CLOUDSEC1 SG

Unauthorized reproduction or distribution prohibitedฺ Copyright© 2016, Oracle and/or its affiliatesฺ
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J Oraclef er Cloud Applications:
h n n s
Vis on-tra
n Security Updates for
Release 12
Student Guide
CLOUDSEC1
January 2017
Learn more from Oracle University at education.oracle.com

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy
and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any
way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print,
display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express
authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS

The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are
restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.
a
Trademark Notice
) has
ฺ c om deฺ
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
on Gui
owners.
r s
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n
Contents
1 Oracle Cloud Applications: Security Updates for Release 12

Objectives 1-2
Security Model: Role-Based Access Control 1-3
Security Model: Job Roles 1-4
Security Model: Duty Roles 1-5
Security Model: Privileges 1-6
Security Model: Resources 1-7
a
Security Model: Data Security Policies 1-8
) has
om deฺ
Using Security Console 1-9
ฺ c
on Gui
Applications Security Enhancements: Overview 1-11
Improved Security Console 1-12 r s
User Account Management 1-13 p ea dent
Administrator Password Management 1-15
h a n@ Stu
a rd e this
User Password Management: Self-Service 1-16
v
User Account Locking
h n
1-17 u us
i s t o
k a ฺv nse
Enhanced Role Visualization 1-18
j in lice
Tabular Role Hierarchy View 1-19
(
i n ka able
Search in Role Hierarchy Visualization 1-20
u J fer
Username Generation Rules 1-21
i s h trans
n
Password Policies 1-22
V on-Notification Templates 1-23
nUpgrade-Safe Management of Factory Shipped Roles 1-25
Bridge for Microsoft Active Directory 1-27
User Password Changes Audit Report 1-30
Password Reset Process 1-31
Summary 1-33
iii
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n
1
Oracle Cloud Applications:

Security Updates for Release 12
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n
Objectives
After completing this lesson, you should be able to:

• Explain the Oracle Security Model
• Discuss using the Security Console

• Examine the changes to the common security features for release 12
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n
Oracle Cloud Applications: Security Updates for Release 12 1 - 2

Security Model: Role-Based Access Control
• Users can have any number of roles.

• Roles grant access to functions and data.
• Functions and data that can be accessed Role

are determined by the combination of roles. HR Specialist
Vision Operations
Role
User Linda Swift
Employee
a
has
Role
Line Manager
)
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Security Model: Job Roles
• Job roles represent the job that you hire a worker to perform.
• Procurement Manager is an example of a predefined job role.
• You can create custom job roles.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
n u tab. us
Navigate to: Tools > Security Console >hRoles
ฺ v is e to
j i n ka cens
a ( le li
k
u Jin ferab
i s hn trans
V on-
n

Security Model: Duty Roles
• Duty roles represent logical groups of tasks that are performed in a job.
– Procurement manager has Buyer Duty Role.
– Buyer has Purchase Order Inquiry Duty Role.
• You can create custom duty roles.

• Job roles represent the job that you hire a worker to perform.
• You do not assign duty roles to users.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Security Model: Privileges
• Roles contain privileges.

• Privileges provide access to functionality in the application.
• Payables Invoice Processing Role contains the Manage Payable Invoices Privilege.
• You can assign privileges to roles.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Security Model: Resources
• Privileges contain resources.

• Resources represent various application artifacts.
• Tasks, menu items, buttons, regions, so on

• You cannot manage resources.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Security Model: Data Security Policies
• Data Security Policies:

– Control access to data
– Are granted to a role
• Components of a policy:
– Database Resource is the table where data is stored.
– Data Set is where access is granted.
– Condition is used to define the data set.
– Actions can be performed on the data.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Using Security Console
• Use the Security Console to implement, customize, and manage security.

