Oracle® Fusion Applications Sales Implementation Guide 11g Release 7 (11.1.7) Part Number E20373-08 |
Home |
Contents |
Book List |
Contact Us |
Previous |
Next |
This chapter contains the following:
Oracle Fusion CRM Applications come secured using the industry standard for access control that is called role-based access control (RBAC). This topic discusses key aspects of the RBAC approach that are specific to an Oracle Fusion CRM implementation. You must review other documentation to understand how RBAC is designed to handle a broad range of security needs.
The RBAC standard supports the enforcement of user access control that is based on the role of the user within the organization rather than the user's individual identity. In RBAC, you assign users with roles that represent the job functions in your enterprise. These roles provide access both to the application functions that users need to perform their jobs as well as the permissions to access the data where they need to perform those functions.
Oracle Fusion Applications, including Oracle Fusion CRM, are secured with a predefined set of enterprise roles. This security reference implementation fulfills the needs of midsize horizontal enterprises, generally between 250 and 10,000 employees. To enable users to perform specific jobs in your CRM enterprise, you provision them with the appropriate enterprise roles. For example, when you provision sales managers with the sales manager job role, they can perform all their job duties, including managing sales teams and their forecasts, setting quotas, and managing sales leads and opportunities.
You can change this security reference implementation if the roles in your enterprise are different or if you want to accommodate expansion into vertical industries, such as health care, insurance, automobiles, or food manufacturing. Application patching does not affect your changes.
The following graphic provides an overview of the key components that determine what functions users can perform in the application (functional security) and on what data they can perform those functions (data security).
For Oracle Fusion CRM, the relevant security components are the following:
User
This document refers to security for human users, not background processes and other system users that are also secured with RBAC.
Autoprovisioning rules
Rules automatically provision users with enterprise roles that carry all the security settings that are appropriate for their duties. You can provision users based on their role in your organization and other factors, such as their status as an employee or contractor.
Enterprise roles
There are two types of enterprise roles:
Job roles
Job roles permit users to perform activities specific to their job. For example, providing users with the Sales Manager job role permits them to manage salespersons within the organization, follow up on leads, generate revenue within a territory, build a pipeline, manage territory forecasts, and assist salespersons in closing deals.
Abstract roles
Abstract roles permit users to perform functions that span the different jobs in the enterprise. For example, each user who is an employee must be provisioned with the Employee abstract role to be able to update their employee profile and picture. For CRM, you must also provision users with the Resource abstract role, this permits users to be assigned to work on leads, opportunities, and other CRM work.
Duty roles
Job and abstract roles permit users to carry out actions by virtue of the duty roles they include. For example, the Sales Manager job role includes the Sales Lead Follow Up Duty and the Quota Management Duty. The Sales Management Duty makes it possible for the managers to create and update a sales lead, qualify a sales lead, and convert a sales lead into an opportunity. The Quota Management Duty enables the management of sales territory quotas and territory quota formulas.
Functional security policies
Duty roles include functional security policies that provide access to user interface elements, Web services, tasks flows, and other functions. For example, a sales manager who has the Delete Opportunity functional policy can view and click the Delete button. Removing that policy removes the button from view.
A functional policy is made up of the duty role name and the Delete Opportunity functional privilege. The functional privilege specifies the application features that are being secured. In the security reference manuals, functional privileges are listed in the Privileges section.
Data security policies
Duty roles also include data security policies that specify which roles can perform an action under what conditions. For example, the Opportunity Sales Manager Duty includes a data security policy that specifies that sales managers can view opportunities if they are in the management chain or are members of the sales team on the opportunity.
Each data security policy represents an underlying SQL query. Oracle Fusion CRM Applications evaluate the query at run time, and permit access to data that meets the condition.
A data security policy is composed of the name of the duty where it applies, a data privilege, and a condition. A data privilege is the combination of the action users can take, the conditions under which they can carry them out, and the object they can act on. Data privileges are listed in the Data Security Policies section of the security reference manuals.
Note
Unlike other Oracle Fusion Applications, Oracle Fusion CRM Applications do not use data roles (not shown in this diagram) to provide users with data access. They rely strictly on data security policies.
Data roles, which inherit enterprise roles, are used in many Oracle Fusion Applications to restrict user access to a dimension of data, such as a business unit or a data reference set.
How enterprise roles work in practice is best illustrated with an example from the Sales Manager job role outlined in the following diagram:
A provisioning rule automatically provisions employee sales managers with the enterprise roles they need to do their jobs.
The rule provisions the Sales Manager job role and the Employee and Resource abstract roles.
The Sales Manager job role includes the Quota Viewing Duty and the Sales Manager Duty.
Duty roles inherit other duty roles. For example, the Sales Manager Duty inherits many other duty roles including the Marketing Lead Analysis Duty and the Opportunity Sales Manager Duty.
The duty roles are associated with functional security policies and data security policies. For example, the inherited Opportunity Sales Manager Duty comes with the following:
Functional security policies that specify which application pages and functions sales managers can access for deleting, assigning, closing, creating, and viewing an opportunity. For example, the view opportunity policy permits sales managers to view all UIs, Web services, and task flows that are related to opportunities.
Data security policies that specify what actions opportunity sales managers can take on what opportunities and under what conditions.
For example, opportunity sales managers can view all data related to opportunities where they are opportunity sales team members with view, edit, or full access.
The following diagram provides more detail about the composition of a policy. Each policy, such as the View Opportunity policy, is composed of a duty role name and a privilege:
The view opportunity functional security policy is composed of the duty name and the View Opportunity functional privilege.
The view opportunity data security policy is composed of the duty name, the View Opportunity data privilege, and a condition. It specifies that sales managers can view all data related to opportunities where they are an opportunity sales team member with view, edit, or full access.
Details about the available enterprise roles, duty roles, and policies in the security reference implementation are described in reference manuals organized by business process.
