ERP Cloud Financials Fusion Cash Management R11 (8) Security

ERP Cloud Financials
Fusion Cash Management R11

(8) Security
By Elaine Formenton Furtado

Product Manager, Fusion Applications
August, 2016
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 2
Fusion Cash Management – R11 Trainings
https://stbeehive.oracle.com/teamcollab/wiki/Fusion+Cash+Management+Trainings:Home
(2)
(1) (3)
Bank Statement
Bank Account Model External Transactions
Processing
(6)
(4) (5)
Cash Positioning and
Manual Reconciliation Auto Reconciliation
Forecasting
(7) (8) (9)

Bank Transfers & Cash Management SLA Setup for Cash
Ad Hoc Payments Security Management
Topics
1 Security Concepts…………………………………………………………….. 05
2 Security Console................................................................. 15
3 Cash Management Roles and Privileges............................... 24
4 Upgraded Customers: Points to Consider…………………………. 39
5 Securing Bank Accounts...................................................... 42
6 Use Case1: Securing Bank Accounts by Users and Roles...... 45
7 Use Case2: Customizing Roles.............................................. 55
8 Links & Documents.............................................................. 82
Security Concepts
Job Roles, Abstract Roles, Duty Roles…
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted
Securing Oracle ERP Cloud R11
Roles Job Roles Abstract Roles Duty Roles
Application
External Roles Inheritance Privileges
Roles
Function Data Security

Security Console
Security Policies Policies
Security Concepts Job Roles
Abstract
Roles
Role Types
Duty
• Oracle ERP Cloud uses role-based access control (RBAC). Roles
• Access to functions and data are defined via roles, not user-by-user.
• Oracle ERP Cloud uses the following types of roles:
- Job Roles
• Represent jobs that users perform in an organization, e.g. Cash Manager.
Introduced by Simplified Role Hierarchy in Release 10:
 Enterprise Job Roles – Considered External roles. They are assigned to users.
 Application Job Roles – Predelivered Top-level role assigned for each Enterprise Job Role. Not assignable to users directly.
-Abstract Roles
• Represent people in the organization independent of the jobs they perform, e.g. Employee, Line Manager.
• Can be assigned to users.
- Duty Roles
• Logical collection of privileges that grant access to tasks that someone performs as part of a job, e.g. Cash Management
Administration, Bank Statement and Reconciliation.
• Not assignable to users directly.
Security Concepts
Job Roles
Job Roles represent the jobs that users perform in an organization.
Cash Manager
 Enterprise Job Roles - External Job Roles assigned to users directly. (CE_CASH_MANAGER_JOB)
 *Application Job Roles – Top-level Role assigned to an Enterprise Job Role.

• Application Job Roles can be assigned authorization policies, such as function security policies and data security policies.
• They are predelivered, have an ORA-prefix in their code and can be identified with the “(Application role)” appended to the title of the job name.
• Not assignable directly to users.
Cash Manager
In Security Console, the suffix (CE_CASH_MANAGER_JOB)
"(Application role)" is added
to the display name of the
application role
Cash Manager (Application Role)
(ORA_CE_CASH_MANAGER_JOB)
Note:
 *Starting in Release 10, the Application Job Role was introduced with the Simplified Role Hierarchy.
• Benefits: Ensure that role models are preserved over time, allowing Oracle Applications Cloud to introduce new features in an isolated model.
• During each upgrade, predefined roles are updated to the specifications for that release, so any customizations would be overwritten.
 You should never edit the Application roles directly. You should always make a copy and then edit the copy.
 For customers who upgraded from Release 10 or earlier, the usage of Enterprise Job Roles and Application Job Roles would only be relevant if those customers migrated to the Simplified Role Hierarchy in
Release 10 or Release 11.
Security Concepts
Abstract Roles
Abstract Roles represent people in the enterprise independently of the jobs they perform.
• You may assign abstract roles directly to users or Roles.

• You can create custom abstract roles to group users.
• All users are likely to have at least one abstract role that provides access to a set of standard functions.
Abstract roles can be assigned to Bank Accounts

and grant access to a group of users
Casey.Brown
Abstract Role Abstract Role Abstract Role

Job Role Abstract Role
Cash Manager Employee BofA Bank Account TD Bank Account North America Bank
Users Users Account Users
Abstract Role
Application Job Abstract Role Transactional Application Role
Role Functional Business Employee
Cash Manager Setups User Intelligence
Worker
Security Concepts
Duty Roles
Duty Roles represent a logical collection of privileges that grant access to tasks that someone performs as part of a job.
• They group multiple function security privileges.

• They can inherit aggregate privileges and other duty roles
Bank Statement and
• You can copy and edit them. Reconciliation
• You don't assign duty roles directly to users.
Subledger Subledger Maintain Reconcile Reconcile Bank Statement and Reconciliation Duty can
Accounting Accounting Bank Bank Bank access Business Unit For the Business Units that
Manager Reporting Statement Statement Statement interact with the Bank Accounts they are
authorized using Manage Payables Invoice (Data)
Manage Payables
Customer Account Customer Account Invoice
Inquiry Inquiry
Function Security Privileges
Post Journals
Submit Journal
Entries Report
Data Security Policies
Duty Roles and their privileges
Security Concepts
Function Security Policies
Function security controls access to user interfaces and actions needed to perform the tasks of a job.
Function security is a statement of what actions you can perform in which user-interface pages (relevant pages,
components like tabs, buttons, and scheduled jobs).
What Can
Users
access?
Privilege Grant Access?

