Preparing Oracle Sales Cloud

Before registering your Oracle Sales Cloud application instance with Oracle CASB Cloud Service, you need to create a dedicated administrative user within Oracle Sales Cloud and ensure that Oracle Sales Cloud auditing is enabled.

Creating a Dedicated Oracle CASB Cloud Service User in Oracle Sales Cloud

Create a dedicated user account for Oracle CASB Cloud Service in the Oracle Sales Cloud account that you want to monitor.

The user cannot use multifactor or federated authentication (for example, through a single sign-on service). You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to Oracle ERP Cloud and retrieve system events.

Note:

If you have already created a dedicated Oracle CASB Cloud Service administrative user account for another application within Oracle Applications Cloud, it is not necessary to create another user now.
  • You can use that existing user for all Oracle Applications Cloud services to communicate with Oracle CASB Cloud Service.

  • Or you can create a new user for individual Oracle Applications Cloud services, if you prefer.

  1. Log into the Oracle Fusion Applications console as an administrator with permission to create other administrators.
  2. In the Oracle Fusion Applications console home page:
    1. Open the Navigator.
    2. Scroll to the bottom.
    3. Click More.
    4. In the left panel, click Security Console.
  3. In the left navigation panel, click Users.
  4. On the User Accounts page, click Add User Account in the upper-right corner.
  5. On the Add User Account page:
    1. Set the Person Type field to None.
    2. Enter a First Name for the user (for example, CASB).
    3. Enter a Last Name to describe the account (for example, Oracle CASB Service Account).
    4. Enter a User Name to identify the account (for example, CASB).

      You will use this name when you register the application instance in Oracle CASB Cloud Service.

    5. Enter a Password, and then re-enter it in Confirm Password.
    6. Click Add Role.
  6. In the Add Role Membership dialog box:
    1. Paste this role code into the Search box.

      ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY

    2. Click the Search icon.
    3. Select the ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY code returned in the search results.
    4. Click Add Role Membership.

      This assigns the Audit Access for Cloud Access Security Broker role.

    5. Click OK on the confirmation message.
    6. Click Done in the Add Role Membership dialog box.
  7. On the Add User Account page, click Save and Close.
  8. In the left navigation panel, click Roles.
  9. On the Roles page, click Create Role in the upper-right corner.
  10. On the Create Role : Basic Information page:
    1. Enter a Role Name (for example, CASB_MANAGE_AUDIT_ROLE).
    2. Copy that entry into the Role Code box.
    3. Set Role Category to Setup - Job Roles.
    4. Click Next.
  11. On the Function Security page, Privileges tab, click Add Function Security Policy.
  12. In the Add Function Security Policy dialog box:
    1. Paste FND_MANAGE_AUDIT_POLICIES_PRIV into the Search box.
    2. Click the Search icon.
    3. Select the Manage Audit Policies privilege returned in the search results.
    4. Click Add Privilege to Role.
    5. Click OK on the confirmation message.
    6. Click Done in the Add Function Security Policy dialog box.
  13. Click Next until you reach the Summary page, then click Save and Close, and OK the confirmation message.
  14. In the left navigation panel, click Users.
  15. On the User Accounts page:
    1. Enter the name of the CASB service user you created in the Search box.
    2. Click the Search icon.
    3. In the search results, locate the user you created and click the link next to User Name.
  16. On the User Account Details page, click Edit.
  17. On the Edit User Account page, click Add Role.
  18. In the Add Role Membership dialog box:
    1. Enter the name of the role you created (CASB_MANAGE_AUDIT_ROLE) in the Search box.
    2. Click the Search icon.
    3. Select the role in the search results.
    4. Click Add Role Membership.
    5. Click OK on the confirmation message.
    6. Click Done in the Add Role Membership dialog box.
  19. On the Edit User Account page, click Save and Close in the upper-right corner.

    Note:

    It takes up to 10 minutes for the changes to take effect. Please wait for a minimum of 10 minutes before you try to register an application instance, or update credentials for an existing application instance, in the CASB Cloud Service console.

Enabling Role Auditing for Oracle Sales Cloud

Set the security level for Oracle Platform Security Services (OPSS) auditing to capture all of the security events for the role changes that you want Oracle CASB Cloud Service to audit.

