Fusion Applications Users and Security

Upload: chaithvar

Post on 01-Feb-2016

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Fusion Applications Users and Security

Agenda

Security Overview

Reference Implementation

Role Based Access Control

Security Process Overview

Walk through – Roles, Duties, Privileges etc.

Q&A

Cloud Implementation – Ground Zero

Customer will be provided a Cloud Administrator user

Cloud Administrator user is assigned 3 roles:

– Applications Implementation Consultant

– Applications Diagnostic Administrator

– IT Security Manager

It is a unique name provided by the customer

Assumptions for Baseline

Tools Used to Perform Security Tasks

Security Components: How They Fit Together

Security Reference Implementation

There is a set of Roles that you will recognize as Jobs and a role hierarchy that contains the Duties for those Jobs

The Duties respect the Segregation of Duties constraints that come with the Access Controls Governor solution

Reference implementation has

– ~280 job roles

– ~1700 duty roles

– ~4300 privileges

There is a set of role provisioning events and workflows

The provisioning workflows test the Segregation of Duties Constraints

Security Reference Implementation

Complete Set of Job roles

Duty roles and role hierarchy for each Job role

Privileges granted each Duty role

Data Security Policies for each Job role

Policies that protect personally identifiable information

Policies enforced across tools and access methods

Segregation of Duties Policies respected in the design of duties for the job role

Segregation of Duties Conflicts

Security Reference Manual describes seed data delivered

Security Role

Abstract Role – nothing more than a Role Category we seed to classify roles in the reference implementation

– Accessory role such as Employee, Contingent Worker, Line Manager etc.

– Not a role you would find described on Monster.com

– Usually assigned directly – does not require a data role generated on top of it

Job Role – again it is a seeded Role Category of Roles

– Roles that you would hire someone into: Accounts Payable Manager, Billing Specialist etc.

– Usually requires a data role generated on top of it, i.e., for access to business unit striped data

Abstract Roles v. Job Role

Duty Role

Represents a duty that is performed by somebody

– Worker Promotion Duty

– Payables Invoice Creation Duty

Inherited by job roles and abstract roles

Not assigned to users

Security privileges granted to duty roles

Used as building blocks

Data Roles

Job roles

– Included in reference implementation

– Can access task flows, reports, batch programs etc.

– Cannot access secured data

– Not assigned to users

– Example: Human Resource Specialist

Data roles

– Created by customers

– Can access secured data

– Inherit job roles

– Assigned to users

– Example: Human Resource Specialist – Vision Operations

Job Role v. Data Role
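
The role rules on these slides (privileges are granted to duty roles, job roles inherit duties, data roles inherit job roles and are the ones assigned to users, and provisioning tests Segregation of Duties constraints) can be modelled in a few lines. This is an added illustration, not Oracle code or an Oracle API; the privilege names, the payment duty, the Payment Clerk job, the data role names and the conflict pair are constructed for the example.

```python
from dataclasses import dataclass, field

ASSIGNABLE = {"abstract", "data"}  # slides: job and duty roles are not assigned to users

@dataclass
class Role:
    name: str
    kind: str                                      # abstract | job | duty | data
    inherits: list = field(default_factory=list)   # roles below this one in the hierarchy
    privileges: set = field(default_factory=set)   # granted to duty roles
    data_scope: str = ""                           # set on data roles only

def effective(role, seen=None):
    """Return (duty names, privileges) reachable from role via the hierarchy."""
    seen = set() if seen is None else seen
    if role.name in seen:                          # cycle guard for a mis-built hierarchy
        return set(), set()
    seen.add(role.name)
    duties = {role.name} if role.kind == "duty" else set()
    privs = set(role.privileges)
    for child in role.inherits:
        d, p = effective(child, seen)
        duties |= d
        privs |= p
    return duties, privs

def provision(current, new_role, sod_conflicts):
    """Provisioning check: assignable kind first, then SoD across all resulting duties."""
    if new_role.kind not in ASSIGNABLE:
        return False, f"{new_role.kind} roles are not assigned to users"
    duties = set()
    for r in [*current, new_role]:
        duties |= effective(r)[0]
    for a, b in sod_conflicts:
        if a in duties and b in duties:
            return False, f"SoD conflict: {a} + {b}"
    return True, "ok"

# Constructed sample data (only the first duty and the AP job name come from the slides)
create_inv = Role("Payables Invoice Creation Duty", "duty", privileges={"CREATE_INVOICE"})
pay_inv = Role("Payables Payment Duty", "duty", privileges={"PAY_INVOICE"})
ap_job = Role("Accounts Payable Manager", "job", inherits=[create_inv])
pay_job = Role("Payment Clerk", "job", inherits=[pay_inv])
ap_data = Role("Accounts Payable Manager - Vision Operations", "data", [ap_job], data_scope="Vision Operations")
pay_data = Role("Payment Clerk - Vision Operations", "data", [pay_job], data_scope="Vision Operations")
SOD = [("Payables Invoice Creation Duty", "Payables Payment Duty")]
```

Calling provision([ap_data], pay_data, SOD) is rejected because the two data roles together reach both duties of the conflict pair, even though neither duty is ever assigned to the user directly.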

Role Based Access

Job Role

Data Role

Data Role

User Account Provisioning

User accounts are created automatically when workers are hired

Line managers and HR specialists can request user accounts for workers that do not yet have one

– Search for existing user

– Create new user

User accounts can be automatically revoked within the Termination flow

Provisioning Roles to Users

Role provisioning built into HR flows

– New hire flow

– Promote flow

– Transfer flow

Users can self-request new roles

Line managers and HR specialists can request new roles and revoke existing roles from people they manage/administer

Create Automatic Role Provisioning Rules

Oracle Identity Manager

Operates in 3 Modes

1. Self Service – Where you can manage your own roles/privileges.

2. Delegated Administration – Where you manage the roles/privileges of other users

3. Advanced Administration – Where you can manage password policies and do other system administrative functions.

The 3rd is not available in SaaS currently.

SAAS v. On-Premise

Not Available for SAAS

Security Process Overview

Define Security: Setup Tasks

Common to Fusion

– Manage Job Roles

– Manage Duties

– Manage Data Security Policies

– Manage Role Templates

– Manage HCM Role Provisioning Rules

– Import Worker Users

– Manage Users

Financials Specific

– Manage Data Access Sets

Manage Roles

Manage Roles

Define Hierarchy

Edit

Manage Duties

Manage Duties

Manage Duties

Manage Duties – View Privileges

Manage Duties - Data Security Policies

Manage Role Templates

Manage Role Templates – External Roles

Import Worker Users

Manage Users

Manage Users

Manage Data Access Sets (Financials)

Additional Resources

Fusion Applications Security Guide: http://fmwdocs.us.oracle.com/doclibs/fmw/E15586_01/fusionapps.1111/e16689/toc.htm

Security Reference Manual: http://docs.oracle.com/cd/E15586_01/fusionapps.1111/e23061/toc.htm#_Toc299016543_1_1

Questions?