Manage Bank Account No
View Bank Account Yes
Maintain Bank Statement Yes
(Manually) Reconcile Bank Statement No
Submit Autoreconciliation Yes
Security Concepts
Data security is a statement of what action can be taken against which set of data.
A data security policy identifies the entitlement (the actions that can be made on logical business objects or
dashboards), the conditions that limit access, and the roles that can perform those actions.
Security Concepts
External Roles
Roles assigned to users
Assigned to directly
Role Inheritance External Roles
Enterprise Job Roles Abstract Roles

• Job and abstract roles inherit Application Roles
duty roles Roles that can be Inherit
assigned authorization
policies, such as
• Duty roles can inherit other duty function security
policies and data Application (Job)
roles security policies. Roles Duty Roles
• Job, abstract and duty roles can Inherit
also be assigned privileges and Duty Roles

aggregate privileges directly Grant privileges to Grant privileges to
Inherit
• When you assign job and abstract Data Security

Policies
Functional
Security Policies
roles to users, they inherit all of Duty Roles
Granted through Granted through
the data and function security
associated with those roles Privileges Privileges
Protect Protect
Database Resources Code Artifacts

Actions Act on (data: business objects, Actions Act on (pages, workflows,
tables) buttons, menus)
Security Overview Cash Management
Casey.Brown
Assigned to

Enterprise/External
Abstract Roles Cash Manager Employee
Job Roles
Inherit Inherit
Application Job Abstract Role Abstract Role
Transactional Application Role
Application Job Application Role Functional Employee
Cash Manager Business
Roles Roles Setups User Intelligence Worker
Inherit Duty Role Duty Role Privilege

Cash Management Manage
Time and Scheduled
Administration Labor Worker
Duty Roles Processes
Grant privileges to Grant privileges to Cash Manager Duty Role

inherits Bank Statement and
Privilege
permissions Reconciliation
Data Security Functional Maintain Bank Account Transfer
Policies Security Policies from these
roles Duty Role
Privilege
Cash Positioning
Granted through Granted through Manage Cash Positioning and
and Forecasting
Forecasting Transactions
Management
Privileges Privileges
Data Security Policy
Duty Role
Protect Protect FSCM Load Interface Policy Name
Administration Cash Positioning Privilege
and Forecasting View
Database Resources Code Artifacts Management Receivables
Actions Act on (data: business objects, Actions Act on (pages, workflows, Duty Role Activities
Duty can access
tables) buttons, menus) Payments Business Units
Disbursement
Administration
Security Console
Editing, Copying, Reviewing Roles…
Security Console
Be sure you see Roles:fscm.
Navigator > Tools > Security Console If not: Open the “Manage Administrator Profile Values” task from FSM.
Query Profile Display Name: Security Console Working App Stripe
(Profile Option Code: ASE_WORKING_APP_STRIPE). Set this to ‘fscm’.
Security Console icon
Application Role: ORA_CE_CASH_MANAGER_JOB

Enterprise Role: CE_CASH_MANAGER_JOB
Security Console
View External Roles
To expand the
hierarchy of any
inherited role,
Cash Manager inherits select it, right-
Cash Manager (Application click, and select
Role)
Expand
Security Console
View Application Roles
Zoom
in/Zoom out
You can also
use the
mouse wheel
to zoom in.
Privileges Drag the entire

(Function Security image in any
Privileges) direction.
Duty Roles
Application Job Roles
Security Console
View Roles
U signifies user,
R signifies role,
P signifies privilege, and
A signifies aggregate privilege.
If the image is smaller still, the
nodes are unlabeled.
Security Console
Edit Role > Basic Information, Functional Security Policies and more…
Security Console
Edit Role > Role Hierarchy
Security Console
Copy Role
• Copy top role: You copy only the role you have selected.
The source role has links to roles in its hierarchy, and the copy inherits links to the
original versions of those roles.
• Copy top role and inherited roles: You copy not only the role you have
selected, but also all of the roles in its hierarchy.
Your copy of the top role is connected to new copies of subordinate roles.
Security Console
Simulate Navigator
Cash Management Roles and Privileges
List of Predefined Roles and Privileges
CE Role Hierarchy
In fscm Cash Manager
(CE_CASH_MANAGER_JOB)
Cash Manager (Application Role) Transactional Business

Functional Setups User
(ORA_CE_CASH_MANAGER) Intelligence Worker
Bank Statement and Cash Management FSCM Load Cash Positioning and
Reconciliation Administration Forecasting Management Payments Disbursement
Interface Administration
(ORA_CE_BANK_STATEMENT_AND_RECONCILI (ORA_CE_CASH_MANAGEMENT_ADMINISTRA (ORA_CE_CASH_POSITION_AND_FORECAST_
ATION_DUTY) TION_DUTY) Administration MANAGEMENT_DUTY)
Subledger
Customer
Accounting
Account Inquiry
Manager
Subledger Disbursement Disbursement Subledger Subledger

Customer
Accounting Data Process Accounting Accounting
Account Inquiry
Reporting Management Management Manager Reporting
Cash Manager Cash Manager
In obi (CE_CASH_MANAGER_JOB) In hcm (CE_CASH_MANAGER_JOB)
Transactional Subledger Accounting Cash Management Transactional

