Oracle® Retail Merchandising Security Guide
Release 16.0
E76966-03

25 Allocation Security Considerations

This chapter provides guidance for administrators to understand, configure, and customize functional security for the Oracle Retail Allocation application.

The following topics are covered in this chapter:

Technical Overview of the Security Features

This section describes authentication, authorization, audit, and user management.

Security Features of the Application

The relevant security features fall into one or more of the following categories. For information on these categories, see the following sections:

  • Authentication

  • Authorization

  • Audit

  • User Management

Authentication

Only authenticated users should have access to Allocation. By the time the user authenticates to the application, the user has potentially already authenticated successfully with the network and/or the workstation OS.

Allocation supports the following two types of authentication:

  • Dedicated

  • Single Sign-On

Dedicated Authentication: User credentials (username and password) are submitted by the Application Server to the LDAP server or any other configured authentication provider. If the authentication provider can successfully identify the user, then that user is considered authenticated with the Allocation application. Dedicated authentication credentials are either provided by the online application user in real time (entering the user name and password on the login page provided by Allocation) or retrieved by the client from the Secure Wallet in the case of a batch process. The batch user still needs to provide a credentials alias, so that the appropriate username and password are retrieved from the Secure Wallet.

Single Sign-On authentication: In the case of Single Sign-On, authentication happens only once per application suite. Authentication is performed by the Single Sign-On infrastructure (potentially backed by the same LDAP server as in the case of dedicated authentication). In this case, the login page is provided by the Single Sign-On infrastructure.

In both cases of authentication, the authentication is performed when it is determined that the session is not authenticated or the session has been invalidated (in case of dedicated authentication).

Authorization

Only application users that belong to one of the Allocation user roles are authorized to use functionality provided by Allocation. If the user is a valid enterprise user, login may be successful but authorization may prevent access to specific workflows based on the user's assigned role. Authorization is performed for each user-driven operation. It is assumed that the batch user is assigned to the administrator role, which is authorized to perform all operations.

Audit

Auditing can be performed at the application level and at the infrastructure level. The operating system (OS) can be configured to audit user access and processes invoked. The network layer can be configured to audit the entire communication data set. The application server can be configured to audit access to the application, including all URLs requested. The database can be configured to audit each table separately or entire sessions. Allocation also has some limited auditing capabilities.

The application will maintain some level of audit trail by keeping track of the last user modifying data and the date and time it was done.

  • LAST_UPDATED_BY

  • LAST_UPDATE_DATE

  • CREATED_BY

  • CREATED_DATE

Additional auditing can be performed by decreasing the logging level of the application. In this case, additional information is reported in the logs. The drawback is that performance can suffer and the number of log entries recorded will increase. You can selectively decrease logging (see the Log4J and Java Logging documentation on logging configuration for more information). Also make sure that the log files generated by the application are secure and accessible to authorized OS users only.

User Management

Allocation does not store or maintain users. Instead, Allocation relies on external systems such as LDAP to provide user management functionality on its behalf.

To create a new user to be used within Allocation, you need to create a new user in the LDAP or whatever data store the configured authentication provider relies on. To access Allocation workflows, the user should be assigned to a valid Allocation user role.

Security Configuration

Access control of system resources is achieved by requiring users to authenticate at login and by restricting users to only those resources for which they are authorized. A default security configuration is available for immediate use after the Oracle Retail Fusion application is installed and is configured to use the Oracle Fusion Middleware security model. The default configuration includes three predefined security roles for application-specific permission grants. Users can be added to predefined groups that are mapped to preconfigured application roles. Allocation is preconfigured to grant specific application permissions.

Table 25-1 Privileges

| Name | Description |
|---|---|
| Search Allocations Priv | A privilege for searching for allocations. |
| Maintain Allocation Priv | A privilege for creating, maintaining, and editing an allocation. |
| Delete Allocation Priv | A privilege for deleting an allocation. |
| View Allocation Priv | A privilege for viewing an allocation. |
| Submit Allocation Priv | A privilege for submitting an allocation for approval. |
| Review Allocation Priv | A privilege for approving or reserving an allocation. |
| Batch Allocation Priv | A privilege for running batch jobs. |
| Search Allocation Location Groups Priv | A privilege for searching for allocations. |
| Maintain Allocation Location Group Priv | A privilege for creating and editing an allocation location group. |
| Delete Allocation Location Group Priv | A privilege for deleting an allocation location group. |
| View Allocation Location Group Priv | A privilege for viewing an allocation location group. |
| Search Allocation Policy Templates Priv | A privilege for searching for allocations. |
| Maintain Allocation Policy Template Priv | A privilege for creating and editing a Policy Template. |
| Delete Allocation Policy Template Priv | A privilege for deleting a Policy Template. |
| View Allocation Policy Template Priv | A privilege for viewing a Policy Template. |
| Search Size Profile Priv | A privilege for searching Size Profiles. |
| Maintain Size Profile Priv | A privilege for creating and editing a Size Profile. |
| Delete Size Profile Priv | A privilege for deleting a Size Profile. |
| View Size Profile Priv | A privilege for viewing a Size Profile. |
| Maintain System Options System Properties Priv | A privilege for editing the System Properties for System Options. |
| Maintain System Options User Group Properties Priv | A privilege for editing the user group properties for System Options. |
| View System Options Priv | A privilege for viewing System Options. |
| Search Auto Quantity Limits Priv | A privilege for searching for Auto Quantity Limits. |
| Maintain Auto Quantity Limits Priv | A privilege for editing Auto Quantity Limits. |
| View Auto Quantity Limits Priv | A privilege for viewing Auto Quantity Limits. |
| Maintain Allocation Dashboard Priv | A privilege for maintaining the Allocation Dashboard. |
| Maintain Allocation Buyer Dashboard Priv | A privilege for maintaining the Allocation Dashboard. |


Table 25-2 Duties

| Duty | Description | List of Privileges |
|---|---|---|
| Allocation Management Duty | A duty for managing allocations. This duty is an extension of the Allocation Inquiry Duty. | All privileges found in the Allocation Inquiry Duty. Maintain Allocation Priv, Delete Allocation Priv |
| Allocation Inquiry Duty | A duty for viewing allocations. | View Allocation Priv, Search Allocations Priv |
| Allocation Submit Duty | A duty for submitting allocation for approval. | Submit Allocation Priv |
| Allocation Review Duty | A duty for approving or rejecting an allocation. | Review Allocation Priv |
| Allocation Batch Duty | A duty for running batch process. | Batch Allocation Priv |
| Allocation Location Groups Management Duty | A duty for managing allocation location groups. This duty is an extension of the Allocation Location Groups Inquiry Duty and Allocation Location Group Search Duty. | All privileges found in the Allocation Location Groups Inquiry Duty and the Allocation Location Groups Search Duty. Maintain Allocation Location Groups Priv, Delete Allocation Location Groups Priv |
| Allocation Location Groups Inquiry Duty | A duty for viewing allocation location groups. | View Allocation Location Groups Priv, Search Allocation Location Groups Priv |
| Allocation Policy Template Management Duty | A duty for managing allocation policy template. This duty is an extension of the Allocation Policy Template Inquiry Duty and Allocation Policy Template Search Duty. | All privileges found in the Allocation Policy Template Inquiry Duty and the Allocation Policy Template Search Priv, Maintain Allocation Policy Template Priv, Delete Allocation Policy Template Priv |
| Delete Allocation Location Group Priv | A duty for viewing allocation Policy Template. | View Allocation Policy Template Priv, Search Allocation Policy Template Priv |
| Size Profile Management Duty | A duty for managing size profile. This duty is an extension of the Size Profile Inquiry Duty. | All privileges found in the Size Profile Inquiry Duty. Maintain Size Profile Priv, Delete Size Profile Priv |
| Size Profile Inquiry Duty | A duty for viewing allocation Policy Template. | View Size Profile Priv, Search Size Profiles Priv |
| System Options System Properties Management Duty | A duty for managing the system properties in system options. This duty is an extension of the System Options Inquiry Duty. | All privileges found in the System Options Inquiry Duty. Maintain System Options System Properties Priv |
| System Options User Group Properties Management Duty | A duty for managing user group properties system options. This duty is an extension of the System Options Inquiry Duty. | All privileges found in the System Options Inquiry Duty. Maintain System Options User Group Properties Priv |
| System Options Inquiry Duty | A duty for inquiring on profile. This duty is an extension of the Size Profile Inquiry Duty. | All privileges found in the System Options Inquiry Duty. Maintain System Options Priv |
| Auto Quantity Limits Duty | A duty for managing Auto Quantity Limits. This duty is an extension of the Auto Quantity Limits Duty. | All privileges found in the Auto Quantity Limits Inquiry Duty. Maintain Auto Quantity Limits Priv |
| Auto Quantity Limits Inquiry Duty | A duty for viewing Auto Quantity Limits. | View Auto Quantity Limits Priv, Search Auto Quantity Limits Priv |
| Allocation Dashboard Duty | A duty for maintaining the Allocation Dashboard. | Maintain Allocation Dashboard Priv |
| Allocation Buyer Dashboard Duty | A duty for maintaining the Allocation Buyer Dashboard. | Maintain Allocation Buyer Dashboard Priv |

Table 25-3 Function Security Mapping

| Role | Duty | Privileges |
|---|---|---|
| Administrator | Allocation Management Duty, Allocation Submit Duty, Allocation Review Duty, Allocation Location Groups Management Duty, Allocation Policy Template Management Duty, Size Profile Management Duty, System Options System Properties Management Duty, System Options User Group Properties Management Duty, Allocation Batch Duty, Auto Quantity Limits Management Duty, Allocation Dashboard Duty | Search Allocations Priv, Maintain Allocation Priv, Delete Allocation Priv, Submit Allocation Priv, Review Allocation Priv, View Allocation Priv, Search Allocation Priv, View Allocation Location Groups Priv, Search Allocation Location Groups Priv, View Allocation Policy Template Priv, Search Allocation Policy Templates Priv, View Size Profile Priv, Search Size Profile Priv, View System Options Priv, Maintain System Options User Group Properties Priv, Batch Allocation Priv, Maintain Auto Quantity Limits Priv, View Auto Quantity Limits Priv, Search Auto Quantity Limits Priv, Maintain Allocation Dashboard Priv |
| Allocation Manager | Allocation Management Duty, Allocation Submit Duty, Allocation Review Duty, Allocation Location Groups Management Duty, Allocation Policy Template Management Duty, Size Profile Management Duty, System Options User Group Properties Management Duty, Auto Quantity Limits Management Duty, Allocation Dashboard Duty | Search Allocations Priv, Maintain Allocation Priv, Delete Allocation Priv, Submit Allocation Priv, Review Allocation Priv, View Allocation Priv, Search Allocation Priv, View Allocation Location Groups Priv, Search Allocation Location Groups Priv, View Allocation Policy Template Priv, Search Allocation Policy Templates Priv, View Size Profile Priv, Search Size Profile Priv, View System Options Priv, Maintain System Options User Group Properties Priv, Maintain Auto Quantity Limits Priv, View Auto Quantity Limits Priv, Search Auto Quantity Limits Priv, Maintain Allocation Dashboard Priv |
| Allocator | Allocation Management Duty, Allocation Submit Duty, Allocation Review Duty, Allocation Location Groups Inquiry Duty, Allocation Policy Template Inquiry Duty, Size Profile Management Duty, System Options Inquiry Duty, Auto Quantity Limits Management Duty, Allocation Dashboard Duty | Search Allocations Priv, Maintain Allocation Priv, Delete Allocation Priv, Submit Allocation Priv, Review Allocation Priv, View Allocation Priv, Search Allocation Priv, View Allocation Location Groups Priv, Search Allocation Location Groups Priv, View Allocation Policy Template Priv, Search Allocation Policy Templates Priv, View Size Profile Priv, Search Size Profile Priv, View System Options Priv, Maintain Auto Quantity Limits Priv, View Auto Quantity Limits Priv, Search Auto Quantity Limits Priv, Maintain Allocation Dashboard Priv |
| Buyer | Allocation Inquiry Duty, Allocation Policy Template Inquiry Duty, Allocation Location Groups Inquiry Duty, Allocation Size Profile Inquiry Duty, Allocation Buyer Dashboard Duty | View Allocation Priv, Search Allocation Priv, View Allocation Location Groups Priv, View Allocation Policy Template Priv, Search Size Profile Priv, View Size Profile Priv, Maintain Allocation Buyer Dashboard Priv |


For more information about the Oracle Fusion Middleware security model and the authenticated role, see Oracle Fusion Middleware Application Security Guide.
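The role, duty and privilege layering in Tables 25-2 and 25-3 can be reviewed mechanically. The following is an added example, not Oracle code: it expands duty extensions into each role's effective privileges and reports roles that can both submit and approve an allocation. It covers only the allocation workflow duties, the dictionary layout is this example's own, and treating Submit plus Review as a conflicting pair is an assumed review policy rather than something the guide states.

```python
# Subset of Table 25-2: duty -> (duties it extends, privileges granted directly).
# Names are the page's; the dict layout is an assumption of this example.
DUTIES = {
    "Allocation Inquiry Duty": ([], ["View Allocation Priv", "Search Allocations Priv"]),
    "Allocation Management Duty": (["Allocation Inquiry Duty"],
                                   ["Maintain Allocation Priv", "Delete Allocation Priv"]),
    "Allocation Submit Duty": ([], ["Submit Allocation Priv"]),
    "Allocation Review Duty": ([], ["Review Allocation Priv"]),
    "Allocation Batch Duty": ([], ["Batch Allocation Priv"]),
    # Table 25-2 words this duty as an extension of itself; kept to exercise the cycle guard.
    "Auto Quantity Limits Duty": (["Auto Quantity Limits Duty"],
                                  ["Maintain Auto Quantity Limits Priv"]),
}
# Subset of Table 25-3, restricted to the allocation workflow duties above.
ROLES = {
    "Administrator": ["Allocation Management Duty", "Allocation Submit Duty",
                      "Allocation Review Duty", "Allocation Batch Duty"],
    "Allocation Manager": ["Allocation Management Duty", "Allocation Submit Duty",
                           "Allocation Review Duty"],
    "Allocator": ["Allocation Management Duty", "Allocation Submit Duty",
                  "Allocation Review Duty"],
    "Buyer": ["Allocation Inquiry Duty"],
}
# Assumed review policy (not Oracle's): submitting and approving should be split.
CONFLICTS = [("Submit Allocation Priv", "Review Allocation Priv")]

def expand(duty, seen=None):
    """Privileges of a duty plus everything inherited from the duties it extends."""
    seen = set() if seen is None else seen
    if duty in seen:  # already visited: self-reference, cycle or diamond
        return set()
    seen.add(duty)
    parents, privs = DUTIES[duty]  # KeyError flags a duty missing from the table
    return set(privs).union(*(expand(p, seen) for p in parents))

def effective_privileges(role):
    """Union of the expanded privileges of every duty assigned to the role."""
    return set().union(*(expand(d) for d in ROLES[role]))

def sod_conflicts(pairs=CONFLICTS):
    """Map each role to the conflicting privilege pairs it holds in full."""
    found = {}
    for role in ROLES:
        held = effective_privileges(role)
        hits = [pair for pair in pairs if set(pair) <= held]
        if hits:
            found[role] = hits
    return found

if __name__ == "__main__":
    for role, hits in sod_conflicts().items():
        print(role, "holds both", hits)
```
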

JMS Security

Allocation utilizes a JMS Queue for long-running processes. This queue can and should be secured. To do this, see Chapter 1, Asynchronous Task JMS Queue Security section.


Note:

When step 9 is reached in Securing the Asynchronous Task JMS Queue, you need to name the JMS Queue Role as AllocJMSQueueAccessRole for security to work.

Security in Allocation Reports Launching RMS Screens

Some Oracle Retail Allocation reports include functionality for in-context launch of RMS screens to display specific order or shipment information. This feature allows users to gain access to data which may be restricted by RMS permissions. It is therefore necessary that users with access to this property also have the proper role in RMS to access these screens.

The Allocation reports that contain the attribute that allows direct launch into RMS screens are:

  • PO Arrival Report

  • Shipment Arrival Report