This chapter covers the following topics:
Oracle Trading Community Architecture provides a model for managing information about entities such as customers. The TCA Data Sharing and Security (DSS) feature provides the capability to manage who can create, modify, and delete information about TCA data model entities across the applications in the Oracle E-Business Suite.
You can configure applications in the E-Business Suite to implement the data sharing and security rules required by your organization's internal policies and procedures, as well those required by governmental regulations and laws. For example, you can establish security rules so that only healthcare workers can change personal information about patients.
The DSS feature registers data security rules in a central repository using the security features of Oracle's Application Object Library (AOL). Because E-Business Suite applications use the TCA public application programming interfaces (APIs) to create, update, and manage party information, data security rules are encoded in these APIs to enforce consistent behavior across the E-Business Suite.
With the DSS feature, you can control access to the following TCA data model entities:
Parties
Person parties
Organization parties
Relationships
Classification code assignments
Party addresses
Party contact points
Party site contact points
To secure information about entities, a TCA data security administrator must define the data sharing groups that specify the criteria used to determine the data to be secured. Security criteria can be one or more of the following characteristics:
Classification
Relationship
E-Business Suite module used to create the data
After defining a data sharing group, the TCA data security administrator can assign access privileges to users who create, update, or delete information secured by the data sharing group. You can assign access privileges to users at the following levels:
Global or public (all users)
Responsibility
Individual user
Note: You cannot use the DSS feature to restrict users of an application from viewing information created and maintained in that application. The DSS feature limits the ability of users to create, update, or delete information that is secured based on that data sharing group definition.
For more information see the Oracle E-Business Suite Security Guide and the user guides for the applications in the E-Business Suite.
Two responsibilities can access the Security Administration pages:
Trading Community Manager: The Trading Community Manager responsibility, allows users to create a setup or update data sharing and security. To get the Trading Community Manager responsibility users have to get the TCA Data Security Administrator responsibility.
TCA Data Security Administrator: The TCA Data Security Administrator responsibility alone, does not allow users to modify data sharing and security setup data. To create a setup or update data sharing and security, users must have both the TCA Data Security Administrator and Trading Community Manager responsibilities.
Example
Consider the case of a hospital implementing Oracle applications powered by TCA. In this situation, the hospital could define different data sharing groups to secure patient information as well as hospital employee information. A security conflict might occur if a hospital employee falls ill and becomes a patient at the same hospital. Which privilege assignment scheme controls access to this entity?
The DSS feature addresses this issue by allowing administrators to create a third data sharing group that defines the privileges associated with creating, updating, and deleting records of parties that are both employees and patients. For the appropriate privilege assignment to take place, this third data sharing group must be assigned a rank that is higher than the rank assigned to the Employee Only or the Patient Only groups.
You can use the seeded data sharing groups listed in this table, in addition to the ones that you create.
| Group Name | Group Code |
|---|---|
| Public | PUBLIC |
Related Topics
Data Sharing and Security Overview
Introduction to Administration
A TCA data security administrator creates and updates data sharing groups, enables or disables data sharing groups, and assigns access privileges to responsibilities and users.
Note: To create, update, or delete data sharing groups you must have the TCA Data Security Administrator responsibility.
The Data Sharing and Security Administration page provides a starting point for a TCA data security administrator to define security rules and to assign access privileges for information modeled by the Oracle Trading Community Architecture.
To create a new data sharing group, click the Create button. See: Creating a Data Sharing Group.
To assign the privilege to access a data sharing group to a responsibility or an individual user, click the Assign Privileges icon for the appropriate data sharing group. See: Assigning Privileges to Access a Data Sharing Group.
To view and update a data sharing group, click the data sharing group name. See: Updating a Data Sharing Group.
The Trading Community Manager responsibility can only view information. Only the TCA Data Security Administrator responsibility can also update the data sharing group information.
When you define a data sharing group, you must explicitly assign access privileges to the information secured by the data sharing groups. If an entity is secured by a data sharing group, then explicit assignments must be made to the appropriate users or responsibilities to define their access privileges. If privilege assignments are not made, then no one will have access to the information.
If an entity is not covered by any defined data sharing group, you can use the HZ: Default Data Sharing Group profile option to designate the default group that would be assigned to that entity.
To control Data Sharing and Security, TCA data security administrators can use the HZ: Data Sharing and Security Enabled profile option to limit TCA security features to a specific user before generally releasing the functionality. Furthermore, data sharing groups can be set up, but not enabled until the desired security is ready to be enforced.
See: Profile Options and Profile Option Categories.
Related Topics
Administering Data Sharing and Security
This process enables a TCA data security administrator to define data sharing groups by specifying information that identifies the data sharing group and the criteria that define the group: classifications, relationships, source modules, and specific TCA data model entities supported by the DSS feature.
