3 Implementing Billing Care Security

This chapter describes how to implement Oracle Communications Billing Care security.

Introduction to Billing Care Security

Billing Care supports stringent authorization, authentication, and audit requirements. This section describes how to implement the security capabilities supported by Billing Care.

About Identity Management Suite

Oracle Identity Management (IDM) is a primary component for authorization and authentication. Each instance of Billing Care requires a properly configured instance of IDM to enable these functions.

For information about installing Billing Care, refer to Oracle Communications Billing Care Installation Guide.

About Authentication

Billing Care supports the following security for authentication:

  • Authenticating Billing Care users against an LDAP-based user ID repository

  • Enabling Single Sign On capabilities

  • Supporting user's password policies

Oracle Identity Manager manages user password policies. For more information, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

About Authorization

Authorization refers to granting users privileges appropriate for their job functions, while denying access to other functionality. Oracle Entitlement Server (OES) handles all authorization tasks for Billing Care. This section provides an overview for setting up and maintaining the entitlements for Billing Care plus strategies for mapping enterprise users to those entitlements.

The following terms are used in authorization:

  • Resource type: contains the action definitions, for example, AdjustmentCurrencyResourceType.

  • Resource: represents a piece of application's functionality being secured, for example, AdjustmentResource, must always be of a known resource type.

  • Action: combined with a resource, defines operations permissible for an application's functionality, for example, AdjustmentResource and make.

  • Obligation: stores transaction limits. Some operations impose transaction limits, for example, the maximum payment amount. Obligations are the property of Authorization Policy.

  • Authorization Policy: a collection of resources, actions, and obligations that combine to form a logical grouping, for example, an entire set of application functions for the regular CSR.

  • Enterprise (External) Role: represents the job functions for the users at your company. You make OES aware of roles by mapping them to the Billing Care policies. If you do not map enterprise roles in the authorization policy, you must map to each user.

Billing Care includes an OES seed file containing all of the resource types, resources, actions, obligations, and four sample authorization policies (regular CSR, senior CSR, auditor, and billing admin).

For instructions on importing the seed file, refer to Oracle Fusion Middleware Administering Oracle Entitlements Server.

Note:

Unless you are customizing Billing Care, do not change the seed file.

To deploy the seed file, use the jps-config.xml file located in: BillingCareSDK\references\OESDataModel.

Figure 3-1 describes the authorization flow:

  1. The shaded area refers to areas defined in the OES seed file. (You load the seed file before performing the configuration.)

  2. The lower area represents how in OES, an authorization policy is mapped to one or more resources, which may have one or more actions.

  3. The authorization policy is mapped to obligations.

  4. The authorization policy is associated with a user (individual) or an enterprise role (function).

The authorization policy is mapped to obligations, which are listed in Table 3-2.

Any changes made in OES must be redeployed (or distributed).

Figure 3-1 Developing Authorization Policies for User and Enterprise Roles

Surrounding text describes Figure 3-1 .

About Billing Care Authorization Resources

A user who does not have a resource grant is denied access to Billing Care. This behavior is targeted for deployments where a central user identity repository, storing all of the enterprise users, authenticates Billing Care sign in requests. The authorization scheme allows access only to users that been granted resources in OES.

Table 3-1 shows the Billing Care Authorization Resources. Resources grant permissions to perform general CSR or more advanced A/R tasks, for example.

Table 3-1 Authorization Resources

Resource Type Resource Actions Description

SuperUserType

SuperUserResource

Any

Enables you to create users free of restrictions, including when the user's profile contains other resources.

The only exception is the ReadOnlyType, which takes precedence over all other resource types.

ReadOnlyType

ReadOnlyResource

Any

Causes Save and Apply buttons on overlays to be displayed as read-only.

Users are allowed only read operations even if they have other resources or entitlements.

PaymentResourceType

PaymentResource

Allocate,

Audit,

BatchProcess,

Make,

ReassignHandler,

Reverse,

SuspenseAccess,

SuspenseAllocate,

SuspenseMake,

SuspenseMove,

SuspenseReverse

Allocate: Allows user to allocate payments.

Audit: Allows user to view audit information on Payment Details overlay. (Audit information in payment suspense screen is always visible.)

BatchProcess: Displays the Batch Payment button on the landing page.

Make: Allows user to make payments.

ReassignHandler: Prevents user from assigning and reassigning batch payment handlers to suspended payments.

Reverse: Allows user to reverse payments.

SuspenseAccess: Prevents user from accessing any payment suspense functionality.

SuspenseAllocate: Allows user to allocate suspended payments partially or fully to an account.

SuspenseMake: Prevents user from making suspended payments.

SuspenseMove: Allows user to move posted payments into suspended status.

SuspenseReverse: Allows user to reverse suspended payments.

Returned as an obligation; OES returns a number, which is interpreted as a limit. See Table 3-2 for transaction limits.

ServiceResourceType

ServiceResource

Cancel,

Edit,

Inactivate,

Make,

Reactivate,

OfferInactivate,

OfferTerminate,

OfferReactivate,

Terminate

Cancel: Prevents user from canceling services.

Edit: Gives user read-only access to the Asset Details page.

Make: Blocks user's access to the Select and Configure pages of the customer creation wizard. Hides the Purchase button.

Inactivate: Prevents user from inactivating services.

OfferInactivate: Prevents user from inactivating product and discount offers.

OfferReactivate: Prevents user from reactivating product and discount offers.

OfferTerminate: Prevents user from terminating product and discount offers.

Reactivate: Prevents user from reactivating services.

Terminate: Prevents user from terminating services.


