The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
1. Oracle is pleased to allow its business partner (“Partner”) to download the Materials found on this area of the Site. The Materials provided on or through this area of the Site are
confidential to Oracle and protected by intellectual property laws, and provided to Partner under and pursuant to the terms, conditions and restrictions of Partner’s agreement with
Oracle to participate in the applicable beta program pertaining to the Software (as defined below) (“Beta Trial License Agreement”), as well as any additional terms, conditions and
restrictions set forth in any area of this Site or in any Materials provided on or through this Site. In the event of any conflict or inconsistency between the terms, conditions and
restrictions set forth in the Beta Trial License Agreement and those set forth in any area of this Site or in any Materials provided on or through this Site, the former shall have
precedence with respect to Partner’s access and use of the Site and Materials, provided, however, that notwithstanding anything to the contrary in the Beta Trial License Agreement,
Partner will restrict access to and disclosure of Materials only to its employees who require access to Materials in connection with the Beta Trial License Agreement.
2. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
3. Oracle disclaims any warranties or representations as to the accuracy or completeness of any Materials. Materials are provided "as is" without warranty of any kind, either express,
implied or statutory, including without limitation the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, accuracy, timeliness and non-infringement
of third-party rights. The information contained herein is subject to change without notice.
4. Under no circumstances shall Oracle be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of these Materials. As a
condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions, claims, losses, damages, liabilities and expenses (including reasonable
attorneys' fees) arising out of Partner’s use of the Materials.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |
Purpose:
This document provides an overview of features and enhancements included in pre-release Oracle Fusion Applications 1.0 and applicable updates (the
“Software”). It is intended solely for use in connection with the internal pre-production evaluation and testing of the Software. As stated above, this
document is confidential to Oracle and may not be used for training, promotion, or sales to customers or other partners or third parties.
Disclaimer:
This document is for informational purposes only and is intended solely for use in connection with the internal pre-production evaluation and testing of the
Software. This is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development,
release, and timing of any features or functionality, and inclusion or not thereof in the commercially available version of the Software, if any, is always at Oracle’s
sole discretion. This document is not considered part of the applicable program documentation.
Due to the nature of the product architecture, it may not be possible to safely include all features described in this document without risking significant destabilization of the code.
Agenda
• Security Overview
• Security Profiles and Data Roles
• User and Role Provisioning
Cloud security
• Where are my data located?
– Can I determine where my data are physically stored?
– Which legislation is applicable to my data?
2. Authorization
The process of granting or revoking a privilege to interact with one or more protected system resources.
The ‘system resource’ could be a data object like opportunities or contacts or clinical information, or functional objects like menus, pages, workflows, buttons, reports, dashboards, tasks, jobs, web services etc.
• Answers the questions Who Can Do What, and Who Can Do What on Which Set of Data
• Translates to Function Security and Data Security
• Function Security – Who Can Do What
  As Human Resources Specialist you can manage employees
• Data Security – Who Can Do What on Which Data
  As Human Resource Specialist for the North American Region you can manage employees only in North America
• RBAC provides a valuable level of abstraction to promote security administration at a business enterprise level rather than
at the user identity level in older access control models.
[Figure: role hierarchy. Enterprise Roles (Abstract Role, External Role, Job Role) answer “What is your Job?” (a line in the job description); Duty Roles answer “What would you say you do here?” (an area of the system); Privileges answer “How exactly do you get that done?” (a specific task flow).]
Role Based Access Control
[Figure: RBAC example. Users (Charles Watson, Anna.morris) are assigned job roles (Benefits Administrator, Human Resource Specialist, Employee); each job role inherits duty roles (labels partially recoverable from the diagram: Absence Recording Duty, Payslip View Duty, Person Management Duty, HCM Document Management Duty, among others), and Employee security profiles restrict the data each role can reach.]
Job roles listed in the diagram:
• Benefits Manager
• Benefits Specialist
• Compensation Administrator
• Compensation Analyst
• Compensation Manager
• Compensation Specialist
• Contingent Worker
• Employee
• Human Resource VP
• Line Manager
• Payroll Administrator
• Payroll Manager
Data Roles
A job role is a cookie cutter used to generate data roles: if the job role has access to the “loaf”, its generated data roles each have access to “one slice”.
For the “Reference Implementation”, each product decides the “slicing criteria” or dimension for each job role. The dimension is an attribute of the data for that job role, such as Business Unit.
Example – Purchase Orders by Business Unit
&TABLE_ALIAS.PERSON_ID IN
[Figure: the Human Resource Specialist job role with its duty roles (Person Management Duty, HCM Document Management Duty, among others) as held by users Anna.morris and David.east.]
User creation
• Create Person
• Create User
• Import users
User account provisioning
[Screenshot callouts: 1. Give it a name; the role is added; Self Requestable / Request access options.]
Role Delegation
• Role delegation is the assignment of a role from the current owner of the role, known as
the delegator, to another user, known as the proxy. The delegation can be either for a
specified period or indefinite.
• You can delegate roles to any user whose details you can access by means of a public
person security profile. This profile typically determines who you can search for in the
Person Gallery.
• When you delegate a role, the proxy user can perform all tasks associated with the
delegated role on the relevant data instance set. For example, you may have a line
manager role that enables you to manage absence records for your reports. If you
delegate that role, then the proxy can also manage the absence records of your reports.
You do not lose the role while it is delegated.
• The proxy user signs in to Oracle Fusion HCM using his or her own user name, but has
additional function and data privileges associated with the delegated role.
Which Roles Can I Delegate?
• You can delegate any role that you have currently, provided that:
– The role is enabled for delegation.
– The assignment that qualifies you for the role does not have a future-dated termination. For example,
if you try to delegate a role today and the assignment that matches the role-mapping conditions (as
defined in the role's role-provisioning rule) has a future-dated end date, then you can't delegate the
role.
• You can also delegate any role that you can provision to other users, provided that the
role is enabled for delegation. Such roles are defined as Requestable in a role mapping
for which you satisfy the role-mapping conditions. By delegating rather than
provisioning roles to a user, you can:
– Specify a limited period for the delegation.
– Enable the proxy to access the data that you can access.
Ending Role Delegation
• If you specify an end date when you delegate a role, the delegation ends on
that date. The request to end the role delegation is sent to OIM by the
Send Pending LDAP Requests process on the delegation-end date.
• You can enter or update an end date at any time during the delegation
period. If you enter today’s date, the delegation ends immediately.
• Role delegation ends before the specified end date if the proxy user’s
assignment is terminated.
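The authorization model described under Authorization and Data Roles, together with the delegation rules above, as an added Python example (not Oracle's code): the job roles, duty roles, privileges, users and dates are constructed, and a data role is modelled as a job role sliced by one value of a dimension.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Optional

# Constructed sample hierarchy (not Oracle's seeded roles): job role -> duty roles -> privileges.
JOB_DUTIES = {
    "Human Resource Specialist": {"Absence Management Duty", "Person Management Duty"},
    "Employee": {"Payslip View Duty"},
}
DUTY_PRIVS = {
    "Absence Management Duty": {"Manage Absence Records"},
    "Person Management Duty": {"Promote Worker"},
    "Payslip View Duty": {"View Payslip"},
}

@dataclass(frozen=True)
class DataRole:
    """One 'slice' of a job role: the job restricted to a single value of a dimension."""
    job_role: str
    dimension: str  # e.g. "region", "business_unit" or "person_id"
    value: Any
@dataclass
class Delegation:
    data_role: DataRole
    delegator: str
    proxy: str
    end: Optional[date] = None  # None = indefinite delegation
@dataclass
class User:
    name: str
    data_roles: set = field(default_factory=set)
    assignment_terminated: bool = False

def privileges_of(job_role):
    """Function security: flatten job role -> duty roles -> privileges."""
    return {p for duty in JOB_DUTIES.get(job_role, ()) for p in DUTY_PRIVS.get(duty, ())}

def delegation_active(d, users, today):
    """Ends on the end date (entering today's date ends it at once) or when the proxy is terminated."""
    return not users[d.proxy].assignment_terminated and (d.end is None or today < d.end)

def effective_roles(user, users, delegations, today):
    """Own data roles plus actively delegated ones; the delegator keeps the role meanwhile."""
    return set(user.data_roles) | {d.data_role for d in delegations
                                   if d.proxy == user.name and delegation_active(d, users, today)}

def can(user, privilege, record, users, delegations, today):
    """Who can do what (function security) on which data (data security)."""
    return any(privilege in privileges_of(r.job_role) and record.get(r.dimension) == r.value
               for r in effective_roles(user, users, delegations, today))

# Constructed sample data: an HR specialist sliced to North America delegates to an employee.
HR_NA = DataRole("Human Resource Specialist", "region", "North America")
USERS = {
    "anna.morris": User("anna.morris", {HR_NA}),
    "david.east": User("david.east", {DataRole("Employee", "person_id", 202)}),
}
DELEGATIONS = [Delegation(HR_NA, "anna.morris", "david.east", end=date(2014, 7, 1))]
NA_WORKER = {"person_id": 101, "region": "North America"}
EMEA_WORKER = {"person_id": 202, "region": "EMEA"}
```

While the delegation is active the proxy gains the delegated role's function and data privileges without the delegator losing them; on the end date, or once the proxy's assignment is terminated, the extra access disappears.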
Delegation notes:
• When you include a delegatable role in a role mapping, users who qualify
for the role can delegate it if they have the role themselves or if the
Requestable option is selected for the role.
Role Management Tools
Tools Used to Perform Security Tasks
• Fusion HCM
– Create Users (mapped to HR people)
– Provision Roles to Users
– Revoke Roles from Users
– Revoke User Accounts (on termination)
– Create Data Roles
– Manage Security Profiles
– Assign Security Profiles to Roles
– Manage Role Provisioning Rules
– Synchronize Data between HR and LDAP
[Table residue: security stores, the tool that manages each, and the object types held in each]
• Identity Store (OIM): User; Enterprise Role (Job role, Abstract role); Role Hierarchy
• Policy Store (APM, function security policies): Permission (Task Flow, Page, File, Web Center, View Object, Data); Permission Set; Action (Secured Operation); Duty Role = Application role (HCM duty roles are under the hcm application)
• Database (XML generated from design engineering deliverables): Grant
Function Security
[Figure: Worker Promotion Duty (Duty Role) grants the Promote Worker function security privilege and two data security policies: Promote Worker Data (Person Assignment / condition) and Choose Position Data (Position / condition).]
Fusion Security At Run Time
BI & Reporting Security
• Fusion Apps BI uses the same security infrastructure as FA
– BI can also use same Identity Store, Policy Store and APM for policy management
as other fusion application components
– SSO enabled
Data Security
• The data that is returned in OTBI reports is secured in a similar way to how data is returned in Fusion
HCM pages, meaning that access is granted by the roles that are linked to security profiles.
• Each of the (xx) Transaction Analysis Duty roles that grants access to subject areas and BI Catalog folders
inherits one or more (xx) Reporting Data Duty roles. These are the duty roles that grant access to the data.
The reporting data duty roles are found under the hcm application in APM.
• If you create custom job roles that have access to OTBI reports, you must give your job roles both the obi
version and the hcm version of the transaction analysis duty roles, so that your job role has both the
function security and the data security access needed to run the reports. For example, if you want your
custom role to have access to the workforce transaction analysis subject areas, ensure that it inherits the
following duty roles:
– Workforce Transaction Analysis Duty under the obi application
– Workforce Transaction Analysis Duty(HCM) under the hcm application
OBIEE Security
• BI roles apply to both BI Publisher and OTBI. They grant access to functionality within BI,
for example, the ability to run or author reports. Users need one or more of these roles
in addition to the roles that grant access to reports, subject areas, BI catalog folders,
and Fusion HCM data.
• BI roles include:
– BI Consumer: Enables you to run BI reports.
– BI Author: Enables you to create and edit reports.
– BI Administrator: Enables you to perform administrative tasks such as creating and editing dashboards and modifying security
permissions for reports, folders, and so on.
– BI Publisher Data Model Developer: Enables you to create and edit BI Publisher data models.
BI Publisher Security
• In conceptual terms, BI catalog folders that contain BI Publisher reports are secured using duty roles.
These duty roles are not the same as those that secure OTBI subject areas and folders.
• Individual BI Publisher reports are secured using function security privileges that are granted to these
duty roles.
• For example, the Payroll Register Report is in the Payroll Calculations folder. The report is secured using a
privilege called Run Payroll Register Report, and this privilege is granted to Payroll Distribution Calculation
Management Duty. The Payroll Calculations folder is secured using this duty role.
• The way this is actually implemented in reality is slightly different because BI security works slightly
differently than regular Fusion Applications security. The key difference is that BI security supports
application roles, but it does not support privileges. So, we implement the privileges that secure BI
Publisher reports as application roles.
• In the preceding example, the privilege Run Payroll Register Report is implemented as an application role
called Run Payroll Register Report (OBI), which is inherited by another application role called Payroll
Distribution Calculation Management Duty OBI.
BI Publisher Data Security and Secured List Views
• When you access data using a BI Publisher data model that uses an SQL
Query as the data source, you have two options:
1. Select directly from a database table, in which case the data you return is not subject to data security
restrictions. Note that because BI Publisher allows you to create data models on unsecured data, you
should minimize the number of users who have access to create data models.
2. Join to a secured list view in your select statements, in which case the data returned will be
determined by the security profiles that are assigned to the roles of the user who is running the report.
• The tables in the student guide show, for each table, the secured list view,
the data security privilege that is needed to report on data in the table (if
accessed via the secured list view) and the duty role that has the security
privilege.
[Figure: users with the Accounts Payable Manager or Accounts Payable Specialist job role inherit the Common Country Third Party Reporting Duty, whose entitlements are: Run Global Third Party Balances Summary Report, Run Global Third Party Account Balance Report, Run Global Journals and Third Party Report, Run Global Subledger Detail Journal Report.]
• Create a custom role and copy the hierarchy from the seeded role (Seeded Job Role → Custom Job Role)
• Grant all top-level duty roles of the seeded job role to the custom job role in APM
• Steps:
1. Open the seeded job role in APM
2. Open each top-level duty role
3. Go to the “External Role Mapping” tab
4. Add the custom job role
5. Repeat for all the top-level duty roles in all applications (aka Policy Stripes)
[Screenshot sequence in APM: Go to Application Role Mapping → Select Seeded Duty → Open Seeded Duty → Seeded Duty Opened → Find Seeded Policies → Open Functional Policies → Create New Data Policy → Edit Seeded Data Policy → End Seeded Data Policy]
Additional information
• Oracle Fusion Applications Help provides a library of information:
– Filter on Product = Customer Relationship Management
– Search for keywords (security, security guide, job role)
Additional topic:
• Customizing Security for Your Needs
Q&A