Oracle® Retail Merchandising Security Guide
Release 15.0
E65442-01

16 Post Installation - ReIM Application Administration

This chapter describes the application administration tasks related to security: how to manage users and roles, and other common administrative tasks such as secure credential management and logging.

The following topics are covered in this chapter:

Roles and Permissions

ReIM has several predefined application roles:

  • Accounts Payable Specialist

  • Finance Manager

  • Buyer

  • Corporate Inventory Control Analyst

  • ReIM Application Administrator

These application roles are predefined in the application's security descriptors, and users are mapped to them from their respective enterprise roles through the configured WebLogic Security Providers. Typically, the deployment will use Oracle Internet Directory as the Security Provider, and enterprise roles will exist as user groups in LDAP. By default, WebLogic maps enterprise roles to application roles of the same name. Therefore, any LDAP user who should be considered for ReIM processing should be made a member of one of these groups.

As the name suggests, the Application Administrator role has the highest level of privileges, whereas all other user roles have a predefined subset of privileges. Avoid assigning all users to the Application Administrator role. Doing so grants users more privileges than they require.

The privileges and duties that comprise ReIM's application roles are as follows:

Table 16-1 Privileges

Name Description

Search Documents Priv

A privilege for searching for documents.

Maintain Documents Priv

A privilege for creating and editing documents.

Delete Documents Priv

A privilege for deleting documents.

View Documents Priv

A privilege for viewing documents.

Pay Invoice Manually Priv

A privilege to allow a user to pay an invoice before matching the invoice.

EDI Maintenance Priv

A privilege for allowing a user to fix EDI errors.

Reverse Debit Memo Priv

A privilege for allowing a user to reverse a Debit Memo.

Create Credit Note from CNR Priv

A privilege for allowing a user to create a credit note from a credit note request.

Void Credit Note Priv

A privilege for allowing a user to void a credit note.

Search Tolerance Priv

A privilege for searching for tolerance settings.

Maintain Tolerance Priv

A privilege for creating and editing tolerance settings.

Delete Tolerance Priv

A privilege for deleting a tolerance setting.

View Tolerance Priv

A privilege for viewing tolerance settings.

Search Tolerance Mapping Priv

A privilege for searching for tolerance mapping settings.

Maintain Tolerance Mapping Priv

A privilege for creating and editing tolerance mapping settings.

Delete Tolerance Mapping Priv

A privilege for deleting a tolerance mapping setting.

View Tolerance Mapping Priv

A privilege for viewing tolerance mapping settings.

Search Match Strategy Priv

A privilege for searching for Match Strategy settings.

Maintain Match Strategy Priv

A privilege for creating and editing Match Strategy settings.

Delete Match Strategy Priv

A privilege for deleting a Match Strategy setting.

View Match Strategy Priv

A privilege for viewing Match Strategy settings.

Search Match Strategy Mapping Priv

A privilege for searching for Match Strategy mapping settings.

Maintain Match Strategy Mapping Priv

A privilege for creating and editing Match Strategy mapping settings.

Delete Match Strategy Mapping Priv

A privilege for deleting a Match Strategy mapping setting.

View Match Strategy Mapping Priv

A privilege for viewing Match Strategy mapping settings.

Maintain System Options Priv

A privilege for creating and editing System Options settings.

Delete System Options Priv

A privilege for deleting a System Options setting.

View System Options Priv

A privilege for viewing System Options settings.

Search Supplier Options Priv

A privilege for searching for Supplier Options settings.

Maintain Supplier Options Priv

A privilege for creating and editing Supplier Options settings.

Delete Supplier Options Priv

A privilege for deleting a Supplier Options setting.

View Supplier Options Priv

A privilege for viewing Supplier Options settings.

Search Manual Match Priv

A privilege to allow a user to search for invoices and receipts to be manually matched.

Manual Match Priv

A privilege to allow a user to match an invoice manually through the UI.

Search Credit Note Match Priv

A privilege to allow a user to search for Credit Notes to Credit Note Requests to be matched.

Credit Note Match Priv

A privilege to match Credit Notes to Credit Note Requests.

Search Discrepancy List Priv

A privilege to search for Discrepancies.

Cost Resolution Priv

A privilege to allow a cost discrepancy to be resolved.

Quantity Resolution Priv

A privilege to allow a quantity discrepancy to be resolved.

Search Tax Discrepancy List Priv

A privilege to search for Tax Discrepancies.

Tax Discrepancy Resolution Priv

A privilege to allow a tax discrepancy to be resolved.


Table 16-2 Duties

Duty Description List of Privileges

Document Management Duty

A Duty for managing documents. This duty is an extension of the Document Inquiry Duty.

- All privileges found in the Document Inquiry Duty.

- Maintain Documents Priv.

- Delete Documents Priv.

Document Inquiry Duty

A duty for viewing documents.

- View Documents Priv.

- Search Documents Priv.

Pay Invoice Duty

A duty for paying an invoice manually.

Pay Invoice Manually Priv.

EDI Maintenance Duty

A duty for fixing EDI Errors.

EDI Maintenance Priv.

Reverse Debit Memo Duty

A duty to allow a user to reverse a Credit Note.

Reverse Debit Memo Priv.

Create Credit Note from CNR Duty

A duty to allow a user to create a Credit Note from a Credit Note Request.

Create Credit Note from CNR Priv.

Void Credit Note Duty

A duty for voiding a Credit Note.

Void Credit Note Priv.

Tolerance Maintenance Duty

A Duty for managing Tolerance settings. This duty is an extension of the Tolerance Inquiry Duty.

- All privileges found in the Tolerance Inquiry Duty.

- Maintain Tolerance Priv.

- Delete Tolerance Priv.

- Maintain Tolerance Mapping Priv.

- Delete Tolerance Mapping Priv.

Tolerance Inquiry Duty

A duty for viewing Tolerance settings.

- View Tolerance Priv.

- View Tolerance Mapping Priv.

- Search Tolerance Priv.

- Search Tolerance Mapping Priv.

Match Strategy Maintenance Duty

A Duty for managing Match Strategy settings. This duty is an extension of the Match Strategy Inquiry Duty.

- All privileges found in the Match Strategy Inquiry Duty.

- Maintain Match Strategy Priv.

- Delete Match Strategy Priv.

- Maintain Match Strategy Mapping Priv.

- Delete Match Strategy Mapping Priv.

Match Strategy Inquiry Duty

A duty for viewing Match Strategy settings

- View Match Strategy Priv.

- View Match Strategy Mapping Priv.

- Search Match Strategy Priv.

- Search Match Strategy Mapping Priv.

System Options Maintenance Duty

A Duty for managing System Options settings. This duty is an extension of the System Options Inquiry Duty.

- All privileges found in the System Options Inquiry Duty.

- Maintain System Options Priv.

- Delete System Options Priv.

System Options Inquiry Duty

A duty for viewing System Options settings

View System Options Priv.

Supplier Options Maintenance Duty

A Duty for managing Supplier Options settings. This duty is an extension of the Supplier Options Inquiry Duty.

- All privileges found in the Supplier Options Inquiry Duty.

- Maintain Supplier Options Priv.

- Delete Supplier Options Priv.

Supplier Options Inquiry Duty

A duty for viewing Supplier Options settings

- View Supplier Options Priv.

- Search Supplier Options Priv.

Invoice Matching Duty

A duty for manually matching invoices

- Manually Match Priv.

- Search Manual Match Priv

Resolve Cost Discrepancies Duty

A duty for resolving cost discrepancies

- Cost Discrepancy Priv

- Search Discrepancy List Priv.

Resolve Quantity Discrepancies Duty

A duty for resolving quantity discrepancies

- Quantity Discrepancy Priv.

- Search Discrepancy List Priv.

Resolve Discrepancies Duty

A duty for resolving either cost or quantity discrepancies

- Cost Discrepancy Priv.

- Quantity Discrepancy Priv.

- Search Discrepancy List Priv.

Credit Note Matching Duty

A duty for matching Credit Notes

- Credit Note Match Priv.

- Search Credit Note Match Priv.

Resolve Tax Discrepancy Duty

A duty for resolving tax discrepancies

- Tax Discrepancy Resolution Priv.

- Search Tax Discrepancy List Priv.


Table 16-3 Function Security Mapping

Role Duty Privileges

Accounts Payable Specialist

Document Management Duty

Pay Invoice Duty

EDI Maintenance Duty

Reverse Debit Memo Duty

Create Credit Note from CNR Duty

Void Credit Note Duty

Tolerance Inquiry Duty

Match Strategy Inquiry Duty

System Options Inquiry Duty

Supplier Options Inquiry Duty

Invoice Matching Duty

Credit Note Matching Duty

Discrepancy Resolution Duty

Resolve Tax Discrepancy Duty

- All privileges found in the Document Inquiry Duty.

- Maintain Documents Priv.

- Delete Documents Priv.

- Pay Invoice Manually Priv.

- EDI Maintenance Priv.

- Reverse Debit Memo Priv.

- Create Credit Note from CNR Priv.

- Void Credit Note Priv.

- View Tolerance Priv.

- View Tolerance Mapping Priv.

- Search Tolerance Priv.

- Search Tolerance Mapping Priv.

- View Match Strategy Priv.

- View Match Strategy Mapping Priv.

- Search Match Strategy Priv.

- Search Match Strategy Mapping Priv.

- View System Options Priv.

- Search System Options Priv.

- View Supplier Options Priv.

- Search Supplier Options Priv.

- Manually Matching Priv.

- Cost Discrepancy Priv.

- Quantity Discrepancy Priv

- Credit Note Matching Priv.

Finance Manager

Document Management Duty

Pay Invoice Duty

EDI Maintenance Duty

Reverse Debit Memo Duty

Create Credit Note from CNR Duty

Void Credit Note Duty

Tolerance Maintenance Duty

Match Strategy Maintenance Duty

System Options Inquiry Duty

Supplier Options Maintenance Duty

Invoice Matching Duty

Credit Note Matching Duty

Discrepancy Resolution Duty

Resolve Tax Discrepancy Duty

- All privileges found in the Document Inquiry Duty.

- Maintain Documents Priv.

- Delete Documents Priv.

- Pay Invoice Manually Priv.

- EDI Maintenance Priv.

- Reverse Debit Memo Priv.

- Create Credit Note from CNR Priv.

- Void Credit Note Priv.

- All privileges found in the Tolerance Inquiry Duty.

- Maintain Tolerance Priv.

- Delete Tolerance Priv.

- Maintain Tolerance Mapping Priv.

- Delete Tolerance Mapping Priv.

- All privileges found in the Match Strategy Inquiry Duty.

- Maintain Match Strategy Priv.

- Delete Match Strategy Priv.

- Maintain Match Strategy Mapping Priv.

- Delete Match Strategy Mapping Priv.

- All privileges found in the System Options Inquiry Duty.

- All privileges found in the Supplier Options Inquiry Duty.

- Maintain Supplier Options Priv.

- Delete Supplier Options Priv.

- Manually Match Priv.

- Search Manual Match Priv.

- Credit Note Match Priv.

- Search Credit Note Match Priv.

- Cost Discrepancy Priv.

- Quantity Discrepancy Priv.

- Search Discrepancy List Priv.

- Tax Discrepancy Resolution Priv.

- Search Tax Discrepancy List Priv.

Buyer

Resolve Cost Discrepancies Duty

- Cost Discrepancy Priv.

- Search Discrepancy List Priv.

Corporate Inventory Control Analyst

Resolve Quantity Discrepancies Duty

- Quantity Discrepancy Priv.

- Search Discrepancy List Priv.

ReIM Application Administrator

All duties.

All privileges.


It is recommended that you implement LDAP policies to prevent reusing user names. This prevents a user from inheriting the role privileges previously granted under the same user name. If a non-LDAP authentication provider is used, a similar mechanism should be deployed where available.

ReIM uses location criteria to limit the data set available for processing. A user can access only the documents associated with the locations accessible to the user's security group. ReIM uses the RMS mechanism to associate locations with the user group. See the RMS documentation for details on setting up location-level security. It is important to note that if no locations have been defined for the user's group, the user will have access to ALL locations. If some locations have been assigned to the user's group, the user will have access only to those defined locations. Location security is used across the application, so all workflows adhere to the location restrictions, including batches. Because of this, the batch user(s) should have access to ALL locations.

In addition to location security, ReIM uses a similar mechanism to restrict access to reason codes and, accordingly, to the resolution actions that the user can take. The access is defined manually via the IM_SEC_GRP_REASON_CODE table, which maintains the mapping of reason codes to RMS security groups. One difference between reason code security and location security is that if no reason codes have been assigned to the user's security group, then no reason codes will be available to the user (no access by default). Reason code access needs to be explicitly granted to the user's security group.
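
The two defaults described above work in opposite directions: an empty location assignment opens access, while an empty reason code assignment closes it. The following is an added example, not Oracle code or schema, that models both rules in Python and lists the groups whose empty assignments deserve review; the group names, location numbers, reason codes and the audit helper are hypothetical, and the dictionaries stand in for the RMS location assignments and the rows of IM_SEC_GRP_REASON_CODE.

```python
# Added example with constructed data; not Oracle code or schema.
# Group names, location ids and reason codes are hypothetical.
ALL = "ALL"

# Stand-in for the RMS location assignments per security group.
GROUP_LOCATIONS = {
    "AP_EAST": {1001, 1002},
    "AP_NEW": set(),      # new group, nothing assigned yet
    "REIM_BATCH": set(),  # batch user group, meant to see every location
}
# Stand-in for the rows of IM_SEC_GRP_REASON_CODE.
GROUP_REASON_CODES = {
    "AP_EAST": {"RC_A", "RC_B"},
    "AP_NEW": set(),
    "REIM_BATCH": set(),
}

def effective_locations(group):
    """Location rule: no locations defined for the group means ALL."""
    assigned = GROUP_LOCATIONS.get(group, set())
    return set(assigned) if assigned else ALL

def effective_reason_codes(group):
    """Reason code rule: nothing assigned means nothing available."""
    return set(GROUP_REASON_CODES.get(group, set()))

def can_access_document(group, doc_location):
    locations = effective_locations(group)
    return locations == ALL or doc_location in locations

def audit(batch_groups=("REIM_BATCH",)):
    """List interactive groups whose empty assignments need review."""
    findings = []
    for group in sorted(set(GROUP_LOCATIONS) | set(GROUP_REASON_CODES)):
        if group in batch_groups:
            # Batches must see ALL locations, so a restriction is the problem.
            if effective_locations(group) != ALL:
                findings.append((group, "batch group is location-restricted"))
            continue
        if effective_locations(group) == ALL:
            findings.append((group, "no locations defined: access to ALL"))
        if not effective_reason_codes(group):
            findings.append((group, "no reason codes: none available"))
    return findings

if __name__ == "__main__":
    for group, message in audit():
        print(f"{group}: {message}")
```

A newly created group such as the constructed AP_NEW therefore starts out with access to documents at every location but with no reason codes at all, so the location assignment is the one to make before users are added to the group.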

Other Common Application Administration

As part of the operational workflow, ReIM needs credential information to authenticate application users and to authenticate the application itself with other dependent components such as Web Services. For remote users connecting to ReIM servers through browsers, credentials are retrieved in real time through an online form. For all other cases, the credentials are determined at installation and are stored in the Secure Wallet by means of the Credential Store Manager component. At runtime, the credentials are retrieved from the wallet and supplied to the component for authentication. The credentials can be updated if required. As part of installation, ReIM provides convenience scripts that allow credential entries to be updated. The scripts allow the system administrator to see the user names stored in the ReIM wallet partition and to change the password if necessary. The scripts do not display the original passwords. For more information, see the Operations Guide.

There are two sets of logs used by the ReIM application: application logs and batch client execution logs. The application logs are configured and maintained by Oracle Fusion Middleware Logging. Application log messages are written to the server's diagnostic logs within the WebLogic directory structure. These logs are owned by the OS users that own the WebLogic container. The logging level and other logging parameters can be adjusted through the Oracle Diagnostic Logging configuration provided by Oracle Fusion Middleware. The batch client logs are not managed by Oracle Fusion Middleware; their logging level and other settings are controlled through the Log4J properties within the batch client distribution. The default log path is the same directory as the batch client distribution. It is recommended that only administrative users are granted access to these log files, preferably the same OS users that run the batch.

The ReIM application does not restrict concurrent sessions from the same user. This means that multiple users can log in to the ReIM server with the same credentials. From the application standpoint there will be more than one session, but from the auditing standpoint there will be a single user. It is recommended not to use the same credentials for different sessions.

The session is maintained per browser instance. If more than one browser is used, the server treats this as multiple user logins. Multiple tabs of the same browser, however, share the session.

Session timeout is defined at the application server level. It is 60 minutes by default, but can be changed through WebLogic configuration.