Oracle® Retail Merchandising Cloud Service Suite Security Guide – volume 1
Release 22.1.201.0
F55869-01

5 Merchandising Cloud Service Suite Authentication, Authorization and Data Filtering

Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to create a purchase order?). Data Filtering is not strictly part of the Merchandising Cloud Service Suite security model, but can be implemented to further reduce attack surface (John Smith is allowed to create a purchase order, but only for items in Department 1234).

Authentication and IDCS or OCI IAM

As of version 21.0.000, Merchandising Cloud Service Suite uses either Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP).

When a user connects to the Merchandising Cloud Service UI, Merchandising Cloud Service Suite redirects application URL requests to the IDCS or OCI IAM login screen. IDCS or OCI IAM authenticates the user. When a user logs out of the Merchandising Cloud Service, Merchandising invokes an IDCS or OCI IAM logout to disable session authentication.

IDCS and OCI IAM

IDCS and OCI IAM are Oracle's cloud native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. Both IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premises applications to extend the scope of this SSO.

Both IDCS and OCI IAM are available in two tiers: Foundation and Standard.

  • Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.

  • Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.

Details of the specific features available in each tier and the IDCS or OCI IAM Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Merchandising Cloud Service Suite only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.

IDCS, OCI IAM, and Oracle Retail Enterprise Roles

When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS or OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS or OCI IAM instance.

IDCS, OCI IAM, and Application Users

Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.

The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators via IDCS or OCI IAM. A key feature of IDCS or OCI IAM is that basic user maintenance can be further delegated via identity self-service.

When application users are created in IDCS or OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Merchandising Cloud Service Suite. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.


Note:

The IDCS or OCI IAM username is passed to Merchandising as the application user ID and is persisted in the database as part of the basic Merchandising transaction audit trail. If a corporate email address is used as the IDCS or OCI IAM username, that corporate email address is persisted to the Merchandising database. To fully inform Merchandising users that their corporate email address will be saved, we recommend that retailers implement the IDCS or OCI IAM Terms of Use functionality. The Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. It allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and to enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for Merchandising auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.

https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-terms-use.html


Authorization

While IDCS and OCI IAM have some authorization features, Merchandising Cloud Service Suite is an ADF application and manages this type of access (functional security) using Fusion Middleware's security model. Fusion security supports a role-based, declarative model that employs container-managed security, where resources are protected by roles that are assigned to users. Duties and privileges provide a further level of control.

Users are associated with Enterprise Roles in IDCS or OCI IAM. Enterprise Roles are mapped to Duties and Privileges. Default mappings of Enterprise Roles to Duties and Privileges are provided as part of Merchandise Cloud Service provisioning.

Roles

The default configuration includes a number of default roles. This document uses some sample roles for each application to describe the overall security model. For the full set of roles for each Oracle Retail Merchandising Cloud Service, see the Cloud Service specific Security Guides:

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Sample roles include, but are not limited to:

  • Application Administrator

  • Data Steward

  • Buyer

  • Inventory Analyst

  • Inventory Manager

  • Corporate Inventory Control Analyst

  • Pricing Analyst

  • Allocator

These roles are used in common terminology throughout the business processes defined in the Oracle Retail Reference Model (see MOS Doc ID 2458078.1).

Note that a mirrored set of these Enterprise Roles with the suffix _PREPROD (Data Steward_PREPROD, Buyer_PREPROD, Inventory Analyst_PREPROD, etc.) is also available in IDCS or OCI IAM. This set of _PREPROD roles should be used so that users can have different access in non-production vs production systems. For example, it is common for QA employees to have virtually all Enterprise Roles, and therefore unlimited access, to non-production systems. However, these same QA employees might have limited or no access to production systems.

Duties and Privileges

Within Merchandising Cloud Service Suite, Enterprise Roles are mapped to Duties and Privileges. Privileges are essentially actions that a user can perform. Duties are collections of related privileges.

In Merchandising Cloud Service Suite, role-based security is implemented to control:

  • Access to navigational links/tasks in the application. The role associated with the user (for example a Buyer or Inventory Analyst) determines the set of links visible in the task pane.

  • Access to various UI widgets in the screens like buttons, menu items, LOVs, Panels and so on. The role determines if the UI widgets are to be shown or hidden and if shown whether they need to be enabled or disabled.

  • How the screens will be opened, such as in an edit or view only mode based on the role the user belongs to and the duties and privileges mapped to that role.

Duties are intended to build on one another and work in a hierarchical manner. The table below illustrates how this works, using purchase orders as an example. The most basic purchase order duty is Purchase Order Inquiry, which grants the user permission to search and view purchase orders. The next level of access is Purchase Order Management, which grants the user the ability to search and view purchase orders, and also to maintain and submit them. The final level of access in this example is Purchase Order Approval, which grants the user the ability to approve orders, in addition to searching, viewing, and maintaining them.

Table 5-1 Duties and Privileges

Duty | Privileges
Purchase Order Inquiry | Search Purchase Orders; View Purchase Orders
Purchase Order Management | All Privileges in Purchase Order Inquiry; Maintain Purchase Orders; Submit Purchase Orders
Purchase Order Approval | All Privileges in Purchase Order Management; Approve Purchase Orders
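
The hierarchy in Table 5-1 can be expanded mechanically to see which Enterprise Roles end up holding a sensitive privilege such as Approve Purchase Orders. The following is an added example, not Oracle code: the duty and privilege names come from Table 5-1, while the role-to-duty assignments, data structures and function names are constructed for illustration.

```python
# Duties and privileges from Table 5-1; "includes" models "All Privileges in ...".
DUTIES = {
    "Purchase Order Inquiry": {
        "includes": [],
        "privileges": {"Search Purchase Orders", "View Purchase Orders"},
    },
    "Purchase Order Management": {
        "includes": ["Purchase Order Inquiry"],
        "privileges": {"Maintain Purchase Orders", "Submit Purchase Orders"},
    },
    "Purchase Order Approval": {
        "includes": ["Purchase Order Management"],
        "privileges": {"Approve Purchase Orders"},
    },
}

# Constructed Enterprise Role assignments (assumption, not Oracle's defaults).
ROLE_DUTIES = {
    "Application Administrator": ["Purchase Order Approval"],
    "Buyer": ["Purchase Order Management"],
    "Inventory Analyst": ["Purchase Order Inquiry"],
}


def duty_privileges(duty, duties=DUTIES, _path=()):
    """Expand a duty into its full privilege set, following included duties."""
    if duty in _path:
        # A misconfigured mapping that loops back on itself is reported, not followed.
        raise ValueError("duty cycle: " + " -> ".join(_path + (duty,)))
    node = duties[duty]
    privs = set(node["privileges"])
    for included in node["includes"]:
        privs |= duty_privileges(included, duties, _path + (duty,))
    return privs


def effective_privileges(user_roles, role_duties=ROLE_DUTIES, duties=DUTIES):
    """Union of privileges over every duty of every role the user holds."""
    privs = set()
    for role in user_roles:
        for duty in role_duties.get(role, []):
            privs |= duty_privileges(duty, duties)
    return privs


def roles_granting(privilege, role_duties=ROLE_DUTIES, duties=DUTIES):
    """Audit helper: Enterprise Roles that hold a privilege directly or by inheritance."""
    return sorted(r for r in role_duties
                  if privilege in effective_privileges([r], role_duties, duties))
```

Because higher duties include lower ones, a review of who can approve orders also has to account for the maintain and submit privileges that come with the same duty.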


The application-specific security guides for each solution in the Merchandising Cloud Service Suite describe the Privileges and Duties for each application. See the following documents for more information.

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Administrator users can change the mappings of Enterprise Roles, Duties and Privileges in the Merchandising Cloud Service Suite user interface. Details about how to manage these application security policies are available in Chapter 2, Manage Security Policies in the Merchandising Cloud Services Administration Guide.

Data Security/Filtering

Oracle Retail Cloud Service offers an additional optional layer of data filtering. Data filtering in the application UI limits the data end users see by levels in the merchandise and organizational hierarchies.


Note:

Data Filtering is implemented in all Merchandising Cloud Service Suite applications, with the exception of Allocation.

Data level security is configured by assigning users to a data security group within Merchandising Cloud Service Suite. All users within a group would have similar access to a particular section of the merchandise or organizational hierarchy. For example, a group may be defined for a particular division, giving users across Application Roles access to the departments, classes, subclasses, and items in that division.

To implement data security/filtering, Data Security Groups must be defined in Merchandising Cloud Service Suite. These groups are associated with levels of the merchandise and organizational hierarchies. Every application user must also be defined in Merchandising Cloud Service Suite and assigned to Data Security Groups. The processes for defining these groups, hierarchy associations and users are detailed in Chapter 3, Data Security/Filtering in the Merchandising Cloud Services Administration Guide.


Note:

Adding these users to Merchandising Cloud Services for data security/filtering purposes is a manual process (via spreadsheet upload). Users are not automatically loaded from IDCS or OCI IAM for data security purposes.

When considering whether to implement data filtering/security, customers should weigh the benefits of data filtering against the processes they would need to implement to synchronize Merchandising Cloud Service Suite with IDCS or OCI IAM. As authentication is based on the user definition in IDCS or OCI IAM (which includes the Enterprise Role), it is possible that a user could authenticate correctly, reach Merchandise Cloud Service and, based on the mapping of their Enterprise Role to Application Role, be authorized to access various user interfaces. However, if data filtering/security is in use, and the user is not defined in Merchandising Cloud Service Suite or is not associated with a Data Security Group, the user may not see certain types of data in the application.
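
Because users are loaded into Merchandising for data security by manual upload, a periodic reconciliation between the identity provider and the data security setup catches the gap described above. The following is an added example, not Oracle code: the two CSV layouts, column names, sample users and function names are constructed assumptions and do not represent any Oracle export or upload format.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
IDP_EXPORT = """username,enterprise_roles
jsmith@example.com,Buyer
Akhan@example.com,Inventory Analyst;Pricing Analyst
qa1@example.com,Buyer_PREPROD
mlee@example.com,Buyer
"""
MERCH_DATA_SECURITY = """user_id,data_security_group
JSMITH@example.com,DIVISION_1
akhan@example.com,
tformer@example.com,DIVISION_2
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(idp_csv, merch_csv, production=True):
    """Compare IdP users holding Enterprise Roles with the data security setup."""
    idp = {}
    for row in _rows(idp_csv):
        roles = [r.strip() for r in row["enterprise_roles"].split(";") if r.strip()]
        # Production is checked against unsuffixed roles, non-production
        # against the mirrored _PREPROD set.
        roles = [r for r in roles if r.endswith("_PREPROD") != production]
        if roles:
            # Assumption: user IDs compare case-insensitively; drop lower() if not.
            idp[row["username"].strip().lower()] = roles
    groups = {}
    for row in _rows(merch_csv):
        user = row["user_id"].strip().lower()
        group = (row["data_security_group"] or "").strip()
        groups.setdefault(user, set())
        if group:
            groups[user].add(group)
    return {
        # Can authenticate and is authorized, but is absent from data security.
        "not_defined": sorted(u for u in idp if u not in groups),
        # Defined in Merchandising but assigned to no Data Security Group.
        "no_group": sorted(u for u in idp if u in groups and not groups[u]),
        # Still in the data security setup but holds no role in the IdP.
        "not_in_idp": sorted(u for u in groups if u not in idp),
    }
```

The first two result lists are the users who would authenticate successfully yet see filtered or missing data; the third list is leftover data security configuration to clean up.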