Oracle® Retail Allocation Operations Guide
Release 16.0
E81309-01

13 Implementing Functional Security

This chapter discusses Allocation functional security and the components used to implement it. Allocation functional security is based on Oracle Platform Security Services (OPSS). For more details on OPSS, refer to the Oracle Fusion Middleware Application Security Guide.

Access Oracle Enterprise Manager Fusion Middleware Control

Oracle Enterprise Manager Fusion Middleware Control is used to create and manage roles and role hierarchies. The procedures in this chapter require you to access Oracle Enterprise Manager Fusion Middleware Control.


Note:

Launch Fusion Middleware Control by entering its URL into a Web browser. The URL includes the name of the host and the administration port number assigned during the installation. This URL takes the following form: http://hostname:port_number/em. The default port is 7001. For more information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

Displaying the Security Menu

Use the following procedure to display the security menu in Fusion Middleware Control.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control by entering the URL in a Web browser.

    For example, http://hostname:7001/em.

    The Fusion Middleware Control login page displays.

    Figure 13-1 Logging in to Fusion Middleware Control


  2. Enter the Retail Fusion application's administrative user name and password and click Login.

    The password is the one supplied during the installation of the Retail Fusion application. If these values have been changed, then use the current administrative user name and password combination.

  3. From the target navigation pane, open the WebLogic Domain to display the application domain (for example: APPdomain). Display the Security menu by using one of the following methods:

    • Right-click the application domain and hover over Security in the popup menu to display a submenu.

      Figure 13-2 Displaying the Security Menu via Right-Clicking


    • From the content pane, select the application domain in the tree to open the domain's home page. Open the WebLogic Domain menu located below the domain's name and hover over Security to open the Security submenu.

      Figure 13-3 Displaying the Security Menu via the WebLogic Domain Menu


Managing Role Hierarchy

Members can be added to or deleted from an application role using Fusion Middleware Control. Be very careful when changing the permission grants and membership for the default application roles. Changes could result in an unusable system.

Valid members of an application role are groups or other application roles. The process of becoming a member of an application role is called mapping; that is, a group or role that is mapped to an application role becomes a member of that application role. Best practice is to map groups instead of individual users to application roles for easier maintenance.

Adding or Removing Members from an Application Role

Use the following procedure to add or remove members from an application role.

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For information about navigating to the Security menu, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, then select the policy stripe name (for example: ALC_PORTAL) from the list. Click the search icon next to Role Name.

    Figure 13-4 Application Roles Window


    The Retail Fusion Application's application roles are displayed. As an example, in the following figure the default application roles are shown.

    Figure 13-5 Viewing the Default Application Roles


  3. Select the cell next to the application role name and click Edit to display the Edit Application Role page. In the following figure the 'ALC_ALLOC_MANAGEMENT_DUTY' role has been selected.

    Figure 13-6 Editing the Application Role


    You can add or delete members from the Edit Application Role page. Valid members are application roles and groups.

  4. Select from the following options:

    • To delete a member, select the member and click Delete.

    • To add a member, click the Add button that corresponds to the member type being added to open the window. From the window, select from Add Application Role, Add Group, and Add User.

      If adding a member, complete Search, select from the available list, and click OK.

      For example, the following figure shows the Add Group window after the BUYER_JOB group has been selected.

      Figure 13-7 Adding a Group


The added member displays in the Members column corresponding to the application role modified in the Application Roles page.
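
One way to audit the result of these mappings, as an added example that is not part of the Oracle guide: the script reads application-role membership from XML in the OPSS jazn-data.xml layout, lists users mapped directly to a role (contrary to the map-groups practice above), and resolves nested application roles to the groups and users that effectively hold each role. It assumes the policy store content is available as such an XML export; the sample document is constructed, and PLANNER_JOB and jdoe are hypothetical names.

```python
import xml.etree.ElementTree as ET

APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"
USER_CLASSES = {"weblogic.security.principal.WLSUserImpl"}
GROUP = "weblogic.security.principal.WLSGroupImpl"

# Constructed sample; only ALC_PORTAL, ALC_ALLOC_MANAGEMENT_DUTY, MyNewRole
# and BUYER_JOB come from the page. PLANNER_JOB and jdoe are hypothetical.
SAMPLE = f"""<jazn-data><policy-store><applications><application>
<name>ALC_PORTAL</name><app-roles>
 <app-role><name>ALC_ALLOC_MANAGEMENT_DUTY</name><members>
  <member><class>{GROUP}</class><name>BUYER_JOB</name></member>
  <member><class>{APP_ROLE}</class><name>MyNewRole</name></member>
 </members></app-role>
 <app-role><name>MyNewRole</name><members>
  <member><class>weblogic.security.principal.WLSUserImpl</class><name>jdoe</name></member>
  <member><class>{GROUP}</class><name>PLANNER_JOB</name></member>
 </members></app-role>
</app-roles></application></applications></policy-store></jazn-data>"""

def load_roles(xml_text, stripe):
    """Return {role: [(member_class, member_name), ...]} for one stripe."""
    for app in ET.fromstring(xml_text).iter("application"):
        if app.findtext("name") == stripe:
            return {r.findtext("name"): [(m.findtext("class"), m.findtext("name"))
                                         for m in r.iter("member")]
                    for r in app.iter("app-role")}
    raise KeyError(stripe)

def direct_users(roles):
    """(role, user) pairs where a user, not a group, is mapped to the role."""
    return sorted((role, name) for role, members in roles.items()
                  for cls, name in members if cls in USER_CLASSES)

def effective_members(roles, role, _seen=None):
    """Groups and users holding `role`, following nested application roles."""
    seen = _seen if _seen is not None else set()
    if role in seen:          # guard against a cyclic role hierarchy
        return set()
    seen.add(role)
    out = set()
    for cls, name in roles.get(role, []):
        out |= effective_members(roles, name, seen) if cls == APP_ROLE else {name}
    return out

if __name__ == "__main__":
    roles = load_roles(SAMPLE, "ALC_PORTAL")
    for role, user in direct_users(roles):
        print(f"user {user} is mapped directly to {role}")
    for role in sorted(roles):
        print(role, "->", sorted(effective_members(roles, role)))
```

Because MyNewRole is itself a member of ALC_ALLOC_MANAGEMENT_DUTY in the sample, the user mapped to MyNewRole also holds the duty role, which is the kind of inherited access a per-role view in the console does not show at a glance.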

Creating Job Roles

There are two methods for creating new Job roles:

  • Create New – Refer to the Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) for creating new Enterprise Roles/Groups

  • Replace with Existing – Refer to the "Managing Role Hierarchy" section to replace the default Job role with an existing Enterprise role/group using Fusion Middleware Control.

Creating Duty Roles

There are two methods for creating new duty roles:

  • Create New – A new application (duty) role is created. Members can be added at the same time or you can save the new role after naming it and add members later.

  • Copy Existing – A new application (duty) role is created by copying an existing application role. The copy contains the same members as the original, and is made a Grantee of the same application policy. You can modify the copy as needed to finish creating the new role.

Creating a New Application Role

Use the following procedure to create a new application role.

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For more information, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, and then click the search icon next to Role Name.

    The Retail Fusion Application's application roles display.

  3. Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

    In the General section:

    • Role Name – Enter the name of the application role.

    • (Optional) Display Name – Enter the display name for the application role.

    • (Optional) Description – Enter a description for the application role.

    In the Members section, select the groups or application roles to be mapped to the application role by selecting Add Application Role or Add Group accordingly. To search in the window that displays:

    1. Enter a name in the Name field and click the blue button to search.

    2. Select from the results returned in the Available box.

    3. Click OK to return to the Create Application Role page.

    4. Repeat the steps until all members are added to the application role.

  4. Click OK to return to the Application Roles page.

    The application role just created displays in the table at the bottom of the page.

Creating an Application Role from an Existing Role

Use the following procedure to copy an existing application role.

  1. Log in to Fusion Middleware Control, navigate to Security, then select Application Roles to display the Application Roles page.

    For more information, see "Access Oracle Enterprise Manager Fusion Middleware Control".

  2. Choose Select Application Stripe to Search, and then click the search icon next to Role Name.

    The Retail Fusion Application's application roles display.

  3. Select an application role from the list to enable the action buttons.

  4. Click Create Like to display the Create Application Role Like page.

    The Members section is completed with the same application roles and groups that are mapped to the original role.

  5. Complete the Role Name, Display Name, and Description fields.

    The following figure shows an application role based upon ALC_ALLOC_MANAGEMENT_DUTY after being named MyNewRole, as an example.

    Figure 13-8 Copying an Application Role


  6. Use Add and Delete to modify the members as appropriate and click OK.

    The just-created application role displays in the table at the bottom of the page.

Security in Retail Applications

Retail applications leverage ADF's security framework, which is based on Oracle Platform Security Services (OPSS).

This section discusses the various assumptions around security for Retail Applications.

Single Sign On (SSO) Setup for Retail Fusion Platform Applications

Retail Fusion Platform provides the following applications as enterprise archive (EAR) files to Retail applications. By default, these applications are installed as part of Retail applications.

  1. RetailAppsAdminConsole (RAAC)

  2. RetailAppsMobileSecurity

    1. RetailAppsMobileBasicAuth

    2. RetailAppsMobileAccessService

  3. RetailAppsRESTServices

In an SSO environment, follow the same SSO setup procedure for these applications as for Retail applications.

Displaying External Application Contents in Non-SSO Environments

Retail Applications allow retailers to display content from external applications. This content typically consists of business intelligence reports from a third-party application that are configured to display within the Retail Application's dashboard.

Some of this content might be secured, requiring users to log in before it can be accessed and displayed.

In non-SSO environments, when you log out of the Retail application, you may not be logged out of any secured content you have configured access to. Therefore, it is highly recommended that retailers only configure access to external content in SSO-enabled environments, where the application logout manages the logout from any other secured content that was previously accessed.