This chapter covers the following topics:
When a task is created, who can view, update, or delete it is determined by the security rules in Task Manager. Task Manager uses the Application Object Library (AOL) data security model, which protects the data entered in the system at four levels: user, network, function, and data. The data level is the finest-grained: access to and modification of a specific data record can be customized and authorized for different users. This AOL security was initially used in HTML Tasks only.
To allow product specific security to be added to the existing AOL task security, and to extend the task data security offerings for task related resource assignments to the Forms-based Tasks and to the Oracle Application Self-Service Framework based Tasks, Task Manager enhances the AOL data security with a Virtual Private Database (VPD) policy. VPD is a database feature that applies security dynamically at runtime to all queries issued against a database table or view. This security model gives more flexibility in task security for resource assignments, because any application can set product specific security rules around the existing task security.
For example, not every resource can create, view, or update a service related task of certain types. Only the resources that have privileges to access certain types of service request can be assigned to the service related tasks of the same types as assignees. Therefore, with this enhanced security model, Oracle Service Online can pass its own security functions to Tasks in Forms or in Oracle Applications Framework to allow qualified resources to be retrieved from the resource list of values when assigning them to a task within the service request of certain types.
Note: This security model with VPD feature only applies to task security for resource assignments in the Forms-based and Oracle Applications Framework based Task Manager. It is not implemented in task security rules currently used in HTML Tasks.
For detailed information on AOL security framework, refer to Oracle E-Business Suite System Administrator's Guide - Security.
In addition to the task rules based on the AOL Data Security model, HTML Task Manager provides additional security rules that control user access to both standalone and context sensitive tasks. Based on the group hierarchy defined in Resource Manager, group managers can have full access or read only access to their directs' HTML tasks, but only if the necessary privileges are granted to the group managers. Task Manager also allows different users to see different resource selections in the resource list of values (LOV) while creating a task.
Task security rules are applied to the Task Summary, Details, and Contextual Tasks screens. They do not secure task data accessed through non-Task modules, such as the Quick Find screen and Calendar View. These non-Task screens continue to show the tasks for which the user is the owner or assignee.
Resource list of values security is applied to the major task screens. However, it is not applied to the Customer/Contact LOV (organization, person, relationships) or to References that are not based on resources (such as customer/contact, and lead).
In general, HTML Task Manager provides the following security access rules:
For Calendar Grants Functionality
HTML Task Manager supports the calendar grants functionality used in the past when a user grants calendar access privilege (full access or read only) to another user. When this calendar grant is executed, the access for tasks is also given at the same time. The same functionality applies while revoking the grants.
For Standalone Tasks
A user has full access (view, update, and delete) to tasks if she or he:
Is the owner or assignee of the task
Is granted "full access" by another resource (excluding private tasks) using the calendar grants functionality
Is granted "full access" by the administrator because of security grants
Belongs to the group that is either assigned to the task or is the owner of the task
Belongs to the team that is either assigned to the task or is the owner of the task
A user will have read only access (view only) to tasks (excluding private tasks) if she or he:
Is granted "read only" access by another resource using the calendar grants functionality
Is granted "read only" by the administrator because of security grants
Note: For a private task, only the owner and assignees can have full access to that private task. In addition, for security purposes, even if full access is granted to another resource, that private task is excluded from the authorization. None of the grantees can see that private task.
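The standalone task rules above can be read as a single access decision. The following Python model is an added illustration, not Oracle code; all names (Task, Grants, access_level, the sample users) are hypothetical. It assumes that administrator security grants can be modeled per user and that, for a private task, only the directly named owner and assignee resources qualify.

```python
from dataclasses import dataclass, field

FULL, READ, NONE = "full", "read_only", "none"

@dataclass
class Task:
    owner: str                      # resource, group, or team name
    assignees: set = field(default_factory=set)
    private: bool = False

@dataclass
class Grants:
    memberships: dict = field(default_factory=dict)      # user -> groups/teams
    calendar_grants: dict = field(default_factory=dict)  # (grantor, grantee) -> level
    admin_grants: dict = field(default_factory=dict)     # grantee -> level (simplified)

def access_level(user, task, grants):
    """Return FULL, READ, or NONE for a standalone task, per the rules above."""
    parties = {task.owner} | task.assignees
    # Owner and assignees always have full access, private or not.
    if user in parties:
        return FULL
    # Private tasks are excluded from every grant (assumption: also from
    # group/team membership, since only owner and assignees qualify).
    if task.private:
        return NONE
    # Member of a group or team that owns or is assigned to the task.
    if grants.memberships.get(user, set()) & parties:
        return FULL
    # Calendar grants from the task's owner/assignees, plus administrator grants.
    levels = {grants.calendar_grants.get((p, user)) for p in parties}
    levels.add(grants.admin_grants.get(user))
    if FULL in levels:
        return FULL
    return READ if READ in levels else NONE

# Constructed sample data for illustration.
GRANTS = Grants(
    memberships={"dana": {"west_sales"}},
    calendar_grants={("alice", "bob"): FULL, ("alice", "carol"): READ},
    admin_grants={"erin": READ},
)
PUBLIC_TASK = Task(owner="alice", assignees={"west_sales"})
PRIVATE_TASK = Task(owner="alice", assignees={"gina"}, private=True)

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dana", "erin", "frank", "gina"):
        print(u, access_level(u, PUBLIC_TASK, GRANTS),
              access_level(u, PRIVATE_TASK, GRANTS))
```

Note that a full-access calendar grant (bob) yields no access at all to the private task, which is the case reviewers of grant configurations most often get wrong.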
For Context Sensitive Tasks
Context sensitive tasks are tasks that are attached to certain business objects, such as tasks created for an object instance (lead or opportunity).
Because task security can be further customized to meet the needs of other Oracle Applications that integrate with Tasks, access to context sensitive tasks can be based on the security defined by the individual application. For example, Oracle Marketing Online might implicitly grant users full access permissions to certain marketing objects if they are on a team for that object.
For the Resource List of Values
Under resource list of values (LOV) security, users may see different resource options populated in the LOV when assigning resources (owner or assignees) to a task. This is because the resource LOV can be further customized and granted to different users, user groups, or members of a resource group based on individual or business needs.
Note: The resource list of values can be resources of any category (employee, party, partner, supplier contact, group, team, other, and to be hired).
This rule is currently applied to the following task screens:
Create or Update Task
Task Assignments
Task Summary
Mass Task Reassignment
Task Search
Mass Create
Reference (Relate To) based on resources
For the Manager-Directs Security Access
Based on the resource group hierarchy defined in Resource Manager, each manager can have full access or read only access to his or her directs' tasks in the Task Summary screen (excluding private tasks) if the necessary privileges are granted to group managers. This way, for example, sales managers can view their directs' tasks to track possible sales related activities performed for a particular week.
Note: Only a group manager with an active manager's role, such as the role for that group, can have access privileges to his or her directs' tasks.
The manager-directs security access covers only one level below the manager in the resource reporting hierarchy. It does not extend to any levels beneath that.
In addition, if a resource group has more than one group manager identified in the reporting hierarchy, then all of the group managers have access privileges to the group members' tasks. Managers cannot view any private tasks created by their subordinates, even if they have full access privilege.
This functionality is not available out of the box. To implement this manager-directs security, see the Customizing Tasks Security chapter, Oracle Common Application Calendar Implementation Guide.
Based on the existing task security rules used in HTML Tasks, users with appropriate privileges can view or update a task created in Oracle Applications Framework.
In addition, Task Manager allows product specific security rules to be added to the existing AOL task security used for the resource list of values assignment in Forms and in Oracle Applications Framework. If service related security rules are used in a service request assignment, users may see only the resources that qualify under the service rules in the resource list of values (LOV) when assigning them to a service related task.
Task Manager in Oracle Applications Framework provides the following security rules:
For the Contextual Tasks
When updating a contextual task developed based on Oracle Applications Framework, whether you have Full Access or Read Only Access is determined by values set in a profile option.
For Standalone Tasks
For standalone tasks, such as personal to dos created for a sales agent through Oracle Sales, the system will check the user security access based on data security. The user can have Full Access or Read Only access privilege.
For the Resource List of Values Security
Users with different privileges may see different resource options populated in the list of values (LOV) when trying to assign resources (assignees) to a task in Forms and in Oracle Applications Framework. These privileges can be customized by your system administrators and then granted to a user, user groups, or members of a resource group.
If product specific security rules are used in selecting resources for a service request, users might see only the resources who have privileges to access certain types of service requests populated from the assignee LOV.
In the Forms-based Tasks, security is based on object metadata definition. If product specific security rules are used, users can see secured task views based on the product security rules. Since tasks can be queried only in read-only format, product specific rules will not be modified in the standalone Tasks forms. To update these contextual tasks, for example tasks created for service requests, first use the parent application to query the source document, such as the service request, and then update the contextual tasks. These product specific privileges are defined and maintained by the relevant products. For how to use this feature, see the product specific documentation.
Note: The resource list of values security access discussed here is restricted to the assignee list of values with resource types of employee, group, and team.
For the Manager-Direct Security Access
Similar to the manager-direct security rule in HTML Tasks, Task Manager in Oracle Applications Framework allows group managers to access their directs' tasks with appropriate privileges.
The only security rule currently available in Tasks Forms is the resource list of values security.