Functional Setups Cash Manager Transaction Analysis Transaction Analysis Functional Setups Cash Manager
Business Intelligence Business
User (Application Role) Duty Duty User (Application Role)
Worker Intelligence Worker
(Application Role) (Application Role)
Cash Bank Cash Positioning FSCM Load Payments Cash Positioning

Statement and Interface Disbursement BI Consumer and Forecasting
Management and Forecasting
Reconciliation Administration Administration Role Management
Administration Management
Application/Context
Cash Manager Cash Manager
In crm (CE_CASH_MANAGER_JOB) In IDCCS (CE_CASH_MANAGER_JOB)
Transactional Transactional
Functional Setups Cash Manager Functional Setups Cash Manager
(Application Role)
Business Business
User Intelligence Worker User (Application Role)
Intelligence Worker
Cash Management Cash Positioning Payments Upload Data for

Administration and Forecasting Disbursement Bank Statement
Management Administration Import
Enterprise Role / External Role - Cash Manager
CE_CASH_MANAGER_JOB
Security Console Authorization Policy Manager (APM)
Application Job Role – Cash Manager
ORA_CE_CASH_MANAGER_JOB
Application Job Role Cash Manager is a predefined Application Job Role (ORA_).
It protects and develops the company's liquid assets maximizing their use and return to the organization.
Job Role Duty Roles (in fscm) Role Code
Cash Manager
(Application Cash Management Administration ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Role)
Bank Statement and Reconciliation ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY
Cash Positioning and Forecasting

ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Management
FSCM Load Interface Administration ORA_FUN_FSCM_LOAD_INTERFACE_ADMIN_DUTY
Payment Disbursement
ORA_IBY_PAYMENTS_DISBURSEMENT_ADMINISTRATION_DUTY
Administration
Duty Role – Cash Management Administration
ORA_CE_CASH_MANAGEMENT_ADMINISTRATION_DUTY
Cash Management Administration Role sets up system parameters, lookups, profile options, descriptive flexfields, Cash
Positionining and Forecasting options.
Manage Bank
Manage Bank Account
Manage Bank Branch
Manage Bank Statement Automatic Reconciliation Matching Rule Set
Manage Bank Statement Code
Manage Bank Statement Reconciliation Matching Rule
Manage Bank Statement Reconciliation Tolerance
Manage Bank Statement Transaction Creation Rule
Manage Cash Positioning and Forecasting Reports
Manage Cash Positioning and Forecasting Transaction Grouping
Manage Cash Transaction Type Mapping
Manage Parse Rule Set
Specify Cash Positioning and Forecasting Options
View Bank
View Bank Account
View Bank Branch
View Bank Statement Automatic Reconciliation Matching Rule Set
… and more…
Duty Role – Cash Management Administration
Business Object Policy Description Policy Store
Implementation
Trading Community Relationship A Cash Manager can view trading community relationship for all trading community relationships in Role: Cash Management Administration
the enterprise Privilege: View Trading Community Relationship (Data)
Resource: Trading Community Relationship
Duty Role – Bank Statement and Reconciliation
ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY
Bank Statement and Reconciliation Role reconciles bank statements and transactions. Also manages setup information
for bank statement processing and reconciliation.

Import Bank Statement Reconciliation External Transaction
Maintain Bank Statement
Manage Bank Statement Autoreconciliation Exception
Manage Bank Statement and Reconciliation Activities
Manage Cash Management Infolets
Manage External Cash Transaction
Mark Bank Statement Reconciliation Reviewed
Process Electronic Bank Statement
Reconcile Bank Statement
Submit Autoreconciliation
Submit Bank Statement Report
Submit Bank Statement Transaction Creation Program
Submit Cash to General Ledger Reconciliation Report
View Bank Statement
View External Cash Transaction
View Payables Payment
View Receivables Receipt
Duty Role – Bank Statement and Reconciliation
Business Object Policy Description Policy Store Implementation
Payables Payment A Cash Manager can manage payables invoice for the business units that interact with the bank Role: Bank Statement and Reconciliation
accounts for which they are authorized Privilege: Manage Payables Invoice (Data)
Resource: Payables Payment
Receivables Miscellaneous Receipt A Cash Manager can view receivables activities for the business units that interact with the bank Role: Bank Statement and Reconciliation
accounts for which they are authorized Privilege: View Receivables Activities (Data)
Resource: Receivables Miscellaneous Receipt
Receivables Standard Receipt A Cash Manager can view receivables activities for the business units that interact with the bank Role: Bank Statement and Reconciliation
Resource: Receivables Standard Receipt
Duty Role – Cash Positioning and Forecasting Management
ORA_CE_CASH_POSITION_AND_FORECAST_MANAGEMENT_DUTY
Cash Positioning and Forecasting Management Role manages cash positioning and forecasting.

Maintain Ad Hoc Payments
Maintain Bank Account Transfer
Manage Cash Management Infolets
Manage Cash Positioning and Forecasting Reports
Manage Cash Positioning and Forecasting Transactions
Manage External Cash Transaction
Submit Cash Positioning and Forecasting Data Deletion
Submit Cash Positioning and Forecasting Data Extraction
Submit Cash Positioning and Forecasting Data Transfer
View Ad Hoc Payments
View Bank Account Transfer
View Bank Statement
View External Cash Transaction
View Payables Payment
View Receivables Receipt
… and more….
Duty Role – Cash Positioning and Forecasting Management
Business Object Policy Description/Condition Policy Store Implementation
Disbursement A Cash Manager can manage payments by business unit for the business units that interact with the Role: Cash Positioning and Forecasting Management
bank accounts for which they are authorized Privilege: Manage Payments by Business Unit (Data)
Resource: Disbursement
Document Payable A Cash Manager can manage payments by business unit for the business units that interact with the Role: Cash Positioning and Forecasting Management
Resource: Document Payable
Payables Payment A Cash Manager can manage payables invoice for the business units that interact with the bank Role: Cash Positioning and Forecasting Management
accounts for which they are authorized Privilege: Manage Payables Invoice (Data)
Resource: Payables Payment
Payment Instruction A Cash Manager can manage payments by business unit for the business units that interact with the Role: Cash Positioning and Forecasting Management
Resource: Payment Instruction
Receivables Miscellaneous Receipt A Cash Manager can view receivables activities for the business units that interact with the bank Role: Cash Positioning and Forecasting Management
Resource: Receivables Miscellaneous Receipt
Receivables Standard Receipt A Cash Manager can view receivables activities for the business units that interact with the bank Role: Cash Positioning and Forecasting Management
Resource: Receivables Standard Receipt
Trading Community Relationship A Cash Manager can view trading community relationship for all trading community relationships in Role: Cash Positioning and Forecasting Management
Role: Disbursement Data Management
Disbursement A Cash Manager can manage disbursement by payment function for any customer refunds in the Role: Disbursement Data Management
payment process within the enterprise Privilege: Manage Disbursement by Payment Function (Data)
Resource: Disbursement
A Cash Manager can manage disbursement by payment function for any employee expenses in the
payment process within the enterprise
A Cash Manager can manage disbursement by payment function for any oracle fusion payables
documents in the payment process within the enterprise
Document Payable A Cash Manager can manage disbursement by payment function for any customer refunds in the Role: Disbursement Data Management
Resource: Document Payable
Payment Instruction A Cash Manager can manage disbursement by payment function for any customer refunds in the Role: Disbursement Data Management
Resource: Payment Instruction
Role: Disbursement Process Management
Disbursement A Cash Manager can manage payments by business unit for the business units for which they are Role: Disbursement Process Management
authorized Privilege: Manage Payments by Business Unit (Data)
Resource: Business Unit
Document Payable A Cash Manager can manage payments by business unit for the business units for which they are Role: Disbursement Process Management
Payment Instruction A Cash Manager can manage payments by business unit for the business units for which they are Role: Disbursement Process Management
Person Address A Cash Manager can report person address for all people in the enterprise Role: Disbursement Process Management
Privilege: Report Person Address (Data)
Resource: Person Address
Trading Community Organization A Cash Manager can view trading community organization for all organizations in the enterprise Role: Disbursement Process Management
Party Privilege: View Trading Community Organization (Data)
Resource: Trading Community Organization Party
Trading Community Party A Cash Manager can view trading community person for all people in the enterprise Role: Disbursement Process Management
Privilege: View Trading Community Person (Data)
Resource: Trading Community Party
Roles: Subledger Accounting Manager / Subledger Accounting Reporting
Ledger A Cash Manager can manage ledger for subledger for the posting ledgers for transactions that they are Role: Subledger Accounting Manager / Reporting
authorized. Privilege: Manage Ledger for Subledger (Data)
Resource: Ledger
Subledger Accounting Balance A Cash Manager can manage subledger accounting balance for the subsidiaries or management Role: Subledger Accounting Manager / Reporting
segment values whose account balance they manage Privilege: Manage Subledger Accounting Balance (Data)
Resource: Subledger Accounting Balance
Subledger Application A Cash Manager can manage subledger application for the owning oracle fusion accounting generating Role: Subledger Accounting Manager / Reporting
subledger application. Privilege: Manage Subledger Application (Data)
Resource: Subledger Application
Subledger Journal Entry A Cash Manager can manage subledger source transaction for the business units, cost organizations, Role: Subledger Accounting Manager / Reporting
asset books or legislative data groups, and the subledger applications for which they are authorized Privilege: Manage Subledger Source Transaction (Data)
Resource: Subledger Journal Entry
Subledger Source Transaction A Cash Manager can manage subledger source transaction for the business units, cost organizations, Role: Subledger Accounting Manager / Reporting
asset books or legislative data groups, and the subledger applications for which they are authorized Privilege: Manage Subledger Source Transaction (Data)
Resource: Subledger Source Transaction
Role: Customer Account Inquiry

