Tuesday Dec 04, 2012

How to Modify Data Security in Fusion Applications




The reference implementation in Fusion Applications is designed with built-in data security on business objects that implement the most common business practices.  For example, the “Sales Representative” job has the following two data security rules implemented on an “Opportunity” to restrict the list of Opportunities that are visible to an Sales Representative:

  • Can view all the Opportunities where they are a member of the Opportunity Team
  • Can view all the Opportunities where they are a resource of a territory in the Opportunity territory team

While the above conditions may represent the most common access requirements of an Opportunity, some customers may have additional access constraints.
This blog post explains:

  1. How to discover the data security implemented in Fusion Applications.
  2. How to customize data security
  3. Illustrative example.

a.) How to discover seeded data security definitions


The Security Reference Manuals explain the Function and Data Security implemented on each job role.  Security Reference Manuals are available on Oracle Enterprise Repository for Oracle Fusion Applications.
The following is a snap shot of the security documented for the “Sales Representative” Job. The two data security policies define the list of Opportunities a Sales Representative can view.

Here is a sample of data security policies on an Opportunity.

Business Object

Policy Description

Policy Store Implementation

Opportunity

A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team

Role: Opportunity Territory Resource Duty
Privilege: View Opportunity (Data)
Resource: Opportunity


A Sales Representative can view opportunity where they are an opportunity sales team member with view, edit, or full access

Role: Opportunity Sales Representative Duty
Privilege: View Opportunity (Data)
Resource: Opportunity

Description of Columns


Column Name

Description

Policy Description

Explains the data filters that are implemented as a SQL Where Clause in a Data Security Grant

Policy Store Implementation

Provides the implementation details of the Data Security Grant for this policy.
In this example the Opportunities listed for a “Sales Representative” job role are derived from a combination of two grants defined on two separate duty roles at are inherited by the Sales Representative job role.

b.) How to customize data security


Requirement 1:
Opportunities should be viewed only by members of the opportunity team and not by all the members of all the territories on the opportunity.

Solution:
Remove the role “Opportunity Territory Resource Duty” from the hierarchy of the “Sales Representative” job role.
Best Practice:
Do not modify the seeded role hierarchy.
Create a custom “Sales Representative” job role and build the role hierarchy with the seeded duty roles.

Requirement 2:
Opportunities must be more restrictive based on a custom attribute that identifies if a Opportunity is confidential or not.
Confidential Opportunities must be visible only the owner of the Opportunity.

Solution:
Modify the (2) data security policy in the above example as follows:
A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team and the opportunity is not confidential.
Implementation of this policy is more invasive. The seeded SQL where clause of the data security grant on “Opportunity Territory Resource Duty” has to be modified and the condition that checks for the confidential flag must be added.
Best Practice:
Do not modify the seeded grant.
Create a new grant with the modified condition.
End Date the seeded grant.


c.) Illustrative Example (Implementing Requirement 2)


A data security policy contains the following components:

  • Role
  • Object
  • Instance Set
  • Action

Of the above four components, the Role and Instance Set are the only components that are customizable. Object and Actions for that object are seed data and cannot be modified.
To customize a seeded policy, “A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team”,

  1. Find the seeded policy
  2. Identify the Role, Object, Instance Set and Action components of the policy
  3. Create a new custom instance set based on the seeded instance set.
  4. End Date the seeded policies
  5. Create a new data security policy with custom instance set

c-1: Find the seeded policy


Step 1:
1. Find the Role
2. Open
3. Find Policies


dif1.jpg


Step 2:

  1. Click on the Data Security Tab
  2. Sort by “Resource Name”
  3. Find all the policies with the “Condition” as “where they are a territory resource in the opportunity territory team

dif2.jpg

In this example, we can see there are 5 policies for “Opportunity Territory Resource Duty” on Opportunity object.


Step 3:

Now that we know the policy details, we need to create new instance set with the custom condition.
All instance sets are linked to the object.

  1. Find the object using global search option. Open it and click on “condition” tab
  2. Sort by Display name
  3. Find the Instance set
  4. Edit the instance set and copy the “SQL Predicate” to a notepad.
  5. Create a new instance set with the modified SQL Predicate from above by clicking on the icon as shown below.

dif2.jpg

Step 4:


End date the seeded data security policies on the duty role and create new policies with your custom instance set.

  1. Repeat the navigation in step
  2. Edit each of the 5 policies and end date them

dif2.jpg

3. Create new custom policies with the same information as the seeded policies in the “General Information”, “Roles” and “Action” tabs.

4. In the “Rules” tab, please pick the new instance set that was created in Step 3.

dif2.jpg


About

This blog shares with the broader Fusion Applications community instructional material in the areas of Enterprise Structures, Extensibility, Integration and Security with the a focus on implementation. This blog is updated by the Fusion Applications Implementation Solutions Task force, part of the Fusion Applications Fusion Architecture organization.

Search

Categories
Archives
« December 2012 »
SunMonTueWedThuFriSat
      
1
2
3
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
     
Today