Oracle Simple Data Security enforces security authorizations for access and modification of specific data records. Oracle Simple Data Security integrates with Oracle Platform Security Services (OPSS) by granting actions to OPSS principals.
The grant defines who (the principals) can do what (the actions) on a given resource. A grant in Oracle Simple Data Security can use any enterprise user or enterprise group as principals.
In the context of Oracle Enterprise Scheduler, a job request access control data security policy comprises a grant, a grantee and a set of oracle.as.scheduler.security.RuntimeDataPermission privileges for a set of job requests as follows:
A grantee, represented by a grantee ID such as a user or application role. The ID should match the user GUID or application role GUID retrieved from Oracle Fusion Middleware.
You can manage the job request access control data security policy using Oracle Enterprise Manager Fusion Middleware Control.
The following behaviors are in place by default:
A user by default can see only the requests they submitted.
If a user can see a request, then they can see the request logs.
If a user can see a request, and if the request does not run with elevated privileges, then the user sees the request output.
If a user can see a request, and if the request runs as an elevated user, the user is not able to see the request output.
A request run-as user (elevated user, if specified) is able to see the request, request log, and request output.
An Administrators group user (for example, "weblogic") is able to see all the requests and request logs.
An Administrators group user is not able to see request output unless the requests were submitted and run as that user.
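The default behaviors above can be modeled as a decision function and used as a reference when testing a deployment's visibility rules. This is an added example, not Oracle code and not an Enterprise Scheduler API: the `Request` class, `default_access`, `access_matrix` and the user names other than "weblogic" are hypothetical. It assumes a request is "elevated" only when a run-as user different from the submitter is specified, and that the Administrators rule on output takes precedence for Administrators group users.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    submitter: str
    run_as: Optional[str] = None  # elevated user, if one was specified

    @property
    def elevated(self) -> bool:
        # Assumption: run-as equal to the submitter is not an elevation.
        return self.run_as is not None and self.run_as != self.submitter

    @property
    def effective_user(self) -> str:
        return self.run_as if self.elevated else self.submitter


def default_access(viewer: str, req: Request, is_admin: bool = False) -> dict:
    """Return what `viewer` may see of `req` under the default behaviors."""
    is_submitter = viewer == req.submitter
    is_run_as = viewer == req.effective_user
    see_request = is_submitter or is_run_as or is_admin
    see_log = see_request  # seeing a request implies seeing its log
    if is_admin:
        # Administrators: output only for requests submitted and run as themselves.
        see_output = is_submitter and is_run_as
    else:
        # The run-as user sees output; the submitter only if not elevated.
        see_output = is_run_as or (is_submitter and not req.elevated)
    return {"request": see_request, "log": see_log, "output": see_output}


def access_matrix(viewers: dict, req: Request) -> dict:
    """Build {viewer: access} from a dict of viewer -> is_admin flags."""
    return {v: default_access(v, req, admin) for v, admin in viewers.items()}


if __name__ == "__main__":
    # Constructed sample users; only "weblogic" is in the Administrators group.
    viewers = {"alice": False, "svc_batch": False, "bob": False, "weblogic": True}
    cases = [("plain", Request("alice")), ("elevated", Request("alice", "svc_batch"))]
    for label, req in cases:
        print(label)
        for viewer, access in access_matrix(viewers, req).items():
            print(f"  {viewer:10} {access}")
```
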
You can use Enterprise Manager to create functional and data security policies for Oracle Enterprise Scheduler. There, you can associate actions with roles to create a policy.
Table 4-7 lists available Simple Data Security actions.
Table 4-7 Grant Actions for Data Security
| Action | Effect |
|---|---|
| | Read the request, get request state, and get details. |
| | Update the request. |
| | Hold request execution. |
| | Cancel a request execution. |
| | Lock a request. |
| | Release the lock on a request. |
| | Delete a request. |
| | Purge a request. |
| ESS_REQUEST_OUTPUT_CREATE | Create the output of a request. |
| | View the output of a request. |
| | Delete the output of a request. |
| | Update the output of a request. |