Oracle Cloud Learning Center

 

This chapter contains the following:

Understanding Security : Getting Started

How Opportunity Information Is Secured : Explained

Enterprise Role Components : Explained

Creating Resource Roles : Worked Example

Creating Rules to Automatically Provision Enterprise Roles to Oracle Fusion CRM Users : Worked Example

Understanding Security : Getting Started

All Oracle Fusion Applications, including the Oracle Sales Cloud Service, come secured using the industry standard for access control, called role-based access control (RBAC). When you assign users enterprise roles, which correspond to their roles in your organization, they gain access both to application functions and to the CRM data on which they must perform those functions. This topic provides an overview of the RBAC approach that is specific to an Oracle Sales Cloud Service implementation. You must review other documentation to obtain a comprehensive understanding of how Oracle's implementation of RBAC is designed to handle a broad range of security needs.

Oracle Fusion Applications are secured with a predefined set of enterprise roles, called the security reference implementation. The security reference implementation fulfills the needs of midsize horizontal enterprises, generally between 250 and 10,000 employees.

You can change this security reference implementation if the roles in your enterprise are different or you must accommodate expansion into vertical industries, such as health care, insurance, automobiles, or food manufacturing. Application patching does not affect your changes.

How RBAC Works in Oracle Fusion CRM

In Oracle Fusion CRM, you assign users enterprise roles that represent the job functions in your organization. These enterprise roles provide both function and data security. They specify what actions users can perform, under what conditions, and on what data. For example, the Sales Manager enterprise role permits sales managers to approve sales forecasts for salespersons, but only for those salespersons who work for them.

In Oracle Fusion CRM, you can assign two types of enterprise roles to each user:

  • Job roles

    Job roles permit users to perform activities specific to their jobs. For example, providing a user with the Sales Manager job role permits him to manage salespersons within the organization, follow up on leads, generate revenue within a territory, build a pipeline, manage territory forecasts, and assist salespeople in closing deals.

  • Abstract roles

    Abstract roles permit users to perform functions that span the different jobs in the enterprise. For example, users who are employees must be provisioned with the Employee abstract role so that they can update their employee profiles and pictures. For CRM, you must also provision users with the Resource abstract role so that they can work on leads, opportunities, and other CRM tasks.

What Enterprise Roles Are Set Up for You

You can assign each application user one or more of the following Oracle Fusion CRM job roles provided by Oracle. If you do assign multiple job roles to a user, and the job roles provide different levels of access, then the job role providing the greatest access takes precedence.

  • Channel Account Manager

  • Channel Administrator

  • Channel Operations Manager

  • Channel Partner Administrator

  • Channel Sales Director

  • Channel Sales Manager

  • Corporate Marketing Manager

  • Customer Data Steward

  • Data Steward Manager

  • Marketing Analyst

  • Marketing Manager

  • Marketing Operations Manager

  • Marketing Vice President

  • Master Data Management Application Administrator

  • Partner Administrator

  • Partner Sales Manager

  • Partner Salesperson

  • Sales Administrator

  • Sales Manager

  • Sales Vice President

  • Sales Representative

You must also assign the following abstract roles to all CRM application users who are employees so they can carry out their work:

  • Employee

  • Resource

A complete list of all enterprise roles, and a detailed description of what access they provide, is included in Oracle Fusion Applications security reference manuals available in the Oracle Fusion Applications Technology Documentation Library (http://docs.oracle.com).

Note

To create users with implementation privileges, you must provision special enterprise roles. See the Creating Setup Users for the Oracle Sales Cloud Service: Worked Example topic and other user topics in this guide for more information.

About Provisioning Enterprise Roles to Users

You enable the provisioning of enterprise roles to users by creating provisioning rules using the Manage HCM Role Provisioning Rules task from the Setup and Maintenance work area. Each rule (also referred to as a mapping) includes one or more conditions, the list of enterprise roles you want to provision, and an option to make the provisioning automatic.

When you select the automatic option, the enterprise role is provisioned automatically to any user who matches the conditions, whenever you create the user in the Create User or Edit User pages or import the user from a file. (In the user interface, you click the Autoprovision button to trigger evaluation of the rules.)

When you create Oracle Fusion CRM application users, you provision job roles based on each user's resource role. A resource role is the job title that you must assign to each resource you create. It appears in the resource directory along with the resource name.

Oracle provides you with resource roles that correspond to the job roles listed previously. Resource Role and Job Role names are the same except for the Salesperson resource role, which matches the Sales Representative job role.

If you are creating users with roles not on this list or your organization uses different titles, then you must create additional resource roles.

In addition to the job roles, each rule must also provision the Resource abstract role.

To provision the required Employee abstract role, you should create a separate rule using the Assignment Type = Employee condition rather than a resource role. This is because you want to provision the Employee abstract role even to users who are not CRM resources, such as setup users. For details, see Creating Setup Users for the Oracle Sales Cloud Service: Worked Example.

Steps for Setting Up Enterprise Role Provisioning

Implement security for application users before you create the users themselves using the following steps:

  1. Create any additional resource roles that are not provided, for example, CEO.

    The procedure for creating a resource role is outlined in the Creating Resource Roles: Worked Example topic.

  2. Create one rule to provision the Employee abstract role to all users who are employees.

    This is a one-time setup. If you created setup users, then you already created this rule and can skip this step. Creating the rule to provision the Employee abstract role is covered as part of the Creating Setup Users for the Oracle Sales Cloud Service: Worked Example topic.

  3. Create the rules to provision all the resource roles with the appropriate job roles. Each rule must also provision the Resource abstract role.

    The procedure for creating provisioning rules is outlined in the Creating Rules to Automatically Provision Enterprise Roles for the Oracle Sales and Marketing Cloud Service: Worked Example topic.

    You can assign multiple enterprise roles to an individual. For example, if the CEO wants to access the same functions as the Sales Vice President and the Marketing Vice President, then you can provision the CEO with both enterprise roles. If you want to create different enterprise roles with different levels of access, then you must understand the reference implementation provided by Oracle in more detail and you may have to ask Oracle for help.

How Opportunity Information Is Secured : Explained

This topic explains how the security reference implementation provided by Oracle determines who can access what opportunity information in your CRM organization.

Whether or not you can access a particular opportunity depends on your membership in the resource and territory hierarchies. You have access to the opportunity if:

  • You create the opportunity.

  • You are on the opportunity sales team.

  • You are the owner of the territory.

  • The opportunity owner is your direct or indirect report in the resource hierarchy.

  • You are assigned to a territory for the sales account associated with the opportunity, or a territory is assigned to the revenue lines on the opportunity.

Access differs between territory members and opportunity members:

  • An opportunity owner gets full access to the opportunity, which includes the ability to edit as well as add and remove team members.

  • Owners and members of territories assigned to the sales account of the opportunity get read-only access to the opportunity and are not added to the opportunity sales team.

  • Owners and members of territories assigned to the opportunity revenue lines are added as a distinct list of territories to the opportunity sales team. Owners and members of these territories get full access to the opportunity. Depending on a profile option, either only the owner or all the members of the territory are added as resources to the opportunity sales team. Regardless of the access level for these members as a resource on the opportunity team, they will always have full access.

The following figure illustrates some of the different ways you gain access to an opportunity:

  • Named agents in the diagram (A, B, and C) can access the opportunity

  • Unnamed agents (highlighted in yellow) cannot access the opportunity

  • Sales managers can access the opportunity because a salesperson in their management chain has access.

This figure shows who in a sales hierarchy can access an opportunity:

[Figure: How data security policies determine access to opportunities.]

  • Agent A can access the opportunity because she created it. When you create an opportunity, you are the initial owner.

  • Agent B can access the opportunity because he is on the sales team.

  • Agent C can access the opportunity because he is the owner of the NW territory.

  • Sales managers who are higher up in the management chain can also see the opportunity because access is provided through the resource hierarchy. Agent C's manager can access the opportunity information, but agent C's colleagues cannot.

Note

Access using revenue lines and sales accounts is not shown in this figure.
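The access conditions above, applied to the figure's scenario, as an added Python sketch for access reviews (not Oracle code). The hierarchy, the resource names other than the NW territory, and Agent B's team access level are constructed; levels are reported only where this topic states them.

```python
from dataclasses import dataclass, field

# Constructed resource hierarchy (resource -> manager); all names are illustrative.
MANAGER_OF = {"agent_a": "mgr_east", "agent_b": "mgr_east", "agent_c": "mgr_west",
              "agent_d": "mgr_west", "mgr_east": "sales_vp", "mgr_west": "sales_vp"}

# Access level this topic states for each kind of territory link (None = not stated).
TERRITORY_LEVEL = {"opportunity": None, "sales account": "read-only", "revenue line": "full"}

@dataclass
class Territory:
    name: str
    kind: str                      # a key of TERRITORY_LEVEL
    owner: str
    members: set = field(default_factory=set)

@dataclass
class Opportunity:
    owner: str                     # the creator is the initial owner
    sales_team: dict = field(default_factory=dict)   # resource -> view/edit/full
    territories: list = field(default_factory=list)

def direct_grounds(user, opp):
    """Reasons the user has access without relying on the management chain."""
    grounds = []
    if user == opp.owner:
        grounds.append(("owner", "full"))
    if user in opp.sales_team:
        grounds.append(("sales team", opp.sales_team[user]))
    for t in opp.territories:
        # Members count only for sales-account and revenue-line territories.
        if user == t.owner or (t.kind != "opportunity" and user in t.members):
            grounds.append((f"{t.kind} territory {t.name}", TERRITORY_LEVEL[t.kind]))
    return grounds

def managers_above(resource):
    """Direct and indirect managers, nearest first (guards against cycles)."""
    chain, seen = [], {resource}
    while (resource := MANAGER_OF.get(resource)) and resource not in seen:
        chain.append(resource)
        seen.add(resource)
    return chain

def access_grounds(user, opp):
    """Direct grounds plus access gained through reports in the resource hierarchy."""
    grounds = direct_grounds(user, opp)
    for report in sorted(MANAGER_OF):
        if user in managers_above(report) and direct_grounds(report, opp):
            grounds.append((f"management chain above {report}", None))
    return grounds

def who_can_access(opp):
    """Every known resource with at least one ground for access."""
    everyone = set(MANAGER_OF) | set(MANAGER_OF.values())
    return sorted(u for u in everyone if access_grounds(u, opp))

# The figure's scenario: A created it, B is on the team, C owns the NW territory.
FIGURE_OPP = Opportunity(owner="agent_a", sales_team={"agent_b": "edit"},
                         territories=[Territory("NW", "opportunity", "agent_c")])

if __name__ == "__main__":
    for user in who_can_access(FIGURE_OPP):
        print(user, access_grounds(user, FIGURE_OPP))
```

Agent C's colleague (`agent_d` here) appears in no result, while both managers and the vice president do, which is the hierarchy effect an access review needs to account for.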

Special Access

Some access is not affected by the management hierarchy and membership in sales teams or territories. This special access includes:

  • Administrators: Administrators get access to opportunities and other objects. This access is based on their privileges, regardless of where the administrators are in the management hierarchy. Administrators do not have to be on the sales team or members of territories.

  • Deal Protection: Salespersons assigned to an opportunity retain the sales credit on an opportunity even if they are moved to another opportunity.

  • Team Selling: You can configure the application to allow salespersons to see all opportunities related to their sales accounts.

Enterprise Role Components : Explained

You must understand the components of the enterprise roles in the security reference implementation provided by Oracle if you want to learn what permissions these enterprise roles grant to users and to plan any changes.

The permissions each enterprise role gives a user are described in security reference manuals. This topic describes enterprise roles and their components, and provides an example of how those components work together.

The Components of Enterprise Roles

The following figure outlines the different components of an enterprise role:

[Figure: Enterprise role components.]

  • Enterprise roles

    There are two types of enterprise roles that are assigned to each user:

    • Job roles

      Job roles permit users to perform activities specific to their jobs. For example, providing a user with the Sales Manager job role permits him to manage salespersons within the organization, follow up on leads, generate revenue within a territory, build a pipeline, manage territory forecasts, and assist salespeople in closing deals.

    • Abstract roles

      Abstract roles permit users to perform functions that span the different jobs in the enterprise. For example, users who are employees must be provisioned with the Employee abstract role, so they can update their employee profiles and pictures. For CRM, you must also provision users with the Resource abstract role, so they can work on leads, opportunities, and other CRM tasks.

  • Duty roles

    Job and abstract roles permit users to carry out actions by virtue of the duty roles they include. For example, the Sales Manager job role includes the Sales Lead Follow Up Duty and the Quota Management Duty. The Sales Management Duty makes it possible for the managers to create and update a sales lead, qualify a sales lead, and convert a sales lead into an opportunity. The Quota Management Duty enables the management of sales territory quotas and territory quota formulas.

  • Functional security policies

    Attached to the duty roles are policies that permit an individual who is assigned that duty to access different user interface elements, Web services, task flows, and other functions. For example, a sales manager who has the Delete Opportunity functional policy will be able to view and click the Delete button. Removing that policy removes the button from view.

    A functional policy is made up of the duty role name and the functional privilege (for example, Delete Opportunity) that specifies the application features that are being secured. In the security reference manuals, functional privileges are listed in the Privileges section.

  • Data security policies

    Also attached to the duty roles are data security policies that specify which roles can perform an action under what conditions. For example, the Opportunity Sales Manager Duty includes a data security policy which specifies that sales managers can view opportunities if they are in the management chain or are members of the sales team on the opportunity.

    Each data security policy represents an underlying SQL query. The application evaluates the query at run time, and permits access to data that meets the condition.

    A data security policy is composed of the name of the duty where it applies, a data privilege, and a condition. A data privilege is the combination of: the action users can take, the conditions under which they can carry them out, and the objects they can act on. Data privileges are listed in the Data Security Policies section of the security reference manuals.

How Enterprise Roles Work in Practice

The following figure illustrates how the different components of the Sales Manager job role work in practice:

  • The provisioning rule automatically provisions employee sales managers with the enterprise roles they need to do their jobs: the Sales Manager job role and the Employee and Resource abstract roles.

  • The Sales Manager job role includes the Quota Viewing Duty and the Sales Manager Duty.

  • Duty roles inherit other duty roles. For example, the Sales Manager Duty inherits many other duty roles including the Marketing Lead Analysis Duty and the Opportunity Sales Manager Duty.

  • The duty roles are associated with functional security policies and data security policies. For example, the inherited Opportunity Sales Manager Duty comes with:

    • Functional security policies that specify which application pages and functions sales managers can access for deleting, assigning, closing, creating, and viewing an opportunity. The view opportunity policy, for example, permits sales managers to view all UIs, Web services, and task flows related to opportunities.

    • Data security policies that specify what actions opportunity sales managers can take on what opportunities and under what conditions.

      For example, opportunity sales managers can view all data related to opportunities where they are an opportunity sales team member with view, edit, or full access.

[Figure: Sales manager duty example.]

The following figure shows more detail about the composition of policies. Each policy, such as the View Opportunity policy, is composed of a duty role name and a privilege:

  • The view opportunity functional security policy is composed of the duty name and the View Opportunity functional privilege.

  • The view opportunity data security policy is composed of the duty name, the View Opportunity data privilege, and the condition: Where they are an opportunity sales team member with view, edit, or full access.

[Figure: Functional and data security policy detail.]
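The Sales Manager composition described above, as an added Python sketch (not Oracle code): it expands a job role into its inherited duty roles, checks a functional policy, and applies the View Opportunity data security policy as a SQL condition. The table names, the SQL text, the sample rows and the deny-by-default behaviour are assumptions made for illustration, with SQLite standing in for the application database.

```python
import sqlite3

# Role graph from the Sales Manager example: a role maps to the duty roles
# it includes or inherits.
INHERITS = {
    "Sales Manager": ["Quota Viewing Duty", "Sales Manager Duty"],
    "Sales Manager Duty": ["Marketing Lead Analysis Duty",
                           "Opportunity Sales Manager Duty"],
}
# Functional policy = (duty role, functional privilege).
FUNCTIONAL = {("Opportunity Sales Manager Duty", "View Opportunity"),
              ("Opportunity Sales Manager Duty", "Delete Opportunity")}
# Data policy = (duty role, data privilege) -> condition. Hypothetical SQL:
# "sales team member with view, edit, or full access".
DATA = {("Opportunity Sales Manager Duty", "View Opportunity"):
        "EXISTS (SELECT 1 FROM opp_team t WHERE t.opp_id = o.id "
        "AND t.resource = :user AND t.access IN ('view', 'edit', 'full'))"}

def effective_roles(roles):
    """The assigned roles plus every duty role reachable through inheritance."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, []))
    return seen

def can_use(roles, privilege, functional=FUNCTIONAL):
    """True if any effective duty role carries the functional privilege."""
    eff = effective_roles(roles)
    return any(duty in eff and priv == privilege for duty, priv in functional)

def visible_rows(conn, user, roles, privilege):
    """Opportunity names the user may act on under the matching data policies."""
    eff = effective_roles(roles)
    conds = [sql for (duty, priv), sql in DATA.items()
             if duty in eff and priv == privilege]
    if not conds:
        return []                       # no policy applies: deny (assumption)
    # Conditions come from the policy table above, never from user input;
    # the user identity is always passed as a bound parameter.
    where = " OR ".join(f"({c})" for c in conds)
    query = f"SELECT o.name FROM opportunity o WHERE {where} ORDER BY o.name"
    return [row[0] for row in conn.execute(query, {"user": user})]

def demo_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE opportunity (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE opp_team (opp_id INTEGER, resource TEXT, access TEXT);
        INSERT INTO opportunity VALUES (1, 'Acme renewal'), (2, 'Globex upsell');
        INSERT INTO opp_team VALUES (1, 'maria', 'full'), (2, 'li', 'edit');
    """)
    return conn

if __name__ == "__main__":
    print(can_use(["Sales Manager"], "Delete Opportunity"))
    print(visible_rows(demo_db(), "maria", ["Sales Manager"], "View Opportunity"))
```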

Creating Resource Roles : Worked Example

Follow the steps in this topic to create resource roles. Resource roles, for example, Sales Manager, Salesperson, or Vice President of Marketing, describe the role that a resource plays in the CRM organization and appear as job titles in the resource directory and in social applications, such as Activity Stream. Resource roles are also used to assign users the enterprise roles they need to carry out the duties of their job.

After you create a resource role, you must create the appropriate provisioning rules to provision the user with the required enterprise roles. The resource role by itself is only a title.

Note

Common CRM resource roles are already set up for you. These are labeled as System roles in the application. To obtain a list, click Search in the Manage Resources page without entering any search criteria.

Steps to Create a Resource Role

  1. Navigate to the Setup and Maintenance work area by selecting the link in the Navigator menu.
  2. On the All Tasks tab, search for the Manage Resource Role task.
  3. Click the Go to Task button.

    The Manage Resource Roles page appears.

  4. Click the Create button.

    The Create Resource Role page appears.

  5. In the Role Name field, enter the name of the resource role as it will appear in the application, for example, CEO.
  6. In the Role Code field, enter a unique internal name. No spaces are permitted.
  7. Select the Manager option if the resource role belongs to a manager, or the Member option if the resource role belongs to a single contributor.
  8. In the Role Type list, select either Sales or Marketing to classify the role that you are creating. Your selection has no impact on the security functionality.
  9. Click the Save and Close button.

Creating Rules to Automatically Provision Enterprise Roles to Oracle Fusion CRM Users : Worked Example

Follow the steps in this example to create rules that automatically provision Oracle Fusion CRM application users with the necessary enterprise roles. The provisioning is based on the resource role that you assign to a user.

In this example, you create a rule to provision users with the Sales Vice President resource role with the enterprise roles they need to perform their jobs.

Steps to Create an Autoprovisioning Rule

  1. From the Navigator menu, click the Setup and Maintenance link located under the Tools heading.
  2. On the Overview page All Tasks tab, search for the Manage HCM Role Provisioning Rules task.
  3. Click the Go to Task button for the Manage HCM Role Provisioning Rules task.

    The Manage HCM Role Provisioning page appears.

  4. Click the Create button.

    The Create Role Mapping page appears.

  5. In the Mapping Name field enter a name, for example, Sales Vice President.
  6. In the Conditions region, enter the resource role as a condition. In this example, you enter Sales Vice President in the Resource Role field.
  7. Enter Active for Assignment Status.

    This additional condition ensures that the provisioned enterprise roles are automatically removed if the user is terminated.

  8. In the Associated Roles region, click Add to add the enterprise roles. For this example, you add the following:
    • Sales Vice President

    • Resource

    Note

    Each CRM resource who is an employee must be provisioned with both the Resource and Employee abstract roles. You must create a separate rule that assigns the required Employee abstract role to all users who are employees. You must always provision the Resource role along with the appropriate job roles. This provisioning ensures that the user can be assigned work in your CRM application.

  9. Make sure the Autoprovision option is selected for all the job roles.
  10. Click Save and Close.
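The rule model from this worked example and from About Provisioning Enterprise Roles to Users, as an added Python sketch (not Oracle code): it evaluates role mappings against a user's attributes and audits a rule set for the two safeguards the page calls for. The attribute keys, the Inactive status value, the Active condition on the Employee rule and the deliberately incomplete CEO rule are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict           # attribute -> required value; all must match
    roles: tuple               # enterprise roles the rule provisions
    autoprovision: bool = True

# Constructed rule set. The first three follow the page (the Active condition
# on the Employee rule is an assumption); the CEO rule is deliberately
# incomplete so the audit below has something to report.
RULES = [
    RoleMapping("Employee",
                {"assignment_type": "Employee", "assignment_status": "Active"},
                ("Employee",)),
    RoleMapping("Sales Vice President",
                {"resource_role": "Sales Vice President",
                 "assignment_status": "Active"},
                ("Sales Vice President", "Resource")),
    RoleMapping("Salesperson",
                {"resource_role": "Salesperson", "assignment_status": "Active"},
                ("Sales Representative", "Resource")),
    RoleMapping("CEO", {"resource_role": "CEO"},
                ("Sales Vice President", "Marketing Vice President")),
]

def provisioned_roles(user, rules=RULES):
    """Union of roles from every autoprovision rule whose conditions all match."""
    roles = set()
    for rule in rules:
        matches = all(user.get(k) == v for k, v in rule.conditions.items())
        if rule.autoprovision and matches:
            roles.update(rule.roles)
    return roles

def audit_rules(rules=RULES):
    """Flag rules that miss the safeguards described on the page."""
    findings = []
    for rule in rules:
        # Without this condition, roles are not removed when a user is terminated.
        if rule.conditions.get("assignment_status") != "Active":
            findings.append((rule.name, "no Assignment Status = Active condition"))
        # Every rule keyed on a resource role must also grant Resource.
        if "resource_role" in rule.conditions and "Resource" not in rule.roles:
            findings.append((rule.name, "Resource abstract role not provisioned"))
    return findings

if __name__ == "__main__":
    vp = {"resource_role": "Sales Vice President",
          "assignment_type": "Employee", "assignment_status": "Active"}
    print(sorted(provisioned_roles(vp)))
    print(sorted(provisioned_roles({**vp, "assignment_status": "Inactive"})))
    for finding in audit_rules():
        print(finding)
```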


Copyright © 2013, Oracle and/or its affiliates. All rights reserved.