This chapter describes how to implement Oracle Communications Billing Care security.
Billing Care supports stringent authorization, authentication, and audit requirements. This section describes how to implement the security capabilities supported by Billing Care.
Oracle Identity Management (IDM) is a primary component for authorization and authentication. Each instance of Billing Care requires a properly configured instance of IDM to enable these functions.
For information about installing Billing Care, refer to Oracle Communications Billing Care Installation Guide.
Billing Care supports the following security for authentication:
Authenticating Billing Care users against an LDAP-based user ID repository
Enabling Single Sign On capabilities
Supporting user's password policies
Oracle Identity Manager manages user password policies. For more information, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Authorization refers to granting users privileges appropriate for their job functions, while denying access to other functionality. Oracle Entitlement Server (OES) handles all authorization tasks for Billing Care. This section provides an overview for setting up and maintaining the entitlements for Billing Care plus strategies for mapping enterprise users to those entitlements.
The following terms are used in authorization:
Resource type: contains the action definitions, for example, AdjustmentCurrencyResourceType.
Resource: represents a piece of application's functionality being secured, for example, AdjustmentResource, must always be of a known resource type.
Action: combined with a resource, defines operations permissible for an application's functionality, for example, AdjustmentResource and make.
Obligation: stores transaction limits. Some operations impose transaction limits, for example, the maximum payment amount. Obligations are the property of Authorization Policy.
Authorization Policy: a collection of resources, actions, and obligations that combine to form a logical grouping, for example, an entire set of application functions for the regular CSR.
Enterprise (External) Role: represents the job functions for the users at your company. You make OES aware of roles by mapping them to the Billing Care policies. If you do not map enterprise roles in the authorization policy, you must map to each user.
Billing Care includes an OES seed file containing all of the resource types, resources, actions, obligations, and four sample authorization policies (regular CSR, senior CSR, auditor, and billing admin).
For instructions on importing the seed file, refer to Oracle Fusion Middleware Administering Oracle Entitlements Server.
Note:
Unless you are customizing Billing Care, do not change the seed file.To deploy the seed file, use the jps-config.xml file located in: BillingCareSDK\references\OESDataModel.
Figure 3-1 describes the authorization flow:
The shaded area refers to areas defined in the OES seed file. (You load the seed file before performing the configuration.)
The lower area represents how in OES, an authorization policy is mapped to one or more resources, which may have one or more actions.
The authorization policy is mapped to obligations.
The authorization policy is associated with a user (individual) or an enterprise role (function).
The authorization policy is mapped to obligations, which are listed in Table 3-2.
Any changes made in OES must be redeployed (or distributed).
A user who does not have a resource grant is denied access to Billing Care. This behavior is targeted for deployments where a central user identity repository, storing all of the enterprise users, authenticates Billing Care sign in requests. The authorization scheme allows access only to users that been granted resources in OES.
Table 3-1 shows the Billing Care Authorization Resources. Resources grant permissions to perform general CSR or more advanced A/R tasks, for example.
Table 3-1 Authorization Resources
Resource Type | Resource | Actions | Description |
---|---|---|---|
SuperUserType |
SuperUserResource |
Any |
Enables you to create users free of restrictions, including when the user's profile contains other resources. The only exception is the ReadOnlyType, which takes precedence over all other resource types. |
ReadOnlyType |
ReadOnlyResource |
Any |
Causes Save and Apply buttons on overlays to be displayed as read-only. Users are allowed only read operations even if they have other resources or entitlements. |
PaymentResourceType |
PaymentResource |
Allocate, Audit, BatchProcess, Make, ReassignHandler, Reverse, SuspenseAccess, SuspenseAllocate, SuspenseMake, SuspenseMove, SuspenseReverse |
Allocate: Allows user to allocate payments. Audit: Allows user to view audit information on Payment Details overlay. (Audit information in payment suspense screen is always visible.) BatchProcess: Displays the Batch Payment button on the landing page. Make: Allows user to make payments. ReassignHandler: Prevents user from assigning and reassigning batch payment handlers to suspended payments. Reverse: Allows user to reverse payments. SuspenseAccess: Prevents user from accessing any payment suspense functionality. SuspenseAllocate: Allows user to allocate suspended payments partially or fully to an account. SuspenseMake: Prevents user from making suspended payments. SuspenseMove: Allows user to move posted payments into suspended status. SuspenseReverse: Allows user to reverse suspended payments. Returned as an obligation; OES returns a number, which is interpreted as a limit. See Table 3-2 for transaction limits. |
ServiceResourceType |
ServiceResource |
