Adobe Captivate - Oracledownload.oracle.com/ocomdocs/global/fusion_r11/fin/ERP... · Web viewSlide...

Adobe Captivate Wednesday, May 10, 2023

Slide 3 - Oracle ERP Cloud Service Release 11

Slide notes

Hello, my name is Alvin. Welcome to training for Release 11. In this session we will provide an overview on securing the Oracle ERP Cloud Service.

Notes

of 63


Slide 4 - Agenda

Slide notesIn this training, we will explain the basic concepts of Oracle ERP Cloud security, followed by tips and suggestions on what you need to consider to plan your security implementation.

We will go through the steps you need to setup security.

Next we will explain how you can customize security to meet your unique business requirements, and how you can manage security after the initial implementation.

Finally, we will discuss various reports that can help you audit your security setup.

Notes

of 63


Slide 5 - Introduction

Slide notesWe will begin with explaining the basic concepts of Oracle ERP Cloud security.

Notes

of 63


Slide 6 - Introduction

Slide notesOracle ERP Cloud’s security methodology can be summarized with the simple statement “WHO can do WHAT on WHICH set of data”.

The “WHO” is the user.

The “WHAT” are individual actions a user can perform, such as ability to manage payables invoice.

The “WHICH” set of data is the business units and ledgers that a user can perform actions on.

Notes

of 63


Slide 7 - Understanding Roles

Slide notesOracle ERP Cloud uses role-based access control (RBAC). Access to functions and data are defined via user roles, not directly against users.

Oracle ERP Cloud utilizes 3 types of roles:

Job roles represent the jobs that users perform in an organization. General Accountant and Accounts Payable Manager are examples of predefined job roles. You can also create custom job roles.

Abstract roles represent people in the enterprise independently of the jobs they perform. Some predefined abstract roles in Oracle ERP Cloud include Employee and Transactional Business Intelligence Worker. You can also create custom abstract roles. All users are likely to have at least one abstract role that provides access to a set of standard functions. You may assign abstract roles directly to users.

Duty roles represent a logical collection of privileges that grant access to tasks that someone performs as part of a job. Budget Review and Account Balance Review are examples of predefined duty roles. You can also create custom duty roles.

You don't assign duty roles directly to users.

Notes

of 63


Slide 8 - Understanding Role Inheritance

Slide notesRoles are linked together in hierarchies.

Job and abstract roles may inherit predefined or custom duty roles, either directly or indirectly.

Duty roles can inherit other duty roles.Job, abstract and duty roles can also be assigned privileges and aggregate privileges directly.

When you assign job and abstract roles to users, they inherit all of the data and function security associated with those roles

Notes

of 63


Slide 9 - Understanding Function & Data Security Policies

Slide notesFunction security privileges and data security policies are granted to job, abstract, or duty roles.

Each function security privilege secures the code resources that make up the relevant pages, page components like buttons, and scheduled jobs.

Each data security policy defines access by a role, to a business object, with a condition and for an action (called a data security privilege). For example, Accounts Payable Managers can manage payables invoices for the business units they are authorized, while Cash Managers can only view payables invoices for the business units associated to the bank accounts they are authorized.

An aggregate privilege combines function security privileges with related data security policies. For example, the aggregate privilege Manage Payables Period Status combines the function security privilege to manage accounting periods with a data security policy to manage payables accounting periods.

Notes

of 63


Slide 10 - Understanding External vs. Application Roles

Slide notesExternal Roles are roles that are assigned to users.

Application Roles are roles that can be assigned authorization policies, such as function security policies and data security policies.

Application Roles cannot be assigned to users, while External Roles cannot be assigned authorization policies.

As job roles and abstract roles are assignable to users, they are defined as external roles

Duty roles are defined as application roles

As job roles and abstract roles can also be assigned authorization policies, they are also created as application roles

Notes

of 63


Slide 11 - Summary

Slide notesTo recap, the statement “WHO can do WHAT on WHICH set of data” is implemented by assigning users, the WHO, to function security policies, the WHAT and data security policies, i.e. WHICH set of data, via roles

Notes

of 63


Slide 12 - Planning

Slide notesIn this section, we will discuss what you need to do to plan your security implementation.

