
Prepare for the Fusion Security Model by Understanding Role-based Access Control in R12
Revised Sept-2015

Susan Behn
Agenda
Understanding User Management Principles
Overview
Building Blocks for User Management
Modeling Security Policy Basic Example
User Management Surprises
Reporting
Read-Only Diagnostics
Integration Repository
Grant Worklist Access
Cash Management Security Wizard
View Concurrent Requests
Flexfield Value Set Security
Security Reports
EBS vs Fusion Security Model?
Proxy User Access (If time allows)
References

2 Gold
Partner
Copyright 2014 Infosemantics, Inc. All Rights Reserved . Any other commercial product names herein are trademark, registered trademarks or service marks of their respective owners.
User Management Layers
Core security levels 1-2 is accomplished through AOL or with grants and permissions
Core security level 3 is required for some apps
Administrative features levels 4-6 are optional
6 User access requests with AME Approval Processes
5 Registration processes
4 Administer functions/data for specific groups
3 Grant access to roles that include function/data security
2 What data can a user see
1 What can a user do

Role Based Access Control
RBAC: The RBAC standard supports the mapping of user access control based upon a user's role in the organization rather than their unique identity
Roles: a grouping of all the responsibilities, lower level permissions (functions), permission sets, and data security rules that a user requires to perform a specific task
Role Categories: Organize roles into groups

Components by Responsibility
System Administrator Responsibility
Manage responsibilities and menus; Create users
User Management: Layers 3 and up
Functional Administrator Responsibility
Function Security Layer
Functional Developer Responsibility
Data Security Layer

User Management Building Blocks
Objects
Define data to be secured: a table or view
Stored in FND_OBJECTS, FND_OBJECTS_TL
Object Instance Sets
The WHERE clause for an object
Stored in FND_OBJECT_INSTANCE_SETS,
FND_OBJECT_INSTANCE_SETS_TL
Managed in Functional Developer Responsibility

User Management Building Blocks
Permissions: 2 types, function and data
Function Security Permissions control access to abstract functions
Examples
Executable function is access to User Management Roles & Role Inheritance Form
Abstract functions are defined as role permissions: Create Role, Assign Role, Manage Role, Revoke Role
Data Security Permissions control access to objects
Data limited by where clause
Stored in FND_FORM_FUNCTIONS,
FND_FORM_FUNCTIONS_TL

User Management Building Blocks
Permission Sets
Grouping of permissions
Example: All User Administration Privileges
A permission set can contain other permission sets
Stored in FND_MENUS, FND_MENUS_TL,
FND_MENU_ENTRIES, FND_MENU_ENTRIES_TL

User Management Building Blocks
Grants
Provide permissions for actions on a specified object
Attach function permissions and data permissions (data
security policies) to grantee
Grantee
Who gets the grant
A role or group
A specific user
All Users
Data Security Policy
Grant that includes both an object and permission set
Stored in FND_GRANTS

STACKING UP THE BUILDING BLOCKS
Modeling Security Policies
Step 1: Assign access to user management to appropriate users
Step 2: Identify or create permissions/permission sets that group functions (function security)
Step 3: Identify or create product seeded objects / object instance sets (data security)
Step 4: Identify seeded grants / create grants
Step 5: Assign role

Grant access to user management
to appropriate user(s)

Managing Users Step 1
By default, only Sysadmin has access to User
Management
Assign a user management role to the appropriate user

Search for user
Click pencil to edit

Managing Users Step 1
Click the Assign Roles button to add a role

Click Assign Roles and then click the Apply button

Managing Users Step 1
Search for the Security Administrator Role, check the box and click Select
Other seeded security roles include Customer Administrator and Partner Administrator
Customer Administrator: manage users with party type = customer
Partner Administrator: manage users with party type = partner

Managing Users Step 1
Enter a justification and click Apply

User Management responsibility is inherited by assigning this role

Managing Users Step 1
System Administrator > User > Define
User Management is shown as an indirect responsibility

STEP 2
IDENTIFY SEEDED PERMISSIONS
CREATE PERMISSIONS
Permissions
To demonstrate function security, Approvals
Management will be used as the example
A user will be given access to perform all functions in
approvals management
To gain familiarity with permissions available, go to Functional Administrator > Permissions to search for seeded permissions

Permissions
There are 16 permissions available for AME
Click the update button to examine the AME Action Create Permission

Permissions
This permission belongs to one permission set with the
same name as the permission

Permission Set
In our example, we want the user to have access to ALL functions for the transaction type AP Invoice Approval
Go to the permission set tab to see the permission set for all AME functions, which is AME All Permission Sets
Note that this permission set includes other permission sets

STEP 3
SEEDED OBJECTS
Seeded Objects
To demonstrate data security, Approvals Management
will be used again as the example
A user will be given access to manage the approval
process for the payables invoice approval
Go to Functional Developer > Objects to search for
available seeded objects
If an object is not available, you can create objects

Seeded Objects

Tip: Query by responsibility to get familiar with what is seeded
Click update to view details but avoid changing seeded objects

Seeded Objects
Two columns are included which can be used to limit
access

Note the Object Instance Sets Tab and Grants Tab

Seeded Objects
Click on the Object Instance Set tab for this object to
view the where clause
The predicate allows the user to enter the parameters to select the application and transaction type in the grant

STEP 4
IDENTIFY SEEDED GRANTS
CREATE GRANTS
Grants
Create the grant to allow sbehn to perform all AME functions for the payables invoice approval transaction type
Click on the Grants tab

Notice this takes you to the same form as you see in the
Functional Administrator responsibility
We are going to enter an object to establish a Data
Security Policy

Grants
Enter name, description, grantee type, grantee
Enter the object name
Click Next

Grants
Choose the context to limit rows
For this example, choose instance set

Grants
We already determined there was an AME Transaction
Type Instance Set
Choose this value and click Next

Grants
Now enter the values for the parameters we saw earlier in the object instance set
The predicate is displayed for reference
Parameter 1 is the application
Parameter 2 is the AME transaction type

Grants
Scroll down and choose the functions the grantee will
be allowed to execute for this group of data by
selecting the permission set AME All Permission Sets

Grants
The final page is a review page
Click finish and the confirmation page will appear
Now you have access to data and functions you can
perform on that data
Click OK

Role Based Access Control
In step 1, we gave someone access to user
management
In step 2, we identified the AME All Permission Sets
to provide function security
In step 3 we identified the AME Transaction Types
object to provide data security
In step 4 we joined the function and data security
together in a grant to allow SBEHN to perform all
functions for AME for Payables Invoice Approvals
But the user still doesn't have access yet to the
responsibility used to manage AME
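To review what a grant like the one built in steps 2 to 4 actually confers, the grantee, permission set, object, instance set predicate and parameter values can be read back from FND_GRANTS and the related tables. This query is an added example, not part of the original slides; :grantee_key is a placeholder bind variable (leave it null to list every active grant), and the column names are those of the standard FND tables, to be confirmed on your instance.

```sql
-- Added example: list active grants with the pieces that make up a
-- data security policy (grantee + permission set + object + instance set).
-- :grantee_key is a placeholder: a user name, a role/responsibility code,
-- or NULL to review all grantees.
SELECT g.name                 AS grant_name,
       g.grantee_type,        -- USER, GROUP (role or responsibility) or GLOBAL (All Users)
       g.grantee_key,
       m.menu_name            AS permission_set,
       o.obj_name             AS object_name,
       o.database_object_name AS secured_table_or_view,
       g.instance_type,       -- SET (instance set), INSTANCE (single row) or GLOBAL (all rows)
       s.instance_set_name,
       s.predicate,           -- the WHERE clause; it references the parameters below
       g.parameter1,
       g.parameter2,
       g.start_date,
       g.end_date
FROM   fnd_grants g
       JOIN      fnd_menus m                ON m.menu_id         = g.menu_id
       LEFT JOIN fnd_objects o              ON o.object_id       = g.object_id
       LEFT JOIN fnd_object_instance_sets s ON s.instance_set_id = g.instance_set_id
WHERE  g.start_date <= SYSDATE
AND    (g.end_date IS NULL OR g.end_date >= SYSDATE)
AND    (:grantee_key IS NULL OR g.grantee_key = :grantee_key)
ORDER  BY g.grantee_type, g.grantee_key, o.obj_name, m.menu_name;
```

Rows with no object are function-only grants; rows with grantee type GLOBAL or USER are the ones to check first in an access review, since they bypass role assignment.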

STEP 5
ASSIGN RESPONSIBILITIES TO ROLES
Assign Roles
Assign AME roles to SBEHN the same way we
assigned the Security Administrator role
Query the user and click the pencil

Assign Roles
Click the Assign Roles button

Seeded Roles
Choose the Approvals Management Administrator role
and provide justification
Grants multiple roles shown in the hierarchy below and
two responsibilities having a code starting with
FND_RESP

Responsibility

Seeded Roles
Below is a partial list of products with seeded roles; This
changes frequently
Approvals Management
Diagnostics
Learning Management
Territory Management
User Management
Integration Repository
iReceivables
iSetup
Integrated SOA Gateway (New)
To see what's new after patches, look for roles in User
Management responsibility or query WF_ALL_ROLES_VL
R12 Surprises

Read-Only Diagnostics

Read-Only Diagnostics in 12.1.3
Function Security (outside of UMX)
Set profile option Hide Diagnostics Menu Entry to No
Assign one or more of the read only subfunctions to the
menu where this functionality is needed
Apps password will not be requested in read-only mode

Read-Only Diagnostics 12.1.3
Example - Payables, Vision Operations (USA)
responsibility linked to menu AP_NAVIGATE_GUI12
Leave prompt and Submenu null

Integration Repository

New Surprises: Access to Integration
Repository
Release 11i
http://irep.oracle.com/
As of March, 2014 the above link is not working
Early R12
Assign Responsibility: Integrated SOA Gateway
Release 12.1+
Assign one of the following roles

Grant Worklist Access

Grant Worklist Access
From Form
Click Worklist Access link
To limit security risk, request this functionality from system administrators
From Functional Administrator Responsibility
Grants Tab
Create Grant

Grant Worklist Access
Select specific user
Data Security object is Notifications

Grant Worklist Access

Seeded instance Set
User that Grantee can see
Abstract Functions

Grant Worklist Access
By default, notifications are limited to active workflows or those in Lookup type WF_RR_ITEM_TYPES
To limit this access to specific workflow types, enter in parameter2 (hidden parameter)
Note: Predicate does not list Parameter2
Parameter2 stores specific workflows

Cash Management
Security Wizard

Cash Management Bank Account Security
Grant access to manage banks to the responsibility Cash
Management, Vision Operations (USA)
Go to User Management > Roles & Role Inheritance
In the Type field, select Roles and Responsibilities
In the Category field, select Miscellaneous
In the Application field, select Cash Management, then
click Go

Cash Management Bank Account Security
Click on the pencil to update for the correct
responsibility

Cash Management Bank Account Security
Click on the security wizard button

On the next page, click the icon to run the CE UMX Security Wizard

Cash Management Bank Account Security
Click the button to add legal entities

Select the legal entities this responsibility will manage

Cash Management Bank Account Security
Check the boxes for the privileges needed for this
responsibility and apply your changes

Repeat these steps for additional responsibilities

View Concurrent
Requests

New Surprises: Access to Concurrent
Requests
Profile Option Concurrent Report Access Level is
obsolete in 12.1
Allowed users to see all concurrent requests in a
responsibility
Except for View Own and System Administrator View
Logs, this functionality is replaced by RBAC
permissions
See My Oracle Support ID 737547.1

View Others Requests
Object Concurrent Requests
Start with the Concurrent Requests data object shown
below which is seeded

View Others Requests-Permission Set /
Permission
The Request Operations permission set includes
permissions to submit and view requests

View Others Requests-Instance Sets
Several object instance sets are seeded or you can
create your own

View Others Requests - Seeded Instance Sets
Examples of seeded object instance sets
View all my requests from any responsibility
More efficient than trying to remember where you ran a request
View my requests for the application identified by parameter 2

View Others Requests - Create Instance Sets
From Functional Developer > Objects
Query Object
Click link in Name column, then Object Instance Sets tab,
then Create Instance Set

View Others Requests-Create Instance Sets
Any user of a responsibility can see all requests in that
responsibility
Exact replacement of obsolete profile option
MOS ID 804296.1 R12: How To Configure Access To
Request Output Of The Same Responsibility

View Others Requests
Site Level Grant for All Responsibilities
Grant New Instance Set to All Users
All users can see requests only in the responsibility that ran the request

View Others Requests-Operating Unit Level
***Same as previous example but limited by operating unit
Grant New Instance Set to Specific Operating Unit or responsibility
Repeat for each desired Operating Unit
Still can only see requests in responsibility that ran request
View Others Requests - User Level
Recommended only for help desk/support users who have limited responsibilities in Production
Can see any request regardless of what responsibility currently using
Access to All Requests
Specific to User

Help Diagnostics
Menus

Diagnostic Permission sets
Permission sets are available now for all Diagnostic
menu items starting in R12.1.3.

Setup Profile Options
R12.1.3+
Utilities: Diagnostics
Set to Yes (not secure)
RBAC: create role with permission set FND Diagnostics Personalizations Menu and assign as needed

Flexfield Security
Required in 12.2

Flexfield Value Set Security FNDFFMSV
12.2
Upon upgrade, users will not have access to any records in this form
Many ways to get to this form; our example: GL > Setup > Financials > Flexfields > Validation > Values

Function and Data Security
Must set up function security to define what the user
can do in the form
Grant by flexfield, report or value set
Grant to application, user, group
Must set up data security to define which values can be
queried
Affects Independent and Dependent value sets.
Affects what privileges users have in the Segment
Values form.
Note: Even if you create a new value set, you still won't
be able to assign values to that set until security is set
up

Grant access to the data
Functional Administrator > Grants
This example: General Ledger, Vision Operations
(USA) responsibility needs to see GL value sets for
Vision Operations Accounting Flexfield

Data Security - Instance Set
Flexfield Value Set Security Object
Key Flexfield Structure by app id, key flexfield code and
structure number

Other Instance Sets

Permission set for allowable actions
For this example, I chose to allow insert or update

Seeded permission sets for flexfield security

Results
Now I have access to all the value sets for the
accounting flexfield

Security Reports

Security Reports
From User Management, Security Reports
Choose Report Type - Remaining screen repaints based
on Type

MUST specify Role/Resp
Example
Select Output format
Choose Offline to get underlying SQL

Security Reports
Report Status

Output: click Output icon

Security Reports
For Log (and query), click Details, then View Log
Partial log shown

Security Reports
List of Users w/access to key User Management
function

Clicking Show displays how assigned and by whom

Security Reports
List of users with access to view all concurrent requests
List of users with access to the user management role

FUSION SECURITY MODEL VS EBS SECURITY MODEL
EBS Security Model
[Diagram: EBS Security Model. Elements shown: Users; Personalizations; Data Security (data grants can be assigned to user); Function Security (permissions can be assigned to individual users); Roles (for RBAC enabled modules); Responsibilities; Function Security and Data Security (permissions assigned to roles); Menus; Some Function Security]

Fusion Security Advantages
Provisioning workflows test Segregation of Duties
Oracle Identity Management performs SOD checks
against Application Access Controls Governor (AACG)
Role Based Access Control Building Blocks are predefined
Over 280 job roles
Over 1700 duty roles
Over 4300 privileges

Fusion Security Model
User
Data Role: Payables Clerk Vision Operations (Explicit Access to Business Unit)
Inherited by Data Role
Job Role: Payables Clerk
Inherited by Job Role
Duty Role: Invoice Creation
Create, view, cancel, delete invoices (Function)
Data Security Policies: Implicit Product Specific Access
Function Security Privileges
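The inheritance chain on this slide (data role, job role, duty role, privileges) and the Segregation of Duties check mentioned under Fusion Security Advantages, as an added Python model that is not Oracle's code or part of the original deck. The privilege names, the Payment Approver / Payment Approval roles and the SoD rule are constructed for illustration.

```python
# Constructed role graph following the slide: each role -> roles it inherits.
INHERITS = {
    "Payables Clerk Vision Operations": ["Payables Clerk"],  # data role -> job role
    "Payables Clerk": ["Invoice Creation"],                   # job role -> duty role
    "Payment Approver": ["Payment Approval"],                 # hypothetical job role
}
# Duty role -> function security privileges (names are constructed).
PRIVILEGES = {
    "Invoice Creation": {"create invoice", "view invoice",
                         "cancel invoice", "delete invoice"},
    "Payment Approval": {"approve payment"},                  # hypothetical duty role
}
# Data role -> business unit it grants explicit access to.
DATA_SCOPE = {"Payables Clerk Vision Operations": "Vision Operations"}
# Constructed segregation-of-duties rule: one user must not hold both.
SOD_RULES = [("create invoice", "approve payment")]

def closure(roles):
    """All roles reachable through inheritance; tolerates cycles in the graph."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, []))
    return seen

def effective_privileges(roles):
    """Union of the privileges of every inherited duty role."""
    privs = set()
    for role in closure(roles):
        privs |= PRIVILEGES.get(role, set())
    return privs

def can(roles, privilege, business_unit):
    """Function security AND data security must both pass."""
    scopes = {DATA_SCOPE[r] for r in closure(roles) if r in DATA_SCOPE}
    return privilege in effective_privileges(roles) and business_unit in scopes

def sod_conflicts(roles):
    """SoD rules violated by the combined privileges of the requested roles."""
    privs = effective_privileges(roles)
    return [rule for rule in SOD_RULES if set(rule) <= privs]
```

Running `sod_conflicts` on the full set of roles in a provisioning request, before the grant is made, is the point at which a conflicting combination can be rejected.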

Payables Duty

Fusion Privileges for Payables Invoice Duty

Fusion Data Security Policy

Proxy User Access

Proxies
Proxy authority can be granted to another user for a
specific time period
Cover vacation/leave of absence/emergencies
Audit control - Actions are tracked to show delegate is
acting on behalf of delegator
12.2.4+ new features (Now backported to 12.1)
Limit responsibilities and workflow notifications granted to
proxy user
Responsibility exclusions
Delegation policies
Grant proxy capabilities to all or to selected users
Patch for 12.1 is 19804456

Grant Proxy Privileges to Individual 12.1 and 12.2+
In order to delegate or receive authority, users must
have the Manage Proxies role
Query the users, click the pencil to update, click the
Assign Roles button and add the Manage Proxies role
Enter a justification and save

Proxy Configuration 12.2.4+
User Management Proxy Configuration Privileges
(Who can delegate)
Grant proxy privileges to all users
Choose the All Users radio button, then click Apply

Proxy Configuration 12.2.4+
User Management Proxy Configuration Privileges
Grant proxy privileges to selected users
Choose the Users with Selected Roles or Responsibilities
radio button, then click the Add button

Proxy Configuration 12.2.4+
User Management Proxy Configuration Privileges
Search and choose the responsibility or role
Note that the codes for responsibilities start with FND_Resp; codes for roles
start with UMX

Proxy Configuration 12.2.4+
User Management Proxy Configuration
Exclusions (What can be delegated)
Identify responsibilities which can never be delegated
Click the Add Responsibility button and add any responsibility
that should never be delegated

Proxy Configuration 12.2.4+
User Management Proxy Configuration Policies
(Who can you delegate to?)
By default, you can delegate proxy access to any user

Proxy Configuration 12.2.4+
User Management Proxy Configuration Policies
In 12.2.4, you can add a pre-defined policy using the Add
button or create your own using the Create and Add
Policy button
In this example, we will allow a user to delegate
only to their direct supervisor and peers of that
supervisor

Proxy Configuration 12.2.4+
Click the add button; Enter % to see all seeded policies
Check the policy desired and click the select button

Proxy Configuration 12.2.4+
Click on the trash can to remove the policy for All Users
Then click the Apply button
Remember, you can also create a policy if the seeded
policies do not meet your needs

Proxies Prior to 12.2.4
Once you have been granted the Manage Proxies role, click the preference button
There is now a new Manage Proxies function

The Add People Button will allow the user to designate a proxy user

Proxies Prior to 12.2.4
Add a user and apply
Now the operations user can act on my behalf
Set an End Date at this time if this is to cover a fixed
vacation period or other leave of absence
The proxy user has access to all responsibilities and all
notifications

Proxies Prior to 12.2.4
When the operations user is logged in a Switch User
option will be available
Notice that the user is currently logged in as
OPERATIONS

Click the Switch icon to switch users

Proxies Prior to 12.2.4
Now there is a Return to Self button
The user is logged in as Operations operating as Proxy
for SBEHN

Proxies Prior to 12.2.4
Run the Page Access Tracking Data Migration
concurrent program to populate the Proxy Report
There are no parameters
Then go back to Manage Proxies and click the Run
Proxy Report Button

Proxies Prior to 12.2.4
The report shows all navigation completed by the proxy
user

Proxies 12.2.4+
Click the settings gear, then Manage Proxies

Note: Clicking the settings gear, then Preferences will show the Manage Proxies option on the left similar to earlier releases

Proxies 12.2.4+
The Manage Proxies page looks only slightly different
in 12.2.4
Click the Add Proxy button
In earlier releases, this button is Add People

Proxies 12.2.4+
Choose the user name, then choose the appropriate
options for responsibility and workflow access

Proxies 12.2.4+
To grant selected responsibility access, click the
Selected radio button and all current responsibilities
will appear
Move the desired responsibilities from the available
column to the selected column

Proxies 12.2.4+
To grant selected worklist access, click the Selected
radio button and all current workflow item types will
appear
Move the desired item types from the available column to
the selected column

Proxies 12.2.4+
A workflow notification is sent to the user who is
granted proxy access

Proxies 12.2.4+
As the SBEHN user, click the switch user icon

Then click the switch icon

Proxies 12.2.4+
Now logged in as SBEHN as Proxy for Operations

Only includes responsibilities granted
Only includes item types granted
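The 12.2.4+ proxy controls covered in the slides above (end date, selected responsibilities, responsibility exclusions, and the supervisor-and-peers delegation policy) combined into one check, as an added Python model that is not Oracle's code or part of the original deck. The org chart, exclusion list, responsibility names and function names are constructed for illustration; leaving `responsibilities` unset models the "all responsibilities" behaviour described for releases prior to 12.2.4.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Constructed org chart: user -> direct supervisor (None = top of the tree).
SUPERVISOR = {"SBEHN": "MGR_A", "OPERATIONS": "MGR_A",
              "MGR_A": "VP", "MGR_B": "VP", "VP": None}
# Constructed exclusion list: responsibilities that can never be delegated.
EXCLUDED = {"System Administrator"}

@dataclass
class Delegation:
    delegator: str
    proxy: str
    start: date
    end: Optional[date] = None                    # None = no end date set
    responsibilities: Optional[Set[str]] = None   # None = "All", set = "Selected"

def policy_allows(delegator: str, proxy: str) -> bool:
    """Delegation policy from the slides: direct supervisor or that supervisor's peers."""
    boss = SUPERVISOR.get(delegator)
    if boss is None or proxy == delegator:
        return False
    if proxy == boss:
        return True
    boss_of_boss = SUPERVISOR.get(boss)
    return boss_of_boss is not None and SUPERVISOR.get(proxy) == boss_of_boss

def proxy_responsibilities(d: Delegation, held: Set[str], today: date) -> Set[str]:
    """Responsibilities the proxy may use on `today` while acting for the delegator."""
    if today < d.start or (d.end is not None and today > d.end):
        return set()                      # outside the delegation period
    if not policy_allows(d.delegator, d.proxy):
        return set()                      # policy forbids this proxy
    granted = held if d.responsibilities is None else held & d.responsibilities
    return set(granted) - EXCLUDED        # exclusions always win

def audit_record(d: Delegation, action: str) -> str:
    """Audit line naming both parties, so proxy actions stay attributable."""
    return f"{d.proxy} acting as proxy for {d.delegator}: {action}"
```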

Proxy User Training
Transfer of Information training

http://ilearning.oracle.com/ilearn/en/learner/jsp/offering_details_find.jsp?classid=1524577857

References
Oracle Applications System Administrator's Guide - Security
See Oracle User Management Developer Guide
My Oracle Support ID: 553547.1 Data Security Terminology
My Oracle Support ID: 553290.1 Introduction to the Grants Security System and Data Security
E-Business Suite User Management SIG http://ebsumx.oaug.org/
Release 12.2.3 "Oracle E-Business Suite Flexfields Guide, Release 12.2" Part No. E22963-07 has updated documentation
TOI: Oracle E-Business Suite 12.2: Implement & Use Oracle E-Business Suite - Flexfield Value Set Security
http://oukc.oracle.com/static12/opn/login/?t=checkusercookies%7Cr=-1%7Cc=1362916480
Questions?
Comments

Thank You!!!

Susan Behn

Susan.Behn@Infosemantics.com

