Oracle ERP Cloud Security Setup Guide

The document outlines a session on setting up security for Oracle ERP Cloud, presented by Zsolt Varga from AXIA Consulting. It covers key topics such as role-based access control, data security, user roles, and the implementation of security profiles and provisioning rules. The session aims to provide insights into managing security within Oracle Cloud applications, particularly for clients like Shelby County Schools.


Setting Up Security for Oracle ERP Cloud

Session ID: 11063

Prepared by:
Zsolt Varga
PM & BA
AXIA Consulting
Remember to complete your evaluation for this session within the app!
April 8th, 2019
Solving Complex Business & Technology Problems with Experience & Knowledge

AXIA Consulting (founded in 2005 and 100% employee owned) helps clients identify and solve complex problems with teams of experts averaging over 20 years of experience. AXIA is different than other integrators because we do not “leverage” a few highly experienced consultants with less experienced resources.

Core Values…
• Be Vested
• Be Authentic
• Be There
• Be Approachable
• Be Honest

Committed To Excellence
Our client relationships start with a project and turn into lasting partnerships.

Local & Global
Delivering results for clients in more than 54 countries over 6 continents.

AXIA Oracle Service Offerings
• Oracle Consulting
• Implementations & Functional Extensions
• Mergers & Acquisitions
• EBS Assessments & Upgrades
• Client Advisory Services
• Roadmap
About The Speaker
Zsolt Varga
▪ Project Manager
▪ Senior Business Analyst
▪ Employee Owner
▪ 12 years of Consulting Experience
▪ Extensive EBS FIN & ERP FIN Cloud Knowledge:
• General Ledger
• Subledger Accounting
• Cash Management
• Payables
• Procurement
• Receivables
• Order Management
• Inventory
• Tax
• Projects
• Fixed Assets
Session Objectives

• Enterprise Resource Planning Cloud
• Security Console & Functional Setup Manager
• Functional Security – Abstract, Job & Duty Roles, Privileges
• Data Security – Data Roles, Security Profiles & Data Access
• Auto-Provisioning
• CoA Segment Security & CVRs
• BI Permissions
Client & Project
Client Overview:
SHELBY COUNTY SCHOOLS
• Tennessee’s largest school district
• Within 25 largest public school districts in US
• Over 200 schools
• Approx. 12000 employees
• Total budget: $1.34 Billion
• Founded in 1867
Project Overview:
ORACLE CLOUD HCM, FSCM & PBCS
• Implementation & Configuration
• Conversion & CEMLI
• Testing & Training
• Business Process Transformation & OCM
Navigation in Oracle Cloud

Home, Favorites and Recent Items, Watchlist, Notifications
Security Console

IT Security Manager
Security Console > Single Sign-On
Security Console > Administration > Bridge for Active Directory
Functional Setup Manager

Here you will:
• manage Data Access
• set up Security Profiles and assign to Data Roles
• implement Role Provisioning Rules for automation
• configure Security Rules
• create Cross Validation Rules
Fusion Role Based Security
Oracle Cloud uses Role-Based Access Control (RBAC) that secures access in a “who
can do what on which functions or sets of data under what conditions” approach.
The "who" is the user.
The "what" are the abstract operations or entitlement to actions applied to
resources.
For example, view and edit are actions, and task flows or rows in data tables are
resources.
Entitlement secures access rights to application functions and data. Function
access entitlement is granted explicitly to duty roles. This implicitly grants the
function access to the job and abstract roles that inherit the duty roles. Data access
entitlement is granted implicitly to abstract and job roles through data security
policies on their inherited duty roles. Data access entitlement is granted explicitly
to a data role through a data security policy applied directly to the inherited job or
abstract role.
Fusion Role Based Security
Explicit entitlement names the specific function or data that the holder of the
entitlement is authorized to access.
Only duty roles hold explicit entitlement to functions. An entitlement to a function
allows one or more actions (update, create and view) applied to a resource (for
example task flow).
Data roles hold explicit entitlement to data. Data roles are entitled access to functions
through inherited role hierarchies.
Implicit entitlement names roles to which explicit entitlement is granted through a
role hierarchy.
Abstract, job, and data roles have implicit access to functions through duty roles that
they inherit.
Abstract, job, and duty roles have implicit access to data through data security policies.
Data is also secured implicitly with the underlying data model of the product family
records.
Roles & Privileges
• Data roles combine a worker's job and the data that users with the job must access.
• Abstract roles represent a worker's role in the "enterprise" independently of the job that you hire the worker to do. These are for HCM, examples are Employee, Contingent Worker and Line Manager.
• Job roles represent the job that you hire a worker to perform.
• Aggregate privileges combine the functional privilege for an individual task or duty with the relevant data security policies.
• Duty roles represent a logical grouping of functional security privileges.
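
The explicit and implicit entitlement rules above can be traced mechanically. The following is an added example, not part of the original slides and not Oracle code: it walks a role hierarchy, reports which role grants each entitlement and whether the grant is explicit or implicit, and flags function entitlement held by anything other than a duty role. All role, privilege and policy names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    kind: str                                        # "duty", "job", "abstract" or "data"
    functions: set = field(default_factory=set)      # explicit function entitlement
    data_policies: set = field(default_factory=set)  # explicit data security policies
    inherits: tuple = ()                             # names of inherited roles

def resolve(name, roles, seen=None):
    """Map every entitlement reachable from a role to (granting role, 'explicit' or 'implicit')."""
    seen = set() if seen is None else seen
    if name in seen:                 # a role reached twice (or a cycle) is expanded once
        return {}
    seen.add(name)
    role, access = roles[name], {}
    for child in role.inherits:
        for ent, (source, _) in resolve(child, roles, seen).items():
            access.setdefault(ent, (source, "implicit"))
    for ent in role.functions | role.data_policies:
        access[ent] = (role.name, "explicit")
    return access

def misplaced_function_grants(roles):
    """Function entitlement held explicitly by a role that is not a duty role."""
    return sorted((r.name, f) for r in roles.values()
                  if r.kind != "duty" for f in r.functions)

# Constructed sample hierarchy; none of these names are Oracle-delivered roles.
ROLES = {r.name: r for r in [
    Role("Invoice Entry Duty", "duty", functions={"Create Invoice"},
         data_policies={"Invoices in own business unit"}),
    Role("Invoice Inquiry Duty", "duty", functions={"View Invoice"}),
    Role("AP Specialist", "job",
         inherits=("Invoice Entry Duty", "Invoice Inquiry Duty")),
    Role("AP Specialist - District Ledger", "data",
         data_policies={"District primary ledger"}, inherits=("AP Specialist",)),
]}

if __name__ == "__main__":
    for ent, (source, how) in sorted(resolve("AP Specialist - District Ledger", ROLES).items()):
        print(f"{ent:32} {how:9} via {source}")
    print("misplaced grants:", misplaced_function_grants(ROLES))
```
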
Users to Roles to Privileges

Example of what the structure of an assignment looks like:
Roles & Privileges & Inheritance
Job Roles towards Privileges
Job Roles towards Roles or Privileges
Job Roles towards Users
Security Console > Administration
Custom Role Creation

Unfortunately, at the moment there is no export-import functionality for job roles in the system.
HCM Person & User

It may seem trivial, but to be able to sign in to Oracle Cloud applications, you will need a User.
Also, as discussed earlier, Roles are assigned to Users.

So our prerequisite setups for assignments are:
• Home > My Team or My Client Groups > New Person > Tasks > Add a Pending Worker
• Home > Tools > Security Console > Users > Add User Account

Of course, you can also use HCM Data Loader or Import Worker Users.
Users
Add Roles to Users

Unfortunately, at the moment there is no export-import functionality for user to job role assignments in the system.

However, there is a self-requesting functionality, if you allow users to manage their own accounts.
Processes

There are certain processes that have to be run and then also scheduled to recur to keep your system in sync:
• Run User and Roles Synchronization Process
• Import Users and Roles into Application Security
• (There are further %LDAP% programs in Scheduled Processes)

These 2 main processes make sure that setups are the same in LDAP (Lightweight Directory Access Protocol), the policy store, the Applications Core Grant schema and the Oracle Fusion Applications Security tables. This keeps your system and Security Console fast and reliable.
Submit Processes & Manage Applications Security Preferences
Data Roles & Security Profiles

This functionality can be used mainly for HCM custom Data Roles
creation to grant or restrict data access via Security Profiles.
Data Roles
Security Profiles

Examples of usage:
• Organization SP works with HCM Dept Tree or Org Tree or Org Classification or specific Dept(s) or Org(s).
• Country SP uses Territories or Countries.
• Position, Document Type and Person SPs are definitely HCM oriented.

First two examples work for ERP Cloud as well…
Data Access
Manage Data Access for Users
Users, Roles & Security Context

Security Context:
Create Data Access in Spreadsheet (ADFdi)

Your Spreadsheet is based on your Search.

Authorize Data Access tab shows missing setups.

You can fill in Security Context Value for these lines or even create new lines.
Create Data Access in Spreadsheet (ADFdi)

View Data Access tab shows existing setups.

You can use these as examples.

Data Access cannot be Auto-Provisioned.
Manage Data Access Set

• Full Ledger or Primary BSV
• Ledger or Ledger Set
• Read and Write or Read Only
Auto-Provisioning

Home > Setup and Maintenance > Financials > Manage HCM Role Provisioning Rules
Role Mapping Rules

As the setup name hints, HCM-related objects can be used, like Job, Position, Location, Department, etc., and you can work with BU.
Role Provisioning Rules

Roles are directly assigned to Users.
Roles are not assigned to Jobs or Positions.
This automation helps to create these Role to User assignments based on Conditions.
This functionality works well for HCM Cloud but has limitations for ERP Cloud.
Maintenance effort for these Rules should be assessed and compared to the effort of handling assignments manually.
CoA Segment Security

Home > Setup and Maintenance > Financials > Manage Chart of Accounts Value Sets
Security enabled Value Set

After you have enabled security, entered a Data Security Resource Name and clicked Save, you can Edit Data Security.
Edit Data Security – Conditions

Conditions let you define your segment value inclusions, exclusions, ranges, etc.

You can even work with Tree Operators…
Edit Data Security – Policies

You can use Policies to link Roles to Conditions (in which you earlier specified your Segments).
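
How Conditions and Policies combine to decide which segment values a user can see, as an added example that is not part of the original slides and not Oracle code. The operator names, role names and cost center values are constructed, tree operators are left out, and the model assumes default deny: a value that no policy grants to one of the user's roles is not accessible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    name: str
    operator: str          # "equal", "not_equal", "between" or "not_between"
    low: str
    high: str = ""

    def matches(self, value: str) -> bool:
        if self.operator == "equal":
            return value == self.low
        if self.operator == "not_equal":
            return value != self.low
        # Character comparison; correct for fixed-length, zero-padded segment values.
        inside = self.low <= value <= self.high
        if self.operator == "between":
            return inside
        if self.operator == "not_between":
            return not inside
        raise ValueError(f"unknown operator {self.operator!r}")

def accessible_values(user_roles, policies, value_set):
    """Values a user may use: the union of the conditions granted to any of the user's roles."""
    granted = [cond for role, cond in policies if role in user_roles]
    return [v for v in value_set if any(c.matches(v) for c in granted)]

def roles_without_policy(all_roles, policies):
    """Roles left with no segment values under default deny; review these before go-live."""
    return sorted(set(all_roles) - {role for role, _ in policies})

# Constructed sample: a cost center value set and two policies (role -> condition).
COST_CENTERS = ["1000", "1100", "1200", "2000", "2100", "9000"]
SCHOOLS = Condition("School cost centers", "between", "1000", "1999")
NOT_CLEARING = Condition("All except clearing", "not_equal", "9000")
POLICIES = [("School Budget Analyst", SCHOOLS), ("District Controller", NOT_CLEARING)]

if __name__ == "__main__":
    for roles in ({"School Budget Analyst"}, {"District Controller"}, {"AP Specialist"}):
        print(sorted(roles), "->", accessible_values(roles, POLICIES, COST_CENTERS))
```
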
Cross Validation Rules
CVR Condition & Validation Filters

Use Conditions for restriction and Validations for exception (within restriction)
CVR Error Message
Create CVRs in Spreadsheet (ADFdi)
Business Intelligence Permissions
BI Report Assignments

Assign Reports to Roles and/or Users and set Permissions…
BI Permissions

Modify Permissions for Report to Member assignments…

Choose from options or customize…
Thank you!
April 8

April 10

April 11

…and do not forget to visit our booth! :-)


Q&A