Customizing User Security
By Richard Bingham-Oracle on May 15, 2014
This post brings together many resources on security into a practical article on customizing the security assignments of your Fusion Applications users. For a detailed explanation of how security works, see Jani's post, which provides a comprehensive Fusion Security overview. This post applies to both Oracle Cloud and on-premises implementations.
Although covered in detail elsewhere, the principles you will work with day to day are:
- Function Security - what features users can access. In a two-sentence summary: Enterprise Roles sit at the top level and contain Application Roles, themselves implemented as Duty Roles and Abstract Roles. Application Roles carry privileges, granted as access to resources: code artifacts such as pages, menus, and buttons.
- Data Security - what data users can access. This is set up using Data Roles that are automatically associated with Job Roles. A Data Role carries SQL predicates that are applied to database resources (tables) at run time, so a user only sees the rows that satisfy them.
For more detail, see the references section below.
The Main Security Tools
As demonstrated in this video, in addition to the many Fusion Applications pages (mostly in HCM) used for managing users and setting up the related organization structures, you can also access the underlying native security products, namely:
- Oracle Identity Management (OIM) - for creating new users and ensuring their credentials (usernames, passwords, email etc.) are valid. It also manages the 'external' top-level Enterprise Job Roles. OIM works against the underlying Oracle Internet Directory (OID), the LDAP directory that holds this data.
- Oracle Authorization Policy Management (APM) - for managing function and data security. This includes all creation of Application Roles (duty/abstract) and assigning them policies that grant entitlement resource privileges (pages, menus, buttons etc.). APM also stores all data roles and lets you manage the conditions applied to the Fusion database resources.
Checking Run-time Security
It is not always easy to single out the precise entitlement privilege that controls a given button, menu item, or widget on a visually rich ADF page. That said, there are some recommendations we can offer to help you decipher this:
- Consult the product-specific Security Reference Manuals (available under each tab), which detail the contents and hierarchy of the seeded security reference implementation, such as for Sales.
- Look in APM at the duty roles related to the feature of interest. Open the associated policies and look for those related to your purpose.
- Make a copy of a similar duty role and assign it to a test user (with the original revoked). Use a process of elimination: remove each entitlement in turn, log back in, and test the access you have until you hit upon the controlling definition. If removing any single entitlement never revokes access, the resource is probably granted by more than one of them, so remove them in groups.
- Depending on your deployment, you may also be able to dig into the underlying code artifacts and security repositories, as explained in our multi-part post on the topic, with articles for Page Composer, another for JDeveloper, and especially the final one on mapping security permissions to users and roles.
- Make use of embedded diagnostic scripts, Fusion Applications Auditing features, and other product-specific reports that often output security-related information and functional setup detail.
Creating Custom Security
Clearly the steps needed depend on your requirements, but the general process falls into the following three categories. Use the included resources to drill into more information on each.
1) Creating a custom job role by reusing existing definitions
This is a relatively simple process, as illustrated by this video. In summary, you create your Enterprise Role in OIM, switch to APM to create an Application Role, and map the two together. Then you select and add existing duty roles to your new Application Role. Finally you configure data security by selecting the underlying resource and picking the access levels, optionally adding any custom SQL conditions. Most of the work is done in the APM role policies table, as shown below:
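The APM role policies table referred to above is a screenshot in the original post. What follows is an added example, not code from the post or from Oracle: a small Python model of the role hierarchy and run-time data predicates described in the Function Security and Data Security definitions, the process-of-elimination check from the Checking Run-time Security list, and the five steps just listed for building a custom job role from existing duties. Every role, privilege, resource, table, user and session attribute name in it is hypothetical, and an in-memory sqlite3 table stands in for the Fusion database; the policy conditions are plain SQL predicates with session attributes bound as parameters, which is the shape of a data role condition, not its real implementation.

```python
"""Added example: a model of Fusion-style function and data security.
Every role, privilege, resource, table and user name here is hypothetical,
and sqlite3 stands in for the application database."""
import sqlite3

# Function security: enterprise (job) role -> application role -> duty roles
# -> privileges -> resources (pages, task flows, buttons). Hypothetical names.
DUTY_PRIVILEGES = {
    "ACCOUNT_REVIEW_DUTY": {"VIEW_ACCOUNT_PRIV"},
    "ACCOUNT_MANAGE_DUTY": {"VIEW_ACCOUNT_PRIV", "EDIT_ACCOUNT_PRIV"},
    "LEAD_QUALIFY_DUTY": {"VIEW_LEAD_PRIV", "QUALIFY_LEAD_PRIV"},
}
PRIVILEGE_RESOURCES = {
    "VIEW_ACCOUNT_PRIV": {"AccountOverviewPage", "AccountListTaskFlow"},
    "EDIT_ACCOUNT_PRIV": {"AccountOverviewPage.EditButton"},
    "VIEW_LEAD_PRIV": {"LeadListPage"},
    "QUALIFY_LEAD_PRIV": {"LeadListPage.QualifyButton"},
}
APP_ROLE_DUTIES = {
    "SALES_REP_APPROLE": {"ACCOUNT_MANAGE_DUTY", "LEAD_QUALIFY_DUTY"},
    "SALES_AUDITOR_APPROLE": {"ACCOUNT_REVIEW_DUTY"},
}
ENTERPRISE_TO_APP_ROLE = {  # the OIM enterprise role -> APM application role mapping
    "SALES_REPRESENTATIVE_JOB": "SALES_REP_APPROLE",
    "SALES_AUDITOR_JOB": "SALES_AUDITOR_APPROLE",
}
USER_ENTERPRISE_ROLES = {"jdoe": {"SALES_REPRESENTATIVE_JOB"},
                         "asmith": {"SALES_AUDITOR_JOB"}}

# Data security: a data role ties a database resource and action to a SQL predicate
# that is appended at run time, with session attributes bound as parameters.
DATABASE_RESOURCES = {"sales_accounts"}
DATA_POLICIES = {
    "SALES_REPRESENTATIVE_JOB": [{"resource": "sales_accounts", "actions": {"read", "update"},
                                  "condition": "territory = :territory"}],
    "SALES_AUDITOR_JOB": [{"resource": "sales_accounts", "actions": {"read"},
                           "condition": "1 = 1"}],  # every row, read only
}
SESSION_ATTRIBUTES = {"jdoe": {"username": "jdoe", "territory": "WEST"},
                      "asmith": {"username": "asmith", "territory": "EAST"}}


def effective_privileges(user):
    privs = set()
    for job in USER_ENTERPRISE_ROLES.get(user, set()):
        for duty in APP_ROLE_DUTIES[ENTERPRISE_TO_APP_ROLE[job]]:
            privs |= DUTY_PRIVILEGES[duty]
    return privs


def can_access(user, resource):
    return any(resource in PRIVILEGE_RESOURCES[p] for p in effective_privileges(user))


def controlling_privileges(user, resource):
    """Process of elimination: drop each privilege in turn and keep those whose
    removal revokes access. Empty while can_access() is True means the resource
    is reachable through more than one privilege, so no single removal reveals it."""
    privs = effective_privileges(user)
    reachable = lambda keep: any(resource in PRIVILEGE_RESOURCES[p] for p in keep)
    if not reachable(privs):
        return set()
    return {p for p in privs if not reachable(privs - {p})}


def secured_query(user, resource, action):
    """Build the run-time statement: the resource's SELECT with every applicable
    policy predicate OR-ed in. Resource names come from the policy store, never
    from user input, which is why they are checked against DATABASE_RESOURCES."""
    if resource not in DATABASE_RESOURCES:
        raise ValueError(f"unknown database resource {resource!r}")
    conds = ["(" + pol["condition"] + ")"
             for job in USER_ENTERPRISE_ROLES.get(user, set())
             for pol in DATA_POLICIES.get(job, [])
             if pol["resource"] == resource and action in pol["actions"]]
    if not conds:  # no data role for this action: fail closed, see nothing
        return f"SELECT * FROM {resource} WHERE 1 = 0", {}
    return f"SELECT * FROM {resource} WHERE " + " OR ".join(conds), SESSION_ATTRIBUTES[user]


def visible_rows(conn, user, action):
    sql, params = secured_query(user, "sales_accounts", action)
    return sorted(row[0] for row in conn.execute(sql, params))


def create_custom_job_role(job, app_role, duties, policies):
    """Step 1 of the post: enterprise role (OIM), application role (APM), map the
    two, reuse existing duty roles, then attach data policies with optional custom
    SQL conditions. Here that is just writes to the in-memory tables above."""
    unknown = set(duties) - DUTY_PRIVILEGES.keys()
    if unknown:
        raise ValueError(f"no such duty roles: {sorted(unknown)}")
    ENTERPRISE_TO_APP_ROLE[job] = app_role
    APP_ROLE_DUTIES[app_role] = set(duties)
    DATA_POLICIES[job] = list(policies)


def assign_user(user, job, session_attributes):
    USER_ENTERPRISE_ROLES.setdefault(user, set()).add(job)
    SESSION_ATTRIBUTES[user] = dict(session_attributes)


def demo_connection():
    """Constructed sample rows standing in for the application schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales_accounts (account_id INTEGER, name TEXT, territory TEXT, owner TEXT)")
    conn.executemany("INSERT INTO sales_accounts VALUES (?, ?, ?, ?)", [
        (1, "Acme", "WEST", "jdoe"), (2, "Globex", "EAST", "rroe"),
        (3, "Initech", "WEST", "rroe"), (4, "Umbrella", "WEST", "mlee")])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(controlling_privileges("jdoe", "AccountOverviewPage.EditButton"))  # {'EDIT_ACCOUNT_PRIV'}
    print(visible_rows(conn, "jdoe", "update"))  # [1, 3, 4]
    create_custom_job_role("SALES_TEAM_LEAD_JOB", "SALES_TEAM_LEAD_APPROLE", {"ACCOUNT_MANAGE_DUTY"},
                           [{"resource": "sales_accounts", "actions": {"read", "update"},
                             "condition": "owner = :username OR territory = :territory"}])
    assign_user("mlee", "SALES_TEAM_LEAD_JOB", {"username": "mlee", "territory": "EAST"})
    print(visible_rows(conn, "mlee", "update"))  # [2, 4]
```

Two design points carry over to the real product. Data security fails closed: a user with no data role for an action gets an empty result, not the whole table, so a missing data role shows up as "no rows" rather than as over-exposure. And the custom condition for the team lead is OR-ed with the session attribute predicate, which is why mlee sees account 4 (owned, but in the WEST territory) as well as the EAST rows; when you write a custom SQL condition in APM, check which rows it adds, not only which it keeps.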
2) Creating new roles for extensions to Fusion Applications
This is a much more substantial challenge, and is only needed to support brand-new pages and functionality created by design-time development, since the extensive reference implementation provides reusable definitions for all existing objects and features. That said, there are always exceptions. The exact steps for defining a complete custom security implementation for your extensions (i.e. new ADF task flows) are beyond the scope of this article; in principle, though, the work is not too dissimilar to the steps above, requiring the creation of resources, entitlements, and policies for your new artifacts, and using the reusable data templates for applying Data Security. For more on this invasive security development, review the detailed material in the Fusion Applications Developer's Guide, part 7.
3) Creating security for custom objects in Application Composer
The following embedded video details the options for applying both function and data security to custom objects created in Application Composer. It is included here because it covers many of the generic APM steps, but it also shows that you need to understand the database tables and columns underpinning the custom object functionality.
References
- Our YouTube channel with the Security playlist
- All security-related blog posts from this site
- Concepts and principles further detailed in the Security Guide and the Understanding Security Guide
- The product Security Guides are under each tab of the documentation home, decomposing the reference implementation (i.e. seeded roles)
- For new Cloud deployments, refer to the essential Getting Started guides (e.g. HCM Cloud or Sales Cloud)
- Some related content also exists on the Oracle Learning Library, for both Oracle Cloud and the security products, and on the Fusion Functional Architecture team's blog