Oracle® Retail Enterprise Inventory Cloud Service Security Guide Release 19.8 F79090-01 |
This chapter covers the following sections:
This section defines the security terms used in this guide.
Table 2-1 Security Terms
Term | Definition |
---|---|
Application Administrator | A customer application admin user who can perform application configurations via the SIOCS admin screen. |
Application Implementer | A system implementer is the user who implements the application. |
Customer Cloud Administrator | A delegated customer cloud user for customer cloud management tasks, for example creating the customer security admin user and other users. |
Customer Security Admin | A customer security admin user who can create customer users and assign application roles. Note that this may not always be set up as a separate user from the application administrator. |
IDCS or OCI IAM Application Role | IDCS or OCI IAM application roles are specific user entitlements created at the time of provisioning the EICS application on IDCS or OCI IAM. Each IDCS or OCI IAM application role creates a security group. |
Retail Home User | A user who can access SIOCS tile reports on Retail Home and navigate from there to related operational views in SIOCS. |
Retail Home Service Admin User | A user who can access SIOCS tile reports and service admin screens in Retail Home. |
Security Group | A collection of users and groups. These groups are created automatically at the time of provisioning the EICS application on IDCS or OCI IAM, one for each IDCS or OCI IAM application role. These groups are known to the Java EE server container. |
SIOCS Application Role | A SIOCS application role is a collection of users and other application roles. SIOCS application roles are defined in the application and are not necessarily known to the Java container. |
Store Manager | A user who performs the store manager role. |
Store User | A user who performs store operations with assigned role permissions. |
System Operator | Used by the Oracle cloud team for debugging. |
User | An end user accessing a service or application. |
In addition to application users, integration users need to be set up based on the integrated applications.
Users of SIOCS have roles through which they gain access to functions and data.
Security implementation involves the management of:
User creations
Assigning IDCS or OCI IAM Application Roles to corporate operational users
Assigning SIOCS Application Roles to store users
SIOCS comes with eleven IDCS or OCI IAM application roles used for special purpose access. These IDCS or OCI IAM application roles are defined inside EICS application on IDCS or OCI IAM.
All
The IDCS or OCI IAM application role all_users is required to access SIOCS.
This app role should be assigned to all users.
Admin
The IDCS or OCI IAM application role admin_users is required for access to administration tasks, such as managing configuration settings or translations.
The IDCS or OCI IAM application role should only be assigned to system operators and administrators.
Batch
The IDCS or OCI IAM application role batch_users is required for access to batch related tasks, such as job management or scheduling.
This IDCS or OCI IAM application role should only be assigned to system operators and batch administrators.
Full Permission
The IDCS or OCI IAM application role full_permission_users allows the user to gain access to all available permissions without any database role assignment.
This IDCS or OCI IAM application role should only be assigned to the system operator and the initial customer admin user.
Note: This full permission IDCS or OCI IAM application role does not provide full data permission access. To perform administration operations, the user must also be assigned the ADMINISTRATOR SIOCS application role in the SIOCS application.
Global Store User
The IDCS or OCI IAM application role global_store_users grants the user access to all store locations.
This IDCS or OCI IAM application role should only be assigned to system operators, and administrators or special users requiring access to all store locations.
Integration
The IDCS or OCI IAM application role integration_users is required for accessing integration resources, such as web services.
This IDCS or OCI IAM application role should only be assigned to users designated for application integration, not those requiring access to the application UI.
Users that are only integrating with SIOCS are considered integration users, for example, the RIB injection user is a typical case of an integration user.
These users do not require access to the SIOCS client applications, and therefore do not require store assignments or role assignments (permissions).
MPS
The IDCS or OCI IAM application role mps_users is required for access to MPS (message processing service) related tasks, such as staged message maintenance or work type management.
This IDCS or OCI IAM application role should only be assigned to system operators and MPS administrators.
PSRAF
The IDCS or OCI IAM application role psraf_users is required to access platform features, for example, Favorites.
This app role should be assigned to all users.
PSRAF Admin
The IDCS or OCI IAM application role psraf_admin_users is required to access platform admin features, for example, Subscription Services. Any user that needs access to the PSRAF admin functionality in the Retail Home should be a member of this role. The user belonging to this role will be able to access all PSRAF endpoints.
Retail Home
The IDCS or OCI IAM application role retail_home_users is required for the Retail Home application to successfully call EICS APIs to fetch tile report data.
This IDCS or OCI IAM application role should only be assigned to retail home users.
Security
The IDCS or OCI IAM application role security_users is required for access to security management tasks, such as role maintenance and user role/store assignments.
This IDCS or OCI IAM application role should only be assigned to system operators and security administrators.
Users accessing application UI features that are restricted by group access must also be granted the relevant permissions through role and store assignments.
A regular store user should not require this assignment for accessing the application UI.
System Operator
The IDCS or OCI IAM application role sysop_users is required for access to restricted areas of the application, such as certain system configuration settings.
This IDCS or OCI IAM application role should only be assigned to system operators, which are typically the cloud operator.
Note: The sysop_users IDCS or OCI IAM application role is for internal use by the Oracle team only and must not be assigned to customer users.
These IDCS or OCI IAM application roles are scoped to the EICS application on IDCS or OCI IAM. Since a new EICS application will be provisioned on IDCS or OCI IAM for each deployment type, there won't be any overlap in IDCS or OCI IAM application roles between different deployment types. This allows a Customer Security Admin to assign an IDCS or OCI IAM application role to a user on one deployment and not on others.
IDCS or OCI IAM application roles are assigned to users through IDCS or OCI IAM.
Each IDCS or OCI IAM application role creates one security group. These security groups are not visible on IDCS or OCI IAM, but the access can be managed via the associated IDCS or OCI IAM application role.
For example, assigning admin_users IDCS or OCI IAM application role to a user will automatically assign the associated security group, thus providing access to administration tasks to the user.
This table identifies the IDCS or OCI IAM application roles:
Table 2-2 IDCS or OCI IAM Application Roles
Cloud Service or Options | IDCS or OCI IAM Application Roles |
---|---|
Admin Service | admin_users |
Authenticated | all_users |
Batch Service | batch_users |
Initial user setup to log in to the EICS application | full_permission_users |
All store locations | global_store_users |
Integration Service | integration_users |
Message Processing Service | mps_users |
Platform Service | psraf_users |
Platform Service | psraf_admin_users |
Retail Home Service | retail_home_users |
Security Service | security_users |
Perform application system configurations (both non-restricted and restricted) | sysop_users |
SIOCS application roles are a collection of permissions that are assigned to users for specific or all of their assigned stores. These permissions are used to control access to application functionality and data. Roles are created, managed, and assigned to users through the SIOCS security admin UI.
SIOCS has the following predefined application roles.
Table 2-3 Predefined Application Roles
Operations | SIOCS Application Role |
---|---|
Admin permission role | ADMINISTRATOR |
Store Manager permission role | MANAGER |
Retail Home permission role | RETAIL HOME |
There are 350+ configuration settings that decide how users access functionality. For details, see the Oracle Retail Enterprise Inventory Cloud Service Administration Guide - Configuration chapter.
Table 2-4 User Types with IDCS or OCI IAM Application Roles and SIOCS Application Roles
Application User Type | Job Duties | SIOCS Application Roles Assigned (User Role Assignment is via SIOCS Security Admin Screen) | IDCS or OCI IAM Application Role Assigned |
---|---|---|---|
Initial Application Admin User | Access the SIOCS application and create other application admin and store users. | N/A | all_users, admin_users, batch_users, full_permission_users, global_store_users, mps_users, psraf_users, security_users |
Application Admin User | Perform all administration activities, set up other customer application store users and perform application configuration. | ADMINISTRATOR | all_users, admin_users, batch_users, global_store_users, mps_users, psraf_users, security_users |
Store Users | Perform store operations in the store using the Mobile client. | Custom defined role with selected role permissions. | all_users, psraf_users |
Integration Users | External systems invoke the EICS-provided Integration Services. See the Integration Implementation sections for additional details. | N/A | integration_users |
Retail Home User | Access SIOCS tiles on Retail Home and navigate to related operational views in SIOCS. | RETAIL HOME | all_users, psraf_users, retail_home_users |
Retail Home Service Admin User | Access SIOCS tiles and service admin screens in Retail Home and navigate to related operational views in SIOCS. | | all_users, psraf_admin_users, retail_home_users |
Before users can access the Oracle Retail Stores Inventory and Operations Cloud Service applications, each user must be provisioned access to the system and assigned IDCS or OCI IAM application roles, stores, and SIOCS application roles to control what functionality is available to them. Access provisioning for the initial customer admin user is done using Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). This user can then create and manage other users via IDCS or OCI IAM and the SIOCS security admin UI.
IDCS or OCI IAM application roles assignments are typically used for special purpose access such as integration or various administration tasks. IDCS or OCI IAM application roles are assigned to users through IDCS or OCI IAM.
The application client uses store based sessions for performing business operations. Store assignments control the stores available for a user to login to. Users can be assigned access to specific stores through the SIOCS security admin UI.
SIOCS application roles are a collection of permissions that are assigned to users for specific or all of their assigned stores. These permissions are used to control access to application functionality and data. Roles are created, managed, and assigned to users through the SIOCS security admin UI.
It is recommended that users are granted the least level of access they require to perform their duties.
Users should not be reused or shared by multiple people or for multiple purposes.
For example, users created for integration purposes should not be granted access required for application UI usage.
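The rules above (all_users for every UI user, sysop_users never on customer users, full_permission_users only on the initial admin, integration users carrying no UI roles) can be checked mechanically against a role export. The following is an added audit example, not Oracle code; the user records and the `type` classification field are constructed here and follow the user types of Table 2-4.

```python
from typing import Dict, List, Set

# Roles this chapter reserves for special-purpose assignment.
INTERNAL_ONLY = {"sysop_users"}                 # Oracle cloud operator only
INITIAL_ADMIN_ONLY = {"full_permission_users"}  # initial customer admin user only
# Roles that only make sense for users of the SIOCS or Retail Home UI.
UI_ROLES = {"all_users", "psraf_users", "admin_users", "batch_users",
            "global_store_users", "mps_users", "security_users",
            "psraf_admin_users", "retail_home_users"}

def audit_user(user: Dict) -> List[str]:
    """Return findings for one user record (empty list means compliant).

    'type' is an assumed classification field matching the user types of
    Table 2-4: initial_admin, app_admin, store, integration, retail_home,
    system_operator."""
    roles: Set[str] = set(user["roles"])
    utype = user["type"]
    findings: List[str] = []
    if roles & INTERNAL_ONLY and utype != "system_operator":
        findings.append("sysop_users assigned to a customer user")
    if roles & INITIAL_ADMIN_ONLY and utype != "initial_admin":
        findings.append("full_permission_users assigned outside the initial admin user")
    if utype == "integration":
        if "integration_users" not in roles:
            findings.append("integration user lacks integration_users")
        extra = roles & UI_ROLES
        if extra:
            findings.append("integration user holds UI roles: " + ", ".join(sorted(extra)))
    else:
        if "all_users" not in roles:
            findings.append("UI user lacks all_users and cannot access SIOCS")
        if "integration_users" in roles:
            findings.append("UI user also holds integration_users (shared-purpose account)")
    return findings

def audit(users: List[Dict]) -> Dict[str, List[str]]:
    """Map each user name to its findings."""
    return {u["name"]: audit_user(u) for u in users}

# Constructed sample export, not real tenant data.
SAMPLE_USERS = [
    {"name": "initadmin", "type": "initial_admin",
     "roles": {"all_users", "admin_users", "batch_users", "full_permission_users",
               "global_store_users", "mps_users", "psraf_users", "security_users"}},
    {"name": "store01", "type": "store", "roles": {"all_users", "psraf_users"}},
    {"name": "rib_inject", "type": "integration", "roles": {"integration_users", "all_users"}},
    {"name": "store02", "type": "store", "roles": {"all_users", "psraf_users", "sysop_users"}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```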
Oracle Identity Cloud Service (IDCS) provides a fully integrated service that delivers all the core identity and access management capabilities through a multi-tenant Cloud platform.
For instructions on managing users in IDCS, follow the Manage Users IDCS document at the following URL:
https://docs.oracle.com/en/cloud/paas/identity-cloud/index.html
IDCS Application Roles are used for special purpose access. A Customer Security Admin can assign IDCS application roles to users on IDCS as follows:
Log into the IDCS console.
Select Oracle Cloud Services from the Navigation Drawer.
Locate and click on the EICS application for your deployment.
Navigate to the Application Roles tab.
Open the application role menu for the role you want to assign and select Assign Users.
Select the users that you want to assign the IDCS application role to and click Assign.
You can also use the IDCS application role menu to revoke a role from a team member.
Assigning an IDCS application role will automatically assign the associated security group to the user. These security groups are not visible on the IDCS UI and are only maintained internally.
Oracle Cloud Infrastructure Identity and Access Management (IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud.
For instructions on managing users in OCI IAM, follow the Manage Users OCI IAM document at the following URL:
https://docs.oracle.com/en-us/iaas/Content/Identity/home.html