Configure Advanced Implicit Data Security for Non-Discretionary Access

In Oracle Fusion Cloud ERP, you can use the Manage Data Access for Users page to control who can see specific data. You do it by explicit data assignment. However, many predefined self-service roles include implicit data security assignments for non-discretionary access. Some job roles, like Procurement Requester, come with built-in access to data for the part of the business that they work in. This implicit data management has many benefits. Let’s look at why implicit data management is useful for an organization.

Sometimes, you may need to give many people the same access to certain data, especially for self-service roles like Procurement Requester. This role gives people access to data for the business unit they work in by default. For example, someone who works in the US business unit will be able to manage requisitions in that unit when given the Procurement Requester role. However, if they need access to data in other business units, you will have to specifically give them that access on the Manage Data Access for Users page. If many people in the same business unit need the same access to another business unit, it might be easier to set up a new data security policy instead of giving everyone access individually. For example, if all people in the US business unit need access to the Canada business unit, it is more efficient to set up a new policy rather than giving everyone access individually.

Advanced Implicit Data Security for Non-Discretionary Access helps you configure implicit data security. Let’s look at an example of setting up implicit data security for Vision Corporation. Vision Corporation is headquartered in Germany with operations in Spain and Italy. The operations in each country are set up as their own business units – Vision Germany, Vision Italy, and Vision Spain.

In this example, the employees in Germany can manage requisitions for all three business units, but employees in Italy and Spain can only manage requisitions for their own business units.

If the business unit on primary worker assignment is: | Users can manage requisitions in:
Vision Germany | Vision Germany, Vision Italy, Vision Spain
Vision Italy   | Vision Italy
Vision Spain   | Vision Spain

Suppose that George is an employee from the German office with the predefined Procurement Requester role that grants him access to manage requisitions in Vision Germany. Similarly, Braun is an employee from the Spain office, so the predefined Procurement Requester role grants her access to manage requisitions in Vision Spain. Now, to configure additional data security policies to allow non-discretionary access for users in Vision Germany, you must configure a new database resource condition and then configure a new data security policy.

Configure New Database Resource Condition

To set up a new data security policy that lets users from one business unit access another business unit's data, you first need to create a database resource condition, also called an instance set. The condition defines which business unit rows the policy grants access to.

The condition is written as a SQL predicate, like this one:
BU_ID IN (
SELECT TARGET_BU.ORGANIZATION_ID
FROM HR_ALL_ORGANIZATION_UNITS_F_VL TARGET_BU
WHERE TARGET_BU.NAME IN
( &GRANT_ALIAS.PARAMETER2, &GRANT_ALIAS.PARAMETER3, &GRANT_ALIAS.PARAMETER4
, &GRANT_ALIAS.PARAMETER5, &GRANT_ALIAS.PARAMETER6, &GRANT_ALIAS.PARAMETER7
, &GRANT_ALIAS.PARAMETER8, &GRANT_ALIAS.PARAMETER9, &GRANT_ALIAS.PARAMETER10 )
AND EXISTS (
SELECT 1 FROM HR_ALL_ORGANIZATION_UNITS_F_VL ASSIGNMENT_BU
WHERE ASSIGNMENT_BU.NAME = &GRANT_ALIAS.PARAMETER1
AND ASSIGNMENT_BU.ORGANIZATION_ID = PER_GET_WORKER_BU.GET_WORKER_BU(HRC_SESSION_UTIL.GET_USER_PERSONID , NULL)
)
)

This predicate is parameterized so that the same condition can be reused with different values for the primary business unit and the target business units. The primary business unit's name is supplied in PARAMETER1, and the target business unit names in PARAMETER2 through PARAMETER10. Use the Security Console to set up database resource conditions. Only the IT Security Manager can use the Security Console, which you can find in the Navigator menu.

To configure a new database resource condition:

  1. Navigate to the Security Console.
  2. On the Administration tab, click Manage Database Resources.
  3. Search for a database resource. In this example, enter Business Unit, and select Edit.
  4. On the Condition tab, click Add.
  5. In the Name field, enter a name that you can readily distinguish from the predefined conditions.
  6. In the Display Name field, enter a display name.
  7. In the Description field, enter a description of the condition.
  8. In the Condition Type field, select SQL predicate and then enter the predicate in the SQL predicate field as shown in the figure.
    Figure: Create database resource condition
  9. Click Save.
  10. Click Submit to save your changes. The new condition is ready for use.
If you don't need to reuse the condition for different scenarios, you can create a simpler condition with hardcoded values as shown below:
BU_ID IN (
SELECT TARGET_BU.ORGANIZATION_ID
FROM HR_ALL_ORGANIZATION_UNITS_F_VL TARGET_BU
WHERE TARGET_BU.NAME IN ( 'Vision Italy' , 'Vision Spain' )
AND EXISTS (
SELECT 1 FROM HR_ALL_ORGANIZATION_UNITS_F_VL ASSIGNMENT_BU
WHERE ASSIGNMENT_BU.NAME = 'Vision Germany'
AND ASSIGNMENT_BU.ORGANIZATION_ID = PER_GET_WORKER_BU.GET_WORKER_BU(HRC_SESSION_UTIL.GET_USER_PERSONID , NULL)
)
)
You can make the predicate simpler and faster still if you already know the internal ORGANIZATION_ID values of the business units, because the names then no longer have to be looked up at runtime:
BU_ID IN ( 1016 /* Vision Spain */ , 1017 /* Vision Italy */ )
AND PER_GET_WORKER_BU.GET_WORKER_BU(HRC_SESSION_UTIL.GET_USER_PERSONID , NULL) = 911 /* Vision Germany */
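As an added example (not part of the Oracle documentation), the following Python script runs both forms of the condition above against a constructed in-memory SQLite copy of HR_ALL_ORGANIZATION_UNITS_F_VL to show which requisitions a worker from each business unit can manage. The Fusion session calls and the &GRANT_ALIAS.PARAMETERn placeholders are replaced by bound variables, and the organization IDs and requisition rows are assumptions.

```python
import sqlite3

# Constructed sample rows for HR_ALL_ORGANIZATION_UNITS_F_VL; the IDs follow the
# page's hardcoded example and are assumptions, not real Vision Corporation data.
ORG_UNITS = [(911, "Vision Germany"), (1016, "Vision Spain"), (1017, "Vision Italy")]
# Constructed requisitions: (requisition id, owning BU_ID).
REQUISITIONS = [("REQ-DE", 911), ("REQ-ES", 1016), ("REQ-IT", 1017)]

# Parameterised form of the page's condition. The Fusion call
# PER_GET_WORKER_BU.GET_WORKER_BU(HRC_SESSION_UTIL.GET_USER_PERSONID, NULL) and the
# &GRANT_ALIAS.PARAMETERn placeholders are replaced by bound variables (assumption).
PARAM_PREDICATE = """BU_ID IN (
  SELECT TARGET_BU.ORGANIZATION_ID
  FROM HR_ALL_ORGANIZATION_UNITS_F_VL TARGET_BU
  WHERE TARGET_BU.NAME IN (:p2, :p3)
  AND EXISTS (
    SELECT 1 FROM HR_ALL_ORGANIZATION_UNITS_F_VL ASSIGNMENT_BU
    WHERE ASSIGNMENT_BU.NAME = :p1
    AND ASSIGNMENT_BU.ORGANIZATION_ID = :worker_bu))"""

# Hardcoded-ID form from the page, again with the worker's BU bound as a variable.
ID_PREDICATE = """BU_ID IN (1016 /* Vision Spain */, 1017 /* Vision Italy */)
AND :worker_bu = 911 /* Vision Germany */"""

# Predefined implicit grant: a Procurement Requester always sees the business
# unit of their primary worker assignment.
OWN_BU_PREDICATE = "BU_ID = :worker_bu"


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE HR_ALL_ORGANIZATION_UNITS_F_VL (ORGANIZATION_ID INTEGER, NAME TEXT)")
    con.executemany("INSERT INTO HR_ALL_ORGANIZATION_UNITS_F_VL VALUES (?, ?)", ORG_UNITS)
    con.execute("CREATE TABLE REQUISITIONS (REQ_ID TEXT, BU_ID INTEGER)")
    con.executemany("INSERT INTO REQUISITIONS VALUES (?, ?)", REQUISITIONS)
    return con


def visible_requisitions(worker_bu, policy_predicate, p1="Vision Germany",
                         p2="Vision Italy", p3="Vision Spain"):
    """Requisitions a worker whose primary assignment BU is `worker_bu` can manage:
    own BU (predefined policy) OR whatever the added policy predicate grants."""
    sql = (f"SELECT REQ_ID FROM REQUISITIONS WHERE ({OWN_BU_PREDICATE}) "
           f"OR ({policy_predicate}) ORDER BY REQ_ID")
    params = {"worker_bu": worker_bu, "p1": p1, "p2": p2, "p3": p3}
    con = _connect()
    try:
        return [row[0] for row in con.execute(sql, params)]
    finally:
        con.close()
```

Running it for a Vision Germany worker (BU 911) returns all three requisitions, while a Vision Spain or Vision Italy worker still sees only their own, matching the access table earlier on this page.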

Configure New Data Security Policy

You can set up new data security rules for both predefined roles and roles you create yourself. In this example, we're making a rule for the predefined role of the Procurement Requester.

To configure a new data security policy:

  1. On the Roles tab of the Security Console, search for the role that you want to configure.
  2. In the search results, click the down arrow for the selected role and select Edit Role.
  3. Go to Data Security Policies.
  4. Click Create Data Security. In this example, you must create a new data security policy for the Business Unit resource and the Manage Requisition action, using the condition you created.
  5. In the Database Resource field, select Business Unit.
  6. In the Data Set field, select Select by instance set.
  7. In the Select data by condition field, select the condition that you created.
  8. In the PARAMETER1 field, enter the primary worker assignment business unit that's driving the data assignment.
  9. In PARAMETER2 through PARAMETER10, enter the target business units to be assigned when the primary worker assignment business unit for a user matches the value in PARAMETER1. You don't have to fill in all nine parameters. In this example, in PARAMETER1, you should enter Vision Germany, and in PARAMETER2 and PARAMETER3, you should enter Vision Italy and Vision Spain.

    Note: If you choose to use simple predicates with hardcoded values when setting up the database resource condition, you don't have to enter any parameter values here. The parameter values will be hidden.

  10. From the Actions drop-down list, select Manage Requisition.
  11. Click OK.
  12. Go to the Summary and Impact Report step to review the changes.
  13. Click Save and Close.

Verify New Data Security Policy

You can verify the new data security policy that you configured. Notice that users from Vision Germany can now manage requisitions in Vision Italy and Vision Spain.
Figure: Verify data security policy