Oracle® Retail Enterprise Inventory Cloud Service User Guide
Release 22.1.301.0
F58716-01

7 Security

The following topics are described in this section:

Role Based Security

The desktop application provides role-based user access control in order to manage application functionality and data available to users. This role-based user access control allows security to be managed in a way that corresponds closely to the organization's structure. This model provides improved support for customization, maintenance, and management of security in the system, simplifying customer implementations while maintaining a high degree of control and flexibility.

Role Based Security is handled by assigning privileges (permissions) to a role in the system. These roles are then assigned to users for specific stores. If a user does not have permission for a feature at a given store, that feature is not available to them there. The application secures buttons, drop-down values and menu options on the mobile application.

An external system controls security (LDAP). User details like User name, First name and Last name, Password and Security groups are administered in the external system and displayed in the desktop application. Managing the user's profile (assigning stores, roles, and so on) is done in the desktop application. Authentication is performed in LDAP.

Figure 7-1 Security Management Workflow


During install, the cloud engineering team sets up the initial admin user for the customer to access OIM. After that, users can be set up by the customer and the necessary groups assigned based on the role each user is going to play. For example, a user accessing web services needs the integration_users group assigned, and a user executing batches needs batch_users assigned. The roles a user needs are assigned in the desktop application.

This chapter covers the following:

Role Maintenance

  • Create new roles

  • Update, view and delete roles

  • Assigning and revoking permissions for a role

User Maintenance

  • Viewing user details

  • Assigning and revoking stores for a user

  • Assigning and revoking roles for a user

  • Viewing the groups assigned to a user


Note:

The group security_users is required for accessing security management tasks in the desktop application, such as role maintenance and user role/store assignments.

Role Maintenance Screen

The Role Maintenance screen is an admin screen used to create new roles and assign permissions to them, and to modify and delete roles. A role that is currently assigned to a user cannot be deleted. The screen is accessed via the menu: Security/ Role Maintenance. The user must have the Access Role Maintenance permission for the Role Maintenance screen to be accessible. The screen displays the list of roles that have been added. The user can edit or view the details of a role by clicking on the Role Name, which opens the Role Detail screen.

Figure 7-2 Role Maintenance Screen


Role Detail Screen

Figure 7-3 Role Detail Screen


User Assignment Screen

The screen displays the list of users who have access to the store that the security user is logged into.

It is an admin screen used by a security user to view a user's details, assign roles and stores, and view the groups assigned to a user. You will also be able to mass assign roles and stores to users by importing a file which contains the details of the assignments.

You can reset a user's profile through this screen. The screen is accessed via the menu: Security/ User Assignment. You must have the Access User Maintenance permission for the User Assignment menu option to be available under Security in the desktop application.

Figure 7-4 User Assignment Screen


The details of the user, roles, stores and groups assigned can be viewed by clicking on the respective Username.

You can use 'Filter' in order to narrow down the list of users displayed in the screen.

Filter

Figure 7-5 User Filter Screen


You can narrow down the list of users displayed by using the filter criteria provided in the screen.

User Detail Screen

The screen is reached by clicking on the user name in the User Assignment screen. This screen is divided into four tabs: User, Stores, Roles, and Groups.

User

This is the section that is displayed by default when the security user enters the screen by clicking on a Username from the User Assignment screen.

This section displays basic details of a user such as First name, Last name, Create date of the user's profile in the application, Login date (most recent login date), Last Store (the last logged in store) and the user's primary language. This is a read only screen.

Figure 7-6 User Detail Screen


Stores

This section enables the security user to assign or revoke stores for a user. The list of stores that the security user has access to is displayed in the screen, and the security user can assign stores from this list to a user or revoke already assigned stores. If the security user has the global_store_users group assigned, all stores are displayed in the list. The security user needs the Assign User Store permission for this section to be accessible.

Figure 7-7 User Detail (Stores) Screen


Roles

This section displays the set of roles currently assigned to a user. It also enables assigning new roles, revoking already assigned roles, and setting a Start Date and End Date for each role assignment. The user changing this data needs the Assign User Role permission for this section to be accessible.

Figure 7-8 User Detail (Roles) Screen


New Role Assignment

A security user needs the ability to assign roles to a user (a single role or multiple roles) and also to assign stores; this screen enables that activity. In the desktop application, roles are assigned to the stores that a user has access to, so a user can have different permissions for each store they are allowed to log into. This section displays all roles that the security user is allowed to assign. A security user can only assign a role to a user if they have the Data Permission for the Role Type assigned to that Role. It is possible to select one or more stores and one or more roles to be assigned for those stores.

The screen provides a list of options that control which stores are displayed for the security user to assign a role to:

Select from assigned stores: Lists the stores that the user has been assigned to and that the security user also has access to. The security user can select one or more stores from this list to assign roles.

Select from available stores: Lists all the stores that the security user has access to.

All assigned stores: Lists the stores that the user has been assigned to and that the security user also has access to. As the name suggests, this enables the security user to assign roles to ALL the stores assigned to a user at once.

Figure 7-9 User Detail (Roles - New Role Assignment) Screen


Groups

This is a read only section which lists the groups available in the system and indicates the ones that are assigned to the user. The groups are assigned through the external system (OIM).

Figure 7-10 User Detail (Groups) Screen


List of Security Groups

The desktop application comes with seven groups used for special purpose access, which are managed through OIM as roles. Users accessing application UI features that are restricted by group access must also be granted the relevant permissions through role and store assignments. A regular store user should not require any security group assignments for accessing the application UI.

Admin: The group admin_users is required for access to administration tasks, such as managing configuration settings or translations. This group should only be assigned to system operators and administrators.

Batch: The group batch_users is required for access to batch related tasks, such as job management or scheduling. This group should only be assigned to system operators and batch administrators.

Global Store User: The group global_store_users grants the user access to all store locations. This group should only be assigned to system operators, administrators, or special users requiring access to all store locations.

Integration: The group integration_users is required for accessing integration resources, such as web services. This group should only be assigned to users designated for application integration, not those requiring access to the application UI. Users that are only integrating with the inventory desktop application are considered integration users, for example, the RIB injection user is a typical case of an integration user. These users do not require access to the inventory system client applications, and therefore do not require store assignments or role assignments (permissions).

MPS: The group mps_users is required for access to MPS (message processing system) related tasks, such as staged message maintenance or work type management. This group should only be assigned to system operators and MPS administrators.

Security: The group security_users is required for access to security management tasks, such as role maintenance and user role/store assignments. This group should only be assigned to system operators and security administrators.

System Operator: The group sysop_users is required for access to restricted areas and only assigned to system operators, which is typically the cloud operator.

Full Permission: The group full_permission_users grants the user all permissions without a role assignment; however, it does not grant all data permissions. It allows a cloud operator or customer admin to create a user with only Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) app roles, without needing to set up anything in the Inventory system database, in order to log in and perform usual administrative tasks.

Retail Home: The group retail_home_users is required for users that want to access Inventory system features in the Retail Home application.

Users: The group users is required for all Inventory system client user access, that is, desktop or mobile client, not integration users.
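The access rules described in the Roles / New Role Assignment section and in the group list above (per-store role assignments with Start/End dates, the users and global_store_users groups, and full_permission_users bypassing role assignments) can be summarised as a small access-check model. This is an added illustration, not the product's own code; the class names, the check() helper, the "Security Admin" role and the S100/S200/S999 store ids are assumptions, while the permission names are the ones cited on this page.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # feature permissions granted by this role

@dataclass
class RoleAssignment:
    store: str                    # roles are assigned per store
    role: Role
    start: Optional[date] = None  # optional Start Date of the assignment
    end: Optional[date] = None    # optional End Date of the assignment

    def active_on(self, day: date) -> bool:
        return (self.start is None or self.start <= day) and (
            self.end is None or day <= self.end)

@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)        # administered in LDAP/OIM
    stores: set = field(default_factory=set)        # assigned in the desktop app
    assignments: list = field(default_factory=list)

    def can_log_into(self, store: str) -> bool:
        # Client access needs the 'users' group; global_store_users covers every store
        if "users" not in self.groups:
            return False
        return "global_store_users" in self.groups or store in self.stores

    def has_permission(self, perm: str, store: str, day: date) -> bool:
        if not self.can_log_into(store):
            return False
        if "full_permission_users" in self.groups:  # every permission, no role needed
            return True
        return any(a.store == store and a.active_on(day) and perm in a.role.permissions
                   for a in self.assignments)

def check(user: User, perm: str, store: str, day_iso: str) -> bool:
    """Hypothetical helper: same check with the date given as an ISO string."""
    return user.has_permission(perm, store, date.fromisoformat(day_iso))

# Constructed sample data; the permission names are the ones cited on this page.
SECURITY_ADMIN = Role("Security Admin", frozenset({"Access User Maintenance", "Assign User Role"}))
alice = User("alice", groups={"users"}, stores={"S100", "S200"},
             assignments=[RoleAssignment("S100", SECURITY_ADMIN, end=date(2024, 12, 31))])
bob = User("bob", groups={"users", "full_permission_users", "global_store_users"})
rib = User("rib_injector", groups={"integration_users"})  # integration user: no client access
```

Note that alice holds Security Admin only at S100, so the same permission check fails at S200 and after the assignment's End Date, while rib, lacking the users group, cannot open the client at all.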