Each of the enterprise roles provided by Oracle is composed of a hierarchy of other roles and duties. The following diagram displays a portion of the hierarchy for the Sales Manager job role from the Oracle Fusion Applications Sales Security Reference Manual as an illustration.
The Sales Manager job role inherits the Business Intelligence Applications Worker abstract role. This abstract role comes with the Business Intelligence Applications Analysis Duty that permits the viewing of business analysis reports.
The Sales Manager job role also inherits the Sales Manager duty role. All job roles include a top-level duty role with the same name as the job role. This top-level duty role is the container for all of the duty roles assigned to a job role. As a general rule, the permissions are attached to the duties at the lowest level of the hierarchy.
The top-level duty roles make it easier for you to create job roles of your own. For example, if you want to create a new job role because you want to give additional functionality to a special class of sales managers, then you can assign the top-level Sales Manager duty to the new job role to give the users all the same permissions as a regular sales manager and then add whatever additional duty roles you want. (For an example of how to do this task, see the Enabling Salespeople to Obtain Microsoft Outlook Access to All Sales Accounts: Worked Example help topic.)
This topic explains how the security reference implementation provided by Oracle determines who can access what opportunity information in your CRM organization.
Your CRM application data comes secured with Oracle's security reference implementation. The following diagram illustrates who can access what opportunity information:
Named agents in the diagram (A, B, and C) can access the opportunity because they have created it, are on the sales team, or own a territory related to the opportunity.
Unnamed agents (highlighted in yellow) cannot view the opportunity although they have the same manager as their peers who can view them.
Managers can view the opportunity because a salesperson in their management chain can view it.
This figure shows who in a sales hierarchy can access an opportunity:
You can see the opportunity in this figure if you do the following:
You create the opportunity.
Agent A can access the opportunity because she created it. When you create an opportunity, you are the initial owner.
You are on the opportunity sales team.
Agent B can access the opportunity because he is on the sales team.
You are the owner of the territory.
Agent C can access the opportunity because he is the owner of the NW territory.
The opportunity owner is your direct or indirect report in the resource hierarchy.
Sales managers who are higher up in the management chain can also see the opportunity because access is provided through the resource hierarchy. Agent C's manager can access the opportunity information, but agent C's colleagues cannot.
You can also access the opportunity if you are assigned to a territory for the sales account associated with the opportunity or if a territory is assigned to the revenue lines on the opportunity. (Revenue lines and sales accounts are not shown in this diagram).
Access differs between territory members and opportunity members:
An opportunity owner gets full access to the opportunity, which includes the ability to edit as well as add and remove team members.
Owners and members of territories assigned to the sales account of the opportunity get read-only access to the opportunity and are not added to the opportunity sales team.
Owners and members of territories assigned to the opportunity revenue lines are added as a distinct list of territories to the opportunity sales team. Owners and members of these territories get full access to the opportunity. Depending on a profile option, either only the owner or all the members of the territory are added as resources to the opportunity sales team. Regardless of the access level for these members as a resource on the opportunity team, they will always have full access.
Some access is not affected by the management hierarchy and membership in sales teams or territories. This special access includes:
Administrators: Administrators get access to opportunities and other objects. This access is based on their privileges, regardless of where the administrators are in the management hierarchy. Administrators do not have to be on the sales team or members of territories.
Deal Protection: Salespersons assigned to an opportunity retain the sales credit on an opportunity even if they are moved to another opportunity.
Team Selling: You can configure the application to allow salespersons to see all opportunities related to their sales accounts.
Setting up Oracle Fusion CRM security involves the use of multiple application components outlined in this topic. For example, you create duty roles and enterprise roles in separate Oracle Fusion Middleware applications and the rules to provision them in Oracle Human Capital Management (HCM). While you can access all of these application components from the Setup and Maintenance work area, understanding what components are used for what purpose and terminology differences in these applications will help you with your setup.
This diagram provides an overview of the key security setups and the application components that you use to configure them.
The following table provides an explanation of the application components:
Application Component |
What It Is Used For |
---|---|
Common CRM Setups |
Tasks such as creating resource roles and resource organizations are part of common CRM configuration tasks. |
Oracle Fusion Human Capital Management (HCM) |
Oracle Fusion HCM tasks permit you to manage CRM application users and create the rules that automatically provision users with the enterprise roles they need to do their jobs. |
Oracle Authorization Policy Manager (APM) |
You use Oracle Authorization Policy Manager to create duty roles and data security policies in a separate browser window. The Authorization Policy Manager is a separate Oracle Fusion Middleware application with many features that are not used in Oracle Fusion CRM. You can access this application from the Setup and Maintenance work area by using the Manage Duty Roles task. |
Oracle Identity Management (OIM) |
Use Oracle Identity Management to create new job and abstract roles for on-premise applications in a separate browser window. You can access this Oracle Fusion Middleware application from the Setup and Maintenance work area by using the Manage Job Roles task. OIM is a separate Oracle Fusion Middleware application with few features used by Oracle Fusion CRM. Because this application has not been extended to Oracle Sales and Marketing Cloud Service, you must ask your Service Administrator to create any new job roles for you. Note Creating a user in Oracle Identity Management is different from creating CRM application users in HCM. |
Application Access Controls Governor (AACG) |
The Governance, Risk, and Compliance Controls supports segregation of duties (SOD) using the Application Access Controls Governor. You can use the Application Access Controls Governor to manage application access controls designed to prevent conflicts of interest and potential fraud that could result from the duties you assign to job roles. For example, if you want to prevent the same users from being able to both create items and ship them to customers, then you can review the access controls provided by Oracle in the Segregation of Duties Policies Respected section of the security reference guides. When you assign incompatible duties to a job role that you are creating, the Application Access Controls Governor generates error messages and prevents the assignment. |
Lightweight Directory Access Protocol (LDAP) Store |
The security settings you create are stored in the Lightweight Directory Access Protocol (LDAP) store for quick access. If you are implementing Oracle Fusion CRM on premise, then you must ensure that you synchronize the LDAP store with any of the changes you make by using the Run User and Roles Synchronization Process task, available from the Setup and Maintenance work area. If you are implementing Oracle Fusion CRM in the Oracle Sales and Marketing Cloud Service, then this step is done for you. |
Oracle Fusion CRM applications use different terminology from Oracle Fusion Middleware applications. The key differences are described in the following table:
Oracle Fusion CRM Term |
Definition |
Equivalent Oracle Identity Management Term |
Equivalent Oracle Authorization Policy Manager Term |
---|---|---|---|
Job role |
Job roles permit users to perform activities required for their job. |
Role. You can distinguish preconfigured job roles by their technical names. Job roles include the term JOB at the end. |
External role. You can distinguish preconfigured job roles by their technical names. Job roles include the term JOB at the end. |
Abstract role |
Abstract roles permit users to perform functions that span the different jobs in the enterprise. |
Role. |
External role. |
Duty role |
Duty roles provide all the privileges for the actions required to carry out a job. |
Not applicable. |
Application role. Duty roles include the term DUTY at the end of the technical name. |
Users gain access to application functionality when you provision them with enterprise roles. Oracle provides you with the enterprise roles required for all the standard jobs in a CRM organization. This topic outlines the steps you must complete to provision users with the enterprise roles provided by Oracle and what additional steps you must complete if you are planning to make changes.