• Create and edit custom roles, as well as create and manage user accounts.
• Access the Security Console through the Navigator menu, under Tools or from the
Welcome Springboard.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
You should use the Security Console to h n u
implement,
s
ucustomize and manage security.
v i s t o
In addition to creating and editing k ฺ
acustom e n se the Security Console has been enhanced to support
roles,
creating and managing user n
(jiaccounts.
licHowever, you cannot edit the functional and data security
a l e
ink erwith
policies that are associated
J a ba predefined role.
The Securityh n u ncan
Console s f be accessed via the Navigator menu, under Tools. Access to Security
ConsoleViiss granted
n - trathrough the predefined IT Security Manager role.
no users are provisioned using resource roles, for Oracle Sales Cloud recommended
Because Sales
practice is still to create users using the Manage Users task.

Using Security Console
• Select the Roles tab to manage roles.

• Select the User Accounts tab to manage user accounts.
• You can view role analytics, manage certificates, and manage Security Console
administration options.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
Navigate to: Tools > Security Console >hUsern u or Role
ustab.
i s t o
v Rolessetab to manage roles, and the User Accounts tab to
a ฺthe
cen
Within the Security Console, select
k
manage user accounts. (jin l i
a ble
ink ermanage
You can view roleJanalytics, a certificates, and manage Security Console administration
options. hnu n s f
Vis on-tra
n

Applications Security Enhancements: Overview
• Improved Security Console • Tabular Role Hierarchy View • Bridge for Microsoft Active
• User Account Management Directory
• Search in Role Hierarchy
Visualization • User Password Changes
• Administrator Password
Management Audit Report

• Username Generation Rules
• User Password Management • Password Policies • Password Reset
(Self-Service)
• Notification Templates
• User Account Locking
• Upgrade-Safe Management
• Enhanced Role Visualization of Factory Shipped Roles
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Improved Security Console
You can use a unified security administrator interface, combined with the ability to safely
upgrade the reference security implementation.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
Oracle Fusion Applications Security provides h n ua singleusconsole where IT Security Managers and
Administrators can perform various ฺ v
functions
to user lifecycle management, role definition,
is eincluding
n
security policy managementji(both kafunctional
c e nsand data), role hierarchy maintenance, username and
a ( and e i
lcertificate
i n k
password policy administration,
a b l management. The console enables users to simulate
n u J changes,
the effect of security
s f er to run security reports, and download a connector for integration with
V ish -tran
Microsoft Active Directory.
non will result in the following changes in functionality in the Security Console.
The new interface
• All User Account information including password changes and lock/unlock status are
managed in the security console.
• Roles are managed directly in the Security Console and are no longer managed within
Oracle Identity Manager or Authorization Policy Manager.
• Users can view, create, or modify roles without first selecting an application.
• Users cannot create or modify privileges. They can continue to grant privileges to roles.
• Users cannot create or modify resources.
• Users cannot grant resources directly to role. Resources are only granted to privileges.

User Account Management
• You can create and manage implementation user accounts within Oracle Fusion
Applications Security.
• You can assign roles to these user accounts.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
You can create and manage user accounts h n u
in Oracle
s Applications Security, and assign roles
uFusion
i s t o
to those user accounts.
k a ฺv nse
( j in licusing
Because Sales users are provisioned
e resource roles, for Oracle Sales Cloud the
recommended practice
i n kisa to create
a b leusers using the Manage Users task.
u J fer
i s h trans
n
V on-
n

User Account Management
You can search, retrieve, and manage user accounts automatically created for employees,
contingent workers, supplier contacts, or partner contacts.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
You can view and manage user accounts h n u us created for employees, contingent workers,
automatically
i s t o
k a ฺv nse
supplier contacts, or partner contacts.
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Administrator Password Management
As an administrator, you can:

• Manage passwords of other users using the Security Console
• Auto-generate or manually enter a password for a user account

• Define password lifecycle and complexity policies
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
Administrators can manage passwords of h n u usin Oracle Fusion Applications Security. You
other users
i s t o
auto-generate or manually enter a
k a ฺv nsfor
password e a user account.
n e
(ji le validated
The password will be automatically lic against the defined password complexity rules and
expiration policies. ink
a
u J ferab
i s hn trans
V on-
n

User Password Management: Self-Service
• You can manage your own user account password using the Security Console.
• The password will be automatically validated against the defined password lifecycle and
complexity policies.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

User Account Locking
• As an administrator, you can lock user accounts.

