Fusion Applications - Role Based Security


FA Implementations Solutions Team
Kiran Mundy
Sep, 2012
Contents

Overview
Steps To Implement Security
1. Start with Security Reference Implementation
2. Change Roles
3. Do Application Setups
4. Generate Data Roles
5. Auto-Provisioning Rules
Terminology

Overview

Vision

You have enterprises with operations in Germany and the US: Vision Germany and Vision US.
You need to hire a Procurement Manager for your German operations.
The job posting maps onto the FA job definition screen: the Job Title becomes the Job Role, each line in the job description becomes a Duty, and all those Duties are assigned under the Job Role.
Meet Doris

She applies for the job.
Doris is hired.

Doris is hired

For doing what all employees do: the abstract role Employee, with duty roles such as Expense Reports (Enter Expenses, Submit Expenses) and Purchase Requisitioner.
For doing the job she was hired for: the job role Procurement Manager, with duty roles such as Buyer Mgt and PO Changes, and the data roles generated from it, Procurement Manager - US and Procurement Manager - Germany.
What can Doris do and view?

Duties provide access to screens, reports and dashboards, via privileges.
Duties provide access to the data behind the screens, via data security.
Doris Starts Using Fusion Apps

She starts work.
She sees only the menu items she is entitled to.
She sees only data for Vision Germany.
What is Role Based Security?

WHO can do WHAT on WHICH set of data?
WHO is the Job Role, which is made up of Duties; WHAT is the Privileges under those Duties; WHICH is Data Security.

The Role, examples: Procurement Manager, Channel Sales Manager, Chief Financial Officer, Buyer, HR Specialist.
Privileges, examples: Reassign Purch Doc, Manage Procurement Agent, Manage PO Changes, Update Item.
Data Security / Data Roles, examples: View All Purchase Orders, Purchase Orders for Germany, Hire Buyers for Germany.
WHO: Doris is assigned a set of Roles

User: Doris
Data Role: Procurement Manager - Germany
Abstract Roles: Employee, Line Manager
Access is via Roles.

Courtesy: John Thuringer

WHAT is Duties/Privileges under the Roles
Controls access to work areas, dashboards, task flows, reports, services.

What determines Menu Items

Courtesy: John Thuringer


What determines Tasks

Courtesy: John Thuringer


WHICH is Data Security
Determines onscreen data.

Which Data?               Type of Access                Condition
Fusion Business Objects   Read, Write, Delete, Create   When specific criteria are met

These are combined to create policy lines. For example:

Employee Salary   View           For my own
Employee Salary   View, Update   My Direct Reports
Opportunity       View, Update   For Opportunities within my territories
Opportunity       View           All Opportunities
Data Security - Cautionary Note

Policy lines you create get stored in FND_GRANTS.
Something has to read this information and ensure the right data is returned.
This "something" is implemented by Fusion Apps Development as one of the following:
Security enablement at EO level (checkbox).
VO level enablement via filters (naming convention).
Programmatic (e.g. a button appears only if a specific privilege is present in FND_GRANTS for that role).
If you create policy lines on a business object and nothing has been enabled on that object at VO, EO or programmatic level, the data will not be restricted via the SQL predicate you've specified.

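The gap in the cautionary note, as an added example (not from the deck or from Oracle): a list standing in for FND_GRANTS policy lines, a data layer that applies a role's predicate only where the business object has an enforcement hook, and an audit that lists policy lines nothing enforces. The object, role, predicate and row values are assumptions.

```python
# Added example (not Oracle's code): toy model of the cautionary note above.
# Policy lines (a list standing in for FND_GRANTS rows) only restrict data when the
# business object has an enforcement hook: EO checkbox, VO filter or programmatic.
# Objects, roles, predicates and rows below are constructed for illustration.
ENABLEMENT = {                       # business object -> how enforcement was enabled
    "Purchase Orders": "VO filter",
    "Employee Salary": "EO checkbox",
    # "Supplier Sites" has policy lines but no EO, VO or programmatic enablement
}

# Constructed stand-in for FND_GRANTS policy lines: (object, role, action, predicate)
FND_GRANTS = [
    ("Purchase Orders", "Procurement Manager - Germany", "read", "business_unit = 'Germany'"),
    ("Employee Salary", "Line Manager", "read", "manager_id = :user"),
    ("Supplier Sites", "Buyer - US", "read", "country = 'US'"),
]

def predicate_matches(predicate, row, user):
    """Evaluate the tiny "col = 'literal'" / "col = :user" predicate subset used here."""
    col, value = (s.strip() for s in predicate.split("=", 1))
    expected = user if value == ":user" else value.strip("'")
    return str(row.get(col)) == expected

def query(obj, role, user, rows):
    """Mimic the data layer: the role's predicate is applied only if the object is enabled."""
    if obj not in ENABLEMENT:
        return list(rows)                # policy lines exist, but nothing reads them
    preds = [p for o, r, a, p in FND_GRANTS if o == obj and r == role and a == "read"]
    return [row for row in rows if any(predicate_matches(p, row, user) for p in preds)]

def unenforced_policy_lines():
    """Audit check: policy lines whose object has no EO, VO or programmatic enablement."""
    return [line for line in FND_GRANTS if line[0] not in ENABLEMENT]

# Constructed sample rows.
POS = [{"po": "PO-1", "business_unit": "US"}, {"po": "PO-2", "business_unit": "Germany"}]
SALARIES = [{"emp": "E1", "manager_id": "doris"}, {"emp": "E2", "manager_id": "bob"}]
SUPPLIER_SITES = [{"site": "S1", "country": "US"}, {"site": "S2", "country": "DE"}]
```

Running unenforced_policy_lines() after creating policy lines is the check that catches the situation the note warns about: a predicate that exists in FND_GRANTS but is never applied.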
Data Roles

The job role is a cookie cutter to generate data roles.
If the Job Role has access to the loaf, its generated data roles have access to one slice.
E.g. Procurement Manager vs Procurement Manager US.
For the Reference Implementation, each product decides on the slicing criteria or dimension for each job role.
A dimension is an attribute of the data for that job role, like Business Unit or Set ID.
Example: Purchase Orders by Business Unit.

Data Roles: What to slice data by?

Examples of slicing criteria (dimensions) used by Fusion products:
Reference Data Sets (All): dimension is Set Id
Business Unit (All): dimension is Business Unit Id
Data Access Set (FIN): dimension is Access Set Id
Cost Organization (PRJ): dimension is Cost Org Id

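The slicing model of the Data Roles slides in code, as an added example (not from the deck or from Oracle): a job role's duties and privileges, data roles generated per Business Unit, and a check of what a user such as Doris can do (privileges) and see (rows). The dataclass shapes, the Purchase Orders rows and the business-unit values are assumptions.

```python
# Added example (not Oracle's code): toy model of the role layering in this deck.
# The job role is the cookie cutter: one data role per dimension value (the slice),
# carrying the job's duties plus a predicate on that dimension. Rows are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class JobRole:
    name: str
    duties: tuple        # ((duty role, (privileges, ...)), ...): function security
    secured_object: str  # business object its data roles stripe, "" for abstract roles
    dimension: str       # data attribute to slice by, e.g. "business_unit"

@dataclass(frozen=True)
class DataRole:
    name: str
    job_role: JobRole
    slice_value: str     # the one slice of the loaf this data role may see

def generate_data_roles(job, dimension_values):
    """One data role per dimension value, named '<job role> - <value>' as in the deck."""
    return [DataRole(f"{job.name} - {v}", job, v) for v in dimension_values]

def privileges_for(roles):
    """WHAT: union of the privileges under every duty of every role held."""
    jobs = [r.job_role if isinstance(r, DataRole) else r for r in roles]
    return {p for job in jobs for _, privs in job.duties for p in privs}

def visible_rows(roles, obj, rows):
    """WHICH: rows of `obj` whose dimension value is a slice granted by a data role."""
    slices = {(r.job_role.secured_object, r.job_role.dimension, r.slice_value)
              for r in roles if isinstance(r, DataRole)}
    return [row for row in rows
            if any(o == obj and row.get(dim) == val for o, dim, val in slices)]

PROC_MGR = JobRole("Procurement Manager",
                   (("Buyer Mgt", ("Manage Procurement Agent",)),
                    ("PO Changes", ("Manage PO Changes", "Reassign Purch Doc"))),
                   "Purchase Orders", "business_unit")
# Abstract role: assigned directly, no data role is generated on top of it.
EMPLOYEE = JobRole("Employee", (("Expense Reports", ("Enter Expenses", "Submit Expenses")),), "", "")
DATA_ROLES = {r.name: r for r in generate_data_roles(PROC_MGR, ["US", "Germany"])}

# Constructed sample data: purchase orders striped by business unit.
PURCHASE_ORDERS = [{"po": "PO-1", "business_unit": "US"}, {"po": "PO-2", "business_unit": "Germany"},
                   {"po": "PO-3", "business_unit": "Germany"}]

def doris_access():
    """Doris holds Employee plus the Germany data role: (privileges, visible PO ids)."""
    roles = [EMPLOYEE, DATA_ROLES["Procurement Manager - Germany"]]
    visible = visible_rows(roles, "Purchase Orders", PURCHASE_ORDERS)
    return privileges_for(roles), [row["po"] for row in visible]
```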
Product Family Implementations

Function Security (Job Role, Duty Role, Privilege)
Implementation is similar across product families.
Some have created more granular duties (HCM).
Some have created higher level duties grouping many privileges together.
Data Security
CRM: rules around opportunities, leads and territories, implemented via data security (detailed example in ppt).
HCM: rules around access based on relationship to employee, implemented via data security.
HCM's custom screen to generate data roles using Security Criteria & Profiles leverages data security.

Summary So Far

Who: implemented as Job Role.
What: implemented as Duties/Privileges. Controls menus, screens, buttons.
Which: implemented as Data Security + Data Roles. Controls onscreen data.
Caveat: a screen could be a view-only screen; data access to update the data won't help.

Visual Summary: EBS Mapping

EBS Responsibility maps to Fusion Data Roles, e.g. Benefits Administrator - US, Benefits Administrator - EMEA and Benefits Administrator - APAC, each tied to a US, EMEA or APAC Security Profile.
EBS Top Menu maps to Fusion Job Roles, e.g. Benefits Administrator.
EBS Sub Menu maps to Fusion Duty Roles, e.g. Person Configuration Duty and Benefits Setup Duty.
EBS Form Function maps to Fusion Privileges, e.g. Manage HR Person (Function & Data), Manage Person Name Format, Manage Benefit Eligibility Profile (Data), with their corresponding security policies.
Steps to Implement Security

Steps

1. Look at the Security Reference Implementation. Decide what Roles/Duties/Privileges/Data Security Policies you want.
2. Go in to screens and make changes.
3. Complete your application setups.
4. Generate your data roles.
5. Create rules for auto-provisioning roles.

Security Reference Implementation

Seeded common denominator implementation.
Starting point to make changes.
Manuals for each product describe the details.
Manuals are accessible via OER.
Excel spreadsheet format of Roles, Duties & Privileges is available via Metalink Note 1460486.1.
Menu to privilege mapping is currently available as a spreadsheet via Metalink Note 1459828.1.
Both these spreadsheets will also be available via OER shortly.

Screens to Make Changes

Oracle Identity Manager (Delegated Administration): create roles, create users, assign roles.
Authorization Policy Manager (Oracle Entitlements Server): generate data roles, manage the duties under a role, manage the privileges under duties, define data security policies.
HCM screen: Create Person, with roles auto-provisioned; the user is automatically sent to OIM.
Yes, you could create users and assign roles in OIM, but FSM steps you through here because HCM employee details are often needed in Apps for approvals etc.

Non-Employee Access to Fusion Apps

Options:
1. Create a different HCM person type and create the user in HCM with this person type. This will create the OIM user account.
2. Create the user in the Oracle Identity Manager Delegated Administration screen (instead of HCM's Manage Users screen) and assign the external role directly there. The user will not exist in HCM tables, but access to applications will work fine.

Changing a Role

In Oracle Identity Manager (Delegated Administration): the role and the data roles generated from it.
In Authorization Policy Manager (Oracle Entitlements Server): the duties under the role, the privileges under each duty, and the data security policies.

In order of increasing difficulty:
Change the role name in OIM.
Change the duties assigned to the role.
Change duties by changing the privileges under them.*

* For HCM this is not recommended, as HCM duty roles are very granular.

Data Role Generation

Can only be done after your setups (dimensions) are created. Done in Authorization Policy Manager.
Subsequently, when you add a dimension, roles get automatically generated.
HCM has its own screen for generating data roles. It allows you to specify Security Criteria & Security Profiles, features unique to HCM.

Create Auto-Provisioning Rules

Courtesy: John Thuringer


Create Person Auto-Provisioning

Terminology

Terminology Review

Security Reference Implementation
A complete example implementation of security for each Fusion offering.
Details are in the Security Reference Manuals for each product.
Role (External Role or Enterprise Role)
Created in LDAP (using Oracle Identity Manager).
You can also create a hierarchy of these roles.
Normally data roles are generated, which also govern the Business Unit (or other determinant) stripe of data the user will see.
Role Category
A way to classify roles.
Examples from the Reference Implementation: HCM Abstract Roles, HCM Job Roles, Financials Job Roles, etc.

Terminology

Abstract Role (External Role or Enterprise Role)
Abstract is nothing more than a category we seed to classify roles in our Reference Implementation.
Roles we seed that are in this category are accessory roles such as Employee, Contingent Worker etc.
Not a role you would find described on Monster.com.
Usually assigned directly; does not require a data role generated on top of it.
Job Role
Also nothing more than a category we seed.
Roles we seed that are in this category are roles that you would hire someone into: Accounts Payables Manager, Billing Clerk etc.
Usually requires a data role generated on top of it.

Terminology

Duty Role (Application Role or Principal)
This is the most granular form of role, created and managed in Authorization Policy Manager. Privileges are assigned to it.
Entitlement (or Privilege)
A right that can be granted or denied to a Duty Role.
Each privilege may secure function or data security.
Functional Policy
Grant of a set of privileges to a duty role.

Terminology

Data Security Policy
Grant of a set of privileges to a duty role on an Object for a given condition.
The possible actions you can pick from to create a policy are pre-defined for each Business Object.
Database Resource
A database table or group of tables with data.