users and security
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 131
Fusion Applications
Users and Security
Agenda
Security Overview
Reference Implementation
Role Based Access Control
Security Process Overview
Walk through – Roles, Duties, Privileges etc.
Q&A
Cloud Implementation – Ground Zero
Customer will be provided a Cloud Administrator user
Cloud Administrator User is assigned 3 Roles:
– Applications Implementation Consultant
– Applications Diagnostic Administrator
– IT Security Manager
It is a unique name provided by the customer
Assumptions for Baseline
Tools Used to Perform Security Tasks
Security Components: How They Fit Together
Security Reference Implementation
There is a set of Roles that you will recognize as Jobs and a role hierarchy that contains the Duties for those Jobs
The Duties respect the Segregation of Duties constraints that come with the Access Controls Governor solution
Reference implementation has
– ~280 job roles
– ~1700 duty roles
– ~4300 privileges
There is a set of role provisioning events and workflows
The provisioning workflows test the Segregation of Duties Constraints
Security Reference Implementation
Complete Set of Job roles
Duty roles and role hierarchy for each Job role
Privileges granted each Duty role
Data Security Policies for each Job role
Policies that protect personally identifiable information
Policies enforced across tools and access methods
Segregation of Duties Policies respected in the design of duties for the job role
Segregation of Duties Conflicts
Security Reference Manual describes seed data delivered
Security Role
Abstract Role – nothing more than a Role Category we seed to classify roles in the reference implementation
– Accessory role such as Employee, Contingent Worker, Line Manager etc.
– Not a role you would find described on Monster.com
– Usually assigned directly – does not require a data role generated on top of it
Job Role – again it is a seeded Role Category of Roles
– Roles that you would hire someone into: Accounts Payable Manager, Billing Specialist etc.
– Usually requires a data role generated on top of it, i.e., for access to business unit striped data
Abstract Roles v. Job Role
Duty Role
Represents a duty that is performed by somebody
– Worker Promotion Duty
– Payables Invoice Creation Duty
Inherited by job roles and abstract roles
Not assigned to users
Security privileges granted to duty roles
Used as building blocks
Data Roles
Job roles
– Included in reference implementation
– Can access task flows, reports, batch programs etc.
– Cannot access secured data
– Not assigned to users
– Example: Human Resource Specialist
Data roles
– Created by customers
– Can access secured data
– Inherit job roles
– Assigned to users
– Example: Human Resource Specialist – Vision Operations
Job Role v. Data Role
Role Based Access
Job Role
Data Role
Data Role
User Account Provisioning
User accounts are created automatically when workers are hired
Line managers and HR specialists can request user accounts for workers that do not yet have one
– Search for existing user
– Create new user
User accounts can be automatically revoked within the Termination flow
Provisioning Roles to Users
Role provisioning built into HR flows
– New hire flow
– Promote flow
– Transfer flow
Users can self-request new roles
Line managers and HR specialists can request new roles and revoke existing roles from people they manage/administer
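The role layering and the Segregation of Duties test at provisioning time described in the slides above, as an added Python sketch that is not part of the original presentation or Oracle's code. The privilege codes, the "Payables Payment Approver" job and duty, the duty-to-job mappings, the Accounts Payable data roles and the conflict pair are constructed for illustration; data scoping itself is not modelled.

```python
# Constructed sample data: privilege codes, the payment-approval duty/job,
# the role-to-duty mappings and the conflict pair are invented here.
DUTY_PRIVS = {
    "Worker Promotion Duty": {"PROMOTE_WORKER"},
    "Payables Invoice Creation Duty": {"CREATE_INVOICE"},
    "Payables Payment Approval Duty": {"APPROVE_PAYMENT"},
}
# Job and abstract roles inherit duty roles; they hold no privileges directly.
ROLE_DUTIES = {
    "Human Resource Specialist": {"Worker Promotion Duty"},
    "Accounts Payable Manager": {"Payables Invoice Creation Duty"},
    "Payables Payment Approver": {"Payables Payment Approval Duty"},
    "Employee": set(),
}
ABSTRACT_ROLES = {"Employee"}  # assigned to users directly
# Data roles inherit a job role; these are what users actually receive.
DATA_ROLES = {
    "Human Resource Specialist - Vision Operations": "Human Resource Specialist",
    "Accounts Payable Manager - Vision Operations": "Accounts Payable Manager",
    "Payables Payment Approver - Vision Operations": "Payables Payment Approver",
}
# Privileges that one user must not hold together (constructed pair).
SOD_CONFLICTS = [frozenset({"CREATE_INVOICE", "APPROVE_PAYMENT"})]


def effective_privileges(assigned_roles):
    """Walk data role -> job role -> duty roles -> privileges."""
    privs = set()
    for role in assigned_roles:
        if role in DATA_ROLES:
            inherited = DATA_ROLES[role]
        elif role in ABSTRACT_ROLES:
            inherited = role
        else:
            # Job and duty roles are building blocks, never granted to users.
            raise ValueError(f"{role!r} is not assignable to a user")
        for duty in ROLE_DUTIES[inherited]:
            privs |= DUTY_PRIVS[duty]
    return privs


def request_role(current_roles, new_role):
    """Provisioning check: return (approved, conflicts) for a role request."""
    privs = effective_privileges(set(current_roles) | {new_role})
    conflicts = [sorted(pair) for pair in SOD_CONFLICTS if pair <= privs]
    return (not conflicts, conflicts)
```

Running the same check over each user's current role set, not only at request time, surfaces conflicts that entered through earlier grants.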
Create Automatic Role Provisioning Rules
Oracle Identity Manager
Operates in 3 Modes
1. Self Service – Where you can manage your own roles/privileges.
2. Delegated Administration – Where you manage the roles/privileges of other users
3. Advanced Administration – Where you can manage password policies and do other system administrative functions.
The 3rd is not available in SaaS currently.
SaaS v. On-Premise
Not Available for SaaS
Security Process Overview
Define Security: Setup Tasks
Common to Fusion
– Manage Job Roles
– Manage Duties
– Manage Data Security Policies
– Manage Role Templates
– Manage HCM Role Provisioning Rules
– Import Worker Users
– Manage Users
Financials Specific
– Manage Data Access Sets
Manage Roles
Manage Roles
Define Hierarchy
Edit
Manage Duties
Manage Duties
Manage Duties
Manage Duties – View Privileges
Manage Duties - Data Security Policies
Manage Role Templates
Manage Role Templates – External Roles
Import Worker Users
Manage Users
Manage Users
Manage Data Access Sets (Financials)
Additional Resources
Fusion Applications Security Guide: http://fmwdocs.us.oracle.com/doclibs/fmw/E15586_01/fusionapps.1111/e16689/toc.htm
Security Reference Manual: http://docs.oracle.com/cd/E15586_01/fusionapps.1111/e23061/toc.htm#_Toc299016543_1_1
Questions?