4 Overview of Security
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Objectives

After completing this lesson, you should be able to:
• Understand the Cloud security methodology.
• Plan your use of the security implementation.
• Identify the components of data security.
• Discuss how roles can be assigned automatically or manually.
• Explore the new Security Console to customize roles and users.
• Review the audit reports and resources.
Oracle Financials Cloud: Enterprise Structures with General Ledger Implementation 4 - 2
Oracle Financial Cloud Security Methodology

The Cloud security methodology can be summarized with the simple statement: “WHO can do WHAT on WHICH set of data.”
• Who: The user.
• What: Individual actions a user can perform.
• Which: The set of data.

Who                          What                       Which Data
General Accountant           Enter and post journals    UK Ledger
Employees                    View payslip               Employee’s own payslip only
General Accounting Manager   Create and run reports     UK Ledger
• Who: The user who performs functions in your company, such as an Accounts Payable supervisor.
• What: Individual actions a user can perform, such as the ability to approve a payables invoice.
• Which: The set of data that the user can perform the action on, such as payables invoices within your assigned business units.
Security Reference Implementation

Oracle Financials Cloud comes with a predefined security reference implementation which consists of:
• A baseline set of predefined security definitions.
  – Job roles that closely match real-life jobs.
  – Duty roles.
• A set of security components which are:
  – Delivered with the offering or service.
  – Used to meet the business needs of most enterprises.
The security reference implementation covers all functions and actions that need to be secured. The security definitions were based on industry standards. Unless you have customized existing functions or added new functions, you shouldn’t have to create any new job or duty roles. The implementation includes:
• Complete set of job roles.
• Duty roles and role hierarchy for each job role.
• Privileges granted to each duty role.
• Data security policies for each job role.
• Policies that protect personally identifiable information.
• Policies enforced across tools and access methods.
• Policies related to segregation of duties that are reflected in the design of duties for the job role.
• Segregation of duties conflicts.
Points to Consider When Implementing the First Project
• Define at least one implementation user using the Create Implementation Users task at the beginning of the project.
• After implementing the first project, consider:
  – Data Access Sets: Define read and write access to entire GL ledgers and balancing segment (company) values of ledgers.
  – Segment Value Security: Controls access to individual segment values in your chart of accounts, such as no access to Company 01, Dept. 100, or the Salaries account.

[Figure: chart of accounts segments Co, CC, Acct, I/C]
The first implementation user is for creating only the initial enterprise structure and is not a real person in HCM. After the initial enterprise structure is complete, you can create additional users in HCM using the Manage Users or Import Worker Users tasks. Your users require that a business unit, legal entity, and other setup be added after the initial implementation. Planning is essential:
• Analyze the access requirements specific to your organization, understanding who needs access to what.
• Compare the requirements with the predefined roles in the security reference implementation, and decide which predefined roles meet your requirements and can be used as-shipped, and which will require customizations to meet your requirements.
• Certain product areas, such as Accounts Payable and General Ledger, include multiple roles in the reference implementation. To compare the access granted to each role, you can use the Compare Roles feature in the Security Console.
Other considerations:
• For customers upgraded to R11 (who still use data role templates), if you add or remove a BU or ledger, you must regenerate the roles from that data role template.
• Consider having different users define roles and provision roles, so that no single person can both design a role and grant it to users (a segregation-of-duties control over security administration itself).
For On-Premises Implementations Only

The Oracle Fusion Applications super user FAADMIN, by default, has all necessary access rights for implementing Oracle Fusion HCM and administering security. This access is provided by the following job roles:
• Application Implementation Consultant
• IT Security Manager
However, neither of these roles provides the required access for creating and managing Oracle Fusion Applications users; therefore, the OIM system administrator must add the following two OIM roles to the IT Security Manager job role:
• Identity User Administrator, which carries user management entitlement.
• Role Administrator, which carries role management entitlement.
Note: Assign the Xellerate Users organization to the IT Security Manager.
Function and Data Security

Oracle Financials Cloud uses role-based access control (RBAC).
• Your application is secure as delivered.
• You give function and data access through roles that you assign to users.
• Function security allows you to access:
  – A page or a specific object.
  – Functionality within a page, including services, screens, and task flows.
• Data security consists of privileges conditionally granted as:
  – Data security policies carried by roles.
  – Human Capital Management (HCM) security profiles.
For example, a job role can enable users to work with journals. A data role that inherits the job role can provide access to the journal data within a ledger. The data role General Accounting Manager – US inherits functionality from the General Accounting Manager job role, and it enables users to perform general ledger duties in the US ledger. A user who holds only the job role has the function security to open the journal pages but no ledger data to act on; both the function and the data grant are needed.
Types of Roles

The security model uses three role types. Job and abstract roles are enterprise roles, also called external roles, and can be assigned to users; duty roles cannot.
• Job roles: Represent jobs that users perform in an organization, such as Accounts Payable Manager.
• Abstract roles: Represent people in the organization independent of the jobs they perform, such as employee or line manager.
• Duty roles: Logical collections of privileges that grant access to tasks that someone performs as part of a job, such as processing payables invoices or posting journals.
Assign these roles directly to users:
• Job roles: You can also create custom job roles.
• Abstract roles: All users are likely to have at least one abstract role that provides access to a set of standard functions, such as expense reporting or procurement. You can also create custom abstract roles.
Assign these roles to job and abstract roles, not directly to users:
• Duty roles: You can also create custom duty roles.
Role Inheritance
Role inheritance is a key concept in the security model. The figure illustrates the hierarchy of job and duty role inheritance, which are used as the building blocks in Oracle Cloud Security.
• Almost every role is a hierarchy or collection of other roles.
  – Job and abstract roles inherit duty roles.
  – Duty roles can inherit other duty roles.
• You can also assign privileges directly to job, abstract, and duty roles.
• When you assign job and abstract roles to users, they inherit all of the data and function security associated with those roles, transitively through every level of the hierarchy.
Oracle Fusion Inheritance Model
Roles are the building blocks of security.
• You can start at the bottom with duty roles, which you can combine with other duty roles. For example, you can combine a journal entry duty role with a journal reporting duty role.
• The job and abstract roles inherit duty roles. For example, the General Accountant job role can have one or more duty roles.
• The data roles inherit the job role and give the user access to specific data such as ledgers, asset books, or business units.
Security Example with Data Role Added
The diagram now shows a data role added to restrict Anita Kennedy, who holds the General Accountant job role, to the UK set of data in the UK Ledger.
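The following is an added example, not code from the course or from Oracle: a small model of the "WHO can do WHAT on WHICH set of data" check using the role and ledger names from the slides. It resolves a job role's effective privileges through the duty role hierarchy, then denies unless the same provisioned role also carries a data scope for the ledger. The duty role names, privilege names, and the users' data access sets are assumptions made for the illustration.

```python
# Added example (not from the Oracle course or Oracle's code): a small model of
# "WHO can do WHAT on WHICH set of data", using the role and ledger names from the
# slides. The duty role names, privilege names and user data access sets are
# assumptions made for this illustration.

# Role hierarchy: job roles inherit duty roles, duty roles may inherit other duty
# roles, and any role may also carry privileges directly. (constructed data)
ROLES = {
    # Job roles: external roles that can be provisioned to users.
    "General Accountant": {
        "inherits": {"Journal Entry Duty"},
        "privileges": set(),
    },
    "General Accounting Manager": {
        "inherits": {"Journal Entry Duty", "Journal Reporting Duty"},
        "privileges": {"Approve Journal"},
    },
    # Duty roles: internal collections of privileges, never assigned to users.
    "Journal Entry Duty": {
        "inherits": {"Journal Inquiry Duty"},
        "privileges": {"Enter Journal", "Post Journal"},
    },
    "Journal Reporting Duty": {
        "inherits": {"Journal Inquiry Duty"},
        "privileges": {"Create Report", "Run Report"},
    },
    "Journal Inquiry Duty": {"inherits": set(), "privileges": {"View Journal"}},
}
DUTY_ROLES = {"Journal Entry Duty", "Journal Reporting Duty", "Journal Inquiry Duty"}


def effective_privileges(role, _seen=None):
    """Flatten the inheritance graph: the role's own privileges plus everything
    granted, transitively, by the roles it inherits. Unknown roles grant nothing;
    the visited set makes an accidental inheritance cycle harmless."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    privs = set(ROLES[role]["privileges"])
    for parent in ROLES[role]["inherits"]:
        privs |= effective_privileges(parent, seen)
    return privs


def assignable_to_users(role):
    """Only job and abstract (external) roles may be provisioned to a user."""
    return role in ROLES and role not in DUTY_ROLES


# Users with their provisioned job roles and, per role, the data scope that the
# data role (or the R11 Manage Data Access for Users assignment) grants.
USERS = {
    "Anita Kennedy": {
        "roles": {"General Accountant"},
        "data_access": {"General Accountant": {"ledger": {"UK Ledger"}}},
    },
    "Bob Marsh": {
        "roles": {"General Accounting Manager"},
        "data_access": {"General Accounting Manager": {"ledger": {"US Ledger"}}},
    },
    # Provisioned a job role but never given a data scope for it.
    "Carol Ng": {"roles": {"General Accountant"}, "data_access": {}},
}


def can(user, privilege, ledger):
    """WHO (user) can do WHAT (privilege) on WHICH data (ledger).
    Deny by default: the privilege must come from a provisioned external role,
    and that same role must carry a data scope that covers the ledger. Function
    security without the matching data security policy yields no access."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for role in rec["roles"]:
        if not assignable_to_users(role):
            continue  # a duty role in a user record is a provisioning error
        if privilege not in effective_privileges(role):
            continue
        ledgers = rec["data_access"].get(role, {}).get("ledger", set())
        if ledger in ledgers:
            return True
    return False


def provision(user, role, ledgers=()):
    """Provision a job role and, optionally, the ledgers it may act on.
    Refuses duty roles, which are inherited by job roles rather than assigned."""
    if not assignable_to_users(role):
        raise ValueError(f"{role!r} is not an external role and cannot be assigned")
    rec = USERS.setdefault(user, {"roles": set(), "data_access": {}})
    rec["roles"].add(role)
    if ledgers:
        rec["data_access"].setdefault(role, {}).setdefault("ledger", set()).update(ledgers)
    return rec
```

Carol Ng is the case worth noticing: she holds the same job role as Anita, but `can("Carol Ng", "View Journal", "UK Ledger")` is false until a data scope is provisioned for that role, which is exactly what the Manage Data Access for Users task described later in this lesson adds.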
New Data Security for R11 (NEW)

Applicable to new customers only.
• Does not use data role templates.
• Assigns users directly to the job roles and to the appropriate data sets.
• Uses the new Manage Data Access for Users page.
Existing customers upgrading from previous releases:
• Continue to utilize the old data role based model for their data security implementation.
• Assign specific data sets, such as business units, ledgers, warehouses, and so on.
• Use data roles that were automatically generated by data role templates.
To access the Manage Data Access for Users page, navigate to Setup and Maintenance > Manage Data Access for Users task.
Assigning Data Scopes to Users (New Customers Only)

Use the Manage Data Access for Users task to assign users to data scopes.
• Assign data scopes to users by provisioned role.
• Use the import capability to create a large number of assignments.
You use the Manage Data Access for Users task to assign users to data scopes, such as business units, ledgers, and asset books. You can access this task from the Setup and Maintenance work area. You assign data scopes to users by role, and you can only assign data scopes to roles a user has already been provisioned. You can also import assignments from a spreadsheet. By clicking the Authorize Data Access button on the Manage Data Access page, you can download a spreadsheet which you can use to import the data assignments. You can prepare the data from another source, such as your legacy system, populate the spreadsheet, and then import it. Because a single import can grant data access to many users at once, review the populated spreadsheet against your access requirements before importing it.
Oracle Identity Manager

Operates in three modes:
• Self-Service: You can manage your own roles and privileges.
• Delegated Administration: You manage the roles and privileges of other users.
• Advanced Administration: You can manage password policies and perform other system administrative functions.
• Oracle Identity Manager (OIM) access is granted to the predefined IT Security Manager role.
• Use Administration Mode in OIM to create users and provision roles.
• OIM opens by default to the self-service view.
  – The title displays whether you are in Administration mode or Self-Service mode.
  – To switch from Self-Service Mode to Administration Mode, click the button in the upper right hand corner.
Creating Users
• If you are not implementing Human Capital Management (HCM), use the Manage Users task to create users. The Manage Users task creates a minimal person record and a user account.
• If you are implementing HCM, use the Hire an Employee task to create users instead. The Hire an Employee task creates the full person record as well as the user account.
• Use the Create Implementation Users task to create implementation users without associating a person record.
• Use a spreadsheet to import users from legacy applications to Oracle Financials Cloud using the Import Worker Users task.
Access the tasks above:
• Create Users: Navigate to Setup and Maintenance > Manage Users > Create icon, or Navigator > My Team > Manage Users > Create icon.
• Hire an Employee: Navigator > My Workforce > New Person > Tasks panel > Hire an Employee. This task creates the full person record needed by HCM, such as job assignment, job code, department, manager, etc., as well as the user account itself.
• Create Implementation Users: Navigate to Setup and Maintenance > Create Implementation Users > Administration tab > Create User icon.
• Import Worker Users: Navigate to Setup and Maintenance > Import Worker Users > Create Worker > Create Spreadsheet icon, or Navigator > My Workforce > Data Exchange > Tasks panel > Initiate Spreadsheet Load > Create Worker > Create Spreadsheet icon.
Note: The import process handles both user account creation and auto-provisioning of roles.
Role Provisioning Tasks

Roles can be provisioned (assigned) to users:
• Manually provision roles to users using Oracle Identity Manager.
• Automatically provision a role to users by defining a relationship, called a role mapping, between the role and some conditions.
To manually provision roles, use the Create Implementation Users task from Setup and Maintenance to access Oracle Identity Manager. Make sure you switch to Administration mode to assign roles to users.
• To assign a role to a specific user:
  – Use the search box to search for the desired user.
  – Open the user and go to the Roles tab.
  – Click the Assign button to assign new roles to the user.
• To assign the same role to multiple users:
  – Search for the role.
  – Go to the Members tab.
  – Click the Assign button to assign multiple users to the same role.
Roles are automatically provisioned when one of the user's assignments matches all of the role-mapping conditions and the auto-provision option is selected.
Using Role Mappings

Create and manage role mapping rules.
• Use the Manage Role Provisioning Rules task to create and manage role mapping rules.
• If HCM is implemented, use the Manage HCM Role Provisioning Rules task instead.
Set a role attached to a role mapping to:
• Requestable: Qualifying users can provision the role manually to other users.
• Self-requestable: Users can request the role for themselves.
• Auto-provision: The system automatically assigns the role to users when they meet all the conditions in the role mapping. This provisions the role to all matching users who do not already have it assigned.
Role mappings allow you to automatically assign roles to users if they match the conditions specified in the role mappings. As users transfer departments or change jobs, the role mappings can automatically assign the correct roles to the users. Each role mapping rule is based on a set of attributes that can be matched to a user’s assignment, such as Department, Job, and Location. For example, you may define a rule that limits role mapping to current employees of the Finance Department whose Job is Accounting Manager. Roles capture the nature of work intended to be performed by the user.
• A range of security roles is granted to the new user. This enables users to access the application flows that are crucial for performing their tasks.
• When the list of assigned security roles is populated, you can remove or add roles as needed.
Note: Auto-provision also deprovisions roles immediately from users who are no longer eligible for roles that they currently have.
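The following is an added example, not code from the course or from Oracle, showing how role-mapping conditions are evaluated against a user's assignments and what auto-provision adds and removes as those assignments change (hire, promotion, transfer out of Finance, termination). The mapping names, attribute names, role names, and assignment records are assumptions; the rule that manually provisioned roles survive reconciliation is this example's own policy, not a statement about the product.

```python
# Added example (not from the Oracle course or Oracle's code): how role-mapping
# conditions are evaluated against a user's assignments, and what auto-provision
# adds and removes as those assignments change. The mapping names, attribute
# names, role names and assignment records are assumptions; real rules are
# defined in the Manage Role Provisioning Rules task.

from dataclasses import dataclass


@dataclass
class RoleMapping:
    name: str
    role: str
    conditions: dict               # assignment attribute -> required value
    autoprovision: bool = False    # assign automatically when conditions match
    requestable: bool = False      # qualifying users may give it to others
    self_requestable: bool = False # users may request it for themselves

    def matches(self, assignment):
        """A mapping matches when ALL of its conditions hold on ONE assignment."""
        return all(assignment.get(k) == v for k, v in self.conditions.items())


MAPPINGS = [
    RoleMapping("Finance managers", "General Accounting Manager",
                {"department": "Finance", "job": "Accounting Manager",
                 "status": "Active"}, autoprovision=True),
    RoleMapping("Finance staff", "General Accountant",
                {"department": "Finance", "status": "Active"}, autoprovision=True),
    RoleMapping("All active workers", "Employee",
                {"status": "Active"}, autoprovision=True),
    # Not auto-provisioned: a Finance user may request it, and reconciliation
    # never removes it because no auto-provision mapping governs it.
    RoleMapping("Expense approver", "Expense Approver",
                {"department": "Finance"}, self_requestable=True),
]


def eligible_roles(assignments, mappings=MAPPINGS):
    """Roles whose auto-provision mapping is satisfied by at least one of the
    user's assignments (a user may hold several)."""
    return {m.role for m in mappings
            if m.autoprovision and any(m.matches(a) for a in assignments)}


def reconcile(current_roles, assignments, manual_roles=frozenset(), mappings=MAPPINGS):
    """Return (roles to add, roles to remove, resulting role set).

    Newly eligible roles are added. Auto-managed roles that are no longer
    eligible are removed immediately, which is the deprovisioning the slides
    note. Roles recorded as manually provisioned are left alone (this example's
    policy, so reconciliation never silently strips an explicit grant), and
    roles that no auto-provision mapping governs are never touched."""
    current_roles = set(current_roles)
    auto_managed = {m.role for m in mappings if m.autoprovision}
    wanted = eligible_roles(assignments, mappings)
    add = wanted - current_roles
    remove = (current_roles & auto_managed) - wanted - set(manual_roles)
    return add, remove, (current_roles | add) - remove


def lifecycle_demo():
    """Hire, promote, transfer out of Finance, then terminate. Returns the role
    set after each step so the effect of each assignment change is visible."""
    hired = [{"department": "Finance", "job": "Accountant", "status": "Active"}]
    promoted = [{"department": "Finance", "job": "Accounting Manager", "status": "Active"}]
    transferred = [{"department": "Sales", "job": "Accounting Manager", "status": "Active"}]
    terminated = [{"department": "Sales", "job": "Accounting Manager", "status": "Inactive"}]
    history, roles = [], set()
    for assignments in (hired, promoted, transferred, terminated):
        _, _, roles = reconcile(roles, assignments)
        history.append(frozenset(roles))
    return history
```

The transfer step is the one to watch: moving the user to Sales strips both General Ledger roles in the same reconciliation that would have granted them, so a role mapping is also the control that prevents privilege accumulation across job changes. Termination removes the Employee abstract role as well, leaving nothing auto-provisioned on the account.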
Practice 4-1 to 4-3 Overview: Using User Security

This practice covers the following topics:
• Practice 4-1: Defining role mapping.
• Practice 4-2: Creating a user.
• Practice 4-3: Creating an employee.
Customizing Roles

If jobs exist in your enterprise that aren't represented in the security reference implementation:
• Create custom job roles by copying existing roles.
• Add duty roles and privileges to custom job roles.
If the privileges for a predefined job role don't match the corresponding job in your enterprise:
• Create custom job roles by copying existing roles.
• Add or remove duty roles, function security privileges, and data security policies.
Best Practices for Customizing Roles
• Do not customize predefined roles. These predefined roles begin with the ORA_ prefix in the Role Code field. During each upgrade, the upgrade process updates the predefined roles to the specifications for that release, so any customizations are overwritten.
• Always make a copy of the predefined role. Then, edit the copy and save it as a custom role.
• Compare the copy of the predefined role with the new customized role and roll back to the delivered role, if necessary.
• After a maintenance update or upgrade, compare your customized copy to the updated predefined source role. You can see the updates to the predefined role and decide whether to incorporate those changes into your custom role. Pay particular attention to privileges the upgrade removed from the source role but that your copy still carries, since those are not removed from the copy automatically.
The Security Console
• Use to customize security.
• Create and edit custom roles, but not predefined roles.
• Can be accessed via the Navigator menu, under Tools.
• Access granted through the IT Security Manager role.
Before you start using the Security Console, set two profile options that govern the behavior of the Security Console in the Manage Administrator Profile Values task.
• Security Console Working App Stripe: Controls the App Stripe the user works on. Set this profile option to fscm, either at the site level, or for specific users with Security Console access.
• Enable Data Security Policies and User Membership Edits: Sets the preference to enable data security policies and user membership editing in the Security Console. Set this profile option to Yes to enable both, at the site level, or for specific users. Setting it for specific users rather than at the site level limits who can change data security policies and role membership.
The Security Console: Copy Feature

Steps to use the Copy feature are:
• Copy a role.
• Modify the default role name, code, and description.
• Review, add, or remove function security privileges.
• Review, edit, or remove data security policies.
• Review, add, or remove inherited roles.
• Assign users to the target role.
• Review the summary and impact.
• Submit and Close.
The Copy feature in the Security Console enables you to:
• Set up default names in the Preferences section of the Security Console.
• Review the code resources tied to each function security privilege.
Important:
• To add, edit, or remove data security policies, set the profile option Enable Data Security Policies and User Membership Edits to Yes, either at the site level or for the current user.
• To assign users to the new role, set the profile option Enable Data Security Policies and User Membership Edits to Yes, either at the site level or for the current user.
Note: Assigning users is only available for external roles, as you can only assign external roles to users.
The Security Console: Compare Roles Feature
• Use to compare the function and data security policies granted between two roles.
• Launch Compare Roles directly by clicking the button or by choosing the Compare Roles option in the Search Results.
View:
• All comparison results.
• Artifacts that only exist in either the first or the second role.
• Artifacts that exist in both roles.
Choose to view only comparison results for:
• Function security policies.
• Data security policies.
• Inherited roles, or combinations.
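The following is an added example, not code from the course or from Oracle. It reproduces the shape of the Compare Roles output described above (artifacts only in the first role, only in the second, or in both, per artifact type) and applies it to the after-upgrade check recommended under Best Practices for Customizing Roles: diffing a custom copy against the delivered ORA_ source role before and after an upgrade. The role codes, privilege codes, policy names, and duty names are assumptions; only the ORA_ prefix convention for predefined roles comes from the slides.

```python
# Added example (not from the Oracle course or Oracle's code): the comparison the
# Security Console Compare Roles feature reports (artifacts only in the first
# role, only in the second, or in both, per artifact type), applied to the
# after-upgrade check recommended under Best Practices for Customizing Roles.
# The role codes, privilege codes, policy and duty names are assumptions; only
# the ORA_ prefix convention for predefined roles comes from the slides.

ARTIFACT_TYPES = ("function_privileges", "data_policies", "inherited_roles")

# Constructed catalog: the delivered role before and after an upgrade, and the
# customer's copy that was made (and extended) before the upgrade.
ROLE_CATALOG = {
    "ORA_GL_GENERAL_ACCOUNTANT_JOB@before": {
        "function_privileges": {"GL_ENTER_JOURNAL", "GL_POST_JOURNAL",
                                "GL_VIEW_JOURNAL", "GL_REVERSE_JOURNAL"},
        "data_policies": {"Manage Journal by Data Access Set",
                          "View Ledger by Data Access Set"},
        "inherited_roles": {"ORA_GL_JOURNAL_ENTRY_DUTY"},
    },
    "ORA_GL_GENERAL_ACCOUNTANT_JOB@after": {
        "function_privileges": {"GL_ENTER_JOURNAL", "GL_POST_JOURNAL",
                                "GL_VIEW_JOURNAL", "GL_IMPORT_JOURNAL"},
        "data_policies": {"Manage Journal by Data Access Set",
                          "View Ledger by Data Access Set"},
        "inherited_roles": {"ORA_GL_JOURNAL_ENTRY_DUTY",
                            "ORA_GL_JOURNAL_INQUIRY_DUTY"},
    },
    "XX_GL_GENERAL_ACCOUNTANT_CUSTOM": {
        "function_privileges": {"GL_ENTER_JOURNAL", "GL_POST_JOURNAL",
                                "GL_VIEW_JOURNAL", "GL_REVERSE_JOURNAL",
                                "GL_APPROVE_JOURNAL"},  # added by the customer
        "data_policies": {"Manage Journal by Data Access Set",
                          "View Ledger by Data Access Set"},
        "inherited_roles": {"ORA_GL_JOURNAL_ENTRY_DUTY"},
    },
}


def is_predefined(role_code):
    """Predefined roles carry the ORA_ prefix and are overwritten on upgrade."""
    return role_code.split("@")[0].startswith("ORA_")


def compare_roles(first, second, catalog=ROLE_CATALOG):
    """Per artifact type: artifacts only in the first role, only in the second,
    and in both, in the shape the Compare Roles view presents."""
    result = {}
    for kind in ARTIFACT_TYPES:
        a = set(catalog[first].get(kind, ()))
        b = set(catalog[second].get(kind, ()))
        result[kind] = {"only_in_first": a - b, "only_in_second": b - a, "in_both": a & b}
    return result


def upgrade_review(custom, source_before, source_after, catalog=ROLE_CATALOG):
    """After an upgrade, diff the delivered source role against its own previous
    version and against the custom copy. Two lists matter:
      to_adopt : artifacts the upgrade added to the source that the copy lacks
      to_retire: artifacts the upgrade removed from the source that the copy
                 still carries (stale, possibly now over-privileged)
    Artifacts the customer added themselves are reported separately so they are
    not mistaken for upgrade drift."""
    if is_predefined(custom):
        raise ValueError("refusing to treat a predefined ORA_ role as a custom copy")
    review = {}
    for kind in ARTIFACT_TYPES:
        before = set(catalog[source_before].get(kind, ()))
        after = set(catalog[source_after].get(kind, ()))
        mine = set(catalog[custom].get(kind, ()))
        review[kind] = {
            "to_adopt": (after - before) - mine,
            "to_retire": (before - after) & mine,
            "customer_added": mine - before - after,
        }
    return review
```

In the constructed data the upgrade added GL_IMPORT_JOURNAL and a journal inquiry duty to the source role and dropped GL_REVERSE_JOURNAL; a plain two-way comparison of the copy against the new source shows all three as differences, but only the three-way review separates what to adopt, what to retire, and what the customer deliberately added.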
Additional Features

Use the following icons on the left hand side of the page:
• Roles: Copy, create, and compare roles.
• Analytics: Examine data on roles.
• Certificates: Review certificates.
• Administration: Save preferences.
Practice 4-4 Overview: Using the Security Console

This practice covers the following topics:
• Copying a role.
• Comparing a role.
Auditing Security

The following audit reports are available:
• User Role Membership Report: List of users and provisioned roles.
• User and Role Access Audit Report: List of users and provisioned function and data accesses.
• Inactive Users Report: List of inactive users.
User Role Membership Report: You can run the report for all users, or you can optionally filter the list of users by name, department, and location.
User and Role Access Audit Report: The report can be run for one user, all users, one role, or all roles.
• One User / All Users
  – Separate report outputs show the role hierarchy with privileges, a tabular listing of privileges, and the list of data security policies provisioned to the user.
  – The All Users option results in one set of reports for each user.
• One Role / All Roles
  – Separate report outputs show the role hierarchy with privileges, a tabular listing of privileges, and the list of data security policies for a given role.
  – The All Roles option results in one set of reports for each role.
Inactive Users Report: Use this report to identify users who have not signed in for a period of time that you define.
• Run the Import User Login History process as a prerequisite.
• Provide the inactivity period, in days, as a report parameter. The default is 30.
• Optionally filter the list of users by name, department, location, and last activity date.
• Shows all inactive users that match the criteria and the following data:
  – Number of days that the user has been inactive
  – User’s username
  – Given name
  – Surname
  – Location and department
  – User’s status
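The following is an added example, not code from the course or from Oracle: the selection logic behind the Inactive Users Report, run over a constructed login-history extract, with the report's inactivity-days parameter, its optional filters, and its output columns. The column names, the sample rows, the fixed "as of" date, and the handling of accounts that have never signed in are assumptions; the real report reads the history loaded by the Import User Login History process.

```python
# Added example (not from the Oracle course or Oracle's code): the selection
# logic behind the Inactive Users Report, run over a constructed login-history
# extract. The column names, the sample rows, the fixed AS_OF date and the
# handling of never-signed-in accounts are assumptions; the real report reads
# the history loaded by Import User Login History.

from datetime import date

AS_OF = date(2016, 3, 31)  # constructed "today" so the sample is reproducible

# Constructed sample: one row per user account, last_login as an ISO date or
# None when the account has never signed in.
LOGIN_HISTORY = [
    {"username": "akennedy", "given_name": "Anita", "surname": "Kennedy",
     "department": "Finance", "location": "London", "status": "Active",
     "last_login": "2016-03-01"},
    {"username": "bmarsh", "given_name": "Bob", "surname": "Marsh",
     "department": "Finance", "location": "New York", "status": "Active",
     "last_login": "2016-03-28"},
    {"username": "cdoe", "given_name": "Chris", "surname": "Doe",
     "department": "IT", "location": "London", "status": "Active",
     "last_login": None},
    {"username": "dlee", "given_name": "Dana", "surname": "Lee",
     "department": "Sales", "location": "Sydney", "status": "Inactive",
     "last_login": "2016-01-15"},
    {"username": "eroy", "given_name": "Eli", "surname": "Roy",
     "department": "Finance", "location": "London", "status": "Active",
     "last_login": "2016-02-20"},
]


def days_inactive(last_login, as_of):
    """Whole days since the last sign-in, or None if the user never signed in."""
    if last_login is None:
        return None
    return (as_of - date.fromisoformat(last_login)).days


def inactive_users(rows, inactivity_days=30, as_of=None,
                   name=None, department=None, location=None):
    """Users who have not signed in for at least `inactivity_days` (default 30,
    as in the report), with the report's columns, most stale first.

    Accounts that never signed in are always included and sorted to the top:
    an Active account that was provisioned but never used is the likeliest
    orphan. The optional filters mirror the report parameters."""
    as_of = as_of or date.today()
    out = []
    for r in rows:
        if department and r["department"] != department:
            continue
        if location and r["location"] != location:
            continue
        if name and name.lower() not in f'{r["given_name"]} {r["surname"]}'.lower():
            continue
        d = days_inactive(r["last_login"], as_of)
        if d is not None and d < inactivity_days:
            continue
        out.append({
            "days_inactive": d,
            "username": r["username"],
            "given_name": r["given_name"],
            "surname": r["surname"],
            "location": r["location"],
            "department": r["department"],
            "status": r["status"],
        })
    # never-signed-in (None) first, then descending days inactive
    out.sort(key=lambda u: (u["days_inactive"] is not None, -(u["days_inactive"] or 0)))
    return out


def active_but_unused(rows, inactivity_days=30, as_of=None):
    """The subset worth acting on: accounts still Active whose holders are not
    using them. Inactive-status accounts are expected to show no sign-ins."""
    return [u["username"] for u in inactive_users(rows, inactivity_days, as_of)
            if u["status"] == "Active"]
```

Note the boundary: with the default of 30 days, a user whose last sign-in was exactly 30 days ago is reported, and the status column is what distinguishes a terminated account (expected to be idle) from an active account nobody uses, which is the one to deprovision.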
Security Resources

To review the roles and other components that make up the security reference implementation for your application, you can:
• Access the security reference manuals (SRM).
  – Common
  – Service-specific
• Access the tasks available for managing roles, templates, and security policies.
Security reference manuals for this offering:
• Security Reference for Oracle Financials Cloud
• Securing Oracle ERP Cloud
• Security Reference for Common Features
Oracle Financial Security is applicable to the needs of midsized, horizontal enterprises generally between 250 and 10,000 employees. It can be changed or scaled to accommodate expansion into vertical industries such as health care, insurance, automobiles, or food manufacturing. For more resources on the Oracle Help Center, see:
• Oracle Financial Security Guides: http://docs.oracle.com/cloud/latest/financialscs_gs/docs.htm
• Oracle Fusion Middleware Security Guides: http://docs.oracle.com/middleware/1221/cross/securedocs.htm
Summary

In this lesson, you should have learned how to:
• Understand the Cloud security methodology.
• Plan your use of the security implementation.
• Identify the components of data security.
• Discuss how roles can be assigned automatically or manually.
• Explore the new Security Console to customize roles and users.
• Review the audit reports and resources.