Oracle Cloud Applications:
Security Updates for Release 12
Student Guide
CLOUDSEC1
January 2017
Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy
and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any
way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print,
display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express
authorization of Oracle.
Unauthorized reproduction or distribution prohibited. Copyright © 2016, Oracle and/or its affiliates.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
owners.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Objectives
[Figure: User Linda Swift; Role: Employee; Role: Line Manager]
• Job roles represent the job that you hire a worker to perform.
• Procurement Manager is an example of a predefined job role.
Navigate to: Tools > Security Console > Roles tab.
• Duty roles represent logical groups of tasks that are performed in a job.
– Procurement manager has Buyer Duty Role.
– Buyer has Purchase Order Inquiry Duty Role.
• Payables Invoice Processing Role contains the Manage Payable Invoices Privilege.
• You can assign privileges to roles.
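The role model described above (job roles inherit duty roles, and privileges are granted to roles) can be audited by walking the hierarchy to find what a user effectively holds and through which role path. The following Python is an added example, not Oracle code or part of the original guide; the user IDs, the "Payables Clerk" job role and the "View Purchase Order" privilege are constructed sample data.

```python
# Added illustration, not Oracle code. Entries marked "constructed" are
# sample data that does not appear in the guide.
ROLE_CHILDREN = {  # role -> roles it inherits
    "Procurement Manager": ["Buyer"],              # job role -> duty role
    "Buyer": ["Purchase Order Inquiry Duty"],      # duty role -> duty role
    "Payables Clerk": ["Payables Invoice Processing"],  # constructed job role
}
ROLE_PRIVILEGES = {  # role -> privileges granted directly to it
    "Payables Invoice Processing": ["Manage Payable Invoices"],
    "Purchase Order Inquiry Duty": ["View Purchase Order"],  # constructed
}
USER_ROLES = {  # constructed assignments, except Linda Swift's two roles
    "linda.swift": ["Employee", "Line Manager"],
    "sample.buyer": ["Procurement Manager"],
    "sample.clerk": ["Payables Clerk", "Employee"],
}


def effective_privileges(user):
    """Map each privilege the user holds to the role path that grants it."""
    grants, seen = {}, set()
    stack = [(role, (role,)) for role in USER_ROLES.get(user, [])]
    while stack:
        role, path = stack.pop()
        if role in seen:  # already expanded: avoids cycles and repeat work
            continue
        seen.add(role)
        for privilege in ROLE_PRIVILEGES.get(role, []):
            grants.setdefault(privilege, path)
        for child in ROLE_CHILDREN.get(role, []):
            stack.append((child, path + (child,)))
    return grants


def users_with_privilege(privilege):
    """Reverse lookup: which users reach this privilege through any role."""
    return sorted(u for u in USER_ROLES if privilege in effective_privileges(u))


if __name__ == "__main__":
    for user in USER_ROLES:
        for privilege, path in effective_privileges(user).items():
            print(f"{user}: {privilege} via {' > '.join(path)}")
```

The recorded path shows which inherited role to review when a privilege turns up on an account that should not have it.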
• Components of a policy:
– Database Resource is the table where data is stored.
– Data Set is where access is granted.
– Condition is used to define the data set.
– Actions can be performed on the data.
• Access the Security Console through the Navigator menu, under Tools or from the
Welcome Springboard.
You should use the Security Console to implement, customize and manage security.
In addition to creating and editing custom roles, the Security Console has been enhanced to support creating and managing user accounts. However, you cannot edit the functional and data security policies that are associated with a predefined role.
The Security Console can be accessed via the Navigator menu, under Tools. Access to Security Console is granted through the predefined IT Security Manager role.
Because Sales users are provisioned using resource roles, for Oracle Sales Cloud the recommended practice is still to create users using the Manage Users task.
• You can view role analytics, manage certificates, and manage Security Console
administration options.
Navigate to: Tools > Security Console > User or Role tab.
Within the Security Console, select the Roles tab to manage roles, and the User Accounts tab to manage user accounts.
You can view role analytics, manage certificates, and manage Security Console administration options.
• Improved Security Console
• User Account Management
• Search in Role Hierarchy Visualization
• Tabular Role Hierarchy View
• User Password Changes
• Administrator Password
• Bridge for Microsoft Active Directory
You can use a unified security administrator interface, combined with the ability to safely
upgrade the reference security implementation.
Oracle Fusion Applications Security provides a single console where IT Security Managers and Administrators can perform various functions including user lifecycle management, role definition, security policy management (both functional and data), role hierarchy maintenance, username and password policy administration, and certificate management. The console enables users to simulate the effect of security changes, to run security reports, and download a connector for integration with Microsoft Active Directory.
The new interface will result in the following changes in functionality in the Security Console.
• All User Account information including password changes and lock/unlock status are
managed in the security console.
• Roles are managed directly in the Security Console and are no longer managed within
Oracle Identity Manager or Authorization Policy Manager.
• Users can view, create, or modify roles without first selecting an application.
• Users cannot create or modify privileges. They can continue to grant privileges to roles.
• Users cannot create or modify resources.
• Users cannot grant resources directly to a role. Resources are only granted to privileges.
• You can create and manage implementation user accounts within Oracle Fusion
Applications Security.
• You can assign roles to these user accounts.
You can create and manage user accounts in Oracle Fusion Applications Security, and assign roles to those user accounts.
Because Sales users are provisioned using resource roles, for Oracle Sales Cloud the recommended practice is to create users using the Manage Users task.
You can search, retrieve, and manage user accounts automatically created for employees,
contingent workers, supplier contacts, or partner contacts.
You can view and manage user accounts automatically created for employees, contingent workers, supplier contacts, or partner contacts.
Administrators can manage passwords of other users in Oracle Fusion Applications Security. You can auto-generate or manually enter a password for a user account.
The password will be automatically validated against the defined password complexity rules and expiration policies.
• You can manage your own user account password using the Security Console.
• The password will be automatically validated against the defined password lifecycle and
complexity policies.
You can temporarily inactivate a user account by locking that user account in Oracle Fusion Applications Security. You can unlock a locked user account.
• View the graph in full-screen mode and pan over a specific region in the graph.
The data can be exported to Excel.
• You can search and quickly locate security artifacts (nodes) in the role hierarchy
visualization.
• You can search for privileges, roles, or users in the visualization.
• You can define the username generation rules used to auto-generate the username in
Oracle Fusion Applications Security.
• Username generation rules can be based on the user’s first and last names, email or
person number.
• You can choose to use a system generated username if the rule fails to generate a
username.
• You can set the complexity of generated passwords by choosing from a pre-defined list
of rules.
• You can define custom notification templates for user account lifecycle events.
• You can use pre-defined notification templates.
These templates will be used to generate notifications for events like user account created, user password reset, and user password expiry warning.
• You can identify a predefined (factory shipped) Oracle role when viewing the role.
• Predefined Oracle roles are locked and you cannot customize the Oracle delivered
functional and data security policies associated with these roles.
Predefined Oracle roles are displayed in a different color in the graph visualizer.
Simplify Single Sign-On with Microsoft Active Directory by downloading and installing the
Active Directory Bridge from the Security Console.
You can define the mapping attributes using the Active Directory Bridge User Attribute
Mappings Page.
• You can generate a report that lists password changes made by users.
• The report can be generated for changes made by specific users or for all changes
made during a specific period.
• The password reset flow has been changed in the current release.
• A notification email will be sent to the user who requests a password reset.
• The user will be required to click this link, within a specific period of time, to change the
password.
Replaces the previous flow where users were required to answer a series of challenge
questions to reset the password.