Oracle® Retail Process Orchestration and Monitoring Security Guide Release 19.1 F34939-02
Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to run a batch job?).
As of version 19.0.001, Process Orchestration and Monitoring (POM) Cloud Service Suite uses Oracle Identity Cloud Service (IDCS) as its identity provider (IDP).
When a user connects to the POM User Interface, the request is redirected to the IDCS login screen. IDCS authenticates the user. When a user logs out of POM, the IDCS logout is invoked to disable session authentication.
IDCS is Oracle's cloud-native security and identity platform. It provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. IDCS enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS with other on-premises applications to extend the scope of this SSO.
IDCS is available in two tiers: Foundation and Standard.
Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.
Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.
Details of the specific features available in each tier and the IDCS Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Process Orchestration and Monitoring Cloud Service Suite only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.
When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS instance.
Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.
The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators through IDCS. A key feature of IDCS is that basic user maintenance can be further delegated through identity self-service.
When application users are created in IDCS, they must be associated with an appropriate Oracle Retail Enterprise Role to access Process Orchestration and Monitoring Cloud Service. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.
Note: The IDCS username is passed to Process Orchestration and Monitoring (POM) as the application user ID. It is persisted in the database as part of the basic POM transaction audit trail. If the corporate email address is used as the IDCS username, that email address is persisted to the POM database. To fully inform POM users that their corporate email address will be saved, we recommend that the retailer implement the IDCS Terms of Use functionality. The IDCS Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. This feature allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for POM auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.
The Process Orchestration and Monitoring (POM) application features a classic ADF User Interface (UI).
Note: As of POM 19.1.002, the classic ADF UI is deprecated and replaced with the all-new JET (Java Extension Toolkit) based UI.
While IDCS has some authorization features, Process Orchestration and Monitoring Cloud Service, as an ADF application, manages functional access security using Fusion Middleware's security model. Fusion security supports a role-based, declarative model that employs container-managed security where resources are protected by roles that are assigned to users. Duties and privileges provide a further level of control.
Users are associated with Enterprise Roles in IDCS. Enterprise Roles are mapped to Duties and Privileges. Default mappings of Enterprise Roles to Duties and Privileges are provided as part of Process Orchestration and Monitoring Cloud Service provisioning.
For the Process Orchestration and Monitoring (POM) classic ADF UI, all the native ADF security features are used.
ADF Security provides the following core benefits:
Declarative, permission-based protection for ADF security-aware resources, such as ADF bounded task flows, top-level web pages that use ADF bindings, and attributes defined by ADF entity objects and their attributes.
Dynamic user authentication. When you use ADF Security, the application will dynamically prompt the user to log in if the user is not yet authenticated and tries to access a page that is not granted to the anonymous-role role. In the application's web.xml file, a security constraint is applied to the ADF authentication servlet so that login is triggered through the Java EE web container before any secured resources can be accessed. After the user successfully logs in, the ADF authentication servlet runs to verify whether the authenticated user has view access to the requested page.
Permission checking within the web page. At runtime, the security policy you define for ADF resources is enforced using standard JAAS permission authorization to determine the user's access rights. If your application requires it, you can use Expression Language (EL) to perform runtime permission checks within the web page to hide components that should not be visible to the user.
Simplifies securing of applications by providing an abstraction layer between the application and various security providers. Calls from the application to the security layer can be made through standards-based APIs, so developers do not have to deal with implementation details of the security providers.
Refer to Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server: https://docs.oracle.com/middleware/1212/wls/SCOVR/toc.htm
As mentioned earlier, the Process Orchestration and Monitoring (POM) application features a classic ADF User Interface (UI) that is being deprecated as of POM 19.1.002. It is replaced with a JET-based UI.
Oracle POM security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:
Authentication - POM JET UI restricts access to users that have been authenticated by the configured security provider.
Authorization - POM JET UI uses enterprise roles to limit what features individual users can access.
Origin Control - POM JET UI implements the Cross-Origin Resource Sharing (CORS) protocol to allow only same origin.
Transport Security - POM JET UI and services communicate through REST calls. These communications need to be secured.
Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.
Route access through WTSS or equivalent. Make sure all service URLs are at a location exposed on WTSS; otherwise each endpoint will be independently authenticated.
The JET UI and services communicate through REST calls, which are secured using the JAX-RS security implementation.
For more information regarding securing RESTful Web Services, refer to https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF113
Roles are used to classify users based on job responsibilities and actions to be performed in the Oracle Retail Process Orchestration and Monitoring application (POM). Using roles, a user's access can be restricted to specific areas or functions within the application. In POM, users must be associated with at least one job role in order to access the application.
The following topics are covered in this chapter:
Roles
Functional Access by Role
POM comes with a set of pre-defined roles described in the table below. In addition to the roles, the table contains an alias for each role, which is used in the next section for easier reading.
Note: The first three roles have thus far been associated with POM's classic user interface and are being deprecated along with the classic user interface itself. Customers need to migrate to the other four roles before those classic roles are removed. These roles have been given similar access in the new user interface as the access they had in the classic user interface.
Table 5-1 Roles
Role | Alias | Description |
---|---|---|
BATCH_MONITORING_JOB | Monitor | One of the classic user interface roles. Users within this role are typically retailer administrators responsible for monitoring and executing batch. They can perform select activities on the Batch Monitor screen to move the schedule along. |
BATCH_BUSINESS_JOB | Business User | Another one of the classic user interface roles. Users within this role are typically retailer business users responsible for just monitoring batch and configuring POM to enable callbacks into the Company's systems. |
BATCH_ADMINISTRATOR_JOB | Administrator | Another one of the classic user interface roles. Users within this role are typically Oracle AMS administrators who monitor, maintain and configure the batch schedules. They also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with other Oracle development and support personnel to address those issues. Finally they apply POM and batch schedule patches and upgrades. In the new POM user interface, they have additionally been given access to the new AMS Utilities screen. |
BATCH_VIEWER_JOB | Viewer | Users within this role are retailer business users responsible for just monitoring batch. They have view access to all POM screens except AMS Utilities. |
BATCH_SCHEDULE_CONFIGURATION_MANAGER_JOB | Schedule Config Mgr | Users within this role are typically retailer administrators responsible for just monitoring batch and configuring external dependencies and callbacks into the Company's systems. They have view access to all POM screens except AMS Utilities. |
BATCH_SCHEDULE_ADMINISTRATOR_JOB | Schedule Admin | Users within this role are typically retailer administrators responsible for maintaining, monitoring and executing batch. They have view access to all POM screens except AMS Utilities. They can perform select activities on the Batch Monitor screen to move the schedule along. They also have update access to the Batch Administration screen. |
BATCH_ORACLE_AMS_ADMINISTRATOR_JOB | AMS Admin | Users within this role are typically Oracle AMS administrators who monitor, maintain and configure the batch schedules. They also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with other Oracle development and support personnel to address those issues. Finally they apply POM and batch schedule patches and upgrades. |
This section lists all roles that have update access for each functional aspect of every screen. It is organized by screen, except for the first two tables.
Table 5-2 External Integration
Feature | Roles (aliases) with access |
---|---|
Invoking batch execution from an external system; Requesting the status of a batch execution; Releasing dependency on an external process | Monitor, Schedule Admin, Administrator, AMS Admin |
Table 5-3 POM Task Menu
Feature | Roles (aliases) with access |
---|---|
Show Batch Monitoring task | Monitor, Business User, Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show System Configuration task | Business User, Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show Batch Administration task | Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show Scheduler Administration task | Administrator, Monitor, Schedule Admin, AMS Admin |
Show Schedule Maintenance task | Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show AMS Utilities task | AMS Admin |
Table 5-4 Screen: Batch Monitoring
Feature | Roles (aliases) with update access |
---|---|
Buttons for Create Schedule, Close Schedule and Restart Schedule | Monitor, Schedule Admin, Administrator, AMS Admin |
Jobs table on Batch Monitoring screen - Buttons for Run, Rerun, Hold, Release, Skip, Release Skip, and action for Add Comments | Monitor, Schedule Admin, Administrator, AMS Admin |
Jobs table Actions menu on Batch Monitoring screen - Edit Parameters (for selected job) | Monitor, Schedule Admin, Administrator, AMS Admin |
Job Details screen - Enable/Disable External Dependencies | Monitor, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Job Details screen - Retry Schedule Link button | Monitor, Administrator, AMS Admin |
Job Details screen - Retry Callback button | Monitor, Administrator, AMS Admin |
Execution Engine admin dialog Configuration | Administrator, AMS Admin |
Execution engine admin dialog start, stop, and force shutdown buttons | Monitor, Administrator, AMS Admin |
Download Job Log | All authenticated users |
Download Cycle Summary | All authenticated users |
Scheduler Tasks Monitoring and actions | Monitor, Administrator, Schedule Admin, AMS Admin |
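An added example, not part of Oracle's guide: the sketch below transcribes Table 5-4 into a feature-to-role matrix and compares the update access of a deprecated classic role with that of a new role, the comparison to make before migrating users off the classic roles. It covers the Batch Monitoring screen only, and the function names are hypothetical.

```python
# Added example: aliases and rows transcribed from Tables 5-1 and 5-4.
# Helper names are hypothetical. "All authenticated users" rows are omitted.
NEW_ROLES = {"Viewer", "Schedule Config Mgr", "Schedule Admin", "AMS Admin"}

OPS = {"Monitor", "Schedule Admin", "Administrator", "AMS Admin"}
RETRY = {"Monitor", "Administrator", "AMS Admin"}

# Feature -> role aliases with update access on the Batch Monitoring screen.
BATCH_MONITORING = {
    "Create/Close/Restart Schedule": OPS,
    "Jobs table: Run/Rerun/Hold/Release/Skip/Release Skip/Add Comments": OPS,
    "Jobs table: Edit Parameters": OPS,
    "Job Details: Enable/Disable External Dependencies": OPS | {"Schedule Config Mgr"},
    "Job Details: Retry Schedule Link": RETRY,
    "Job Details: Retry Callback": RETRY,
    "Execution Engine dialog: Configuration": {"Administrator", "AMS Admin"},
    "Execution Engine dialog: start/stop/force shutdown": RETRY,
    "Scheduler Tasks: monitoring and actions": OPS,
}


def grants(role, matrix=BATCH_MONITORING):
    """Features the given role alias can update."""
    return {feature for feature, roles in matrix.items() if role in roles}


def migration_delta(classic, new):
    """(lost, gained) update features when moving a user from classic to new."""
    before, after = grants(classic), grants(new)
    return sorted(before - after), sorted(after - before)


def smallest_covering_role(classic):
    """New role with the fewest grants that still covers the classic role's."""
    needed = grants(classic)
    covering = [r for r in NEW_ROLES if needed <= grants(r)]
    return min(covering, key=lambda r: (len(grants(r)), r), default=None)


if __name__ == "__main__":
    for classic in ("Monitor", "Business User", "Administrator"):
        target = smallest_covering_role(classic)
        lost, gained = migration_delta(classic, target)
        print(f"{classic} -> {target}: lost={lost} gained={gained}")
```

On this screen, moving a Monitor user to Schedule Admin drops the two retry actions and the execution engine start/stop buttons, while AMS Admin keeps them and adds Execution Engine configuration.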
Table 5-5 Screen: System Configuration
Feature | Roles (aliases) with update access |
---|---|
System tab - Update actions | Administrator, AMS Admin |
Schedule tab - Update actions for general & environment settings | Administrator, AMS Admin |
Schedule tab - Job admin system options dialog | Administrator, AMS Admin |
Schedule tab - Update actions for MDF configuration | Administrator, AMS Admin |
Schedule tab - Update actions for job admin throttling configuration | Administrator, AMS Admin |
System tab - Update actions for external configurations | Business User, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Global Edit - Settings updates | Administrator, AMS Admin |
Global Edit - External Configuration updates | Business User, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Table 5-6 Screen: Batch Administration
Feature | Roles (aliases) with update access |
---|---|
Export Config and Import Config buttons | Administrator, Schedule Admin, AMS Admin |
Enable/disable switch on each of the Recurring Flows and Jobs within each Flow | Administrator, Schedule Admin, AMS Admin |
Jobs table on main UI - Edit and Enable/Disable actions | Administrator, Schedule Admin, AMS Admin |
Batch Job Details - Enable/Disable Dependencies | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete Inter-Schedule Dependencies | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete Schedule links | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete External Dependencies | Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Table 5-7 Screen: Scheduler Administration
Feature | Roles (aliases) with update access |
---|---|
All Functions on the Scheduler Administration screen | Monitor, Administrator, Schedule Admin, AMS Admin |