The default OPSS audit level for Oracle Fusion Applications is “none” — you must change this setting to Low - Critical Events Only, in order to fully enable role auditing.

Note:

You only need to set the OPSS audit level once, to support role auditing for all the application instances from the same Fusion Applications POD that are registered in the same Oracle CASB Cloud Service tenant.

  1. Log in to the Oracle Fusion Applications console.
  2. In the Oracle Fusion Applications console home page:
    1. Open the Navigator.
    2. Scroll down.
    3. Click Setup and Maintenance in the lower-right corner.
  3. On the Setup: Compensation Management page:
    1. In the Search Tasks box, enter manage audit policies.
    2. Click the Search icon.
    3. In the search results, select Manage Audit Policies.
  4. On the Manage Audit Policies page:
    1. At the right end of the Oracle Platform Security Services row, set Audit Level to Low - Critical Events Only.
    2. Click Save and Close.

Enabling Association of Oracle CASB Cloud Service with Oracle Access Manager (OAM) for Sales Cloud

If you want to enable OAM association with Oracle CASB Cloud Service, submit an Oracle Service Request.

This task is necessary to ensure that auditing is enabled for login and logout for Fusion Application instances that Oracle Sales Cloud monitors.

Note:

You only need to enable OAM association once for the same Fusion Applications pod in the same Oracle CASB Cloud Service tenant. The OAM association option is then available to all instances of Oracle Fusion Applications (such as Oracle ERP Cloud, Oracle HCM Cloud, or Oracle Sales Cloud) in that Fusion Applications pod on that Oracle CASB Cloud Service tenant.

Enabling OAM association is a two-step process:

  1. First, you must submit an Oracle Service Request.

  2. After that request is fulfilled, you must enable OAM once for a Fusion Application in Oracle CASB Cloud Service.

    You can do this when you register your Oracle Sales Cloud instance (see Adding an Oracle ERP Cloud Instance), or after registration (see Updating the Credentials for an Oracle ERP Cloud Instance).

Submitting an Oracle Support Service Request to enable OAM

Note:

In order to associate with OAM, you must be using Oracle Access Manager version R13 18.02 and you must request that your Oracle CASB Cloud Service tenant be enabled. To enable association with Oracle Access Manager, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

  1. Log in to the Oracle Support Portal.
  2. On the Dashboard, under the Technical Service Requests section, click Create Technical SR.
  3. Enter a Problem Summary and a Problem Description.
  4. Enter the Service Type (for example, Oracle Fusion Global Human Resource Cloud Service).
  5. For Problem Type, select Cloud Hosting Service (Outage,P2T/T2T,Enable SSO,Resize,CloudPortal,MyServices,User/Password,Network,Schedule Maintenance).
  6. Specify your Support Identifier.
  7. Select the appropriate Severity.
  8. Click Next.
  9. For Question 1, select Service Entitlements (Includes Federated SSO, Language Pack Installs, Data Masking, Break Glass etc.) as the area of concern.
  10. For Question 2, select Configure Oracle Cloud Access Security Broker (CASB).
  11. For Question Set 3, provide the following information:
    • The POD name and the Fusion home page URL for which you want to enable Oracle CASB Cloud Service

      For example, https://<POD_Name>.fs.ap1.oraclecloud.com/homePage/faces/AtkHomePageWelcome

    • The Service User ID that you created in Creating a Dedicated Oracle CASB Cloud Service User in Oracle ERP Cloud.

    • If you are using a Fusion Applications version earlier than R-13.18.05, provide the start time and the time zone for a 90-minute window during which your Fusion Application will not be available. Configuring this change requires a downtime of up to 90 minutes in versions earlier than R-13.18.05.

  12. Click Continue.
  13. Review your Support Request for completeness, and then click Submit.

Whitelisting Oracle CASB Cloud Service if Oracle Sales Cloud Fusion POD is Whitelisted

If your Oracle Sales Cloud Fusion POD is whitelisted, you must whitelist some IP addresses for Oracle CASB Cloud Service.

  1. Browse to the Oracle Knowledge Base article, How To Integrate Oracle Fusion Cloud With Oracle CASB.
  2. Scroll down to the section titled, Deployment Considerations If Fusion POD is whitelisted.
  3. Whitelist the IP address listed there for the URL where your Oracle CASB Cloud Service tenant is hosted.