This chapter covers the following topics:
With the continuous support of existing notes data security, all data access and updates in Notes developed for Common Application Calendar are based on the concept of HTML Notes Application Object Library (AOL) data security rules. This security concept allows implementors or system administrators to customize the security rules and then grant object level security to users with qualifying access privileges. In other words, the security rules restrict the data access only to appropriate users.
To customize Notes data security, it is necessary to first identify the following three grant components:
Identifying users or user groups
Defining object instance sets
Defining menus
Once the grant components are identified, the administrator can start the granting process:
Disabling existing grants
Adding new grants
By leveraging the Application Object Library (AOL) data security model, the HTML Notes module provides a flexible mechanism for notes security access. This security model provides the ability to restrict data access to appropriate users through a specific authorization process.
For example, in the past almost all users could create new notes, but now only the users who are granted access to the create note function are able to create notes. The same principle applies to the creation or deletion of attachments, and to note modifications.
With the new security model, based on the AOL security model, the HTML Notes module uses the concepts of objects, instances, and instance sets to further group all data in HTML Notes into different units or sets. The biggest unit is Notes that is considered as an object in AOL term. Within the object Notes, multiple notes can be grouped into different subsets (or object instance sets), such as all notes with status "private", all notes of type "offer", or all notes not of type "offer". Based on the definition of these subsets, a private note, or a note of type "offer" then becomes the smallest unit of the Notes object and is called the object instance.
With these data object concepts, information entered in HTML Notes can be further restricted to the data level, customized for your business needs, and then securely granted to resources and resource groups.
As HTML Notes security is based on the AOL security model, relevant AOL data security concept and terminology will be introduced first. How to customize the notes security is addressed later.
Note: Even if you define the data security rules in the HTML Notes module, these rules will not be enforced in the Forms-based Notes.
For detailed information on AOL data security framework, refer to the Oracle Application Object Library Security chapter in the Oracle E-Business Suite Security Guide.
HTML Notes security uses the following AOL data security model concepts:
Users (User Groups)
Objects
Notes is an example of an object.
Object Instances
If the Notes module is considered an object, then a note with number 1541 is an object instance.
Object Instance Sets
For example, all notes with a number smaller than 5 could be considered as an object instance set.
Use the following examples to understand the concept of object instance sets. Please note that in each example the text after the "where" clause is the predicate defined in the FND_OBJECT_INSTANCE_SET table. In addition, to avoid processing issues, all the columns used in the "where" clause should be prefixed with "&TABLE_ALIAS" in the object instance set definition.
All notes with a number smaller than 5:
SELECT jtf_note_id FROM jtf_notes_b WHERE &TABLE_ALIAS.jtf_note_id < 5
All non-private notes:
SELECT jtf_note_id FROM jtf_notes_b WHERE &TABLE_ALIAS.note_status <> 'P'
All notes that are not confidential:
SELECT jtf_note_id FROM jtf_notes_b WHERE &TABLE_ALIAS.note_type <> 'CONFIDENTIAL'
All notes that are confidential:
SELECT jtf_note_id FROM jtf_notes_b WHERE &TABLE_ALIAS.note_type = 'CONFIDENTIAL'
All columns exposed through the table or view named in FND_OBJECTS.DATABASE_OBJECT_NAME can be used to create instance sets, although basic performance rules should be taken into account, because the predicate is appended to every secured query.
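The "&TABLE_ALIAS" convention above is easy to get wrong by hand, so the following added example (not part of the original guide, and not Oracle code) shows how a predicate stored for an object instance set can be checked for unprefixed column references and expanded against the alias of the base query. The tokenizer, the keyword list and the base query shape are assumptions for illustration.

```python
import re

# Words that may legitimately appear in a predicate without a &TABLE_ALIAS prefix.
# Assumed list for this example; extend it for your own predicates.
SQL_KEYWORDS = {"AND", "OR", "NOT", "IN", "IS", "NULL", "LIKE", "BETWEEN", "EXISTS"}

TOKEN = re.compile(r"""
    '(?:[^']|'')*'                 # string literal, e.g. 'CONFIDENTIAL'
  | &TABLE_ALIAS\.[A-Za-z_]\w*     # correctly prefixed column reference
  | [A-Za-z_]\w*                   # bare identifier: a keyword or an unprefixed column
  | \d+(?:\.\d+)?                  # numeric literal
  | <>|<=|>=|[<>=(),]              # operators and punctuation
""", re.VERBOSE)


def unprefixed_columns(predicate):
    """Return bare identifiers that are neither SQL keywords nor prefixed with &TABLE_ALIAS."""
    found = []
    for tok in TOKEN.findall(predicate):
        if re.fullmatch(r"[A-Za-z_]\w*", tok) and tok.upper() not in SQL_KEYWORDS:
            found.append(tok)
    return found


def render_query(predicate, alias="n"):
    """Expand &TABLE_ALIAS into the alias used by the base query and append the predicate.

    The base query is a constructed stand-in for the secured query the application runs;
    a predicate with unprefixed columns is rejected rather than silently expanded.
    """
    bad = unprefixed_columns(predicate)
    if bad:
        raise ValueError(f"columns not prefixed with &TABLE_ALIAS: {bad}")
    return (f"SELECT {alias}.jtf_note_id FROM jtf_notes_b {alias} WHERE "
            + predicate.replace("&TABLE_ALIAS", alias))
```

A predicate that passes `unprefixed_columns` with an empty result follows the page's convention; one that does not would be ambiguous once the base query joins other tables.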
Functions (Privileges)
For example, creating a note is an action, so CREATE_NOTE could be considered a function; likewise, updating a note means UPDATE_NOTE could be considered a function. Functions can be secured through the AOL security model. The Notes module has the following functions defined for the Notes object:
JTF_NOTE_SELECT, the ability to view a note
JTF_NOTE_TYPE_SELECT, the ability to view a note type
JTF_NOTE_CREATE, the ability to create a note including a regular note, large note (detailed note) and an attachment for a note
JTF_NOTE_UPDATE_NOTES, the ability to update a note's text (regular note)
JTF_NOTE_UPDATE_NOTE_DETAILS, the ability to update a note's details (a large or detailed note)
JTF_NOTE_DELETE, the ability to delete a note
JTF_NOTE_UPDATE_SECONDARY, the ability to update a note's type, status, relation (relate to), and attachment information
These functions are defined in the FND_FORM_FUNCTIONS table since they are referenced in the actual code. Therefore, they cannot be changed or extended.
In addition, functions (privileges) can be grouped into menus (roles) to reduce the granting overhead.
Menus (Roles)
The following menus (roles) are defined for Notes security:
JTF_NOTES_USER, containing:
  JTF_NOTE_SELECT
  JTF_NOTE_UPDATE_SECONDARY
JTF_NOTES_CREATOR, containing:
  JTF_NOTE_CREATE
Please note that menus are user definable; the seeded menus exist only to ensure backward compatibility.
Grants (Authorizations)
A grant consists of the following three components:
Object. Any object instance or object instance set, for instance, all non-private notes.
Grantee. Any user or user group, for instance, "JDOE" for John Doe.
Menu. Any menu, for instance, "JTF_NOTES_USER".
These three components would grant the user, John Doe, the ability to select and update all non-private notes.
In addition, all grants should be registered in table FND_GRANTS.
Please note that when using AOL security, a user is by default not able to do anything unless explicitly granted the privilege.
Global Grants
To reduce the administration of grants, authorizations can be granted globally to the following:
The "Global" user or user group (grantee)
The "Global" object instance (object)
After understanding how data can be organized in HTML Notes based on the AOL security model, system administrators can further customize the HTML Notes security rules by granting users appropriate data access permissions using the concept of object instance sets.
To better explain how the customization can be done, use the following business scenario to lead you through the possible customization steps.
A company's Sales department wants sales managers to be able to create and delete confidential notes for their sales leads. These confidential notes will be of note type "Confidential" and should be invisible to normal sales representatives. In addition, only sales managers should be able to create and delete confidential notes.
Customizing HTML Notes security means, in other words, creating grants based on the business scenario. Before starting a new grant, the following three components should be identified first:
Identifying Users or User Groups (Grantee)
Users need to be identified so that appropriate access privileges can be granted to them. In general, a user can be a single resource, resource group, or all members of a resource group.
Based on the scenario, the sales managers and sales representatives who will be given access permissions are the grantees, and they should be identified first. This can be done in Resource Manager by creating a resource group "SalesReps" containing all the sales representatives, and another group "SalesMan" containing all sales managers. For information on how to create a resource group, refer to the Resource Manager chapter of the Oracle Trading Community Architecture Technical Implementation Guide.
Once the grant components (who has what privileges to access which objects) are identified, the administrator can start the granting process:
Use an object instance set to specify a parameterized set of rows for the Notes object so that it can be granted to appropriate users.
An object instance set is a subset of the data residing within an object; therefore an object must exist before you are able to create an object instance set for that object.
Note: The creation of object instance sets is metadata driven; all data required to ensure backward compatibility with the current Notes security model is seeded.
The Notes module uses two seeded objects, JTF_NOTES and JTF_NOTE_TYPES. Each object can be customized by creating object instance sets to provide users with specific sets of Notes data if necessary. For example, notes (JTF_NOTES object) can be customized to have different object instance sets, such as all confidential notes. Note types (JTF_NOTE_TYPES object) list of values (LOV) can also be customized for different users.
Based on our scenario, in order to grant sales managers the permission to create confidential notes, and ensure sales representatives cannot create confidential notes, the following object instance sets should be created for JTF_NOTES:
All confidential notes
All non-confidential notes
Additional object instance sets should be created for JTF_NOTE_TYPES so that sales managers, but not sales representatives, can see the confidential note type. To do so, you can filter the list of available note types:
All confidential note types
Sales representative note types (all note types except the confidential note type)
Note: The note type LOV uses the internal API and appends the returned where clause to the base query to provide security data access.
Use the following steps to define object instance sets.
Responsibility: Functional Developer
Tips: First locate the object that you want a new instance set created for, then enter necessary information for the set.
Prerequisites
Steps
Navigate to Objects.
Enter necessary search information in the Find Objects window to locate the JTF_NOTES and JTF_NOTE_TYPES objects. Search results should be listed after executing the search.
Click the object name hyperlink for which you want the new instance set to be created from the search result to open the Find Object Instance Set window.
Existing instance sets for the selected object are also listed here. Click Create Instance Set.
Enter instance set detail information including instance set name, display name, description and predicate.
Save your work.
Related Topics
For detailed information on how to define object instance sets, see Oracle E-Business Suite Security Guide.
A menu is a hierarchical arrangement of functions and menus of functions. If a grant involves just a single function, such as granting the create notes function (JTF_NOTE_CREATE) to a user, then there is no need to define a menu. As mentioned earlier, the purpose of using menus is to reduce the administrative tasks. If multiple functions need to be given to a user, it is necessary to group them into a menu or menu structure.
In our scenario, sales managers require the following functions in a menu format:
JTF_NOTE_SELECT
JTF_NOTE_CREATE
JTF_NOTE_DELETE
JTF_NOTE_UPDATE_NOTES
JTF_NOTE_UPDATE_SECONDARY
JTF_NOTE_TYPE_SELECT
In addition, create another menu for sales representatives including the following functions:
JTF_NOTE_SELECT
JTF_NOTE_CREATE
JTF_NOTE_UPDATE_SECONDARY
JTF_NOTE_TYPE_SELECT
Responsibility: System Administrator
Steps
Navigate to Application, Menu.
Enter the menu name that describes the purpose of your menu, such as "SalesMan" or "Salesrep" in the Menu and User Menu Name fields.
The User Menu Name is used when a responsibility calls a menu or when one menu calls another.
Select an appropriate menu type and enter description information:
Standard. For menus that would be used in the Navigator form
Tab. For menus used in self service applications tabs
Security. For menus that are used to aggregate functions for data security or specific function security purposes, but would not be used in the Navigator form
Enter required functions for this menu including:
Sequence. Enter an integer here.
Navigation prompt. Enter a user-friendly, intuitive prompt your menu displays for this menu entry. This menu prompt appears in the hierarchy list of the Navigator window.
Submenu name. Enter a submenu name if applicable. This calls another menu and allows users to select menu entries from that menu.
Function name and description. Enter a function name that you wish to include in the menu. Descriptions appear in a field at the top of the Navigate window when a menu entry is highlighted.
The Grant check box. This should always be checked, which indicates that this function is automatically enabled for the user. If it is not checked, then the function must be enabled using additional data security rules.
Click View Tree... to see the menu's hierarchical structure.
Related Topics
Refer to Oracle E-Business Suite Security Guide for more information regarding how to define a menu.
The purpose of disabling existing grants is to make sure that all seeded global grants are revoked so that they do not interfere with the new grants; a seeded global grant that remains active would still give every user the privileges in its menu on every row. To disable a grant, set an end date for the grant instead of deleting it completely.
Responsibility: Functional Administrator
Steps
Navigate to Grants.
Search the existing grants that you want to disable by entering search criteria in the Search Grants window.
Click Go to retrieve the grants that match your search criteria.
Select the grant that you want to disable from the search result.
Set an end date in the Context window and click Finish to disable the grant.
Related Topics
For more information on how to disable existing grants, see Oracle E-Business Suite Security Guide.
A new grant must be created when there is a need to authorize access privileges for a user so that the user can perform certain functions, or to allow more specific actions on a designated instance set. Therefore, based on the data access level, there are two types of grants: Function Grants (such as the "Administrator" menu) and Data Grants (such as the note type LOV data).
A function grant applies to all objects and consists of the following windows:
Grantee: There are three grantee types, presented as radio buttons. Only one of them should be selected as the grantee.
All users (global)
Group of users (group)
Single user (user)
If a group or a single user is selected, the corresponding group or user name should be further identified. The selected grantee is validated against the WF_ROLES table.
Function Set: A function set (or a menu) can be selected from the LOV so that an appropriate function set can be granted to a specified grantee.
Context: The screen provides grant attributes information including organization, responsibility, start and end dates, program name, and program tag fields. This is the place where a grant can be disabled by entering an end date.
For a data grant, a specific object and instance set need to be further identified. It consists of the following windows, in sequential order:
Object: A specific object name needs to be specified for this grant.
Grantee: Like the function grant, grantee can be a user, a group, or all users.
Function Set: Like the function grant, a function set needs to be specified in order to authorize it to a specified grantee.
Data Set: There are three data set types. Only one of them should be selected:
All rows of the object (global): When it is selected, the Data Set Details window will be skipped and you are directed to the Context window.
A specific row of the object (instance)
A parameterized set of rows (instance set): When it is selected, the instance set name needs to be further identified.
Data Set Details: If instance or instance set is selected in the Data Set window, more data or data set details are displayed in this window. If instance is selected, then this page displays the associated primary key values. If instance set is selected, then this page displays the parameter columns with the associated predicate information for the selected instance set.
Context: Like the function grant, additional grant attributes can be addressed here. Use the end date field to revoke a grant.
Based on the scenario we have, the following grants need to be authorized:
Grant all sales representatives the access to all non-confidential notes
Grant all sales managers the access to all non-confidential notes
Grant all sales managers the access to all confidential notes
Grant all sales representatives the access to sales representative note types
Grant all sales managers the access to all confidential note types
Grant all sales managers the access to sales representative note types
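To make the deny-by-default behaviour of the grant model concrete, the following added example (not part of the original guide, and not Oracle code) models the scenario above in Python: the instance sets and menus defined earlier, the grants listed in this section, and the effect of end-dating the seeded global grant. The note rows, user names, the grant records and the inclusive end-date rule are constructed assumptions for illustration.

```python
# Constructed sample rows standing in for JTF_NOTES_B (values are hypothetical).
NOTES = [
    {"jtf_note_id": 1541, "note_type": "CONFIDENTIAL", "note_status": "I"},
    {"jtf_note_id": 1542, "note_type": "OFFER", "note_status": "I"},
]

# Object instance sets as callables mirroring the SQL predicates defined for JTF_NOTES.
INSTANCE_SETS = {
    "GLOBAL": lambda n: True,  # all rows of the object
    "CONFIDENTIAL_NOTES": lambda n: n["note_type"] == "CONFIDENTIAL",
    "NON_CONFIDENTIAL_NOTES": lambda n: n["note_type"] != "CONFIDENTIAL",
}

# Menus (roles): the seeded JTF_NOTES_USER menu plus the two menus from the scenario.
MENUS = {
    "JTF_NOTES_USER": {"JTF_NOTE_SELECT", "JTF_NOTE_UPDATE_SECONDARY"},
    "SalesMan": {"JTF_NOTE_SELECT", "JTF_NOTE_CREATE", "JTF_NOTE_DELETE",
                 "JTF_NOTE_UPDATE_NOTES", "JTF_NOTE_UPDATE_SECONDARY", "JTF_NOTE_TYPE_SELECT"},
    "SalesRep": {"JTF_NOTE_SELECT", "JTF_NOTE_CREATE", "JTF_NOTE_UPDATE_SECONDARY",
                 "JTF_NOTE_TYPE_SELECT"},
}

# Resource groups from the scenario; member user names are constructed.
GROUPS = {"SalesReps": {"JSMITH"}, "SalesMan": {"JDOE"}}


def grantees_for(user):
    """A user matches grants made to itself, to any group containing it, or to GLOBAL."""
    return {user, "GLOBAL"} | {g for g, members in GROUPS.items() if user in members}


def is_active(grant, today):
    """Dates are ISO strings; a grant stays active through its end date (assumed inclusive)."""
    return grant["end_date"] is None or today <= grant["end_date"]


def has_privilege(grants, user, function, note, today):
    """Deny by default: allow only when an active grant matches the grantee, carries the
    function in its menu, and its instance set predicate selects the row."""
    for g in grants:
        if not is_active(g, today) or g["grantee"] not in grantees_for(user):
            continue
        if function in MENUS[g["menu"]] and INSTANCE_SETS[g["instance_set"]](note):
            return True
    return False


def scenario_grants(seeded_global_end_date):
    """The seeded global grant (end-dated to disable it) plus the scenario's JTF_NOTES grants."""
    def grant(grantee, menu, instance_set, end_date=None):
        return {"grantee": grantee, "menu": menu, "instance_set": instance_set, "end_date": end_date}
    return [
        grant("GLOBAL", "JTF_NOTES_USER", "GLOBAL", seeded_global_end_date),
        grant("SalesReps", "SalesRep", "NON_CONFIDENTIAL_NOTES"),
        grant("SalesMan", "SalesMan", "NON_CONFIDENTIAL_NOTES"),
        grant("SalesMan", "SalesMan", "CONFIDENTIAL_NOTES"),
    ]
```

Running `has_privilege` with `scenario_grants(None)` shows why the disabling step matters: while the seeded global grant is still active, a sales representative can still select a confidential note through it.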
Use the following steps to add a new grant. For detailed information on how to add new grants, see the Oracle E-Business Suite Security Guide.
Responsibility: Functional Administrator
Steps
Navigate to Grants, Create Grant.
Enter grant name, description, and effective end date information.
In the Security Context region, select the Group of Users from the LOVs for the Grantee Type field. Additionally, specify appropriate operating unit and responsibility information.
In the Data Security region, select JTF_NOTES as the object name.
In the Create Grant: Select Object Data Context page, select "Instance Set" in the Data Context Type field for the JTF Notes object. Select "JTF_SALES_NOTES" or "JTF_SALES_NOTETYPES" for the Instance Set field.
In the Create Grant: Define Object Parameters and Select Set page, select "JTF Notes Creator" as the set name.
In the Create Grant: Review and Finish page, review the information and click the Finish button.