Oracle® Retail Enterprise Inventory Cloud Service Security Guide
Release 22.1.201.0
F55039-01

3 Application Security

For information on the administrative tasks, see the following sections:

EICS Application Security

Users are required to have store access and permissions in order to use the SIOCS client applications.

Access to special areas also requires IDCS or OCI IAM application role and group assignments, as mentioned in previous sections.

Users that are assigned the global store users IDCS or OCI IAM application role (global_store_users) automatically have access to all store locations in EICS. Users that do not have global store access require store assignments, which are set up through the SIOCS security admin UI.

EICS implements fine-grained permissions for controlling access to functionality and data. All users accessing the SIOCS client applications must have valid role assignments in order to be granted access to permissions. Users are assigned roles through the SIOCS security admin UI.

Application roles are created and managed through the SIOCS security admin UI by assigning permissions to the role.

For detailed information regarding user and role management with the EICS security admin UI, please see the Oracle Retail Enterprise Inventory Cloud Services User Guide.

Role Management

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ Role Maintenance.

  3. Click Create New or the name of an existing role.

  4. For new roles, enter the name, description, and type.

  5. Assign permissions to the role using the table.

  6. Click Save when changes are complete.

Assigning Stores to a User

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Click on the username.

  5. Click on the Stores tab.

  6. Assign stores to the user using the table.

  7. Click Save when changes are complete.

Assigning SIOCS Application Roles to a User

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Click on the username.

  5. Click on the Roles tab.

  6. Click Create New to assign roles to the user.

  7. Select the store scope and store(s) for the role assignment(s).

  8. Select the role(s) to assign.

  9. Enter start and end dates if needed.

  10. Click Apply to create the selected assignments.

  11. Click Save when changes are complete.

Mass Assigning SIOCS Application Roles and Stores

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Click Import.

  4. Click Download Template on the Import Data File dialog.

  5. Fill data in the downloaded template.

  6. Drag and drop the filled template file or click to select the file.

  7. Click Import.

Deleting an EICS User Profile

The EICS user profile will be automatically deleted through a scheduled batch job if the user is deleted in IDCS or OCI IAM.

However, an EICS user profile can be manually deleted without deleting the user in IDCS or OCI IAM. This should be done if the user no longer requires access to EICS, or if the same username is used for a new user before the batch job has executed.

The SIOCS User Assignment table displays users stored in IDCS or OCI IAM as well as EICS user profile information, such as the create date and login date. These refer to the EICS user profile creation and client login, not IDCS or OCI IAM user information.

Users with a create date have an existing EICS user profile, which can be deleted with the following steps.

  1. Log into the SIOCS admin UI.

  2. Navigate to Security\ User Assignment.

  3. Locate the user in the table, using filters as needed.

  4. Select the row(s) in the table.

  5. Click Delete Profile.

Deleting an EICS user profile also deletes all store and role assignments for that user. It does not affect IDCS or OCI IAM application role assignments or other user information managed through IDCS or OCI IAM.

If a user account needs to be deleted or all access disabled, it is recommended to use IDCS or OCI IAM to perform the user management.

If a user only needs access to certain stores or permissions within EICS removed, then the SIOCS security admin UI should be used.

Importing a Batch of User Accounts

If you have a batch of users that have to be created, the Oracle team can bulk load the users into the IDCS or OCI IAM application. When users are bulk loaded, each initial password is set to the current password of a template user. The new users are required to change the password on their first login.

To request the creation of accounts by bulk loading:

  1. Create a CSV file listing all users to create. The following is an example of this file.

    ##################
    filename.csv
    ###################
    ##########################################
    USR_LOGIN,USR_FIRST_NAME,USR_LAST_NAME,USR_EMAIL,ORG_NAME
    CE.ADMIN1,ce,admin1,CE.ADMIN1@oracle.com,Retail
    CE.ADMIN2,ce,admin2,CE.ADMIN2@oracle.com,Retail
    CE.ADMIN3,ce,admin3,CE.ADMIN3@oracle.com,Retail
    CE.ADMIN4,ce,admin4,CE.ADMIN4@oracle.com,Retail
    CE.ADMIN5,ce,admin5,CE.ADMIN5@oracle.com,Retail
    CE.ADMIN6,ce,admin6,CE.ADMIN6@oracle.com,Retail
    CE.ADMIN7,ce,admin7,CE.ADMIN7@oracle.com,Retail
    CE.ADMIN8,ce,admin8,CE.ADMIN8@oracle.com,Retail
    CE.ADMIN9,ce,admin9,CE.ADMIN9@oracle.com,Retail
    CE.ADMIN10,ce,admin10,CE.ADMIN10@oracle.com,Retail
    ##########################################

  2. Create or identify a user whose password will be used as the initial password for all created users.

  3. Open an SR with Oracle Support and provide the CSV file and user from Steps 1 and 2.

Bulk IDCS or OCI IAM Application Role Membership Update (Optional)

If a considerable number of users need to have roles assigned, the Customer Security Admin can bulk import the role membership into the IDCS or OCI IAM application.

Bulk Update

To update the membership by bulk update:

  1. Use these sample files as a starting point.

  2. Extract the compressed file and then open the AppRoleMembership.csv file.

  3. Review and then delete any demo data in the AppRoleMembership.csv file.

  4. Create an import file using the AppRoleMembership.csv file. The AppRoleMembership.csv file is a simple text file in a tabular format (rows and columns). The first row in the file defines the columns (fields) in your table. At a minimum, the file must have these exact column headings.

    • Entitlement Value - Name of the IDCS or OCI IAM application role

    • Grantee Name - Name of the user

    • Grantee Type - Type should be fixed to 'User' (without quotes)

    For each membership, you create a new row (line) and enter data into each column (field). Each row equals one record.

    Important: The maximum number of membership roles that can be imported in a single job must not exceed 10,000.

  5. Save your file in a CSV format.

    Important: If you do not save the file in a CSV format with UTF-8 encoding, the import fails.
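
A pre-import check for the file described in the steps above, as an added example that is not part of the Oracle guide: it enforces the three required column headings, the fixed Grantee Type, UTF-8 encoding and the 10,000-membership limit, and lists grants of global_store_users for review because that role gives access to all store locations. The function name, the example_app_role role and the sample rows are constructed for illustration.

```python
import csv
import io

REQUIRED = ["Entitlement Value", "Grantee Name", "Grantee Type"]
MAX_ROWS = 10_000                      # per-job limit stated in the guide
REVIEW_ROLES = {"global_store_users"}  # grants access to all store locations


def validate_membership_csv(raw: bytes):
    """Return (errors, review) for the bytes of an AppRoleMembership.csv."""
    errors, review = [], []
    try:
        # utf-8-sig accepts UTF-8 with or without a byte-order mark.
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        return [f"not UTF-8: {exc.reason} at byte {exc.start}"], review
    reader = csv.DictReader(io.StringIO(text, newline=""))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing column heading(s): {missing}"], review
    seen, rows = set(), 0
    for row in reader:
        rows += 1
        n = reader.line_num  # physical line of the record just read
        role = (row["Entitlement Value"] or "").strip()
        user = (row["Grantee Name"] or "").strip()
        gtype = (row["Grantee Type"] or "").strip()
        if not role or not user:
            errors.append(f"line {n}: empty role or user name")
        if gtype != "User":
            errors.append(f"line {n}: Grantee Type must be User, got {gtype!r}")
        if (role, user) in seen:
            errors.append(f"line {n}: duplicate membership {role}/{user}")
        seen.add((role, user))
        if role in REVIEW_ROLES:
            # Not an error: surfaced so an approver can confirm least privilege.
            review.append(f"line {n}: {user} granted {role}")
    if rows > MAX_ROWS:
        errors.append(f"{rows} memberships exceed the {MAX_ROWS} per-job limit")
    return errors, review


SAMPLE = (  # constructed sample rows, not real data
    "Entitlement Value,Grantee Name,Grantee Type\n"
    "example_app_role,CE.ADMIN1,User\n"
    "global_store_users,CE.ADMIN2,User\n"
    "example_app_role,CE.ADMIN3,Group\n"
    "example_app_role,CE.ADMIN1,User\n"
).encode("utf-8")
```

Running the check on the exported bytes before upload catches encoding and header problems that would otherwise only surface in the import job's error export.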

Bulk Import

IDCS

To import users and groups for Oracle application roles:

  1. Log into the IDCS console.

  2. Navigate to Oracle Cloud Services from the Navigation Drawer.

  3. Locate and click on the EICS application for your deployment.

  4. Click Application Roles.

  5. Click Import.

  6. In the Import Application Roles window, click Browse to locate and select the CSV file that contains the users and groups to import.


    Note:

    Click Download sample file in the dialog box to download a sample file.

  7. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.

  8. Click Import.

  9. If Oracle Identity Cloud Service can't import a membership record, then it evaluates the next record in the CSV file.

  10. After Oracle Identity Cloud Service evaluates all records, review the job results.

    • If the job can be processed immediately, then a dialog box appears with the Job ID link for your import job. Click the link. Review the details that appear on the Jobs page.

    • If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that ID and use it to search for the job on the Jobs page. The job will appear when processing completes. Go to Step 9.

  11. On the Jobs page, locate the job that you want to view, and then click View Details. If the job failed, click Export Errors to export all the rows that the job was not able to process.


    Note:

    If more than one role is to be attached to a particular user, add one more row with the role that the user is to have and the user name.

OCI IAM

To import users and groups for Oracle application roles:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.

  2. Select the identity domain you want to work in and click Applications.

  3. In the Applications page, click the Oracle application that has roles to which you want to assign users and groups.


    Note:

    Importing application roles imports application roles memberships only. The application roles must already exist in the identity domain. If the application roles don't exist you will receive an error for the membership import for that application role.

  4. Click Import.

  5. In the Import application roles window, drag and drop the file or click Select one to browse for the file.


    Note:

    Click Download sample file in the dialog box to download a sample file.

  6. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.

  7. Click Import.

    If a user or a group is missing a required value, such as the user name or the group name, then that user or group can't be imported. If the user or group can't be imported, then the next user or group is evaluated in the CSV file.

  8. After the job completes, review the job results.

    • If the job can be processed immediately, then a dialog box appears with the Job ID link for your import job. Click the link. Review the details that appear on the Jobs page.

    • If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that Schedule ID, and use it to search for the job on the Jobs page. The job will appear when processing completes.

  9. On the Jobs page, locate the job that you want to view. A table appears that displays the user names or group names, classification types (User or Group), and status of the users and groups that you imported and assigned to Oracle application roles in the identity domain.

Bulk Group Membership Update (Optional)

To import user membership for IDCS groups in bulk:

  1. Log into the IDCS console.

  2. Navigate to Groups from the Navigation Drawer.

  3. Click the Import button to open Import Groups dialog.

  4. Click on Download sample file to download the sample file.

  5. Open the Groups.csv from the downloaded sample archive.

  6. Update the file to reflect the desired mapping.

    • Display Name - Name of the IDCS group

    • Description - Description of the IDCS group, leave blank to not override the existing description

    • User Members - Comma separated usernames

  7. Browse to the file that you updated in Step 6 on the Import Groups dialog.

  8. Click the Import button to import the assignments. This should start an IDCS job.

  9. Click the job link and review the details that appear on the Jobs page.


    Note:

    This will not override existing assignments and will only create new group assignment records.

Web Services Security

The SOAP web services provided and consumed by EICS can be configured with security policies by the installer.

On the provider side of the communication, Policy A is configured using one or more Oracle WebLogic WS-Policy configurations defined in the XML files included in Oracle WebLogic:

  • Policy A

    • Description: Message must be sent over SSL and requires authentication of a plain text UsernameToken.

    • Configuration: Wssp1.2-2007-Https-UsernameToken-Plain.xml

Personal Data

Personal data is not stored within EICS.

Regulatory Compliance

EICS does not store any credit card data.

EICS does not store any HIPAA/health related data.

EICS does use Oracle TDE (Transparent Data Encryption) for the portion of the schema that stores users' passwords.