Oracle® Retail Merchandising Implementation Guide
Release 14.1
E56350-01

3 Oracle Retail Application Security Roles Manager

Oracle Retail Application Security Roles Manager applies to Oracle Retail Sales Audit (ReSA) and Oracle Retail Allocation.

Introduction

Most retailers already have their security systems and groups defined and available for use. As part of the Oracle Retail application security setup, default enterprise roles/groups and their mappings to application roles are provided with every application. These enterprise roles/groups may not map one-to-one to retailers' security groups. Oracle Retail Application Security Roles Manager (RASRM) provides a way for retailers to modify the default enterprise roles so they map to their security groups. It also provides a way for retailers to change the mappings of the enterprise roles/groups to the application roles.

Technical Overview

The following diagram and descriptions present a high-level technical overview of RASRM.

Figure 3-1 RASRM Technical Overview Diagram


  1. The Oracle Retail Allocation and Oracle Retail Sales Audit (ReSA) applications have been designed to use RASRM. The Retail applications' installer installs RASRM as an application that can be invoked by a link in the host applications' global menu. When RASRM is invoked with this link it allows the user to modify the policies within the policy store relevant to the host application (for example, Oracle Retail Allocation).

  2. Retail Application Security Roles Manager (RASRM) - This is the application that allows users to perform CRUD (Create, Read, Update, Delete) operations on policies within the Policy Store.

  3. Policy Store - The repository for policies, comprising one or more application stripes and code-based grants. Because the OPSS Management API is used to read from the policy store, whether the Policy Store is file-based, database-based, or of another type is irrelevant to RASRM. The API abstracts that deployment choice from RASRM.

Roles Explained

The following is an explanation of Enterprise (or Job) Roles and Application (or Duty and Privilege) roles:

Job Roles

Job roles are called as such because they closely map to the jobs commonly found in most organizations.

Naming Convention: All retail job role names end with '_JOB'.

Example: ALLOCATOR_JOB.

Duty Roles

Duties are tasks or responsibilities one must do on a job.

Duty roles are roles that are associated with a specific duty or a logical grouping of tasks. Generally, the list of duties for a job is a good indicator of what duty roles should be defined.

Duties that you create should be self-contained and pluggable into any existing or new job role.

Naming Convention: All retail duty role names end with '_DUTY'.

Example: ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY.

Privilege Roles

Privilege is the logical collection of permissions. A privilege can be associated with any number of UI components. Privileges are expressed as application roles.

Naming Convention: All retail privilege role names end with '_PRIV'.

Example: ALC_ALLOC_SEARCH_PRIV

Integration

RASRM is accessed from the drop down menu displayed when clicking on the logged-in administrator user ID located on the Retail application's global menu (see Figure 3-2, "RASRM User Menu"). The link launches RASRM's Role Mapping page which displays only the launching application's roles. The administrator can then perform role mapping for the application.

Security

RASRM uses ADF security to implement functional security. The enforcement of functional security is delegated to Fusion Middleware.

RASRM allows retailers to tailor Oracle Retail applications' default security models to their enterprise business model. This tool also helps retailers manage their Retail applications' security metadata. RASRM provides:

  • The ability to create new Application Roles (DUTY) through the Manage Roles Mapping task.

  • The ability for a retailer to change the default role mappings based on its business needs.

  • The ability for clients to back up the role mappings to a file in their local file system.

  • Export capability to facilitate the backup and migration of policies from one environment to another.

Navigation

RASRM is enabled within an application. It is accessed from the user menu option in the Global area of the main application page and is available only to users with the following job roles:

Table 3-1 RASRM Security Privileges

Role                   Duty                Privilege
System Administrator   Manage Duty Roles   Create
                                           Delete
                                           Duplicate
                                           Export
                                           Select and Add
                                           Edit

Accessing RASRM

RASRM is accessed through a RASRM-supported application. Attempting to access RASRM directly through the URL results in an error.

  1. Click the RASRM application link in the user menu.

    Figure 3-2 RASRM User Menu


    A new tab window or browser window is launched (depending on your browser settings).

  2. From the Retail enterprise platform default login screen (for non-single sign-on), enter your username and password.

Task Flows

RASRM consists of two main task flows used to fulfill the above mentioned business requirements.

  • Manage Duty Roles Task

  • Manage Roles Mapping Task

Manage Duty Roles Task

Figure 3-3 Manage Duty Roles Screen


The Manage Duty Role task flow allows users to create or delete duties. Users can create a new duty role to map according to the retailer's enterprise business model.

When a user clicks the manage duty role task flow from the regional area, it opens a new tab in the local area. A table is displayed with all the duties associated with the application. The table toolbar has the following action menu:

  • Add

  • Edit

  • Delete

  • Export to Excel

A quick search component is provided on the table toolbar to quickly look up any desired record.

Add

The Add action is enabled at all times and allows you to add a new duty role.

Add a Duty Role
  1. From the Actions menu, select Add. The Add Duty Role dialog is displayed.

    Figure 3-4 Add Duty Role Dialog


  2. Enter a duty name and (optionally) a description for the new duty role and click OK.

    When you enter a name and move to the Description field, or when you click OK, RASRM performs a validation to prevent name duplication. If the name entered already exists, the following error message is displayed: "A Duty with this name already exists. Enter a unique name." If the duty name is unique, the new duty is created.

    All newly created duties are reflected in the database, allowing them to be mapped to a role.

Edit

The Edit action is enabled when a duty role is selected. The Edit action is used to add or modify the description of an existing duty role.

Edit a Duty Role
  1. Select the duty role you want to edit.

  2. From the Actions menu, select Edit. The Edit Duty Role dialog is displayed.

    Figure 3-5 Edit Duty Role Dialog


  3. Add or modify the description of the duty role and click OK. Any updates to the description are updated to the mapping that the duty is mapped against.

Delete

The Delete action is enabled when you select a level that can be deleted from the database.

Only empty duty roles that do not contain any child duty or child privilege roles can be deleted. This is because a child privilege is associated with application code. Therefore, to delete the duty role, you must first remove all mappings between the duty and the child duties and privileges. If you attempt to delete a duty role without first removing the mapping, the following error message is displayed: "You cannot delete duty because it has duties or privileges associated with it. Remove these mappings using Manage Roles Mapping task."

Delete a Duty Role
  1. Select the duty role you want to delete.

  2. From the Actions menu, select Delete. The Confirm dialog is displayed.

    Figure 3-6 Delete Duty Role Confirmation Dialog


  3. Click Yes to delete the selected duty role.

Export to Excel

The Export to Excel action is enabled whenever you have the Manage Duty Roles window open. This action allows you to export the Manage Duty Roles list to a Microsoft Excel spreadsheet.

Manage Roles Mappings Task

Figure 3-7 Manage Roles Mappings Screen


The Manage Roles Mapping task allows you to add or remove duties or privileges associated with a job role.

When you click the Manage Roles Mapping link, a new tab is opened in the local area that displays a tree table with the already associated roles of the respective application (that is, the source application from which RASRM was launched). You can then choose to perform the following actions:

  • Duplicate

  • Delete

  • Export to Excel

  • Select and Add

  • Remap

A quick search component is provided on the table toolbar to quickly look up any desired record.

Duplicate

The Duplicate action allows you to copy and paste existing job roles to create a new role. For example:

Within a retailer enterprise security system there are two security groups called Allocator_xyz and Assistant_Allocator_xyz. By default, only the Allocator role is provided. The Assistant Allocator role is a trimmed down version of the Allocator role with fewer privileges. You can use the Duplicate action to copy the Allocator role and then edit the privileges of the new role.

Duplicate a Job Role
  1. Select the job role you want to duplicate.

  2. From the Actions menu, select Duplicate. The Duplicate Role dialog is displayed.

    Figure 3-8 Duplicate Role Dialog


  3. Enter a name for the duplicated role and click OK.

    When you click OK or tab out of the field, the new name is validated. The validation checks for a valid name in the enterprise security solution of the retailer. If it finds a match, then it allows the user to proceed. If the name is not valid, an error is displayed.

Delete

The Delete action is enabled when a duty or privilege role is selected.

When the user selects a duty or privilege role and clicks Delete, the user is prompted with a warning message. Click Yes and the selected role and all its associated role mappings are removed.


Note:

The Delete action does not delete the role from the database; it only removes the mapping.


Note:

The RASRM 14.1 release has a known issue in the deletion of a duty role from a job role. When a duty role is deleted from a job role, that duty role gets deleted from all the job roles instead of just from that job role. See Oracle Retail Application Security Roles Manager Deleting a Duty Role from a Job Role (Doc ID 1942577.1) on My Oracle Support for more information.
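
One way to check whether a Delete was affected by this known issue is to compare the job-to-duty mappings captured before and after the change. The following is an added example, not Oracle code: the two-column CSV layout is an assumption (the page does not describe the export format), the snapshots are constructed, and role names starting with EXAMPLE_ are hypothetical.

```python
import csv
import io

# Constructed snapshots (not RASRM output). Assumed layout: one job_role,duty_role
# pair per row, for example prepared from an Export to Excel sheet.
BEFORE_CSV = """job_role,duty_role
ALLOCATOR_JOB,ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY
ALLOCATOR_JOB,EXAMPLE_SEARCH_DUTY
EXAMPLE_ASSISTANT_ALLOCATOR_JOB,EXAMPLE_SEARCH_DUTY
EXAMPLE_AUDITOR_JOB,EXAMPLE_SEARCH_DUTY
"""
# State after deleting EXAMPLE_SEARCH_DUTY from the assistant role only.
AFTER_CSV = """job_role,duty_role
ALLOCATOR_JOB,ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY
"""


def load_snapshot(text):
    """Parse job_role,duty_role rows into {job role: set of duty roles}."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        snapshot.setdefault(row["job_role"].strip(), set()).add(row["duty_role"].strip())
    return snapshot


def review_delete(before, after, job, duty):
    """Compare snapshots around one intended removal of duty from job.

    Returns whether the intended mapping is gone, plus every other job-to-duty
    mapping that disappeared, grouped by job role so it can be re-added.
    """
    removed = {(j, d) for j, duties in before.items()
               for d in duties - after.get(j, set())}
    collateral = {}
    for j, d in sorted(removed - {(job, duty)}):
        collateral.setdefault(j, []).append(d)
    return {"intended_removed": (job, duty) in removed, "collateral": collateral}


if __name__ == "__main__":
    result = review_delete(load_snapshot(BEFORE_CSV), load_snapshot(AFTER_CSV),
                           "EXAMPLE_ASSISTANT_ALLOCATOR_JOB", "EXAMPLE_SEARCH_DUTY")
    print(result)
```

A non-empty collateral entry lists the job roles that lost the duty unintentionally and need it re-added with Select and Add.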

Export to Excel

The Export to Excel action is enabled whenever you have the Manage Roles Mapping window open. This action allows you to export the Manage Roles Mapping list to a Microsoft Excel spreadsheet.

Select and Add

Select and Add is enabled when a job, duty, or privilege is selected. Select and Add allows you to do the following:

  • Add duty roles to job roles

  • Add duty and privilege roles to duty roles

  • Add privilege roles to privilege roles.

Select and Add a Duty
  1. Select the job role to which you want to add a duty role.

  2. From the Actions menu, select Select and Add. The Select and Add dialog is displayed.

    Figure 3-9 Select and Add Dialog


    The Select and Add dialog has selected job, duty, or privilege fields populated and a shuttle component for the user to select from all the available duties or privileges for the applications.

  3. Select one or multiple duties and privileges and click OK to select and add them to the job role.

    If you select a duty level then all the associated privileges with it are inherited to the job role. If a privilege is selected then only that privilege is added under the selected duty role.


    Note:

    To add a new job role, the user should use the Duplicate feature.
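
The inheritance described for Select and Add can be checked offline by resolving which privileges a job role actually reaches, for example to confirm that a duplicated and trimmed role holds no privilege its source role lacks. This is an added example, not Oracle code: the mapping is constructed sample data, names starting with EXAMPLE_ are hypothetical, and ALLOWED_CHILDREN is one reading of the three Select and Add bullets above.

```python
# Added example, not Oracle code. SAMPLE_MAPPING is constructed data; names that
# start with EXAMPLE_ are hypothetical roles.
SUFFIXES = ("_JOB", "_DUTY", "_PRIV")
# Parent kind -> child kinds, following the Select and Add rules (an assumption).
ALLOWED_CHILDREN = {"_JOB": {"_DUTY"}, "_DUTY": {"_DUTY", "_PRIV"}, "_PRIV": {"_PRIV"}}

SAMPLE_MAPPING = {
    "ALLOCATOR_JOB": ["ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY", "EXAMPLE_SEARCH_DUTY"],
    "EXAMPLE_ASSISTANT_ALLOCATOR_JOB": ["EXAMPLE_SEARCH_DUTY"],
    "ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY": ["EXAMPLE_SEARCH_DUTY",
                                                     "EXAMPLE_POLICY_EDIT_PRIV"],
    "EXAMPLE_SEARCH_DUTY": ["ALC_ALLOC_SEARCH_PRIV"],
    "ALC_ALLOC_SEARCH_PRIV": ["EXAMPLE_SEARCH_VIEW_PRIV"],
}


def kind(role):
    """Return the naming-convention suffix of a role, or raise if it has none."""
    for suffix in SUFFIXES:
        if role.endswith(suffix):
            return suffix
    raise ValueError(f"{role!r} does not end with _JOB, _DUTY or _PRIV")


def invalid_edges(mapping):
    """List (parent, child) pairs that the Select and Add rules do not allow."""
    return [(parent, child) for parent, children in mapping.items()
            for child in children if kind(child) not in ALLOWED_CHILDREN[kind(parent)]]


def effective_privileges(mapping, role):
    """Collect every _PRIV role reachable from role, directly or by inheritance."""
    seen, stack, privileges = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:  # a duty mapped back to an ancestor must not loop forever
            continue
        seen.add(current)
        if kind(current) == "_PRIV":
            privileges.add(current)
        stack.extend(mapping.get(current, []))
    return privileges


def excess_privileges(mapping, trimmed_job, source_job):
    """Privileges a duplicated-and-trimmed job role holds that its source role lacks."""
    return effective_privileges(mapping, trimmed_job) - effective_privileges(mapping, source_job)
```

An empty result from excess_privileges for the trimmed role against its source role confirms the duplicate is a subset of the original.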

Remap

The Remap action is enabled when a job, duty, or privilege is selected. The Remap action is used to move a mapping from one role to another role. During this process, a new role is created and all the associated roles beneath the previous role are moved into the new role, leaving the old role as an orphan or with other roles associated with it.

Remap a Role
  1. Select the role you want to remap.

  2. From the Actions menu, select Remap. The Remap dialog is displayed.

    Figure 3-10 Remap Dialog


  3. Enter a Name and (optionally) a Description for the remapped role.

    When you click OK, the new name is validated. The validation checks for a valid name in the enterprise security solution of the retailer. If it finds a match, then it allows the user to proceed. If the name is not valid, an error is displayed.

    Job roles are handled in a different manner. The owner of job role creation is the Enterprise manager, so when a job role is selected and remapped, the current mapping is simply changed to the new mapping without creating any new job role to be left as an orphan. This validation should be done once the user enters the new name and clicks OK. If no matching record is found, an error is displayed.

Backup Role Mappings

The Backup Role Mappings option allows users to back up roles onto a system so that the same file can be used to load the customized role mappings onto another server. When the user clicks this selection, a dialog is displayed where the user can enter the desired backup location.

  1. From the Manage Roles Mapping window, click the Backup button. The Backup Policies dialog is displayed.

    Figure 3-11 Backup Policies Dialog


  2. Enter the Destination Folder in which to store your backed up role mappings and click OK.

    If the backup is successful, a confirmation message is displayed.