fusion product hub training - oracledirect sales division : … · · 2015-06-05•abstract roles...
Copyright © 2014 Oracle and/or its affiliates. All rights reserved.
Fusion Product Hub Training: Fusion Product Hub Security
July 2014
Oracle Confidential – Internal/Restricted/Highly Restricted
Role Based Access Control
User: Andrew Kelly
Roles: Product Manager, Employee, Manager
Access is provided via Roles
Fusion Security Model
WHO can do WHAT on WHICH set of data?
Function Security: Search for Items, Update/Edit Items
The Role: e.g. Chief Product Manager, Product Data Steward
Data Security: Ability to access only the items/data the user or role has been granted
Key Concepts - Roles
“Who” can do WHAT on WHICH set of data?
• Job Roles – Enterprise Roles
– Roles associated with the Job of an employee
– Very close to job titles
– Provisioned to a user on request
– Example: Product Manager, Warehouse Manager, Order Manager
• Abstract Roles
– Roles that come with the job
– Normally assigned by the system (based on user attributes) but can be provisioned to a user on request
– Example: Employee, Manager
Key Concepts - Function Security
Who can do “WHAT” on WHICH set of data?
• Functions represent basic entry points / operations / secured resources that do not have any data context
• Examples: “Page X”, “Region Y”, “Button Z”
Function Security controls access to tasks
Key Concepts – Function Security: Privileges
– Individual permissions to access pages, reports, actions, etc.
– Also referred to as Entitlements
– Examples shown: Monitor Item Work Area, Create Item
Key Concepts – Function Security: Duty Roles
– Duties are tasks to be done on a job
– Duty roles – Application Roles that give access to pages, reports, actions through function privileges
– Designed to be pluggable into new or existing job roles
– Provisioned through job or abstract roles; never assigned directly to a user
Example (diagram): Item Management Duty, Item Catalog Management Duty → Product Manager → Andrew Kelly
Key Concepts – Function Security: Privilege - Role Association
Product Manager (Job Role) → Item Management Duty (Duty Role) → Manage Item (Privilege)
Key Concepts – Function Security: Role Inheritance
A duty role may inherit other duty roles from the same application or from another application
Level 1 Role | Level 2 Role | Level 3 Role
Product Data Steward {Product Management Application, Job}
Item Supplier Management Duty {Product Management Application, Duty}
Item Management Duty {Product Management Application, Duty}
Party Information Inquiry Duty {CRM Application Duty}
Key Concepts - Data Security
Who can do WHAT on “WHICH” set of data?
• Business objects / documents hold sensitive data; the data needs to be secured
Example: Items
Role (Who) | Auxiliary Verb | Operation (Can Do What) | Object Attribute | Data Access (on which set of data)
Worker (Duty) | Can | Manage | Item Purchasing Attributes | For the items they have access to in item and inventory organizations
Product Manager (Job) | Can | Manage | Item Costing Attributes | For the items they have access to in item and inventory organizations
Key Concepts - Data Security
– Explicit (Indirect) using Data Roles
• Example: “Warehouse Manager – (D2) Seattle Distribution Center” provides Warehouse Manager access to logistics data in Inventory Organization D2
• Explicitly provisioned to users
• Data roles are not predefined. Data roles can only be defined by customers, as they are data dependent.
• Data role templates provide predefined structures for defining data roles.
– Implicit (Direct) using product specific access
• Data security is determined via product specific logic, and not by explicit provision of data roles
• Example: Product Managers can edit items belonging to specific item classes in specific organizations.
Key Concepts: Item Data Grants
User | Job Role | Duty Roles | Item Class | Item Data Grants
John Smith | Product Data Steward | Worker, Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic
User/Role | Item Class | Item Data Grants
Andrew Kelly | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic
Item Batch Management Duty | TABLETS | Create Item Class Item, View Item Basic, Maintain Item Basic
Item data grants can be managed at the item class or item level. Item data grants are given to external or application roles or to specific users.
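The model on the preceding slides, as an added sketch (not Oracle code and not part of the original deck): it resolves a user's function privileges through the job/abstract/duty role tree, combines them with item data grants, and audits the rule that duty roles are never assigned directly to a user. Role, privilege and grant names are taken from the slides; the exact shape of the inheritance tree, the Product Data Steward to Item Batch Management Duty link, and the PHONES item class are assumptions made for the example.

```python
# Added illustration, not Oracle code. Role and grant names come from the
# slides; the tree shape and the PHONES item class are constructed.
JOB, ABSTRACT, DUTY = "job", "abstract", "duty"
GRANTS = {"Create Item Class Item", "View Item Basic", "Maintain Item Basic"}

# role -> (type, inherited roles, function privileges)
ROLES = {
    "Product Manager": (JOB, ["Item Management Duty"], []),
    "Product Data Steward": (JOB, ["Item Supplier Management Duty",
                                   "Item Batch Management Duty"], []),
    "Employee": (ABSTRACT, [], []),
    "Manager": (ABSTRACT, [], []),
    "Item Supplier Management Duty": (DUTY, ["Item Management Duty"], []),
    "Item Management Duty": (DUTY, ["Party Information Inquiry Duty"],
                             ["Manage Item"]),
    "Item Batch Management Duty": (DUTY, [], []),
    "Party Information Inquiry Duty": (DUTY, [], []),
}
USERS = {"Andrew Kelly": ["Product Manager", "Employee", "Manager"],
         "John Smith": ["Product Data Steward"]}
# (grantee, item class) -> data grants; a grantee is a user or a role
DATA_GRANTS = {("Andrew Kelly", "TABLETS"): GRANTS,
               ("Item Batch Management Duty", "TABLETS"): GRANTS}

def effective_roles(user):
    """Every role the user holds, following inheritance transitively."""
    seen, stack = set(), list(USERS[user])
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLES[role][1])
    return seen

def privileges(user):
    """Function security: privileges reached through the role tree."""
    return {p for r in effective_roles(user) for p in ROLES[r][2]}

def can(user, privilege, data_grant, item_class):
    """WHO can do WHAT on WHICH data: both layers must allow it."""
    grantees = effective_roles(user) | {user}
    has_data = any(data_grant in DATA_GRANTS.get((g, item_class), ())
                   for g in grantees)
    return privilege in privileges(user) and has_data

def direct_duty_assignments():
    """Audit: duty roles may only arrive via job or abstract roles."""
    return [(u, r) for u, rs in USERS.items()
            for r in rs if ROLES[r][0] == DUTY]
```

A non-empty result from direct_duty_assignments() flags users whose access bypasses the job-role layer and would not be revoked when their job role is removed.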
Product Management Roles - Tasks
CONFIDENTIAL: All capabilities and dates are for planning purposes only and may not be used in any contract
Product: Product Model (EGP); Job Role: Product Manager
Tasks Available in ‘Item’ Work Area
Items: Create Item, Manage Items, Create Item Structure, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
Catalogs: Manage Catalogs
Product Management Roles - Tasks
Product: Product and Catalog Management (EGO); Job Role: Product Manager
Tasks Available in ‘Item’ Work Area
Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
New Item Requests: Create New Item Request, Manage New Item Requests
Change Orders: Create Change Order, Manage Change Orders
Catalogs: Manage Catalogs
Product Management Roles - Tasks
Product: Product Hub (EGI); Job Role: Product Data Steward
Tasks Available in ‘Item’ Work Area
Items: Create Item, Manage Items, Create Item Structure, Create Pack, Manage Delete Groups, Manage Trading Partner Items, Manage Item Relationships, Manage Manufacturers
New Item Requests: Create New Item Request, Manage New Item Requests
Change Orders: Create Change Order, Manage Change Orders
Catalogs: Manage Catalogs
Item Batches: Create Item Batch, Manage Item Batches, Manage Source Systems
Setup and Maintenance
FSM: + Product Management Native Setup Tasks
Glossary
Fusion | E-Business Suite
Job Role | Top Level Menu Responsibility
Abstract Role | Top Level Menu Responsibility
Data Role | Responsibility
Duty Role | Sub Menu
Privilege | Form Function
Permission | Executable
Managing Security
• Oracle Identity Manager (OIM)
– Manage Users
  • Employees are created via Human Capital Management (HCM)
– Manage Enterprise Roles – Job Roles and Data Roles
– Assign Enterprise Roles to Users
• Authorization Policy Manager (APM)
– View Users
– View Enterprise Roles Hierarchy
– Manage Application Roles (Duty Roles), Data Security Policies
– Manage Application Role Hierarchy
– Manage and run Data Role Templates
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.