Fusion Applications Security Roles Related to Customization

In the Fusion Applications Extensibility Guide (section 1.3.1) there is a small section entitled “Understanding Role-Based Access to Tools” but only has a single paragraph mentioning that is required an “administrator” privilege, but has no more details than that. This post aims to explain more, with specific roles and details on what they control.  Please note, this doesn’t post does not cover the roles and privileges required for the technology customization components, such as for Enterprise Manager, WebLogic Console, Database, iDM components, and OBIEE. These core users and roles are all created during the provisioning process, and what we’re looking at here is just the Fusion Applications-related security roles.

Important Roles

Looking at the Common Security Reference Manual it is possible to identify some of the the seeded Fusion Applications duty roles related to customizations. These are obviously available for review in the administration console of Access Provisioning Manager (APM) and assigning to users in Oracle Identity Manager (OIM).

All the Fusion Application products have roles with names like “[product or feature] Administrator Duty” and these inherit many of the items listed below, however when these standard roles need tweaking then this list should prove useful.

Firstly there are two key roles for this type of work. The Application Developer Job Role, as the name suggests designed for most customization and development work. This would be useful for the I.T. development team, but overkill for most functional users. In addition the Application Administrator role secures customization features within a product family, including adjusting the User Interface Text and the Navigator menus.

In addition, the following roles control specific features and functions that should be assigned and allocated as the users tasks permit.

Core Application Setups (not including flexfields, lookups, messages etc)

  • Application Menu Customization Duty – For customizing the application menus using the task in Functional Setup Manager.
  • Application Help Text Administration Duty – For adding and managing custom help for all products.

Application Composer

  • CRM Application Administrator Duty - A consolidated duty role that allows an administrator to manage all setup duties and administer custom objects.
  • [CRM Product] Custom Objects Management Duty – For managing the custom objects in an Oracle Fusion [CRM Product].

UI / Pages

  • [Product Family] UI Customization Duty – Allows customization of [product family] application User Interface (i.e. Page Composer).
  • Page Composer Source View Access Duty – Duty role that allows access to Page Composers’ source view.
  • Application Sandbox Publish Duty – Allows access to the MDS Sandbox publication action.
  • Applications Sandbox Metadata Import Duty – Allows access to importing of sandbox metadata.

BI / Reports

  • Reports and Analytics Region Administration Duty - Allows for the select of reports to appear in the Reports and Analytics region of Oracle Fusion Applications work areas.
  • Business Intelligence Authoring Duty - Creates an author of Business Intelligence reports as presented in the online catalog. Includes Business Intelligence Applications, Business Intelligence Publisher, Real Time Decisions, Enterprise Performance Management and Business Intelligence Office.

Human Capital Management (HCM)

  • Workforce Business Processes Registration Duty – The role that provides access to the Register Workforce Business Processes page to identify composite business processes
  • Workforce Lifecycle Business Process Administration Duty -The role needed for setting up the launching of new composite business processes (BPM).

Usage Example in Page Composer

The following video from our YouTube channel illustrates how you can create UI customizations based on interrogating the current users security roles at run-time using an expression in Page Composer. Whilst security provisioning using role-based authorization remains the preferred option for ensuring change-proof function and data security, setting component properties based on the user role can be useful, especially for those non-CRM products where the choice of MDS layers does not include job role.


  • Oracle Fusion Applications Security Guide
  • Oracle Fusion Applications Security Hardening Guide
  • Oracle Fusion Applications Security Reference Manuals (common and per-product family)
  • Oracle Authorization Policy Manager Administrator’s Guide (Oracle Fusion Applications Edition)

Also note that each of the Product Family Implementation Guides has a chapter at the end related to customization, extension, and setup. These have some common content on such as sandboxes and page composer, plus some product-specific content that can include role information.


Post a Comment:
  • HTML Syntax: NOT allowed

Follow us on twitter Fusion Applications Extensibility, Customizations and Integration forum Fusion Applications Dev Relations YouTube Channel
This blog offers news, tips and information for developers building extensions, customizations and integrations for Oracle Fusion Applications.


« July 2016