Party Tax Profile A Cash Manager can manage business unit party tax profile for the business units for which they are Role: Customer Account Inquiry
authorized Privilege: Manage Business Unit Party Tax Profile (Data)
Role: Customer Account Inquiry
Tax Exemption A Cash Manager can manage tax exemption for the tax setup applicable to the business units for Role: Customer Account Inquiry
which they are responsible Privilege: Manage Tax Exemption (Data)
Trading Community Customer A Cash Manager can view customer account for all customer accounts in the enterprise Role: Customer Account Inquiry
Account Privilege: View Customer Account (Data)
Resource: Trading Community Customer Account
Trading Community Customer A Cash Manager can view customer account relationship for all customer account relationships in Role: Customer Account Inquiry
Account Relationship the enterprise Privilege: View Customer Account Relationship (Data)
Resource: Trading Community Customer Account Relationship
Trading Community Customer A Cash Manager can view customer account site for all customer account sites in the enterprise Role: Customer Account Inquiry
Account Site Privilege: View Customer Account Site (Data)
Resource: Trading Community Customer Account Site
Trading Community Customer A Cash Manager can view customer account site use for all customer account site uses in the Role: Customer Account Inquiry
Account Site Use enterprise Privilege: View Customer Account Site Use (Data)
Resource: Trading Community Customer Account Site Use
Trading Community Organization A Cash Manager can view trading community organization for all organizations in the enterprise Role: Customer Account Inquiry
Party Privilege: View Trading Community Organization (Data)
Resource: Trading Community Organization Party
Trading Community Party A Cash Manager can view trading community person for all people in the enterprise Role: Customer Account Inquiry
Privilege: View Trading Community Person (Data)
Resource: Trading Community Party
Trading Community Relationship A Cash Manager can view trading community relationship for all trading community relationships in Role: Customer Account Inquiry
Upgraded Customers: Points to Consider
Instructions and documentation
Upgraded customers – Points to Consider
Associated Duty Roles and Privileges
Depending on whether you are a new Release 11 customer, an upgraded Release 11 customer that migrated to the Simplified Role Hierarchy in Release 10 or 11, or an upgraded
Release 11 customer that did not migrate to the Simplified Role Hierarchy, different security features apply to you. The following describes some of the high level differences
between these different types of customers.
Note: For more information on the Simplified Role
Hierarchy that was introduced in Release 10, see the
Upgrade Guide for Oracle Cloud Applications Security.
New customers will use the Manage Data Access for Users
page to explicitly assign users a data security context, such
as business unit, asset book, etc. and the security context
value, such as the specific business unit, asset book,
ledger, etc. for a job role that is already assigned to the
user.
Upgrade customers who migrated to the simplified role

hierarchy in Release 10 or 11 will also have the Application
Job Role assigned to their Enterprise job roles in order to
use all of the new Release 11 features.
Upgrade customers who did not migrate to the simplified

role hierarchy will also continue to use data roles and data
role templates. However, their Enterprise Job Roles will not
be linked to an Application job role, in which case, they will
not get any Release 11 new features secured by a new
privilege. These customers can choose to select the
individual privileges to enable the Release 11 features they
are interested in or migrate to the simplified role hierarchy.
For upgraded customers who did not migrate to the Simplified Reference Role Model as described in the Upgrade Guide for Oracle Cloud Applications Security Release 10
document, they will need to manually assign the associated duty role or privilege for those new features they want to uptake in Release 11.
Upgraded customers – Points to Consider
Release 11 New Features – Cash Management
Feature Name Duty Role Role Code Privilege Title Privilege Name
Cash Management Dashboard Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Manage Cash Management Infolets ORA_CE_MANAGE_CASH_MANAGEMENT_INFOLET
MANAGEMENT_DUTY
Cash Positioning and Forecasting Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Manage Cash Positioning and Forecasting Transactions ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_TRANSACTIONS
MANAGEMENT_DUTY
Cash Positioning and Forecasting Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Submit Cash Positioning and Forecasting Data Deletion ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_DELETION
Multidimensional Cube Updates MANAGEMENT_DUTY Submit Cash Positioning and Forecasting Data Extraction ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_EXTRACTION
Submit Cash Positioning and Forecasting Data Transfer ORA_CE_SUBMIT_CASH_POSITIONING_AND_FORECASTING_DATA_TRANSFER
Cash Positioning and Forecasting Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Manage Cash Positioning and Forecasting Reports ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_REPORTS
Reports, including Smart View MANAGEMENT_DUTY
Reports
Specify Cash Positioning and Cash Management Administration ORA_CE_CASH_MANAGEMENT_ Specify Cash Positioning and Forecasting Options ORA_CE_SPECIFY_CASH_POSITIONING_AND_FORECASTING_OPTIONS
Forecasting Setup page ADMINISTRATION_DUTY
Manage Cash Positioning and Cash Management Administration ORA_CE_CASH_MANAGEMENT_ Manage Cash Positioning and Forecasting Transaction ORA_CE_MANAGE_CASH_POSITIONING_AND_FORECASTING_TRANSACTION_GR
Forecasting Transaction Grouping ADMINISTRATION_DUTY Grouping OUPING
Setup page
Bank Account Transfers Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Maintain Bank Account Transfer CE_MAINTAIN_BANK_ACCOUNT_TRANSFER
MANAGEMENT_DUTY View Bank Account Transfer CE_VIEW_BANK_ACCOUNT_TRANSFER
Ad Hoc Payments Cash Positioning and Forecasting Management ORA_CE_CASH_POSITION_AND_FORECAST_ Maintain Ad Hoc Payments CE_MAINTAIN_AD_HOC_PAYMENTS
MANAGEMENT_DUTY View Ad Hoc Payments CE_VIEW_BANK_ACCOUNT_TRANSFER
Intraday Bank Statements Bank Statement and Reconciliation ORA_CE_BANK_STATEMENT_AND_ View Bank Statement CE_VIEW_BANK_STATEMENT_PRIV
RECONCILIATION_DUTY Maintain Bank Statement CE_MAINTAIN_BANK_STATEMENT_PRIV
Payments Setup Options for Cash Payments Disbursement Administration ORA_IBY_PAYMENTS_DISBURSEMENT_

