Customizing HTML Notes Security

This chapter covers the following topics:

Customizing Notes Security

While continuing to support the existing notes data security, all data access and updates in the Notes module developed for Common Application Calendar are based on HTML Notes Application Object Library (AOL) data security rules. This security concept allows implementors or system administrators to customize the security rules and then grant object-level security to users who hold the qualifying access privileges. In other words, the security rules restrict data access to the appropriate users only.

To customize Notes data security, it is necessary to first identify the following three grant components:

Once the grant components are identified, the administrator can start the granting process:

HTML Notes Security Overview

By leveraging the Application Object Library (AOL) data security model, the HTML Notes module provides a flexible mechanism for controlling access to notes. This security model restricts data access to the appropriate users through a specific authorization process.

For example, in the past almost all users could create new notes; now only users who have been granted the create note function are able to create notes. The same principle applies to creating or deleting attachments and to modifying notes.

With the new security model, based on the AOL security model, the HTML Notes module uses the concepts of objects, instances, and instance sets to group all data in HTML Notes into different units or sets. The biggest unit is Notes, which is considered an object in AOL terms. Within the Notes object, multiple notes can be grouped into different subsets (object instance sets), such as all notes with status "private", all notes of type "offer", or all notes not of type "offer". Based on the definition of these subsets, a private note or a note of type "offer" then becomes the smallest unit of the Notes object and is called an object instance.

With these data object concepts, information entered in HTML Notes can be further restricted to the data level, customized for your business needs, and then securely granted to resources and resource groups.

Because HTML Notes security is based on the AOL security model, the relevant AOL data security concepts and terminology are introduced first. How to customize notes security is addressed later.

Note: Even if you define the data security rules in the HTML Notes module, these rules will not be enforced in the Forms-based Notes.

For detailed information on AOL data security framework, refer to the Oracle Application Object Library Security chapter in the Oracle E-Business Suite System Administrator's Guide - Security.

HTML Notes security uses the following AOL data security model concepts:

Steps for Customizing HTML Notes Security

After understanding how data is organized in HTML Notes based on the AOL security model, system administrators can further customize the HTML Notes security rules by granting users appropriate data access permissions using object instance sets.

To better explain how the customization is done, the following business scenario leads you through the possible customization steps.

A company's Sales department wants sales managers to be able to create and delete confidential notes for their sales leads. These confidential notes will be of note type "Confidential" and should be invisible to normal sales representatives. In addition, only sales managers should be able to create and delete confidential notes.

Customizing HTML Notes security means, in other words, creating grants based on the business scenario. Before starting a new grant, identify the following three components:

Once the grant components (who has what privileges to access which objects) are identified, the administrator can start the granting process:

Defining Object Instance Sets

Use an object instance set to specify a parameterized set of rows for the Notes object so that it can be granted to appropriate users.

An object instance set is a subset of the data residing within an object; therefore an object must exist before you can create an object instance set for it.

Note: Object instance set creation is metadata driven; all data required to ensure backward compatibility with the current Notes security model is seeded.

The Notes module uses two seeded objects, JTF_NOTES and JTF_NOTE_TYPES. Each object can be customized by creating object instance sets that provide users with specific sets of Notes data where necessary. For example, notes (the JTF_NOTES object) can be customized into different object instance sets, such as all confidential notes. The note types list of values (LOV), based on the JTF_NOTE_TYPES object, can also be customized for different users.

Based on our scenario, in order to grant sales managers the permission to create confidential notes, and ensure sales representatives cannot create confidential notes, the following object instance sets should be created for JTF_NOTES:

Additional object instance sets should be created for JTF_NOTE_TYPES so that sales managers, but not sales representatives, can see the confidential note type. To do so, you can filter the list of available note types:

Use the following steps to define object instance sets.

Responsibility: Functional Developer

Tip: First locate the object for which you want to create a new instance set, then enter the necessary information for the set.

Prerequisites

Steps

  1. Navigate to Objects.

  2. Enter necessary search information in the Find Objects window to locate the JTF_NOTES and JTF_NOTE_TYPES objects. Search results should be listed after executing the search.

  3. In the search results, click the name hyperlink of the object for which you want to create the new instance set. The Find Object Instance Set window opens.

  4. Existing instance sets for the selected object are also listed here. Click Create Instance Set.

  5. Enter instance set detail information including instance set name, display name, description and predicate.

  6. Save your work.

Related Topics

For detailed information on how to define object instance sets, see Oracle E-Business Suite System Administrator's Guide - Security.

Defining Menus

A menu is a hierarchical arrangement of functions and menus of functions. If a grant involves only a single function, such as granting the create notes function (JTF_NOTE_CREATE) to a user, there is no need to define a menu. As mentioned earlier, the purpose of menus is to reduce administrative effort: if multiple functions need to be given to a user, group them into a menu or menu structure.

In our scenario, sales managers require the following functions in a menu format:

In addition, create another menu for sales representatives including the following functions:

Responsibility: System Administrator.

Steps

  1. Navigate to Application, Menu.

  2. Enter the menu name that describes the purpose of your menu, such as "SalesMan" or "Salesrep" in the Menu and User Menu Name fields.

    The User Menu Name is used when a responsibility calls a menu or when one menu calls another.

  3. Select an appropriate menu type and enter description information:

    • Standard. For menus that would be used in the Navigator form

    • Tab. For menus used in self service applications tabs

    • Security. For menus that are used to aggregate functions for data security or specific function security purposes, but would not be used in the Navigator form

  4. Enter required functions for this menu including:

    • Sequence. Enter an integer here.

    • Navigation prompt. Enter a user-friendly, intuitive prompt your menu displays for this menu entry. This menu prompt appears in the hierarchy list of the Navigator window.

    • Submenu name. Enter a submenu name if applicable. This calls another menu and allows users to select menu entries from that menu.

    • Function name and description. Enter a function name that you wish to include in the menu. Descriptions appear in a field at the top of the Navigate window when a menu entry is highlighted.

    • The Grant check box. This should always be selected, which indicates that the function is automatically enabled for the user. If it is not selected, the function must be enabled using additional data security rules.

  5. Click View Tree... to see the menu's hierarchical structure.

Related Topics

Refer to Oracle E-Business Suite System Administrator's Guide - Security for more information regarding how to define a menu.

Disabling Existing Grants

The purpose of disabling existing grants is to make sure that all seeded global grants are revoked so that they don't interfere with the new grants. To disable a grant, you can set an end date for the grant, instead of deleting it completely.

Responsibility: Functional Administrator

Steps

  1. Navigate to Grants.

  2. Search for the existing grants that you want to disable by entering search criteria in the Search Grants window.

  3. Click Go to retrieve the grants that match your search criteria.

  4. Select the grant that you want to disable from the search result.

  5. Set an end date in the Context window and click Finish to disable the grant.

Related Topics

For more information on how to disable existing grants, see Oracle E-Business Suite System Administrator's Guide - Security.

Adding New Grants

A new grant is required when a user needs to be authorized to perform certain functions, or to perform more specific actions on a designated instance set. Based on the data access level, there are therefore two types of grants: function grants (such as the "Administrator" menu) and data grants (such as the note type LOV data).

A function grant applies to all objects and consists of the following windows:

  1. Grantee: Three grantee types appear as radio buttons. Select only one of them as the grantee.

    • All users (global)

    • Group of users (group)

    • Single user (user)

      If a group or a single user is selected, the corresponding group or user name must also be identified. The selected grantee is validated against the WF_ROLES table.

  2. Function Set: A function set (or a menu) can be selected from the LOV so that an appropriate function set can be granted to a specified grantee.

  3. Context: The screen provides grant attributes information including organization, responsibility, start and end dates, program name, and program tag fields. This is the place where a grant can be disabled by entering an end date.

A data grant additionally identifies a specific object and instance set. It consists of the following windows, in sequence:

  1. Object: A specific object name needs to be specified for this grant.

  2. Grantee: Like the function grant, grantee can be a user, a group, or all users.

  3. Function Set: Like the function grant, a function set needs to be specified in order to authorize it to a specified grantee.

  4. Data Set: There are three instance types. Select only one of them:

    • All rows of the object (global): When it is selected, the Data Set Details window will be skipped and you are directed to the Context window.

    • A specific row of the object (instance)

    • A parameterized set of rows (instance set): When it is selected, the instance set name needs to be further identified.

  5. Data Set Details: If instance or instance set is selected in the Data Set window, the data or data set details are displayed in this window. If instance is selected, this page displays the associated primary key values. If instance set is selected, this page displays the parameter columns with the associated predicate information for the selected instance set.

  6. Context: Like the function grant, additional grant attributes can be addressed here. Use the end date field to revoke a grant.
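The grant model just described, together with the predicate-based instance sets of "Defining Object Instance Sets", the menu hierarchies of "Defining Menus" and the end-dating of "Disabling Existing Grants", is shown below as a constructed Python model added to this chapter. It is not Oracle code and does not use the AOL APIs; it models only the JTF_NOTES object, and the instance set names and predicates, the menu names, the JTF_NOTE_VIEW and JTF_NOTE_DELETE function names, the group names and the sample notes are all assumptions made for the sales scenario (JTF_NOTE_CREATE is the chapter's own function name).

```python
"""Constructed toy model of the grant resolution this chapter describes (added
illustration, not Oracle code): objects, instance sets with SQL predicates,
menus as function sets, grantees, and grants that are revoked by end-dating."""
import sqlite3
from datetime import date

# Constructed rows standing in for the JTF_NOTES object: (note_id, note_type, note_status).
SAMPLE_NOTES = [(1, "GENERAL", "PUBLIC"), (2, "CONFIDENTIAL", "PRIVATE"), (3, "OFFER", "PUBLIC")]

# Instance sets: name plus a WHERE-clause predicate over the object's rows (assumed names).
# Predicates are administrator metadata, never end-user input; that is the only
# reason rows_in_set() may splice them into SQL text.
INSTANCE_SETS = {
    "CONFIDENTIAL_NOTES": "note_type = 'CONFIDENTIAL'",
    "NON_CONFIDENTIAL_NOTES": "note_type <> 'CONFIDENTIAL'",
}

# Menus: functions plus submenus. JTF_NOTE_CREATE is named in the chapter; the
# view and delete function names and the menu names are assumed.
MENUS = {
    "NOTE_VIEW_MENU": {"functions": {"JTF_NOTE_VIEW"}, "submenus": []},
    "SALESREP": {"functions": {"JTF_NOTE_CREATE"}, "submenus": ["NOTE_VIEW_MENU"]},
    "SALESMAN": {"functions": {"JTF_NOTE_DELETE"}, "submenus": ["SALESREP"]},
}

def menu_functions(menu):
    """Flatten a menu hierarchy into the set of functions it carries."""
    funcs = set(MENUS[menu]["functions"])
    for sub in MENUS[menu]["submenus"]:
        funcs |= menu_functions(sub)
    return funcs

def make_grant(name, grantee_type, grantee, function_set, instance_set=None,
               start_date=date(2000, 1, 1), end_date=None):
    """Who (grantee) may run which functions (menu) on which rows (instance set;
    None means all rows of the object) between which dates."""
    return {"name": name, "grantee_type": grantee_type, "grantee": grantee,
            "function_set": function_set, "instance_set": instance_set,
            "start_date": start_date, "end_date": end_date}

def scenario_grants():
    """Seeded-style global grant (everyone creates and views every note) plus the scenario's group grants."""
    return [
        make_grant("SEEDED_GLOBAL_NOTES", "global", None, "SALESREP"),
        make_grant("MGR_CONFIDENTIAL", "group", "SALES_MANAGERS", "SALESMAN", "CONFIDENTIAL_NOTES"),
        make_grant("MGR_OTHER", "group", "SALES_MANAGERS", "SALESREP", "NON_CONFIDENTIAL_NOTES"),
        make_grant("REP_OTHER", "group", "SALES_REPS", "SALESREP", "NON_CONFIDENTIAL_NOTES"),
    ]

def open_notes_db():
    """In-memory table standing in for JTF_NOTES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jtf_notes (note_id INTEGER PRIMARY KEY, note_type TEXT, note_status TEXT)")
    conn.executemany("INSERT INTO jtf_notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    return conn

def grant_active(grant, today):
    """Live from the start date up to, but excluding, the end date."""
    return grant["start_date"] <= today and (grant["end_date"] is None or today < grant["end_date"])

def grantee_matches(grant, user, groups):
    kind = grant["grantee_type"]
    return kind == "global" or (kind == "group" and grant["grantee"] in groups) \
        or (kind == "user" and grant["grantee"] == user)

def rows_in_set(conn, instance_set):
    """Evaluate an instance set's predicate against the object; None selects all rows."""
    predicate = "1 = 1" if instance_set is None else INSTANCE_SETS[instance_set]
    return {row[0] for row in conn.execute(f"SELECT note_id FROM jtf_notes WHERE {predicate}")}

def accessible_notes(conn, grants, user, groups, function, today):
    """Note ids on which `user` may run `function` today: the union over every active
    grant that reaches the user (directly, via a group, or globally) and whose menu
    contains the function. Grants only add rights, so a seeded global grant must be
    end-dated before a narrower grant restricts anything."""
    allowed = set()
    for g in grants:
        if (grant_active(g, today) and grantee_matches(g, user, groups)
                and function in menu_functions(g["function_set"])):
            allowed |= rows_in_set(conn, g["instance_set"])
    return allowed

def end_date_grant(grants, name, end_date):
    """Disable a grant the chapter's way: set an end date instead of deleting it."""
    for g in grants:
        if g["name"] == name:
            g["end_date"] = end_date
    return grants

def demo():
    """Returns (rep view before end-dating, rep view after, manager delete, rep delete)."""
    conn, grants, today = open_notes_db(), scenario_grants(), date(2024, 6, 1)
    rep, mgr = ("rep1", {"SALES_REPS"}), ("mgr1", {"SALES_MANAGERS"})
    rep_before = accessible_notes(conn, grants, *rep, "JTF_NOTE_VIEW", today)
    end_date_grant(grants, "SEEDED_GLOBAL_NOTES", date(2024, 1, 1))
    rep_after = accessible_notes(conn, grants, *rep, "JTF_NOTE_VIEW", today)
    mgr_delete = accessible_notes(conn, grants, *mgr, "JTF_NOTE_DELETE", today)
    rep_delete = accessible_notes(conn, grants, *rep, "JTF_NOTE_DELETE", today)
    return rep_before, rep_after, mgr_delete, rep_delete
```

Calling demo() walks the scenario: while the seeded global grant is still active the sales representative sees every note, confidential one included, because grants only accumulate rights; once that grant is end-dated, the representative's own group grant on the non-confidential instance set is the only one left, the manager's delete right resolves to the confidential notes alone, and the representative has no delete right at all. This is why the chapter has you disable the seeded global grants before adding the new ones.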

Based on the scenario we have, the following grants need to be authorized:

Use the following steps to add a new grant. For detailed information on how to add new grants, see Oracle E-Business Suite System Administrator's Guide.

Responsibility: Functional Administrator

Steps

  1. Navigate to Grants, Create Grant.

  2. Enter grant name, description, and effective end date information.

  3. In the Security Context region, select Group of Users from the LOV for the Grantee Type field. Additionally, specify the appropriate operating unit and responsibility information.

    In the Data Security region, select JTF_NOTES as the object name.

  4. In the Create Grant: Select Object Data Context page, select "Instance Set" in the Data Context Type field for the JTF Notes object. Select "JTF_SALES_NOTES" or "JTF_SALES_NOTETYPES" for the Instance Set field.

  5. In the Create Grant: Define Object Parameters and Select Set page, select "JTF Notes Creator" as the set name.

  6. In the Create Grant: Review and Finish page, review the information and click the Finish button.