Follow these steps if you want to provision users with the preconfigured enterprise roles provided by Oracle:
Create resource roles if the existing resource roles do not match the job titles in your organization.
Resource roles indicate the role the resource plays in the CRM organization. When you create users for Oracle Fusion CRM applications, you must specify their resource role, which appears as the job title of the person in the resource directory and in social applications, such as the Activity Stream.
You also use resource roles to trigger the provisioning rules you will set up in the next step.
Oracle supplies the resource roles that correspond to the preconfigured job roles. For example, Oracle includes the Sales Vice President and the Marketing Vice President resource roles, which correspond to the Sales VP and the Marketing VP job roles.
If your organization uses different titles, then you must create additional resource roles.
You can review a list of the existing resource roles and create additional resource roles by navigating to the Setup and Maintenance work area and searching for the Manage Resource Role Lookups task.
See the Creating Resource Roles: Worked Example help topic for step-by-step instructions on creating resource roles.
Create rules that automatically provision users with job roles and abstract roles.
When you create users, the provisioning rules automatically provision users based on the user resource role and employment status.
You must create the provisioning rules from the Setup and Maintenance work area, by using the Manage HCM Role Provisioning Rules task.
See the following help topics for information on best practices to create the rules and step-by-step instructions:
Rules to Automatically Provision Oracle Fusion CRM Users with Enterprise Roles: Explained
Creating Rules to Automatically Provision Enterprise Roles to Oracle Fusion CRM Users: Worked Example
You are now ready to create users.
The following steps will help you plan your security implementation if you decide to make changes to the preconfigured job roles and abstract roles provided by Oracle:
Review the enterprise roles provided by Oracle.
Details on the available job roles, abstract roles, duty roles, privileges, and data security roles are described in reference manuals organized by different business areas, such as sales, marketing, and partner relationship management.
If the jobs in your organization do not match the job roles provided by Oracle, then you can modify access for users by assigning them with multiple existing job roles or creating new job roles. Creating new job roles makes it possible for you to select which duty roles to include and, in some cases, to configure new data security policies that govern on what data those duty roles grant access to.
Create any additional job roles.
You create additional job roles in Oracle Identity Manager, an Oracle Fusion Middleware application, which can be accessed from the Setup and Maintenance work area by using the Manage Job Roles task.
Note
If you are implementing security in the Oracle Sales and Marketing Cloud Service, then you must request the Oracle provision administrator to create job roles for you because access to this functionality has not been extended to the Oracle Sales and Marketing Cloud Service.
Before creating job roles, review the hierarchy of job roles and duty roles in the security reference manuals. The hierarchy of duty roles is not visible when you view them in Oracle Identity Manager.
Each job role includes a top-level duty role with the same name, which inherits all the other duty roles. If you want to give additional functionality to a group of users, for example, sales managers, then assign the Sales Manager Duty role to the job role you are creating to inherit all the current permissions and data access, and then add whatever additional duty roles you needed.
Tip
Oracle Identity Manager uses different terminology from Oracle Fusion CRM. Job roles and abstract roles are referred to as roles.
Create duty roles and add them to the job roles that you created.
If you do create a job role, then use the Oracle Authorization Policy Manager, which is a separate Oracle Fusion Middleware application, to do the following:
Create a top-level duty role for the job role.
Add the duty roles that you want to inherit to that top-level duty role.
Associate the job role that you created with your duty role on the External Role Mapping tab.
Tip
Oracle Authorization Policy Manager uses different terminology from Oracle Fusion CRM. Duty roles are referred to as application roles and job roles as external roles. You can identify duty roles by the word DUTY at the end of their names.
You can access Oracle Authorization Policy Manager from the Setup and Maintenance work area using the Manage Duties task.
Detailed steps on how to create a job role and duty role are provided in the following help topic: Enabling Sales Representatives to Obtain Microsoft Outlook Access to All Sales Accounts: Worked Example.
The duty role that you create inherits all of the data security policies from the duty roles that you add. You can create additional data security policies if you want to change user access to specific data. For example, the predefined data security policies for the duty roles inherited by the Sales Representative Duty permit salespeople to view only sales accounts if they are on the sales account team. If you want to give salespeople access to all sales accounts, then you can create a data security policy. The same example, Enabling Sales Representatives to Obtain Microsoft Outlook Access to All Sales Accounts: Worked Example, provides the detailed steps.