Transactions ADMINISTRATION_DUTY
Securing Bank Accounts
Secure Banks by Users and Roles
Account Access
Bank account security consists of Bank account access security & Bank account use security.
Business Unit Access

• Payables and Receivables account access is secured by business unit.
• One or more business units must be granted access before the bank account can be used by Payables and Receivables.
• Only business units that use the same ledger as the bank accounts owning legal entity can be assigned access.
Users and Role Security
• We can have the option to further secure the bank account so that it can only be used by certain users and roles.
• The default value to secure bank account by users and roles is No.
• In Payables and Receivables even if the secure bank account by users and roles is No, you must have the proper business unit assigned
to access a bank account.
• If the secure bank account by users and roles is set to Yes, the users or roles need to be assigned to the bank account to use it.
For securing Bank Accounts…
• Users need to manually be assigned to bank accounts.
• Abstract Custom Roles can be created to group users

and restrict access to bank accounts.
Casey.Brown
Abstract Role Abstract Role

Abstract Role BofA Bank North America
Cash TD Bank
Employee Account Bank Account
Manager Account Users
Users Users
Use Case 1 – Securing Bank Accounts
Secure Bank Accounts by Users and Roles
Use Case 1 – Secure Bank Accounts by Users and Roles
In this example, we want to secure the Bank Accounts, restricting user access according to the following:
Elaine Furtado
has access to all Bank Accounts Casey Brown
•BofA-2014A Cannot access
•BofA-5186 BofA-204A, BofA-5186
•Citibank-1448 and Citibank-1448
Bank Accounts
John Operations
has access to Bank of America Accounts:
•BofA-204A
•BofA-5186
Bank Of America Citibank
BofA-204A BofA-5186 TD Citibank-1448

Bank Account
Custom Abstract Roles:

Abstract Role to grant access to Bank of America Bank Accounts (EF_BOFA_BANK_ACCOUNT_USERS)
Abstract Role to grant access to Citibank-1448 Bank Account (EF_CITIBANK-1448_BANK_ACCOUNT_USERS)
Use Case 1 – Security Steps
1 2 3 4
Create Roles and Assign Roles to Test Bank Account

Create Users Add Members Bank Account Security access
- Go to Task: Create Implementation - Create Abstract Roles representing - Go to Manage Bank Accounts task, - Create new Bank Statement or
Users (IT_SECURITY_MANAGER user the Group of Users that will have and Secure Bank Accounts. External Transaction and confirm that
as Administrator options) access for specific Bank Accounts. Bank account is secured by User.
- Assign Roles to grant access to users.
- Add members to these Roles.
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 47
Oracle Identity Manager (OIM)
Step 1: Create New Users

Task: Create Implementation Users (User: IT_SECURITY_MANAGER)
Step 2: Create New Abstract Roles
Create group of users to restrict access to Bank Accounts
Oracle Identity Manager (OIM)
Reviewing Roles assigned to Users
Task: Create Implementation Users (IT_SECURITY_MANAGER)
John Operations is member of: BofA-204A

-Bank of America – Bank Account Users
BofA-5186
BofA-204A
Elaine Furtado is member of
-Bank of America – Bank Account Users
-Citibank-1148 – Bank Account Users BofA-5186
Citibank-1448
Casey Brown
Step 3: Assign Roles to Bank Accounts
Task: Manage Bank Accounts > Security
Bank Account Role Name Role Code Users
BofA-204A Bank of America – Bank Account Users EF_BOFA_BANK_ACCOUNT_USERS John Operations
Elaine Furtado
BofA-5186 Bank of America – Bank Account Users EF_BOFA_BANK_ACCOUNT_USERS John Operations
Elaine Furtado
Citibank-1448 Citibank-1448 – Bank Account Users EF_CITIBANK_1448_BANK_ACCOUNT_USERS Elaine Furtado
Secure Bank Account by

Assigning Users and
Roles to restrict access
Note: Non-Secured Bank Accounts will be visible to all users
Step 4: Test Bank Account Security access
Task: Create Bank Statement
Login as John Operations.
John Operations And he cannot

can access: access Citibank-
BofA-204A and 1448
BofA-5186
Login as Elaine Furtado.
Elaine Furtado can

access BofA-204A And she can access
and BofA-5186 Citibank-1448
Login as Casey Brown.
Casey Brown
cannot access: And he cannot
BofA-204A and access Citibank-
BofA- 5186 1448
Use Case 2 – Customizing Roles
Customize Duty Roles, Remove Privileges, Assign Custom Roles to Job Role
Use Case 2
Secure Bank Accounts by Users and Roles
In this example, John Operations will have most privileges associated with the Cash Manager job role.
However, for our business needs:
• He will not be able to manage or view Banks and Branches.
• He is able to view Bank Accounts, but he will not be able to create or modify an existing Bank Account.
John Operations
Manage Bank Manage Bank