Note: A TCA data security administrator can only set table or row level security. Specific attributes such as a person's date of birth cannot be secured. However, the entire person profile can be secured using the Create Data Sharing Group page.
This page can only be accessed with a TCA Data Security Administrator responsibility.
Click the Create button in the Data Sharing and Security Administration page. See: Administration Process.
Enter a name for this group in the Data Sharing Group Name field.
The name should be descriptive of the secured data and of the users, responsibilities, and public that you assign the privilege of accessing this data sharing group.
Enter a code for this group in the Data Sharing Group Code field.
This code must be a unique identifier. The code cannot be updated, although other attributes can be.
Enter a description for this group in the Data Sharing Group Description field.
You can specify the rank of this group that will be used to resolve conflicting security rules between groups and to order the display of this group with other groups on the Data Sharing and Security Administration page. Rank controls the order in which data sharing groups are evaluated to determine which sharing group applies to data.
For example, you can set up two data sharing groups, one for patients and one for employees. If the Patient group is ranked higher than the Employee group, then information about an employee who is a patient would be secured as part of the Patient group.
Select the Last option to place this data sharing group at the end of the list.
Select the Before option and a data sharing group to place the new data sharing group before the selected existing data sharing group.
Check or clear the Enable Data Sharing Group check box.
In the Classifications region, add class categories to be included in this data sharing group.
Enter the name of a classification, or class code, associated with each class category.
The Class Path column displays the hierarchical position of class codes in the class code hierarchy of a class category.
For more information on classifications, see: Classifications Overview and Administering Classifications.
Check or clear the Enabled check box to enable or disable the class category and classification.
Add relationship roles, such as Employee, Patient, Customers, and so on in the Relationships region.
Check or clear the Enabled check box to enable or disable the relationship role.
For more information on relationships, see: Administering Relationships.
In the Created By Module region, enter a source application or module that stores and maintains the information secured by this data sharing group. This section displays a list of the applications and modules, secured by a TCA data security administrator, that created the entity within the TCA registry.
For example, to only allow Oracle Healthcare application users to create a particular person entity called Patient, then the TCA data security administrator may secure the Patient relationship in the Relationships region, the Business Function of Patient in the Classifications region, and the Oracle Healthcare Applications (OHC) in the Created By Module region to specify the business rules needed to secure patient information.
Check or clear the Enabled check box to enable or disable the created by module.
Check or clear the check boxes, in the Entities region, for the entities secured by this data sharing group.
The DSS feature encapsulates the following entities modeled within TCA:
Parties
Person parties
Organization parties
Relationships
Classification code assignments
Party addresses
Party contact points
Party site contact points
Click the Apply button to create this data sharing group.
Related Topics
Administering Data Sharing and Security
This process enables a TCA data security administrator to update existing data sharing groups by modifying the classifications, relationship roles, and entities of previously defined data sharing groups.
You can modify or update existing criteria based on changes in the application used to create and manage the information a TCA data security administrator secures. For example, if an enterprise plans to use Customers Online, in addition to its Oracle TeleService call center, the TCA data security administrator could modify an existing data sharing group used to protect customer information to include Customers Online, so that only users of the two applications can create, update or delete customer information modeled within TCA.
This page can only be accessed with the TCA Data Security Administrator responsibility.
Click the name of a data sharing group in the Data Sharing and Security Administration page. See: Administration Process.
Modify the details of the data sharing group, as necessary, in the Update Data Sharing Group page.
In response to changes in their organization's business policies or requirements, TCA data security administrators can:
Enable or disable an existing classification, relationship, or created-by module from the data sharing group.
Edit or add classifications, relationships, or created-by modules.
Click the Apply button.
Related Topics
Administering Data Sharing and Security
This process enables TCA data security system administrators to assign specific users, responsibilities, or all users (public) to specific data sharing groups.
A data sharing group assignment is a special entity that associates any entity with a data sharing group. Due to the configurable nature of the Data Sharing and Security solution, not all TCA entities are directly associated with a data sharing group, but only those that require protection. When you assign data sharing group privileges, those users, responsibilities, or groups can access the information protected by that data sharing group.
On the Data Sharing and Security Administration page, click the Assign Privileges icon for a data sharing group. See: Administration Process.
On the Assign Privileges page, select the type of grantee:
Public: All users
Group: Responsibility
User: Individual user
Enter the user or responsibility name of the grantee in the Name field, or use the list of values to find and select a user or responsibility name set up by the system administrator.
Check the appropriate check boxes to give create, update, or delete privileges to a grantee.
Click the Apply button.
Related Topics