Retrieve any security changes made in Oracle Identify Manager (stored in the Lightweight Directory Access Protocol (LDAP) store) so they are available for creating users.
Modifications to the reference become available only after the LDAP store is synchronized. The Oracle Sales and Marketing Cloud Service takes care of the synchronization for you. If you are implementing on premises, then you must run the synchronization process from the Setup and Maintenance work area using the Run User and Roles Synchronization Process task.
Follow the steps for implementing the preconfigured security described in the Implementing Security If You Plan to Use Enterprise Roles Provided by Oracle section.
This topic explains what happens if you omit the security setups and highlights the differences between implementing security on premises and in the Oracle Sales and Marketing Cloud Service.
If you plan to use only the preconfigured enterprise roles provided by Oracle, then you must:
Review the existing resource roles to see if they correspond to the titles of the different resources in the CRM organization, and create any additional resource roles you need.
Create the provisioning rules to automatically provision the required job roles and abstract roles.
If you are implementing on premises, then you must Synchronize the Lightweight Directory Access Protocol (LDAP) store by using the Run User and Roles Synchronization Process task from the Setup and Maintenance work area.
If you are implementing in the Oracle Sales and Marketing Service, then the process is run for you.
The following table highlights the differences between implementing security on premises and in the Oracle Sales and Marketing Cloud Service:
Task |
On Premises |
Oracle Sales and Marketing Cloud Service |
---|---|---|
Creating additional job roles |
You can create additional job roles from the Setup and Maintenance work area using the Manage Job Roles task. |
You must request the service administrator to create additional job roles. |
Synchronizing the LDAP store |
You must synchronize any changes to security by using the Run User and Roles Synchronization Process task from the Setup and Maintenance work area. |
This process is run for you. |
Siebel CRM and Oracle Fusion CRM implement different methods of securing access to application functionality and data. This topic outlines the mechanisms provided by Siebel CRM to control the privileges or resources that users are entitled to after they have accessed a Siebel application and been authenticated. For additional information on Siebel CRM security, see Siebel Security Guide on Oracle Technology Network.
Siebel CRM uses two primary access-control mechanisms:
View-level access control to manage the application functionality that a user can access
Record-level access control to manage the data items that are visible to each user on a view
In Oracle Fusion CRM, access to functionality is provided by assigning enterprise roles to users. In Siebel CRM, access to functionality is provided by assigning responsibilities to users.
Within each Siebel application, screens provide a broad area of functionality. A screen is composed of views, and the collection of views to which users have access determines the application functionality available to them. Access to views is determined by responsibilities.
Organizations are generally arranged around job functions, with employees being assigned one or more functions. In Siebel CRM, these job functions are called responsibilities. Each responsibility is associated with more or more views, which represent data and functionality needed for a job function. Each user must be assigned at least one responsibility to access the Siebel application.
Siebel Business Applications ship with many predefined responsibilities. However, you can also define any additional responsibilities that you require that correspond to the major job functions in your organization.
Record-level access control is used to assign permissions to individual data items within an application so that only authenticated users who need to view particular data records have access to that information. In Oracle Fusion CRM, access to data is primarily determined by the data security policies that apply to specific enterprise roles. In Siebel CRM, the access control mechanism that applies to a view determines the data records that a user sees in a view.
Siebel CRM uses the following types of record-level access control mechanisms:
Personal access control. Access to data associated with a user's Person record in the database is restricted to that user.
Position access control. Access to data that is specific to a job title is restricted to users assigned that job title, to their team members, or to their subordinates.
Organization access control. Employees assigned to a position within an organization are granted access to the data assigned to that organization.
Access-group access control. Access groups are used to control access to master data by diverse groups of individuals.
All-access control. All-access control provides access to all records in a view that has a valid owner. If a view applies all-access control, then all users with access to the view see the same data in the view.
Within Siebel CRM, views are based on business components and must use one of the view modes specified for the business component. A business component's view mode determines which access control mechanisms can be applied to the business component in any view. Applet and view properties also determine the data available in a view. Applet visibility properties define the business component on which a view is based, and a view's access control properties determine what access control mechanism is applied to the business component on which the view is based. For example, a business component might have personal or position access control available. The view access control property specifies which of these to use.
Follow the steps in this topic to create resource roles. Resource roles, for example, Sales Manager, Salesperson, or Vice President of Marketing, describe the role that a resource plays in the CRM organization and appear as job titles in the resource directory and in social applications, such as Activity Stream. Resource roles are also used to assign users with the enterprise roles they need to carry out the duties of their job.
After you create a resource role, you must create the appropriate provisioning rules to provision the user with the required enterprise roles. The resource role by itself is only a title.
Note
Common CRM resource roles are already set up for you. These are labeled as System roles in the application. To obtain a list, click Search in the Manage Resources page without entering any search criteria.
The Manage Resource Roles page appears.
The Create Resource Role page appears.
By creating rules using the Manage HCM Role Provisioning Rules task from the Setup and Maintenance work area, you can automatically provision users with all the enterprise roles they need for their job. These roles ensure the users have access to all the application functions and data they need to carry out their job duties. The rules automatically provision the users when they are created or move positions within your organization. If resources leave your company, the roles can be automatically removed so the resources can no longer access the application.
You must ensure that the rules you create assign Oracle Fusion CRM application users with:
One or more job roles required to perform their job in the organization.
If the users work in the CRM organization, then you must assign them the Resource abstract role. This role permits users to be assigned to sales teams, territories, and other CRM work.
If the users are employees, then you must also assign them with the Employee abstract role. If they are temporary workers, then you must instead assign them with the Contingent Worker abstract role.
In CRM, both abstract roles assure that users can update their personal profiles and other common tasks.
