Manage User Roles and Access

You can create, edit, and remove user roles to secure access to your application's business objects.

In addition to the Authenticated User role granted to every user who signs in to your application, users can be assigned a user role based on their credentials and the groups they belong to in Oracle Identity Cloud Service (IDCS). When a user tries to access data in a business object secured by a user role, the user's role assignments are checked against IDCS. Access is granted if one of the user roles securing the business object is mapped to one of the groups the user belongs to in IDCS, or if the user was mapped to that user role directly.
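The access decision described above, modelled as an added example (not Visual Builder's own code): a business object is secured by a set of user roles, each role maps to IDCS groups and/or directly assigned users, and access is granted when any securing role matches. The role, group and user names are constructed for illustration, and the stale-mapping report assumes you can list the groups and users that currently exist in the identity domain.

```python
"""Constructed model of role-based access to a secured business object.

Access is granted when at least one role securing the object is mapped to
one of the caller's IDCS groups, or names the caller directly. A role whose
mapped group or user no longer exists in IDCS grants nothing, so it is
reported separately for the administrator to fix.
"""
from dataclasses import dataclass, field

# Constructed sample data; these names are hypothetical, not from a real tenant.
IDCS_GROUPS = {"Sales", "Managers", "Finance"}          # groups present in the domain
IDCS_USER_GROUPS = {                                     # user -> groups in IDCS
    "alice@example.com": {"Sales"},
    "bob@example.com": {"Finance"},
    "carol@example.com": set(),
}


@dataclass
class UserRole:
    name: str
    groups: set = field(default_factory=set)   # role mapping to IDCS groups
    users: set = field(default_factory=set)    # users mapped to the role directly


ROLES = {
    "SalesRep": UserRole("SalesRep", groups={"Sales"}),
    "Approver": UserRole("Approver", groups={"Managers"}, users={"bob@example.com"}),
    "Legacy": UserRole("Legacy", groups={"RetiredTeam"}),   # group no longer in IDCS
}


def can_access(user, securing_roles, roles=ROLES, user_groups=IDCS_USER_GROUPS):
    """True if any role securing the object grants access to `user`."""
    groups = user_groups.get(user, set())      # unknown user -> no groups
    for role_name in securing_roles:
        role = roles.get(role_name)
        if role is None:                       # role not defined in the app
            continue
        if user in role.users or groups & role.groups:
            return True
    return False


def stale_mappings(roles=ROLES, idcs_groups=IDCS_GROUPS, idcs_users=IDCS_USER_GROUPS):
    """(role, target) pairs whose mapped group or user no longer exists in IDCS."""
    stale = []
    for role in roles.values():
        stale += [(role.name, g) for g in sorted(role.groups - idcs_groups)]
        stale += [(role.name, u) for u in sorted(role.users - set(idcs_users))]
    return stale


if __name__ == "__main__":
    print(can_access("alice@example.com", {"SalesRep"}))   # True via group mapping
    print(stale_mappings())                                # [('Legacy', 'RetiredTeam')]
```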

Use the User Roles tab in a visual application’s Settings editor to create a user role and assign users and groups in your IDCS account to the user role. Assigning groups to your user role maps the role to IDCS groups and is known as "role mapping". Once you create a user role, the role and any users or groups assigned to it are automatically added to the client application in IDCS.

To create a user role in your visual application:

  1. On the Visual Builder Home page, locate the visual application whose settings you want to change and choose Settings in the Application Options menu. Alternatively, choose Settings in the application’s Menu in the upper right corner.
  2. Open the User Roles tab in the Settings editor.

    If user roles have been defined, you'll see a tile for each user role in your application (along with the groups and users assigned to it).

  3. Click Create Role.
  4. Enter a name for the role in the Create Role dialog box. Click Create.

    This role name is displayed when designing your application, but is not exposed to users.

  5. Before you proceed to assign groups or users, or edit a user role, verify that the application profile selected in the Application Profile drop-down list is the one where you want to make changes.
  6. Click Assign groups or users in the tile if no users or groups have been assigned yet. To edit a user role that already has groups or users assigned, click the Edit icon that appears when you hover your cursor over the tile.
  7. In the Change Assignment... dialog box, click the Add icon for each group that you want to assign to the role. In the Users field, enter the name of the user that you want to add, or enter a character to retrieve a list of matching users. For example, enter "a" to retrieve all user names that include the character "a". Click the Add icon to add the user to the role.

    You can assign multiple groups and users to your user role. Keep in mind that the list of groups and users is defined in the identity provider and managed by the identity domain administrator. Click Save Changes when you are done. Saving your changes automatically updates the user roles for your application in IDCS.

After you create a role, you'll need to enable role-based security for the application's business objects by specifying the user roles that can access the object and setting access privileges for the role in the business object’s Security tab.

Besides securing access to the data in your business objects, user roles can help control what a user sees in your application. For example, you can use role-based permissions to limit access to the app, to entire pages or flows, or even to individual components on a page, so that only users with certain roles can view that information.

Note:

An application's user role definitions are preserved when it is exported and imported, as long as the app is imported into the same IDCS domain it was exported from. When you export an app, its user roles (as defined in user-roles.json) are included in the exported application archive (role-mapping.json) and re-created when you import the application. Once this is done, the role-mapping.json file is deleted from the application's sources. If this step fails (for example, because you're importing an older app whose users and groups no longer exist in IDCS), you'll need to set up the user roles again manually.