Notes

of 63


Slide 13 - Predefined Security Reference Implementation

Slide notesOracle ERP Cloud comes with a predefined security reference implementation, which consists of a set of predefined job roles that closely matches real life jobs like Accounts Payable Manager and General Accounting Manager, as well as a set of predefined duty roles.

These predefined job roles and the accesses they provide are documented in the Security Reference Manual. The Security Reference Manual can be accessed from cloud.oracle.com, under resources, documentation, applications.

Notes

of 63


Slide 14 - Matching Predefined Roles to Your Needs

Slide notesAfter understanding what roles are predefined in the security reference implementation, you should analyze the access requirements specific to your organization, understanding who needs access to what.

Once you have analyzed your requirements, compare them with the predefined roles in the security reference implementation, and decide which predefined roles meet your requirements and can be used as-shipped, and which predefined roles will require customizations to meet your requirements.

Certain product areas, such as Accounts Payable and General Ledger, include multiple roles in the reference implementation. To compare accesses granted to each role, you can use the Compare Role feature in the Security Console, which will be discussed later.

Notes

of 63


Slide 15 - Customizing Roles

Slide notesIf jobs exist in your enterprise that aren't represented in the security reference implementation, then you can create custom job roles. You can then add duty roles and privileges to custom job roles, as appropriate.

If the privileges for a predefined job role don't match the corresponding job in your enterprise, then you create a custom version of the role. If you copy the predefined role, then you can edit the copy to add or remove duty roles, function security privileges, and data security policies, as appropriate.

Notes

of 63


Slide 16 - Customizing Security – Best Practices

Slide notesWe recommend the following when you wish to make security customizations:

You must not customize predefined roles. You can identify these predefined roles by the ORA_ prefix in the Role Code field. During each upgrade, predefined roles are updated to the specifications for that release, so any customizations would be overwritten.

Instead, always make a copy of the predefined role. Then, edit the copy and save it as a custom role.

Making your changes in a copy of a predefined role means that you can always compare to and roll back to the delivered role.

After a maintenance update or upgrade, you can compare your customized copy to the updated predefined source role. You can see the updates to the predefined role and decide whether to incorporate them into your custom role.

Notes

of 63


Slide 17 - Implementing

Slide notesIn this section, we will cover the basic steps in implementing security for Oracle ERP Cloud.

Notes

of 63


Slide 18 - Implementing Security

Slide notesWe will discuss how to create users, and how to assigning roles and data scopes to users. Finally, we will show you how to create custom roles in case the predefined roles do not meet your business requirements.

Notes

of 63


Slide 19 - Creating Users

Slide notesDuring implementation, you can use the Create User task to create application users. By default, this task creates a minimal person record and a user account.

If you are implementing HCM in addition to Financials, you should use the Hire an Employee task to create application users. This task creates the full person record needed by HCM, such as job assignment, job code, department, manager, etc, as well as the user account itself. The Create User task is recommended only if HCM is not implemented.

Use the Create Implementation Users task to create implementation users. Implementation users are user accounts without the associating person record.

Notes

of 63


Slide 20 - Create User Task

Slide notesYou must first navigate to the manage Users page to create a user. You can go to the Setup and Maintenance work area and query the task “Manage Users,” or you can go to Navigator > My Team > Manage Users.

Under Personal Details, Enter the user's name. In the E-Mail field, enter the user's primary work e-mail. In the Hire Date field, enter the hire date for a worker. For other types of users, enter a user start date. You can't edit this date after you create the user.

Under User Details, You can enter a user name for the user. If you leave the User Name field blank, then the user name follows the enterprise default user-name format.

The Send user name and password option controls whether an e-mail containing the user name and a temporary password is sent when the account is created. This option is selected by default if these e-mails are enabled for the enterprise.

Under Employment Information, Select a Person Type value. Then select Legal Employer and Business Unit values.

Notes

of 63


Slide 21 - Create Implementation Users Task

Slide notesYou should use the Create Implementation Users task to create implementation users. This task accesses Oracle Identity Manager (OIM)

Select Create User under User.

Under Basic User Information and Account Settings, fill in the necessary information, such as the user’s first and last names, email address, user login name. Select an Organization and User Type from the list.

Click Save.

