Overview of Project Management Security
Oracle Project Management Cloud predefines common job roles such as Project Manager and Project Accountant. You can use these job roles or create new ones if the predefined job roles don't fully represent your enterprise.
For example, the predefined Project Manager job role includes project budget management privileges. If some of your project managers don't manage budgets, you can copy the predefined project manager job role and remove the appropriate privileges to create a custom role. A user can have more than one job role, so don't define a job role that includes all the accesses needed for every user.
Refer to the Security Reference Manual for a description of predefined roles in Oracle Project Portfolio Management Cloud.
The aspects of security that are discussed in this topic include:
-
Securing common functionality
-
Securing Project Financial Management and Grants Management applications
-
Securing Project Execution Management applications
Securing Common Functionality
Common functionality that's not job specific, such as creating time cards and expense reports, are granted to the Enterprise Resource Planning Self Service User abstract role. Abstract roles like Employee, Contingent Worker and Line Manager also grant access to common functionalities across a wide collection of Oracle Cloud Applications.
Oracle Project Portfolio Management Cloud provides the following roles that are designed for initial implementation and the ongoing management of setup and reference data:
-
Application Implementation Manager: Manages implementation projects and assigns implementation tasks.
-
Application Implementation Consultant: Accesses all setup tasks.
-
Project Integration Specialist: Plans, coordinates, and supervises all activities related to the integration of project management information systems.
-
Project Application Administrator: Accesses all Project Portfolio Management setup tasks for ongoing management of setup and reference data. Also uses the Application Composer to extend the application.
Securing Project Financial Management and Grants Management Applications
Project Financial Management and Grants Management applications require both function and data security privileges.
You can secure access to data in one of the following ways:
-
Manage Projects in Organization Hierarchy
-
Not part of seeded role, but can be used to extend the access to projects that belong to organizations in a hierarchy.
-
For example, Consulting West consists of organizations, Consulting South West and Consulting North West. A user assigned as administrator to Consulting West organization node is automatically able to access projects in Consulting West, Consulting South West, and Consulting North West.
-
-
Manage Data Access for Users
-
Explicit using Data Assignment Model Access
Data security is explicitly assigned to users through the Manage Data Access for Users page. User role assignment is done separately using the Security Console.
For example, the user Abraham Mason with Project Accountant job role can be assigned access to costing data in the US business unit by selecting the appropriate security context of Business Unit and context value of US on Manage Data Access for Users page.
-
Implicit Using Product-Specific Access
Data security is determined by product-specific logic.
For Project Financial Management application, the role on the project determines the access to the project.
For Grants Management application, the role on the award determines the access of a principal investigator to the award.
For example, if you're assigned the Project Manager role on a project, you can edit budgets for that project.
-
You can be assigned data access in one of the following ways:
-
During implementation, you can be assigned roles with appropriate data security assignment.
-
During the project life cycle you can be assigned to one or more projects.
These data roles and project assignments authorize you to navigate, access, and perform business functions in work areas or dashboards.
The following table lists predefined job roles or abstract job roles and the type of security that grants the role access to data in a work area or dashboard.
|
Job or Abstract Role |
Work Area or Dashboard |
Data Security Based On |
|---|---|---|
|
Project Accountant |
Asset |
Project business unit |
|
Project Accountant |
Costs |
Project expenditure business unit |
|
Project Accountant |
Revenue |
Contract business unit |
|
Project Administrator |
Project Financial Management |
Project business unit Project organization |
|
Project Billing Specialist |
Invoices |
Contract business unit |
|
Project Management Duty |
Project Management Infolet Dashboard |
Project assignment |
|
Project Management Duty |
Project Performance Dashboard |
Project assignment |
|
Project Manager |
Project Management Infolet Dashboard |
Project assignment |
|
Project Manager |
Project Performance Dashboard |
Project assignment |
|
Project Manager |
Project Management |
Project assignment |
|
Project Manager |
Project Manager Dashboard |
Project assignment |
|
Project Team Member |
Project Financial Management |
Project assignment |
|
Grants Accountant |
Invoices |
Contract business unit |
|
Grants Accountant |
Revenue |
Contract business unit |
|
Grants Accountant |
Asset |
Project business unit |
|
Grants Accountant |
Costs |
Project expenditure business unit |
|
Grants Administrator |
Awards |
Contract business unit |
|
Grants Administrator |
Contracts |
Contract business unit |
|
Grants Administrator |
Project Financial Management |
Project business unit |
|
Grants Department Administrator |
Awards |
Award organization |
|
Grants Department Administrator |
Contracts |
Contract business unit |
|
Grants Department Administrator |
Project Financial Management |
Project organization |
|
Principal Investigator |
Awards |
Award assignment |
|
Principal Investigator |
Contracts |
Award assignment |
|
Principal Investigator |
Project Financial Management |
Project assignment |
|
Labor Distribution Accountant |
Labor Distribution |
Business unit |
|
Labor Distribution Administrator |
Labor Distribution |
Person Security Profile Assigned to role |
| Program Manager | Program Management | Program organization Person Security Profile assigned to role |
Securing Project Execution Management Applications
Project Execution Management applications use implicit, product specific logic to authorize access to data in various business functions.
During the project life cycle you can be assigned to one or more projects or tasks. These assignments authorize you to navigate, access, and perform business functions in work areas or dashboards.
The following table lists predefined job roles or abstract job roles and the type of security that grants access to data in a work area or dashboard.
|
Job Role or Abstract Role |
Work Area or Dashboard |
Data Security Based On |
|---|---|---|
|
Project Execution |
Project Management |
Project assignment |
|
Project Execution |
Project Management Infolet Dashboard |
Project assignment |
|
Project Execution |
Project Manager Dashboard |
Project assignment |
|
Project Execution |
Requirements |
No data security required |
|
Project Execution |
My Work - Tasks |
Task assignment or task follower |
|
Project Execution |
My Work - Change Orders |
Change order role |
|
Project Execution |
My Work - Deliverables and Issues |
No data security required |
|
Team Collaborator |
My Work - Tasks |
Task assignment or task follower Note: If you change a to do task to a project task, security
is based on project assignment.
|
|
Team Collaborator |
My Work - Change Orders |
Change order role |
|
Team Collaborator |
My Work - Deliverables and Issues |
No data security required |
|
Team Collaborator |
Team Member Dashboard |
Task assignment |
|
Project Executive |
Project Hierarchy |
Project hierarchy element assignment |
|
Resource Manager |
Project Resources |
No data security required |
|
Resource Manager |
Resource Manager Dashboard |
No data security required |