Partner Workshop
June 2017
Copyright 2017, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential Internal
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
1 Release 12 Security
2 Demo
3 Before the upgrade
4 During the upgrade
5 After the upgrade
6 Optimizing performance
7 Labs
R12 Security Themes
Simplified user experience for the IT Security Manager
Easy integration with Identity & Access (IDM/IAM) Systems
Upgrade safe reference role model
Enhanced set of self service capabilities
Simplified experience for the IT Security Manager
Upgrade-safe reference role model
Pre-defined roles are protected
Cannot customize shipped policies
Can add data security policies
Privileges and resources are protected
Allows safe upgrades to these artifacts
No conflicts with customer changes
Easier adoption of future security enhancements
User Account Management
Factory shipped roles
Release 9 Release 10
Factory Reset
[Diagram: Seeded and Custom roles]
Impact: Low
Solution: Identify the customizations that should be preserved by running the Security Customization Report. Copy the customized roles and assign the new custom roles to users.
Who: Customers
HCM Webcast (31 Jan 2017): HCM - Release 12 Security Pre-upgrade Planning for HCM Customers
Customized CX, ERP, SCM roles
Description: Customizations to factory shipped roles will be reset during Release 12 upgrade
CX Webcast (26 Jan 2017): CX - Release 12 Security Deep Dive for Oracle Sales Cloud Customers with Pre-upgrade Effort
ERP/SCM Webcast (1 Feb 2017): ERP / SCM - R12 Security Deep Dive for ERP Customers with Pre-upgrade Effort
Customized common roles: FND, ASM roles
Description: Customizations to factory shipped roles will be reset during Release 12 upgrade
Solution: Oracle will contact affected customers with guidance on how to handle customizations to these roles
Security Customization Report
Availability: Release 11 February 2017 Quarterly Update Bundle (PB14)
Customization report example output
Support Process for R12 Security Customization Report (HCM)
Raise an SR
Use Problem Type: HCM Security (for HCM related issues)
Upload the Security Customization Report Output file to the SR
For example : hcm-production-base-delta.xlsx
1 SR per pod
Support have access to development resources
Depending on the issue Oracle may organize an OWC
FAQs published in MOS : Doc ID 2228180.1
Enterprise Roles and Application Roles
Before Release 12
Enterprise roles
Created in OIM and security console
Application roles
Created in APM and security console
Simplified Reference Role Model
Release 9 Release 10
Release 10/11 Job Role
Release 9 Job Role
Upgrade of Simplified Reference Roles (R10/11)
No enterprise roles in Release 12
EJRs that have not been customized are collapsed into their AJRs
EJRs no longer exist
Same role hierarchy under AJR
Customized EJRs converted to application roles
Same role name
Same role code
Same role hierarchy
HCM data roles converted to application roles
Same role name
Same role code
Same role hierarchy
EJR collapsed into AJR (no customizations to EJR)
Consolidated view of hcm and obi roles
Customized EJR not collapsed into AJR
HCM Data Roles (before Release 12)
Data role : JT2 JT HR Spec View All
Based on : JT2 Human Resource Specialist job role
Data security policies generated against child application roles
HCM Data Role (after upgrade to Release 12)
HCM Data Roles (Release 12)
hcm/fscm/crm child roles preserved during upgrade
Data security policies still stored under the child roles after upgrade
New HCM data roles
Just one role created
No hcm/fscm/crm child roles
Data security policies generated against the single HCM data role
Regenerate upgraded HCM data role
hcm/fscm/crm child roles preserved
Data security policies generated against the top level HCM data role
Data security policies removed from hcm/fscm/crm child roles
HCM Abstract Roles (before Release 12)
Abstract role: Employee
Data security policies generated against child application roles
HCM Abstract Roles (Release 12)
Deep Copy Upgraded Employee Role
Shallow Copy Upgraded Employee Role - don't do it!!
Copying HCM Abstract Roles (Release 12)
Upgrade of Predefined Release 9 Roles
If predefined roles not migrated to Simplified Reference Role Model...
Treated as custom roles
Same role names
Same role codes
Same role hierarchy
Colored green
Human Resource Specialist EJR (Release 9->12)
Human Resource Specialist AJR (Release 9->12)
Roles that have OTBI access
Compensation Analyst job role inherits these roles...
Role Code | Role Name | Application Stripe
FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY | Compensation Transaction Analysis Duty | obi
ORA_FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM | Compensation Transaction Analysis | hcm (Rel 10/11/12)
FBI_COMPENSATION_TRANSACTION_ANALYSIS_DUTY_HCM | Compensation Transaction Analysis Duty | hcm (Rel 9)
Compensation Analyst EJR (Release 11)
Compensation Analyst AJR (Release 11)
Compensation Analyst (Release 12)
After the upgrade
Run processes
Retrieve Latest LDAP Changes
Import User and Role Application Security Data
End scheduling of Retrieve Latest LDAP Changes
Much tighter integration between HCM and policy store in Release 12
No need to run any processes after creating or updating role definitions in security console
Security Upgrade Guide for HCM
Optimizing Person Security Performance
Traditional approach to data role design can lead to large numbers of
data roles
Maintenance overhead
Can lead to serious performance issues
Problems arising from a large number of data roles and security profiles:
Many Users, Different Roles -> High Number of Distinct SQLs -> Frequent Hard Parsing -> All users slow performance, slow upon first use
1 User, Many Roles -> Large SQL -> Long Parse Times -> Specific user slow performance, OTBI Reports fail to run
Each time the database encounters a new SQL statement, the first parse
is referred to as a hard parse. The first execution takes longer than
subsequent reruns of the same SQL.
When a large number of professional users log in, each with their own
distinct person security profiles, the number of distinct SQLs hitting the
database can grow very quickly.
This can cause the database to flush out the least recently used SQLs
from its cache. As users log on, log off and log on again, the number of
hard parses increases.
This can have an overall negative performance impact on ALL users of the
system.
Performance Concerns: Long Hard Parse Times
A Person Security Profile => Distinct SQL WHERE clause.
A single user that has been assigned a large number of roles can spawn
very large SQL statements as a result of multiple clauses being ANDed
together.
Include Related Contacts
Removed from the person security profile pages for new person security profiles
In existing person security profiles, the option continues to appear only if it is currently selected
Users who can view a worker in the Manage Person work area and access the Contacts tab can see the worker's contacts, provided that the contacts are not also workers. If a contact is a worker, then access to the contact's details is secured by person security profile