Manage Banks
Branches Accounts
View Banks View Bank Branches

View Bank Accounts
Use Case 2 – Security Steps
1 2 3
Identify Roles and Copy and Edit Seeded Copy and Edit Seeded
Privileges Duty Role Application Role
- Review the Financials Security - Copy and Edit the predefined seeded - Copy and Edit the predefined seeded
Reference Manual in PDF format. Cash Management Administration Cash Manager (Application Role).
Duty Role.
- Identify which Roles and Privileges - Remove the Cash Management
are associated with the actions we - Remove or add privileges as desired. Administration Duty Role and Add the
want to restrict the user. new Duty Role created.
4 5 6
Copy and Edit Seeded Assign new External Test the Application
External Job Role Job Role to users
- Copy and Edit the predefined seeded - Assign the new External Job Role to - Log in as user that is a member of the
Cash Manager - External Job Role. your users. new External Job Role.
- Remove the assigned Cash Manager - Test the application.

(Application Role) and add the newly
created Application Role.
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 57
Step 1: Identify Roles and Privileges
Oracle Financials Cloud Security Reference
The first step is to identify which Roles and Privileges are associated with the actions we want to restrict for
each user.
1. Review the Financials Security Reference Manual in PDF format: Oracle Financials Cloud Security
Reference
2. Find the Job Role that most closely matches the privileges you want to customize. (In our case, Job Role:
Cash Manager)
Step 1: Identify Roles and Privileges
Oracle Financials Cloud Security Reference
3. Skim the Duties that a Cash Manager can perform. Skim the Role Hierarchy.
4. Go to the Privileges section. This is the most important section to determine what individual privileges
roll up directly to the Cash Manager and other Duty Roles that are assigned to the Cash Manager.
5. Search by Bank, Bank Branch and Bank Account. (Refer to Slides 24-38 in this presentation to be more
familiar with Cash Management Duty Roles).
Duty Role: Cash Management Administration

Privileges:
Manage Bank, Manage Bank Account, Manage Bank Branch
View Bank, View Bank Account, View Bank Branch
Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console
1. Log in to your application and open the Security Console.
2. Be sure you see Roles: fscm on the top left of the page.
If you do not see Roles: fscm, set the following profile option:
Open the “Manage Administrator Profile Values” task from FSM.

• Query Profile Display Name: Security Console Working App Stripe (ASE_WORKING_APP_STRIPE).
• Controls the App Stripe the user works on.
• Set to “fscm” either at site level, or for specific fscm users.
• Query Profile Display Name: Enable Data Security Policies and User Membership Edit (ASE_ROLE_MGMT_PREF)
• Preference to enable data security policies and user membership editing in Security console.
• Set to “Yes”.
3. Review the prefix and suffix of new copy roles
4. From the Security Console, query the duty role Cash Management Administration because we need to
remove the privileges to Manage Bank, Manage Bank Branch, Manage Bank Account that are assigned to
the Cash Management Administration duty role.
5. Choose to Copy top role.
Copy Role > Basic Information
6. Edit the Role name, Role Code, and Description.
7. Click Next
Copy Role > Functional Security Policies
8. Remove the privileges: Manage Bank, Manage Bank Account, Manage Bank Branch, View Bank, and
View Bank Branch.
Copy Role > Role Hierarchy
9. You should see the following on the Role Hierarchy train stop.
10. Click Next and review the Summary and Impact Report.
Tools > Security Console > Administration
11. Click Submit and Close. You will receive a Confirmation message.
12. You can go to the Administration page to view your submission.
Compare Roles
 Compare the Seeded Duty Role with the Custom Duty Role newly created.
Removed
Privileges
Step 3: Copy and Edit Seeded Application Job Role
Tools > Security Console >
Now we need to copy the seeded Application Job Role, Cash Manager (Application Role), and in the copy,
replace the Cash Management Administration with the one we just created (EF Cash Management
Administration Custom)
1. From the Roles: fscm page, query Cash Manager and be sure to pick the one that has the “(Application
Role)” appended :
Tools > Security Console > Copy Role
2. Copy the job role and choose Copy top role.

3. Edit the Role Name, Role Code, and Description.
4. Click Next
COPY ROLE
5. In the Role Hierarchy page, delete the Cash Management Administration duty role.
6. Then click the Add Role button to assign the newly created duty role.
7. Just query the name, then click the Add Role Membership button.
ADD ROLE
8. Review Role Hierarchy. It should look like below.
9. Click Next. Review Summary and Impact Report. Submit and Close.
Custom Application Job Role
Custom Duty Role
Compare Roles
 Compare the Seeded Application Job Role with the Custom Application Job role newly created.
Step 4: Copy and Edit Seeded External Job Role
Tools > Security Console > Copy Role
1. Query Cash Manager Job role that does NOT have Application Role appended (CE_CASH_MANAGER_JOB)
2. Copy it selecting the Copy top role and inherited roles option.
3. Update the Role Name, Role Code and Description.
4. Click Next > Next.
5. In the Role Hierarchy page, delete the assigned Cash Manager Application Role and add your newly
created one by clicking the Add Role > Add Role Membership buttons.
ADD ROLE
6. Review Role Hierarchy. It should look like below.
7. Click Next.
Custom Application Job Role
Custom External Job Role
Custom Duty Role
Copy Role > Summary and Impact Report
8. Review Summary and Impact Report. Submit and Close.
Review External Role in APM
Note: In our Use Case, we

