The Oracle Fusion BI Security model consists primarily of users, job roles, duty roles, and privileges. The term job role is synonymous with enterprise role, and duty role is synonymous with application role. This section uses the terms job role and duty role.
A user is a member of the deploying organization who is permitted access to installed applications and reporting tools as part of the job function. Within the security model, a user is assigned one or more job roles. A job role is descriptive of the user's job function, such as Accounts Payable Manager. A user is said to be granted a job role. A job role has one or more associated duty roles, where a duty role describes a task related to the job function, such as Payable Invoice Approval. A given job role may span all applications, whereas a duty role is specific to an application. Job roles are grouped hierarchically to reflect lines of authority and responsibility.
Privileges grant specific access to an application or to reporting objects and data sets, for example read access to a report, or read or update access to a table. Privileges are associated with duty roles, and a given duty role grants certain privileges. It is the responsibility of each underlying application or technology to decide how to realize each data or object privilege that it supports.
Note: A job role is ultimately empowered with the aggregate or union of all the data/object privileges associated with its collection of duty roles.
The Assignment Manager dimension is secured by the logged-in user. The logged-in user sees aggregated data for the user or the people reporting to the user. The dimensional browse is also secured by the logged-in user. This security is in addition to the Fusion data security that is present in other facts and dimensions. For example, when a manager views a head count of directs, the manager sees only the directs that the manager has access to.
Within a deployment of Oracle Fusion BI, user identities are provisioned and maintained through either Oracle LDAP or the user's preferred LDAP service provider. Job role-duty role mappings are maintained in Oracle LDAP and managed by Oracle Platform Security Services and its associated UI. Figure 63, Sample Job Role and Duty Role Mappings, is an example of a job role-duty role mapping, also known as the role hierarchy.
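The union rule in the note above and the role hierarchy can be checked during an access review with a short resolver. The following is an added example, not Oracle code or an Oracle API: it computes a user's effective privileges and records which role path grants each one. All names other than Accounts Payable Manager and Payable Invoice Approval are hypothetical, and it assumes that a senior job role inherits a subordinate job role together with its duty roles.

```python
# Constructed sample data. Only "Accounts Payable Manager" and "Payable Invoice
# Approval" appear on the page; every other name here is hypothetical.
USER_JOB_ROLES = {
    "jdoe": ["Accounts Payable Manager"],
    "asmith": ["Accounts Payable Specialist"],
}
# Role hierarchy: role -> roles it inherits. Assumption of this sketch: a
# senior job role inherits a subordinate job role along with its duty roles.
ROLE_HIERARCHY = {
    "Accounts Payable Manager": ["Payable Invoice Approval",
                                 "Accounts Payable Specialist"],
    "Accounts Payable Specialist": ["Payables Reporting Duty"],
}
# Duty role -> privileges, each written as (object, access).
DUTY_PRIVILEGES = {
    "Payable Invoice Approval": {("AP_INVOICES", "read"), ("AP_INVOICES", "update")},
    "Payables Reporting Duty": {("AP_INVOICES", "read"),
                                ("Invoice Aging Report", "read")},
}


def effective_privileges(user, user_roles=USER_JOB_ROLES,
                         hierarchy=ROLE_HIERARCHY, duty_privs=DUTY_PRIVILEGES):
    """Return {privilege: [grant paths]}: the union over all reachable roles."""
    grants = {}

    def walk(role, path):
        if role in path:  # a cycle in the mapping: stop instead of recursing forever
            return
        path = path + (role,)
        for priv in duty_privs.get(role, ()):
            grants.setdefault(priv, set()).add(" > ".join(path))
        for inherited in hierarchy.get(role, ()):
            walk(inherited, path)

    for job_role in user_roles.get(user, ()):
        walk(job_role, ())
    return {priv: sorted(paths) for priv, paths in grants.items()}


def who_can(privilege, user_roles=USER_JOB_ROLES, **maps):
    """Access-review query: which users hold this privilege through any role?"""
    return sorted(u for u in user_roles
                  if privilege in effective_privileges(u, user_roles, **maps))


if __name__ == "__main__":
    for priv, paths in sorted(effective_privileges("jdoe").items()):
        print(priv, "<-", paths)
    print(who_can(("AP_INVOICES", "update")))
```

A privilege that lists more than one grant path is held redundantly, so removing a single duty role from the job role does not revoke it.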