Oracle® Retail AI Foundation Cloud Services Security Guide
Release 22.2.401.0
F72323-01

1 Security Features

Oracle Retail AI Foundation Cloud Services uses web services to push information to Customer Engagement and to expose configuration as well as application incremental data and reports to customers.

Technology-Specific Guidelines

This section details the security guidelines.

Security Features

Oracle Retail AI Foundation Cloud Services supports the following security features.

Web Services

The Web service in Oracle Retail AI Foundation Cloud Services is stateless, so state is not stored or managed. Pagination such as the batch size of data and parameters such as export data time, product, location, and so on are used to manage payload size and to handle session timeouts.

SOAP

Oracle Retail AI Foundation Cloud Services has an Outbound Interface to push Customer Segment and its members to ORCE (Customer Engagement). This interface supports the following security features.

  • Message authentication is enabled in ORCE, and the Oracle Retail AI Foundation Cloud Services message includes authentication information in the HTTP header for the message. This authentication information is specific to ORCE and is stored in the Credential Stores. The Credential Stores are created or updated from the Data Management task, enabled for an Administrator. The Base64 encoding tool is used to encode the authorization key that is sent as part of the Message HTTP Header request. The Credential Stores use APIs that applications can use to create, read, update, and manage credentials securely and mark code as being "privileged", thus affecting subsequent access determinations.

  • Oracle Retail AI Foundation Cloud Services provides configuration to set up proxy settings for both HTTP and HTTPS.

  • XML sent as part of the message relies on marshalling and un-marshalling to and from Java Objects generated using the WSDL/Schema exposed via ORCE. This ensures that the generated XML is well formed and valid. It is the responsibility of ORCE to convert XML; Oracle Retail AI Foundation Cloud Services does not perform any XML Conversion. There are no concerns regarding XXE and XEE.

REST

Oracle Retail AI Foundation Cloud Services has an Outbound Interface to export data (GET request), and it uses REST to expose data. These web services are REST-based; it is assumed that callers are familiar with the basic REST principles (such as the usage of HTTP verbs). AC and ASO export web services can serve as a means of obtaining incremental update data from a specified point in time. All services support the query parameter contentType and the HTTP header Content-Type, with supported values application/json and application/xml. The query parameter takes precedence; if no content type is supplied, then application/json serves as the default. Basic authentication is used, so you may use any client software that supports it. Authorization is done for ADF-LDAP (OID) mapped roles, and only administrator roles are used. (That is, the calling user must be in a duty that is mapped to the defined administrator roles.) JSON/XML parsing is done using standard JAXB, and request parameters are validated before data is fetched.
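The following Python sketch is an added example, not Oracle code. It builds an export request the way the paragraph above describes (Basic authentication, contentType query parameter taking precedence over the Content-Type header, JSON as the default) and shows that the Basic header is reversible, which is why it refuses non-HTTPS URLs. The host, path, and credentials are constructed placeholders, and rejecting unsupported content types on the client side is an assumption of this example.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

SUPPORTED = ("application/json", "application/xml")

def effective_content_type(query, headers):
    """Query parameter contentType wins over the Content-Type header;
    with neither supplied the service defaults to application/json."""
    for candidate in (query.get("contentType"), headers.get("Content-Type")):
        if candidate:
            value = candidate.split(";")[0].strip().lower()
            if value not in SUPPORTED:
                raise ValueError(f"unsupported content type: {candidate!r}")
            return value
    return "application/json"

def basic_auth_header(user, password):
    """Basic authentication is Base64 of user:password, an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def recover_credentials(header_value):
    """Anything that sees the header (proxy, access log) can recover the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def build_export_request(url, user, password, query=None, headers=None):
    """Build (without sending) a GET request and predict the response format."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    query, headers = dict(query or {}), dict(headers or {})
    expected = effective_content_type(query, headers)
    headers["Authorization"] = basic_auth_header(user, password)
    full_url = f"{url}?{urlencode(query)}" if query else url
    return Request(full_url, headers=headers, method="GET"), expected

if __name__ == "__main__":
    # Constructed values: placeholder host and credentials, not a real endpoint.
    req, fmt = build_export_request(
        "https://aif.example.invalid/export", "svc_user", "constructed-pw",
        query={"contentType": "application/xml"},
        headers={"Content-Type": "application/json"})
    print(fmt, recover_credentials(req.get_header("Authorization")))
```

Because the header decodes back to the clear-text password, Authorization headers should be kept out of proxy and application logs.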

Authentication and Authorization

For authorization, Oracle Retail AI Foundation Cloud Services modules have been built with role-based access. Access to application user interface components is done by assigning application roles. Application roles are defined as part of the application and deployed as part of the installation process. Application roles are mapped to enterprise roles during the initial environment provisioning. Enterprise roles exist as LDAP groups in OID. For Oracle Identity Cloud Service (IDCS) and Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) users, it is available in the import file. Refer to the Oracle Retail AI Foundation Cloud Services User Guide for the definition of standard user roles.

User Roles

Oracle Retail AI Foundation Cloud Services supports the following roles.

Table 1-1 User Roles

| Job Role | Role Description |
|---|---|
| AIF Platform | |
| ADMINISTRATOR_JOB | A user who understands all the parameters driving the application and is responsible for their configuration as well as managing the credential store for CE, RPM, and so on. |
| ANALYTIC_EXPERT_JOB | Responsible for understanding the retailer's business, has some business analytics training, and has been trained in the use of the CDT and DT applications. |
| ASSORTMENT_PLANNER_JOB | The Assortment Planner is responsible for creating the category assortments, to meet the roles, strategies, and tactics set for the category by the Category Manager. Multiple category assortments are created, for each cluster or store. One planner can be responsible for multiple categories. |
| CLUSTERING_ADMINISTRATOR_JOB | Responsible for planning, building, and analyzing store clusters based on a variety of store and category attributes to support assortment, pricing, and space planning business processes in the Store Clustering Module. |
| CUSTOMER_ANALYST_JOB | Develops customer segments and analyzes their customer shopping and buying behavior to determine customer differentiation, trends, and opportunities in Customer Segmentation Module. |
| CUSTOMER_SEGMENT_ADMINISTRATOR_JOB | Responsible for analytical defaults and configuration, testing, and model diagnosis. This includes Filter, Sampling and Attribute Mining in the Customer Segmentation Module. |
| DATA_LAKE_HUE_ANALYST_JOB | Analyst role for accessing data lake. |
| DATA_LAKE_HUE_ADMIN_JOB | Administrator role for accessing data lake. |
| FORECAST_ANALYST_JOB | Reviews and approves forecasts on a day-to-day basis. An advanced forecast analyst may also be responsible for forecast parameter maintenance and demand modeling activities. |
| HOS_FORECAST_ANALYST_JOB | A user who understands the restaurant's business, has some business analytics training, and has been trained in the use of the Forecasting application. |
| HOS_FORECAST_CORPORATE_ANALYST_JOB | Responsible for ensuring the efficient running and profitability of multiple stores in a restaurant chain. This user works with the store manager to review and override the daily sales forecasts, as needed. |
| HOS_FORECAST_STORE_MANAGER_JOB | Responsible for overseeing stock levels and ordering supplies to meet a restaurant's profitability and quality goals. This user reviews, overrides, and approves the daily sales forecast of menu item groups. The store manager is typically responsible for one store. |
| MARKET_ANALYST_JOB | Reviews customer segments with business experts, suited (distinctly) for targeted promotion, category and assortment planning, targeted pricing, customer, and market basket analytics in Customer Segmentation module. |
| MARKET_BASKET_ANALYSIS_JOB | A user who understands the retailer's business, has some business analytics training, and is responsible for reviewing sales transaction affinity analysis. |
| MERCHANDISER_JOB | A Store Merchandiser (or In-Store Merchandiser) is an hourly employee who executes the placement and assembly of retail fixtures, adjustment of shelves and arrangement and placement of product on the shelves in accordance with CAD drawings and planograms. |
| ORCL_ADMIN_JOB | Oracle Cloud Administration role for a retailer using Innovation Workbench using APEX Workspace. |
| RETURN_LOGISTICS_JOB | A user who is familiar with the retailer's product categories and has been trained in the use of the AE application. |
| SIZE_PROFILE_ANALYST_JOB | Responsible for system parameter maintenance to support size profile calculations. May also be responsible for approval of size profiles. A user who understands size and profile estimations and is able to review and submit them for the retailer's business. |
| SIZE_PROFILE_OPT_JOB | A user who understands size and profile estimations and is able to review and submit them for the retailer's business. |
| SOCIAL_ANALYTICS_JOB | A user who understands the retailer's business, has some business analytics training, and has been trained in the use of the Social Analytics application. |
| ATTRIBUTE_EXTRACTION_JOB | A user who is familiar with the retailer's product categories and has been trained in the use of the Attribute Extraction. |
| ATTRIBUTE_BINNING_JOB | A user who understands the retailer's business, has some business analytics training, and has been trained in the use of the CDT application and attribute binning application. |
| MENU_RECOMMENDATION_JOB | A user who understands the restaurant's business, has some business analytics training, and has been trained in the use of the Menu Recommendation. |
| DATA_SCIENCE_ANALYST_JOB | Data Science Analyst role for a retailer using Innovation Workbench using APEX Workspace. |
| DATA_SCIENCE_ADMINISTRATOR_JOB | Data Science Administration role for a retailer using Innovation Workbench using APEX Workspace. |
| DATA_SCIENCE_ORCL_ADMIN_JOB | Data Science Cloud Administration role for a retailer using Innovation Workbench using APEX Workspace. |
| DATA_SCIENCE_OLDS_ADMIN_JOB | Role to enable the administration of Python notebook service under Innovation Workbench. |
| DATA_SCIENCE_OLDS_ANALYST_JOB | Role to enable the Python notebook for an analyst under Innovation Workbench. |
| POSLOGS_SERVICE_JOB | Point of Sales broadcast listener role to enable integration between AIF and Oracle XStore. |
| PLATFORM_SERVICES_ADMINISTRATOR_ABSTRACT | Platform Services role required for accessing services. |
| Assortment Space Optimization | |
| CATEGORY_MANAGER_JOB | Product-assortment-centric user who is interested in viewing ASO results and in the translation of data between CMPO, Retail Analytics, and ASO. |
| SPACE_PLANNER_JOB | A Store Planner is a corporate employee with responsibility for designing the layout of floor plans, department sizes and locations, the layout of fixtures and aisles, applying health, safety and welfare guidelines, and managing and publishing floor-plan versions. This user is also responsible for the day-to-day micro-space optimization activities. |
| MERCHANDISING_ANALYST_JOB | Main business user responsible for day-to-day micro-space optimization activities. |
| SPACE_ADMINISTRATOR_JOB | Responsible for general system setup and configuration tasks related to the business. |
| FORECAST_MANAGER_JOB | Responsible for analytical configuration, testing, and model diagnosis. |
| Promotions and Markdowns Optimization | |
| BUYER_JOB | Responsible for a department or departments and makes the budget decisions for pricing recommendations. Approves or rejects an OO run. Responsible for the translation of data between OO and Oracle Retail Price Management (RPM) and Oracle Retail Customer Engagement (CE). |
| PRICING_ANALYST_JOB | Main business user responsible for day-to-day pricing optimization activities (e.g., creating scenarios). |
| PRICING_MANAGER_JOB | Responsible for analytical configuration, testing, and model diagnosis. Oversees the work done by the pricing analyst. |
| PRICING_ADMINISTRATOR_JOB | Responsible for the general system setup and configuration tasks related to the business. |
| Offer Optimization | |
| CHATBOT_QNA_VIEW_JOB | Conversational AI role to enable frequently asked question types of bot conversation. |
| CHATBOT_SERVICE_JOB | Conversational AI role to enable integration between AIF and Oracle Chatbot. |
| CHATBOT_VIEW_JOB | Conversational AI role to enable real time bot conversations. |
| TARGETED_OFFER_JOB | User who probably works in the marketing department and who is responsible for accepting or rejecting targeted offers that are sent out to customers. |
| Inventory Optimization | |
| INVENTORY_ANALYST_JOB | Works closely with the buyer to ensure product distribution aligns to strategy. Main business user responsible for day-to-day inventory optimization activities (e.g., reviewing strategies, recommendations, and so on). |


Note that in stage and pre-production environments, users are assigned roles that are appended with _PREPROD.

Oracle Retail AI Foundation Cloud Services/ORDS Integration

This section provides security details regarding ORDS/(APEX) integration with Oracle Retail AI Foundation Cloud Services. The following three security features are provided:

  • Single Sign On (SSO). AIF integration with ORDS supports SSO, using an ORDS-provided authentication scheme called HTTP Header Variable. User credential verification is performed by IDCS or OCI IAM, which passes the user's name to Oracle Application Express using an HTTP header variable such as IDCS REMOTE_USER. While setting up the scheme in ORDS, the logout URL is also configured.

  • Schema used in the ORDS Workspace. Oracle Retail AI Foundation Cloud Services integration with ORDS includes defining a new schema called Retail Workspace Schema in the ORDS workspace. This is provided to the retailer, and in turn is associated with the AIF product schema. Any database objects shared with the Retail Workspace Schema have read-only privileges.

  • Declarative REST API. Oracle Retail AI Foundation Cloud Services integration with ORDS also provides the retailer with a declarative way to create new service endpoints in the system. Access to such endpoints is enabled via OAuth 2.0. This REST API request is authorized using the IDCS or OCI IAM client credentials grant type, where the retailer requests an access code from IDCS or OCI IAM and passes the token in subsequent calls to access data.
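
The client credentials exchange described in the last item, as an added Python example that is not Oracle code: it builds the token request defined in RFC 6749 section 4.4, validates the token response, and reuses the token until shortly before it expires. The token URL, client id, secret, and scope are constructed placeholders, and `fetch` is a hypothetical callable standing in for the HTTPS call to IDCS or OCI IAM.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

def build_token_request(token_url, client_id, client_secret, scope):
    """Client credentials grant: the client authenticates as itself, no end user."""
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    body = urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    return Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })

def parse_token_response(raw, now=None):
    """Validate the JSON token response; return (token, absolute expiry time)."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("not a usable bearer token response")
    now = time.time() if now is None else now
    return doc["access_token"], now + int(doc.get("expires_in", 0))

class TokenCache:
    """Reuse the token until shortly before it expires, then fetch a new one."""

    def __init__(self, fetch, skew=30):
        # fetch() is a hypothetical callable returning the raw JSON token response.
        self._fetch, self._skew = fetch, skew
        self._token, self._expires = None, 0.0

    def bearer_header(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires - self._skew:
            self._token, self._expires = parse_token_response(self._fetch(), now)
        return {"Authorization": f"Bearer {self._token}"}

if __name__ == "__main__":
    # Constructed token response, so the example runs offline.
    sample = json.dumps({"access_token": "constructed-token",
                         "token_type": "Bearer", "expires_in": 3600})
    cache = TokenCache(lambda: sample)
    print(cache.bearer_header())
```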