As a best practice:
Create rules that provision the Resource abstract role and the job roles users need to perform their job based on the resource role assigned to them. Most resource roles will require just one job role, but some may have more than one. For example, the Sales and Marketing Vice President may require both the Sales VP and the Marketing VP job roles.
Create one rule that provisions all users who are employees (Person Type of Employee) with the Employee abstract role.
If you hire contractors, then create a separate rule to provision the Contingent Worker abstract role to all users with the Person Type of Contingent Worker.
For all rules you create, ensure that the privileges the users are granted are automatically removed when they are no longer with the company. You can do this by stipulating the condition that the rule apply only when the user has the Assignment Status of Active.
If you plan to create users to perform implementation tasks who are not resources in the CRM organization, then you must create a provisioning rule that is based not on the resource role but some other user attribute. For example, you can create a rule to provision the required Application Implementation Consultant and IT Security Manager job roles based on the user's job assignment.
The following figure provides an example of the rules you would create to provision employee users who are assigned the Sales Manager resource role:
Rule one assigns the Employee abstract role to users who are employees with an Assignment Status of Active.
Rule two assigns the Sales Manager job role and the Resource abstract role to users with the Sales Manager resource role and an Assignment Status of Active.
Follow the steps in this example to create rules that automatically provision Oracle Fusion CRM application users with the necessary enterprise roles. The provisioning is based on the resource role that you assign to a user.
In this example, you create a rule to provision users with the Sales Vice President resource role with the enterprise roles they need to perform their jobs.
The Manage HCM Role Provisioning page appears.
The Create Role Mapping page appears.
This additional condition ensures that the provisioned enterprise roles are automatically removed if the user is terminated.
Sales Vice President
Resource
Note
Each CRM resource who is an employee must be provisioned with both the Resource and Employee abstract roles. You must create a separate rule that assigns the required Employee abstract role to all users who are employees. You must always provision the Resource role along with the appropriate job roles. This provisioning ensures that the user can be assigned work in your CRM application.
This topic outlines concepts that will help you understand and plan the creation of Oracle Fusion CRM applications users.
The types of users that are available to you differs for Oracle Sales and Marketing Cloud Service implementations and on-premises implementations.
On-premises implementations can use Oracle Identity Manager, an Oracle Fusion Middleware application, to create and provision enterprise roles to implementation users outside Oracle Fusion CRM applications.
Oracle Sales and Marketing Cloud Service implementations do not have access to Oracle Identity Manager, so you must create and provision implementation users within Oracle Fusion CRM. The term setup users distinguishes the implementation users created from within the Oracle Fusion CRM applications from those created in Oracle Identity Manager.
The following table lists the different user types. Because permissions granted to users depend on the enterprise roles you assign them, you are not restricted to the user types listed in the table.
Type of User |
Description |
Available in On-Premises Implementations of Oracle Fusion CRM |
Available in the Oracle Sales and Marketing Cloud Service |
---|---|---|---|
Superuser (FAADMIN) |
The initial superuser who sets up the Oracle Fusion Applications environment. |
Yes, provided by Oracle after installation. |
No. |
Implementation Users |
The FAADMIN superuser can create other implementation users outside Oracle Fusion CRM applications using Oracle Identity Manager. These implementation users complete the enterprise setup required for Oracle Fusion Applications and are enabled to manage user security and carry out DBA tasks, such as environment maintenance as well as creating and managing user accounts. Implementation users are not created as employees or resources in Oracle Fusion CRM, so you cannot assign them CRM application job roles. They cannot view CRM transaction data or reports. Implementation users are provisioned with the following enterprise roles:
|
Yes. |
No. Oracle Sales and Marketing Cloud Service implementations do not have access to Oracle Identity Manager. |
Setup Users |
Users with the same privileges as implementation users but who are created within Oracle Fusion Applications, using the same Create User page that is used to create other application users. Setup users can perform all of the same implementation setups for your CRM implementation, including managing security, setting up other users, and editing enterprise information. Setup users are not created as resources in Oracle Fusion CRM and are not provisioned with the Resource abstract role, so you cannot assign them CRM application job roles and they cannot view CRM transaction data or reports. Setup users are provisioned with the following enterprise roles:
|
Setup users are not provided for on-premises implementations. If you want to create a setup user, then you must create a provisioning rule to provision enterprise roles based on a property other than the resource role. See the Creating Setup Users for Oracle Fusion CRM: Worked Example help topic for details. |
Oracle provides you with one initial user with the same access as a setup user based on the information you provided when you signed up with the service. If you want to create additional setup users, then you must create a provisioning rule to provision enterprise roles based on a property other than the resource role. See the Creating Setup Users for Oracle Fusion CRM: Worked Example help topic for details. |
Sales Administrators |
Sales administrators are CRM application users who are provisioned with the Sales Administrator job role. They can create other CRM application users, manage data import from legacy systems, and customize the application. Unlike setup users, sales administrator users can view CRM transactional data and reports. They cannot configure CRM application security or perform tasks related to the enterprise setup. Sales administrator users are provisioned with the following enterprise roles:
|
Yes. |
Yes. |
CRM Application Users |
Implementation users, setup users, and sales administrators can create CRM application users such as marketing managers and salespersons. Application users are provisioned using their role in the organization with the security settings they need to perform their jobs. They can perform only functional setup within the application, depending on their role. Application users are provisioned with the following enterprise roles:
|
Yes. On premises implementations can create application users in any of three ways:
|
Yes. Because the loader option is not available, Oracle Sales and Marketing Service Cloud implementations can create application users in one of two ways:
|
You can create Oracle Fusion CRM application users in multiple ways. You can:
Create users individually in the user interface
Use this method for creating implementation and sales administrator users and for creating application users unless the number of the number users you are creating is very large.
Import users from a file
Import users from a file using the file-based import feature only if you have a very large number. You cannot import implementation users because the import process requires you to import CRM resources.
