Oracle Financial Cloud Security Methodology
Cloud security methodology can be summarized with the simple statement: “WHO can do WHAT on WHICH set of data.”
- Who: The user who performs functions in your company, such as a General Accountant.
- What: Individual actions a user can perform, such as the ability to enter and post journals.
- Which: The set of data that the user can perform the action on, such as general ledger journals within your assigned ledger.
Security Reference Implementation
Oracle Financials Cloud comes with a predefined security reference implementation: a baseline set of predefined security definitions and security components that is delivered with the offering or service and is designed to meet the business needs of most enterprises.
The security reference implementation covers all functions and actions that need to be secured. The security definitions are based on industry standards. Unless you have customized existing functions or added new functions, you shouldn’t have to create any new job or duty roles. The implementation includes:
> Complete set of job roles.
> Duty roles and role hierarchy for each job role.
> Privileges granted to job and duty roles.
> Data security policies for each job role.
> Policies that protect personally identifiable information.
> Policies enforced across tools and access methods.
> Segregation of duties policies respected in the design of duties for the job role.
> Segregation of duties conflicts.
The First User
Define at least one implementation user using the Create Implementation Users task at the beginning of the project. The first implementation user is for creating only the initial enterprise structure and is not a real person in HCM. After the initial enterprise structure is complete, you can create additional users in HCM using the Manage Users or Import Worker Users tasks. Your users require that a business unit, legal entity, and other setup be added after the initial implementation. Planning is essential to:
> Analyze the access requirements specific to your organization, understanding who needs access to what.
> Compare the requirements with the predefined roles in the security reference implementation, and decide which predefined roles meet your requirements and can be used as-shipped, and which will require customizations to meet your requirements.
> Certain product areas, such as Accounts Payable and General Ledger, include multiple roles in the reference implementation. To compare the access granted to each role, you can use the Compare Role feature in the Security Console.
Function And Data Security
Oracle Financials Cloud uses role-based access control (RBAC). Your application is secure as delivered and you will provide function and data access through roles that you assign to users. Function security allows you to access:
> A page or a specific object.
> Functionality within a page, including services, screens, and task flows.
Data security consists of privileges conditionally granted as:
> Data security policies carried by roles.
> Human Capital Management (HCM) security profiles.
For example, a job role can enable users to work with journals. A data role in an upgraded implementation that inherits the job role can provide access to the journal data within a ledger. The data role General Accounting Manager – US inherits functionality from the General Accounting Manager job role and enables users to perform general ledger duties in the US ledger.
Types of Roles
Three role types can be assigned to users. These enterprise roles, also called external roles, are:
• Abstract roles: Represent people in the organization independent of the jobs they perform, such as employee or line manager.
• Data roles: A data role is the combination of a worker’s job and the data/security profiles. You define the data scope of a data role in one or more HCM security profiles. You define all HCM data roles locally and assign them directly to users.
Assign these roles directly to users:
• Job roles: You can also create custom job roles.
• Abstract roles: All users are likely to have at least one abstract role that provides access to a set of standard functions, such as expense reporting or procurement. You can also create custom abstract roles. In addition, the Employee role is important to assign to a user, as it allows users to submit ESS jobs, among other general functions that an employee would have.
Assign these roles to Job and Abstract roles, not directly to users:
• Duty roles: You can also create custom duty roles.
Job Roles, Duty Roles and Privileges
Role inheritance is a key concept in the security model. The figure illustrates the hierarchy of job and duty role inheritance, which are the building blocks of Oracle Cloud Security.
Almost every role is a hierarchy or collection of other roles. Job and abstract roles inherit duty roles, and duty roles can inherit other duty roles. You can also assign privileges directly to job, abstract, and duty roles. The diagram also shows a data role added so that a user holding the General Accountant job role is restricted to the UK set of data in the UK ledger.
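As an added illustration of the “WHO can do WHAT on WHICH set of data” model and of the role inheritance just described (this is example code written for this page, not Oracle’s own implementation or data), the following Python models job and abstract roles that inherit duty roles transitively, privileges attached to any role, and data-scope assignments per user per role as done on the Manage Data Access for Users page. The role names, privilege names, the user jsmith, the ledger names and the segregation-of-duties pair are all constructed for the example; only the structure mirrors the page.

```python
"""Toy model of role inheritance, function security and data security.
All roles, privileges, users, ledgers and SoD pairs below are constructed
for illustration; they are not Oracle's shipped reference implementation."""
from collections import deque

# Role hierarchy: role -> roles it inherits.
# Job/abstract roles inherit duty roles; duty roles may inherit other duty roles.
ROLE_HIERARCHY = {
    "General Accountant": {"Journal Management Duty", "Period Close Duty"},
    "Employee": {"Expense Entry Duty"},
    "Journal Management Duty": {"Journal Entry Duty", "Journal Posting Duty"},
    "Journal Entry Duty": set(),
    "Journal Posting Duty": set(),
    "Period Close Duty": set(),
    "Expense Entry Duty": set(),
}

# Function-security privileges granted directly to a role (any role type).
PRIVILEGES = {
    "Journal Entry Duty": {"Create Journal"},
    "Journal Posting Duty": {"Post Journal"},
    "Period Close Duty": {"Close Accounting Period"},
    "Expense Entry Duty": {"Create Expense Report"},
    "General Accountant": {"Review Journal"},   # privilege granted straight to a job role
}

# Privileges that additionally require a data scope of the given type (the WHICH).
DATA_SECURED_PRIVILEGES = {
    "Create Journal": "Ledger",
    "Post Journal": "Ledger",
    "Close Accounting Period": "Ledger",
}

# Provisioning: user -> roles held (the WHO).
USER_ROLES = {"jsmith": {"General Accountant", "Employee"}}

# Data access is assigned per user *per role*, and only for roles the user holds:
# (user, role) -> set of (scope_type, scope_value).
DATA_ACCESS = {("jsmith", "General Accountant"): {("Ledger", "US Primary Ledger")}}


def expand_roles(role):
    """Return the role plus every role it inherits, transitively (BFS, cycle-safe)."""
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for child in ROLE_HIERARCHY.get(current, set()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def effective_privileges(role):
    """All function-security privileges reachable through the role hierarchy."""
    privs = set()
    for r in expand_roles(role):
        privs |= PRIVILEGES.get(r, set())
    return privs


def compare_roles(role_a, role_b):
    """Set-difference view of two roles, in the spirit of the Compare Role feature."""
    a, b = effective_privileges(role_a), effective_privileges(role_b)
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


def can_access(user, privilege, scope=None):
    """WHO can do WHAT on WHICH: function security first, then data security.

    scope is a (scope_type, scope_value) tuple for data-secured privileges.
    Data access is checked against the specific role that carries the privilege,
    because scopes are assigned per user per role, not per user globally."""
    for role in USER_ROLES.get(user, set()):
        if privilege not in effective_privileges(role):
            continue
        if privilege not in DATA_SECURED_PRIVILEGES:
            return True                       # function-only privilege
        if scope in DATA_ACCESS.get((user, role), set()):
            return True                       # scope granted on this role
    return False


def sod_violations(user, conflicting_pairs):
    """Privilege pairs (from a constructed SoD policy) that one user holds together."""
    held = set()
    for role in USER_ROLES.get(user, set()):
        held |= effective_privileges(role)
    return [pair for pair in conflicting_pairs if pair[0] in held and pair[1] in held]


if __name__ == "__main__":
    print(can_access("jsmith", "Post Journal", ("Ledger", "US Primary Ledger")))   # True
    print(can_access("jsmith", "Post Journal", ("Ledger", "UK Ledger")))           # False
    print(sod_violations("jsmith", [("Create Journal", "Close Accounting Period")]))
```

The point the page makes, that a user is assigned to a job role and then, separately, to the data scopes for that role, is what `can_access` enforces: `jsmith` holds `Post Journal` through `General Accountant`, but posting in the UK ledger is denied because no ledger scope for that role names it. The `sod_violations` check is included to show how the segregation-of-duties conflicts listed in the reference implementation can be evaluated over effective, inherited privileges rather than over directly granted ones.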
New Data Security in R12
Does not use data role templates
> Assigns users directly to the job roles and to the appropriate data sets.
> Uses the new Manage Data Access for Users page.
Security Console Replacing APM and OIM
The Security Console is an easy-to-use administrative interface that you access by selecting Tools > Security Console on the home page or from the Navigator. You use the Security Console for most role-management tasks. For example, use the Security Console to:
- Review predefined job, abstract, and duty roles.
- Create and manage custom job, abstract, and duty roles.
- Typically, you copy a predefined role and use it as the basis for a custom role.
- Review the roles assigned to users.
- Compare roles.
- Simulate the Navigator for a user or role.
Simplified experience for the IT Security Manager. Use Security Console for all tasks:
- User Account Management
- Role Management
- Edit, Copy, Compare, Simulate
- Functional and Data Security Policies
- Role Hierarchy Management
- User Name / Password policies
- User Lifecycle Management
- Certificate Management
To access the Manage Data Access for Users page, navigate to Setup and Maintenance > Manage Data Access for Users task. You use the Manage Data Access for Users task to assign users to data scopes, such as Business Units, Ledgers, and Asset Books.
You assign data scopes to users by role, and you can only assign data scopes to roles a user has been provisioned.
You can also import assignments from a spreadsheet. By clicking the Authorize Data Access button in the Manage Data Access page, you can download a spreadsheet which you can use to import the data assignments. You can prepare the data from another source, such as your legacy system, populate the spreadsheet, and then import it.