Oracle® Retail Allocation Operations Guide
Release 14.1
E57847-01

11 Implementing Functional Security

This chapter discusses Allocation functional security and the components used to implement it. Allocation functional security is based on Oracle Platform Security Services (OPSS). For more details on OPSS, refer to the Oracle Fusion Middleware Application Security Guide.

Introduction to Retail Roles

Users are not assigned to permissions directly; rather access is assigned to roles. Roles group particular permissions required to accomplish a task; instead of assigning individual permissions, roles match users with the permissions required to complete their particular task.

There are two main types of roles, enterprise and application.

The Identity Store contains enterprise roles that are available across applications; these are created as groups in LDAP. Application roles are stored in the application-specific policy store; these roles and their role mappings are described in the jazn-data.xml file under the policy stripe 'ALC_PORTAL'. Security in the applicable Oracle Retail applications provides four types of roles: abstract, job, duty, and privilege. Job and abstract roles are recorded as enterprise roles; duty and privilege roles are recorded as application roles.

Security Policy Stripe

Application roles are stored in the application-specific policy store. These roles and role mappings are described in the jazn-data.xml file under the application's policy stripe. This guide gives the stripe name as 'ALC_CORE' here and as 'ALC_PORTAL' in the role introduction and in the Fusion Middleware Control procedure later in this chapter; confirm the name actually deployed in the <application><name> element of jazn-data.xml (it is also the value offered under Select Application Stripe to Search in Fusion Middleware Control) before editing any policy, because roles and grants added under a different stripe do not apply to the application.

Abstract Roles

Abstract roles are associated with a user irrespective of their job or job function; they are not tied to any particular job or duty. These roles are normally assigned by the system (based on user attributes), but can be provisioned to a user on request.

Naming Convention: All the Retail Abstract role names end with '_ABSTRACT'.

Example: APPLICATION_ADMIN_ABSTRACT

Job Roles

Job roles are associated with the job of an employee. An employee with this job can have many job functions or job duties.


Note:

These roles are called Job roles as the role names closely map to the jobs commonly found in most organizations.

Naming Convention: All the Retail Job role names end with '_JOB'.

Example: ALLOCATOR_JOB.

Duty Roles

Job duties are the tasks one must do on a job; a person is hired into a job role, and the duties are the responsibilities that come with it. Duty roles are roles associated with a specific duty or a logical grouping of tasks. Generally, the list of duties for a job is a good indicator of what duty roles should be defined. Duty roles should:

  • Read like a job description at a job posting site

  • Be self-contained and pluggable into any existing or new job or abstract role

Naming Convention: All the Retail Duty role names end with '_DUTY'.

Example: ALC_ALLOC_POLICY_MAINTENANCE_MANAGEMENT_DUTY

Privilege Roles

A privilege is a logical collection of permissions. A privilege can be associated with any number of UI components. Privileges are expressed as application roles.

Naming Convention: All the Retail Privilege role names end with '_PRIV'.

Example: ALC_ALLOC_SEARCH_PRIV

Privilege roles carry the security grants. In the following grant from jazn-data.xml, the ALC_ALLOC_SEARCH_PRIV application role is granted the view action on the Allocation Summary bounded task flow through an ADF TaskFlowPermission. ADF Controller checks this permission whenever the task flow is entered, so only principals that hold the privilege, directly or through a duty or job role, can open it.

Example:

<grant>
  <grantee>
    <principals>
      <principal>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <name>ALC_ALLOC_SEARCH_PRIV</name>
      </principal>
    </principals>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.adf.controller.security.TaskFlowPermission</class>
      <name>/oracle/retail/apps/alc/allocsummary/publicUi/flow/AllocationSummaryFlow.xml#AllocationSummaryFlow</name>
      <actions>view</actions>
    </permission>
  </permissions>
</grant>

Retail Role Hierarchy

Retail role hierarchies are structured to reflect the retail business process model.

Figure 11-1 Retail Role Hierarchy


Job roles inherit duty roles. For example, the Allocator job role inherits the ALC_ALLOC_SYSTEM_OPTIONS_INQUIRY_DUTY role. Note the direction in which jazn-data.xml records this: the enterprise role ALLOCATOR_JOB is listed as a member of the duty's app-role, so every user in that LDAP group holds the duty and, through it, every privilege granted to the duty.

<app-role>
  <name>ALC_ALLOC_SYSTEM_OPTIONS_INQUIRY_DUTY</name>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
  <members>
    <member>
      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
      <name>ALLOCATOR_JOB</name>
    </member>
  </members>
</app-role>

Duty roles inherit Privilege roles. Duty roles can also inherit one or more other Duty roles.

Example: ALC_ALLOC_SIZE_PROFILE_MANAGEMENT_DUTY inherits the ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY role.

<app-role>
  <name>ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY</name>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
  <members>
    <member>
      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
      <name>BUYER_JOB</name>
    </member>
    <member>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>ALC_ALLOC_SIZE_PROFILE_MANAGEMENT_DUTY</name>
    </member>
  </members>
</app-role>

Example: ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY inherits the ALC_ALLOC_SIZE_PROFILE_VIEW_PRIV role.

<app-role>
  <name>ALC_ALLOC_SIZE_PROFILE_VIEW_PRIV</name>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
  <members>
    <member>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY</name>
    </member>
  </members>
</app-role>

Default Security Reference Implementation

Oracle Retail Allocation ships with a default security reference implementation. The source of truth for default reference implementation is jazn-data.xml.

Privileges

Table 11-1 Allocation Privileges

Name Description
Search Allocations Priv A privilege for searching for allocations.
Maintain Allocation Priv A privilege for creating and editing an allocation.
Delete Allocation Priv A privilege for deleting an allocation.
View Allocation Priv A privilege for viewing an allocation.
Submit Allocation Priv A privilege for submitting an allocation for approval.
Review Allocation Priv A privilege for approving or reviewing an allocation.
Search Allocation Location Groups Priv A privilege for searching for allocation location groups.
Maintain Allocation Location Group Priv A privilege for creating and editing an allocation location group.
Delete Allocation Location Group Priv A privilege for deleting an allocation location group.
View Allocation Location Group Priv A privilege for viewing an allocation location group.
Search Allocation Policy Templates Priv A privilege for searching for allocation policy templates.
Maintain Allocation Policy Template Priv A privilege for creating and editing a policy template.
Delete Allocation Policy Template Priv A privilege for deleting a policy template.
View Allocation Policy Template Priv A privilege for viewing a policy template.
Search Size Profiles Priv A privilege for searching for size profiles.
Maintain Size Profile Priv A privilege for creating and editing a size profile.
Delete Size Profile Priv A privilege for deleting a size profile.
View Size Profile Priv A privilege for viewing a size profile.
Maintain System Options System Properties Priv A privilege for editing the system properties for system options.
Maintain System Options User Group Properties Priv A privilege for editing the user group properties for system options.
View System Options Priv A privilege for viewing system options.

Duties

Table 11-2 Allocation Duties

Duty Description List of Privileges

Allocation Management Duty A duty for managing allocations. This duty is an extension of the Allocation Inquiry Duty.
  • All privileges found in the Allocation Inquiry Duty

  • Maintain Allocation Privilege

  • Delete Allocation Privilege

Allocation Inquiry Duty A duty for viewing allocations.
  • View Allocation Privilege

  • Search Allocations Privilege

Allocation Submit Duty A duty for submitting an allocation for approval.
  • Submit Allocation Privilege

Allocation Review Duty A duty for approving or rejecting an allocation.
  • Review Allocation Privilege

Allocation Location Groups Management Duty A duty for managing allocation location groups. This duty is an extension of the Allocation Location Groups Inquiry Duty and the Allocation Location Groups Search Duty.
  • All privileges found in the Allocation Location Groups Inquiry Duty and the Allocation Location Groups Search Duty

  • Maintain Allocation Location Group Privilege

  • Delete Allocation Location Group Privilege

Allocation Location Groups Inquiry Duty A duty for viewing allocation location groups.
  • View Allocation Location Group Privilege

Allocation Location Groups Search Duty A duty for searching allocation location groups.
  • Search Allocation Location Groups Privilege

Allocation Policy Template Management Duty A duty for managing allocation policy templates. This duty is an extension of the Allocation Policy Template Inquiry Duty and the Allocation Policy Template Search Duty.
  • All privileges found in the Allocation Policy Template Inquiry Duty and the Allocation Policy Template Search Duty

  • Maintain Allocation Policy Template Privilege

  • Delete Allocation Policy Template Privilege

Allocation Policy Template Inquiry Duty A duty for viewing allocation policy templates.
  • View Allocation Policy Template Privilege

Allocation Policy Template Search Duty A duty for searching allocation policy templates.
  • Search Allocation Policy Templates Privilege

Size Profile Management Duty A duty for managing size profiles. This duty is an extension of the Size Profile Inquiry Duty.
  • All privileges found in the Size Profile Inquiry Duty

  • Maintain Size Profile Privilege

  • Delete Size Profile Privilege

Size Profile Inquiry Duty A duty for viewing size profiles.
  • View Size Profile Privilege

  • Search Size Profiles Privilege

System Options System Properties Management Duty A duty for managing the system properties in system options. This duty is an extension of the System Options Inquiry Duty.
  • All privileges found in the System Options Inquiry Duty

  • Maintain System Options System Properties Privilege

System Options User Group Properties Management Duty A duty for managing the user group properties in system options. This duty is an extension of the System Options Inquiry Duty.
  • All privileges found in the System Options Inquiry Duty

  • Maintain System Options User Group Properties Privilege

System Options Inquiry Duty A duty for viewing system options.
  • View System Options Privilege

Administrator Duty A duty for performing WebCenter Portal administrative tasks.
  • N/A

Edit Current Page Duty This duty provides personalization capability on pages. By default, this feature is disabled for all users, but a system administrator can grant this role to any of the enterprise roles at run time as needed.
  • N/A



Role Mapping

Table 11-3 Allocation Role Mappings

Role Duty Privileges

Administrator
  Duties:
  • Allocation Management Duty
  • Allocation Submit Duty
  • Allocation Review Duty
  • Allocation Location Groups Management Duty
  • Allocation Policy Template Management Duty
  • Size Profile Management Duty
  • System Options System Properties Management Duty
  • System Options User Group Properties Management Duty
  Privileges:
  • Search Allocations Privilege
  • Maintain Allocation Privilege
  • Delete Allocation Privilege
  • Submit Allocation Privilege
  • Review Allocation Privilege
  • View Allocation Privilege
  • View Allocation Location Group Privilege
  • Search Allocation Location Groups Privilege
  • View Allocation Policy Template Privilege
  • Search Allocation Policy Templates Privilege
  • View Size Profile Privilege
  • Search Size Profiles Privilege
  • View System Options Privilege
  • Maintain System Options User Group Properties Privilege
  • Maintain System Options System Properties Privilege

Allocation Manager
  Duties:
  • Allocation Management Duty
  • Allocation Submit Duty
  • Allocation Review Duty
  • Allocation Location Groups Management Duty
  • Allocation Policy Template Management Duty
  • Size Profile Management Duty
  • System Options User Group Properties Management Duty
  Privileges:
  • Search Allocations Privilege
  • Maintain Allocation Privilege
  • Delete Allocation Privilege
  • Submit Allocation Privilege
  • Review Allocation Privilege
  • View Allocation Privilege
  • View Allocation Location Group Privilege
  • Search Allocation Location Groups Privilege
  • View Allocation Policy Template Privilege
  • Search Allocation Policy Templates Privilege
  • View Size Profile Privilege
  • Search Size Profiles Privilege
  • View System Options Privilege
  • Maintain System Options User Group Properties Privilege

Allocator
  Duties:
  • Allocation Management Duty
  • Allocation Submit Duty
  • Allocation Review Duty
  • Allocation Location Groups Inquiry Duty
  • Allocation Location Groups Search Duty
  • Allocation Policy Template Inquiry Duty
  • Allocation Policy Template Search Duty
  • Size Profile Management Duty
  • System Options Inquiry Duty
  Privileges:
  • Search Allocations Privilege
  • Maintain Allocation Privilege
  • Delete Allocation Privilege
  • Submit Allocation Privilege
  • Review Allocation Privilege
  • View Allocation Privilege
  • View Allocation Location Group Privilege
  • Search Allocation Location Groups Privilege
  • View Allocation Policy Template Privilege
  • Search Allocation Policy Templates Privilege
  • View Size Profile Privilege
  • Search Size Profiles Privilege
  • View System Options Privilege

Buyer
  Duties:
  • Allocation Inquiry Duty
  • Allocation Policy Template Inquiry Duty
  • Allocation Location Groups Inquiry Duty
  Privileges:
  • View Allocation Privilege
  • Search Allocations Privilege
  • View Allocation Location Group Privilege
  • View Allocation Policy Template Privilege

Application Administrator
  Duties:
  • Administrator Duty
  Privileges:
  • N/A



Extend the Default Security Reference Implementation


Note:

Make sure that the policy store is loaded with the default security configuration. For more information, see the Post Installation steps in the Oracle Retail Allocation Installation Guide.

The common decisions made to match your enterprise to the default security reference implementation include the following:

  • Do the default job roles match the equivalent job roles in your enterprise?

  • Do the jobs in your enterprise exist in the security reference implementation?

  • Do the duties performed by the jobs in your enterprise match the duties in the security reference implementation?

Figure 11-2 Role Hierarchy Decision Flow



Important:

It is important when constructing a role hierarchy that circular dependencies are not introduced. Best practice is to leave the default security configuration in place and first incorporate your customized application roles in a test environment.
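The membership direction shown in the app-role examples earlier in this chapter (a job or duty is recorded as a member of the role it inherits) and the warning above about circular dependencies can both be checked offline before a change is made in the policy store. The following Python script is an added example, not part of this guide or of the Allocation product. It parses a jazn-data.xml fragment, computes the application roles and permissions a job effectively holds, and tests whether a proposed membership would create a cycle. The fixture is constructed for the example: the role names, memberships and the grant follow this chapter, but the identifier ALC_ALLOC_INQUIRY_DUTY is assumed from the naming convention, since the guide names that duty only in prose.

```python
"""Offline checks over an OPSS jazn-data.xml stripe: the application roles a job
(enterprise role) effectively holds, the permissions that yields, and whether a
proposed membership would introduce a cycle in the role hierarchy."""
import xml.etree.ElementTree as ET
from collections import defaultdict

AR = "oracle.security.jps.service.policystore.ApplicationRole"
ER = "oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl"
TF = "oracle.adf.controller.security.TaskFlowPermission"
FLOW = "/oracle/retail/apps/alc/allocsummary/publicUi/flow/AllocationSummaryFlow.xml#AllocationSummaryFlow"

# Constructed fixture in jazn-data.xml layout (not the shipped file). Role names,
# memberships and the grant follow the chapter; the identifier ALC_ALLOC_INQUIRY_DUTY
# is assumed from the naming convention, since the guide names that duty only in prose.
JAZN_DATA = f"""<jazn-data><policy-store><applications><application><name>ALC_PORTAL</name>
<app-roles>
 <app-role><name>ALC_ALLOC_INQUIRY_DUTY</name><class>{AR}</class><members>
  <member><class>{ER}</class><name>BUYER_JOB</name></member>
  <member><class>{AR}</class><name>ALC_ALLOC_MANAGEMENT_DUTY</name></member></members></app-role>
 <app-role><name>ALC_ALLOC_MANAGEMENT_DUTY</name><class>{AR}</class><members>
  <member><class>{ER}</class><name>ALLOCATOR_JOB</name></member></members></app-role>
 <app-role><name>ALC_ALLOC_SEARCH_PRIV</name><class>{AR}</class><members>
  <member><class>{AR}</class><name>ALC_ALLOC_INQUIRY_DUTY</name></member></members></app-role>
 <app-role><name>ALC_ALLOC_SIZE_PROFILE_MANAGEMENT_DUTY</name><class>{AR}</class><members>
  <member><class>{ER}</class><name>ALLOCATOR_JOB</name></member></members></app-role>
 <app-role><name>ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY</name><class>{AR}</class><members>
  <member><class>{ER}</class><name>BUYER_JOB</name></member>
  <member><class>{AR}</class><name>ALC_ALLOC_SIZE_PROFILE_MANAGEMENT_DUTY</name></member></members></app-role>
 <app-role><name>ALC_ALLOC_SIZE_PROFILE_VIEW_PRIV</name><class>{AR}</class><members>
  <member><class>{AR}</class><name>ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY</name></member></members></app-role>
</app-roles>
<jazn-policy><grant>
 <grantee><principals><principal><class>{AR}</class><name>ALC_ALLOC_SEARCH_PRIV</name></principal></principals></grantee>
 <permissions><permission><class>{TF}</class><name>{FLOW}</name><actions>view</actions></permission></permissions>
</grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""


def parse_hierarchy(xml_text):
    """Map each member (LDAP group or app role) to the app roles it is a member of.
    'Job inherits duty' is stored as the job being a <member> of the duty's
    <app-role>, so edges run from the member to the role it confers."""
    edges = defaultdict(set)
    for role in ET.fromstring(xml_text).iter("app-role"):
        for m in role.findall("./members/member"):
            edges[m.findtext("name")].add(role.findtext("name"))
    return edges


def parse_grants(xml_text):
    """Map each principal named in a <grant> to its (class, target, actions) permissions."""
    grants = defaultdict(set)
    for g in ET.fromstring(xml_text).iter("grant"):
        names = [p.findtext("name") for p in g.findall("./grantee/principals/principal")]
        for perm in g.findall("./permissions/permission"):
            entry = (perm.findtext("class"), perm.findtext("name"), perm.findtext("actions"))
            for n in names:
                grants[n].add(entry)
    return grants


def effective_roles(edges, principal):
    """Transitive closure of memberships: every app role `principal` ends up holding."""
    seen, todo = set(), [principal]
    while todo:
        for nxt in edges.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def effective_permissions(edges, grants, principal):
    """Direct grants to `principal` plus grants to every role it effectively holds."""
    perms = set(grants.get(principal, ()))
    for role in effective_roles(edges, principal):
        perms |= grants.get(role, set())
    return perms


def with_member(edges, role, member):
    """Copy of `edges` with `member` added to `role`: the edit Fusion Middleware Control
    makes when you use Add Group or Add Application Role on that role's Edit page."""
    new = defaultdict(set, {k: set(v) for k, v in edges.items()})
    new[member].add(role)
    return new


def find_cycle(edges):
    """Return one cycle as [a, b, ..., a], or None. Three-colour depth-first search."""
    colour, path = {}, []

    def visit(node):
        colour[node] = "grey"
        path.append(node)
        for nxt in sorted(edges.get(node, ())):
            if colour.get(nxt) == "grey":          # back edge: nxt is still on the path
                return path[path.index(nxt):] + [nxt]
            if nxt not in colour:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = "black"
        return None

    for node in sorted(edges):
        if node not in colour:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    edges, grants = parse_hierarchy(JAZN_DATA), parse_grants(JAZN_DATA)
    for job in ("ALLOCATOR_JOB", "BUYER_JOB"):
        print(job, sorted(effective_roles(edges, job)), sorted(effective_permissions(edges, grants, job)))
    # Making the inquiry duty a member of the management duty that already inherits it closes a loop.
    print("cycle:", find_cycle(with_member(edges, "ALC_ALLOC_SIZE_PROFILE_MANAGEMENT_DUTY",
                                           "ALC_ALLOC_SIZE_PROFILE_INQUIRY_DUTY")))
```

To run it against a real deployment, replace JAZN_DATA with the contents of the deployed jazn-data.xml (or an export of the stripe from the policy store) and check that the stripe name matches the one the application uses. find_cycle evaluates the proposed graph before the membership is added in Fusion Middleware Control, and effective_permissions gives a least-privilege review of exactly which task flows a job gains through each duty, which is the question the role-hierarchy decisions above are meant to answer.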

Access Oracle Enterprise Manager Fusion Middleware Control

Oracle Enterprise Manager Fusion Middleware Control is used to create and manage roles and role hierarchies. The following procedures require you to access Oracle Enterprise Manager Fusion Middleware Control:

  • "Add or Remove Members from an Application Role"

  • "Create a New Application Role"

  • "Create an Application Role from an Existing Role"


Note:

Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001. For more information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

Display the Security Menu in Fusion Middleware Control

Use the following procedure to display the security menu in Fusion Middleware Control.

  1. Log into Oracle Enterprise Manager Fusion Middleware Control by entering the URL in a Web browser.

    For example, http://hostname:7001/em.

    The Fusion Middleware Control login page displays.

    Figure 11-3 Logging in to Fusion Middleware Control


  2. Enter the Retail Fusion application's administrative user name and password and click Login.

    The password is the one supplied during the installation of the Retail Fusion application. If these values have been changed, then use the current administrative user name and password combination.

  3. From the target navigation pane, open the WebLogic Domain to display the application domain (for example: APPdomain). Display the Security menu by using one of the following methods:

    • Right-click the application domain and hover over Security in the popup menu to display a submenu.

      Figure 11-4 Displaying the Security Menu via Right-Clicking


    • From the content pane, select the application domain in the tree to open the domain's home page. Open the WebLogic Domain menu located below the domain's name and hover over Security to open the Security submenu.

      Figure 11-5 Displaying the Security Menu via the WebLogic Domain Menu


Manage Role Hierarchy

Members can be added to or deleted from an application role using Fusion Middleware Control. Be very careful when changing the permission grants and membership of the default application roles: a mistaken change can leave the system unusable.

Valid members of an application role are groups or other application roles. The process of becoming a member of an application role is called mapping; that is, being mapped to an application role is the same as becoming a member of it. Best practice is to map groups rather than individual users to application roles, for easier maintenance and so that access is removed when a user leaves the group.

Add or Remove Members from an Application Role

Use the following procedure to add or remove members from an application role.

  1. Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information about navigating to the Security menu, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, then select the policy stripe name (for example: ALC_PORTAL) from the list. Click the search icon next to Role Name.

    Figure 11-6 Application Roles Window


    The Retail Fusion Application's application roles are displayed. As an example, in the following figure the default application roles are shown.

    Figure 11-7 Viewing the Default Application Roles


  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page. In the following figure the 'ALC_ALLOC_MANAGEMENT_DUTY' role has been selected.

    Figure 11-8 Editing the Application Role


    You can add or delete members from the Edit Application Role page. Valid members are application roles and groups.

  4. Select from the following options:

    • To delete a member, select the member and click Delete.

    • To add a member, click the Add button that corresponds to the member type being added to open the window. From the window, select from Add Application Role, Add Group, and Add User.

      If adding a member, complete Search and select from the available list and click OK.

      For example, the following figure shows the Add Group window after the BUYER_JOB group has been selected.

      Figure 11-9 Adding a Group


The added member displays in the Members column corresponding to the application role modified in the Application Roles page.

Create Job Roles

There are two methods for creating new Job roles:

  • Create New – Refer to the Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) for creating new Enterprise Roles/Groups

  • Replace with Existing – Refer to the Manage Role Hierarchy section to replace the default Job role with existing Enterprise role/group using Fusion Middleware Control.

Create Duty Roles

There are two methods for creating new duty roles:

  • Create New – A new application (duty) role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

  • Copy Existing – A new application (duty) role is created by copying an existing application role. The copy contains the same members as the original, and is made a Grantee of the same application policy. You can modify the copy as needed to finish creating the new role.

Create a New Application Role

Use the following procedure to create a new application role.

  1. Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For more information, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, and then click the search icon next to Role Name.

    The Retail Fusion Application's application roles display.

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name – Enter the name of the application role.

    • (Optional) Display Name – Enter the display name for the application role.

    • (Optional) Description – Enter a description for the application role.

    In the Members section, map groups or application roles to the new application role by clicking Add Group or Add Application Role as appropriate. To search in the window that displays:

    1. Enter a name in Name field and click the blue button to search.

    2. Select from the results returned in the Available box.

    3. Click OK to return to the Create Application Role page.

    4. Repeat the steps until all members are added to the application role.

  4. Click OK to return to the Application Roles page.

    The application role just created displays in the table at the bottom of the page.

Create an Application Role from an Existing Role

Use the following procedure to copy an existing application role.

  1. Log into Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For more information, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, and then click the search icon next to Role Name.

    The Retail Fusion Application's application roles display.

  3. Select an application role from the list to enable the action buttons.

  4. Click Create Like to display the Create Application Role Like page.

    The Members section is completed with the same application roles and groups that are mapped to the original role.

  5. Complete the Role Name, Display Name, and Description fields.

    The following figure shows an application role based upon ALC_ALLOC_MANAGEMENT_DUTY after being named MyNewRole, as an example.

    Figure 11-10 Copying an Application Role


  6. Use Add and Delete to modify the members as appropriate and click OK.

    The just-created application role displays in the table at the bottom of the page.

Security in Retail Applications

Retail applications leverage the ADF security framework, which is based on Oracle Platform Security Services.

This section discusses the various assumptions around security for Retail Applications.

Displaying External Application Contents in Non-SSO Environments

Retail applications allow retailers to display content from external applications. This content is typically business intelligence reports from a third-party application that are configured to display within the Retail application's dashboard.

Some of this content might be secured, requiring users to log in before it can be accessed and displayed.

In non-SSO environments, logging out of the Retail application does not log you out of any secured external content you have configured access to: the external application's own session remains valid until it expires or is ended separately, so anyone who next uses the same browser can still reach that content. Therefore, it is highly recommended that customers only configure access to external content in SSO-enabled environments, where the application logout manages the logout from any other secured content that was previously accessed.