Security

Overview of Security in Oracle Enterprise Command Center Framework

Oracle Enterprise Command Center Framework relies on the security model provided by Oracle E-Business Suite to secure access to dashboards and the underlying data. It inherits user access privileges from Oracle E-Business Suite and relies on the user being authenticated by a Security Manager and Oracle E-Business Suite before gaining access to the embedded Oracle Enterprise Command Center Framework dashboards. Filters are also applied to control access to dashboards and data sets.

[Figure: Overview of Security Model for Oracle Enterprise Command Center Framework and Oracle E-Business Suite]

Oracle Enterprise Command Center Framework Authentication

The figure below explains the process that Oracle Enterprise Command Center Framework employs to authenticate and authorize access to the embedded dashboard.

[Figure: Oracle Enterprise Command Center Framework authentication and authorization process]

When a business user accesses an embedded dashboard, the following procedure is followed:

  1. Oracle Enterprise Command Center Framework sends information on the user session and the source system URL (page name).

  2. The ECC Security Manager selects an Authorization Provider.

  3. The ECC Security Manager validates the existence of a valid and authenticated Oracle E-Business Suite session before any additional checks are performed. It sends a valid session token for Oracle E-Business Suite to the Source System Authorization Manager.

  4. The ECC Security Manager then retrieves the user context.

  5. Authorization controls are applied next to allow granular control over which dashboards are exposed to the user.

    The ECC Security Manager also validates access to data sets. Authorization is verified through matching the Oracle Enterprise Command Center Framework data set privilege name with the FND form function.

  6. A response is then sent to the user.

Page Level Security

Pages are secured in Oracle Enterprise Command Center Framework using FND_FORM_FUNCTION defined in Oracle E-Business Suite.

A shipped Oracle E-Business Suite role (utilizing Role Based Access Control, or RBAC) is used to assign Oracle Enterprise Command Center Framework dashboard access to responsibilities.

Oracle Enterprise Command Center Framework ships an ECC Developer responsibility that allows access to the Oracle Enterprise Command Center Framework home page and supports different developer and administrator capabilities.

A dashboard page, when accessed by a user who has the ECC Developer responsibility, will allow edits to page layout and component configurations.

Data Level Security

To access data within an Oracle Enterprise Command Center Framework data set, the user must have at least one of the data set privileges (these are defined and controlled as Oracle E-Business Suite form functions). Once the Enterprise Command Center Framework Security Manager has verified access to the data set, a security handler is applied to any subsequent query against that data set, so that data access is restricted to the subset the user is allowed to see. This next level of security enforces data access restrictions on the data displayed in the dashboard, based on setups available in Oracle E-Business Suite that may apply to different business dashboards (for example, operating unit access, inventory org access, asset book access, and so on).

As illustrated in the following diagram, Oracle Enterprise Command Center allows configuration of a custom security handler that is applied on top of the existing security handler. A separate package can be configured as the custom security handler, utilizing a PL/SQL security package in Oracle E-Business Suite. This custom security handler can also use Apache Solr as a search API.

[Figure: Data Security]
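The data-level checks described above can be modelled in a few lines. The following is an added illustration, not Oracle code: every class, function and privilege name is hypothetical, the rows are constructed sample data, and it assumes the custom security handler is combined with the base handler by logical AND.

```python
# Added illustrative model; every name here is hypothetical, not an Oracle API.
from dataclasses import dataclass
from typing import Callable, Optional

RowFilter = Callable[[dict], bool]

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class UserContext:
    user: str
    form_functions: frozenset   # FND form functions the user has been granted
    operating_units: frozenset  # EBS setup: operating units the user may see

@dataclass
class DataSet:
    name: str
    privileges: frozenset       # data set privilege names (FND form functions)
    rows: list                  # constructed sample rows
    handler: Callable[[UserContext], RowFilter]
    custom_handler: Optional[Callable[[UserContext], RowFilter]] = None

def operating_unit_handler(ctx: UserContext) -> RowFilter:
    """Security handler: keep only rows in the user's operating units."""
    return lambda row: row["org_id"] in ctx.operating_units

def query(ctx: UserContext, ds: DataSet, predicate: RowFilter = lambda r: True) -> list:
    # Gate: at least one data set privilege must match a granted form function.
    if not (ds.privileges & ctx.form_functions):
        raise AccessDenied(f"{ctx.user} holds no privilege on {ds.name}")
    base = ds.handler(ctx)
    # Assumption: the custom handler is ANDed with the base handler, so it can
    # narrow the visible rows but never widen them.
    extra = ds.custom_handler(ctx) if ds.custom_handler else (lambda r: True)
    # The caller's predicate is applied last and cannot bypass either handler.
    return [r for r in ds.rows if base(r) and extra(r) and predicate(r)]

# Constructed sample data.
INVOICES = DataSet(
    name="invoices",
    privileges=frozenset({"XX_INVOICES_VIEW", "XX_INVOICES_ADMIN"}),
    rows=[{"id": 1, "org_id": 101, "amount": 50},
          {"id": 2, "org_id": 102, "amount": 900},
          {"id": 3, "org_id": 101, "amount": 1200}],
    handler=operating_unit_handler,
)
ALICE = UserContext("alice", frozenset({"XX_INVOICES_VIEW"}), frozenset({101}))
BOB = UserContext("bob", frozenset({"XX_OTHER"}), frozenset({101, 102}))
```

In this model a user with broad operating unit access but no matching data set privilege is rejected before any row is read, and a query predicate asking for another operating unit's rows returns nothing rather than bypassing the handler.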