1. Designing Security Roles
Functional Architecture Implementation Support (FAIS Team)
Kiran Mundy
May, 2012
2. Disclaimer
• I am an Oracle employee.
• The content of this Presentation is my own and does
not necessarily reflect the views of Oracle.
3. Contents
• Overview
• Screens you need to know about
• Designing a new role
• Privileges & Data Security Policies
• Data Roles
• Use Cases
  • Designing a new Role
  • Generating a Data Role from a Template
  • Stepping down a Duty hierarchy
• Terminology
5. Screens you need to know about…
[Diagram: the two administration tools side by side]
• Oracle Identity Manager (Delegated Administration): create Users; create Roles and Role Hierarchies; assign Roles to users; generate Data Roles (Role + Data Security Policy). Users created here are automatically sent to the HCM “Create Person” screen.
  Yes, you could create users and assign roles in OIM directly, but FSM steps you through the HCM screen because HCM employee details are often needed in the Apps, and roles auto-provision from there.
• Authorization Policy Manager (Oracle Entitlements Server): create Duties; assign Duties to a Role (Role → Duties); assign Privileges (Object + Actions) and Data Security Policies to a Duty; Privileges map to Screens and the Actions within Screens.
6. Designing a New Role - Overview
[Same OIM / APM diagram as slide 5: OIM holds Users, Roles and Hierarchies, Role → Duties and generated Data Roles (Role + Data Security Policy); APM holds Duties, Duty → Privileges (Object + Actions) and the Screens and Actions within Screens]
Three ways to get a new role, in order of increasing difficulty:
• Create a new Role and assign existing Duties under it. Generate a Data Role from it. (OIM only)
• Create new Duties and assign Data Security Policies & Privileges under them. (APM)
• Create new Policies & Privileges. (APM, hardest)
7. Functional & Data Security Policies
• Functional Policy = Code artifacts + Allowed Actions. The code artifact is the function object behind a Fusion Apps screen.
• Data Security Policy = DB Objects + Allowed actions. Possible actions: Read, Update, Delete, Manage.
Note – If there is no data security policy specified on a duty role, it means that all actions on all objects behind the screens (specified by the functional policy) are allowed. A duty with privileges but no data security policies therefore leaves the data behind its screens unrestricted at that level, so check for this when you review or reuse a duty.
8. Data Roles
A data role takes the “data” your role has access to (the Data Security Policy: DB Objects + Allowed actions, e.g. Object = Project or Invoices, Possible Actions = Read) and slices it up by BU. Each data role has access to “one” slice:
• Invoices in BU 1 + Read
• Invoices in BU 2 + Read
• Invoices in BU 3 + Read
10. Designing a New Role – Where to Start…
• Security Reference Implementation – gives example Roles for each FSM Offering.
• Log in to OER as Guest: https://fusionappsoer.oracle.com/oer/index.jsp
• Search Criteria: Type = Role, Logical Business Area = “All Fusion Apps…”
• Under the Documentation tab, open up the “Security Reference Manual”
13. Let’s say you want to add “View Customer Account Contact” to the Billing Inquiry Duty.
14. Creating/Changing Duty Roles – Start with FSM
Under “Define Security for … <your offering>”, click on “Manage Duties”.
15. Find the Duty Role
Choose the right Application and search for the Duties.
16. Can’t find the Duty? Check:
• Application
• Starts With vs Contains
• Display Name vs Role Name
Find Existing Policies – query up the Duty and click on “Find Policies” to see the existing policies the role has.
28. Existing Data Security Policies
Apparently there are no data security policies for “Billing Inquiry Duty” as yet, which means data access behind the screen is not restricted at this level.
29. Generating Data Roles
• After you’ve implemented your system and have your BUs etc. set up…
• Figure out which role templates you want to use to generate your data roles… (How?)
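The role stack from slides 7, 8 and 29, as an added worked model written by the editor: it is not Oracle code and not part of the deck. It assumes a tiny in-memory registry of database resources, two constructed duties (“Billing Inquiry Duty” with no data policy, as slide 28 observes, and a made-up “Invoice Inquiry Duty” with a BU-striped Read policy), a `generate_data_roles` template that stamps out one data role per BU, an `is_allowed` check that runs the functional check before the data check, and a `duties_without_data_policies` review helper; every object, privilege, duty and function name is an assumption for illustration.

```python
"""Toy model of job role -> duty roles -> privileges + data security
policies, with data roles generated from a role template per BU.
Editor's example, not Oracle code; all names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Database resources (slide 38): the actions a policy may pick from are
# predefined per business object.  Constructed sample registry.
DATABASE_RESOURCES = {
    "AR_INVOICES": frozenset({"Read", "Update", "Delete", "Manage"}),
    "HZ_CUST_ACCT_CONTACTS": frozenset({"Read", "Update"}),
}


@dataclass(frozen=True)
class DataSecurityPolicy:
    """DB object + allowed actions; `determinant` names the attribute the
    data role stripes on (e.g. "BU"), or None for no stripe condition."""
    db_object: str
    actions: FrozenSet[str]
    determinant: Optional[str] = None

    def __post_init__(self) -> None:
        undefined = self.actions - DATABASE_RESOURCES[self.db_object]
        if undefined:
            raise ValueError(f"{self.db_object} has no action(s) {sorted(undefined)}")


@dataclass(frozen=True)
class DutyRole:
    """Most granular role (APM application role): privileges + data policies."""
    name: str
    privileges: FrozenSet[str]                  # functional policy targets (screens)
    data_policies: Tuple[DataSecurityPolicy, ...] = ()


@dataclass(frozen=True)
class JobRole:
    name: str
    duties: Tuple[DutyRole, ...]


@dataclass(frozen=True)
class DataRole:
    """Job role plus one determinant stripe, as a role template generates it."""
    name: str
    job_role: JobRole
    determinant: str
    value: str


def generate_data_roles(job: JobRole, determinant: str, values: List[str]) -> List[DataRole]:
    """Role template: one data role per BU (or other determinant) value."""
    return [DataRole(f"{job.name} {v}", job, determinant, v) for v in values]


def is_allowed(role: DataRole, privilege: str, db_object: str,
               row: Dict[str, str], action: str) -> bool:
    """Functional check first (does some duty grant the privilege?), then the
    data check against that duty's policies for the object behind the screen."""
    for duty in role.job_role.duties:
        if privilege not in duty.privileges:
            continue
        policies = [p for p in duty.data_policies if p.db_object == db_object]
        if not policies:
            # Slide 7 note: no data security policy on the duty means all
            # actions on all rows behind its screens are allowed at this level.
            return True
        for p in policies:
            if action not in p.actions:
                continue
            if p.determinant is None:
                return True
            if p.determinant == role.determinant and row.get(p.determinant) == role.value:
                return True
    return False


def duties_without_data_policies(job: JobRole) -> List[str]:
    """Review check: duties whose screens carry no data restriction at all."""
    return [d.name for d in job.duties if not d.data_policies]


# Constructed sample resembling the deck's Billing Clerk / Billing Inquiry Duty.
BILLING_INQUIRY_DUTY = DutyRole(
    "Billing Inquiry Duty",
    privileges=frozenset({"View Customer Account Contact"}),
    data_policies=(),            # none, as slide 28 observes
)
INVOICE_INQUIRY_DUTY = DutyRole(
    "Invoice Inquiry Duty",      # constructed for the example
    privileges=frozenset({"View Receivables Invoice"}),
    data_policies=(DataSecurityPolicy("AR_INVOICES", frozenset({"Read"}), "BU"),),
)
BILLING_CLERK = JobRole("Billing Clerk", (BILLING_INQUIRY_DUTY, INVOICE_INQUIRY_DUTY))
BILLING_CLERK_DATA_ROLES = generate_data_roles(BILLING_CLERK, "BU", ["BU 1", "BU 2", "BU 3"])

if __name__ == "__main__":
    bu1 = BILLING_CLERK_DATA_ROLES[0]
    print(is_allowed(bu1, "View Receivables Invoice", "AR_INVOICES", {"BU": "BU 2"}, "Read"))
    print(duties_without_data_policies(BILLING_CLERK))
```

The point to notice is the asymmetry: the BU-striped policy on the invoice duty keeps `Billing Clerk BU 1` out of BU 2 invoices, but the duty with no data policy lets the same data role update customer account contacts in any BU, which is exactly what the note on slide 7 warns about; `duties_without_data_policies` is the check to run before generating data roles from a template.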
35. Terminology Review
• Security Reference Implementation
  • A complete example implementation of Security for each Fusion Offering.
  • Details in the Security Reference Manuals for each Product.
• Role (External Role or Enterprise Role)
  • Created in LDAP (using Oracle Identity Manager).
  • Can also create a hierarchy of these Roles.
  • Normally data roles are generated from them, which also govern the Business Unit (or other determinant) stripe of data the user will see.
• Role Category
  • A way to classify roles.
  • Examples from the Reference Implementation: HCM Abstract Roles, HCM Job Roles, Financials Job Roles etc.
36. Terminology
• Abstract Role (External Role or Enterprise Role)
  • “Abstract” is nothing more than a category we seed to classify roles in our Reference Implementation.
  • Roles we seed in this category are accessory roles such as Employee, Contingent Worker etc. – not a role you would find described on Monster.com.
  • Usually assigned directly; does not require a data role generated on top of it.
• Job Role
  • Also nothing more than a category we seed.
  • Roles we seed in this category are roles you would hire someone into – Accounts Payables Manager, Billing Clerk etc.
  • Usually requires a data role generated on top of it.
37. Terminology
• Duty Role (Application Role or Principal)
  • The most granular form of role; created and managed in Authorization Policy Manager. Privileges & data security policies are assigned to it.
• Functional Policy
  • Each policy contains a set of targets that the policy provides access to.
• Entitlement (or Privilege or Target)
  • Screens, buttons, lists, web services or other code artifacts.
38. Terminology
• Data Security Policy
  • Specifies an Object and what actions you can do to it. The possible actions you can pick from to create a policy are pre-defined for each Business Object.
• Database Resource
  • A database table, or a group of tables, with data.