
Understanding Oracle Learning Cloud Access Control

MAY 15, 2020

TABLE OF CONTENTS

Understanding Access Control
Access Groups
  Types of Access Groups
How Access Groups Work
  Understanding Access Control Data Processing
  Create or Update Access Group
Local Access Groups
  Set System Wide Default Local Access Group
  Define Access Rules
  Set the Learning Item Default Access Group
  Named or Ad Hoc Access
  Set Access Group Priorities
Global Access Groups
  Find Global Access Groups
  Manage Global Access Groups
  View Global Access Groups
  Edit Global Access Groups
  Create Global Access Groups
  Associate Global Access Group to Learning Item
  Global Access Comparison Example
  Recommended Steps to Transition from Local Access Groups to Global Access Groups
  Global Access Group Security Needs
  Access Group ESS Job
Self-Service View Mode Override
Community Membership and View Mode
Access List Management of Self-Service Learning Items
Follow Feature
Data Security Policy Based Access
  Run ESS Job to Update User Permissions
Additional Data Security condition examples
  Basic Method: Restricting Access to Catalog Items Using AOR
  Advanced Method: Restricting Access Using Constant Flex Field
  Advanced Method: Handling Learning Items by Instructors
  Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value
Understanding Access Control Enforcement Across All Access Types



Note: In the images or examples included in this document, user details, company names, addresses, emails, and/or telephone numbers
represent a fictitious sample of data (based on made-up data used in a demo environment). Any similarity to actual persons, living or
dead, is purely coincidental and not intended in any manner.



UNDERSTANDING ACCESS CONTROL
This white paper discusses how you can set up Access Control in Oracle Learning Cloud. Access Control determines who can access
what learning items.

There are two ways you can set up Access Control to achieve this:

- Use Access Groups - This functionality is specific to Oracle Learning Cloud and enables you to control access to learning
items.

- Use Oracle HCM Cloud data security functionality - You can use data security policies to control access to learning items.

ACCESS GROUPS
Access groups define a set of rules at a learning item level. These rules determine:

- Whether an item is visible to learners, and the pre-assignment behavior in learner self-service
- How much information displays to learners
- How they can engage with the learning item

When you create an access group, you are essentially creating an “access list” of all learners who can view a learning item based on a
set of rules. “Access records” represent the individual learners who can view a learning item within the access list.

Access groups can be:

- Named - You can create a logical group of learners, based on selection criteria. These groups are evaluated on an
ongoing basis (at intervals that were determined during your implementation), and can account for organizational changes
and employee movement within the workforce structure. For example, you can define a named access group based on an
organization chart group. The access group rules are applied to new people moving into the group, and removed from the
people no longer in the group. (See Understanding Access Control Data Processing below for more details.)

- Ad hoc - You can create access records outside of access groups. These are called “ad hoc access records”. Ad hoc
access groups are defined once, and remain based on the same set of learners as at the time of the group's creation. You
can only manage these groups manually.

Types of Access Groups


There are two different types of access groups:

- Global Access Group - an access group that can be created once and then used across multiple learning items, utilizing
the same learner criteria (analysis object, org group, dynamic learner criteria, or other learning items) and access details.

- Local Access Group - a unique set of learners and access details that are specific to a learning item.



HOW ACCESS GROUPS WORK
Access Groups control the access and visibility of a learning item for a specific user. You can determine whether a learner can access a
learning item and the extent of information (Detail or Summary) about that learning item that can be viewed by members of an Access
Group.

These are some considerations about Access Groups:

- Access groups apply only until a learner is assigned a learning item. An access group has no effect after the learning item is
assigned to the learner.

- Access groups are created and managed similarly to learning records. They are stored as access records in the database, as a
relationship between the learner and the learning objects they can access.

- Access groups can be created once and reused on various learning items, or they can be created once for a single learning item.

- These settings are required to create and update access group records:

  - OTBI security of the “Run As” user, if an OTBI analysis is used to select learners

  - Fusion Data Security (Choose Learner DSP) policy applied to the “Run As” user

- These conditions then apply to the learner selection criteria used for creating access groups, which can be from an OTBI analysis,
Person Org Hierarchy, Person Criteria, or Assignment Criteria.

- The access groups can be reconciled periodically (e.g. daily) to account for learners who fall in or out of the destinations they are
part of.

- There can be more than one access group set on a learning item. Access is resolved so that the rule of the access group with the
higher priority supersedes the rule of the lower-priority access group. The priority of access groups can be managed at any time.

Read on for a detailed explanation of how to create and manage aspects of access groups and how they affect the access to learning
items.

Understanding Access Control Data Processing


Access groups are evaluated based on three processes. One process is run dynamically during access group creation or update. The
other processes are run on an ongoing basis based on two jobs that are scheduled in the system.

Create or Update Access Group


When an access group is created or modified, the User creating the group can select the “Run As” User. This is the User whose data
security will be used to set the Access Group data security when it is created or modified.

There is a dynamic process called Generate a List of People from Analysis Report that is kicked off on access group save. This
process performs the following steps:



STEP 1: DETERMINE THE PERSON LIST

- What user can determine a person list?

  - The user that has been identified in the “Run As” field on the Global Access Group.

- What data access does this user have?

  - Review this user and the OTBI data access that they have, if using an analysis object.

  - Review this user and the Choose Learner Access Data: Person Details Resource associated with this learner.

- Take the intersection of the data access that this user has to determine the Target Person List.

- Extract the Target Person List.

STEP 2: RECONCILE THIS PERSON LIST WITH THE CURRENT LIST OF PEOPLE IN THE ACCESS LIST

The reconciliation will be done as the Run As User. The Target person list will be placed in a person list table and
compared/reconciled against the current access list on the learning item.

- Persons that are new in the person list will be added to the access list.

- Persons that are no longer present in the person list will be removed from the access list.

Note: The Generate a List of People from Analysis Report is run dynamically on create/edit and this job cannot be
scheduled by the Administrator.



Ongoing Person Evaluation and Reconciliation

People can fall in or out of the destinations that are associated to the access group. For example, a new hire can come into an
Organization destination, or a person could fall off an analysis object. Therefore, processes need to be scheduled to evaluate changes
that occur within the organization and have an impact on the access lists.

The first job that is scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for Assignment
Rule. This job will:

- Determine the Person List. Determining the person list is dependent on the type of destination that is used:
  - Analysis Object, Organization and Person: Extract the persons that are in the destinations based on the user
that created the job.
  - Note: it is critical to ensure that the user creating the job has elevated data security privileges (viewing the
largest data set) so that there are no issues with the data being limited during the evaluate process. It is in
the customer’s best interest to use a user that has access to all data, so that data security issues do not arise and so
that this job performs very quickly because less data filtering is needed.
  - Learning Assignment Criteria and Person Criteria: Review the user that created the criteria and apply this
user’s Choose Learner Access Data: Person Details Resource.



- Reconcile this list of persons with the current list of people in the access list. Determining how to perform the
reconciliation is dependent on the type of destination that is used:
  - Analysis Object, Organization and Person:
    - Determine what user should be used; this is the user that has been identified in the “Run As” field.
    - Review this user and the Choose Learner Access Data: Person Details Resource associated with this
learner.
    - Reconcile the persons that are in the destinations with the appropriate Choose Learner Access Data:
Person Details Resource applied.
  - Learning Assignment Criteria and Person Criteria:
    - Review the user that created the criteria and apply this user’s Choose Learner Access Data: Person
Details Resource.

Note: In a future release, we will be changing the way we handle Learning Assignment Criteria and Person Criteria in the reconciliation
list of a person’s job. We will use the Run As user like we have done for the analysis object and the organization and person.



EXAMPLE USE CASE

John Doe, our Learning Administrator would like to create a global access group and use an analysis object to create the access list.
John Doe has different data security setup across OTBI and Fusion.

- Analysis object created by an administrator that shows all data in Business Units BU A through BU G
- John Doe has OTBI access, but only has data access to BU A and BU B
- John Doe in Fusion has data access to BU A, BU B and BU C

Let’s walk through the steps above to see what happens when John Doe creates an Access Group and then what happens if changes
are made to the global access group or to the destinations associated to the access group at a later point in time.

John Doe Creates an Access Group and Selects his User as the Run As User

Determine the Person List

Determine what user should be used, this is the User that has been identified in the “Run As” field. Take this Run As User and
determine what type of data access they have across OTBI and Fusion and then choose the most restrictive data set. In this case, the
Global Access Group will have an access list that contains people from Business Unit A and Business Unit B, which is the most
restrictive data set.

Review this user and the OTBI data access that they have if using an analysis object.

- John Doe has access to Business Unit A and Business Unit B in OTBI

Review this user and the Choose Learner Access Data: Person Details Resource associated with this learner in Fusion security.

- John Doe has access to Business Unit A, Business Unit B, and Business Unit C in Fusion

The final access list for the global access group will include persons from Business Unit A and Business Unit B.



John Doe Edits an Access Group

John adds a new analysis object to the Global Access Group. For simplicity's sake, this analysis object contains only the person Jane
Doe, and John has access to Jane’s person record in both OTBI and Fusion. Let’s also say that at this time Ron Black leaves the
company and so is no longer in Business Unit B.

- Analysis object created by an administrator that shows all data in Business Units BU A through BU G
- John Doe has OTBI access, but only has data access to BU A, BU B and Jane Doe
- John Doe in Fusion has data access to BU A, BU B, BU C and Jane Doe

Because a change has been made to the Global Access Group, the Generate a List of People from Analysis Report runs on edit:
the person list is determined again, and this list is reconciled to update the access list.

Determine the Person List

Determine what User should be Used, this is the User that has been identified in the “Run As” field. Take this Run As User and
determine what type of data access they have across OTBI and Fusion and then choose the most restrictive data set. In this case the
Global Access Group will have an access list that contains people from Business Unit A and Business Unit B and Jane, which is the
most restrictive data set.

Review this user and the OTBI data access that they have if using an analysis object.

- John Doe has access to Business Unit A, Business Unit B and Jane Doe in OTBI

Review this user and the Choose Learner Access Data: Person Details Resource associated with this learner in Fusion security.

- John Doe has access to Business Unit A, Business Unit B, Business Unit C and Jane Doe in Fusion



The final data access temp table for the global access list will include persons from Business Unit A, and Business Unit B and Jane.

Reconcile the New list of Persons with the current list of people in the final data access temp table. Jane is a new person that is
identified in a new analysis object destination and Ron Black was in Business Unit B but has left the organization. The reconciliation
job will compare persons in the final data access temp table with persons that are currently in the global access group and reconcile the
two.

- Add persons to the access list if they are not already in it: Jane is in the final data access temp table but she is not in the
current global access list, so Jane will be added to the Global Access List.
- Remove persons from the access list if they are no longer in the final data access temp table: Ron is no longer in Business
Unit B, so he is no longer in the final data access temp table, but he is in the current Global Access List. Ron will be removed
from the Global Access List.

Ongoing Person Evaluation and Reconciliation – 1 week later BU A is no longer in the Analysis object and Business Unit B
has Person Z added and Jane removed.

The first job that is scheduled to run for this evaluation and reconciliation process is the Evaluate Person IDs for Assignment Rule.

Determine what user should be used. Because the destination is an analysis object, this is the user that created the job; let’s say they
have access to all persons. Determine what type of data access this person has across OTBI and Fusion. In this case the data access
set will have BU A, BU B, Jane and Person Z.



Reconcile this list of Persons with the current list of people in the access list. Determining how to perform the reconciliation is
dependent on the type of destination that is used:

Review the user that should be used in reconciliation. This is the individual in the Run As field, who is John Doe. We then use John
Doe’s Choose Learner Access Data: Person Details Resource data privilege to determine what data to reconcile. John Doe in Fusion
has data access to BU A, BU B, BU C and Jane Doe. Therefore, the reconciliation process will ignore Person Z, even though this
person exists in the initial data access.
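The two-step process described under Create or Update Access Group, and the Run As behaviour of the ongoing job in the example above, can be modelled in a few lines. The following Python is an added example and is not Oracle's code: the people, business units and users are constructed sample data, and the function names (target_person_list, reconcile, visible) are assumptions chosen to mirror the steps the paper describes. Person Z is deliberately placed in a unit the Run As user cannot see in Fusion, so the "ignored during reconciliation" behaviour is visible; Ron Black is present at creation and gone by the time the scheduled job runs, so removal is visible too.

```python
"""Model of the two-step access-list computation described in this section.

Added example, not Oracle's code. The people, business units and users are
constructed sample data, and the function names are assumptions chosen to mirror
the steps the paper describes: determine the person list as the "Run As" user
(most restrictive of OTBI and Fusion access), then reconcile it against the
current access list by adding new people and removing absent ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    business_unit: str


@dataclass(frozen=True)
class User:
    """Data access a user holds in each security layer."""
    name: str
    otbi_units: frozenset                   # business units visible through OTBI
    fusion_units: frozenset                 # units visible via Choose Learner Access Data DSP
    named_people: frozenset = frozenset()   # people visible by name in both layers


def visible(user, people, layer):
    """People the user can see in one layer ('otbi' or 'fusion')."""
    units = user.otbi_units if layer == "otbi" else user.fusion_units
    return {p for p in people if p.business_unit in units or p.name in user.named_people}


def target_person_list(run_as, destination_people, uses_analysis=True):
    """Step 1: the most restrictive set across OTBI and Fusion for the Run As user.

    An analysis-object destination is read with OTBI access, then intersected
    with the Fusion data security (Choose Learner DSP) the Run As user holds.
    """
    fusion = visible(run_as, destination_people, "fusion")
    if not uses_analysis:
        return fusion
    return fusion & visible(run_as, destination_people, "otbi")


def reconcile(current_list, target, reconcilable=None):
    """Step 2: add people new to the target list, remove people no longer in it.

    `reconcilable` is the set of people the reconciling user is allowed to touch
    (the Run As user's Fusion access in the ongoing job); people outside it are
    left untouched, which is what the paper describes for Person Z.
    Returns (new_list, added, removed).
    """
    if reconcilable is None:
        reconcilable = current_list | target
    added = (target - current_list) & reconcilable
    removed = (current_list - target) & reconcilable
    return (current_list | added) - removed, added, removed


# Constructed sample data.
WORKERS = {Person(f"Worker {u}", f"BU {u}") for u in "ABCDEFG"}
RON = Person("Ron Black", "BU B")        # leaves the company before the ongoing job
JANE = Person("Jane Doe", "BU E")        # visible to John by name, not by unit
PERSON_Z = Person("Person Z", "BU D")    # assumption: placed outside John's Fusion access
JOHN = User("John Doe",
            otbi_units=frozenset({"BU A", "BU B"}),
            fusion_units=frozenset({"BU A", "BU B", "BU C"}),
            named_people=frozenset({"Jane Doe"}))
JOB_CREATOR = User("Job Creator",        # elevated user that owns the scheduled job
                   otbi_units=frozenset(f"BU {u}" for u in "ABCDEFG"),
                   fusion_units=frozenset(f"BU {u}" for u in "ABCDEFG"))


def initial_creation():
    """John creates the group with himself as Run As, from an analysis covering BU A..G."""
    return target_person_list(JOHN, WORKERS | {RON})


def ongoing_job(current_list):
    """Evaluate Person IDs for Assignment Rule: evaluation uses the job creator's
    access; reconciliation is limited to the Run As user's (John's) Fusion access."""
    destination = {Person("Worker A", "BU A"), Person("Worker B", "BU B"), JANE, PERSON_Z}
    evaluated = target_person_list(JOB_CREATOR, destination)
    allowed = visible(JOHN, destination | current_list, "fusion")
    return reconcile(current_list, evaluated, allowed)


if __name__ == "__main__":
    first = initial_creation()
    final, added, removed = ongoing_job(first)
    print("created:", sorted(p.name for p in first))
    print("added:", sorted(p.name for p in added), "removed:", sorted(p.name for p in removed))
    print("final:", sorted(p.name for p in final))
```

The point to take from running it is the one the paper makes about the Run As user: the Fusion data security of whoever is named in that field, not of the administrator who happens to schedule the job, bounds what the reconciliation can add or remove, so a Run As user with narrower access than the job creator silently leaves people out of the access list.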

LOCAL ACCESS GROUPS


Local Access Group rules are defined system-wide, per learning item, and per access group to provide you with the ability to configure
access as granularly as needed.



Set System Wide Default Local Access Group
The system-wide default rules are used as the learning item default rules for courses, specializations, and access groups when they are
created. Changes to the system level access rules do not affect learning item or access group rules that already exist. Define default
system-wide rules in the Setup area of Learning Cloud.

- In the My Client Group area, click Learning.

- Click Setup.

- Click Learning Item Default Attributes.

Define Access Rules


Access Rules define how much information displays to learners, and how they can engage with the learning item.

- Self-Service Details View Mode: Defines whether the learning item is discoverable in self-service and, if so, the level of detail
displayed on the learning item’s details page to learners.
  - No Access: The learning item is not discoverable and not included in search results.
  - Details View: The learning item is discoverable, and on the item’s self-service details page learners see all the
available information. This setting is not supported for offerings.
  - Summary View: The learning item is discoverable, and on the item’s self-service details page most of the details
are hidden from the user.
- Created by Learner: Defines whether learners must obtain an approval when registering for a learning item.
  - Active: No approval needed; learners can register themselves directly.
  - Requested: Approval is triggered when a learner requests to register.



    Two additional options appear when Requested mode is selected:
    - Show learning request form: when selected, a form is presented to learners when they request a learning item, to
capture information that can be used in the approval process.
    - Activate approved learner requests: when selected, the system automatically activates the assignment after
approval is obtained. When not selected, the assignment remains in Request Approved status and requires
manual activation by an administrator.
- Check box: Allow even if required prerequisites are not achieved. When selected, this option allows learners to register for
or request the learning item, and their assignment ends up in a Pending Prerequisite status.
- Number of days to expire assignments in pending prerequisite status: Enabled when the above option is selected; defines
the number of days learners have to achieve the prerequisites before their assignment is cancelled by the system.
- Created by Manager: Defines whether a manager’s assignment to their people must obtain approval.
  - Active: No approval needed; the manager’s assignment is activated automatically.
  - Requested: Approval is triggered when the manager requests learning for their team. The same two options as for
learner Requested mode above apply.
  - Request Approved: No approval is triggered, but the assignment is created in a Request Approved status
requiring an administrator to manually activate it.
    - Only the additional Show learning request form option is available in this configuration.
- For courses in a specialization: Option only available in Setup; defines the default assignment mode (Active or
Requested) for courses in a specialization. This setup value is picked up by specializations by default and can be changed
per specialization.
  - Active: For courses accessed from specializations, force learners to Active mode regardless of the configuration on
the course itself.
  - Requested: For courses accessed from specializations, force learners to Requested mode regardless of the
configuration on the course itself.
  - Inherit from Course: For courses accessed from specializations, respect the assignment mode defined on the
course.
  - Inherit from Specialization: For courses accessed from specializations, force learners to Active or Requested mode per
the specialization configuration, regardless of the course configuration.

A voluntary or required learning assignment on the item always provides full access to it and bypasses the access rules that are
defined. Additionally, when creating an offering, its default access rules are obtained from its parent course, not the system level rules.

Set the Learning Item Default Access Group


Learning item default access rules apply to all learners accessing a learning item prior to having an assignment on it.



These defaults are configurable from either the course, specialization or offering detail pages on the Learners tab, or on the Access or
Access Group sub tab via the Manage Default Access button. You can alter the access settings for an individual learning item, and
these settings apply to all learners who do not have an assignment on the item.

Named or Ad Hoc Access


Learning items can have named or just ad hoc access. (See the Access Groups section above for additional details.)

Named access groups are accessible from the Access Groups sub tab, and represent a logical grouping of people with a specific set of
rules. You can select people in a variety of ways, similar to learning initiatives. The group or set of people defined in an access group
is evaluated on a continuous basis for changes. This is why named access groups are used to capture those group definition
changes, apply rules to new people, and remove rules for people no longer in that definition. Ad hoc access groups are created from
the Access tab. While a logical group of people can be defined when creating an ad hoc access group, once created, they can only be
managed individually. Furthermore, ad hoc access groups only evaluate the learner selection at creation time and not continuously
afterwards; therefore, group criteria changes are not applied.



The Access tab is also where the admin can find the expanded list of the named access groups and represents the full set of people
with access defined via named or ad hoc access groups.

Set Access Group Priorities


It is possible to define multiple named access groups, and each group may have overlapping sets of users. To resolve conflicting rules
between named access groups, each group has a priority defined. This determines the priority in which the rules are evaluated for a
given person to determine which rules will apply for them. Rules are applied as follows for a given learner accessing the learning item
prior to having an assignment on that item.

- Rules per the highest-priority named access group that includes the learner
- If not included in any named access group, then rules per the ad hoc access for that learner
- If no ad hoc access for this learner, then rules per the item’s default access rules

For example, let’s say there is a sales group at priority 1 and a US employees group at priority 2. A person in both groups will have the
rules of the sales group applied, as that is the first priority, whereas a person only in the US employees group would get the rules of that
group applied. Rule evaluation priority also extends to ad hoc groups, which have the lowest priority and apply only if the person is
not included in any named access group.
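The precedence just described (named groups by priority, then ad hoc access, then the item default, with an existing assignment bypassing all of it), combined with the Created by Learner and prerequisite options from Define Access Rules, is what decides what a learner actually sees and gets when they self-register. The following Python is an added example, not Oracle's code: the rule values mirror the options listed in this document, but the class and function names (AccessRules, NamedAccessGroup, LearningItem, effective_rules, self_register) and the sample groups and people are constructed assumptions.

```python
"""Which access rules apply to a learner, and what their self-registration yields.

Added example, not Oracle's code. The rule values mirror the options the paper
lists (view modes, Created by Learner modes, the prerequisite check box); the
class and function names, and the sample groups and people, are constructed
assumptions used to illustrate the precedence order described above.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRules:
    view_mode: str                      # "No Access", "Summary View" or "Details View"
    created_by_learner: str             # "Active" or "Requested"
    allow_without_prerequisites: bool = False
    prerequisite_expiry_days: int = 0   # only meaningful when the flag above is set


@dataclass(frozen=True)
class NamedAccessGroup:
    name: str
    priority: int                       # 1 is the highest priority
    members: frozenset                  # the expanded access list
    rules: AccessRules


@dataclass
class LearningItem:
    name: str
    default_rules: AccessRules
    named_groups: tuple = ()
    ad_hoc: dict = field(default_factory=dict)   # learner -> AccessRules
    assigned: frozenset = frozenset()            # learners who already hold an assignment


FULL_ACCESS = AccessRules("Details View", "Active")   # an assignment bypasses access rules


def effective_rules(item, learner):
    """Resolve (source, rules) for one learner on one item.

    Precedence: an existing assignment bypasses access control; otherwise the
    highest-priority named group containing the learner wins, then any ad hoc
    record for the learner, then the item's default rules.
    """
    if learner in item.assigned:
        return "assignment", FULL_ACCESS
    for group in sorted(item.named_groups, key=lambda g: g.priority):
        if learner in group.members:
            return f"named:{group.name}", group.rules
    if learner in item.ad_hoc:
        return "ad hoc", item.ad_hoc[learner]
    return "default", item.default_rules


def self_register(item, learner, prerequisites_met):
    """Outcome of a learner-initiated registration under the effective rules."""
    _, rules = effective_rules(item, learner)
    if rules.view_mode == "No Access":
        return "not discoverable"
    if not prerequisites_met:
        if not rules.allow_without_prerequisites:
            return "blocked: prerequisites required"
        return f"Pending Prerequisite (expires in {rules.prerequisite_expiry_days} days)"
    return "Active" if rules.created_by_learner == "Active" else "Requested (approval triggered)"


# Constructed sample data: the sales / US employees example from the text.
SALES = NamedAccessGroup("Sales", 1, frozenset({"Alex", "Casey"}),
                         AccessRules("Details View", "Active"))
US_EMPLOYEES = NamedAccessGroup("US Employees", 2, frozenset({"Alex", "Blake"}),
                                AccessRules("Summary View", "Requested", True, 30))
COURSE = LearningItem(
    name="Secure Coding 101",
    default_rules=AccessRules("No Access", "Requested"),
    named_groups=(US_EMPLOYEES, SALES),          # order does not matter; priority does
    ad_hoc={"Pat": AccessRules("Details View", "Requested")},
    assigned=frozenset({"Riley"}),
)


if __name__ == "__main__":
    for learner in ("Alex", "Blake", "Pat", "Quinn", "Riley"):
        source, rules = effective_rules(COURSE, learner)
        print(f"{learner:6} {source:18} {rules.view_mode:13} -> {self_register(COURSE, learner, True)}")
```

Two things the run makes concrete: priority, not the order in which groups were attached to the item, decides between overlapping named groups (Alex gets the Sales rules although US Employees is listed first), and the item default of No Access is what a learner in no group and with no ad hoc record ends up with, so an item is effectively hidden until some access record grants it.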

GLOBAL ACCESS GROUPS


Global access groups help you avoid creating large numbers of local access groups containing large numbers of people. With local
access groups, you have to duplicate the same destination (analysis object, org group, dynamic learner criteria, or other learning items)
across all of your learning items. This duplication has caused a massive spike in the number of records stored in some of the Oracle
Learning Cloud core tables, which in turn causes certain scheduled jobs and features to perform at a non-optimal rate.

The key value proposition points for the global access group feature are:

- Streamline the creation of access control in Oracle Learning Cloud. You no longer need to create the same access group
with the same destination across multiple learning items. This is very efficient for administrators because they can
create one global access group and then associate it to multiple learning items.
- Reduce data growth in certain tables within Oracle Learning Cloud.
- Increase performance for features that utilize access control by minimizing the number of records that must be evaluated
for access.
- Increase performance in the jobs that reconcile access in Oracle Learning Cloud. Currently, jobs run on a schedule to
determine whether there are new people that need to be added to or removed from access. With one global access group
instead of multiple local access groups per learning item, there are fewer records to review during the reconciliation
process.
- Improve the usability of the Follow feature so it is clear how to associate access on an object based on a parent object’s
access.



Find Global Access Groups
To access Global Access Groups, click the Global Access Groups tab on the Catalog Resources page.

You can use the search capability at the top of the page to find existing global access groups. You can use the common search
capabilities by clicking Advanced for more search fields. You can also add more columns to the Search Results table by clicking View.

Manage Global Access Groups


In the Search Results section, you can edit a global access group by clicking Edit, or by clicking the global access group to open view
mode. When you remove a global access group, you are prompted to confirm the action, and you are also notified if there are learning
items that the global access group is associated with.

View Global Access Groups


When you click on a link to view a global access group, the global access view mode opens. From this page, you are able to view the
global access group definition, which consists of the learning item number and configuration settings such as self-service and manager
settings, assignment modes, and prerequisite configurations.



You can toggle to view the access information, which will display the access list (all of the people associated to the global access
group). You can use the common search capabilities by clicking Advanced for more search fields. You can also add more columns to
the Search Results table by clicking View.

Edit Global Access Groups


You can open edit mode from the view global access group page, or you can select the Edit action from the global access group search
results page. Making edits affects all learning items that a global access group is associated with.

If you edit viewers for learners, organization chart groups, select learning assignments, worker criteria, or learning assignment criteria,
the changes occur synchronously. All learning items associated with the global access group are updated. The Generate a List of
People from Analysis Report job is called to process this change.

If you edit viewers on an analysis, the changes occur asynchronously after the scheduled job Evaluate Person IDs for Assignment Rule
runs. All learning items associated with the global access group are updated. When you change an asynchronous item, a message
displays to alert you that the changes are processed.

If you edit any basic information or the access details of the access group, the changes will occur synchronously.



Create Global Access Groups
To create a new global access group:

- On the Catalog Resources page, click the Global Access Groups tab.

- Click Create to create a new Global Access Group.

- Enter the details for the access group. The fields are the same as those used with the local access groups feature. (The
difference between the global access group and the local access group creation process is that global access groups
do not maintain pricing data, and they do not support using a learning item as a destination.)

Associate Global Access Group to Learning Item


When you associate a global access group to a learning item, the Generate a List of People from Analysis Report runs, and the people
associated to the global access group expand and become part of the access list on the learning item.

Global Access Comparison Example

The table below shows an example of the difference in data volume when global access is used vs. local access only. In
the example, the Learning Cloud had over 2900 local access groups defined for each learning item, and many of the
destinations were repetitive across these access groups. The administrators created learning items using a default access
of “no access” and then created an analysis object for 40,000 employees. They then created an access group on every
learning item with this 40,000-person analysis object to grant them access. This caused the data in the system to explode
due to all the records being created in the system.

                       Groups                                        Access Records                                  Creation Reconciliation Impact
Local Access Groups    2900                                          100 million rows                                Reconciliation has to process 100 million rows
Global Access Groups   54 (53 Partner Groups and 1 Employee Group)   125,000 rows (75K Partners and 50K Employees)   Reconciliation has to process 125,000 rows

Recommended Steps to Transition from Local Access Groups to Global Access Groups
 Create a global access group that has the same destination of the local access you are replacing.
 Associate the global access group to the learning items that have the local access group you are replacing.
 Ensure that the global access group is at a higher priority than the local access group.
 Use the Access tab to validate that the expansion has occurred, and that the global access records are now present.
 Validate that access works with a set of users.
 Remove the local access group from learning item.
 Run the Expand and Reconcile Job.
 Validate that access works with set of users with the new global access group and the local access group removed.

Global Access Group Security Needs


Additional aggregate privileges have been added for administrators:

 View Global Access Groups - Allows administrators to view the Global Access tab, search and find Global Access
Groups, and view the Global Access Group details.

 Manage Global Access Groups - Allows administrators to create and edit global access groups.

These are the recommended steps to enable Global Access Groups in the system with these aggregate privileges:

 Add the View Global Access Group abstract role to the Administrators data role.

 Add Manage Global Access Group abstract role to the Administrators data role.

 Go to Workforce Structures, and update the description for the Administrator Data role to ensure that it reinitializes
successfully once it has been saved.

 Run Import User and Data Security Role job.

 Log out as the User, and log back in as the Administrator, and validate that the Administrator can View and Manage the
global access group.

Access Group ESS Job


Use the new Reconcile Access Groups job to reconcile global and local access groups. Previously, the Reconcile Dynamic
Assignments job reconciled local access groups, as well as initiatives, community assignments, and other dynamic assignments. There
are now two learning reconciliation jobs:

 Reconcile Access Groups – This job only reconciles local and global access groups. Recommended run frequency is
daily.

 Reconcile Dynamic Assignments – This job reconciles initiatives, community assignments, and other dynamic
assignments.

SELF-SERVICE VIEW MODE OVERRIDE


The follow feature has changed for courses and specializations. It is now configured using the view mode override setting on
courses and specializations: a course in relation to the specialization where it is used and the community catalog it is part of,
and similarly a specialization that is part of a community.

Course

There are additional settings for access control of a course when it is part of a specialization (backing one of its activities) or when it is
added to the catalog of any community. The course can use its own access settings or follow the access details defined for the
specialization and community. These settings can be seen on the Default Access pop-up accessed from Course -> Learners ->
Access/Access Groups -> Manage Default Access, under the Self-Service View Mode Override.

These two settings are available on a course and can be selected under the Self-Service View Mode Override.

- When a Course Is Accessed from the Learning Community, Let the Learning Community Control Access and Visibility

For example, create a course with default access set to No Access and the Learning Community Access and Visibility is selected. In this case, learners
will not be able to search and browse the course from the learning catalog. However, for an open community, the course will be visible to all learners.
For a closed and secret community, the course will be visible for its members. Learners will also be able to browse and search for the course within the
community catalog.

- When a Course Is Accessed from Specialization, Let Specialization Control Access and Visibility

In this case the course will follow the rules assigned to the specialization if the course is an activity within the specialization.

For example, create a course with the default access set to No Access, and Let Specialization Control Access and Visibility is selected. The
specialization has default access as Detail View. In such a case, learners can search the specialization and complete the course backing the
specialization activity. The course will not be searchable directly in the catalog, however.

Specialization

Similarly, a specialization can be configured such that its access mode can be overridden by the community access settings when the
specialization is part of this community catalog. This setting is available on the Default Access pop-up accessed from Specialization ->
Learners->Access/Access Groups->Manage Default Access under the Self-Service View Mode Override.

- When a Specialization Is Accessed from a Learning Community, Let the Learning Community Control Access and
Visibility

The specialization will be available for browse and search within the community catalog.

The self-service view of the learning item page is affected by the View Mode defined for the learning item. The View Mode can have
three different values.

- Details View – shows detailed information about the learning item including DFFs, Prerequisites, Learning Outcomes, Price etc.
- Summary View – shows limited restricted information about the learning item.
- No Access – cannot be searched or browsed from self-service.

The self-service View Mode determines which information about a learning item is visible to a learner when the item is accessed from self-service.

The View Mode becomes irrelevant when the learner has an Active assignment for the learning item, in which case the learner will always
see the Details View.

The visibility of a learning item is treated differently in the Mobile Port and the Mobile First UIs of Learning Cloud. We will discuss
both here.

Self-Service View Mode in Mobile Port

In the mobile port UI, the specific attributes are indicated for Details View and Summary View for Course, Offering and Specialization.

Course                 | Mobile Port                 | Mobile First
                       | Summary View | Details View | Summary View | Details View
Title                  | ✓            | ✓            | ✓            | ✓
Syllabus               | ✓            | ✓            | -            | ✓
Short Description      | ✓            | ✓            | -            | ✓
Cover Art/Branding     | ✓            | ✓            | -            | ✓
Expected Effort        | ✓            | ✓            | -            | ✓
DFF                    | -            | ✓            | -            | ✓
Prerequisites          | -            | ✓            | -            | ✓
Learning Outcomes      | -            | ✓            | -            | ✓
Offering List          | ✓            | ✓            | -            | ✓
Price                  | -            | ✓            | -            | ✓

Offering               | Mobile Port                 | Mobile First
                       | Summary View | Details View | Summary View | Details View
Title                  | ✓            | ✓            | ✓            | ✓
Description            | -            | ✓            | -            | ✓
Instructors            | -            | ✓            | -            | ✓
Offering Type          | ✓            | ✓            | -            | ✓
Offering DFF           | -            | ✓            | -            | ✓
Offering Dates         | -            | ✓            | -            | ✓
Language               | ✓            | ✓            | -            | ✓
Expected Effort        | -            | ✓            | -            | ✓
Language               | -            | ✓            | -            | ✓
Remaining Seats        | -            | ✓            | -            | ✓

Specialization         | Mobile Port                 | Mobile First
                       | Summary View | Details View | Summary View | Details View
Title                  | ✓            | ✓            | ✓            | ✓
Short Description      | ✓            | ✓            | -            | ✓
Cover Art/Branding     | ✓            | ✓            | -            | ✓
Description            | ✓            | ✓            | -            | (one mark not legible in the source)
Sections               | -            | ✓            | -            | ✓
DFF                    | -            | ✓            | -            | ✓
Section Activities     | -            | ✓            | -            | ✓

Self-Service View Mode in Mobile First

Details View shows all the learning item detail page sections and attributes within.

Summary View shows a message “Content restricted to members.” Learners need to enroll before they can see the complete details.

COMMUNITY MEMBERSHIP AND VIEW MODE


The visibility of a learning community is controlled by its Privacy and Membership. Privacy settings can be Open, Closed and Secret.

Privacy

The Privacy setting impacts the self-service experience of learner as follows:

Open - Learning community appears in search results, and anyone can view the content in this learning community.

Closed - Learning community appears in search results, but only members can view the content in this learning community.

Secret - Learning community appears in search results only for members of the community.

Membership

Membership controls what privileges members have within the community. Membership can be Community Manager, Member and
Required Member.

Once a learner becomes a member of a learning community, the privacy setting becomes irrelevant and the access becomes the same as
for an open community in self-service.

Community Managers can edit a learning community definition and create assignments. They can also add other members with any
level of community membership.

Required Members have access to the community catalog. Any required assignments get assigned to them depending on the
assignment settings. They can contribute to the community catalog if it is enabled.

Members can access learning from a catalog. They can contribute to the community catalog if it is enabled under privacy settings.
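As an added illustration (not part of the Oracle white paper), the following Python model encodes the rules from the Self-Service View Mode Override section and the Community Membership and View Mode section: the item's own view mode, the two "let the community / specialization control access" settings, community privacy (Open, Closed, Secret) and the rule that an active assignment always yields the Details View. The Community, LearningItem and Learner classes and all sample data are constructed for this example.

```python
from dataclasses import dataclass, field

# View modes and privacy values as named in the white paper.
DETAILS_VIEW, SUMMARY_VIEW, NO_ACCESS = "Details View", "Summary View", "No Access"
OPEN, CLOSED, SECRET = "Open", "Closed", "Secret"


@dataclass
class Community:                         # constructed model, not an Oracle API
    name: str
    privacy: str                         # Open, Closed or Secret
    members: set = field(default_factory=set)   # person ids of community members


@dataclass
class LearningItem:                      # course or specialization
    name: str
    default_view: str = NO_ACCESS        # Default Access view mode of the item
    let_community_control: bool = False  # "Let the Learning Community Control Access and Visibility"
    let_specialization_control: bool = False  # courses only: "Let Specialization Control Access and Visibility"


@dataclass
class Learner:
    person_id: int
    active_assignments: set = field(default_factory=set)  # names of items with an active assignment


def catalog_view(item, learner):
    """View mode when the learner reaches the item directly from the learning catalog."""
    if item.name in learner.active_assignments:
        return DETAILS_VIEW              # an active assignment always shows the Details View
    return item.default_view


def community_content_visible(community, learner):
    """Privacy rules: Open -> anyone; Closed and Secret -> members only."""
    if community.privacy == OPEN:
        return True
    if community.privacy in (CLOSED, SECRET):
        return learner.person_id in community.members
    raise ValueError(f"unknown privacy setting: {community.privacy}")


def community_in_search_results(community, learner):
    """Open and Closed communities are listed for everyone; Secret only for members."""
    return community.privacy != SECRET or learner.person_id in community.members


def visible_in_community_catalog(item, community, learner):
    """Can the learner browse/search the item inside the community catalog?"""
    if item.name in learner.active_assignments:
        return True
    if item.let_community_control:
        return community_content_visible(community, learner)
    return catalog_view(item, learner) != NO_ACCESS   # the item's own access settings apply


def course_view_via_specialization(course, specialization, learner):
    """View mode of a course reached as an activity of the specialization."""
    if course.name in learner.active_assignments:
        return DETAILS_VIEW
    if course.let_specialization_control:
        return catalog_view(specialization, learner)   # course follows the specialization's rules
    return course.default_view
```

With the white paper's own scenario (course defaulting to No Access, both overrides selected, specialization at Details View), `catalog_view` returns No Access, so the course is not searchable directly, while `visible_in_community_catalog` is true for everyone in an open community and only for members in a closed or secret one, and `course_view_via_specialization` returns the Details View.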

ACCESS LIST MANAGEMENT OF SELF-SERVICE LEARNING ITEMS
Access groups are not used with self-service created learning items: Video, Tutorial and Self-Service Learning Community.

For self-service Video and Tutorial items, visibility is managed using the Privacy attribute, which can be either open to everyone
or restricted via the Secret option to a list of people the author adds explicitly. The current version supports adding a
single user at a time. In that case, the learning item is visible in search results only to the specified list of users, which acts as the
access list. Note: Changes to Privacy or Access Lists do NOT affect Approvals.

Tutorial Privacy is defined as Open or Secret. In the case of Secret, the author of tutorial can select individual people who can view this
tutorial. Selecting privacy is required and this value defaults to Open.

Privacy for a self-service learning community can be Open, Closed and Secret.

 Open: appears in search results and anyone can view the content in this community.
 Closed: appears in search results but only members can view the content in this learning community.
 Secret: appears in search results only for the members of the community

The creator of a Learning community has Community Manager access by default. A Learning Community Manager can optionally be
added as a member. Learning Community Managers can define user access at the individual user level or at the group access level.
The member list shows the complete list of members currently in the community, either added directly, or as a result of group access
definition. Note: Self Service Learning Communities do not have Required Members unlike the admin community.

FOLLOW FEATURE
The “Follow” feature has been removed from Learning Cloud because of this enhancement. In previous versions, when you created a
child learning item (such as an offering for a course), you were prompted to indicate whether you wanted to have the learning item to
“follow” the access control set on the parent item. This prompt is now gone. Instead, you can use a Global Access Group for both the
course and the offering.

However, you may not want an offering to follow the same access as the course. Maybe one offering of a course is only offered to C
level employees while the other offerings are available to everyone. In this case, the course would have an access group that allows
everyone, and when the restricted offering is created, the administrator would create an access group for only the C level employees.

DATA SECURITY POLICY BASED ACCESS


Another option that can be used to set up access is by using data security policies.

In Oracle Learning Cloud, this is generally used to restrict access to items from the Learning Specialist user interface (Catalog, Catalog
Resources, and assignments).

In general, data security policies articulate the security requirement of "Who can do what with which set of data." A data security policy
identifies the entitlement (the actions that can be made on logical business objects), the roles that can perform those actions, and the
conditions that define the access. Conditions are readable WHERE clauses. The WHERE clause is defined in the data as an instance
set, and this is then referenced on a grant that also records the table name and required entitlement. In the below setup example, let’s
look at an Admin and a Learner and how we would set up a custom condition for a group of Administrators and a group of Learners.
Create a group of administrators that is only able to see learning Items that have been created by someone within their hierarchy, and
learners that can only see learning items that have a certain language code.

 Use an Oracle Learning Cloud Database Resource that currently exists in the Learning Cloud. You can use “WLF” as a
prefix in your search. In the illustration below, you can see the object names that are supported, and the descriptions of
each object. For the examples that we are going to configure, we are going to look at isolating Learning Items so we
would use the “WLF_LEARNING_ITEMS_F” object.

 Create database conditions. The condition defines the WHERE clause (what data can this action be done against).
Conditions can be created by a filter or a SQL predicate. In our example, we are going to create a condition with an SQL
predicate for the Administrator to analyze the Administrator’s hierarchy, and a condition with a simple filter for learners.

o Administrator: Create a Custom SQL predicate to indicate only learning items in their hierarchy can be
displayed.

EXISTS (
  (SELECT 1
     FROM PER_ALL_ASSIGNMENTS_M A, PER_PERSONS P
    WHERE P.PERSON_ID = A.PERSON_ID(+)
      AND TRUNC(SYSDATE) BETWEEN A.EFFECTIVE_START_DATE(+) AND A.EFFECTIVE_END_DATE(+)
      AND A.EFFECTIVE_LATEST_CHANGE(+) = 'Y'
      AND A.ASSIGNMENT_TYPE IN ('E','C','N','P')
      AND P.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
      AND ( P.PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
            OR ( ( A.ASSIGNMENT_ID IS NULL )
                 OR ( A.ASSIGNMENT_ID IS NOT NULL
                      AND EXISTS (SELECT 1
                                    FROM PER_MANAGER_HRCHY_DN MH
                                   WHERE MH.PERSON_ID = A.PERSON_ID
                                     AND TRUNC(SYSDATE) BETWEEN MH.EFFECTIVE_START_DATE AND MH.EFFECTIVE_END_DATE
                                     AND MH.MANAGER_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
                                     AND MH.MANAGER_TYPE = 'LINE_MANAGER') ) ) ) )
  UNION ALL
  SELECT 1
    FROM PER_SHARE_INFORMATION SI
   WHERE SI.GRANTEE_PERSON_ID = (SELECT NVL(HRC_SESSION_UTIL.GET_USER_PERSONID,-1) FROM DUAL)
     AND SI.PERSON_ID = &TABLE_ALIAS.ATTRIBUTION_ID
)

 Learner: Create a filter to indicate only learning items where the language code is equal to English (en-us).

 Actions: Actions should not need to be defined. They should already be seeded.

 Associate the created data security policy to the appropriate data roles.

 Administrator: Associate the newly created administrator condition to the Data role that has been created by the
administrator. In the example below, we are going to put the custom condition on the Manage Catalog Learning Offerings
Privilege by editing the data security policy associated to the data role. The custom data security policy condition selected
will only allow administrators to manage offering learning items that have been created by individuals in their hierarchy.

Listing of the Policy Names on the Data Role

 Modify the condition on the Manage Catalog Learning Offerings Privilege

 Learner: Associate the newly created Learner condition to the Data role that has been created by the Administrator. In the
below example we are going to put the custom condition on the View Catalog Learning Items in Self Service Privilege by
editing the data security policy. The custom data security policy condition selected will only allow Learners to view
learning items that have a language code equal to English (en-us).

 Modify the condition on the View Catalog Learning Items in Self Service Privilege

Run ESS Job to Update User Permissions
Go back to the home page and click Tools > Scheduled Processes, then click “Schedule New Process”. Make sure to run the following ESS
job from the Scheduled Processes panel: “Retrieve latest LDAP changes”.

ADDITIONAL DATA SECURITY CONDITION EXAMPLES


This section contains some additional examples that can be applied, and they are listed from common to more extreme cases.

 By AOR (Area of Responsibility)

 By constant value on DFF (Data Flex Field)

 By Person DFF vs Learning Item DFF

 Establish an instructor role

Basic Method: Restricting Access to Catalog Items Using AOR


This section describes a standard method to restrict the learning specialist visibility to a specific AOR, showing the learning specialist
only the data created by another person who happens to fit the criteria defined by his area of responsibility.

The simple model applied here is the following:

 User A created a course while he is part of Business Unit 1.


 User B is part of a different business unit, but has an AOR that also allows visibility on Business Unit 1.
 User B will see and act upon learning items created by User A.

For this, you need to add a general data policy at the role level (in this case it is preferable to have created a new role based on the
existing seeded roles).

CREATE SECURITY PROFILE FOR THE ROLE

 In Setup and Maintenance, search and select “Assign Security Profile to Role”

 Find the role on which you want to restrict access

 In the various parts, either select an existing security profile of your choice, or create new ones

If you select a restriction by AOR, you are asked to define that AOR. The illustration below shows the Responsibility Type as Learning
representative, and the Scope of Responsibility as Business Unit.

 Submit your new policy on the role.

 Verify changes.

 Assign this role to a user.

Return to the security console. View the role to see that in the Data Policies applied, it has now been filled up with different data policies
on different privileges.

The illustration below shows that each privilege under that role is now subject to an SQL-based filter condition that applies each time a
learning specialist searches for a specific item in Learning Cloud. This is what happens when data security is applied to a specific role
from Setup and Maintenance: the SQL condition is generated for you.

You can customize this per privilege, and on each one you can apply a different security policy if available. This means each privilege
identified in a role can hold its own predefined condition. (For example, Course view and creation could be Global, but Offering View and
Creation could be AOR-based.)

If you want more details on how that policy works, you can go directly in the Administration panel of the security console and click
Manage Database Resources.

 Search for “WLF” in the Object Name filter, and select WLF_LEARNING_ITEMS_F.

 Click Edit.

 When the resource opens, select the Conditions tab.

 Look for the custom policy you created before.

 Select it, and click Edit.

When you click Edit, you can see the SQL predicate that was generated by the system upon the policy creation. Keep in mind the more
complex the query becomes, the more impactful it will be upon UI search performance and OTBI reports.

VERIFY AOR OF THE SELECTED USER(S)

Make sure the user has the right AOR and AOR criteria set up (here, by business unit).

Once the process has run successfully, log in as the user to whom you assigned the custom role. In the offering search, notice that you
cannot find any other offering existing in the catalog:

It is the same for courses.

However, users can create their own courses, and they will see all courses created by users who are part of the business unit covered
by the same AOR.

When creating assignments for a course, users can only target people from their AOR. In the following illustration, it is based on
business unit.

Advanced Method: Restricting Access Using Constant Flex Field


This example shows how to segregate catalog access on the learning specialist user interface, based on the constant value of a flex
field at learning item level. This constant value can be replaced by a list of values if required.

It works better when segregating the catalog by learning item criteria (like a catalog category) rather than by criteria related to the
current page user.

SQL Predicate Example:

&TABLE_ALIAS.LEARNING_ITEM_ID IN (SELECT c.learning_item_id
                                    FROM WLF_LI_COURSES_F c
                                   WHERE c.CRS_ATTRIBUTE1 = 'Compliance'
                                     AND c.CRS_ATTRIBUTE1 IS NOT NULL)

Next, perform the same changes as the ones described in the above chapter to apply this condition to the role. This newly created
condition can be applied as an exception to the following privileges depending on the desired effect.

 Manage Catalog Learning Specializations

 Manage Catalog Learning Courses

 Manage Catalog Learning Offerings

 View Catalog Learning Items by Administrator

Make sure to run the Retrieve Latest LDAP Changes scheduled process.

Advanced Method: Handling Learning Items by Instructors


The following SQL predicate example should be used when there is a need for a specific instructor role, where the instructor should only
be allowed to see the courses and offerings on which he or she is designated as one of the instructors.

SQL Predicate Example:

EXISTS (
  /* for course search */
  SELECT 1
    FROM wlf_learning_items_f itm,
         WLF_ACCESS_PERMISSIONS_F prms,
         WLF_ASSIGNMENT_RECORDS_F recs
   WHERE itm.learning_item_id = recs.learning_item_id
     AND recs.EVENT_TYPE = 'ORA_LI_INSTRUCT'
     AND recs.ACCESS_PERMISSION_ID = prms.ACCESS_PERMISSION_ID
     AND prms.INSTRUCTOR_ACCESS_MODE = 'Y'
     AND recs.LEARNER_ID = HRC_SESSION_UTIL.GET_USER_PERSONID
     AND itm.learning_item_id = QRSLT.learning_item_id
     AND itm.learning_item_type = 'ORA_COURSE'
     AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
     AND TRUNC(sysdate) BETWEEN prms.effective_start_date AND prms.effective_end_date
     AND TRUNC(sysdate) BETWEEN recs.effective_start_date AND recs.effective_end_date
  UNION
  /* for offering search, look for the primary instructor */
  SELECT 1
    FROM wlf_learning_items_f itm,
         wlf_li_classes_f c,
         wlf_instructor_resources r
   WHERE c.primary_instructor_ID = r.instructor_id
     AND r.person_id = HRC_SESSION_UTIL.GET_USER_PERSONID
     AND itm.learning_item_id = QRSLT.learning_item_id
     AND itm.learning_item_type = 'ORA_CLASS'
     AND itm.learning_item_id = c.learning_item_id
     AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
     AND TRUNC(sysdate) BETWEEN c.effective_start_date AND c.effective_end_date
  UNION
  /* for anything other than course/offering search */
  SELECT 1
    FROM wlf_learning_items_f itm
   WHERE itm.learning_item_id = QRSLT.learning_item_id
     AND itm.learning_item_type NOT IN ('ORA_COURSE','ORA_CLASS')
     AND TRUNC(sysdate) BETWEEN itm.effective_start_date AND itm.effective_end_date
)

Then perform the same changes as the ones described in the above chapter to apply this condition to the role. This newly created
condition can be applied as an exception to the following privileges depending on the desired effect.

 Manage Catalog Learning Specializations

 Manage Catalog Learning Courses

 Manage Catalog Learning Offerings

 View Catalog Learning Items by Administrator

Make sure to run the Retrieve Latest LDAP Changes scheduled process.

Advanced Method: Handling Learning Items Based on Learning Item vs Current User Flex Field Value
This method is for the more extreme cases where security by AOR or by a learning item flex field alone is neither strong nor
flexible enough. The use case covered here works as follows:

When an administrator searches for a learning item, the system will filter out the learning item result entries which do NOT contain a
specific value in a flex field.

This flex field value needs to be the same as the value of another flex field from the current user person profile value. A similar method
could be used on the Learner’s role.

 User A has ABCD value in his profile designated flex field.

 User B has EFGH value in his profile designated flex field.

 User D creates a learning item and adds ABCD in the flex field of the learning item.

 User A will be able to find the learning item because both his profile flex field and the learning item flex field values are matching.

 User B will not be able to find the learning item (unless the flex field value of this course changes to EFGH or his own profile flex
field changes to ABCD)

The SQL predicate demonstrated here needs to be implemented just like in the above example, by creating a custom condition that will
later on be applied to a specific privilege of a specific role:

EXISTS (
  /* Course Search page */
  SELECT 1
    FROM FUSION.WLF_LEARNING_ITEMS_F T
   WHERE TRUNC(SYSDATE) BETWEEN T.EFFECTIVE_START_DATE AND T.EFFECTIVE_END_DATE
     AND T.LEARNING_ITEM_ID = QRSLT.LEARNING_ITEM_ID
     AND T.CO_ATTRIBUTE1 = 'BU1'
     AND T.learning_item_type = 'ORA_COURSE'
  UNION
  /* Anything other than course search */
  SELECT 1
    FROM wlf_learning_items_f T
   WHERE T.learning_item_id = QRSLT.learning_item_id
     AND TRUNC(SYSDATE) BETWEEN T.EFFECTIVE_START_DATE AND T.EFFECTIVE_END_DATE
     AND T.learning_item_type NOT IN ('ORA_COURSE')
)

Note: The flex fields referenced here are placeholders, and the flex field column name might vary from one instance to another.

Make sure to run the Retrieve Latest LDAP Changes scheduled process.

UNDERSTANDING ACCESS CONTROL ENFORCEMENT ACROSS ALL ACCESS TYPES


A learning item can have a combination of access control types applied to it when a learner is attempting to access the learning item.
The following access control types can influence the access behavior:

 Data security

 Access records

 Assignments

Access enforcement is evaluated in the following priority order:

1. Data Security - Data security trumps all the other types of access. If through data security learners don’t have the authority to
view the learning item, they will not be able to view the learning item and the other access control types are not evaluated.

2. Assignment Records - Assignments trump access records. If a learner has access to an item via data security, and they have
a required or voluntary assignment, then the access record control type does not need to be evaluated.

a. Required or Voluntary Assignment – If a learner has a required or voluntary assignment then they can access the
learning item even though they are not granted access via an access record.

b. Recommended by an Administrator - If a learner has a recommended assignment then they can access the learning
item even though they are not granted access via an access record. Recommended assignments by the learner’s
manager or via Self-Service recommendations do not override access records.

3. Access Records: If learners don’t have access to the learning item because the learning item is set to no access by default
and they do not have a corresponding learning access record, then they will not have access.
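The three-step evaluation order above, written out as an added Python example (not Oracle code and not part of this white paper). The learner data security policy is the en-us language-code condition from the earlier data security example; the LearningItem and Learner classes, the assignment types and the sample people are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class AssignmentType(Enum):
    REQUIRED = "required"
    VOLUNTARY = "voluntary"
    RECOMMENDED_BY_ADMIN = "recommended by administrator"
    RECOMMENDED_BY_MANAGER = "recommended by manager"
    RECOMMENDED_SELF_SERVICE = "self-service recommendation"


# Step 2: only these assignment types override a missing access record.
# Manager and self-service recommendations do not.
OVERRIDES_ACCESS_RECORDS = {
    AssignmentType.REQUIRED,
    AssignmentType.VOLUNTARY,
    AssignmentType.RECOMMENDED_BY_ADMIN,
}


@dataclass
class LearningItem:                     # constructed model, not an Oracle API
    item_id: int
    language_code: str
    default_no_access: bool = True      # Default Access set to "No Access"
    access_records: set = field(default_factory=set)   # person ids granted via access groups / named access


@dataclass
class Learner:
    person_id: int
    assignments: dict = field(default_factory=dict)    # item_id -> set of AssignmentType


def learner_language_policy(learner, item):
    """Constructed data security condition: learners only see en-us learning items."""
    return item.language_code == "en-us"


def evaluate_access(learner, item, data_security_policy=learner_language_policy):
    """Return (allowed, reason) following the priority order: data security,
    then assignment records, then access records."""
    # 1. Data security trumps everything else; nothing below is evaluated on a deny.
    if not data_security_policy(learner, item):
        return (False, "denied by data security")

    # 2. Assignment records trump access records.
    kinds = learner.assignments.get(item.item_id, set())
    if kinds & OVERRIDES_ACCESS_RECORDS:
        return (True, "granted by assignment")

    # 3. Access records: either the item is open by default or the learner has a record.
    if not item.default_no_access:
        return (True, "granted by default access")
    if learner.person_id in item.access_records:
        return (True, "granted by access record")
    return (False, "no access record")


if __name__ == "__main__":
    course = LearningItem(1, "en-us", access_records={10})
    print(evaluate_access(Learner(10), course))
    print(evaluate_access(Learner(11, {1: {AssignmentType.RECOMMENDED_BY_MANAGER}}), course))
```

The example makes the two easy-to-miss rules explicit: a required assignment does not help a learner whom data security already excludes, and a manager or self-service recommendation is not enough on its own to open an item that defaults to No Access.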

Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are
subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be
reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or
registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks
of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0520
White Paper Understanding Oracle Learning Cloud Access Control
May 2020
Author: Oracle Learn Cloud Product Management
Contributing Authors:
