Oracle Fusion Role-Based Access Control and Function & Data Security

Role-Based Access Control

Access to system resources is granted to users through the roles assigned to them, not to the users directly. Roles provide access to functions and data.

The Oracle Fusion Applications security approach includes abstract, job, duty, and data roles. Abstract roles group users without respect to specific jobs, such as all employees or all managers. Job roles group users in adherence to the principle of least privilege by granting access only in support of the duties likely to be performed, such as the job of Accounts Payable Manager. Duty roles define the duties of a job as entitlement to perform a particular action, such as processing payables invoices. Data roles group users who have functional access through a particular job role with access to a particular dimension of data, such as invoices relevant only to their business unit, or based on Human Capital Management (HCM) security profiles, such as employees who work in departments in a particular country, line of business, or division.

Abstract, job, and data roles are implemented as enterprise roles in Oracle Fusion Middleware so they can be shared across the enterprise. Duty roles are implemented as application roles in Oracle Fusion Middleware so they can be defined within applications.

Function and Data Security

Functions and data are inaccessible to users unless they are provisioned with the roles necessary to gain access. Function security provides users with access to pages in application users interfaces and actions that can be performed there. Data security allows users to see data in those pages. Some data is not secured, in which case access to a user interface page gives unrestricted access to the data that is accessible from that page. For example, some setup data such as Receivables Receipt Method and Payment Method is not secured, and some transaction data such as Receivables Customer Profile is not secured. Archive data such as Receivables Archive is also not secured.

Enterprise roles inherit application roles that provide the enterprise roles with access to application functions and data. Roles are grouped hierarchically to reflect lines of authority and responsibility. The figure shows user access to functions and data determined by roles arranged in hierarchies and provisioned to the user.

Duty roles carry entitlement to actions on functions and data. An example of a duty role is the Payables Invoice Processing Duty. Job and abstract roles inherit duty roles that determine the access to functions appropriate to the job. For example, the job role Accounts Payable Manager inherits the Payables Invoice Processing Duty.

Data security policies may grant actions on data to enterprise or duty roles. The condition of a data security policy determines if the access is explicit, such as all invoices of a particular business unit, or implicit, such as all invoices in the business unit to which a user is assigned. Job and abstract roles inheriting duty roles for which data security policies are defined grant implicit data access.

Data roles inherit abstract or job roles or both, and are granted explicit access to data. For example, a job role might give view access to the functions needed to access invoices, but a data role that inherits the job role gives view access to the invoices data within a business unit, such as the data role Accounts Payable Manager - US which inherits the job role Accounts Payable Manager for performing accounts payable duties against the US business unit.

Authorization Policy Manager (APM) is available in Oracle Fusion Applications through integration with Oracle Identity Management (OIM). Authorization policy management involves managing duty roles, data role templates, and data security policies, as well as previewing data roles generated based on data role templates.



Please provide your valuable feedback ............