• If you lock a user account, you will be temporarily preventing the user from logging in
with that user account.
• You can unlock a locked user account.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
h n
You can temporarily inactivate a user account
u by locking
us that user account in Oracle Fusion
i s t o
k a ฺv a locked
Applications Security. You can unlock
n se user account.
n
(ji le lic e
a
J ink erab
h n u nsf
Vis on-tra
n

Enhanced Role Visualization
• View certain components of a role in the graphic visual.

• View the privileges, and aggregate privileges or roles assigned to a role.
• View the graph in full-screen mode and pan over a specific region in the graph.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Tabular Role Hierarchy View
• View role hierarchies in a tabular view.

• Switch between the graphic visualizer
view and the tabular view.
• Analyze using Tabular View of Direct

and Indirectly Assigned Privileges for a
Role.
• You can analyze using Tabular View of
Direct and Indirectly Assigned Users for
a Role.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
The data can be exported to Excel. h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Search in Role Hierarchy Visualization
• You can search and quickly locate security artifacts (nodes) in the role hierarchy
visualization.
• You can search for privileges, roles, or users in the visualization.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Username Generation Rules
• You can define the username generation rules used to auto-generate the username in
Oracle Fusion Applications Security.
• Username generation rules can be based on the user’s first and last names, email or
person number.
• You can choose to use a system generated username if the rule fails to generate a
username.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Password Policies
• You can define policies for password management.

• These policies can define the duration for various password lifecycle events like
password expiration and password warning generation.
• You can set the complexity of generated passwords by choosing from a pre-defined list
of rules.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Notification Templates
• You can define custom notification templates for user account lifecycle events.
• You can use pre-defined notification templates.
s a
)h a
m
co ideฺ
n ฺ
a r so t Gu
p e den
h a n@ Stu
v a rd e this
These templates will be used to generate h n u usfor events like user account created, user
notifications
i s t o
password reset, and user password
k a ฺvexpirynwarning.
se
n
(ji le lic e
a
J ink erab
h n u nsf
Vis on-tra
n

Notification Templates
You can edit Notification Template Page.

a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Upgrade-Safe Management of Factory Shipped Roles
• You can identify a predefined (factory shipped) Oracle role when viewing the role.
• Predefined Oracle roles are locked and you cannot customize the Oracle delivered
functional and data security policies associated with these roles.
• You can add data security policies to these roles.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Upgrade-Safe Management of Factory Shipped Roles
Predefined Oracle roles are displayed in a different color in the graph visualizer.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Bridge for Microsoft Active Directory
Simplify Single Sign-On with Microsoft Active Directory by downloading and installing the
Active Directory Bridge from the Security Console.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

You can define the mapping attributes using the Active Directory Bridge User Attribute
Mappings Page.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Automatically synchronize user account information between Oracle Fusion Applications

Security and Microsoft Active Directory.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

User Password Changes Audit Report
• You can generate a report that lists password changes made by users.
• The report can be generated for changes made by specific users or for all changes
made during a specific period.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Password Reset Process
• The password reset flow has been changed in the current release.
• A notification email will be sent to the user who requests a password reset.
• The user will be required to click this link, within a specific period of time, to change the
password.
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Password Reset Process
Replaces the previous flow where users were required to answer a series of challenge
questions to reset the password
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

Summary
In this lesson, you should have learned how to:

