
Use Case 2

Secure Bank Accounts by Users and Roles

In this example, John Operations will have most privileges associated with the Cash Manager job role.
However, for our business needs:
• He will not be able to manage or view Banks and Branches.
• He is able to view Bank Accounts, but he will not be able to create or modify an existing Bank Account.

[Figure: John Operations and the Cash Management privileges Manage Banks, Manage Bank Branches, Manage Bank Accounts, View Banks, View Bank Branches, and View Bank Accounts]

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 56
Use Case 2 – Security Steps
1. Identify Roles and Privileges
   - Review the Financials Security Reference Manual in PDF format.
   - Identify which Roles and Privileges are associated with the actions we want to restrict for the user.
2. Copy and Edit Seeded Duty Role
   - Copy and edit the predefined seeded Cash Management Administration Duty Role.
   - Remove or add privileges as desired.
3. Copy and Edit Seeded Application Role
   - Copy and edit the predefined seeded Cash Manager (Application Role).
   - Remove the Cash Management Administration Duty Role and add the new Duty Role created.
4. Copy and Edit Seeded External Job Role
   - Copy and edit the predefined seeded Cash Manager - External Job Role.
   - Remove the assigned Cash Manager (Application Role) and add the newly created Application Role.
5. Assign new External Job Role to users
   - Assign the new External Job Role to your users.
6. Test the Application
   - Log in as a user that is a member of the new External Job Role.
   - Test the application.

Step 1: Identify Roles and Privileges
Oracle Financials Cloud Security Reference
The first step is to identify which Roles and Privileges are associated with the actions we want to restrict for
each user.
1. Review the Financials Security Reference Manual in PDF format: Oracle Financials Cloud Security
Reference
2. Find the Job Role that most closely matches the privileges you want to customize. (In our case, Job Role:
Cash Manager)

3. Skim the Duties that a Cash Manager can perform. Skim the Role Hierarchy.
4. Go to the Privileges section. This is the most important section to determine what individual privileges
roll up directly to the Cash Manager and other Duty Roles that are assigned to the Cash Manager.
5. Search by Bank, Bank Branch and Bank Account. (Refer to Slides 24-38 in this presentation to be more
familiar with Cash Management Duty Roles).

Duty Role: Cash Management Administration


Privileges:
Manage Bank, Manage Bank Account, Manage Bank Branch
View Bank, View Bank Account, View Bank Branch

Step 2: Copy and Edit Seeded Duty Role
Tools > Security Console
1. Log in to your application and open the Security Console.
2. Be sure you see Roles: fscm on the top left of the page.

If you do not see Roles: fscm, set the following profile option:

Open the “Manage Administrator Profile Values” task from FSM.


• Query Profile Display Name: Security Console Working App Stripe (ASE_WORKING_APP_STRIPE).
  - Controls the App Stripe the user works on.
  - Set to “fscm” either at site level, or for specific fscm users.

• Query Profile Display Name: Enable Data Security Policies and User Membership Edit (ASE_ROLE_MGMT_PREF).
  - Preference to enable data security policies and user membership editing in Security Console.
  - Set to “Yes”.

3. Review the prefix and suffix of new copy roles

4. From the Security Console, query the duty role Cash Management Administration because we need to
remove the privileges to Manage Bank, Manage Bank Branch, Manage Bank Account that are assigned to
the Cash Management Administration duty role.
5. Choose to Copy top role.

Copy Role > Basic Information
6. Edit the Role name, Role Code, and Description.
7. Click Next

Copy Role > Functional Security Policies
8. Remove the privileges: Manage Bank, Manage Bank Account, Manage Bank Branch, View Bank, and
View Bank Branch.

Copy Role > Role Hierarchy
9. You should see the following on the Role Hierarchy train stop.
10. Click Next and review the Summary and Impact Report.

Tools > Security Console > Administration
11. Click Submit and Close. You will receive a Confirmation message.
12. You can go to the Administration page to view your submission.

Compare Roles
• Compare the seeded Duty Role with the newly created custom Duty Role.

[Screenshot callout: Removed Privileges]

Step 3: Copy and Edit Seeded Application Job Role
Tools > Security Console >

Now we need to copy the seeded Application Job Role, Cash Manager (Application Role), and in the copy,
replace the Cash Management Administration duty role with the one we just created (EF Cash Management
Administration Custom).

1. From the Roles: fscm page, query Cash Manager and be sure to pick the one that has “(Application
Role)” appended:

Tools > Security Console > Copy Role
2. Copy the job role and choose Copy top role.
3. Edit the Role Name, Role Code, and Description.
4. Click Next

Copy Role > Role Hierarchy
5. In the Role Hierarchy page, delete the Cash Management Administration duty role.
6. Then click the Add Role button to assign the newly created duty role.
7. Just query the name, then click the Add Role Membership button.

8. Review Role Hierarchy. It should look like below.
9. Click Next. Review Summary and Impact Report. Submit and Close.

[Screenshot labels: Custom Application Job Role, Custom Duty Role]

Compare Roles

• Compare the seeded Application Job Role with the newly created custom Application Job Role.

Step 4: Copy and Edit Seeded External Job Role
Tools > Security Console > Copy Role
1. Query the Cash Manager job role that does NOT have “(Application Role)” appended (CE_CASH_MANAGER_JOB).
2. Copy it, selecting the Copy top role and inherited roles option.
3. Update the Role Name, Role Code, and Description.
4. Click Next > Next.

Copy Role > Role Hierarchy
5. In the Role Hierarchy page, delete the assigned Cash Manager Application Role and add your newly
created one by clicking the Add Role > Add Role Membership buttons.

6. Review Role Hierarchy. It should look like below.
7. Click Next.

[Screenshot labels: Custom Application Job Role, Custom External Job Role, Custom Duty Role]

Copy Role > Summary and Impact Report
8. Review Summary and Impact Report. Submit and Close.

Review External Role in APM

Note: In our Use Case, we have created a new Duty Role, Application Role and External Role for the fscm context/application.

If you want to customize the security for another application, you will need to perform the same steps for obi, hcm, etc. using Security Console, or change the Application Role Mapping directly in APM.

Step 5: Assign the New External Job Role to Your User
Task: Create Implementation User
1. Query an existing user from OIM using the task called “Create Implementation Users”.
2. Click the Roles tab and remove the existing External Role Cash Manager.
3. Assign your newly created role and close OIM.
4. Run the Retrieve Latest LDAP Changes process.

Step 6: Test the application
Log in as John.Operations

• Note: As expected, John.Operations cannot access the Manage Banks and Manage Bank Branches tasks.

• John.Operations is able to view and edit existing Bank Accounts.
• As expected, he cannot create new Accounts. The Add button is grayed out.

Customizing Security
Best Practices
We recommend the following when you wish to make security customizations:
• You must not customize predefined roles. You can identify these predefined roles by the ORA_ prefix in
the Role Code field. During each upgrade, predefined roles are updated to the specifications for that
release, so any customizations would be overwritten.
• Instead, always make a copy of the predefined role. Then, edit the copy and save it as a custom role.
  - Making your changes in a copy of a predefined role means that you can always compare to and roll
    back to the delivered role.
  - After a maintenance update or upgrade, you can compare your customized copy to the updated
    predefined source role. You can see the updates to the predefined role and decide whether to
    incorporate them into your custom role.
• You can best compare roles using the Security Console.
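
The privilege roll-up check from Step 1 and the seeded-versus-custom comparison recommended above, as an added example (not Oracle code and not part of the original slides). It uses a constructed in-memory model of the role hierarchy from this use case; the role contents are assumptions based only on the privileges the slides list, and a real audit would load them from your own role data.

```python
# Constructed model: role names follow the slides, contents are assumptions.
SEEDED_DUTY = "Cash Management Administration"
CUSTOM_DUTY = "EF Cash Management Administration Custom"
TOP_ROLE = "Custom External Job Role"

PRIVILEGES = {  # duty role -> privileges granted directly
    SEEDED_DUTY: {"Manage Bank", "Manage Bank Account", "Manage Bank Branch",
                  "View Bank", "View Bank Account", "View Bank Branch"},
    CUSTOM_DUTY: {"View Bank Account"},
}
CHILDREN = {  # role -> roles it inherits (result of Steps 3 and 4)
    TOP_ROLE: ["Custom Application Job Role"],
    "Custom Application Job Role": [CUSTOM_DUTY],
}
DENIED = {"Manage Bank", "Manage Bank Branch", "Manage Bank Account",
          "View Bank", "View Bank Branch"}
REQUIRED = {"View Bank Account"}


def effective_privileges(role, children, privileges, _seen=None):
    """Return {privilege: roles granting it} for everything that rolls up to role."""
    seen = set() if _seen is None else _seen
    if role in seen:  # guard against cyclic or repeated role membership
        return {}
    seen.add(role)
    result = {}
    for priv in privileges.get(role, ()):
        result.setdefault(priv, set()).add(role)
    for child in children.get(role, ()):
        inherited = effective_privileges(child, children, privileges, seen)
        for priv, sources in inherited.items():
            result.setdefault(priv, set()).update(sources)
    return result


def audit(top_role, children, privileges, denied, required):
    """Return (denied privileges still granted and by which role, required ones missing)."""
    eff = effective_privileges(top_role, children, privileges)
    leaks = {p: sorted(eff[p]) for p in denied if p in eff}
    missing = sorted(required - set(eff))
    return leaks, missing


def removed_from_seeded(seeded, custom, privileges):
    """Privileges in the seeded role that the custom copy no longer grants."""
    return sorted(privileges[seeded] - privileges[custom])


if __name__ == "__main__":
    print(audit(TOP_ROLE, CHILDREN, PRIVILEGES, DENIED, REQUIRED))
    print(removed_from_seeded(SEEDED_DUTY, CUSTOM_DUTY, PRIVILEGES))
```

A non-empty first result means a restricted privilege still reaches the user through some inherited role, for example when the seeded duty role was not deleted from the copied application role.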
