2 Security Console

Overview of Security Console

Use the Security Console to manage application security in your Oracle Applications Cloud service. You can do tasks related to role management, role analysis, user-account management, and certificate management.

Security Console Access

You must have the IT Security Manager role to use the Security Console. This role inherits the Security Management and Security Reporting duty roles.

Security Console Tasks

You can do these tasks on the Security Console:

  • Roles

    • Create job, abstract, and duty roles.

    • Edit custom roles.

    • Copy roles.

    • Compare roles.

    • Visualize role hierarchies and assignments to users.

    • Review Navigator menu items available to roles or users.

    • Identify roles that grant access to Navigator menu items and privileges required for that access.

  • Users

    • Create user accounts.

    • Review, edit, lock, or delete existing user accounts.

    • Assign roles to user accounts.

    • Reset users' passwords.

  • Analytics

    • Review statistics of role categories, the roles belonging to each category, and the components of each role.

    • View the data security policies, roles, and users associated with each database resource.

  • Certificates

    • Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.

    • Generate signing requests for X.509 certificates.

  • Administration

    • Establish rules for the generation of user names.

    • Set password policies.

    • Create standards for role definition, copying, and visualization.

    • Review the status of role-copy operations.

    • Define templates for notifications of user-account events, such as password expiration.

Administrate the Security Console

Before you start using the Security Console, ensure that you run the background processes that refresh security data. You can use the Security Console Administration pages to set general options and role-oriented options, and to track the status of role-copy jobs. You can also select, edit, or add notification templates.

Run the Background Processes

Here are the background processes you must run:

  • Retrieve Latest LDAP Changes - This process copies data from the LDAP directory to the Oracle Cloud Applications Security tables. Run this process once, before you start the implementation.

  • Import User and Role Application Security Data - This process imports users, roles, privileges, and data security policies from the identity store, policy store, and Oracle Cloud Applications Security tables. Schedule it to run regularly to update those tables.

To run the Retrieve Latest LDAP Changes process:

  1. In the Setup and Maintenance work area, go to the Run User and Roles Synchronization Process task in the Initial Users functional area.

  2. If you want to be notified when this process ends, select the corresponding option.

  3. Click Submit.

  4. Review the confirmation message and click OK.

To run the Import User and Role Application Security Data process:

  1. In the Tools work area, select Scheduled Processes.

  2. Click Schedule New Process.

  3. Search for the Import User and Role Application Security Data process and select it.

  4. Click OK.

  5. Click Submit.

  6. Review the confirmation message and click OK.

Configure the General Administration Options

  1. On the Security Console, click Administration.

  2. In the Certificate Preferences section, set the default number of days for which a certificate remains valid. Certificates establish keys for the encryption and decryption of data that Oracle Cloud applications exchange with other applications.

  3. In the Synchronization Process Preferences section, specify the number of hours since the last run of the Import User and Role Application Security Data process. When you select the Roles tab, a warning message appears if the process hasn't been run in this period.

Configure the Role Administration Options

  1. On the Security Console, click Administration.

  2. On the Roles tab, specify the prefix and suffix that you want to add to the name and code of role copies. Each role has a Role Name (a display name) and a Role Code (an internal name). A role copy takes the name and code of the source role, with this prefix or suffix (or both) added. The addition distinguishes the copy from its source. By default, there is no prefix, the suffix for a role name is "Custom," and the suffix for a role code is "_CUSTOM."

  3. In the Graph Node Limit field, set the maximum number of nodes a visualization graph can display. When a visualization graph contains a greater number of nodes, the visualizer recommends the table view.

  4. Deselect Enable default table view if you want the visualizations generated from the Roles tab to open in the radial graph view.

  5. Enable edit of data security policies: Determine whether users can enter data on the Data Security Policies page of the role-creation and role-edit trains available from the Roles tab.

  6. Enable edit of user role membership: Determine whether users can enter data on the Users page of the role-creation and role-edit trains available from the Roles tab.

View the Role Copy Status

  1. On the Security Console, click Administration.

  2. On the Role Copy Status tab, you can view records of jobs to copy roles. These jobs are initiated on the Roles page. Job status is updated automatically until a final status, typically Completed, is reached.

  3. Click the Delete icon to delete the row representing a copy job.

Run Retrieve Latest LDAP Changes

Information about users and roles in your LDAP directory is available automatically to Oracle Cloud Applications. However, in specific circumstances it's recommended that you run the Retrieve Latest LDAP Changes process. This topic describes when and how to run Retrieve Latest LDAP Changes.

You run Retrieve Latest LDAP Changes if you believe data-integrity or synchronization issues may have occurred between Oracle Cloud Applications and your LDAP directory server. For example, you may notice differences between roles on the Security Console and roles on the Create Role Mapping page. It's also recommended that you run this process after any release update.

Run the Process

Sign in with the IT Security Manager job role and follow these steps:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process in the Search Results section of the Overview page.

    The Schedule New Process dialog box opens.

  3. In the Name field, search for and select the Retrieve Latest LDAP Changes process.

  4. Click OK to close the Schedule New Process dialog box.

  5. In the Process Details dialog box, click Submit.

  6. Click OK, then Close.

  7. On the Scheduled Processes page, click the Refresh icon.

    Repeat this step periodically until the process completes.

Note: Only one instance of Retrieve Latest LDAP Changes can run at a time.

Security Visualizations

A Security Console visualization graph consists of nodes that represent security items. These may be users, roles, privileges, or aggregate privileges. Arrows connect the nodes to define relationships among them. You can trace paths from any item in a role hierarchy either toward users who are granted access or toward the privileges roles can grant.

You can select one of the following two views:

  • Radial: Nodes form circular (or arc) patterns. The nodes in each circular pattern relate directly to a node at the center. That focal node represents the item you select to generate a visualization, or one you expand in the visualization.

  • Layers: Nodes form a series of horizontal lines. The nodes in each line relate to one node in the previous line. This is the item you select to generate a visualization, or the one you expand in the visualization.

For example, a job role might consist of several duty roles. You might select the job role as the focus of a visualization (and set the Security Console to display paths leading toward privileges):

  • The Radial view initially shows nodes representing the duty roles encircling a node representing the job role.

  • The Layers view initially shows the duty-role nodes in a line after the job-role node.

You can then manipulate the image, for example, by expanding a node to display the items it consists of.

Alternatively, you can generate a visualization table that lists items related to an item you select. For example, a table may list the roles that descend from a role you select, or the privileges inherited by the selected role. You can export tabular data to an Excel file.

Options for Viewing a Visualization Graph

Within a visualization graph, you can select the Radial or Layers view. In either view, you can zoom in or out of the image. You can expand or collapse nodes, magnify them, or search for them. You can also highlight nodes that represent types of security items.

  1. To select a view, click Switch Layout in the Control Panel, which is a set of buttons on the visualization.

  2. Select Radial or Layers.

Node Labels

You can enlarge or reduce a visualization, either by expanding or collapsing nodes or by zooming in or out of the image. As you do, the labels identifying nodes change:

  • If the image is large, each node displays the name of the item it represents.

  • If the image is small, symbols replace the names: U for user, R for role, S for predefined role, P for privilege, and A for aggregate privilege.

  • If the image is smaller, the nodes are unlabeled.

Regardless of labeling, you can hover over a node to display the name and description of the user, role, or privilege it represents.

Nodes for each type of item are visually depicted such that item types are easily distinguished.

Expand or Collapse Nodes

To expand a node is to reveal roles, privileges, or users to which it connects. To collapse a node is to hide those items. To expand or collapse a node, select a node and right-click or just double-click on the node.

Using Control Panel Tools

Apart from the option to select the Radial or Layers view, the Control Panel contains these tools:

  • Zoom In: Enlarge the image. You can also use the mouse wheel to zoom in.

  • Zoom Out: Reduce the image. You can also use the mouse wheel to zoom out.

  • Zoom to Fit: Center the image and size it so that it's as large as it can be while fitting entirely in its display window. (Nodes that you have expanded remain expanded.)

  • Magnify: Activate a magnifying glass, then position it over nodes to enlarge them temporarily. You can use the mouse wheel to zoom in or out of the area covered by the magnifying glass. Click Magnify a second time to deactivate the magnifying glass.

  • Search: Enter text to locate nodes whose names contain matching text. You can search only for nodes that the image is currently expanded to reveal.

  • Control Panel: Hide or expose the Control Panel.

Using the Legend

A Legend lists the types of items currently on display. You can take the following actions:

  • Hover over the entry for a particular item type to locate items of that type in the image. Items of all other types are grayed out.

  • Click the entry for an item type to disable items of that type in the image. If an item of that type has child nodes, it's grayed out. If not, it disappears from the image. Click the entry a second time to restore disabled items.

  • Hide or expose the Legend by clicking its button.

Using the Overview

On the image, click the plus sign to open the Overview, a thumbnail sketch of the visualization. Click any area of the thumbnail to focus the actual visualization on that area.

Alternatively, you can click the background of the visualization and move the entire image in any direction.

Refocusing the Image

You can select any node in a visualization as the focal point for a new visualization: Right-click a node, then select Set as Focus.

Note: You can review role hierarchies using either a tabular or a graphical view. The default view depends on the setting of the Enable default table view option on the Administration tab.

Visualization Table Display Options

A visualization table contains records of roles, privileges, or users related to a security item you select. The table displays records for only one type of item at a time:

  • If you select a privilege as the focus of your visualization, select the Expand Toward Users option. Otherwise the table shows no results. Then use the Show option to list records of either roles or users who inherit the privilege.

  • If you select a user as the focus of your visualization, select the Expand Toward Privileges option. Otherwise the table shows no results. Then use the Show option to list records of either roles or privileges assigned to the user.

  • If you select any type of role or an aggregate privilege as the focus of your visualization, you can expand in either direction.

    • If you expand toward privileges, use the Show option to list records of either roles lower in hierarchy, or privileges related to your focus role.

    • If you expand toward users, use the Show option to list records of either roles higher in hierarchy, or users related to your focus role.

Tables are all-inclusive:

  • Roles: Records for all roles related directly or indirectly to your focus item. For each role, inheritance columns specify the name and code of a directly related role.

  • Privileges: Records for all privileges related directly or indirectly to your focus item. For each privilege, inheritance columns display the name and code of a role that directly owns the privilege.

  • Users: Records for all users assigned roles related directly or indirectly to your focus item. For each user, Assigned columns display the name and code of a role assigned directly to the user.

The table columns are search-enabled. Enter the search text in a column field to get the records matching your search text. You can export a table to Excel.
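The table rows described above amount to a walk over the role hierarchy that records, for each item reached, the directly related role shown in the inheritance (or Assigned) column. The following is an added example, not Oracle's code; the role codes, privileges and users are constructed, and an aggregate privilege is modelled as a role, as the Console treats it:

```python
"""Constructed model of a Security Console visualization table (not Oracle code)."""
from collections import deque

# role code -> role codes it directly inherits (roles "lower" in its hierarchy);
# AGG_EXPENSE_APPROVAL stands in for an aggregate privilege, which counts as a role
ROLE_MEMBERS = {
    "JOB_EXPENSE_MANAGER": {"DUTY_EXPENSE_REVIEW", "DUTY_REPORT_VIEW"},
    "JOB_AUDITOR": {"DUTY_REPORT_VIEW"},
    "DUTY_EXPENSE_REVIEW": {"AGG_EXPENSE_APPROVAL"},
    "DUTY_REPORT_VIEW": set(),
    "AGG_EXPENSE_APPROVAL": set(),
}
# role code -> privileges the role owns directly (constructed names)
ROLE_PRIVILEGES = {
    "DUTY_EXPENSE_REVIEW": {"REVIEW_EXPENSE_REPORT_PRIV"},
    "DUTY_REPORT_VIEW": {"VIEW_EXPENSE_REPORT_PRIV"},
    "AGG_EXPENSE_APPROVAL": {"APPROVE_EXPENSE_REPORT_PRIV"},
}
# user -> roles assigned directly to the user (constructed)
USER_ROLES = {"alice": {"JOB_EXPENSE_MANAGER"}, "bob": {"JOB_AUDITOR"}}

# inverted hierarchy: role code -> roles that directly include it ("higher" roles)
ROLE_PARENTS = {}
for _role, _members in ROLE_MEMBERS.items():
    for _member in _members:
        ROLE_PARENTS.setdefault(_member, set()).add(_role)


def _reachable(starts, edges):
    """Breadth-first walk returning (role, directly_related_role) rows.

    Every edge is reported once, so a role reached by two paths gets two rows,
    one per direct relation, as the all-inclusive tables do.  The seen-set
    stops the walk if a hierarchy happens to be cyclic.
    """
    rows, seen, queue = [], set(starts), deque(starts)
    while queue:
        role = queue.popleft()
        for nxt in sorted(edges.get(role, ())):
            rows.append((nxt, role))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return rows


def expand_toward_privileges(focus, show):
    """Rows for a role focus with Expand Toward = Privileges."""
    lower = _reachable([focus], ROLE_MEMBERS)
    if show == "Roles":
        return sorted(lower)
    if show == "Privileges":  # inheritance column = role that owns the privilege
        owners = {focus} | {r for r, _ in lower}
        return sorted((p, r) for r in owners for p in ROLE_PRIVILEGES.get(r, ()))
    raise ValueError("Show must be Roles or Privileges")


def expand_toward_users(focus, show):
    """Rows for a role or privilege focus with Expand Toward = Users."""
    if focus in ROLE_MEMBERS:
        higher = _reachable([focus], ROLE_PARENTS)
        holders = {focus} | {r for r, _ in higher}
    else:  # a privilege focus yields results only in this direction
        owners = sorted(r for r, ps in ROLE_PRIVILEGES.items() if focus in ps)
        higher = [(r, focus) for r in owners] + _reachable(owners, ROLE_PARENTS)
        holders = set(owners) | {r for r, _ in higher}
    if show == "Roles":
        return sorted(higher)
    if show == "Users":  # Assigned column = role assigned directly to the user
        return sorted((u, r) for u, rs in USER_ROLES.items() for r in rs if r in holders)
    raise ValueError("Show must be Roles or Users")
```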

Generate a Visualization

Here's how you can generate a visualization:

  1. On the Security Console, click Roles.

  2. Search for the security item on which you want to base the visualization.

    • In a Search field, select any combination of item types, for example, job role, duty role, privilege, or user.

    • In the adjacent field, enter at least three characters. The search returns the matching records.

    • Select a record.

      Alternatively, click Search to load all the items in a Search Results column, and then select a record.

  3. Click either the Show Graph or the View as Table button.

    Note: On the Administration page, you can determine the default view for a role.

  4. In the Expand Toward list, select Privileges to trace paths from your selected item toward items lower in its role hierarchy. Or select Users to trace paths from your selected item toward items higher in its hierarchy.

  5. If the Table view is active, select an item type in the Show list: Roles, Privileges, or Users. (The options available to you depend on your Expand Toward selection.) The table displays records of the item type you select. Note that an aggregate privilege is considered to be a role.

Simulate Navigator Menus in the Security Console

You can simulate Navigator menus available to roles or users. From a simulation, you can review the access inherent in a role or granted to a user. You can also determine how to alter that access to create roles.

Opening a Simulation

To open a simulated menu:

  1. Select the Roles tab in the Security Console.

  2. Create a visualization graph, or populate the Search Results column with a selection of roles or users.

  3. In the visualization graph, right-click a role or user. Or, in the Search Results column, select a user or role and click its menu icon.

  4. Select Simulate Navigator.

Working with the Simulation

In a Simulate Navigator page:

  • Select Show All to view all the menu and task entries that may be included in a Navigator menu.

  • Select Show Access Granted to view the menu and task entries actually assigned to the selected role or user.

In either view:

  • A padlock icon indicates that a menu or task entry can be, but isn't currently, authorized for a role or user.

  • An exclamation icon indicates an item that may be hidden from a user or role with the privilege for it, because it has been modified.

To plan how this authorization may be altered:

  1. Click any menu item on the Simulate Navigator page.

  2. Select either of the two options:

    • View Roles That Grant Access: Lists roles that grant access to the menu item.

    • View Privileges Required for Menu: Lists the privileges required for access to the menu item and to the task panel items.

Analytics for Roles

You can review statistics about the roles that exist in your Oracle Cloud instance.

On the Analytics page, click the Roles tab. Then view these analyses:

  • Role Categories. Each role belongs to a category that defines some common purpose. Typically, a category contains a type of role configured for an application, for example, "Financials - Duty Roles."

    For each category, a Roles Category grid displays the number of:

    • Roles

    • Role memberships (roles belonging to other roles within the category)

    • Security policies created for those roles

    In addition, a Roles by Category pie chart compares the number of roles in each category with those in other categories.

  • Roles in Category. Click a category in the Role Categories grid to list roles belonging to that category. For each role, the Roles in Category grid also shows the number of:

    • Role memberships

    • Security policies

    • Users assigned to the role

  • Individual role statistics. Click the name of a role in the Roles in Category grid to list the security policies and users associated with the role. The page also presents collapsible diagrams of hierarchies to which the role belongs.

    Click Export to export data from this page to a spreadsheet.

Analytics for Database Resources

You can review information about data security policies that grant access to a database resource, or about roles and users granted access to that resource.

  1. On the Analytics page, click the Database Resources tab.

  2. Select the resource you want to review in the Database Resource field.

  3. Click Go.

    Results are presented in three tables.

Data Security Policies

The Data Security Policies table documents policies that grant access to the selected database resource.

Each row documents a policy, specifying by default:

  • The data privileges it grants.

  • The condition that defines how data is selected from the database resource.

  • The policy name and description.

  • A role that includes the policy.

For any given policy, this table may include multiple rows, one for each role in which the policy is used.

Authorized Roles

The Authorized Roles table documents roles with direct or indirect access to the selected database resource. Any given role may do either or both of the following:

  • Include one or more data security policies that grant access to the database resource. The Authorized Roles table includes one row for each policy belonging to the role.

  • Inherit access to the database resource from one or more roles in its hierarchy. The Authorized Roles table includes one row for each inheritance.

By default, each row specifies the following:

  • The name of the role it documents.

  • The name of a subordinate role from which access is inherited, if any. (If the row documents access provided by a data security policy assigned directly to the subject role, this cell is blank.)

  • The data privileges granted to the role.

  • The condition that defines how data is selected from the database resource.

Note: A role's data security policies and hierarchy may grant access to any number of database resources. However, the Authorized Roles table displays records only of access to the database resource you selected.

Authorized Users

The Authorized Users table documents users who are assigned roles with access to the selected database resource.

By default, each row specifies a user name, a role the user is assigned, the data privileges granted to the user, and the condition that defines how data is selected from the database resource. For any given user, this table may include multiple rows, one for each grant of access by a data security policy belonging to, or inherited by, a role assigned to the user.

Manipulating the Results

In any of these three tables, you can do the following actions:

  • Add or remove columns. Select View - Columns.

  • Search among the results. Select View - Query by Example to add a search field on each column in a table.

  • Export results to a spreadsheet. Select the Export to Excel option available for each table.

FAQs on Using the Security Console

What's the difference between private, personally identifiable, and sensitive information?

Private information is confidential in some contexts.

Personally identifiable information (PII) identifies or can be used to identify, contact, or locate the person to whom the information pertains.

Some PII is sensitive.

A person's name isn't private. It's PII but not sensitive in most contexts. The names and work phone numbers of employees may be public knowledge within an enterprise, so they are PII but not sensitive. In some circumstances it's reasonable to protect such information.

Some data isn't PII but is sensitive, such as medical data, or information about a person's race, religion or sexual orientation. This information can't generally be used to identify a person, but is considered sensitive.

Some data isn't private or personal, but is sensitive. Salary ranges for grades or jobs may need to be protected from view by users in those ranges and only available to senior management.

Some data isn't private or sensitive except when associated with other data that isn't private or sensitive. For example, date or place of birth isn't a PII attribute because by itself it can't be used to uniquely identify an individual, but it's confidential and sensitive in conjunction with a person's name.