AdjustmentCurrencyResourceType

AdjustmentResource

Allocate,

Make

Allocate: Prevents user from allocating currency adjustments.

Make: Prevents users from making adjustments.

Uses a policy that constrains the maximum payment amount as a function of CSRs access level. See Table 3-2 for transaction limits.

WriteoffResourceType

WriteoffResource

Make


Prevents user from writing off accounts.

Policy on the minimum and maximum write-off amount applies. See Table 3-2 for transaction limits.

AdjustmentNonCurrencyResourceType

AdjustmentNonCurrencyResource

Make


Gives noncurrency adjustments their own resource type because they cannot be allocated (unlike currency resources).

Policy on the minimum and maximum noncurrency amount applies. See Table 3-2 for transaction limits.

DisputeResourceType

DisputeResource

Raise,

Settle


Raise: Disables bill dispute functionality.


Settle: Disables bill dispute settlement functionality.

Policy on the maximum dispute amount applies. See Table 3-2 for transaction limits.

RefundResourceType

RefundResource

Make


Allows user to refund bills.

AccountResourceType

AccountResource

Make,

Modify,

Search

Transition,

View


Make: Allows user to create accounts.


Modify: Prevents user from adding, deleting, or saving contact information.


Search: Allows user to access search functionality.


Transition: Enables changing account status.


View: Enables user to view account profile and other customer information.

ConfigurationsArtifactsType

ConfigurationArtifactsResource

View


Allows user to read all configuration-related REST APIs (for example, authorization profiles).

InvoiceImageType

InvoiceImageResource

View


Allows user to view invoices.

NoteResourceType

NoteResource

Comment


Allows user to make comments.

PaymentMethodResourceType

PaymentMethodResource

Add,

Delete,

Modify


Add: Allows user to add payment method.


Delete: Allows user to delete payment method.


Modify: Allows user to change payment method.

TaxExemptionResourceType

TaxExemptionResource

Add,

Delete,

Modify


Add: Allows user to add tax exemptions whether account has or does not have prior tax exemptions.


Delete: Allows user to delete tax exemptions.


Modify: Allows user to save changes to tax exemption attributes.

BillUnitResourceType

BillUnitResource

Add,

Delete,

Modify


Add: Allows user to create bill units.


Delete: Reserved for future use.


Modify: Allows user to change the bill unit.

BillResourceType

BillResource

BillNow


BillNow: Allows user to perform Bill Now operations.

Policies on Transaction Limits

Some of the resources listed in Table 3-1 work in combination with transaction limits. For example, a CSR can be authorized to make adjustments, but not over a certain amount. System administrators must configure the limits with Oracle Entitlement Server.

Table 3-2 lists the attributes that require system administrators to configure transaction limits (values).

Table 3-2 Listing of Transaction Limits (Obligations)

Attribute Type

Maximum Currency Adjustment Amount

Integer

Minimum Currency Adjustment Amount

Integer

Maximum Non-currency Adjustment Amount

Integer

Minimum Non-currency Adjustment Amount

Integer

Maximum Payment Amount

Integer

Maximum Dispute Amount (applies to settle as well)

Integer

Maximum Write-off Amount

Integer

Maximum Refund Issues Amount

Integer

Maximum Refund Settle Amount

Integer

About Auditing

The BRM server software handles auditing of Billing Care activities. The BRM event notification framework captures the audit trail records inside the /user_activity storable class. Each audit trail record links the activity with its creator, date, and time. In the audit trail, the identity of the person creating the record is the user name entered in Billing Care at sign in.

To configure the capture of new activity in the audit trail, include the event corresponding to the relevant activity using the pin_notify file in BRM. The same instructions apply when excluding events from the audit trail. For more information, refer to Oracle Communications Billing and Revenue Management System Administrator's Guide.

Table 3-3 lists all activities preserved in BRM by default. The list is from the /config/pin_notify storable class. You can add to or delete from this list.

Table 3-3 Audited List from /config/pin_notify

Task BRM Event Name (Activity)

Account creation

/event/notification/account/create

Subscription purchase

/event/billing/product/action/purchase

Subscription modification

/event/billing/product/action/modify

Subscription cancellation

/event/billing/product/action/cancel

Updates to bill info (for example, BDOM [billing day of month), billing frequency, accounting type changes)

/event/customer/billinfo/modify

Event adjustment

/event/billing/adjustment/event

Item adjustment

/event/billing/adjustment/item

Account adjustment

/event/billing/adjustment/account

Top up

/event/billing/vouchertopup

Dispute issue

/event/billing/dispute

Dispute settled

/event/billing/settlement/event

Refund

/event/billing/refund

Write-off operation

/event/billing/writeoff

Payment

/event/billing/payment

Credit limit changes

/event/billing/limit, /event/billing/credit

Bill Now

/event/notification/billing/start

Charge sharing group lifecycle operations

/event/group/sharing/charges/create

/event/group/sharing/charges/modify

/event/group/sharing/charges/delete

Discount sharing group lifecycle operations

/event/group/sharing/discounts/create

/event/group/sharing/discounts/modify

/event/group/sharing/discounts/delete

Profile (for example, Friends and Family) lifecycle operations

/event/group/sharing/profiles/create

/event/group/sharing/profiles/modify

/event/group/sharing/profiles/delete

Credit Monitors lifecycle operations

/event/group/sharing/monitor/modify

/event/group/sharing/monitor/delete

/event/group/sharing/profiles/delete

Account hierarchy operations

/event/group/parent /event/group/member

For information on logging events, including changing the events logged, see the sections on logging customer service representative activities Oracle Communications Billing and Revenue Management System Administrator's Guide.