Cancel, Edit, Inactivate, Make, Reactivate, OfferInactivate, OfferTerminate, OfferReactivate, Terminate |
Cancel: Prevents user from canceling services. Edit: Gives user read-only access to the Asset Details page. Make: Blocks user's access to the Select and Configure pages of the customer creation wizard. Hides the Purchase button. Inactivate: Prevents user from inactivating services. OfferInactivate: Prevents user from inactivating product and discount offers. OfferReactivate: Prevents user from reactivating product and discount offers. OfferTerminate: Prevents user from terminating product and discount offers. Reactivate: Prevents user from reactivating services. Terminate: Prevents user from terminating services. |
|
AdjustmentResource |
Allocate, Make |
Allocate: Prevents user from allocating currency adjustments. Make: Prevents users from making adjustments. Uses a policy that constrains the maximum payment amount as a function of CSRs access level. See Table 3-2 for transaction limits. |
WriteoffResourceType |
WriteoffResource |
Make |
Policy on the minimum and maximum write-off amount applies. See Table 3-2 for transaction limits. |
AdjustmentNonCurrencyResourceType |
AdjustmentNonCurrencyResource |
Make |
Policy on the minimum and maximum noncurrency amount applies. See Table 3-2 for transaction limits. |
DisputeResourceType |
DisputeResource |
Raise, Settle |
Policy on the maximum dispute amount applies. See Table 3-2 for transaction limits. |
RefundResourceType |
RefundResource |
Make |
|
AccountResourceType |
AccountResource |
Make, Modify, Search Transition, View |
|
ConfigurationsArtifactsType |
ConfigurationArtifactsResource |
View |
|
InvoiceImageType |
InvoiceImageResource |
View |
|
NoteResourceType |
NoteResource |
Comment |
|
PaymentMethodResourceType |
PaymentMethodResource |
Add, Delete, Modify |
|
TaxExemptionResourceType |
TaxExemptionResource |
Add, Delete, Modify |
|
BillUnitResourceType |
BillUnitResource |
Add, Delete, Modify |
|
BillResourceType |
BillResource |
BillNow |
|
Some of the resources listed in Table 3-1 work in combination with transaction limits. For example, a CSR can be authorized to make adjustments, but not over a certain amount. System administrators must configure the limits with Oracle Entitlement Server.
Table 3-2 lists the attributes that require system administrators to configure transaction limits (values).
Table 3-2 Listing of Transaction Limits (Obligations)
Attribute | Type |
---|---|
Maximum Currency Adjustment Amount |
Integer |
Minimum Currency Adjustment Amount |
Integer |
Maximum Non-currency Adjustment Amount |
Integer |
Minimum Non-currency Adjustment Amount |
Integer |
Maximum Payment Amount |
Integer |
Maximum Dispute Amount (applies to settle as well) |
Integer |
Maximum Write-off Amount |
Integer |
Maximum Refund Issues Amount |
Integer |
Maximum Refund Settle Amount |
Integer |
The BRM server software handles auditing of Billing Care activities. The BRM event notification framework captures the audit trail records inside the /user_activity storable class. Each audit trail record links the activity with its creator, date, and time. In the audit trail, the identity of the person creating the record is the user name entered in Billing Care at sign in.
To configure the capture of new activity in the audit trail, include the event corresponding to the relevant activity using the pin_notify file in BRM. The same instructions apply when excluding events from the audit trail. For more information, refer to Oracle Communications Billing and Revenue Management System Administrator's Guide.
Table 3-3 lists all activities preserved in BRM by default. The list is from the /config/pin_notify storable class. You can add to or delete from this list.
Table 3-3 Audited List from /config/pin_notify
Task | BRM Event Name (Activity) |
---|---|
Account creation |
/event/notification/account/create |
Subscription purchase |
/event/billing/product/action/purchase |
Subscription modification |
/event/billing/product/action/modify |
Subscription cancellation |
/event/billing/product/action/cancel |
Updates to bill info (for example, BDOM [billing day of month), billing frequency, accounting type changes) |
/event/customer/billinfo/modify |
Event adjustment |
/event/billing/adjustment/event |
Item adjustment |
/event/billing/adjustment/item |
Account adjustment |
/event/billing/adjustment/account |
Top up |
/event/billing/vouchertopup |
Dispute issue |
/event/billing/dispute |
Dispute settled |
/event/billing/settlement/event |
Refund |
/event/billing/refund |
Write-off operation |
/event/billing/writeoff |
Payment |
/event/billing/payment |
Credit limit changes |
/event/billing/limit, /event/billing/credit |
Bill Now |
/event/notification/billing/start |
Charge sharing group lifecycle operations |
/event/group/sharing/charges/create /event/group/sharing/charges/modify /event/group/sharing/charges/delete |
Discount sharing group lifecycle operations |
/event/group/sharing/discounts/create /event/group/sharing/discounts/modify /event/group/sharing/discounts/delete |
Profile (for example, Friends and Family) lifecycle operations |
/event/group/sharing/profiles/create /event/group/sharing/profiles/modify /event/group/sharing/profiles/delete |
Credit Monitors lifecycle operations |
/event/group/sharing/monitor/modify /event/group/sharing/monitor/delete /event/group/sharing/profiles/delete |
Account hierarchy operations |
/event/group/parent /event/group/member |
For information on logging events, including changing the events logged, see the sections on logging customer service representative activities Oracle Communications Billing and Revenue Management System Administrator's Guide.