1. Securing Applications
  2. Assign Roles for Access to Manage Scheduled Processes

Assign Roles for Access to Manage Scheduled Processes

Users can view and manage the scheduled processes that they submit, for example, to cancel the process or see the output. But, if they need to do that for processes other people submitted, they need certain roles.

Here are the roles and what they let users do with scheduled processes that anyone submitted.

Role Name

Role Code

View

Update

Cancel

See Output

Republish Output

ESS Operator Role

ESSOperator

Yes

No

No

No

No

ESS Monitor Role

ESSMonitor

Yes

No

No

No

No

ESS Administrator Role

ESSAdmin

Yes

Yes

Yes

No

No

BI Administrator Role

BIAdministrator

No

No

No

Yes

Yes

You can use the Security Console to create a custom role that has the needed roles, and assign the custom role to the user. Usually it's best to give access just by giving users the needed roles.

  • But, in some cases you might need to give additional access to specific tasks. For example, someone with ESS Monitor Role can see scheduled processes from others, but they also need to put processes on hold. And you don't want to give them the ESS Administrator Role because that would be too much access.

  • Another case is that a user should not have access to all processes, but they still need to do certain tasks for some processes.

In these cases, the custom role you assign to users should have a data security policy, which gives users access to certain tasks. Here are the actions you should choose from for the policy, for the specific tasks you want to give users access to.

Action

Description

ESS_REQUEST_CANCEL

Cancel processes.

ESS_REQUEST_HOLD

Put processes on hold.

ESS_REQUEST_OUTPUT_READ

See the output from processes.

ESS_REQUEST_OUTPUT_UPDATE

Update the output from processes, for example to change what output you want if the process hasn't started running yet.

ESS_REQUEST_READ

Access processes and view details.

ESS_REQUEST_RELEASE

Release processes that were put on hold.

Access for All Scheduled Processes

Here's how you give someone access to manage all processes:

  1. On the Roles page in the Security Console, click Create Role.

  2. On the Create Role: Data Security Policies page, create a data security policy only if you need to give access to specific tasks.

    1. For the Data Resource field, select ESS_REQUEST_HISTORY.

    2. For the Data Set list, select All Values.

    3. For the Actions list, select any of the tasks that you want to give access to.

  3. On the Create Role: Role Hierarchy page, add any of the needed roles.

  4. On the Create Role: Users page, enter the users you want to assign this custom role to.

Access to Do Certain Tasks for Specific Processes

Say you don't want to give users access to all scheduled processes. When you create the custom role, instead of selecting a role like ESS Monitor Role, you enter a condition that controls what processes are included. You first create the condition in a data resource:

  1. On the Administration page in the Security Console, click Manage Database Resources on the General tab.

  2. On the Manage Database Resources and Policies page, search with ESS_REQUEST_HISTORY in the Object Name field.

  3. In the Search Results table, select the ESS_REQUEST_HISTORY database resource and click Edit.

  4. On the Edit Data Security page, click the Condition tab.

  5. On the Condition tab, click the Create icon.

  6. In the Create Database Resource Condition dialog box, select SQL predicate for the Condition Type option.

  7. In the SQL Predicate field, enter SQL that determines what processes to give access to, for example:

    EXISTS
(select 1 from dual)
and DEFINITION in (
'JobDefinition://oracle/apps/ess/hcm/users/SyncRolesJob'
)

  8. Save your work.

Now you're ready to create your custom role and assign it to users:

  1. On the Roles page in the Security Console, click Create Role.

  2. On the Create Role: Data Security Policies page, create a data security policy.

    1. For the Data Resource field, select ESS_REQUEST_HISTORY.

    2. For the Data Set list, select Select by instance set.

    3. For the Condition Name list, select the condition you created.

    4. For the Actions list, select ESS_REQUEST_READ so users can access the process in the first place. Include any other action that you want to give access to. For example, if the user needs to see output, select ESS_REQUEST_OUTPUT_READ too.

  3. On the Create Role: Users page, enter the users you want to assign this custom role to.

Related Topics