
ERP Cloud Financials

Fusion Cash Management R11


(8) Security

By Elaine Formenton Furtado


Product Manager, Fusion Applications

August, 2016

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Fusion Cash Management – R11 Trainings
https://stbeehive.oracle.com/teamcollab/wiki/Fusion+Cash+Management+Trainings:Home

(1) Bank Account Model
(2) Bank Statement Processing
(3) External Transactions
(4) Manual Reconciliation
(5) Auto Reconciliation
(6) Cash Positioning and Forecasting
(7) Bank Transfers & Ad Hoc Payments
(8) Cash Management Security
(9) SLA Setup for Cash Management

Topics
1 Security Concepts
2 Security Console
3 Cash Management Roles and Privileges
4 Upgraded Customers: Points to Consider
5 Securing Bank Accounts
6 Use Case 1: Securing Bank Accounts by Users and Roles
7 Use Case 2: Customizing Roles
8 Links & Documents

Security Concepts
Job Roles, Abstract Roles, Duty Roles…

Securing Oracle ERP Cloud R11

[Diagram: Roles (Job Roles, Abstract Roles, Duty Roles, External Roles, Application Roles), Inheritance, Privileges, Function Security Policies, Data Security Policies, Security Console]

Security Concepts
Role Types
• Oracle ERP Cloud uses role-based access control (RBAC).
• Access to functions and data is defined via roles, not user by user.
• Oracle ERP Cloud uses the following types of roles:
- Job Roles
  • Represent jobs that users perform in an organization, e.g. Cash Manager.
  Introduced by the Simplified Role Hierarchy in Release 10:
  • Enterprise Job Roles – Considered external roles. They are assigned to users.
  • Application Job Roles – Predelivered top-level role assigned for each Enterprise Job Role. Not assignable to users directly.

- Abstract Roles
  • Represent people in the organization independent of the jobs they perform, e.g. Employee, Line Manager.
  • Can be assigned to users.

- Duty Roles
  • Logical collection of privileges that grant access to tasks that someone performs as part of a job, e.g. Cash Management Administration, Bank Statement and Reconciliation.
  • Not assignable to users directly.

Security Concepts
Job Roles
Job Roles represent the jobs that users perform in an organization.
• Enterprise Job Roles – External Job Roles assigned to users directly. (CE_CASH_MANAGER_JOB)
• *Application Job Roles – Top-level role assigned to an Enterprise Job Role.
  • Application Job Roles can be assigned authorization policies, such as function security policies and data security policies.
  • They are predelivered, have an ORA_ prefix in their code, and can be identified by the "(Application role)" suffix appended to the title of the job name.
  • Not assignable directly to users.

[Diagram: Cash Manager (CE_CASH_MANAGER_JOB) inherits Cash Manager (Application Role) (ORA_CE_CASH_MANAGER_JOB). Callout: In Security Console, the suffix "(Application role)" is added to the display name of the application role.]

Note:
• *Starting in Release 10, the Application Job Role was introduced with the Simplified Role Hierarchy.
  • Benefits: Ensure that role models are preserved over time, allowing Oracle Applications Cloud to introduce new features in an isolated model.
  • During each upgrade, predefined roles are updated to the specifications for that release, so any customizations would be overwritten.
• You should never edit the Application roles directly. You should always make a copy and then edit the copy.
• For customers who upgraded from Release 10 or earlier, the usage of Enterprise Job Roles and Application Job Roles would only be relevant if those customers migrated to the Simplified Role Hierarchy in Release 10 or Release 11.

Security Concepts
Abstract Roles

Abstract Roles represent people in the enterprise independently of the jobs they perform.

• You may assign abstract roles directly to users or roles.
• You can create custom abstract roles to group users.
• All users are likely to have at least one abstract role that provides access to a set of standard functions.

Abstract roles can be assigned to Bank Accounts and grant access to a group of users.

[Diagram: user Casey.Brown with the job role Cash Manager and the abstract roles Employee, BofA Bank Account Users, TD Bank Account Users and North America Bank Account Users. Roles shown beneath: Cash Manager (Application Job Role), Functional Setups User (Abstract Role), Transactional Business Intelligence Worker (Application Role), Employee (Abstract Role).]

Security Concepts
Duty Roles
Duty Roles represent a logical collection of privileges that grant access to tasks that someone performs as part of a job.

• They group multiple function security privileges.
• They can inherit aggregate privileges and other duty roles.
• You can copy and edit them.
• You don't assign duty roles directly to users.

[Diagram: Duty Roles and their privileges. Labels shown: Bank Statement and Reconciliation; Subledger Accounting Manager; Subledger Accounting Reporting; Customer Account Inquiry; Maintain Bank Statement; Reconcile Bank Statement; Manage Payables Invoice; Post Journals; Submit Journal Entries Report; Function Security Privileges; Data Security Policies. Callout: Bank Statement and Reconciliation Duty can access Business Unit for the Business Units that interact with the Bank Accounts they are authorized, using Manage Payables Invoice (Data).]

Security Concepts
Function Security Policies
Function security controls access to user interfaces and actions needed to perform the tasks of a job.
Function security is a statement of what actions you can perform in which user-interface pages (relevant pages,
components like tabs, buttons, and scheduled jobs).

What can users access?

Privilege | Grant Access?
Manage Bank Account | No
View Bank Account | Yes
Maintain Bank Statement | Yes
(Manually) Reconcile Bank Statement | No
Submit Autoreconciliation | Yes

Security Concepts
Data Security Policies
Data security is a statement of what action can be taken against which set of data.

A data security policy identifies the entitlement (the actions that can be made on logical business objects or
dashboards), the conditions that limit access, and the roles that can perform those actions.

Security Concepts
Role Inheritance

• Job and abstract roles inherit duty roles.
• Duty roles can inherit other duty roles.
• Job, abstract and duty roles can also be assigned privileges and aggregate privileges directly.
• When you assign job and abstract roles to users, they inherit all of the data and function security associated with those roles.

[Diagram: External Roles (roles assigned to users directly: Enterprise Job Roles, Abstract Roles) inherit Application Roles (roles that can be assigned authorization policies, such as function security policies and data security policies: Application (Job) Roles, Duty Roles), which inherit Duty Roles. Duty Roles grant privileges to Data Security Policies and Functional Security Policies, which are granted through Privileges. Data Security Policies protect Database Resources (actions act on data: business objects, tables); Functional Security Policies protect Code Artifacts (actions act on pages, workflows, buttons, menus).]

Security Overview Cash Management

[Diagram: user Casey.Brown is assigned to the job role Cash Manager and the abstract role Employee (Enterprise/External Job Roles and Abstract Roles). These inherit Cash Manager (Application Job Role), Functional Setups User (Abstract Role), Transactional Business Intelligence Worker (Application Role) and Employee (Abstract Role). Duty roles shown: Cash Management Administration, Bank Statement and Reconciliation, Cash Positioning and Forecasting Management, FSCM Load Interface Administration, Payments Disbursement Administration. Callout: Cash Manager Duty Role inherits permissions from these roles. Privileges shown: Manage Scheduled Processes, Maintain Bank Account Transfer, Manage Cash Positioning and Forecasting Transactions, View Receivables Activities. Data security policy shown: Cash Positioning and Forecasting Management Duty can access Business Units. Other labels: Time and Labor Worker. Duty Roles grant privileges to Data Security Policies and Functional Security Policies, which are granted through Privileges and protect Database Resources (actions act on data: business objects, tables) and Code Artifacts (actions act on pages, workflows, buttons, menus).]

Security Console
Editing, Copying, Reviewing Roles…

Security Console
Navigator > Tools > Security Console

Be sure you see Roles:fscm.
If not: Open the "Manage Administrator Profile Values" task from FSM. Query Profile Display Name: Security Console Working App Stripe (Profile Option Code: ASE_WORKING_APP_STRIPE). Set this to 'fscm'.

[Screenshot: Security Console icon; Application Role: ORA_CE_CASH_MANAGER_JOB; Enterprise Role: CE_CASH_MANAGER_JOB]

Security Console
View External Roles

[Screenshot: Cash Manager inherits Cash Manager (Application Role)]

To expand the hierarchy of any inherited role, select it, right-click, and select Expand.

Security Console
View Application Roles

• Zoom in/Zoom out. You can also use the mouse wheel to zoom in.
• Drag the entire image in any direction.

[Screenshot labels: Application Job Roles; Duty Roles; Privileges (Function Security Privileges)]

Security Console
View Roles

U signifies user,
R signifies role,
P signifies privilege, and
A signifies aggregate privilege.
If the image is smaller still, the
nodes are unlabeled.

Security Console
Edit Role > Basic Information, Functional Security Policies and more…

Security Console
Edit Role > Role Hierarchy

Security Console
Copy Role
• Copy top role: You copy only the role you have selected.
The source role has links to roles in its hierarchy, and the copy inherits links to the
original versions of those roles.

• Copy top role and inherited roles: You copy not only the role you have
selected, but also all of the roles in its hierarchy.
Your copy of the top role is connected to new copies of subordinate roles.
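
The difference between the two copy modes matters at upgrade time, because predefined roles are reset to the new release's specification. The following is an added illustration, not Oracle code and not a Security Console API: it models a subset of the predefined Cash Manager hierarchy as a plain role graph. The `_COPY_TOP` and `_COPY_ALL` suffixes, the helper names and the simulated upgrade are assumptions made for the example.

```python
"""Role-copy model for the Copy Role slide (added illustration, not Oracle code)."""
from dataclasses import dataclass, field

JOB = "ORA_CE_CASH_MANAGER_JOB"
ADMIN = "ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY"
RECON = "ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY"


@dataclass
class Role:
    code: str
    privileges: set = field(default_factory=set)  # granted directly
    inherits: list = field(default_factory=list)  # codes of inherited roles


def predefined_roles():
    """Subset of the predefined fscm hierarchy and privileges named on the page."""
    roles = [
        Role(JOB, inherits=[ADMIN, RECON]),
        Role(ADMIN, {"Manage Bank Account", "View Bank Account"}),
        Role(RECON, {"Maintain Bank Statement", "Reconcile Bank Statement",
                     "Submit Autoreconciliation"}),
    ]
    return {r.code: r for r in roles}


def effective_privileges(store, code, seen=None):
    """Privileges granted directly plus everything reached through inheritance."""
    seen = set() if seen is None else seen
    if code in seen:  # a customised hierarchy could contain a cycle
        return set()
    seen.add(code)
    result = set(store[code].privileges)
    for child in store[code].inherits:
        result |= effective_privileges(store, child, seen)
    return result


def custom_code(code, suffix):
    """Hypothetical naming rule for copies: drop the ORA_ prefix, append a suffix."""
    return (code[4:] if code.startswith("ORA_") else code) + suffix


def copy_top_role(store, code, suffix):
    """'Copy top role': the copy keeps links to the ORIGINAL inherited roles."""
    src = store[code]
    new = Role(custom_code(code, suffix), set(src.privileges), list(src.inherits))
    store[new.code] = new
    return new.code


def copy_top_and_inherited(store, code, suffix):
    """'Copy top role and inherited roles': the copy links to NEW copies."""
    new_code = custom_code(code, suffix)
    if new_code in store:  # already copied (shared child or cycle)
        return new_code
    src = store[code]
    store[new_code] = Role(new_code, set(src.privileges))
    store[new_code].inherits = [
        copy_top_and_inherited(store, child, suffix) for child in src.inherits
    ]
    return new_code


def apply_upgrade(store):
    """Constructed upgrade: predefined roles are reset to the new release's
    specification, which here adds one privilege to a predefined duty role."""
    spec = predefined_roles()
    spec[RECON].privileges.add("Manage Cash Management Infolets")
    store.update(spec)  # ORA_ roles are overwritten; custom copies are left alone


def run_demo():
    store = predefined_roles()
    shallow = copy_top_role(store, JOB, "_COPY_TOP")
    deep = copy_top_and_inherited(store, JOB, "_COPY_ALL")

    # Restrict the deep copy to the access shown in the function security table.
    store[custom_code(ADMIN, "_COPY_ALL")].privileges.discard("Manage Bank Account")
    store[custom_code(RECON, "_COPY_ALL")].privileges.discard("Reconcile Bank Statement")
    # Discouraged path: the same restriction made directly on a predefined role.
    store[ADMIN].privileges.discard("Manage Bank Account")

    before = {c: effective_privileges(store, c) for c in (JOB, shallow, deep)}
    apply_upgrade(store)
    after = {c: effective_privileges(store, c) for c in (JOB, shallow, deep)}
    return shallow, deep, before, after


if __name__ == "__main__":
    shallow, deep, before, after = run_demo()
    for code in (JOB, shallow, deep):
        print(code)
        print("  before upgrade:", sorted(before[code]))
        print("  after upgrade: ", sorted(after[code]))
```

In this model the direct edit to the predefined duty role is lost after the upgrade, the top-only copy follows whatever the predefined duty roles become, and the full copy keeps its restricted privilege set but does not pick up the new privilege until it is added manually.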

Security Console
Simulate Navigator

Cash Management Roles and Privileges
List of Predefined Roles and Privileges

CE Role Hierarchy
In fscm

[Diagram: role hierarchy of Cash Manager (CE_CASH_MANAGER_JOB)]
Roles shown directly under Cash Manager (CE_CASH_MANAGER_JOB):
• Cash Manager (Application Role) (ORA_CE_CASH_MANAGER)
• Functional Setups User
• Transactional Business Intelligence Worker
Duty roles shown at the next level:
• Bank Statement and Reconciliation (ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY)
• Cash Management Administration (ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY)
• FSCM Load Interface Administration
• Cash Positioning and Forecasting Management (ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY)
• Payments Disbursement Administration
Roles shown at the lower levels: Subledger Accounting Manager, Subledger Accounting Reporting, Customer Account Inquiry, Disbursement Data Management, Disbursement Process Management.

Application/Context

[Diagrams: role hierarchy of Cash Manager (CE_CASH_MANAGER_JOB) in the other applications/contexts]

In obi: Cash Manager (CE_CASH_MANAGER_JOB)
• Top row: Transactional Business Intelligence Worker (Application Role), Functional Setups User, Cash Manager (Application Role), Subledger Accounting Transaction Analysis Duty, Cash Management Transaction Analysis Duty

In hcm: Cash Manager (CE_CASH_MANAGER_JOB)
• Top row: Transactional Business Intelligence Worker (Application Role), Functional Setups User, Cash Manager (Application Role)

Roles shown in the lower row of the obi and hcm diagrams (left to right): Cash Management Administration, Bank Statement and Reconciliation, Cash Positioning and Forecasting Management, FSCM Load Interface Administration, Payments Disbursement Administration, BI Consumer Role, Cash Positioning and Forecasting Management.

In crm: Cash Manager (CE_CASH_MANAGER_JOB)
• Top row: Functional Setups User, Cash Manager (Application Role), Transactional Business Intelligence Worker

In IDCCS: Cash Manager (CE_CASH_MANAGER_JOB)
• Top row: Functional Setups User, Cash Manager (Application Role), Transactional Business Intelligence Worker

Roles shown in the lower row of the crm and IDCCS diagrams (left to right): Cash Management Administration, Cash Positioning and Forecasting Management, Payments Disbursement Administration, Upload Data for Bank Statement Import.

Enterprise Role / External Role - Cash Manager
CE_CASH_MANAGER_JOB
Security Console Authorization Policy Manager (APM)

Application Job Role – Cash Manager
ORA_CE_CASH_MANAGER_JOB
Cash Manager is a predefined Application Job Role (ORA_).
It protects and develops the company's liquid assets, maximizing their use and return to the organization.

Job Role | Duty Roles (in fscm) | Role Code
Cash Manager (Application Role) | Cash Management Administration | ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Cash Manager (Application Role) | Bank Statement and Reconciliation | ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY
Cash Manager (Application Role) | Cash Positioning and Forecasting Management | ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Cash Manager (Application Role) | FSCM Load Interface Administration | ORA_FUN_FSCM_LOAD_INTERFACE_ADMIN_DUTY
Cash Manager (Application Role) | Payment Disbursement Administration | ORA_IBY_PAYMENTS_DISBURSEMENT_ADMINISTRATION_DUTY

Duty Role – Cash Management Administration
ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Cash Management Administration Role sets up system parameters, lookups, profile options, descriptive flexfields, and Cash Positioning and Forecasting options.
Function Security Privileges
Manage Bank
Manage Bank Account
Manage Bank Branch
Manage Bank Statement Automatic Reconciliation Matching Rule Set
Manage Bank Statement Code
Manage Bank Statement Reconciliation Matching Rule
Manage Bank Statement Reconciliation Tolerance
Manage Bank Statement Transaction Creation Rule
Manage Cash Positioning and Forecasting Reports
Manage Cash Positioning and Forecasting Transaction Grouping
Manage Cash Transaction Type Mapping
Manage Parse Rule Set
Specify Cash Positioning and Forecasting Options
View Bank
View Bank Account
View Bank Branch
View Bank Statement Automatic Reconciliation Matching Rule Set
… and more…

Duty Role – Cash Management Administration
Data Security Policies
Business Object | Policy Description | Policy Store Implementation
Trading Community Relationship | A Cash Manager can view trading community relationship for all trading community relationships in the enterprise | Role: Cash Management Administration; Privilege: View Trading Community Relationship (Data); Resource: Trading Community Relationship

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 30
Duty Role – Bank Statement and Reconciliation
ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY
Bank Statement and Reconciliation Role reconciles bank statements and transactions. Also manages setup information
for bank statement processing and reconciliation.

Function Security Privileges


Import Bank Statement Reconciliation External Transaction
Maintain Bank Statement
Manage Bank Statement Autoreconciliation Exception
Manage Bank Statement and Reconciliation Activities
Manage Cash Management Infolets
Manage External Cash Transaction
Mark Bank Statement Reconciliation Reviewed
Process Electronic Bank Statement
Reconcile Bank Statement
Submit Autoreconciliation
Submit Bank Statement Report
Submit Bank Statement Transaction Creation Program
Submit Cash to General Ledger Reconciliation Report
View Bank Statement
View External Cash Transaction
View Payables Payment
View Receivables Receipt

Duty Role – Bank Statement and Reconciliation
Data Security Policies
Business Object | Policy Description | Policy Store Implementation
Payables Payment | A Cash Manager can manage payables invoice for the business units that interact with the bank accounts for which they are authorized | Role: Bank Statement and Reconciliation; Privilege: Manage Payables Invoice (Data); Resource: Payables Payment
Receivables Miscellaneous Receipt | A Cash Manager can view receivables activities for the business units that interact with the bank accounts for which they are authorized | Role: Bank Statement and Reconciliation; Privilege: View Receivables Activities (Data); Resource: Receivables Miscellaneous Receipt
Receivables Standard Receipt | A Cash Manager can view receivables activities for the business units that interact with the bank accounts for which they are authorized | Role: Bank Statement and Reconciliation; Privilege: View Receivables Activities (Data); Resource: Receivables Standard Receipt

Duty Role – Cash Positioning and Forecasting Management
ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Cash Positioning and Forecasting Management Role manages cash positioning and forecasting.

Function Security Privileges


Maintain Ad Hoc Payments
Maintain Bank Account Transfer
Manage Cash Management Infolets
Manage Cash Positioning and Forecasting Reports
Manage Cash Positioning and Forecasting Transactions
Manage External Cash Transaction
Submit Cash Positioning and Forecasting Data Deletion
Submit Cash Positioning and Forecasting Data Extraction
Submit Cash Positioning and Forecasting Data Transfer
View Ad Hoc Payments
View Bank Account Transfer
View Bank Statement
View External Cash Transaction
View Payables Payment
View Receivables Receipt
… and more….

Duty Role – Cash Positioning and Forecasting Management
Data Security Policies
Business Object | Policy Description/Condition | Policy Store Implementation
Disbursement | A Cash Manager can manage payments by business unit for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: Manage Payments by Business Unit (Data); Resource: Disbursement
Document Payable | A Cash Manager can manage payments by business unit for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: Manage Payments by Business Unit (Data); Resource: Document Payable
Payables Payment | A Cash Manager can manage payables invoice for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: Manage Payables Invoice (Data); Resource: Payables Payment
Payment Instruction | A Cash Manager can manage payments by business unit for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: Manage Payments by Business Unit (Data); Resource: Payment Instruction
Receivables Miscellaneous Receipt | A Cash Manager can view receivables activities for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: View Receivables Activities (Data); Resource: Receivables Miscellaneous Receipt
Receivables Standard Receipt | A Cash Manager can view receivables activities for the business units that interact with the bank accounts for which they are authorized | Role: Cash Positioning and Forecasting Management; Privilege: View Receivables Activities (Data); Resource: Receivables Standard Receipt
Trading Community Relationship | A Cash Manager can view trading community relationship for all trading community relationships in the enterprise | Role: Cash Positioning and Forecasting Management; Privilege: View Trading Community Relationship (Data); Resource: Trading Community Relationship

Data Security Policies
Role: Disbursement Data Management
Business Object | Policy Description | Policy Store Implementation
Disbursement | (1) A Cash Manager can manage disbursement by payment function for any customer refunds in the payment process within the enterprise; (2) A Cash Manager can manage disbursement by payment function for any employee expenses in the payment process within the enterprise; (3) A Cash Manager can manage disbursement by payment function for any Oracle Fusion Payables documents in the payment process within the enterprise | Role: Disbursement Data Management; Privilege: Manage Disbursement by Payment Function (Data); Resource: Disbursement
Document Payable | (1) A Cash Manager can manage disbursement by payment function for any customer refunds in the payment process within the enterprise; (2) A Cash Manager can manage disbursement by payment function for any employee expenses in the payment process within the enterprise; (3) A Cash Manager can manage disbursement by payment function for any Oracle Fusion Payables documents in the payment process within the enterprise | Role: Disbursement Data Management; Privilege: Manage Disbursement by Payment Function (Data); Resource: Document Payable
Payment Instruction | (1) A Cash Manager can manage disbursement by payment function for any customer refunds in the payment process within the enterprise; (2) A Cash Manager can manage disbursement by payment function for any employee expenses in the payment process within the enterprise; (3) A Cash Manager can manage disbursement by payment function for any Oracle Fusion Payables documents in the payment process within the enterprise | Role: Disbursement Data Management; Privilege: Manage Disbursement by Payment Function (Data); Resource: Payment Instruction

Data Security Policies
Role: Disbursement Process Management
Business Object | Policy Description | Policy Store Implementation
Disbursement | A Cash Manager can manage payments by business unit for the business units for which they are authorized | Role: Disbursement Process Management; Privilege: Manage Payments by Business Unit (Data); Resource: Business Unit
Document Payable | A Cash Manager can manage payments by business unit for the business units for which they are authorized | Role: Disbursement Process Management; Privilege: Manage Payments by Business Unit (Data); Resource: Business Unit
Payment Instruction | A Cash Manager can manage payments by business unit for the business units for which they are authorized | Role: Disbursement Process Management; Privilege: Manage Payments by Business Unit (Data); Resource: Business Unit
Person Address | A Cash Manager can report person address for all people in the enterprise | Role: Disbursement Process Management; Privilege: Report Person Address (Data); Resource: Person Address
Trading Community Organization Party | A Cash Manager can view trading community organization for all organizations in the enterprise | Role: Disbursement Process Management; Privilege: View Trading Community Organization (Data); Resource: Trading Community Organization Party
Trading Community Party | A Cash Manager can view trading community person for all people in the enterprise | Role: Disbursement Process Management; Privilege: View Trading Community Person (Data); Resource: Trading Community Party

Data Security Policies
Roles: Subledger Accounting Manager / Subledger Accounting Reporting
Business Object | Policy Description | Policy Store Implementation
Ledger | A Cash Manager can manage ledger for subledger for the posting ledgers for transactions that they are authorized. | Role: Subledger Accounting Manager / Reporting; Privilege: Manage Ledger for Subledger (Data); Resource: Ledger
Subledger Accounting Balance | A Cash Manager can manage subledger accounting balance for the subsidiaries or management segment values whose account balance they manage | Role: Subledger Accounting Manager / Reporting; Privilege: Manage Subledger Accounting Balance (Data); Resource: Subledger Accounting Balance
Subledger Application | A Cash Manager can manage subledger application for the owning Oracle Fusion accounting generating subledger application. | Role: Subledger Accounting Manager / Reporting; Privilege: Manage Subledger Application (Data); Resource: Subledger Application
Subledger Journal Entry | A Cash Manager can manage subledger source transaction for the business units, cost organizations, asset books or legislative data groups, and the subledger applications for which they are authorized | Role: Subledger Accounting Manager / Reporting; Privilege: Manage Subledger Source Transaction (Data); Resource: Subledger Journal Entry
Subledger Source Transaction | A Cash Manager can manage subledger source transaction for the business units, cost organizations, asset books or legislative data groups, and the subledger applications for which they are authorized | Role: Subledger Accounting Manager / Reporting; Privilege: Manage Subledger Source Transaction (Data); Resource: Subledger Source Transaction

Role: Customer Account Inquiry
Business Object | Policy Description | Policy Store Implementation
Party Tax Profile | A Cash Manager can manage business unit party tax profile for the business units for which they are authorized | Role: Customer Account Inquiry; Privilege: Manage Business Unit Party Tax Profile (Data); Resource: Business Unit

Data Security Policies
Role: Customer Account Inquiry
Business Object | Policy Description | Policy Store Implementation
Tax Exemption | A Cash Manager can manage tax exemption for the tax setup applicable to the business units for which they are responsible | Role: Customer Account Inquiry; Privilege: Manage Tax Exemption (Data); Resource: Business Unit
Trading Community Customer Account | A Cash Manager can view customer account for all customer accounts in the enterprise | Role: Customer Account Inquiry; Privilege: View Customer Account (Data); Resource: Trading Community Customer Account
Trading Community Customer Account Relationship | A Cash Manager can view customer account relationship for all customer account relationships in the enterprise | Role: Customer Account Inquiry; Privilege: View Customer Account Relationship (Data); Resource: Trading Community Customer Account Relationship
Trading Community Customer Account Site | A Cash Manager can view customer account site for all customer account sites in the enterprise | Role: Customer Account Inquiry; Privilege: View Customer Account Site (Data); Resource: Trading Community Customer Account Site
Trading Community Customer Account Site Use | A Cash Manager can view customer account site use for all customer account site uses in the enterprise | Role: Customer Account Inquiry; Privilege: View Customer Account Site Use (Data); Resource: Trading Community Customer Account Site Use
Trading Community Organization Party | A Cash Manager can view trading community organization for all organizations in the enterprise | Role: Customer Account Inquiry; Privilege: View Trading Community Organization (Data); Resource: Trading Community Organization Party
Trading Community Party | A Cash Manager can view trading community person for all people in the enterprise | Role: Customer Account Inquiry; Privilege: View Trading Community Person (Data); Resource: Trading Community Party
Trading Community Relationship | A Cash Manager can view trading community relationship for all trading community relationships in the enterprise | Role: Customer Account Inquiry; Privilege: View Trading Community Relationship (Data); Resource: Trading Community Relationship

Upgraded Customers: Points to Consider
Instructions and documentation

Upgraded customers – Points to Consider
Associated Duty Roles and Privileges
Depending on whether you are a new Release 11 customer, an upgraded Release 11 customer that migrated to the Simplified Role Hierarchy in Release 10 or 11, or an upgraded Release 11 customer that did not migrate to the Simplified Role Hierarchy, different security features apply to you. The following describes some of the high-level differences between these types of customers.

Note: For more information on the Simplified Role Hierarchy that was introduced in Release 10, see the Upgrade Guide for Oracle Cloud Applications Security.

New customers will use the Manage Data Access for Users page to explicitly assign users a data security context, such as business unit, asset book, etc., and the security context value, such as the specific business unit, asset book, ledger, etc., for a job role that is already assigned to the user.

Upgrade customers who migrated to the simplified role hierarchy in Release 10 or 11 will also have the Application Job Role assigned to their Enterprise job roles in order to use all of the new Release 11 features.

Upgrade customers who did not migrate to the simplified role hierarchy will also continue to use data roles and data role templates. However, their Enterprise Job Roles will not be linked to an Application job role, in which case they will not get any new Release 11 features secured by a new privilege. These customers can choose to select the individual privileges to enable the Release 11 features they are interested in, or migrate to the simplified role hierarchy.

Upgraded customers who did not migrate to the Simplified Reference Role Model, as described in the Upgrade Guide for Oracle Cloud Applications Security Release 10 document, will need to manually assign the associated duty role or privilege for the new features they want to take up in Release 11.

Upgraded customers – Points to Consider
Release 11 New Features – Cash Management
Feature Name: Cash Management Dashboard
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Manage Cash Management Infolets / ORA_CE_MANAGE_CASH_MANAGEMENT_INFOLET

Feature Name: Cash Positioning and Forecasting
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Manage Cash Positioning and Forecasting Transactions / ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_TRANSACTIONS

Feature Name: Cash Positioning and Forecasting Multidimensional Cube Updates
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Submit Cash Positioning and Forecasting Data Deletion / ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_DELETION
- Submit Cash Positioning and Forecasting Data Extraction / ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_EXTRACTION
- Submit Cash Positioning and Forecasting Data Transfer / ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_TRANSFER

Feature Name: Cash Positioning and Forecasting Reports, including Smart View Reports
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Manage Cash Positioning and Forecasting Reports / ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_REPORTS

Feature Name: Specify Cash Positioning and Forecasting Setup page
Duty Role: Cash Management Administration
Role Code: ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Privilege Title / Privilege Name:
- Specify Cash Positioning and Forecasting Options / ORA_CE_SPECIFY_CASH_POSITIONING_AND_FORECASTING_OPTIONS

Feature Name: Manage Cash Positioning and Forecasting Transaction Grouping Setup page
Duty Role: Cash Management Administration
Role Code: ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Privilege Title / Privilege Name:
- Manage Cash Positioning and Forecasting Transaction Grouping / ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_TRANSACTION_GROUPING

Feature Name: Bank Account Transfers
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Maintain Bank Account Transfer / CE_MAINTAIN_BANK_ACCOUNT_TRANSFER
- View Bank Account Transfer / CE_VIEW_BANK_ACCOUNT_TRANSFER

Feature Name: Ad Hoc Payments
Duty Role: Cash Positioning and Forecasting Management
Role Code: ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Privilege Title / Privilege Name:
- Maintain Ad Hoc Payments / CE_MAINTAIN_AD_HOC_PAYMENTS
- View Ad Hoc Payments / CE_VIEW_BANK_ACCOUNT_TRANSFER

Feature Name: Intraday Bank Statements
Duty Role: Bank Statement and Reconciliation
Role Code: ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY
Privilege Title / Privilege Name:
- View Bank Statement / CE_VIEW_BANK_STATEMENT_PRIV
- Maintain Bank Statement / CE_MAINTAIN_BANK_STATEMENT_PRIV

Feature Name: Payments Setup Options for Cash Transactions
Duty Role: Payments Disbursement Administration
Role Code: ORA_IBY_PAYMENTS_DISBURSEMENT_ADMINISTRATION_DUTY

Securing Bank Accounts
Secure Banks by Users and Roles

Securing Bank Accounts
Account Access
Bank account security consists of bank account access security and bank account use security.

Business Unit Access
• Payables and Receivables account access is secured by business unit.
• One or more business units must be granted access before the bank account can be used by Payables and Receivables.
• Only business units that use the same ledger as the bank account's owning legal entity can be assigned access.

Securing Bank Accounts
Users and Role Security
• You have the option to further secure the bank account so that it can only be used by certain users and roles.
• The default value to secure bank account by users and roles is No.
• In Payables and Receivables, even if the secure bank account by users and roles is No, you must have the proper business unit assigned to access a bank account.
• If the secure bank account by users and roles is set to Yes, the users or roles need to be assigned to the bank account to use it.

For securing Bank Accounts…

• Users need to be manually assigned to bank accounts.
• Abstract Custom Roles can be created to group users and restrict access to bank accounts.

[Diagram: user Casey.Brown with Job Role Cash Manager and Abstract Roles Employee, BofA Bank Account Users, TD Bank Account Users and North America Bank Account Users]

Use Case 1 – Securing Bank Accounts
Secure Bank Accounts by Users and Roles

Use Case 1 – Secure Bank Accounts by Users and Roles
In this example, we want to secure the Bank Accounts, restricting user access according to the following:

• Elaine Furtado has access to all Bank Accounts: BofA-204A, BofA-5186 and Citibank-1448.
• John Operations has access to Bank of America Accounts: BofA-204A and BofA-5186.
• Casey Brown cannot access BofA-204A, BofA-5186 and Citibank-1448 Bank Accounts.

[Diagram: Bank of America with bank accounts BofA-204A and BofA-5186; Citibank with bank account Citibank-1448]

Custom Abstract Roles:
• Abstract Role to grant access to Bank of America Bank Accounts (EF_BOFA_BANK_ACCOUNT_USERS)
• Abstract Role to grant access to Citibank-1448 Bank Account (EF_CITIBANK-1448_BANK_ACCOUNT_USERS)

Use Case 1 – Security Steps

1. Create Users
- Go to Task: Create Implementation Users (IT_SECURITY_MANAGER user as Administrator options)

2. Create Roles and Add Members
- Create Abstract Roles representing the Group of Users that will have access for specific Bank Accounts.
- Add members to these Roles.

3. Assign Roles to Bank Account
- Go to Manage Bank Accounts task, and Secure Bank Accounts.
- Assign Roles to grant access to users.

4. Test Bank Account Security access
- Create new Bank Statement or External Transaction and confirm that Bank account is secured by User.

Oracle Identity Manager (OIM)

Step 1: Create New Users


Task: Create Implementation Users (User: IT_SECURITY_MANAGER)

Step 2: Create New Abstract Roles
Create group of users to restrict access to Bank Accounts

Oracle Identity Manager (OIM)

Reviewing Roles assigned to Users
Task: Create Implementation Users (IT_SECURITY_MANAGER)

John Operations is member of:
- Bank of America – Bank Account Users
Bank accounts: BofA-204A, BofA-5186

Elaine Furtado is member of:
- Bank of America – Bank Account Users
- Citibank-1448 – Bank Account Users
Bank accounts: BofA-204A, BofA-5186, Citibank-1448

Casey Brown: no bank account roles listed

Step 3: Assign Roles to Bank Accounts
Task: Manage Bank Accounts > Security
Bank Account: BofA-204A
Role Name: Bank of America – Bank Account Users
Role Code: EF_BOFA_BANK_ACCOUNT_USERS
Users: John Operations, Elaine Furtado

Bank Account: BofA-5186
Role Name: Bank of America – Bank Account Users
Role Code: EF_BOFA_BANK_ACCOUNT_USERS
Users: John Operations, Elaine Furtado

Bank Account: Citibank-1448
Role Name: Citibank-1448 – Bank Account Users
Role Code: EF_CITIBANK_1448_BANK_ACCOUNT_USERS
Users: Elaine Furtado

Secure Bank Account by Assigning Users and Roles to restrict access.

Note: Non-Secured Bank Accounts will be visible to all users

Step 4: Test Bank Account Security access
Task: Create Bank Statement
Login as John Operations.

John Operations can access BofA-204A and BofA-5186, and he cannot access Citibank-1448.

Step 4: Test Bank Account Security access
Task: Create Bank Statement
Login as Elaine Furtado.

Elaine Furtado can access BofA-204A and BofA-5186, and she can access Citibank-1448.

Step 4: Test Bank Account Security access
Task: Create Bank Statement
Login as Casey Brown.

Casey Brown cannot access BofA-204A and BofA-5186, and he cannot access Citibank-1448.
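The access rules and the Step 3 assignments from Use Case 1 can be written as a small model and checked against the Step 4 results. This is an added Python example, not Oracle code or part of the original deck; the `BankAccount` class, the `can_use` and `access_matrix` functions and the `EXAMPLE_BU` business unit are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BankAccount:
    name: str
    secured: bool = False  # "Secure bank account by users and roles"; default is No
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    business_units: set = field(default_factory=set)


def can_use(account, user, user_roles, business_unit=None, subledger=False):
    """Decide whether `user` may use `account`.

    subledger=True models use from Payables or Receivables, where a granted
    business unit is required whether or not the account is secured.
    """
    if subledger and business_unit not in account.business_units:
        return False
    # A non-secured bank account is visible to all users.
    if not account.secured:
        return True
    # Secured: the user, or one of the user's roles, must be assigned.
    return user in account.users or bool(set(user_roles) & account.roles)


# Role codes from the Step 3 table; the business unit name is constructed.
BOFA = "EF_BOFA_BANK_ACCOUNT_USERS"
CITI = "EF_CITIBANK_1448_BANK_ACCOUNT_USERS"
BU = "EXAMPLE_BU"

# Role membership as shown on the "Reviewing Roles assigned to Users" slide.
USER_ROLES = {
    "John Operations": {BOFA},
    "Elaine Furtado": {BOFA, CITI},
    "Casey Brown": set(),
}

ACCOUNTS = [
    BankAccount("BofA-204A", True, roles={BOFA}, business_units={BU}),
    BankAccount("BofA-5186", True, roles={BOFA}, business_units={BU}),
    BankAccount("Citibank-1448", True, roles={CITI}, business_units={BU}),
]


def access_matrix(accounts=ACCOUNTS, user_roles=USER_ROLES, **kwargs):
    """Map each user to the sorted list of account names they can use."""
    return {
        user: sorted(a.name for a in accounts if can_use(a, user, roles, **kwargs))
        for user, roles in user_roles.items()
    }


def deviations(expected, actual):
    """Compare a planned access matrix with an observed one, per user."""
    report = {}
    for user in sorted(set(expected) | set(actual)):
        want, got = set(expected.get(user, [])), set(actual.get(user, []))
        if want != got:
            report[user] = {"missing": sorted(want - got),
                            "unexpected": sorted(got - want)}
    return report


if __name__ == "__main__":
    for user, names in access_matrix().items():
        print(f"{user}: {names or 'no bank accounts'}")
```

Passing the access observed while logged in as each test user to `deviations` gives a per-user list of accounts that are missing or unexpectedly available.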

Use Case 2 – Customizing Roles
Customize Duty Roles, Remove Privileges, Assign Custom Roles to Job Role

Use Case 2
Secure Bank Accounts by Users and Roles

In this example, John Operations will have most privileges associated with the Cash Manager job role.
However, for our business needs:
• He will not be able to manage or view Banks and Branches.
• He is able to view Bank Accounts, but he will not be able to create or modify an existing Bank Account.

[Diagram: John Operations and the privileges Manage Banks, Manage Bank Branches, Manage Bank Accounts, View Banks, View Bank Branches and View Bank Accounts]

Use Case 2 – Security Steps
1. Identify Roles and Privileges
- Review the Financials Security Reference Manual in PDF format.
- Identify which Roles and Privileges are associated with the actions we want to restrict the user.

2. Copy and Edit Seeded Duty Role
- Copy and Edit the predefined seeded Cash Management Administration Duty Role.
- Remove or add privileges as desired.

3. Copy and Edit Seeded Application Role
- Copy and Edit the predefined seeded Cash Manager (Application Role).
- Remove the Cash Management Administration Duty Role and Add the new Duty Role created.

4. Copy and Edit Seeded External Job Role
- Copy and Edit the predefined seeded Cash Manager - External Job Role.
- Remove the assigned Cash Manager (Application Role) and add the newly created Application Role.

5. Assign new External Job Role to users
- Assign the new External Job Role to your users.

6. Test the Application
- Log in as user that is a member of the new External Job Role.
- Test the application.

Step 1: Identify Roles and Privileges
Oracle Financials Cloud Security Reference
The first step is to identify which Roles and Privileges are associated with the actions we want to restrict for
each user.
1. Review the Financials Security Reference Manual in PDF format: Oracle Financials Cloud Security
Reference
2. Find the Job Role that most closely matches the privileges you want to customize. (In our case, Job Role:
Cash Manager)

Step 1: Identify Roles and Privileges
Oracle Financials Cloud Security Reference
3. Skim the Duties that a Cash Manager can perform. Skim the Role Hierarchy.
4. Go to the Privileges section. This is the most important section to determine what individual privileges
roll up directly to the Cash Manager and other Duty Roles that are assigned to the Cash Manager.
5. Search by Bank, Bank Branch and Bank Account. (Refer to Slides 24-38 in this presentation to be more
familiar with Cash Management Duty Roles).

Duty Role: Cash Management Administration


Privileges:
Manage Bank, Manage Bank Account, Manage Bank Branch
View Bank, View Bank Account, View Bank Branch

Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console
1. Log in to your application and open the Security Console.
2. Be sure you see Roles: fscm on the top left of the page.

If you do not see Roles: fscm, set the following profile option:

Open the “Manage Administrator Profile Values” task from FSM.


• Query Profile Display Name: Security Console Working App Stripe (ASE_WORKING_APP_STRIPE).
• Controls the App Stripe the user works on.
• Set to “fscm” either at site level, or for specific fscm users.

• Query Profile Display Name: Enable Data Security Policies and User Membership Edit (ASE_ROLE_MGMT_PREF)
• Preference to enable data security policies and user membership editing in Security console.
• Set to “Yes”.

Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console
3. Review the prefix and suffix of new copy roles

Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console
4. From the Security Console, query the duty role Cash Management Administration because we need to
remove the privileges to Manage Bank, Manage Bank Branch, Manage Bank Account that are assigned to
the Cash Management Administration duty role.
5. Choose to Copy top role.

Step 2: Copy and Edit Seeded Duty Role
Copy Role > Basic Information
6. Edit the Role name, Role Code, and Description.
7. Click Next

Step 2: Copy and Edit Seeded Duty Role
Copy Role > Functional Security Policies
8. Remove the privileges: Manage Bank, Manage Bank Account, Manage Bank Branch, View Bank, and
View Bank Branch.

Step 2: Copy and Edit Seeded Duty Role
Copy Role > Role Hierarchy
9. You should see the following on the Role Hierarchy train stop.
10. Click Next and review the Summary and Impact Report.

Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console > Administration
11. Click Submit and Close. You will receive a Confirmation message.
12. You can go to the Administration page to view your submission.

Step 2: Copy and Edit Seeded Duty Role
Compare Roles
• Compare the Seeded Duty Role with the Custom Duty Role newly created.

Removed
Privileges

Step 3: Copy and Edit Seeded Application Job Role
Tools > Security Console >

Now we need to copy the seeded Application Job Role, Cash Manager (Application Role), and in the copy, replace the Cash Management Administration duty role with the one we just created (EF Cash Management Administration Custom).

1. From the Roles: fscm page, query Cash Manager and be sure to pick the one that has “(Application Role)” appended:

Step 3: Copy and Edit Seeded Application Job Role
Tools > Security Console > Copy Role

2. Copy the job role and choose Copy top role.


3. Edit the Role Name, Role Code, and Description.
4. Click Next

COPY ROLE

Step 3: Copy and Edit Seeded Application Job Role
Copy Role > Role Hierarchy
5. In the Role Hierarchy page, delete the Cash Management Administration duty role.
6. Then click the Add Role button to assign the newly created duty role.
7. Just query the name, then click the Add Role Membership button.

ADD ROLE

Step 3: Copy and Edit Seeded Application Job Role
Copy Role > Role Hierarchy
8. Review Role Hierarchy. It should look like below.
9. Click Next. Review Summary and Impact Report. Submit and Close.

Custom Application Job Role

Custom Duty Role

Step 3: Copy and Edit Seeded Application Job Role
Compare Roles

• Compare the Seeded Application Job Role with the Custom Application Job role newly created.

Step 4: Copy and Edit Seeded External Job Role
Tools > Security Console > Copy Role
1. Query Cash Manager Job role that does NOT have Application Role appended (CE_CASH_MANAGER_JOB)
2. Copy it selecting the Copy top role and inherited roles option.
3. Update the Role Name, Role Code and Description.
4. Click Next > Next.

Step 4: Copy and Edit Seeded External Job Role
Copy Role > Role Hierarchy
5. In the Role Hierarchy page, delete the assigned Cash Manager Application Role and add your newly
created one by clicking the Add Role > Add Role Membership buttons.

ADD ROLE

Step 4: Copy and Edit Seeded External Job Role
Copy Role > Role Hierarchy
6. Review Role Hierarchy. It should look like below.
7. Click Next.

Custom Application Job Role

Custom External Job Role

Custom Duty Role

Step 4: Copy and Edit Seeded External Job Role
Copy Role > Summary and Impact Report
8. Review Summary and Impact Report. Submit and Close.

Step 4: Copy and Edit Seeded External Job Role
Review External Role in APM

Note: In our Use Case, we have created a new Duty Role, Application Role and External Role for fscm context/application.

If you want to customize the security for another application, you will need to perform the same steps for obi, hcm, etc. using Security Console, or change the Application Role Mapping directly in APM.

Step 5: Assign the New External Job Role to Your User
Task: Create Implementation User
1. Query an existing user from OIM using the task called “Create Implementation Users”
2. Click the Roles tab and remove the existing External Role Cash Manager
3. Assign your newly created role and Close OIM.
4. Run the Retrieve Latest LDAP Changes process.

Step 6: Test the application
Log in as John.Operations

• Note: John.Operations cannot access Manage Banks and Manage Bank Branches tasks as expected:

Step 6: Test the application
Log in as John.Operations
• John.Operations is able to view and edit existing Bank Accounts.
• As expected, he cannot create new Accounts. Add button is grayed out.

Customizing Security
Best Practices
We recommend the following when you wish to make security customizations:
• You must not customize predefined roles. You can identify these predefined roles by the ORA_ prefix in the Role Code field. During each upgrade, predefined roles are updated to the specifications for that release, so any customizations would be overwritten.
• Instead, always make a copy of the predefined role. Then, edit the copy and save it as a custom role.
• Making your changes in a copy of a predefined role means that you can always compare to and roll back to the delivered role.
• After a maintenance update or upgrade, you can compare your customized copy to the updated predefined source role. You can see the updates to the predefined role and decide whether to incorporate them into your custom role.
• You can best compare roles using the Security Console.
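The copy-and-compare approach from Use Case 2 and the best practices above comes down to resolving each role's effective privileges through the role hierarchy and diffing the results. This is an added Python sketch, not Oracle code or Security Console output; it models only the six privileges listed on the Step 1 slide, and the custom application and job role names and the post-upgrade privilege are hypothetical.

```python
SEEDED_DUTY = "Cash Management Administration"
CUSTOM_DUTY = "EF Cash Management Administration Custom"
SEEDED_APP = "Cash Manager (Application Role)"
CUSTOM_APP = "EF Cash Manager Custom (Application Role)"  # hypothetical name
SEEDED_JOB = "Cash Manager"                               # CE_CASH_MANAGER_JOB
CUSTOM_JOB = "EF Cash Manager Custom"                     # hypothetical name

# Privileges shown for the duty role on the Step 1 slide.
DUTY_PRIVS = frozenset({
    "Manage Bank", "Manage Bank Account", "Manage Bank Branch",
    "View Bank", "View Bank Account", "View Bank Branch",
})
# Privileges removed from the copied duty role in Step 2, item 8.
REMOVED = frozenset({
    "Manage Bank", "Manage Bank Account", "Manage Bank Branch",
    "View Bank", "View Bank Branch",
})


def build_roles():
    """Role graph after Steps 2-4: external job -> application role -> duty role."""
    return {
        SEEDED_DUTY: {"privileges": set(DUTY_PRIVS), "inherits": []},
        CUSTOM_DUTY: {"privileges": set(DUTY_PRIVS - REMOVED), "inherits": []},
        SEEDED_APP: {"privileges": set(), "inherits": [SEEDED_DUTY]},
        CUSTOM_APP: {"privileges": set(), "inherits": [CUSTOM_DUTY]},
        SEEDED_JOB: {"privileges": set(), "inherits": [SEEDED_APP]},
        CUSTOM_JOB: {"privileges": set(), "inherits": [CUSTOM_APP]},
    }


def effective_privileges(role, roles, _seen=None):
    """Union of a role's own privileges and those of every inherited role."""
    seen = set() if _seen is None else _seen
    if role in seen:  # guard against a cyclic hierarchy
        return set()
    seen.add(role)
    privileges = set(roles[role]["privileges"])
    for inherited in roles[role]["inherits"]:
        privileges |= effective_privileges(inherited, roles, seen)
    return privileges


def compare_roles(first, second, roles):
    """Privilege-level diff of two roles, in the spirit of Compare Roles."""
    a = effective_privileges(first, roles)
    b = effective_privileges(second, roles)
    return {"only_in_first": sorted(a - b),
            "only_in_second": sorted(b - a),
            "common": sorted(a & b)}


def upgrade_drift(before, after, seeded, custom):
    """Privileges an upgrade added to the seeded role that the custom copy lacks."""
    added = effective_privileges(seeded, after) - effective_privileges(seeded, before)
    return sorted(added - effective_privileges(custom, after))


if __name__ == "__main__":
    roles = build_roles()
    print(compare_roles(SEEDED_JOB, CUSTOM_JOB, roles))
    upgraded = build_roles()
    # Constructed privilege standing in for one delivered by a later release.
    upgraded[SEEDED_DUTY]["privileges"].add("Constructed New Privilege")
    print(upgrade_drift(roles, upgraded, SEEDED_JOB, CUSTOM_JOB))
```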

Additional Information, Docs & Links
CE Training Wiki, Security Reference Manual, Oracle docs and more…

Additional Information, Docs & Links
Security Documents
Security Related documents can be accessed via docs.oracle.com:

Content of each predefined job role and duty role is documented in the Security Reference Manuals
– You can access the security reference manual on docs.oracle.com > Cloud > Applications > Financials > Secure > Review Reference Guides

You can find CE Roles, Role Hierarchy, Privileges and Data Policies in Security Reference for Oracle Financials Cloud

Upgrade Guide for Oracle Cloud Applications Security Release 10 document

Additional Information, Docs & Links
Trainings & Release Readiness

CE Training Wiki page


Release 11 - ERP Release Readiness
Release 11 - What's new

Additional Information, Docs & Links
Youtube Videos

How to Copy a Role Using the Security Console


How to Compare Roles Using the Security Console
How to Modify a Financials Role
Creating the Role-Provisioning Rule for Setup Users

Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