have created a new Duty
Role, Application Role and
External Role for fscm
context/application.
If you want to customize the

security for another
application, you will need to
perform the same steps for
obi, hcm, etc. using Security
Console, or change the
Application Role Mapping
directly in APM.
Step 5: Assign the New External Job Role to Your User
Task: Create Implementation User
1. Query an existing user from OIM using the task called “Create Implementation Users”
2. Click the Roles tab and remove the existing External Role Cash Manager
3. Assign your newly created role and Close OIM.
4. Run the Retrieve Latest LDAP Changes process.
Step 6: Test the application
Log in as John.Operations
 Note: John.Operations cannot access Manage Banks and Manage Bank Branches tasks as expected:
Step 6: Test the application
Log in as John.Operations
 John.Operations is able to view and edit existing Bank Accounts.
 As expected, he cannot create new Accounts. Add button is grayed out.
Customizing Security
Best Practices
We recommend the following when you wish to make security customizations:
 You must not customize predefined roles. You can identify these predefined roles by the ORA_ prefix in
the Role Code field. During each upgrade, predefined roles are updated to the specifications for that
release, so any customizations would be overwritten.
 Instead, always make a copy of the predefined role. Then, edit the copy and save it as a custom role.
 Making your changes in a copy of a predefined role means that you can always compare to and roll
back to the delivered role.
 After a maintenance update or upgrade, you can compare your customized copy to the updated
predefined source role. You can see the updates to the predefined role and decide whether to
incorporate them into your custom role.
 You can best compare roles using the Security Console.
Additional Information, Docs & Links
CE Training Wiki, Security Reference Manual, Oracle docs and more…
Security Documents
Security Related documents can be accessed via docs.oracle.com:
Content of each predefined job role and duty role is

documented in the Security Reference Manuals
–You can access the security reference manual on
docs.oracle.com > Cloud > Applications > Financials >
Secure> Review Reference Guides
You can find CE Roles, Role Hierarchy, Privileges and Data

Policies in Security Reference for Oracle Financials Cloud
Upgrade Guide for Oracle Cloud Applications Security Release 10 document
Trainings & Release Readiness
CE Training Wiki page

Release 11 - ERP Release Readiness
Release 11 - What's new
Youtube Videos
How to Copy a Role Using the Security Console

How to Compare Roles Using the Security Console
How to Modify a Financials Role
Creating the Role-Provisioning Rule for Setup Users
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Sprache

Willkommen bei Scribd!

ERP Cloud Financials Fusion Cash Management R11 (8) Security

Hochgeladen von

Dokumentinformationen

Beschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Beschreibung:

Copyright:

Verfügbare Formate

ERP Cloud Financials Fusion Cash Management R11 (8) Security

Originaltitel:

Hochgeladen von

Beschreibung:

Copyright:

Verfügbare Formate

Verwandte Titel

ERP Cloud Financials

Fusion Cash Management R11

By Elaine Formenton Furtado

(7) (8) (9)

Roles Job Roles Abstract Roles Duty Roles

Function Data Security

 *Application Job Roles – Top-level Role assigned to an Enterprise Job Role.

• You may assign abstract roles directly to users or Roles.

Abstract roles can be assigned to Bank Accounts

Abstract Role Abstract Role Abstract Role

• They group multiple function security privileges.

Duty Roles and their privileges

Privilege Grant Access?

Role Inheritance External Roles

Enterprise Job Roles Abstract Roles

• Job, abstract and duty roles can Inherit

also be assigned privileges and Duty Roles

• When you assign job and abstract Data Security

Database Resources Code Artifacts

Job Role Abstract Role

Inherit Duty Role Duty Role Privilege

Grant privileges to Grant privileges to Cash Manager Duty Role

Security Console icon

Application Role: ORA_CE_CASH_MANAGER_JOB

Privileges Drag the entire

Cash Manager (Application Role) Transactional Business

Subledger Disbursement Disbursement Subledger Subledger

Transactional Subledger Accounting Cash Management Transactional

Cash Bank Cash Positioning FSCM Load Payments Cash Positioning

Cash Management Cash Positioning Payments Upload Data for

Job Role Duty Roles (in fscm) Role Code

Bank Statement and Reconciliation ORA_CE_BANK_STATEMENT_AND_RECONCILIATION_DUTY

Cash Positioning and Forecasting

FSCM Load Interface Administration ORA_FUN_FSCM_LOAD_INTERFACE_ADMIN_DUTY

Function Security Privileges

Function Security Privileges

Role: Customer Account Inquiry

Upgrade customers who migrated to the simplified role

Upgrade customers who did not migrate to the simplified

Payments Setup Options for Cash Payments Disbursement Administration ORA_IBY_PAYMENTS_DISBURSEMENT_

Business Unit Access

For securing Bank Accounts…

• Users need to manually be assigned to bank accounts.

• Abstract Custom Roles can be created to group users

Abstract Role Abstract Role

Bank Of America Citibank

BofA-204A BofA-5186 TD Citibank-1448

Custom Abstract Roles:

Create Roles and Assign Roles to Test Bank Account

- Add members to these Roles.

Step 1: Create New Users

Oracle Identity Manager (OIM)

John Operations is member of: BofA-204A

Secure Bank Account by

Note: Non-Secured Bank Accounts will be visible to all users

John Operations And he cannot