
Oracle Cloud Security Model

Release 10

Vijay Kumar Kanaka Korupolu


Platform Technology Solutions (PTS)
Oracle Development
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Copyright © 2015 Oracle and/or its affiliates. All rights reserved. | 2


Objectives
After completing this session, you should be able to:
• Understand the functionality provided by the Fusion Security Model
• Understand the roles delivered in the seeded security implementation



Oracle Cloud Security Model

WHO can do WHAT on WHICH set of data?



Security Key Concepts
• In Oracle Fusion Applications:

– Role-Based Access Control (RBAC): Function and data access is granted to users
through the roles assigned to them, never to the users directly.
– Function Security: Gives users access to pages in the application user interfaces
and controls the actions that can be performed on those pages.
• Each function security privilege secures the code resources that make up the relevant UI page.
– Data Security: Allows or restricts access to the data on those pages depending on
policies, conditions, masking, and encryption. Function security decides whether a
user can reach a page; data security decides which data the user can view on it.
– Privacy: Secures data that should not be available to other individuals and
organizations, or data whose exposure and use is under the owner's control.



Role Management Tools
• Oracle Identity Manager (OIM)
– Create Enterprise Roles
– Assign Roles to Users
– Task: Provision Roles to Implementation Users
• Authorization Policy Manager (APM)
– View, Create, Modify Duty Roles
– Create Policies
– Task: Manage Duties
• Oracle Fusion Human Resource Management Application (HCM)
– Create Role Provisioning Rules
– Create Users and Provision Roles
• Oracle Fusion Procurement Application (PRC)
– Create Procurement Agents
Roles
Key Concept



Types of Security Roles

Abstract Role: A generic role not specific to a particular job.
• Associated with a user irrespective of job or job function
• Example: Employee, Manager, Contingent Worker, etc.

Job Role: A role associated with the job of an employee.
• Maps closely to roles in most organizations and is provisioned to a user on request
• Example: Procurement Manager, Project Administrator



Duty Role: Defines the duties a user can perform; also called an application role.
Duty roles cannot be provisioned directly to users, but are inherited by enterprise
roles to control access to applications.
• Example: Processing Payables Invoices, Posting Journals

Data Role: Specific to a job within a dimension of data; augments the inherited
abstract, duty, or job roles with entitlement to access specific data.
• Example: a Procurement Manager in a particular business unit, or Processing Payables
Invoices for a specific BU



[Diagram: Job Role 1 inherits Duty Role 1 through Duty Role 5; the duty roles carry
the privileges P1 through P7]

Duty Roles are made up of:
• Function Security Privileges (Entitlement)
• Data Security Policies (Action)



[Diagram: role hierarchy for the Procurement Manager job]
Data Roles: Procurement Manager US Business Unit; Procurement Manager Germany Business Unit
Job Role: Procurement Manager
Duty Roles and their Privileges:
• Purchase Order Creation Duty
– Create Purchase Order
– Cancel Purchase Order
• Purchase Agreement Creation Duty
– Create Purchase Agreement
– Transfer BPA to Supplier
• Supplier Profile Enquiry Duty
• Supplier Qualification Viewing Duty
– Search Supplier Qualification
• Supplier Assessment Viewing Duty
– View Supplier Assessment

Fusion Automatically Creates Business Unit Specific Roles

Data Role = Job + Data Access

Job Role: Procurement Manager
Generated Data Roles: Procurement Manager – US; Procurement Manager – Germany



• Job Role: Procurement Manager
• Duty Roles:
• Requisition Line Processing Management Duty
• Supplier Profile Inquiry Duty
– Supplier Qualification Viewing Duty
• Supplier Qualification Attachment Inquiry Duty
• Supplier Qualification Response Attachment Inquiry Duty
• Purchase Order Creation Duty
• Purchase Agreement Creation Duty
• Negotiation Viewing as Buyer Duty
• Payables Invoice Inquiry Duty
– Party Information Inquiry Duty



Task: Manage Duties



Privileges granted to duties of the job role Procurement Manager
• Requisition Line Processing Management Duty
– Change Requisition Line
– Grouping Reassign Requisition Line
– Return Requisition Line
– Split Requisition Line
• Negotiation Viewing as Buyer Duty
– Research Suppliers
– Search Supplier Negotiation
– View Supplier Negotiation
– View Supplier Negotiation Response
• Supplier Qualification Viewing Duty
– Search Supplier Qualification
– View Supplier Qualification
• Purchase Agreement Creation Duty
– Cancel Purchase Agreement
– Create Blanket Purchase Agreement Line
– Create Blanket Purchase Agreement Line from Catalog
– Create Purchase Agreement
– Transfer Blanket Purchase Agreement to Catalog Administrator
– Transfer Blanket Purchase Agreement to Supplier
• Purchase Order Creation Duty
– Cancel Purchase Order
– Create Purchase Order
– Create Purchase Order Line from Catalog
– Create Purchase Order from Requisitions
• Payables Invoice Inquiry Duty
– View Payables Invoice



Types of Security Roles



Doris is hired…

For doing what all employees do:
• Abstract Role: Employee
• Duty Roles: Expense Reports (Enter Expenses Duty, Submit Expenses Duty), Purchase Requisitioner

For doing the job she was hired for:
• Job Role: Procurement Manager
• Duty Roles: Buyer Mgt Duty, PO Changes Duty
• Data Roles: Procurement Manager - US, Procurement Manager - Germany



Create Business Unit

[Diagram: a Business Unit is created and assigned the Requisitioning, Purchasing and
Invoicing Business Functions; each business function's Role Template has Job Role 1,
Job Role 2 and Abstract Role 1 attached, and generates Data Role 1 (Job Role 1 for the
BU), Data Role 2 (Job Role 2 for the BU) and Data Role 3 (Abstract Role 1 for the BU)]

• A Role Template is created for each Business Function
• Assign Job Roles / Abstract Roles to the Role Template
• When a Business Unit is created with specific business functions, the respective
Data Roles are generated automatically.
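The role hierarchy and the role-template generation described on the preceding slides, as an added illustration (this is not the deck's or Oracle's code): role and privilege names are taken from the slides, while the data structures, the template expansion and the "Expense Reports Duty" grouping are assumptions.

```python
# Added illustration, not Oracle's code: a minimal model of the Fusion role hierarchy on the
# slides. Names come from the deck; structures, template expansion and the expense duty are assumed.

# Duty roles carry the function security privileges (entitlements).
DUTY_PRIVILEGES = {
    "Purchase Order Creation Duty": {"Create Purchase Order", "Cancel Purchase Order"},
    "Purchase Agreement Creation Duty": {"Create Purchase Agreement",
                                         "Transfer Blanket Purchase Agreement to Supplier"},
    "Supplier Qualification Viewing Duty": {"Search Supplier Qualification",
                                            "View Supplier Qualification"},
    "Expense Reports Duty": {"Enter Expenses", "Submit Expenses"},  # assumed grouping
}
# Job and abstract roles inherit duty roles; duty roles are never provisioned directly.
ENTERPRISE_ROLES = {
    "Procurement Manager": {"Purchase Order Creation Duty",
                            "Purchase Agreement Creation Duty",
                            "Supplier Qualification Viewing Duty"},
    "Employee": {"Expense Reports Duty"},
}
# One role template per business function, listing the job/abstract roles attached to it.
ROLE_TEMPLATES = {"Purchasing": ["Procurement Manager"]}
DATA_ROLES = {}  # generated data role name -> (job or abstract role, business unit)


def create_business_unit(bu, business_functions):
    """Creating a BU with business functions generates Data Role = Job + Data Access."""
    generated = []
    for function in business_functions:
        for job in ROLE_TEMPLATES.get(function, []):
            name = f"{job} - {bu}"
            DATA_ROLES[name] = (job, bu)
            generated.append(name)
    return generated


def privileges_of(enterprise_role):
    """Flatten job/abstract role -> duty roles -> function security privileges."""
    return set().union(*(DUTY_PRIVILEGES[d] for d in ENTERPRISE_ROLES[enterprise_role]))


def can(user_roles, privilege, bu=None):
    """WHO (user_roles) can do WHAT (privilege) on WHICH data (bu). With bu=None only
    function security is checked; with a BU, only a data role scoped to it qualifies."""
    for role in user_roles:
        if role in DATA_ROLES:
            job, scope = DATA_ROLES[role]
            if bu in (None, scope) and privilege in privileges_of(job):
                return True
        elif bu is None and role in ENTERPRISE_ROLES and privilege in privileges_of(role):
            return True
    return False
```

Provisioning "Doris" the Employee abstract role plus the generated "Procurement Manager - US" data role lets her create purchase orders in the US business unit but not in Germany, which is the "who can do what on which set of data" check the deck describes.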



Create Business Unit and Assign Business Function



Task: Manage Duties (navigates to APM), then search for Role Templates



Role Template for Requisitioning Business Function



Roles (Abstract / Job) attached to a Role Template



Data Roles Generated for your Business Unit



Define Procurement Agents
Key Concept



Define Procurement Agents
• Grant Access to Procurement Actions and Documents
– Manage Requisitions
– Manage Purchase Orders
– Manage Purchase Agreements
– Manage Negotiations
– Manage Catalog Content
– Manage Suppliers
– Manage Approved Supplier List Entries
– Analyze Spend



Purchase Order Agent Data Security
• Agent assigned to a business unit
• Agent allowed to manage purchase orders in that business unit
• Grant access to other agents’ documents



Key Product Features
Users and Security

Role-Based Access Control (RBAC)
• Controls access to both function and data through roles provisioned to users
• “Who can do what on which functions or sets of data”

Enforcement of Segregation of Duties
• Role definitions respect SOD policies to prevent unethical, illegal or damaging activities
• Integrated with GRC’s Application Access Controls Governor (AACG)

Pervasive Security
• Security enforced across tools, technology infrastructure, data, and information life cycle
• Transparent Data Encryption (TDE) and Oracle Database Vault (ODV) protect data in transit
and at rest across the phases of deployment, installation, and setup to archive and purge
across databases
• Revocation of one security policy revokes all implementations across tools

Predefined Roles
• Predefined job and abstract roles are provided
• You can easily extend the roles to suit your needs



Secure OOTB: Secure Across Info Lifecycle

• Protect data in motion with network encryption using Advanced Security Option
• Protect data from DBA view and alteration, as well as insider threat, using Database
Vault: the operational DBA is blocked from "Select SALARY from USERS;" and from
"Alter table …" / "Alter system" (example roles and privileges)
• Protect user and sensitive data at rest by encrypting database columns using
Transparent Data Encryption (the SSN and SALARY columns are stored as ciphertext):

LNAME   SSN           SALARY
KING    123-45-6789   $125,000
SCOTT   987-65-4321   $229,500
SMITH   345-67-8912   $53,700

• Sensitive data in a cloned instance is protected by Data Masking:

LNAME   SSN           SALARY
KING    111-11-1111   $99,000
SCOTT   222-22-2222   $888,000
SMITH   333-33-3333   $77,000



SOD



Fusion Applications Security
How it compares…
• Yes, we externalized security to Fusion Middleware, LDAP and OPSS
• But we paid a lot of attention to the consistency in Fusion

Fusion Applications    E-Business Suite    PeopleSoft
Job Role               Top Level Menu      Top Level Menu
Data Role              Responsibility      Employee ID + Role
Duty Role              Sub Menu            Role(s)
Privilege              Form Function       Permission Lists
Permission             Executable          Executable



Security Reference Resources
• Oracle Applications Cloud Security Reference for Common Features
• Oracle Procurement Cloud Security Guide
• Oracle Fusion Middleware User's Guide for Oracle Identity Manager
• Oracle Global Human Resources Cloud Implementing Workforce Deployment

• NOTE: The listed documents are available in the Oracle Documentation Library, which you
can access from http://docs.oracle.com/

Related Courses:
• Fusion Applications: Security Fundamentals