Notes

of 63


Slide 22 - Using Oracle Identity Manager

Slide notesMake sure you are using the Administration Mode in OIM. The title will display whether you are in Administration mode or Self Service mode. To switch from Self-Service Mode to Administration Mode, click on the button in the upper right hand corner.

Notes

of 63


Slide 23 - Importing Users

Slide notesYou can import workers from legacy applications to Oracle ERP Cloud using the Import Worker Users task . You can access this task from the Setup and Maintenance work area. By enabling you to bulk-load existing data, this task is an efficient way of creating and enabling users of Oracle ERP Cloud.

The import process handles both user account creation and auto provisioning of roles

Notes

of 63


Slide 24 - Provisioning Roles to Users

Slide notesRoles provide user access to data and functions. Roles can be provisioned to users either manually or automatically.

You can manually provision roles to users using Oracle Identity Manager, or OIM in short.

To automatically provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. A role can be provisioned to a user only when one of the user’s assignments matches all role-mapping conditions.

Roles will be automatically provisioned if the conditions in the role mapping are met, and the autoprovision option is selected.

Notes

of 63


Slide 25 - Manually Provision Roles to Users

Slide notesYou can use the Oracle Identity Manager, or OIM for short, to quickly assign roles to users.

Oracle Identity Manager access is granted to the predefined IT Security Manager role

You should use the Create Implementation Users or Manage Job Roles tasks from Setup and Maintenance to access Oracle Identity Manager. Make sure you switch to Administration mode to assign roles to users. By default, Oracle Identity Manager will be opened in Self-Service mode.

Notes

of 63



Slide notesUse the search box to search for the desired user. Open the user and go to the Roles tab. Here you can view roles that are currently assigned to the user. You can click the “Assign” button to assign new roles to the user.

To assign the same role to multiple users, you can instead search for the role, go to the Members tab, and click “Assign” button to assign multiple users to the same role.

Notes

of 63



Slide notesTo assign the same role to multiple users, you can instead search for the role, go to the Members tab, and click “Assign” button to assign multiple users to the same role.

Notes

of 63


Slide 28 - Creating and Managing Role Mapping

Slide notesIf you wish to enable automatic provision of roles, you need to create role mapping rules.

You can use the Manage Role Provisioning Rules task to create and manage role mapping rules. However, if HCM is implemented, you should use the Manage HCM Role Provisioning Rules task instead

Values in the Conditions section determine when the role mapping applies. For example, you may define a rule that limits role mapping to current employees of the Finance Department whose Job is Accounting Manager.

A role attached to a role mapping rule can be set as requestable, self-requestable, or auto-provisioned.

For requestable roles, qualifying users can provision the role to other users.

For self-requestable roles, qualifying users can request the role for themselves.

For auto-provision roles, qualifying users acquire the role automatically.

Notes

of 63


Slide 29 - Manage Role Mappings

Slide notesTo manage role provisioning rules, select the Setup and Maintenance and query the tasks Manage Role Provisioning Rules or Manage HCM Role Provisioning Rules.

You can either search for existing role mappings, or create a new one.

To create role mappings, go directly to the Search Results section of the page, click Create.

Notes

of 63


Slide 30 - Create Role Mappings

Slide notes

You enter a unique Mapping Name, then enter the condition values as needed. All conditions are optional.

In the Associated Roles section, click Add Row. In the Role Name field, search for and select the role that you're provisioning, then select one or more of the role-provisioning options.

Once again, for requestable roles, qualifying users can provision the role to other users.

For self-requestable roles, qualifying users can request the role for themselves.

For auto-provision roles, qualifying users acquire the role automatically.

Add more rows as appropriate. When finished, click Save and Close.

Notes

of 63


Slide 31 - Edit Role Mapping

Slide notesIf you want to edit an existing role mapping, enter the search criteria to find the rule, then click on the mapping name to open the Edit Role Mapping page, shown here.

Here, you can disable the mapping by setting the effective end date, modify conditions on the rule, or add / remove roles associated to this mapping.

Notes

of 63


Slide 32 - Assigning Data Scopes to Users

Slide notesYou use the Manage Data Access for Users task to assign users to data scopes, like Business Units, Ledgers, and Asset Books. You can access this task from the Setup and Maintenance work area.

You assign data scopes to users by role, and you can only assign data scopes to roles a user has been provisioned.

You can use the import capability to create a large number of assignments.

Notes

of 63


Slide 33 - Create Data Access for Users

Slide notesTo create data assignments, you navigate to the Manage Data Access for Users page through Setup and Maintenance. Skip to the Search Results region and click the Add button. A Create Data Access for Users window will open up.

You then enter the user you wish to create data assignments for, the role which the data assignment is against, the security context you want to assign to the selected user and role and finally the data scope, or security context value.

You can use the add button to add more records, or the duplicate button to duplicate the values of another record so you can quickly assign a different security context value to the same user and role.

Once you are done, you can click Save and Close.

Notes

of 63


Slide 34 - Importing Data Access for Users

Slide notesIn addition to create assignments online, you can also import assignments from a spreadsheet. By clicking on the “Authorize Data Access” button, you can download a spreadsheet which you can use to import the data assignments. You can prepare the data from another source, such as your legacy system, and populate the spreadsheet.

Notes

of 63


Slide 35 - Customizing Security

Slide notesIn this section, we will explain how you can customize security to meet your business requirements

Notes

of 63


Slide 36 - Customizing Security

Slide notesYou should use the Security Console to customize security.

Using the Security Console, you can create custom roles from scratch, or copy from another role, or edit a custom role. However, you cannot edit a predefined role.

Security Console can be accessed via the Navigator menu, under Tools. Access to Security Console is granted through the predefined IT Security Manager role

Notes

of 63


Slide 37 - Customizing Security – Before You Start

Slide notesBefore you start using Security Console, there are 2 profile options that govern the behavior of the Security Console.

The profile Security Console Working App Stripe controls the App Stripe the user works on. Please set this profile option to “fscm”, either at the site level, or for specific users with Security Console access.

The profile Enable Data Security Policies and User Membership Edit sets the preference to enable data security policies and user membership editing in Security Console. Please set this profile option to “yes” to enable both, at the site level, or for specific users.

You can set profile values using the “Manage Administrator Profile Values” task.

Notes

of 63


Slide 38 - Security Console – Getting Started

Slide notesOnce you open the Security Console, you first need to find your desired role you wish to view, edit, or copy.

Start typing in the search box. As you type, matches will be shown automatically.

Once you have found the desired role, click on it to open the role in the search results. The role will also be shown in the Visualizer so you can browse the content.

Notes

of 63


Slide 39 - Copy Role

Slide notesYou can create a custom role by copying the setup from another role. You must first select a role before initiating a copy.

The Copy option is available from either the Search Results, or from the right-click menu on a role in the Visualizer.

The copied role will carry the same function and data security policies as the source role.

You have the option to copy just the top role, which will inherit all the roles from the source role, or top role and inherited roles, which will result in a copy of not just the top role but all the inherited roles as well.

Once you initiate the copy process, you will have a chance to review the function and data security policies, as well as inherited roles, from the source role and make changes before finalizing the copy.

Notes

of 63


Slide 40 - Copy Role – Basic Information

Slide notesThis is the first step of the copy role process. Here, you can modify the defaulted role name, and role code. You can also modify the role description.

You can setup default names in the Preferences section of the Security Console

Notes

of 63


Slide 41 - Copy Role – Function Security Policies

Slide notesNext, under Function Security Policies, you can review the function security privileges that are assigned to the source role, to be copied to the target role.

You can also review the code resources tied to each privilege.

You can add or remove function security privileges from the target role here.

This option is only available when you make a copy of an application role, as function security policies cannot be created against an external role.

Notes

of 63


Slide 42 - Copy Role – Data Security Policies

Slide notesNext, under Data Security Policies, you can review the data security policies that are assigned to the source role, to be copied to the target role.

You can edit or remove data security policies from the target role that are copied from the source role, or create new data security policies under the target role.

Remember, to add, edit, or remove data security policies here, the profile option Enable Data Security Policies and User Membership Edit needs to be set to Yes, either at the site level or for the current user.

Notes

of 63


Slide 43 - Copy Role – Role Hierarchy

Slide notesNext, under Role Hierarchy, you can review the role hierarchies of the source role, to be copied to the target role.

You can add or remove inherited roles from the target role here.

Notes

of 63


Slide 44 - Copy Role – Users

Slide notesUnder Users, you can assign users to the target role.

