Go to primary content
Oracle® Retail Predictive Application Server and Applications Cloud Edition Security Guide
  Go To Table Of Contents


3 Client Tier Security

This chapter discusses security for the RPASCE Client.

Factors Affecting Security

The factors affecting security within the RPASCE Client are Authentication and Authorization.


It is a requirement that user names and passwords for RPASCE users must be created in an Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) instance. RPASCE Client uses perimeter authentication. The Oracle software product, Web Tier Security Service (WTSS), is used to field all HTTP requests. WTSS redirects the browser to an OCI IAM login page if a request lacks the OCI IAM session cookie.

Users authenticated by OCI IAM and assigned the authentication role for the RPASCE application will be granted access to the RPASCE application with a set of application permissions based upon the application roles granted them in OCI IAM

Users can be added through the OCI IAM Admin Console and can be added in bulk using a CSV file. For more information on using OCI IAM, see the Oracle Identity Cloud Service online help at https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm">>https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm.

User accounts within the application will be automatically created and deleted in response to changes in OCI IAM. User accounts will be automatically created in the RPASCE application when a new user logs in for the first time if an account does not exist. However, this is not recommended, as there are some administrative tasks required to fully set up a new user account.

To address this, the Online Administrative Tools (OAT) contain tasks to facilitate the addition of new users after they have been created in OCI IAM but prior to their first time logging into the system. Information about these tasks can be found in the Oracle Retail Predictive Application Server Cloud Edition Administration Guide.


Authorization refers to the selective provisioning of data and the functional access to different classes of users.

Authorization Within an RPASCE UI Application

No external configuration is available for this authorization. The authorization data is managed within the RPASCE application. To administer authorization, the customer must use the RPASCE Client UI.

Once a user has been granted both the application authentication role and the administrator role, that user can log into the system as an administrative user. The user can then create application user groups corresponding to roles assigned to users in OCI AIM and grant authorization to application functionality to those roles. When users then access the application, they will receive the rights appropriate to the roles to which they have been assigned in OCI AIM.

For more information on users, user groups, and granting privileges, see Compute Tier Security.

Authorization for Retail Home Metric Tiles

For each RPASCE solution, there is a Retail Home configuration file. This file defines the metadata for the Retail Home metric tiles, including the assignment of OCI IAM user groups to tiles.

The visible metric tiles in the Retail Home dashboard are the ones assigned to the user's groups.

Password Policies

The customer administrator user can define password complexity and rotation rules. All application user maintenance is performed by Customer Administrators via OCI IAM.

The following guidelines are useful.

  • Automatic lock out occurs after a certain number of failed login attempts.

  • Password expiration may be enabled.

  • The password reuse time can be set.

Browser Security

Update the browser when new versions are released; they often include new security features.

Check the browser for built-in safety features.

Setting Policy For Unattended PC Sessions

Others may try to access an unattended workstation while the user is still logged into the system. Users must never leave their workstation unattended while logged into the system because it makes the system accessible to others. Organizations must set a corporate policy for handling unattended PC sessions. Users must use the password-locked screen savers feature on all PCs.