We'll use an example from Oracle Utilities Customer Care and Billing to describe how access groups and roles are used to restrict access to accounts. The following diagram illustrates the objects involved with account security:
An Access Group defines a group of Accounts that have the same type of security restrictions. A Data Access Role defines a group of Users that have the same access rights (in respect of access to accounts). When you grant a data access role rights to an access group, you are giving all users in the data access role rights to all accounts in the access group.
The following points summarize the data relationships involved with account security:
- An account references a single access group. An access group may be linked to an unlimited number of accounts.
- A data access role has one or more users associated with it. A user may belong to many data access roles.
- A data access role may be linked to one or more access group. An access group may be linked to one or more data access roles.
If you use row level security, setting up your access roles and groups can be easy or challenging - it all depends on your organization's requirements. Refer to the product's Administration Guide - Implementing Account Security for several case studies. These case studies provide examples of how different requirements can be implemented using these concepts.