Load user records into the database tables
If you are implementing CRM on premises and you are creating a large number of users, then you can load users into the application using a loader of your choice.
When you create CRM implementation and application users, you are accomplishing multiple tasks at the same time, depending on the type of user. The following table lists the tasks:
Task Accomplished |
CRM Application Users |
Setup User |
Description |
---|---|---|---|
Sends automatic e-mail notifications with user names and automatically generated temporary passwords |
Yes |
Yes |
The application sends the notifications to the user or to an administrator only once, either on creation or at a later time, depending on the setup. |
Provisions the enterprise roles that provide the security settings that users need to do their jobs |
Yes |
Yes |
Enterprise roles are provisioned based on the autoprovisioning rules you create as part of the security setup. |
Creates resources that can be assigned CRM work |
Yes |
No |
Only users created as resources can be assigned to sales teams and view reports. |
Creates the resource reporting hierarchy used by Oracle Fusion CRM for reporting, forecasting, and work assignment |
Yes |
No |
You create the hierarchy by specifying a manager for each resource. |
Creates resource records that users can update with personal information to complete a directory of your CRM organization |
Yes |
No |
Only resources have their information appear in the CRM directory. |
Creates the hierarchy of resource organizations |
Yes |
Not applicable |
Each resource is assigned to a resource organization. The application uses the resource reporting hierarchy to build a hierarchy of these organizations. |
Creates rudimentary employee records for use by Oracle Fusion HCM. |
Yes |
Yes |
All users you create in the user interface or by importing generate employee records. |
For each CRM user that you create, you must enter a unique e-mail address. By default, the application automatically sends an e-mail notification with the user name and temporary password to this address immediately after the user is created. Users then sign in and change their passwords.
If you do not want users to receive the notification e-mail right away because you are in the trial phase of your implementation project, then you can disable the automatic notification using the following steps:
Navigate to the Setup and Maintenance work area.
Search for the task Manage Enterprise HCM Information on the All Tasks tab of the Overview page.
Click the Go to Task button.
In the Enterprise page, click the Edit button, and select Update.
In the User and Role Provisioning Information region, set the Send User Name and Password option to No.
Click Done.
When users are ready to receive their temporary passwords, you can send all of the notifications at the same time, using the following steps:
In the Navigator menu, select Scheduled Processes under the Tools heading.
In the Scheduled Processes Overview page, click Schedule New Process.
In the Schedule New Process dialog box, make sure the Job option is selected for Type.
Enter Send User Name and Password E-Mail Notifications in the Name field.
Click OK.
In the Process Details window, click Submit.
Click Close.
Note
The Send User Name and Password E-Mail Notifications process sends the notification e-mail only to those users who have never been sent the notification. The process does not reset passwords or resend the notification.
Alternately, you can send a notification to an individual user:
While editing the user in the Create User or Edit User page, select the Send User Name and Password check box in the User Notification Preferences region.
The resource reporting hierarchy provides the basis for CRM data security. The resource reporting hierarchy need not mirror the formal reporting hierarchy, which is captured separately in the Oracle Fusion HCM application if it has been implemented.
Note
In Oracle Fusion CRM, you can have only one hierarchy reporting to one person.
You build a resource reporting hierarchy when you create CRM application users by specifying the manager for each user. If you are creating users one-by-one in the user interface, then you must start by creating the user at the top of the hierarchy and work your way down. If you are importing users using file-based import, then the order does not matter provided that all of your users are in the same file.
In Oracle Fusion CRM, you must assign each manager that you create as a user with his or her own resource organization. All direct reports who are individual contributors inherit their manager's organization.
In Oracle Fusion CRM, resource organizations serve a limited purpose. Their names appear in the application's Resource Directory, which users can access to obtain information about their coworkers, and in social media interactions. Resource organizations are not used for work assignment.
The following screen capture shows the Resource Directory, which is available on the application Navigator. The resource organization names appear under each person's title.
The application automatically builds a resource organization hierarchy, using the resource reporting structure.
Suppose, for example, that your CRM enterprise includes sales and marketing departments that report to the Executive VP of Sales and Marketing and its members as follows:
Mathew Fullerton, Executive VP Sales and Marketing
Bob Doyle, Sales VP
Mateo Lopez, Sales Manager
Gabrielle Lee, Sales Manager
Jillian Henderson, Sales Representative (reporting to Mateo Lopez)
Joseph Kerr, Sales Analyst (reporting to Gabrielle Lee)
A diagram of the reporting hierarchy looks like the following:
Now, also suppose that you create the following resource organizations and assign them to the managers.
Manager |
Assigned Resource Organization |
---|---|
Mathew Fullerton |
Sales and Marketing |
Bob Doyle |
Sales |
Lillian Jones |
Marketing |
Mateo Lopez |
Sales West |
Gabrielle Lee |
Sales East |
The application automatically builds the resource organization hierarchy, shown in the following figure, using the hierarchy of managers.
The resource organizations remain even if managers leave. You can reassign the resource organizations to their replacements.
The resource organization names do not have to reflect the names of departments. Departments are tracked along with employee records in the Oracle Fusion HCM application if it has been implemented. The resource organizations are not used in application security or to assign work to users. For example, you cannot include a resource organization on an opportunity sales team or as a territory owner.
When you create application users, you must include information that is used to create basic employee records for the Oracle Fusion HCM application. This requirement is part of the CRM application architecture. These records are used only if you are implementing this application now or plan to do so.
