This chapter covers the following topics:
Oracle Project Contracts security model includes the following three items:
Contract access security determines whether a user can view and/or update a certain contract document.
Contract function security determines the list of functions a user can perform on a certain contract document.
Contract attribute security determines the amount of information a user can retrieve from a certain contract document.
Contract role is the centerpiece of the Oracle Project Contracts security model. Each employee who is working on a contract document in Oracle Project Contracts must be assigned a role. Access security is determined by the role assignment. An employee must be assigned a role to a contract document in order to gain access. In addition, the same employee cannot be assigned to two different roles at the same time. A role also describes the list of functions and contract attributes a grantee can perform or access.
Contract access assignment can be explicitly to a contract document, implicitly through a program, or at the site level. Contract level assignment overrides any program level assignment for the same employee, which in turns overrides any site level assignment.
Site level assignments are useful for employees with similar access to all contract documents within an organization. Rather than setting up access to individual contract documents, site level assignments ensure access to all contract documents while reducing the amount of maintenance overhead. Program level assignments provide similar benefits for organizations that group contract documents into programs and have specific resources assigned to monitor all contract documents within one or more programs.
Use effective dates to manage temporary assignments and termination of assignments.
The following list of functions can be secured based on the contract role:
Project Contract Authoring
Project Contract Authoring : Submit Approval
Project Contract Authoring: Auto Create Deliverables
Project Contract Authoring: Activate Lines
Project Contract Versioning (Create New Version)
Deliverable Tracking System
Deliverable Tracking System: Update
Deliverable Tracking System: Initiate Planning
Deliverable Tracking System: Initiate Procurement
Deliverable Tracking System: Initiate Shipping
Deliverable-Based Billing
Deliverable-based Billing: Update
Contract Funding
Contract Change Requests: Update
Contract Change Requests: Change Status
Contract Change Requests: Workflow Change
Holds Management
Contract Communications
Contract Version Comparison
Contract Closeouts and Terminations
Print Contracts
Contract Function Security is controlled using the Action button in the Contract Organizer. Certain sub functions, such as Deliverable Tracking - Initiate Planning, are controlled within the relevant windows and workbenches.
Contract Attribute Security enables you to tailor the amount of information a user can retrieve and update for a specific contract document. You can specify the access level (edit, view, or none) for each attribute, a group of attributes, and a group of user-defined attributes. You can also specify the access level of all contract header/line related entities, such as articles, terms and conditions, and party and contact roles.
Currently, attribute security is available for contract headers and lines. Attribute security for deliverables will be available in a subsequent release.
In order to optimize the benefits of the security model, you should perform the following analysis before implementing the security model:
Identify different contract roles applicable to your implementation
For each role, identify access levels for all contract attributes
For each role, identify lists of allowable contract level functions
The list of allowable functions is captured as a single-level menu. Oracle Project Contracts creates two menus, Contract Administrator privileges and Program Manager privileges, as part of the installation. The menu Contract Administrator privileges include all eligible functions that can be assigned or protected via the security model. It can be used as a reference.
While you can modify the two menus to include or exclude some of the functions, we recommend that you define new menus to meet your specific business requirements.
Define Menus, Oracle Applications System Administrator's Guide
Define the necessary roles using the Define Roles window. Oracle Project Contracts creates two roles, Contract Administrator and Program Manager, as part of the installation.
Oracle Project Contracts only recognizes roles with role control Allow as Contract Member enabled. In addition, you must enable role-based security and specify the appropriate menu that captures the list of allowable functions.
Note: If you have Oracle Projects installed and implemented, verify the roles Contract Administrator and Program Manager have not been defined.
If you want to implement attribute level security, define the appropriate attribute access rules using the Rules tab in the Define Roles window. Attribute access rules can be defined for a single object (Headers, Lines), a group of attributes using attribute groups, or individual attributes. You can enable attribute security for both the system as well as user-defined attributes. However, you can only define access rules user-defined attributes at the attribute group (context) level; you cannot define access rules for individual user-defined attributes.
You also need to specify the default access level for the role. The default access level serves two purposes:
It is used as the default setting for attribute access rules
It is used to determine view/update privilege for all header and line related entities, such as articles, terms and conditions, and standard notes.
Note: If you want to allow updates to some of the header or line attributes for a particular role, set the default access level to Edit. Otherwise, the header and line block will be sent as View Only.
After you define the appropriate access rules for a contract role, freeze and compile the access rules. Compiling access rules will enable faster access for the attribute security settings.
Access rules can also be compiled using the concurrent program Compile Access Rules from Oracle Project Contracts.
Secured versions of the contract data views are generated dynamically based on the access rules definition. These secured views are used throughout Oracle Project Contracts to lookup contract data.
To generate the secured views, you need to use the concurrent program Generate Secured Views from Oracle Project Contracts.
Follow the above instructions to create new roles.
If you add a new user-defined attribute group (context), verify the access rules are properly defined, or that the default access level for each role properly handles the access security of the new user-defined attribute group.
After adding a new user-defined attribute group, recompile your access rules. Failure to do so may result in the user-defined attributes disappearing from the window after you have saved the data because of access rule violations, since the new attribute group is not accessible through any contract roles.
Once the setup steps are completed, you are ready to implement contract security.
Create and maintain site and program level assignments using the Contract Assignments window.
The Contract Assignments window can be secured using function security.
Create and maintain contract level assignments using the Contract Assignments window or via the Contract Authoring Workbench directly.
The Contract Assignments window can be secured using function security.
You need to have Edit privilege on the contract document, as specified by the default access level of the contract role you are assigned to, in order to create and maintain assignments via the Contract Authoring Workbench.
Since attribute security can only be processed at runtime after the user signs on and the contract document has been determined, the Contract Authoring Workbench dynamically hides attributes that are secured (access level of None) during its initialization routine. The secured information is still available internally.
If you utilize attribute security in your implementation, you should disable the Diagnostics feature from the Help Menu for general users. The Diagnostic feature can be used to examine internal application information such as values in a hidden field, which in turn can expose secured information to non-privileged users.
To disable the Diagnostics features, set the profile option Hide Diagnostics Menu Entry to Yes at the proper level.
User Profiles, Oracle Applications System Administrator's Guide
Oracle Applications Menus, Oracle Applications User's Guide
Oracle Applications Object Library provides standard function security through responsibility assignment. Contract Function Security provides a more granular level of assignment. As a result, users can access different contract documents with different function access assignments without switching responsibilities.
Oracle Applications Object Library continues to enforce responsibility based function security when you access Oracle Project Contracts. In order to ensure that all contract functions can be executed using the same responsibility, a special hidden submenu called OKE-Organizer Actions has been added to the Project Contract Super User and Project Contract User top menu. Include this submenu in any custom top menus you define for accessing Oracle Project Contracts.
Overview of Function Security, Oracle Applications System Administrator's Guide
You can only create a new contract document online through the Contract Authoring Wizard. The authoring wizard is a separate function that can be secured using standard function security. You can restrict privilege to create new contract documents by removing the function from the desired responsibility.