Oracle® Retail Enterprise Inventory Cloud Service Security Guide
Release 19.7
F70120-01

3 Application Security

For information on the administrative tasks, see the following sections:

EICS Application Security

Users are required to have store access and permissions in order to use the SIOCS client applications.

Access to special areas additionally requires an IDCS or OCI IAM application role assignment, as described in the previous sections.

Users that are assigned the global store users IDCS or OCI IAM application role (global_store_users) automatically have access to all store locations in EICS. Users that do not have global store access require store assignments, which are set up through the SIOCS security admin UI.

EICS implements fine grained permissions for controlling access to functionality and data. All users accessing the SIOCS client applications must have valid role assignments in order to be granted access to permissions. Users are assigned roles through the SIOCS security admin UI.

Application roles are created and managed through the SIOCS security admin UI by assigning permissions to the role.

For detailed information regarding user and role management with the EICS security admin UI, please see the Oracle Retail Enterprise Inventory Cloud Services User Guide.

Role Management

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ Role Maintenance.

  3. Click Create New or the name of an existing role.

  4. For new roles, enter the name, description, type.

  5. Assign permissions to the role using the table.

  6. Click Save when changes are complete.

Assigning Stores to a User

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Click on the username.

  5. Click on the Stores tab.

  6. Assign stores to the user using the table.

  7. Click Save when changes are complete.

Assigning SIOCS Application Roles to a User

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Click on the username.

  5. Click on the Roles tab.

  6. Click Create New to assign roles to the user.

  7. Select the store scope and store(s) for the role assignment(s).

  8. Select the role(s) to assign.

  9. Enter start and end dates if needed.

  10. Click Apply to create the selected assignments.

  11. Click Save when changes are complete.

Mass Assigning SIOCS Application Roles and Stores

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Click Import.

  4. Click Download Template on the Import Data File dialog.

  5. Fill data in the downloaded template.

  6. Drag and drop the filled template file or click to select the file.

  7. Click Import.

Deleting an EICS User Profile

The EICS user profile will be automatically deleted through a scheduled batch job if the user is deleted in IDCS or OCI IAM.

However, an EICS user profile can be manually deleted without deleting the user in IDCS or OCI IAM. This should be done if the user no longer requires access to EICS, or if the same username is used for a new user before the batch job has executed.

The SIOCS User Assignment table displays users stored in IDCS or OCI IAM as well as EICS user profile information, such as the create date and login date. These refer to the EICS user profile creation and client login, not IDCS or OCI IAM user information.

Users with a create date have an existing EICS user profile, which can be deleted with the following steps.

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Select the row(s) in the table.

  5. Click Delete Profile.

Deleting an EICS user profile includes all store and role assignments for that user. It does not affect IDCS or OCI IAM application role assignments or other user information managed through IDCS or OCI IAM.

If a user account needs to be deleted or all access disabled it is recommended to use IDCS or OCI IAM to perform the user management.

If a user only needs access to certain stores or permissions within EICS removed, then the SIOCS security admin UI should be used.

Importing a Batch of User Accounts

If you have a batch of users that have to be created, the Oracle team can bulk load the users into the IDCS or OCI IAM application. When users are bulk loaded, each initial password is set to the current password of a template user. The new users are required to change the password on their first login.

To request the creation of accounts by bulk loading:

  1. Create a CSV file listing all users to create. Following is an example of this file.

    filename.csv

    USR_LOGIN,USR_FIRST_NAME,USR_LAST_NAME,USR_EMAIL,ORG_NAME
    CE.ADMIN1,ce,admin1,CE.ADMIN1@oracle.com,Retail
    CE.ADMIN2,ce,admin2,CE.ADMIN2@oracle.com,Retail
    CE.ADMIN3,ce,admin3,CE.ADMIN3@oracle.com,Retail
    CE.ADMIN4,ce,admin4,CE.ADMIN4@oracle.com,Retail
    CE.ADMIN5,ce,admin5,CE.ADMIN5@oracle.com,Retail
    CE.ADMIN6,ce,admin6,CE.ADMIN6@oracle.com,Retail
    CE.ADMIN7,ce,admin7,CE.ADMIN7@oracle.com,Retail
    CE.ADMIN8,ce,admin8,CE.ADMIN8@oracle.com,Retail
    CE.ADMIN9,ce,admin9,CE.ADMIN9@oracle.com,Retail
    CE.ADMIN10,ce,admin10,CE.ADMIN10@oracle.com,Retail

  2. Create or identify a user whose password will be used as the initial password for all created users.

  3. Open an SR with Oracle Support and provide the CSV file and user from Steps 1 and 2.
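A pre-flight check worth running before the CSV from Step 1 is attached to the SR, since a malformed row is only reported back after the Oracle team attempts the load. This is an added example, not Oracle's code: it checks the exact column layout shown above, rejects blank values and duplicate logins (compared case-insensitively, on the assumption that two logins differing only in case would collide in IDCS or OCI IAM), and applies a simple shape check to the e-mail column. The sample rows are constructed and contain two deliberate defects.

```python
"""Pre-flight validation for the bulk user-creation CSV (added example, not Oracle's code)."""
import csv
import io
import re

# Column layout exactly as shown in the guide's sample file.
REQUIRED_COLUMNS = ["USR_LOGIN", "USR_FIRST_NAME", "USR_LAST_NAME", "USR_EMAIL", "ORG_NAME"]
# Deliberately simple shape check: something@something.something, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample in the guide's layout with two deliberate defects:
# CE.ADMIN2 appears twice, and CE.ADMIN3 has a malformed e-mail address.
SAMPLE_CSV = """USR_LOGIN,USR_FIRST_NAME,USR_LAST_NAME,USR_EMAIL,ORG_NAME
CE.ADMIN1,ce,admin1,CE.ADMIN1@oracle.com,Retail
CE.ADMIN2,ce,admin2,CE.ADMIN2@oracle.com,Retail
CE.ADMIN2,ce,admin2,CE.ADMIN2@oracle.com,Retail
CE.ADMIN3,ce,admin3,CE.ADMIN3-at-oracle.com,Retail
"""


def validate_user_csv(text):
    """Return a list of problems found; an empty list means the file passed every check."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    if header != REQUIRED_COLUMNS:
        problems.append(
            f"header must be exactly {','.join(REQUIRED_COLUMNS)}, got {','.join(header)}"
        )
        return problems  # column positions are unreliable from here on, stop early

    seen_logins = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col in REQUIRED_COLUMNS:
            if not (row.get(col) or "").strip():
                problems.append(f"line {line_no}: {col} is empty")
        # Assumption: logins are compared case-insensitively, so near-duplicates are flagged too.
        login = (row.get("USR_LOGIN") or "").strip().upper()
        if login in seen_logins:
            problems.append(f"line {line_no}: duplicate USR_LOGIN {login}")
        seen_logins.add(login)
        email = (row.get("USR_EMAIL") or "").strip()
        if email and not EMAIL_RE.match(email):
            problems.append(f"line {line_no}: USR_EMAIL {email!r} is not a valid address")

    if not seen_logins:
        problems.append("file contains no user rows")
    return problems


if __name__ == "__main__":
    for problem in validate_user_csv(SAMPLE_CSV):
        print(problem)
```

Run it against the real file before opening the SR; an empty result means the layout matches the template and no row will be silently skipped for a missing value.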

Bulk IDCS or OCI IAM Application Role Membership Update (Optional)

If a considerable number of users need roles assigned, the Customer Security Admin can bulk import the role memberships into the IDCS or OCI IAM application.

Bulk Update

To update the membership by bulk update:

  1. Use these sample files as a starting point.

  2. Extract the compressed file and then open the AppRoleMembership.csv file.

  3. Review and then delete any demo data in the AppRoleMembership.csv file.

  4. Create an import file using the AppRoleMembership.csv file. The AppRoleMembership.csv file is a simple text file in a tabular format (rows and columns). The first row in the file defines the columns (fields) in your table. At a minimum, the file must have these exact column headings.

    • Entitlement Value - Name of the IDCS or OCI IAM application role

    • Grantee Name - Name of the user

    • Grantee Type - Type should be fixed to 'User' (without quotes)

    For each membership, you create a new row (line) and enter data into each column (field). Each row equals one record.

    Important: The maximum number of membership roles that can be imported in a single job must not exceed 10,000.

  5. Save your file in a CSV format.

    Important: If you do not save the file in a CSV format with UTF-8 encoding, the import fails.
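Producing AppRoleMembership.csv by hand is where the rules in Steps 4 and 5 tend to be broken: a missing heading, a Grantee Type other than User, a file over the 10,000-row limit, or a non-UTF-8 save. This added example (not Oracle's code) generates the file from a role-to-users mapping and enforces each of those rules. It also emits one row per (role, user) pair, which is how a user receives more than one role. global_store_users is the one role the guide names; EXAMPLE_STORE_MANAGER is a placeholder role, and the user names are constructed.

```python
"""Generate an IDCS / OCI IAM AppRoleMembership.csv (added example, not Oracle's code)."""
import csv
import io

# Minimum column headings required by the import, spelled exactly as the guide gives them.
COLUMNS = ["Entitlement Value", "Grantee Name", "Grantee Type"]
GRANTEE_TYPE = "User"        # the guide fixes this value
MAX_ROWS_PER_JOB = 10_000    # per-job limit stated in the guide


def build_membership_rows(role_to_users):
    """Flatten {role: [users]} into sorted, de-duplicated (role, user, 'User') rows."""
    rows = set()
    for role, users in role_to_users.items():
        for user in users:
            rows.add((role.strip(), user.strip(), GRANTEE_TYPE))
    return sorted(rows)


def render_membership_csv(role_to_users):
    """Return (csv_text, utf8_bytes); raise if the file would exceed one job's row limit."""
    rows = build_membership_rows(role_to_users)
    if len(rows) > MAX_ROWS_PER_JOB:
        raise ValueError(
            f"{len(rows)} memberships exceed the {MAX_ROWS_PER_JOB} per-job limit; split the file"
        )
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    text = buf.getvalue()
    return text, text.encode("utf-8")   # UTF-8 is mandatory or the import fails


# Constructed sample: CE.ADMIN2 holds two roles, so it appears on two rows.
SAMPLE_MEMBERSHIPS = {
    "global_store_users": ["CE.ADMIN1", "CE.ADMIN2"],
    "EXAMPLE_STORE_MANAGER": ["CE.ADMIN2"],   # placeholder role name
}

if __name__ == "__main__":
    text, data = render_membership_csv(SAMPLE_MEMBERSHIPS)
    with open("AppRoleMembership.csv", "wb") as fh:   # bytes, so the UTF-8 encoding is explicit
        fh.write(data)
    print(text)
```

Writing the bytes rather than text keeps the encoding independent of the workstation's locale, which is the usual cause of the "not UTF-8" failure mentioned in Step 5.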

Bulk Import

IDCS

To import users and groups for Oracle application roles:

  1. Log into the IDCS console.

  2. Navigate to Oracle Cloud Services from the Navigation Drawer.

  3. Locate and click on the EICS application for your deployment.

  4. Click Application Roles.

  5. Click Import.

  6. In the Import Application Roles window, click Browse to locate and select the CSV file that contains the users and groups to import.


    Note:

    Click Download sample file in the dialog box to download a sample file.

  7. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.

  8. Click Import.

  9. If Oracle Identity Cloud Service can't import a membership record, then it evaluates the next record in the CSV file.

  10. After Oracle Identity Cloud Service evaluates all records, review the job results.

    • If the job can be processed immediately, then a dialog box appears with the Job ID link for your import job. Click the link. Review the details that appear on the Jobs page.

    • If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that ID and use it to search for the job on the Jobs page. The job will appear when processing completes. Go to Step 9.

  11. On the Jobs page, locate the job that you want to view, and then click View Details. If the job failed, then click on Export Errors to export all the rows that the job was not able to process.


    Note:

    If more than one role is to be attached to a particular user, add one more row with the role that the user is to have and the user name.

OCI IAM

To import users and groups for Oracle application roles:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.

  2. Select the identity domain you want to work in and click Applications.

  3. In the Applications page, click the Oracle application that has roles to which you want to assign users and groups.


    Note:

    Importing application roles imports application roles memberships only. The application roles must already exist in the identity domain. If the application roles don't exist, you will receive an error for the membership import for that application role.

  4. Click Import.

  5. In the Import application roles window, drag and drop the file or click Select one to browse for the file.


    Note:

    Click Download sample file in the dialog box to download a sample file.

  6. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.

  7. Click Import.

    If a user or a group is missing a required value, such as the user name or the group name, then that user or group can't be imported. If the user or group can't be imported, then the next user or group is evaluated in the CSV file.

  8. After the job completes, review the job results.

    • If the job can be processed immediately, then a dialog box appears with the Job ID link for your import job. Click the link. Review the details that appear on the Jobs page.

    • If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that Schedule ID and use it to search for the job on the Jobs page. The job will appear when processing completes.

  9. On the Jobs page, locate the job that you want to view. A table appears that displays the user names or group names, classification types (User or Group), and status of the users and groups that you imported and assigned to Oracle application roles in the identity domain.

Nightly Batch File Uploads

The following steps describe the file upload process.

A private/public key pair must be generated and the public key associated with your SFTP account before files can be uploaded. The Adding Authorized Keys section describes the step-by-step method to generate the keys (2048-bit RSA keys).

Adding Authorized Keys

The following process is used to generate a 2048-bit RSA key and add it to the SFTP server. This is done with the help of the WinSCP tool on Windows. However, the same can be done using ssh-keygen on Linux as well.

  1. Launch WinSCP and select Tools\ Run PuTTYgen.

  2. Select SSH-2 RSA for the type of key to generate and enter 2048 for the number of bits in a generated key field. Click Generate.

    Figure 3-1 Key Generator

  3. Move the mouse over the blank space in the window until the key is generated. Moving the mouse over the blank space creates a random pattern which is used for key generation.

    Figure 3-2 Key Generator Progress

  4. Once the key is generated, click Save public key to save the public key to a file.

  5. Click Save private key to save the private key to a file. Confirm to save it with or without a pass phrase.

  6. Open an SR with Oracle Support, to associate the public key with your SFTP account (attach the key with the SR).

Logging In to WinSCP

The upload steps use the private key generated in the Adding Authorized Keys section.

  1. Launch WinSCP and connect to <SFTP Server> using port 22.

  2. Enter the user name and click Advanced.

  3. Click Authentication.

  4. In the Private Key File field, click Browse and select the private key created in the Adding Authorized Keys section.

    Figure 3-3 Advanced Site Settings Dialog

  5. After loading the private key file, click OK.

    Figure 3-4 Private Key File Loaded

  6. Click Login. The window does not prompt for a password and logs in to the SFTP server. Provide a passphrase if one has been set up.


    Note:

    Login can only be performed using the authorized keys. Login with username / password is not supported.

Uploading the Batch File

To upload the batch file:

  1. Log in to WinSCP. Follow the steps in Logging In to WinSCP.

  2. Transfer the file to be copied (for example, test) to /<SFTP User>.

    Figure 3-5 <SFTP User> Directory

  3. Transfer an empty file <filename>.complete (for example, test.complete) to the directory /<SFTP User>.

    Figure 3-6 Transferring Empty File

  4. If multiple files must be transferred, copy all the files to /<SFTP_user>.

    Figure 3-7 Transferring Multiple Files

  5. Transfer all the corresponding <filename>.complete files to the /<SFTP_user> directory for the transfer to complete.

    Figure 3-8 Transferring .complete Files
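The same upload can be scripted on Linux with OpenSSH's sftp client, which is useful when the nightly files are produced by a job rather than dragged into WinSCP. The added example below is not Oracle's or WinSCP's code. It plans an sftp batch that puts every data file first and the empty <filename>.complete markers only afterwards, so the server-side pick-up never sees a marker for a file that is still in transit, then runs sftp with the private key from Adding Authorized Keys and with password prompts disabled, matching the key-only login policy. Host name, SFTP user and key path are placeholders; the file names are constructed.

```python
"""Batch-mode SFTP upload following the .complete convention (added example, not Oracle's code)."""
import os
import subprocess

# OpenSSH equivalent of the PuTTYgen steps; only the .pub file is attached to the SR:
#   ssh-keygen -t rsa -b 2048 -f ~/.ssh/eics_sftp        (prompts for an optional passphrase)


def marker_name(data_file):
    """Name of the empty marker that signals a completed upload, e.g. test -> test.complete."""
    return f"{os.path.basename(data_file)}.complete"


def build_batch_commands(sftp_user, data_files):
    """sftp batch: cd to /<SFTP User>, put every data file, then put every .complete marker."""
    names = [os.path.basename(p) for p in data_files]
    if not names:
        raise ValueError("nothing to upload")
    if len(set(names)) != len(names):
        raise ValueError("file names must be unique within one upload")
    commands = [f"cd /{sftp_user}"]
    commands += [f"put {n}" for n in names]                 # data first ...
    commands += [f"put {marker_name(n)}" for n in names]    # ... markers only after all data
    commands.append("bye")
    return commands


def upload(sftp_host, sftp_user, key_path, workdir, file_names):
    """Create zero-byte markers beside the data files in workdir and run sftp non-interactively.

    Returns the sftp exit code (0 on success). Placeholders: sftp_host, sftp_user, key_path.
    """
    for name in file_names:
        open(os.path.join(workdir, marker_name(name)), "wb").close()   # empty marker file
    batch_path = os.path.join(workdir, "upload.batch")
    with open(batch_path, "w") as fh:
        fh.write("\n".join(build_batch_commands(sftp_user, file_names)) + "\n")
    # -b batch file, -i private key, -P 22 as in the guide. BatchMode=yes refuses any password
    # prompt (the server does not accept passwords anyway); StrictHostKeyChecking=yes refuses an
    # unknown host key instead of silently trusting it.
    result = subprocess.run(
        ["sftp", "-b", batch_path, "-i", key_path, "-P", "22",
         "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes",
         f"{sftp_user}@{sftp_host}"],
        cwd=workdir, check=False,
    )
    return result.returncode


if __name__ == "__main__":
    # Illustrative call with placeholder values; the batch is printed so the order can be inspected.
    print("\n".join(build_batch_commands("SFTP_USER_PLACEHOLDER", ["test", "test2"])))
```

If the private key was saved with a passphrase, load it into ssh-agent first (ssh-add), because BatchMode disables the prompt that would otherwise ask for it. The host key of the SFTP server must already be in known_hosts for the strict check to pass.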

Export File Downloads

To export file downloads:

  1. Log in to WinSCP. Follow the steps in Logging In to WinSCP.

  2. Change the directory to /<SFTP User>/EXPORT.

  3. Download all data files.

Web Services Security

The SOAP web services provided and consumed by EICS can be configured with security policies by the installer. These web services are designed to participate in Retail Service Backbone (RSB) flows which support two distinct Oracle WebLogic WS-Policy configurations. These are referred to as Policy A and Policy B.


Note:

Cloud deployment supports only Policy A for SOAP web services.

On the provider side of the communication, Policy A and Policy B are configured using one or more Oracle WebLogic WS-Policy configurations defined in the XML files included with Oracle WebLogic:

  • Policy A

    • Description: Message must be sent over SSL and requires authentication of a plain text UsernameToken.

    • Configuration: Wssp1.2-2007-Https-UsernameToken-Plain.xml

  • Policy B

    • Description: Message body must be encrypted and signed and requires authentication of an encrypted UsernameToken.

    • Configuration:

      • Wssp1.2-2007-Wss1.1-UsernameTokenPlain-EncryptedKey-Basic128.xml

      • Wssp1.2-2007-EncryptBody.xml

      • Wssp1.2-2007-SignBody.xml
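Policy A, the only policy the cloud deployment supports, accepts a plain-text WS-Security UsernameToken on the condition that the message travels over TLS. The added example below, which is not Oracle's or WebLogic's code, shows what a consumer of an EICS SOAP service therefore has to send, and refuses to build the request for any non-https endpoint, since the token would otherwise cross the network in clear text. The endpoint URL, the credential values and the body element are placeholders; the namespaces and the PasswordText type URI are the OASIS WSS 1.0 ones.

```python
"""Build a Policy A (HTTPS + plain UsernameToken) SOAP request (added example, not Oracle's code)."""
import datetime
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = (
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
)

ET.register_namespace("soapenv", SOAP_ENV)
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def check_policy_a_endpoint(url):
    """Policy A relies on TLS for confidentiality of the token; reject anything but https."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Policy A requires an https endpoint, got {url!r}")
    return url


def build_policy_a_envelope(url, username, password, body_xml):
    """Return SOAP 1.1 envelope bytes carrying a wsse:UsernameToken with a PasswordText password."""
    check_policy_a_endpoint(url)
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.set(f"{{{SOAP_ENV}}}mustUnderstand", "1")   # the provider must process the header
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    token.set(f"{{{WSU}}}Id", f"UsernameToken-{uuid.uuid4().hex}")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pwd = ET.SubElement(token, f"{{{WSSE}}}Password")
    pwd.set("Type", PASSWORD_TEXT)                        # plain text, hence the TLS requirement
    pwd.text = password
    ET.SubElement(token, f"{{{WSU}}}Created").text = datetime.datetime.now(
        datetime.timezone.utc
    ).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def username_token_of(envelope_bytes):
    """Parse an envelope and return (username, password_type) from its UsernameToken, or None."""
    root = ET.fromstring(envelope_bytes)
    token = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    return token.findtext(f"{{{WSSE}}}Username"), token.find(f"{{{WSSE}}}Password").get("Type")


if __name__ == "__main__":
    # Placeholder endpoint, credentials and body; a real client reads the credential from a secret store.
    envelope = build_policy_a_envelope(
        "https://eics.example.invalid/services/placeholder",
        "SERVICE_USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER",
        '<p:Ping xmlns:p="urn:example:placeholder"/>',
    )
    print(envelope.decode("utf-8"))
```

The same https check belongs in any client configuration that consumes these services: the WebLogic policy file enforces the token format on the provider side, but nothing on the provider can stop a misconfigured client from first trying an http URL.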

Personal Data

Personal data is not stored within EICS.

Regulatory Compliance

EICS does not store any credit card data.

EICS does not store any HIPAA/health related data.

EICS does use Oracle TDE (Transparent Data Encryption) for the portion of the schema that stores users' passwords.