This option is only available to external roles, as you can only assign external roles to users

Remember, to assign users to this new role here, the profile option Enable Data Security Policies and User Membership Edit must be set to Yes, either at the site level or for the current user.

Notes

of 63


Slide 45 - Copy Role – Summary and Impact

Slide notesUnder Summary and Impact, you can review the additions and deletions you have made to the artifacts associated with the target role.

Once you have reviewed the information, you should click Submit and Close. Click Cancel if you wish to cancel the current copy request.

Notes

of 63


Slide 46 - Compare Roles

Slide notesYou can use Compare Role to compare the function and data security policies granted to 2 roles.

The Compare Role feature is available from the Security Console. You can launch “Compare Role” directly by clicking on the button, or by choosing the “Compare Role” option in the Search Results.

By selecting “Compare Roles” after selecting a role, that role will be prefilled

Notes

of 63


Slide 47 - Compare Roles

Slide notesYou have the option to view all comparison results, artifacts that only exist in either the first or the second role, artifacts that exist in both roles

You can also choose to view only comparison results for function security policies, data security policies, inherited roles, or combinations.

Notes

of 63


Slide 48 - Create Custom Role

Slide notesYou can also use the Security Console to create a custom role from scratch. Click on the Create Role button to initiate the create role process

Notes

of 63


Slide 49 - Create Role

Slide notesThe Create Role process is similar to the Copy Role process.

First you enter the basic information regarding the role. For Role Source, choose External Role if you wish to assign this role to users, or Application Role is you wish this role to act like a custom duty role.

Once you enter the basic information, you can add functional and data security policies, and inherited roles, to create the custom role.

Notes

of 63


Slide 50 - Creating Data Security Policies for User Data Assignments

Slide notesData security policies that derive the individual user’s data assignments based on assignment records as managed via the Manage Data Access UI require specific conditions to be used.

The following 2 slides include the conditions to be used for different data security contexts.

The new data security policies must be created against the job roles that are assigned to the users, and cannot be created against duty roles.

Notes

of 63


Slide 51 - Data Security Conditions for Direct Accesses

Slide notesHere is a list of Database Resources and the corresponding Condition that should be used to derive data assignments.

For example, if you need a data security policy to return a list of business units a user is explicitly authorized using the Manage Data Access for Users UI, you need to create a data security policy for the Business Unit database resource with the condition “Access the business units for which the user is explicitly authorized”.

Notes

of 63


Slide 52 - Data Security Conditions for Derived Accesses

Slide notesThere are cases where you may need to derive access to a database resource based on user’s assignments to another resource, for example, derive access to ledgers based on a user’s business unit assignments. The following are examples of cases for the seeded roles and the corresponding conditions that are used.

For example, if you need a data security policy to return a list ledgers a user is authorized based on one’s assignment to business units using the Manage Data Access for Users UI, you need to create a data security policy for the Ledger database resource with the condition “Access the ledger for table GL_LEDGERS for the ledgers derived from business units for which they are authorized”.

Notes

of 63


Slide 53 - Managing Security

Slide notesIn this section, we will explain how you can manage security after initial implementation.

Notes

of 63


Slide 54 - Managing Users

Slide notesYou may need to make changes to an existing user account. You can use the Manage Users task to manage user accounts.

Manage Users task allows you to edit user account details, add to or remove roles from a user, and reset the user’s password.

Users can also request new roles, and reset password themselves by selecting About Me - My Account from the home page.

Role assignments using either the Manage Users task or My Account are subject to role provisioning rules.

Notes

of 63


Slide 55 - Managing Implementation Users

Slide notesYou should use Oracle Identity Manager to make changes to existing implementation users.

Make sure you are using the Administration Mode in Oracle Identity Manager.

In the Search Box, select Users, and then search for the desired user. Once you’ve found the desired user, open the user to make changes

Notes

of 63


Slide 56 - Managing Role Assignments for Users

Slide notesYou should use Oracle Identity Manager to manage a user’s role assignment.

Open Oracle Identity Manager in Administration Mode, search for the user, and open the Roles tab.

Roles currently assigned to the selected user are shown.

You can assign additional roles by clicking on the “Assign” button, or select an assigned role and click “Revoke” to revoke this role from the user.

