
White Paper

Using Data Security Features of Oracle Fusion Product Data Hub

White Paper: Using Data Security Features of Oracle Fusion Product Hub Page 1 of 48
Document Control
Change Record

Date       Author                                                              Version  Change Reference
16-Dec-15  Dave Prasad (Principal Product Manager, Oracle Fusion Product Hub)  V0
06-Feb-18  Dave Prasad (Principal Product Manager, Oracle Fusion Product Hub)  V1       Updated the document for Navigation & UI changes for 18C

Contributors, Reviews and Approvals

Contributors

Name                Role
Ganesh Tirtur       Director, PIM Data Hub Customer Success
Anirudh Pasupuleti  Applications Engineer, PIM Data Hub Customer Success

Reviewers

Name Role Status Version Reviewed Date Reviewed Comments

Approvers

Name Role Status Version Approved Date Approved Comments

Table of Contents

Introduction
Scope and Audience
    Release
    Scope
    Audience
    Pre-Requisite
Overview
    Dimension-A: Who or Which Job Role
    Dimension-B: Which Item Organization
    Dimension-C: What Actions
    Dimension-D: Which Set of Product Hub Business Objects
    Summary
Product Hub Security Concepts Map
Concept Components – Detailed
    Dimension-A: Function Security for Product Hub
        1.1 Function Privileges for Product Hub
        1.2 Duty Role for Product Hub
        1.3 Job Role for Product Hub
        1.4 Person for Product Hub
    Dimension-B: Item Organization for Product Hub
        2.1 Item Organization
    Dimensions-C&D: Data Security for Product Hub
        3.1 Actions for Product Hub Operational Attributes
        3.2 Actions for Item EFF
            Table-1: Database Resource map
        3.3 Actions for Item EFF Attribute Group
        3.4 Actions for Item Class
        3.5 Actions for Item
        3.6 Person/Group+ Item Organization + Action
Illustrated Examples
    Example-1: Grant EFF View Action and EFF Edit Action for a Job Role for an Item Class
    Example-2: Grant EFF View Action for a Person limiting to a specific Item ID
Appendices
    Appendix-A Navigating to Functional Area
    Appendix-B Deploy Item Extensible Flexfields
    Appendix-C List of Pre-defined Operational Attribute Actions
    Appendix-D Navigating to Security Console
    Appendix-E Navigating to Manage Database Resources and Policies
FAQs
Reference
Glossary
About the Whitepaper
    Oracle Corporation
    Author and Date
    Copyright Information
    Disclaimer
    Trademark Information

Introduction
Oracle Fusion Product Hub (hereinafter referred to as Product Hub) enables organizations to take control of their
product master data across their entire portfolio of applications. With Product Hub, product information is shared
across multiple systems and users, resulting in improved data accuracy, better decisions, and accelerated time to
market.

The primary objective of this white paper is to provide an overview of Product Hub’s data security. Data
Security, in conjunction with Function Security of Oracle Fusion Applications (hereinafter referred to as Fusion
Applications), enables customers to configure flexible security solutions for simple to very complex access control
needs across multiple Item Organizations and Inventory Organizations (hereinafter referred to as Item Organization).

Data Security, in short, is "Who can do What to Which set of data."

Scope and Audience


Release
This document is applicable to the following releases:
• Release 18C and subsequent releases.

Scope

This document is a concept guide for users to help envisage implementation options for Data Security for Product
Hub business objects (Item Class and Items).

Access controls to Product Hub tasks/UIs are configured using Function Security features of Fusion Applications.
Function Security is not within the scope of this document.

Product Hub is often deployed in conjunction with other Fusion Applications and legacy applications.
Users should refer to the documentation of the respective business applications.

Audience
This document is intended for users who are responsible for Product Hub security administration. It assumes that the
reader has a good understanding of:
• Oracle Fusion Applications security concepts such as Function Security and Role Based Access Control
(RBAC)
• Product Hub functionalities and constructs such as Items, Item Class, Item EFFs and attribute groups.
It also assumes that the reader can perform common navigation to UIs and tasks such as Search, Edit and Save.

Pre-Requisite
Below are the prerequisites for the purpose of this white paper:
• The Product Management Offering has been configured.
• The Navigation sections in this document detail the Product Hub Tasks that need to be executed. Users should
ensure that they have the privileges to execute all the tasks.

For more details, please consult the Reference section.

Overview
Product Hub enables customers to build flexible, scalable, security solutions for complex access control
requirements for managing Product Information. Product Hub achieves this by interlocking Oracle Fusion
Applications Function Security with Product Hub’s Data Security and Item Organization.

At a conceptual level, Oracle Fusion Product Hub Data Security is built on four key dimensions. They are:

Who or Which Job Role, for
Which Item Organization, can perform
What Actions on
Which set of Product Hub business objects?

For example, user Eric Boyer (Who) or the job role Product Data Steward (Which Job Role) for Seattle branch
(Which Item Organization) is allowed to perform View Item Structure (What Actions) for Printer Item Class
(Which Set/subset of Product Hub objects).

Now let us further examine each of the said dimensions.

Dimension-A: Who or Which Job Role


A Product Hub user gains access privileges within Product Hub based on any of the below grants:
a) Access Privileges assigned to a Job Role or Duty Role that has been inherited by the user directly
or indirectly.
b) Access Privileges assigned to the user as a named individual (e.g., Eric Boyer).

Dimension-B: Which Item Organization


Product Hub allows a user to gain access to one or more Item Organizations.

Dimension-C: What Actions


Each Product Hub Function has one or more pre-defined privileges. The privileges determine what Actions can
be performed for the functionality. For example, ‘View Item Structure’ is an action that allows users only to
view the Item Structure, but not to edit it.

Product Hub also allows users to define custom data privileges for Item EFF Attribute Groups for View and/or
Edit if needed. The pre-defined data privilege ‘None’ can be assigned to an Item EFF Attribute Group if that
Attribute Group does not require access control restrictions.

Dimension-D: Which Set of Product Hub Business Objects


Product Hub allows a user to gain access to a specific Business Object, a set of attributes, or an instance of a
Business Object. The examples below illustrate the various levels at which data access can be granted.
a) Root Item Class (access granted at the highest parent level of Item Class)
b) Computer_Parts_and_Accessories (access granted at an intermediate parent level of Item Class)
c) Printers (access granted at the lowest child Item Class)
d) View_Item_Asset (access granted to a pre-defined Operational Attribute Group)
e) Printer Specifications (access granted to an Item EFF attribute group defined by the Item
Extensible Flexfields functionality)
f) Item # AS65006 (FasPrint-2245) (access granted to a specific item)

Summary
Product Hub determines user access to a specific set of data based on Actions defined at Item Class level and/or
Item level. In short, it is "Who can do What to Which set of data."

Product Hub Security Concepts Map

[Figure: Product Hub Security Concepts Map. Legend: Oracle Fusion Applications (Function Security), Oracle Fusion
Product Hub (Data Security), logical relationships, explicit assignments. Concept component blocks: 1.1 Function
Privileges for Product Hub; 1.2 Duty Role for Product Hub; 1.3 Job Role for Product Hub; 1.4 Person for Product
Hub; 2.1 Item Organization (Item/Inventory Organization); 3.1 Actions for Product Hub Operational Attributes;
3.2 Actions for Item EFF (View privileges, Edit privileges, Data Level, Translatable); 3.3 Actions for Item EFF
Attribute Group; 3.4 Actions for Item Class (Item Class People); 3.5 Actions for Item (Item People; operational
attributes and Item level, Item Revision level and Item Supplier level EFF attributes); 3.6 Person/Group + Item
Organization + Action.]

Concept Components – Detailed
In this section, we will discuss each of the concept component blocks in the Product Hub Security Concepts Map.
Each of the concept components is represented as a block and is numbered and ordered in the logical
implementation sequence. However, users may tailor the implementation sequence to suit their business process
needs subject to the Product Hub/Fusion Applications constraints.

Common navigation steps have been detailed in various Appendices (as listed below) to avoid repetition.
How to                                                Appendix
Navigate to Functional Area and Task                  Appendix-A
Deploy Item Extensible Flexfields                     Appendix-B
Navigate to Security Console                          Appendix-D
Navigate to Manage Database Resources and Policies    Appendix-E

In most cases, each of the concept component blocks has a Product Hub task associated with it. However, there are
instances where the concept component block may not have any Product Hub task associated with it.
Let us look in detail at each of the Data Security dimensions.

Dimension-A: Function Security for Product Hub
This part of the concept map covers the Tasks that are needed to secure the Functions (UI, Web Services and
schedulable jobs/resources) for a user. In Application Policy Management (APM), Functions are called ‘Targets’.

1.1 Function Privileges for Product Hub


a) Description
Fusion Applications provides a set of pre-defined Function Privileges. The function privilege determines
which UI, Web Services or scheduled process a user can access based on the Duty Role or the Job Role
they are assigned to.

Please note that the pre-defined Function Privileges for Product Hub cannot be altered. Users can add new
custom Function Privileges as needed. Please refer to RBAC documentation.

Function Privileges can be assigned only to a Duty Role and never to a User or Job Role directly.
This is not a required step. This is mentioned in this document to help understand Function Security
concepts.

b) Navigation
Step-1: Navigate to the Security Console and click on Roles icon
Step-2: Search and view (if necessary) privileges of interest.
Search Object: Privileges
Privilege Name: Manage Item


c) Next Step
Please refer to 1.2 Duty Role for Product Hub

1.2 Duty Role for Product Hub
a) Description
Fusion Applications allows users to create Duty Roles, each of which is made up of one or more Function Privileges
and/or one or more Duty Roles. Product Hub provides a set of pre-defined Duty Roles that meets most of
the common industry requirements.

Please note that the pre-defined Duty Roles for Product Hub can be altered as needed. If users need to add
a custom Duty Role, please refer to RBAC.

This is not a required step if business needs can be met by using the pre-defined Duty Roles.

b) Navigation
Step-1: Navigate to the Security Console and click on Roles icon
Step-2: Search and view (if necessary) privileges of interest.
Search Object: Duty Roles
Privilege Name: Item Management

c) Next Step
Please refer to 1.3 Job Role for Product Hub

1.3 Job Role for Product Hub

a) Description
Fusion Applications allow users to create Job Roles made up of one or more Duty Roles or Job Roles.

Please note that the pre-defined Job Roles for Product Hub can be tailored as needed. If users need to add
custom Job Roles, please refer to RBAC.

b) Navigation
Step-1: Navigate to the Security Console and click on Roles icon
Step-2: Search and view (if necessary) privileges of interest.
Search Object: Job Roles
Privilege Name: Product Data Steward

c) Next Step
Please refer to 1.4 Person for Product Hub

1.4 Person for Product Hub

a) Description
Fusion Applications allows users to create Users who can be assigned multiple Job roles or Duty Roles.
Please refer to RBAC for more details.

b) Navigation
Step-1: Navigate to the Security Console and click on Users icon

c) Best Practice
• Users may be created using Fusion Applications HCM Manage User Task.
• Users may be created using external LDAP systems as well.

Dimension-B: Item Organization for Product Hub

2.1 Item Organization


This part of the concept map covers the Tasks that are needed to define Item Organizations and Inventory
Organizations of the business.

a) Description
Product Hub allows users to create Item Organizations and Inventory Organizations. Items are
assigned to Item Organizations and transacted through Inventory Organizations.

For details, please refer to Oracle® Fusion Applications Enterprise Structures Concepts Guide

b) Navigation
• Setting up Item Organization
Step-A1: Navigate to the below Functional Area and execute the below Task
Functional Area: Item Organizations
Task: Manage Item Organizations

Step-A2: Search for the desired Item Organization. System displays Item Organization details.


• Setting up Inventory Organization
Step-B1: Navigate to the below Functional Area and execute the below Task
Functional Area: Inventory Organizations
Task: Manage Inventory Organizations

Step-B2: Search for the desired Inventory Organization. System displays Inventory Organization
details.

Dimensions-C&D: Data Security for Product Hub
This part of the concept map covers the Tasks that are needed to define the Data Security for Product Hub.

3.1 Actions for Product Hub Operational Attributes

a) Description
Product Hub allows users to secure Operational Attribute Groups. For example, Product Hub Action
‘Maintain Item Purchasing Group’ allows Principals (Person/Job Role/Duty Role) to manage attributes
related to Purchasing for an Item. Similarly the action, Maintain Item Receiving Group allows Principals
to manage receiving related attributes of Item.

These pre-defined Actions can be assigned in any combination to a Principal based on multiple factors, as
explained in “3.6 Person/Group+ Item Organization + Action”.

Please note that the pre-defined Actions for Product Hub Operational Attributes cannot be altered.

For a complete list of pre-defined Actions please refer to Appendix- C List of Pre-defined Operational
Attribute Actions

b) Navigation
Step-1: Navigate to the Manage Database Resources and Policies UI and search for the below Database
Resource
Object to be Searched for: EGP_SYSTEM_ITEMS_B

Step-2: Click ‘Edit’ and navigate to the ‘Actions’ tab. Review the available Actions for managing access
control for different segments of item data.

c) Next Step
Please refer to “3.6 Person/Group+ Inventory/Item Organization + Action”

3.2 Actions for Item EFF

b) Description
Product Hub allows users to add additional custom attributes by using Item EFF (Item Extensible
Flexfields). The additional custom attributes are grouped into one or more Item EFF attribute groups.
Users can restrict access to an Item EFF Attribute Group by defining various Actions. The Actions, at this
stage are mere labels or tokens that a user can create. They do not carry any functional value until used in
the below concept components.

• 3.3 Actions for Item EFF Attribute Group
• 3.4 Actions for Item Class
• 3.5 Actions for Item

The following three factors should be considered while creating Item EFF Actions.
i. Action Type
ii. Translatability
iii. Data Level

Action Type
There are two types of Item EFF attribute group Actions (Action Type). One is the View privilege
(hereinafter referred to as EFF View Action) and the other is the Edit privilege (hereinafter referred to
as EFF Edit Action). Principals who inherit the EFF View Action are restricted to read-only access to
the specific Item EFF Attribute Group, while those who inherit both the EFF View Action and the EFF
Edit Action can read and also edit the values for the Item EFF Attribute Group.

Translatability
Each Item EFF attribute group is marked as Translatable: Yes/No. Attribute groups that are
translatable can have values in multiple languages in addition to the mandatory English value. The
translatability characteristic determines on which database resource the Privileges for Item EFF are
created.

Data Level
The Item EFF attribute group can be associated with one or more of the following levels. The Data
Levels also determine on which database resource the Privileges for Item EFF are created.
• Item
• Item Revision
• Item Supplier

Shown here are the database resources on which grants should be assigned based on the
above-mentioned factors.

Table-1: Database Resource map

Action Type  Translatable  Data Level     Database Resource Name
View/Edit    No            Item           Item Data Level - EGO_ITEM_EFF_B
View/Edit    Yes           Item           Item Data Level Translatable - EGO_ITEM_EFF_VL
View/Edit    No            Item Revision  Item Revision Data Level - EGO_ITEM_REVISION_EFF_B
View/Edit    Yes           Item Revision  Item Revision Data Level Translatable - EGO_ITEM_REVISION_EFF_VL
View/Edit    No            Item Supplier  Item Supplier Data Level - EGO_ITEM_SUPPLIER_EFF_B
View/Edit    Yes           Item Supplier  Item Supplier Data Level Translatable - EGO_ITEM_SUPPLIER_EFF_VL

c) Navigation
Step-1: Navigate to the Manage Database Resources and Policies UI (Appendix-E) and search for the
below Database Resource
Object to be Searched for: EGO_ITEM_EFF_B

Step-2: Edit the searched object EGO_ITEM_EFF_B and navigate to the ‘Actions’ tab to add “Actions” of
your interest.


d) Next Step
3.3 Actions for Item EFF Attribute Group
e) Exceptions
If there is no custom Item EFF defined in the Product Hub or there is no need to secure access by Item EFF
Attribute group, this step can be ignored.
f) Best Practice
• Actions may be created using a suitable self-explanatory naming convention. For example, add a suffix
or prefix of ‘view’ or ‘edit’ to indicate the type of Action.
• Actions may be reused/shared across multiple Item EFF Attribute Groups. So, if an Item Class
has multiple Item EFF Attribute Groups defined and the Data Security standards allow users
access to multiple Item EFF Attribute Groups, then Actions may be reused. This will help reduce
maintenance.

3.3 Actions for Item EFF Attribute Group

a) Description
Product Hub allows users to add additional custom attributes by using Item Extensible Flexfields
functionality (herein after referred as Item EFF). The additional custom attributes are bundled into one or
more logical Item EFF attribute groups.

Each Item EFF Attribute Group may be Translation enabled and be assigned to one or more of the below
Data Levels
• Item
• Item Revision
• Item Supplier

An Item EFF Attribute Group can be secured for a specific EFF View Action and/or EFF Edit Action.
The UI provides a pick list of available Actions as per Table-1: Database Resource map.

Note 1. If there is no requirement to restrict View Access, then the EFF View Action should be
assigned to ‘None’.
2. If there is no requirement to restrict Edit Access, then the EFF Edit Action should be
assigned to ‘None’.

b) Navigation
Step-1: Navigate to the below Functional Area and execute the below Task
Functional Area: Items
Task: Manage Item Attribute Groups and Attributes
Step-2: System displays the UI. Search for the Item EFF attribute group of interest. Or if it is a new Item
EFF Attribute Group, then create as needed
Step-3: Navigate to View Privilege field and assign EFF View Actions as needed.
Then Navigate to Edit Privilege field and assign Edit Actions as needed.

[Screenshot: Item EFF attribute group fields: Translatable, Data Level, View Privilege, Edit Privilege]

Step-4: Navigate to the below Functional Area and execute the below Task
Functional Area: Items
Task: Deploy Item Extensible Flexfields (Refer to Appendix- B)
c) Next Step
Please refer to 3.4 Actions for Item Class
d) Exceptions
Please note that this step can be ignored if there is no need for securing data by Item EFF Attribute Group.
System will default “None” as the action for both EFF View Action and EFF Edit Action. It means that all
users will have access to the specific Item EFF Attribute Group.
e) Best Practices
Please note that Data Security is granted to the Item EFF Attribute Group and not to the individual
attribute. This should be factored in while designing Item EFF Attribute Groups.

3.4 Actions for Item Class

a) Description
Product Hub allows Principals to secure access to an Item Class for a specific Item Organization by
Operational Attribute Groups and its Item EFF Attribute Groups.

Please note that the resulting set of Data Security privileges granted to a user on an Item Class in an Item
Organization is the sum total of the below:
i. Pre-defined Actions of the operational attributes granted to the user as a named individual for an
Item Organization on the Item Class directly or on any of its parent Item Classes.

ii. Pre-defined Actions of the operational attributes granted to the user’s Duty Role or Job Role for an
Item Organization on the Item Class directly or on any of its parent Item Classes.

iii. EFF View Actions of the Item EFF Attribute Group granted to the user as a named individual for
an Item Organization on the Item Class directly or on any of its parent Item Classes.

iv. EFF View Actions of the Item EFF Attribute Group granted to the user’s Duty Role or Job Role for
an Item Organization on the Item Class directly or on any of its parent Item Classes.

v. EFF Edit Actions of the Item EFF Attribute Group granted to the user as a named individual for an
Item Organization on the Item Class directly or on any of its parent Item Classes.

vi. EFF Edit Actions of the Item EFF Attribute Group granted to the user’s Duty Role or Job Role for
an Item Organization on the Item Class directly or on any of its parent Item Classes.

Note 1. Each privilege assignment is valid for a specific period only.
2. If the View privilege is assigned to None while defining an Item EFF Attribute Group
(Concept Component 3.3), then any user having access privilege to the Item Class for the
Organization has view access to the said Item EFF Attribute Group.
3. If the Edit privilege is assigned to None while defining an Item EFF Attribute Group
(Concept Component 3.3), then any user having access privilege to the Item Class for the
Organization has Edit access to the said Item EFF Attribute Group.
4. Edit privileges are applied in conjunction with View privileges. Hence users must have
valid View privileges for the Edit privileges to take effect.
5. For Data Security purposes, Privileges/Actions must be assigned to a Principal for each
Item Organization explicitly.

b) Navigation
Step-1: Navigate to the below Functional Area and execute the below Task
Functional Area: Items
Task: Manage Item Classes.
Step-2: System displays the Item Classes. Select the Item Class that needs to be data secured and
navigate to the Security tab. The screenshot callouts below explain how the example data maps to each
of the Product Hub Data Security dimensions.

Who or Which Job Role:
In this case it is the person named Eric Boyer.

Which Item Organization

Which Set of Product Hub Business Objects:
In this case, the Data Security has been granted at Item Class ‘Printer’
level. It means that Eric.Boyer will have the same privileges to all items
of the ‘Printer’ Item Class and all Items belonging to child Item Classes
of the ‘Printer’ Item Class.

What Actions:
In this case, it is an ‘EFF Edit Action’ of an Item EFF attribute
group that has been associated at Item Level.


c) Next Step
Please refer to 3.5 Actions for Item
d) Exceptions
Please note that this step can be ignored if no custom Item EFF is defined in the environment or
there is no need to secure access by Item EFF Attribute Group.
e) Best Practice
• Assigning privilege at Duty Role level may be considered to help reduce maintenance effort
compared to assigning privilege at Person level
• Assigning privilege at Job Role level may be considered to help reduce maintenance effort
compared to assigning privilege at Person level

3.5 Actions for Item

1) Description
Product Hub allows Principals to secure access to data to a specific Item for a specific Item Organization
by Operational Attribute Groups and its Item EFF Attribute Groups

Please note that the resulting set of Data Security privileges granted to a user on an Item in an Item
Organization is the sum total of the following:
i. Pre-defined Actions of the operational attributes granted to the user as a named individual for an
Item Organization on the Item directly, on its Item Class, or on any of its parent Item Classes.

ii. Pre-defined Actions of the operational attributes granted to the user’s Duty Role or Job Role for
an Item Organization on the Item directly, on its Item Class, or on any of its parent Item Classes.

iii. EFF View Actions of the Item EFF Attribute Group granted to the user as a named individual for
an Item Organization on the Item directly, on its Item Class, or on any of its parent Item Classes.

iv. EFF View Actions of the Item EFF Attribute Group granted to the user’s Duty Role or Job Role
for an Item Organization on the Item directly, on its Item Class, or on any of its parent Item
Classes.

v. EFF Edit Actions of the Item EFF Attribute Group granted to the user as a named individual for
an Item Organization on the Item directly, on its Item Class, or on any of its parent Item Classes.

vi. EFF Edit Actions of the Item EFF Attribute Group granted to the user’s Duty Role or Job Role
for an Item Organization on the Item directly, on its Item Class, or on any of its parent Item
Classes.

Note 1. Each privilege assignment is valid for a specific period only.
2. If the View privilege has been set to ‘None’ while defining an Item EFF Attribute Group
(Concept Component 3.3), then any user with access privilege to the Item Class for the
Organization will have View access to the said Item EFF Attribute Group.
3. If the Edit privilege has been set to ‘None’ while defining an Item EFF Attribute Group
(Concept Component 3.3), then any user with access privilege to the Item Class for the
Organization will have Edit access to the said Item EFF Attribute Group.

a) Navigation
Step-1: Navigate to work area
Task: Create Items.
Step-2: System displays the create Item UI.
Step-3: Create your items and click Save. Then, for the item, navigate to Item People tab and assign Data
Security.
The screen shot below shows how the example data maps to each of the Product Hub Data
Security Dimensions.
• Which Set of Product Hub Business Objects: In this case, the Data Security has been granted to a
specific Item, AS65007.
• Who or Which Job Role: In this case it is the person named Adam Jones.
• Which Inventory Organization
• What Actions: In this case, it is ‘EFF Edit Actions’ as well as ‘EFF View Actions’ of an
Item EFF attribute Group that have been associated at Item Level.

Other Notes:
Below are additional observations:
1. Anyone inheriting the Duty Role ‘EGP Product Manager’ has access privileges on this
item because they have been granted privilege at the ‘Root Item’ class level itself. The Root
Item Class is the parent of all Item Classes.
2. Person Matt Smith has access privileges on this item because they have been granted
privilege at the ‘Printer’ Item Class level itself.

3.6 Person/Group + Item Organization + Action

a) Description
This concept component is a phantom component. It has no task associated with it. It is included in the
concept map to help illustrate the logical relationships between the various dimensions.

Illustrated Examples
Below are some of the examples that illustrate the concepts.

Note 1. It is assumed that the example users have been granted the required Function Security
privileges. Hence the focus is on Product Hub’s Data Security privileges only.

Example-1: Grant EFF View Action and EFF Edit Action for a Job Role for an Item Class

Let us say a business wants to provide EFF View Action and EFF Edit Action to a Job Role ‘Data Steward for Office Machines’ on a custom Item EFF
attribute Group ‘Printer Specification’, which is a non-translatable, Item Level EFF. The table below provides step-by-step instructions as they relate to the
concept map diagram.

Step # / Step Description / Task / Key Data / Concept Component #

Step 1
Step: Create EFF_View_Printer_Speed privilege
Navigation: Manage Database Resources and Policies UI (Appendix - E)
Key Data:
• Database Object Name: EGO_ITEM_EFF_B
• Display Name: Item Data Level - EGO_ITEM_EFF_B
• Privileges:
o EFF_View_Printer_speed
o EFF_Edit_Printer_speed
Concept Component #: 3.2

Step 2
Step: Create EFF attribute Group and assign EFF View Action and EFF Edit Action
Task: Manage Item Attribute Groups and Attributes
Key Data:
• Display Name: Printer Specifications
• Translatable: Unselected
• Name: Item
• View Privilege: EFF_View_Printer_speed
• Edit Privilege: EFF_Edit_Printer_speed
Concept Component #: 3.3

Step 3
Step: Add EFF group to the Item Class and assign security
Task:
Key Data:
• Item Class: PrintersPOS
• Attribute Group: Printer Specifications
• Page: Specifications
• Principal: Group
• Name: Data Steward for Office Machines
• Organization: V1
• Start Date: Today’s date
• Action: EFF_View_Printer_Speed, EFF_Edit_Printer_Speed
• Data Level: Item
Concept Component #: 3.4

Step 4
Deploy Item EFF (Scheduled Task). Refer to Appendix- B

Step 5
Logout

Step 6
Login as any user who has inherited the job role Data Steward for Office Machines.
Edit an item belonging to Item Class: PrinterPOS.
Note that the user can View & Edit Item EFF attribute Group Printer Specifications.

Example-2: Grant EFF View Action for a Person limiting to a specific Item ID

Let us say a business wants to provide EFF View Action on a custom Item EFF attribute Group Printer Specification (a non-translatable,
Item Level EFF) to a specific user TING.HU, even though user TING.HU does not have any access privilege to the Item Class Printer to which the
specific Item AS65000 belongs. The table below provides step-by-step details as they relate to the concept map diagram.

Step # / Step Description / Task / Key Data / Concept Component #

Step 1
Step: Create EFF_View_Printer_Speed privilege
Navigation: Manage Database Resources and Policies UI (Appendix - E)
Key Data:
• Database Object Name: EGO_ITEM_EFF_B
• Display Name: Item Data Level - EGO_ITEM_EFF_B
• Privileges:
o EFF_View_Printer_speed
o EFF_Edit_Printer_speed
Concept Component #: 3.2

Step 2
Step: Create EFF attribute Group and assign EFF View Action and EFF Edit Action
Task: Manage Item Attribute Groups and Attributes
Key Data:
• Display Name: Printer Specifications
• Translatable: Unselected
• Name: Item
• View Privilege: EFF_View_Printer_speed
• Edit Privilege: EFF_Edit_Printer_speed
Concept Component #: 3.3

Step 3
Step: Add EFF group to the Item Class and verify that the person does not have any privilege at Item Class level.
Task:
Key Data:
• Item Class: Printers
• Attribute Group: Printer Specifications
• Page: Specifications
• Principal: Person
• Name: TING.HU
• Organization: 002
Note that TING.HU has no privileges at the Printer Class level.
Concept Component #: 3.4

Step 4
Deploy Item EFF (Scheduled Task). Refer to Appendix- B

Step 5
Step: Grant Privileges to Ting.Hu to a specific Item
Task: Manage Items
Key Data:
• Item Class: Printers
• Item: AS65000
• Principal: Person
• Name: TING.HU
• Organization: 002
• Start Date: Today’s date
• Actions: EFF_View_Printer_Speed
Concept Component #: 3.5

Step 6
Login as TING.HU.
Edit item AS65000 for Item organization 002. Note that TING.HU can view Item EFF attribute Group Printer
Specifications even though the said user has no access privilege to the Item Class at all.
Data is not editable.

Appendices
Appendix- A Navigating to Functional Area
Oracle Fusion Applications provides easy access to setup tasks by grouping them under Functional Areas.
Below are the steps for navigating to a Functional Area.

Step-1 :
From your home page, click on the Navigator

Step-2:
Click on Setup and Maintenance in the Others section

Step-3:
Choose the Offering of your interest.

Note 1. Please note that the list of Functional Areas available in the actual UI may differ from the above
screen shot based on the Offering choices available for your environment

Step-4:
Click on the Functional Area of your interest and then invoke the Task of your choice.

Appendix- B Deploy Item Extensible Flexfields
Whenever any change (other than security assignment to Principals) is made to an Item EFF Attribute Group
or Item Class, the ‘Deploy Item Extensible Flexfields’ task must be executed and completed successfully for
the change to take effect. Below are the relevant steps.

Step-1: Navigate to the below Functional Area (Appendix-A) and click on the below Task
Functional Area: Items
Task: Deploy Item Extensible Flexfields

Step-2: Search for the below Business Object and click either of the Deploy Flexfield buttons. The Deploy Offline
option is recommended if you have made many changes to EFF configurations.
Name: Item Extended Attributes

Step-3: Ensure that the deployment is completed successfully.

Note: As ‘Deploy Item EFF’ is a compute-intensive operation, it may be coordinated with System Administrators.

Appendix- C List of Pre-defined Operational Attribute Actions
Product Hub provides a list of pre-defined privileges for Operational Attribute Groups as listed below.

Data Level Pre-defined Action Name


Item Maintain Item Asset Maintenance Group
Item Maintain Item Attribute
Item Maintain Item Basic
Item Maintain Item Costing Group
Item Maintain Item General Planning Group
Item Maintain Item Inventory Group
Item Maintain Item Invoicing Group
Item Maintain Item Lead Times Group
Item Maintain Item MRP And MPS Group
Item Maintain Item Order Management Group
Item Maintain Item Pack
Item Maintain Item People
Item Maintain Item Physical Group
Item Maintain Item Primary Group
Item Maintain Item Process Manufacturing Group
Item Maintain Item Purchasing Group
Item Maintain Item Receiving Group
Item Maintain Item Revision
Item Maintain Item Service Group
Item Maintain Item Structure
Item Maintain Item Structure Group
Item Maintain Item Web Option Group
Item Maintain Item Work In Process Group
Item View Item Attribute
Item View Item Basic
Item View Item Pack
Item View Item Structure

Appendix- D Navigating to Security Console
Oracle Fusion Applications provides a Security Console to manage users and job roles, duty roles and privileges.
Below are the steps for navigating to the Security Console

Step-1
From your home page, click on Navigator icon

Step-2
Click on the Security Console icon

Product Hub displays the UI for managing Functional Security

Appendix- E Navigating to Manage Database Resources and Policies
Oracle Fusion Applications provides a UI to manage database resources and security policies. Below
are the steps for navigating to the Manage Database Resources and Policies UI.

Step-1
Navigate to Security Console (Refer to Appendix-D)

Step-3
Click on the Administration icon and then Manage Database Resources button

Product Hub displays the Manage Database Resources and Policies UI

FAQs
The below are some of the Frequently Asked Questions.

1) Is Fusion Applications’ Data Security functionality (Data Roles) the same as the Data Security
functionality of Product Hub? Are they interchangeable?

No. They are different. They are designed to meet two different sets of security requirements. Data
Security functionality of Product Hub is specifically designed to meet Product Management industry
requirement. They are not interchangeable

2) Can I use Fusion Application’s Data Role Template to secure data access for Product Hub data?

No. Data Role Template is specifically designed to be used with Fusion Application’s Data Security
functionality only

3) When is ‘Deploy Item Extensible Flexfields’ necessary and when not necessary?

Any of the below changes requires execution of ‘Deploy Item Extensible Flexfields’:
• Any change to Item EFF attribute Group, including
o attribute definition changes
o Action assignment changes to the Item EFF attribute Group

None of the below changes requires execution of ‘Deploy Item Extensible Flexfields’:
• Any EFF View Action assignment changes to a Principal at Item Class or Items Level
• Any EFF Edit Action assignment changes to a Principal at Item Class or Items Level

4) If I need to grant EFF Edit Action to a user, do I need to grant EFF View Action also at the Item
EFF attribute Group level?
Yes. Only if the users have EFF View Action, they can have EFF Edit Action.

5) If I assign Actions to a user at a parent Item Class Level after the children classes have been created,
will the change be automatically propagated to all the children Item Class and the Items?
Yes. Any Action rights changes for Item EFF at the Item Class level will be automatically propagated to all
the children classes and their items even if the Items have been created prior to the changes in the action.

For example, let us say on 01-Jan-YY an Item Class ‘IC-XXXXX’ was created with unrestricted EFF
Action rights by setting the EFF View Actions to none and EFF Edit Actions to none. Then many
children classes and items were created. They also inherit unrestricted EFF Action rights from the parent.
Let us say one month later, on 01-Feb-YY, the said Item Class IC-XXXXX was assigned a specific
combination of EFF View Action and EFF Edit Action, restricting the EFF actions. This change will be
applied to all the existing data (items, children item classes and the items of the children item classes) as
well as to all new data that will be created.

6) If I want to grant privilege to a user to a specific Item, should the user also be granted privilege at its
Item Class level?
No. Users can be granted action rights to a specific Item even if the user does not have access rights to its
Item Class or its parent Item Class.

7) Can I grant privilege to a user to an Item Class, excluding a specific Item within the Item Class?
No. Users who have action rights to an Item Class have action rights to access all items belonging to the
item class or any of its children item classes.

8) Do Actions granted to a user at the ‘named individual’ level for an Item/Item Class override the Actions
granted to the user’s Duty Role/Job Roles for an Item/Item Class?
No. The resulting Actions will be a super set of the Actions granted at different levels. Please refer to the below
for details.
3.4 Actions for Item Class
3.5 Actions for Items

9) Is there a pre-defined user name for configuring Function Security and Data Security?
Yes. Below are the details.

Pre-defined User: Application Function
• IT_SECURITY_MANAGER: User Management, Fusion Duty Role Management, Job Role Management
• Application_Implementation_Consultant: Data Security
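
The evaluation rules in section 3.5 and in FAQs 4 to 8 (grants are summed across the person and their roles and across the Item, its Item Class and parent Item Classes; each grant has a validity period; a ‘None’ privilege opens the attribute group to anyone with Item Class access; Edit presupposes View) can be exercised in a small model. This is an added illustration, not Oracle code or the Product Hub implementation: the class and function names, the dates, TEMP.USER and ‘Open Group’ are constructed, and the way the ‘None’ rule and the View prerequisite combine is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data, loosely following Example-1 and Example-2.
CLASS_PARENT = {"Printers": "Root Item Class", "Root Item Class": None}
ITEM_CLASS = {"AS65000": "Printers", "AS65007": "Printers"}
VIEW, EDIT = "EFF_View_Printer_Speed", "EFF_Edit_Printer_Speed"

@dataclass(frozen=True)
class Grant:
    principal: str               # login id, or a Duty Role / Job Role name
    org: str                     # Item Organization
    target: str                  # an Item or an Item Class
    actions: frozenset
    start: date
    end: Optional[date] = None   # None = no end date (assumption)

    def valid_on(self, day):
        return self.start <= day and (self.end is None or day <= self.end)

@dataclass(frozen=True)
class EffGroup:
    name: str
    view_privilege: Optional[str]   # None models the 'None' setting
    edit_privilege: Optional[str]

def class_chain(item):
    """The item's Item Class followed by every parent Item Class."""
    chain, cls = [], ITEM_CLASS[item]
    while cls is not None:
        chain.append(cls)
        cls = CLASS_PARENT[cls]
    return chain

def effective_actions(grants, user, roles, item, org, day):
    """Union of all valid grants reaching the item, plus a class-level access flag."""
    principals, chain = {user, *roles}, class_chain(item)
    actions, class_access = set(), False
    for g in grants:
        if g.principal not in principals or g.org != org or not g.valid_on(day):
            continue
        if g.target in chain:
            class_access = True
        if g.target == item or g.target in chain:
            actions |= g.actions
    return actions, class_access

def eff_access(grants, group, user, roles, item, org, day):
    """(can_view, can_edit) for one Item EFF Attribute Group."""
    actions, class_access = effective_actions(grants, user, roles, item, org, day)

    def allowed(privilege):
        # 'None' on the group: any user with Item Class access qualifies.
        return class_access if privilege is None else privilege in actions

    can_view = allowed(group.view_privilege)
    # Assumption: the View prerequisite for Edit (FAQ 4) is applied as a hard gate.
    return can_view, can_view and allowed(group.edit_privilege)

STEWARD = "Data Steward for Office Machines"
GRANTS = [
    Grant(STEWARD, "V1", "Printers", frozenset({VIEW, EDIT}), date(2018, 2, 6)),
    Grant("TING.HU", "002", "AS65000", frozenset({VIEW}), date(2018, 2, 6)),
    Grant("TEMP.USER", "002", "Printers", frozenset({VIEW}),
          date(2018, 2, 6), date(2018, 3, 6)),
]
PRINTER_SPEC = EffGroup("Printer Specifications", VIEW, EDIT)
OPEN_GROUP = EffGroup("Open Group", None, None)
```

With these grants, `eff_access(GRANTS, PRINTER_SPEC, "TING.HU", [], "AS65000", "002", date(2018, 2, 10))` returns `(True, False)`, the view-only outcome of Example-2, while the same call for item AS65007 returns `(False, False)` because the grant was made on one Item only.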

Reference
Below is a list of suggested reference documents.

Topic: Reference Documents

• Function Security / Role Based Access Controls (RBAC): Oracle Fusion Application - Fusion Security - "User - Role
Administration" (Doc ID 1631632.2)
• Oracle Fusion Product Hub constructs: http://docs.oracle.com/cloud/latest/scmcs_gs/FAPIM/toc.htm
http://docs.oracle.com/cloud/latest/scmcs_gs/OAPMT/toc.htm
• Oracle® Fusion Applications Enterprise Structures Concepts Guide: http://docs.oracle.com/cd/E37017_01/doc.1115/e22899.pdf
• Pre-defined Duty Roles/Job Roles: Security Reference for Product Information Management and Cost
Management

Glossary
• Action
Product Hub offers two types of Actions. They are View and Edit. They are also known as privileges.
Those who have EFF View Action can only view the attributes. Those who have EFF Edit Action can
only make changes to the attributes.
• Action Rights
Same as Action. It determines what kind of Actions a Principal can perform.
• EFF Action
Product Hub offers two types of Actions on Item EFF Attribute Groups. They are View and Edit on a
specific Item EFF Attribute Group. They are also known as View privileges (EFF View Action) and
Edit privileges (EFF Edit Action).
• EFF Edit Action
EFF Edit Action allows users to update data for attributes of a specific EFF Attribute Group. Please
note EFF View Action privilege for an EFF Attribute Group is pre-requisite for EFF Edit Action.
• EFF View Action
EFF View Action allows users to view data for attributes of a specific EFF Attribute Group.
• Data Security
This is functionality of Oracle Fusion Product Hub that allows users access to a specific attribute group
(Operational/EFF) via an Item Class or an Item
• Function Security
This is functionality of Oracle Fusion Applications that allows users access to a UI (Ex: Create Item,
Manage Users) or scheduled process.
• Fusion Applications
Oracle Fusion Applications is referred to in this document as Fusion Applications.
• Item Organizations
The Item Organizations should be Item Organizations or Inventory organizations
• Product Hub
Oracle Fusion Product Hub is referred to in this document as Product Hub
• Principal
This is an actor who is granted privilege to access in Product Hub Data Security. Principal can be an
individual (as identified by his/her login id) or a Duty Role/Job Role
• Privilege/Action
This refers to what Actions (View/Edit) a principal can perform on a specific attribute group
(Operational/EFF)
• RBAC
Role Based Access Control (RBAC) is a security functionality of Fusion Applications
• Scheduled Process
They are also known as ESS jobs. Scheduled jobs are Fusion Applications processes that can be
executed asynchronously in the background
• Target
This is a term used in APM to denote Task Flow (UI) , web service, functional privileges.

• User
Login user of Product Hub

About the Whitepaper
Oracle Corporation

Author and Date


Dave Prasad, 16-Dec-2015
(Principal Product Manager, Oracle Fusion Product Hub)

Copyright Information
Copyright © 2005, 2006 Oracle. All rights reserved.

Disclaimer
This document in any form, software or printed matter, contains proprietary information that is the exclusive
property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions of your
Oracle Software License and Service Agreement, which has been executed and with which you agree to comply.
This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone
outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can
it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

This document is for informational purposes only and is intended solely to assist you in planning for the
implementation and upgrade of the product features described. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development, release, and
timing of any features or functionality described in this document remains at the sole discretion of Oracle.

Due to the nature of the product architecture, it may not be possible to safely include all features described in this
document without risking significant destabilization of the code.

Trademark Information
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.