Attribute |
Definition |
On Premises |
Oracle Fusion Sales and Marketing Cloud Service |
---|---|---|---|
Person Type |
Enter either Employee or Contingent Worker, depending on whether the user you are creating is an employee or a contractor. The selection you make is used for provisioning either the Employee or the Contingent Worker abstract role. |
Enter either Employee or Contingent Worker. |
Enter either Employee or Contingent Worker. |
Legal Employer |
Enter the name of the legal entity that is the user's employer. |
Enter the name of the legal entity that you defined as part of the enterprise setup. |
Enter the legal entity that was set up for you based on the information you provided when you signed up with the service. |
Business Unit |
The business unit where your CRM applications are being used. All CRM applications must be implemented in the same business unit. |
Enter the business unit that you defined as part of enterprise setup. |
Enter the business unit that was set up for you based on the information you provided when you signed up with the service. |
This topic describes the different applications and application modules that you use when you create Oracle Fusion Customer Relationship Management (CRM) users. These include Oracle Fusion Human Capital Management (HCM), File-Based Data Import, Universal Messaging Service, and Oracle Identity Management, which is an Oracle Fusion Middleware application.
The following figure outlines the different application components that you use when you are creating and managing users:
Creating users
You can create CRM application users in one of three ways. Each method involves different application components.
To create users individually in the user interface, you select the Manage Users option in the application Navigator.
The Create User page is part of the Oracle Fusion HCM application, but you are not required to purchase or to implement Oracle Fusion HCM. The core Oracle Fusion HCM features that are required to create and manage CRM users are provided with Oracle Fusion CRM.
To import users from a file, use the tasks in the setup task group Define File-Based Data Import. You can search for this task group from the Setup and Maintenance work area. You can use the File-Based Data Import task group, which is described in a separate topic, to import many application objects, including customer records, opportunities, and leads.
If you are implementing CRM on premises, then you can also create users by importing them using a loader of your choice. To use a loader, select Data Import under the Customer Data Management heading in the Navigator menu, or use the Define Trading Community Import task list in the Setup and Maintenance work area.
Managing notifications
When you create users using any of these methods, you can automatically send an e-mail notification with the user name and temporary password. The e-mails are sent by the User Messaging Service, a part of the Oracle Service-Oriented Architectures Suite, which is a separate Oracle Fusion Middleware application. If you are implementing your CRM application on premises, then a superuser can also manage the notifications and the notification templates from the User Messaging Service application.
Managing users
When you create users, basic user information is copied to Oracle Identity Management, which is a separate Oracle Fusion Middleware application. If you are implementing CRM on premises, then you can use Oracle Identity Management for user management. For example, you can use Oracle Identity Management to reset user passwords and manage the enterprise roles that provision users with the security settings they require to carry out their duties. On premises implementations can use Oracle Identity Management to create implementation users, but not CRM application users.
The following table provides a breakdown by task or component:
Component or Application |
Description |
Navigation |
---|---|---|
Define File-Based Data Import task group |
Use the Define File-Based Data Import task group, which is a common component of Oracle Fusion Applications, to import users from a file. |
Navigate to the Setup and Maintenance work area and search for the Define File-Based Data Import task group. |
Oracle Fusion HCM |
Use the Manage Users task to create and manage user records. |
Select the Manage Users link in the Navigator.. |
User Messaging Service |
If you are implementing CRM on premises, then you can use this application to manage the e-mail server that sends notifications to users. The notifications contain the user names and temporary passwords. |
Sign in to the User Messaging Service as described in that application's documentation. |
Oracle Identity Management |
If you are implementing CRM on premises, then you can use Oracle Identity Management to create and manage job roles, as well as manage users and passwords. Although you can create users, you cannot create users as resources. This restriction means that you cannot create Oracle Fusion CRM application users in Oracle Identity Management alone. |
You can use the Manage Job Roles task from the Setup and Maintenance work area to start the application in a separate browser window. |
This topic provides an overview of how to create Oracle Fusion Customer Relationship Management (CRM) application users and their resource organizations.
This topic covers:
Creating the resource organization at the top of the CRM organizational hierarchy
Creating the resource organizations that you must assign to each manager
Creating the users
Before you create CRM users you must:
Make sure that all enterprise information has been set up.
Complete the security setup. Make sure you have all the resource roles, enterprise roles, and autoprovisioning rules you need for the users you are creating.
Before you can create resource organizations for your users, you must create the top-level organization in your hierarchy.
To create the top-level organization, do the following:
Create the top-level organization as you would create any other resource organization by using the Manage Sales and Marketing Organizations task from the Setup and Maintenance work area.
Specify the resource organization that you created as the top of your sales and marketing hierarchy by using the Manage Resource Organization Hierarchies task from the Setup and Maintenance work area.
For more information, see the Creating the Top Level of the CRM Resource Organization Hierarchy: Worked Example help topic.
If you are creating users individually in the user interface using the Create User page, then you can create the resource organizations while you are creating the users, or you can create them before using the Manage Sales and Marketing Organizations task from the Setup and Maintenance work area.
If you are importing users, then you must have the resource organizations created before you import any data.
Note
When creating resource organizations:
Do not use the name of the manager in the name of your resource organization because you can reassign the organization to a new manager if the current one changes or leaves.
Create a separate resource organization for each manager user. This requirement applies even if the managers work in the same organization.
For more information, see the Creating Resource Organizations for Oracle Fusion CRM: Worked Example help topic.
This section provides an overview of the different methods of creating Oracle Fusion CRM users:
To create users individually in the user interface:
Navigate to the Manager Users work area, which is available as a selection on the application's Navigator.
The Create User page, displays up to six regions, depending on your release version, your enterprise defaults, and the enterprise roles assigned to you. The following screen capture shows the page.
The following table describes the regions.