Similar to initially assigning roles to users, if you want to manage multiple user-role assignments for the same role, you can instead search for the role, go to the “Members” tab, view, assign, or revoke multiple users against the same role.

Notes

of 63


Slide 57 - Managing Data Access for Users

Slide notesUse the Manage Data Access for Users task to manage data scope assignments

You can search for assignments for a single user or a single role.

In the search results, you can further filter the results, or export the results to Excel. You can also authorize additional data accesses here.

Notes

of 63


Slide 58 - Managing Roles

Slide notesYou can use the Security Console to edit a role.

The Edit option is available from either the Search Results, or from the right-click menu on a role in the Visualizer.

You should only edit custom roles; you should not edit predefined roles. Changes to predefined roles will reset during the next system upgrade.

Notes

of 63


Slide 59 - Edit Role Process

Slide notesOnce you are in the Edit Role process, you go through steps similar to the Copy Role and Create Role process. You can review and edit function security policies, data security policies, role hierarchy and users, when applicable.

You can skip to the sections you wish to edit by clicking on the corresponding stops in the train.

Once you have completed your changes, go to Summary and Impact Report, review the changes, then click Save and Close.

Notes

of 63


Slide 60 - Auditing Security

Slide notes

Notes

of 63


Slide 61 - Auditing Security

Slide notesOracle ERP Cloud includes several reports that provide auditing information for security information.

There is a report that documents roles provisioned to users, one that documents roles, privileges, and data security policies provisioned to users, and one that identifies users who have not signed in for a period of time that you define.

Notes

of 63


Slide 62 - User Role Membership Report

Slide notesThe User Role Membership Report documents roles provisioned to users.

Report can be run for all users, or you can optionally filter the list of users by name, department, and location.

Run the User Role Membership Report as a scheduled process. Use the Scheduled Processes work area available from the Navigator.

Notes

of 63


Slide 63 - User and Role Access Audit Report

Slide notesThe User and Role Access Audit Report documents roles, privileges, and data security policies provisioned to users.

Report can be run for one user or all users, and for one role or all roles.

Run the User and Role Access Audit Report as a scheduled process. Use the Scheduled Processes work area available from the Navigator.

If you select an individual user, the process returns one file documenting data security policies that apply to the selected user, one file that documents functional security for the selected user, depicting hierarchical relationships among security artifacts, and one file that documents functional security for the selected user, in a flattened, tabular format.

If you select all users, the process returns multiple files, one for each user, that documents data security and hierarchical function security similar in formats to the individual user reports. In addition, a single comma-separated-values file that documents functional security for all users in a flattened, tabular format will also be generated.

If you select an individual role, the process returns one file documenting data security policies that apply to the selected role, one file that documents functional security for the selected role, depicting hierarchical relationships among security artifacts, and one file that documents functional security for the selected role, in a flattened, tabular format.

If you select all roles, the process returns multiple files, one for each role, that documents data security and hierarchical function security similar in formats to the individual role reports. In addition, a single comma-separated-values file that documents functional security for all role in a flattened, tabular format will also be generated.

Notes

of 63


Slide 64 - Inactive Users Report

Slide notesThe Inactive Users Report identifies users who have not signed in for a period of time that you define. Run the report as a scheduled process. Use the Scheduled Processes work area, available from the Navigator.

As a prerequisite, you need to run the Import User Login History process first.

As you run the process that generates the Inactive Users Report, Define the inactivity period, in days. The default value is 30. Filter the users who may be included in the report, by name, department, location, or last-activity start or end date. The use of these parameters is optional.

The process returns a file that provides the following information about each inactive user: the number of days the user has been inactive; the user's user name, given name, surname, location, and department; and the user’s status.

Notes

of 63


Slide 65 - Additional Information

Slide notesI hope you find the information covered in this training useful.

For additional information, please refer to the security related documentations available on docs.oracle.com, using the link here.

This concludes this presentation, thank you for listening. You can easily pause and rewind any of these slides if you require additional time to take in the detail.

Notes

of 63

Adobe Captivate - Oracledownload.oracle.com/ocomdocs/global/fusion_r11/fin/ERP... · Web viewSlide...

Documents

Transcript of Adobe Captivate - Oracledownload.oracle.com/ocomdocs/global/fusion_r11/fin/ERP... · Web viewSlide...