• Explain the Oracle Security Model
• Discuss using the Security Console

• Examine the changes to the common security features for release 12
a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

a
) has
ฺ c om deฺ
r s on Gui
p ea dent
h a n@ Stu
v a rd e this
h n u us
i s t o
k a ฺv nse
( j in lice
i n ka able
u J fer
i s h trans
n
V on-
n

CLOUDSEC1 SG

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CLOUDSEC1 SG

Uploaded by

Copyright:

Available Formats

Unauthorized reproduction or distribution prohibitedฺ Copyright© 2016, Oracle and/or its affiliatesฺ

Learn more from Oracle University at education.oracle.com

Restricted Rights Notice

U.S. GOVERNMENT RIGHTS

1 Oracle Cloud Applications: Security Updates for Release 12

Oracle Cloud Applications:

After completing this lesson, you should be able to:

• Discuss using the Security Console

Oracle Cloud Applications: Security Updates for Release 12 1 - 2

• Users can have any number of roles.

• Functions and data that can be accessed Role

Oracle Cloud Applications: Security Updates for Release 12 1 - 3

• You can create custom job roles.

Oracle Cloud Applications: Security Updates for Release 12 1 - 4

• You can create custom duty roles.

Oracle Cloud Applications: Security Updates for Release 12 1 - 5

• Roles contain privileges.

Oracle Cloud Applications: Security Updates for Release 12 1 - 6

• Privileges contain resources.

• Tasks, menu items, buttons, regions, so on

Oracle Cloud Applications: Security Updates for Release 12 1 - 7

• Data Security Policies:

Oracle Cloud Applications: Security Updates for Release 12 1 - 8

• Use the Security Console to implement, customize, and manage security.

Oracle Cloud Applications: Security Updates for Release 12 1 - 9

• Select the Roles tab to manage roles.

Oracle Cloud Applications: Security Updates for Release 12 1 - 10

Management Audit Report

Oracle Cloud Applications: Security Updates for Release 12 1 - 11

Oracle Cloud Applications: Security Updates for Release 12 1 - 12

Oracle Cloud Applications: Security Updates for Release 12 1 - 13

Oracle Cloud Applications: Security Updates for Release 12 1 - 14

As an administrator, you can:

• Auto-generate or manually enter a password for a user account

Oracle Cloud Applications: Security Updates for Release 12 1 - 15

Oracle Cloud Applications: Security Updates for Release 12 1 - 16

• As an administrator, you can lock user accounts.

• You can unlock a locked user account.

Oracle Cloud Applications: Security Updates for Release 12 1 - 17

• View certain components of a role in the graphic visual.

Oracle Cloud Applications: Security Updates for Release 12 1 - 18

• View role hierarchies in a tabular view.

• Analyze using Tabular View of Direct

Oracle Cloud Applications: Security Updates for Release 12 1 - 19

Oracle Cloud Applications: Security Updates for Release 12 1 - 20

Oracle Cloud Applications: Security Updates for Release 12 1 - 21

• You can define policies for password management.

Oracle Cloud Applications: Security Updates for Release 12 1 - 22

Oracle Cloud Applications: Security Updates for Release 12 1 - 23

You can edit Notification Template Page.

Oracle Cloud Applications: Security Updates for Release 12 1 - 24

• You can add data security policies to these roles.

Oracle Cloud Applications: Security Updates for Release 12 1 - 25

Oracle Cloud Applications: Security Updates for Release 12 1 - 26

Oracle Cloud Applications: Security Updates for Release 12 1 - 27

Oracle Cloud Applications: Security Updates for Release 12 1 - 28

Automatically synchronize user account information between Oracle Fusion Applications

Oracle Cloud Applications: Security Updates for Release 12 1 - 29

Oracle Cloud Applications: Security Updates for Release 12 1 - 30

Oracle Cloud Applications: Security Updates for Release 12 1 - 31

Oracle Cloud Applications: Security Updates for Release 12 1 - 32

In this lesson, you should have learned how to:

• Discuss using the Security Console