Create User Page Region |
Description |
---|---|
Personal Details |
You are required to enter the user's last name, hire date, and a unique e-mail address for the initial e-mail notification. |
User Details |
Enter the user name that the user will use to sign in. |
User Notification Preferences |
Select the option in this region if you want to send the user name and password to the user you are creating. This region appears only if you decided to turn off automatic notifications by setting the Send User Name and Password option to No while editing the enterprise information using the Manage Enterprise HCM Information task. |
Employment Information |
The information you enter in this region is used to create the basic employee record for use with the Oracle Fusion Human Capital Management (HCM) application. Only the required fields are relevant to CRM. |
Resource Information |
Make entries in this region if you are creating a CRM application user who is a CRM resource. Leave this region blank for setup users who are not members of the CRM organization. You must enter a resource role and a manager for every CRM application user, because access to application data depends on the resource hierarchy. For every user with a manager resource role, you must enter a resource organization. The resource role you select determines the job roles that the user will be assigned when you click the Autoprovision Roles button |
Roles |
Clicking the Autoprovision Roles button provisions the user with the enterprise roles that provide access to the application functions and data. If you are importing resources from a file, then the autoprovisioning is done automatically. |
To import users from a file:
Use the Manage File Import Activities task from the Setup and Maintenance work area, and create an import activity. To import users, you must select the Employee Resource object when creating the import activity. Before you can import users, you must:
Understand what attributes are required, and what values are permitted.
Create a mapping between the user data that you are importing and the attributes in the application.
Refer to Define File-Based Data Import topics for more information on how to import users and other data.
If you are implementing CRM on premises, then you can load user data into the application by using a loader of your choice.
Use the Import Worker Users task from the Setup and Maintenance work area.
This topic summarizes the main differences between creating users when you are implementing Oracle Fusion CRM on premises and in the Oracle Sales and Marketing Cloud Service.
The following table summarizes the main differences.
Feature |
On Premises |
Oracle Sales and Marketing Cloud Service |
---|---|---|
Using Oracle Identity Manager to create and manage users. |
Yes. |
No. |
Loading users directly into interface tables using a loader of your choice |
Yes. |
No. |
In Oracle Fusion CRM, you must assign a resource organization to each manager user that you create. All direct reports of that manager inherit the organization. You can create resource organizations before you create users according to the steps in this example.
The Manage Sales and Marketing Organization page appears.
The Create Organization: Select Creation Method page appears.
The Create Organization: Enter Basic Information page appears.
Specifying a usage determines whether the organization is visible when creating a sales manager or a marketing manager.
Use this example as a guide for creating the resource organization at the top of the resource organization hierarchy. You must complete this setup before you create users.
When you create users who are managers in the Oracle Fusion CRM organization, you must assign a resource organization to each of them. The application automatically builds a resource organization hierarchy for you from the management hierarchy that you create.
Before you can create the resource organizations for the managers, you must create the top-level resource organization in your hierarchy following the steps in this example.
Creating the top-level resource organization in the resource organization hierarchy involves the following:
Creating the resource organization
Specifying the organization as the top of your sales and marketing hierarchy
The Create Organization: Select Creation Method page appears.
This step identifies how the organization is being used.
The Manage Resource Organization Hierarchies page appears.
You will associate the resource organization you created with the predefined hierarchy type.
The Edit Organization Hierarchy Version page appears.
The Add Tree Node window appears.
The Search Node window appears.
The application returns you to the Edit Organization Hierarchy Version page.
Follow the steps in this example to create a setup user, an application user with the privileges to set up application security, make changes to the enterprise setup, create other users, and complete most setup tasks. Because setup users are not created as CRM resources, they cannot view CRM data or reports and cannot be assigned to sales teams and territories.
Setup users do not work in the CRM organization and so should not appear in the CRM application directory or be available as resources for assignment to sales teams. For this reason, you do not specify a resource role or any other resource information for this type of user.
To provision these users with the required Application Implementation Consultant and IT Security Manager job roles, you must create a provisioning rule that is triggered not by the resource role assigned to the user, but by some other attribute. In this example, you will trigger the rule on the user's job.
To create the setup user, you will:
Sign in as a user with implementation privileges. This can be another setup user.
Create the job that will trigger the rule, Customer Administrator in this example.
Synchronize the Lightweight Directory Access Protocol (LDAP) directory with any changes to the security setups by running a scheduled process.
The LDAP directory enables quick access by CRM Fusion Applications to security settings, so it is a good idea to update the directory to make sure it reflects all the latest security changes.
Create the provisioning rule to provision the required enterprise roles to users with the Customer Administrator job.
Create a rule to provision the Employee abstract role to all employee users. This is a one-time setup, so you can ignore this step if you created the rule previously.
Create the user.
To create the job:
The Manage Job page appears.
The Create Job: Details page appears.
To update the LDAP directory:
The Schedule New Process window appears.
To set up the provisioning rule that automatically assigns the appropriate enterprise roles:
The Manage HCM Role Provisioning page appears.
Application Implementation Consultant
IT Security Manager
You must create one rule to provision all users who are employees with the Employee abstract role. This is a one-time-only setup.
To create the provisioning rule for employees:
The Manage HCM Role Provisioning page appears.
To create the setup user:
The Manage Users page appears.
The Create User page appears.
Field |
Entry |
---|---|
Last Name |
Enter the user's last name. Entry is required. |
First Name |
Optionally, enter the user's first name. |
|
Enter a unique e-mail address. This e-mail address is used to send the initial notification to the user and can be changed later. |
If this region is not present in the page, then the notification will be sent automatically.
Field |
Entry |
---|---|
Person Type |
Select Employee. Do not select Contingent Workerbecause enterprise role provisioning is based on the employee's job, a field that appears only for employees. |
Legal Employer |
Select the legal employer created as part of enterprise setup. If you are implementing in the Oracle Sales and Marketing Cloud Service, then the legal employer was set up for you based on the information that you provided when you signed up for the service. |
Business Unit |
Select the business unit created as part of enterprise setup. If you are implementing in the Oracle Sales and Marketing Cloud Service, then the business unit was set up for you based on the information that you provided when you signed up for the service. |
Job |
Select the job you created earlier. |
The Roles region should now display the following roles:
Application Implementation Consultant
IT Security Manager
Employee