
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Fusion Product Hub Training

Fusion Product Hub Security

July 2014

Oracle Confidential – Internal/Restricted/Highly Restricted


Role Based Access Control

Access is provided via Roles

User: Andrew Kelly

• Role: Product Manager

• Role: Employee

• Role: Manager


Fusion Security Model

WHO can do WHAT on WHICH set of data?

Function Security: Search for Items, Update/Edit Items

The Role: e.g. Chief Product Manager, Product Data Steward

Data Security: Ability to access only the items/data that the user or role has been granted


Key Concepts - Roles

“Who” can do WHAT on WHICH set of data?

• Job Roles – Enterprise Roles

– Roles associated with the Job of an employee

– Very close to job titles

– Provisioned to a user on request

– Example: Product Manager, Warehouse Manager, Order Manager

• Abstract Roles

– Roles that come with the job

– Normally assigned by the system (based on user attributes) but can be provisioned to a user on request

– Example: Employee, Manager


Key Concepts - Function Security

Who can do “WHAT” on WHICH set of data?

• Functions represent basic entry points / operations / secured resources that do not have any data context

• Examples: “Page X”, “Region Y”, “Button Z”

Function Security controls access to tasks


Key Concepts – Function Security

Privileges

– Individual permissions to access pages, reports, actions, etc

– Also referred to as Entitlements

– Examples: Monitor Item Work Area, Create Item


Key Concepts – Function Security

Duty Roles

– Duties are tasks to be done on a job

– Duty roles – Application Roles that give access to pages, reports, actions through function privileges

– Designed to be pluggable into new or existing job roles

– Provisioned through job or abstract roles; never assigned directly to a user

– Example: Andrew Kelly → Product Manager → Item Management Duty, Item Catalog Management Duty


Key Concepts – Function Security

Privilege - Role Association

Product Manager (Job Role) → Item Management Duty (Duty Role) → Manage Item (Privilege)


Key Concepts – Function Security

Role Inheritance

A duty role may inherit other duty roles from the same application or from another application.

Level 1 Role | Level 2 Role | Level 3 Role

• Product Data Steward {Product Management Application, Job}

• Item Supplier Management Duty {Product Management Application, Duty}

• Item Management Duty {Product Management Application, Duty}

• Party Information Inquiry Duty {CRM Application Duty}


Key Concepts - Data Security

Who can do WHAT on “WHICH” set of data?

• Business objects / documents hold sensitive data; the data needs to be secured

Example: Items

Role (Who) | Auxiliary Verb | Operation (Can Do What) | Object Attribute | Data Access (on which set of data)

Worker (Duty) | Can | Manage | Item Purchasing Attributes | For the items they have access to in item and inventory organizations

Product Manager (Job) | Can | Manage | Item Costing Attributes | For the items they have access to in item and inventory organizations


Key Concepts - Data Security

– Explicit (Indirect) using Data Roles

• Example: “Warehouse Manager – (D2) Seattle Distribution Center” provides Warehouse Manager access to logistics data in Inventory Organization D2

• Explicitly provisioned to users

• Data roles are not predefined. Data roles can only be defined by customers, as they are data dependent.

• Data role templates provide predefined structures for defining data roles.

– Implicit (Direct) using product specific access

• Data security is determined via product specific logic, and not by explicit provision of data roles

• Example: Product Managers can edit items belonging to specific item classes in specific organizations.


Key Concepts : Item Data Grants

User | Job Role | Duty Roles | Item Class | Item Data Grants

John Smith | Product Data Steward | Worker, Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic

User/Role | Item Class | Item Data Grants

Andrew Kelly | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic

Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic

Item data grants can be managed at the item class or item level. Item data grants are given to external or application roles or to specific users.
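The role inheritance and item data grant checks described in the slides above, as an added example that is not Oracle's code or API. Role, privilege and grant names come from the slides; the exact parent/child arrangement of the roles and the function names are assumptions.

```python
# Added illustration: function security (role -> duty -> privilege) combined
# with data security (item data grants per item class). Not Oracle code.
DUTY, JOB, ABSTRACT = "duty", "job", "abstract"
ROLE_TYPE = {
    "Product Manager": JOB, "Product Data Steward": JOB,
    "Employee": ABSTRACT, "Manager": ABSTRACT,
    "Item Management Duty": DUTY, "Item Catalog Management Duty": DUTY,
    "Item Supplier Management Duty": DUTY, "Item Batch Management Duty": DUTY,
    "Party Information Inquiry Duty": DUTY,
}
# Assumed hierarchy: which roles each role inherits.
INHERITS = {
    "Product Manager": ["Item Management Duty", "Item Catalog Management Duty"],
    "Product Data Steward": ["Item Supplier Management Duty",
                             "Item Batch Management Duty"],
    "Item Supplier Management Duty": ["Item Management Duty",
                                      "Party Information Inquiry Duty"],
}
PRIVILEGES = {"Item Management Duty": {"Manage Item"}}
TABLET_GRANTS = {"Create Item Class Item", "View Item Basic", "Maintain Item Basic"}
# Grants are keyed by (user or role, item class), as in the second table.
DATA_GRANTS = {("Andrew Kelly", "TABLETS"): TABLET_GRANTS,
               ("Item Batch Management Duty", "TABLETS"): TABLET_GRANTS}
user_roles = {}

def provision(user, role):
    """Assign a job or abstract role; duty roles are refused."""
    if ROLE_TYPE[role] == DUTY:
        raise ValueError(f"{role}: duty roles are never assigned directly to a user")
    user_roles.setdefault(user, set()).add(role)

def effective_roles(user):
    """Transitive closure over INHERITS; the seen set guards against cycles."""
    seen, stack = set(), list(user_roles.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, ()))
    return seen

def can(user, privilege, data_grant, item_class):
    """WHO can do WHAT on WHICH data: both checks must pass."""
    roles = effective_roles(user)
    has_function = any(privilege in PRIVILEGES.get(r, ()) for r in roles)
    has_data = any(data_grant in DATA_GRANTS.get((g, item_class), ())
                   for g in roles | {user})
    return has_function and has_data

for u, r in [("Andrew Kelly", "Product Manager"), ("Andrew Kelly", "Employee"),
             ("Andrew Kelly", "Manager"), ("John Smith", "Product Data Steward")]:
    provision(u, r)
```

Andrew Kelly passes the data check through a grant made to him as a user, while John Smith passes it through a grant made to a duty role he inherits.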


Product Management Roles - Tasks

CONFIDENTIAL: All capabilities and dates are for planning purposes only and may not be used in any contract

Product / Job Role

Product: Product Model (EGP)

Job Role: Product Manager

Tasks Available in ‘Item’ Work Area

Items: Create Item, Manage Items, Create Item Structure, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers

Catalogs: Manage Catalogs


Product Management Roles - Tasks


Product / Job Role

Product: Product and Catalog Management (EGO)

Job Role: Product Manager

Tasks Available in ‘Item’ Work Area

Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers

New Item Requests: Create New Item Request, Manage New Item Requests

Change Orders: Create Change Order, Manage Change Orders

Catalogs: Manage Catalogs


Product Management Roles - Tasks

Product / Job Role

Product: Product Hub (EGI)

Job Role: Product Data Steward

Tasks Available in ‘Item’ Work Area

Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers

New Item Requests: Create New Item Request, Manage New Item Requests

Change Orders: Create Change Order, Manage Change Orders

Catalogs: Manage Catalogs

Item Batches: Create Item Batch, Manage Item Batches, Manage Source Systems

Setup and Maintenance

FSM: + Product Management Native Setup Tasks


Glossary

Fusion | E-Business Suite

Job Role | Top Level Menu Responsibility

Abstract Role | Top Level Menu Responsibility

Data Role | Responsibility

Duty Role | Sub Menu

Privilege | Form Function

Permission | Executable


Managing Security

• Oracle Identity Manager (OIM)

– Manage Users

• Employees are created via Human Capital Management (HCM)

– Manage Enterprise Roles – Job Roles and Data Roles

– Assign Enterprise Roles to Users

• Authorization Policy Manager (APM)

– View Users

– View Enterprise Roles Hierarchy

– Manage Application Roles (Duty Roles), Data Security Policies

– Manage Application Role Hierarchy

– Manage and run Data Role Templates


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
