manager
    Access is provided via Roles

Fusion Security Model
    WHO can do WHAT on WHICH set of data?
    The Role
        e.g. Chief Product Manager, Product Data Steward
    Function Security
        Search for Items
        Update/Edit Items
    Data Security
        Ability to access only items/data user or role has been granted

Key Concepts - Roles
    Who can do WHAT on WHICH set of data?
    Job Roles
        Enterprise Roles
        Roles associated with the Job of an employee
        Very close to job titles
        Provisioned to a user on request
        Example: Product Manager, Warehouse Manager, Order Manager
    Abstract Roles
        Roles that come with the job
        Normally assigned by the system (based on user attributes) but can be provisioned to a user on request
        Example: Employee, Manager

Key Concepts - Function Security
    Who can do WHAT on WHICH set of data?
    Functions represent basic entry points / operations / secured resources that do not have any data context
        Examples: Page X, Region Y, Button Z
    Function Security controls access to tasks

Key Concepts - Function Security
    Privileges
        Individual permissions to access pages, reports, actions, etc.
        Also referred to as Entitlements
            Monitor Item Work Area
            Create Item

Key Concepts - Function Security
    Duty Roles
        Duties are tasks to be done on a job
        Duty roles
            Application Roles that give access to pages, reports, actions through function privileges
            Designed to be pluggable into new or existing job roles
            Provisioned through job or abstract roles; never assigned directly to a user
    Item Management Duty, Item Catalog Management Duty
        Product Manager
            Andrew Kelly

Key Concepts - Function Security
    Privilege - Role Association
        Product Manager (Job Role)
            Item Management Duty (Duty Role)
                Manage Item (Privilege)

Key Concepts - Function Security
    Role Inheritance
        Duty role may inherit other duty roles from same application or from another application
        Level 1 Role / Level 2 Role / Level 3 Role
            Product Data Steward {Product Management Application, Job}
            Item Supplier Management Duty {Product Management Application, Duty}
            Item Management Duty {Product Management Application, Duty}
            Party Information Inquiry Duty {CRM Application Duty}

Key Concepts - Data Security
    Who can do WHAT on WHICH set of data?
    Business objects / documents hold sensitive data; the data needs to be secured
    Example: Items

    Role (Who) | Auxiliary Verb | Operation (Can Do What) | Object Attribute | Data Access (on which set of data)
    Worker (Duty) | Can | Manage | Item Purchasing Attributes | For the items they have access to in item and inventory organizations
    Product Manager (Job) | Can | Manage | Item Costing Attributes | For the items they have access to in item and inventory organizations

Key Concepts - Data Security
    Explicit (Indirect) using Data Roles
        Example: Warehouse Manager (D2) Seattle Distribution Center provides Warehouse Manager access to logistics data in Inventory Organization D2
        Explicitly provisioned to users
        Data roles are not predefined. Data roles can only be defined by customers, as they are data dependent.
        Data role templates provide predefined structures for defining data roles.
    Implicit (Direct) using product specific access
        Data security is determined via product specific logic, and not by explicit provision of data roles
        Example: Product Managers can edit items belonging to specific item classes in specific organizations.

Key Concepts - Item Data Grants
    Item data grants can be managed at Item Class or Item level.
    Item data grants are given to external or application roles or to specific users.

    User/Role | Item Class | Item Data Grants
    Andrew Kelly | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic
    Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic

    User | Job Role | Duty Roles | Item Class | Item Data Grants
    John Smith | Product Data Steward | Worker, Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic

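How the two layers above combine, as an added example that is not Oracle code: a request passes only when function security (a privilege reached through the role hierarchy) and data security (an item data grant to the user or one of their roles) both allow it. Role, privilege and grant names come from the slides; the entries marked ASSUMED or CONSTRUCTED are not stated on the page.

```python
# Added illustration, not Oracle code. Names come from the slides; lines
# marked ASSUMED or CONSTRUCTED are not stated on the page.
DUTY_ROLES = {"Item Management Duty", "Item Catalog Management Duty",
              "Item Supplier Management Duty", "Item Batch Management Duty",
              "Party Information Inquiry Duty"}
INHERITS = {  # parent role -> roles it inherits
    "Product Manager": ["Item Management Duty", "Item Catalog Management Duty"],
    "Product Data Steward": ["Item Supplier Management Duty",   # ASSUMED reading of
                             "Item Management Duty",             # the inheritance slide
                             "Item Batch Management Duty"],
    "Item Supplier Management Duty": ["Party Information Inquiry Duty"],  # ASSUMED edge
}
PRIVILEGES = {"Item Management Duty": {"Manage Item"}}
USER_ROLES = {
    "Andrew Kelly": ["Product Manager", "Employee", "Manager"],
    "John Smith": ["Product Data Steward"],
    "Test User": ["Employee", "Item Management Duty"],  # CONSTRUCTED misconfiguration
}
BASIC = {"Create Item Class Item", "View Item Basic", "Maintain Item Basic"}
ITEM_DATA_GRANTS = [  # (user or role, item class, granted actions)
    ("Andrew Kelly", "TABLETS", BASIC),
    ("Item Batch Management Duty", "TABLETS", BASIC),
]

def effective_roles(user):
    """All roles a user holds, following inheritance transitively."""
    seen, stack = set(), list(USER_ROLES.get(user, []))
    while stack:
        role = stack.pop()
        if role not in seen:          # guard against cycles in the hierarchy
            seen.add(role)
            stack.extend(INHERITS.get(role, []))
    return seen

def has_privilege(user, privilege):
    """Function security: WHAT the user may do."""
    return any(privilege in PRIVILEGES.get(r, ()) for r in effective_roles(user))

def data_actions(user, item_class):
    """Data security: actions granted on WHICH item class, to the user or a role."""
    grantees = effective_roles(user) | {user}
    return {a for g, c, acts in ITEM_DATA_GRANTS
            if g in grantees and c == item_class for a in acts}

def can(user, privilege, action, item_class):
    """Allowed only when function security and data security both pass."""
    return has_privilege(user, privilege) and action in data_actions(user, item_class)

def direct_duty_assignments():
    """Audit: duty roles assigned straight to a user, which the model forbids."""
    return {u: sorted(set(r) & DUTY_ROLES) for u, r in USER_ROLES.items()
            if set(r) & DUTY_ROLES}
```

"Test User" holds the Manage Item privilege but no item data grant, so `can` denies the request, and `direct_duty_assignments` reports the directly assigned duty role.
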
Product Management Roles - Tasks
    Product / Job Role
        Product: Product Model (EGP)
        Job Role: Product Manager
    Tasks Available in Item Work Area
        Items: Create Item, Manage Items, Create Item Structure, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
        Catalogs: Manage Catalogs
    CONFIDENTIAL: All capabilities and dates are for planning purposes only and may not be used in any contract

Product Management Roles - Tasks
    Product / Job Role
        Product: Product and Catalog Management (EGO)
        Job Role: Product Manager
    Tasks Available in Item Work Area
        Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
        New Item Requests: Create New Item Request, Manage New Item Requests
        Change Orders: Create Change Order, Manage Change Orders
        Catalogs: Manage Catalogs

Product Management Roles - Tasks
    Product / Job Role
        Product: Product Hub (EGI)
        Job Role: Product Data Steward
    Tasks Available in Item Work Area
        Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
        New Item Requests: Create New Item Request, Manage New Item Requests
        Change Orders: Create Change Order, Manage Change Orders
        Catalogs: Manage Catalogs
        Item Batches: Create Item Batch, Manage Item Batches, Manage Source Systems
    Setup and Maintenance
        FSM: + Product Management Native Setup Tasks

Glossary
    Fusion | E-Business Suite
    Job Role | Top Level Menu Responsibility
    Abstract Role | Top Level Menu Responsibility
    Data Role | Responsibility
    Duty Role | Sub Menu
    Privilege | Form Function
    Permission | Executable

Managing Security
    Oracle Identity Manager (OIM)
        Manage Users
            Employees are created via Human Capital Management (HCM)
        Manage Enterprise Roles
            Job Roles and Data Roles
        Assign Enterprise Roles to Users
    Authorization Policy Manager (APM)
        View Users
        View Enterprise Roles Hierarchy
        Manage Application Roles (Duty Roles), Data Security Policies
        Manage Application Role Hierarchy
        Manage and run Data Role Templates

Safe Harbor Statement
    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.