Oracle Pedigree and Serialization Manager Security Guide
Release 1.2
Part Number E48145-01

Security Features

This chapter covers the following topics:

Security Model

Oracle Pedigree and Serialization Manager (OPSM) leverages the Oracle Fusion Middleware Security features to offer:

OPSM can be configured to use Secure Sockets Layer (SSL), a security protocol that allows a client program (for example, a web browser) to talk to a server program (for example, a web server) over an encrypted link. Oracle Web Services Manager security policies also provide additional security for web services.

Securing Oracle Pedigree and Serialization Manager

Security Explained

Oracle Pedigree and Serialization Manager (OPSM) provides functional security. Functional security is a statement of what you can do. It typically mirrors what you would see on a job description. For example, a Supply Chain Application Administrator is responsible for creating and maintaining the system setup for OPSM, such as definitions of locations, serial types, serial destinations, and system parameters.

Database Users

The following table lists all of the default Oracle Database users that OPSM creates during installation and that are required for the application to work correctly.

Database User ID: FUSION_ATGLITE
Roles and System Privileges:
  GRANT "RESOURCE" TO FUSION_ATGLITE
  GRANT "CONNECT" TO FUSION_ATGLITE
  GRANT "CTXAPP" TO FUSION_ATGLITE
  GRANT "JAVAUSERPRIV" TO FUSION_ATGLITE
  GRANT "AQ_USER_ROLE" TO FUSION_ATGLITE
  ALTER USER "FUSION_ATGLITE" DEFAULT ROLE ALL
  GRANT CREATE SYNONYM TO FUSION_ATGLITE
  GRANT ALTER ANY MATERIALIZED VIEW TO FUSION_ATGLITE
  GRANT ALTER SESSION TO FUSION_ATGLITE
  GRANT ANALYZE ANY TO FUSION_ATGLITE
  GRANT CHANGE NOTIFICATION TO FUSION_ATGLITE
  GRANT CREATE ANY CONTEXT TO FUSION_ATGLITE
  GRANT CREATE ANY DIRECTORY TO FUSION_ATGLITE
  GRANT CREATE ANY JOB TO FUSION_ATGLITE
  GRANT CREATE DATABASE LINK TO FUSION_ATGLITE
  GRANT CREATE EXTERNAL JOB TO FUSION_ATGLITE
  GRANT CREATE JOB TO FUSION_ATGLITE
  GRANT CREATE MATERIALIZED VIEW TO FUSION_ATGLITE
  GRANT CREATE MINING MODEL TO FUSION_ATGLITE
  GRANT CREATE PROCEDURE TO FUSION_ATGLITE
  GRANT CREATE PUBLIC DATABASE LINK TO FUSION_ATGLITE
  GRANT CREATE PUBLIC SYNONYM TO FUSION_ATGLITE
  GRANT CREATE SEQUENCE TO FUSION_ATGLITE
  GRANT CREATE SESSION TO FUSION_ATGLITE
  GRANT CREATE SYNONYM TO FUSION_ATGLITE
  GRANT CREATE TABLE TO FUSION_ATGLITE
  GRANT CREATE TRIGGER TO FUSION_ATGLITE
  GRANT CREATE TYPE TO FUSION_ATGLITE
  GRANT CREATE VIEW TO FUSION_ATGLITE
  GRANT DROP ANY CONTEXT TO FUSION_ATGLITE
  GRANT DROP ANY DIRECTORY TO FUSION_ATGLITE
  GRANT DROP PUBLIC SYNONYM TO FUSION_ATGLITE
  GRANT UNLIMITED TABLESPACE TO FUSION_ATGLITE

Database User ID: PAS
Roles and System Privileges:
  GRANT RESOURCE TO PAS
  GRANT CONNECT TO PAS
  GRANT CHANGE NOTIFICATION TO PAS
  GRANT CREATE VIEW TO PAS
  GRANT UNLIMITED TABLESPACE TO PAS
  GRANT CREATE MATERIALIZED VIEW TO PAS
  GRANT EXECUTE ON DBMS_CRYPTO TO PAS
  GRANT EXECUTE ON UTL_SMTP TO PAS
  GRANT CREATE JOB TO PAS
  GRANT CREATE ANY DIRECTORY TO PAS
  GRANT CREATE TABLE TO PAS
  GRANT CREATE SYNONYM TO PAS
  GRANT CREATE DATABASE LINK TO PAS

Database User ID: PASJMS
Roles and System Privileges:
  GRANT RESOURCE TO PASJMS
  GRANT CONNECT TO PASJMS
  GRANT UNLIMITED TABLESPACE TO PASJMS
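The grant list above is the documented baseline for these three accounts, which makes it a natural input for a privilege-drift check: any grant present on a live database that the table does not list (and any documented grant that has disappeared) is something to review. The following Python script is an added example, not Oracle's code. It embeds an abridged subset of the documented grants as the baseline and a constructed sample of a later export as the "actual" state; a real run would feed the output of an export such as DBMS_METADATA.GET_GRANTED_DDL, or a listing built from DBA_SYS_PRIVS and DBA_ROLE_PRIVS, into parse_grants() instead of the sample string. Non-GRANT lines (such as the ALTER USER ... DEFAULT ROLE ALL line in the table) are ignored by the parser. Note that the documented baseline itself already contains broad privileges (the ANY privileges, CREATE EXTERNAL JOB, CREATE PUBLIC DATABASE LINK, UNLIMITED TABLESPACE); the script flags only undocumented additions as high risk, so reviewing the documented grants themselves against the deployment's needs is a separate step.

```python
"""Privilege-drift check for the OPSM database users documented in this chapter.

Added example, not Oracle's code. BASELINE_DDL is an abridged subset of the
chapter's table; ACTUAL_DDL is a CONSTRUCTED sample of what a later export of
the live grants might contain.
"""
import re
from dataclasses import dataclass, field

# Baseline: grants copied from the chapter's table (abridged subset).
BASELINE_DDL = """
GRANT "RESOURCE" TO FUSION_ATGLITE
GRANT "CONNECT" TO FUSION_ATGLITE
GRANT CREATE SESSION TO FUSION_ATGLITE
GRANT UNLIMITED TABLESPACE TO FUSION_ATGLITE
GRANT RESOURCE TO PASJMS
GRANT CONNECT TO PASJMS
GRANT UNLIMITED TABLESPACE TO PASJMS
"""

# Constructed sample of a later export: PASJMS has lost one documented grant
# and both users have gained grants that the chapter does not list.
ACTUAL_DDL = """
GRANT "RESOURCE" TO "FUSION_ATGLITE";
GRANT "CONNECT" TO "FUSION_ATGLITE";
GRANT CREATE SESSION TO "FUSION_ATGLITE";
GRANT UNLIMITED TABLESPACE TO "FUSION_ATGLITE";
GRANT SELECT ANY TABLE TO "FUSION_ATGLITE";
GRANT RESOURCE TO PASJMS
GRANT CONNECT TO PASJMS
GRANT EXECUTE ON UTL_FILE TO PASJMS
"""

# GRANT <privilege or role> TO <grantee>; quotes and a trailing ';' are optional.
GRANT_RE = re.compile(r'^\s*GRANT\s+(.+?)\s+TO\s+"?(\w+)"?\s*;?\s*$', re.IGNORECASE)

# Undocumented grants matching these patterns are singled out for review.
HIGH_RISK = re.compile(
    r"\bANY\b|UNLIMITED TABLESPACE|PUBLIC DATABASE LINK|EXTERNAL JOB|\bDBA\b",
    re.IGNORECASE,
)


def parse_grants(ddl: str) -> dict[str, set[str]]:
    """Return {GRANTEE: {normalized privilege or role, ...}} for every GRANT line."""
    grants: dict[str, set[str]] = {}
    for line in ddl.splitlines():
        m = GRANT_RE.match(line)
        if not m:
            continue  # ALTER USER and other non-GRANT lines carry no privilege
        priv = re.sub(r"\s+", " ", m.group(1).replace('"', "")).strip().upper()
        grants.setdefault(m.group(2).upper(), set()).add(priv)
    return grants


@dataclass
class Drift:
    missing: dict[str, set[str]] = field(default_factory=dict)    # documented, not present
    extra: dict[str, set[str]] = field(default_factory=dict)      # present, not documented
    high_risk: dict[str, set[str]] = field(default_factory=dict)  # subset of extra


def compare(baseline: dict[str, set[str]], actual: dict[str, set[str]]) -> Drift:
    """Diff the live grants against the documented baseline, per user."""
    drift = Drift()
    for user in sorted(set(baseline) | set(actual)):
        documented = baseline.get(user, set())
        present = actual.get(user, set())
        if documented - present:
            drift.missing[user] = documented - present
        if present - documented:
            drift.extra[user] = present - documented
            risky = {p for p in present - documented if HIGH_RISK.search(p)}
            if risky:
                drift.high_risk[user] = risky
    return drift


def check_opsm_users() -> Drift:
    """Run the comparison on the embedded baseline and sample export."""
    return compare(parse_grants(BASELINE_DDL), parse_grants(ACTUAL_DDL))


if __name__ == "__main__":
    d = check_opsm_users()
    for user, privs in d.missing.items():
        print(f"missing   {user}: {sorted(privs)}")
    for user, privs in d.extra.items():
        for p in sorted(privs):
            tag = "HIGH-RISK" if p in d.high_risk.get(user, set()) else "extra"
            print(f"{tag:9} {user}: {p}")
```

Run against a real export, the script reports one line per deviation; scheduling it after patching or upgrades catches grants that an installer or a DBA added outside the documented set.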

Jobs, Duties, and Application Roles Explained

A job is the actual job description, such as what you would view on a job board. Duties are the tasks that the job owner performs. Application roles are collections of duties that job owners perform. Only application roles may be the beneficiary of a permission grant. For example:

Roles Explained

All users are assigned specific roles that allow them to perform only those tasks that are appropriate to their job. This provides security as only users that are assigned certain roles are allowed to perform certain tasks and to access certain data. Administrators can create roles and users as needed.

Note: All job roles must be suffixed with "_Job", for example, Supply_Chain_Application_Administrator_Job

Each Job Role has Duty Roles associated with it, and each Duty Role has Privileges associated with it. Access to functionality is determined by the Duty Role and Privilege. For example:

Job Role: Inventory Control Manager
Duty Role: Manage Product Lot for Pedigree and Serialization Duty
Privileges:
  • Create Product Lot for Pedigree and Serialization
  • Delete Product Lot for Pedigree and Serialization
  • Edit Product Lot for Pedigree and Serialization

Job Role: Product Data Steward
Duty Role: Manage Product for Pedigree and Serialization Duty
Privileges:
  • Create Product for Pedigree and Serialization
  • Delete Product for Pedigree and Serialization
  • Edit Product for Pedigree and Serialization
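The Job Role to Duty Role to Privilege chain described in the two sections above can be checked mechanically. The following Python script is an added example, not OPSM's code: the duty and privilege names are the ones from the table, while the job role codes (built to satisfy the "_Job" suffix rule from the note) and the user-to-job assignments are constructed. It resolves a user's effective privileges only through job and duty roles, so a privilege can never be attached to a user directly, reports undefined job or duty names instead of silently granting nothing, and audits job role codes for the required suffix.

```python
"""Job role -> duty role -> privilege resolution, following the chapter's example.

Added example, not OPSM's code. Duty and privilege names come from the table;
job role codes and user assignments are constructed.
"""

JOB_SUFFIX = "_Job"  # required suffix for every job role code (chapter note)

# Job role code -> duty roles it is composed of (codes constructed, duties from the table)
JOB_DUTIES = {
    "Inventory_Control_Manager_Job": {
        "Manage Product Lot for Pedigree and Serialization Duty",
    },
    "Product_Data_Steward_Job": {
        "Manage Product for Pedigree and Serialization Duty",
    },
}

# Duty role -> privileges it grants (from the table)
DUTY_PRIVILEGES = {
    "Manage Product Lot for Pedigree and Serialization Duty": {
        "Create Product Lot for Pedigree and Serialization",
        "Delete Product Lot for Pedigree and Serialization",
        "Edit Product Lot for Pedigree and Serialization",
    },
    "Manage Product for Pedigree and Serialization Duty": {
        "Create Product for Pedigree and Serialization",
        "Delete Product for Pedigree and Serialization",
        "Edit Product for Pedigree and Serialization",
    },
}

# Constructed user assignments. Users hold job roles only; privileges are
# never attached to a user directly, which is the model the chapter describes.
USER_JOBS = {
    "inv_manager": {"Inventory_Control_Manager_Job"},
    "data_steward": {"Product_Data_Steward_Job"},
    "both": {"Inventory_Control_Manager_Job", "Product_Data_Steward_Job"},
}


def nonconforming_job_codes(codes):
    """Return the job role codes that violate the required "_Job" suffix."""
    return sorted(c for c in codes if not c.endswith(JOB_SUFFIX))


def effective_privileges(job_codes):
    """Resolve job roles through their duties to the set of privileges.

    Returns (privileges, unresolved); unresolved holds any job or duty name
    that is not defined, so a broken role definition is surfaced rather than
    silently yielding an empty privilege set.
    """
    privileges, unresolved = set(), set()
    for job in job_codes:
        if job not in JOB_DUTIES:
            unresolved.add(job)
            continue
        for duty in JOB_DUTIES[job]:
            if duty not in DUTY_PRIVILEGES:
                unresolved.add(duty)
                continue
            privileges |= DUTY_PRIVILEGES[duty]
    return privileges, unresolved


def is_authorized(user, privilege):
    """True only if one of the user's job roles carries the privilege via a duty."""
    privs, _ = effective_privileges(USER_JOBS.get(user, set()))
    return privilege in privs


if __name__ == "__main__":
    for user in USER_JOBS:
        privs, missing = effective_privileges(USER_JOBS[user])
        print(user, sorted(privs), "unresolved:", sorted(missing))
    print("bad codes:", nonconforming_job_codes(list(JOB_DUTIES) + ["Product_Data_Steward"]))
```

The same structure extends to the full seeded role set: load the job and duty definitions from the deployment's role export into the two dictionaries and the unresolved set immediately shows duties referenced by a job but never defined.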

Summary of Seeded Roles

The following roles are seeded in Oracle Pedigree and Serialization Manager (OPSM):

Note: Administrators can view the job role code when they create users in LDAP.