Enable Team-Based Access to Custom Objects

You can provide resources with access to custom object data, where access is based on the resource's membership in a team, also known as team-based access group security. With this type of security, team members as well as their management hierarchy can access custom object records.

To enable team-based security for custom objects, complete these steps in Application Composer:

  1. Create a relationship between your custom object and the Resource object.

    In Application Composer, create a many-to-many relationship between your custom object and the Resource object, where your custom object is the source object.

  2. Create a subtab so that your users can add resources to custom object records at runtime.

    Add a Team subtab to the custom object details page layout, where the Team subtab is based on the intersection object created from your many-to-many relationship.

  3. Configure security so that the team member on the custom object record, as well as their management hierarchy, has access to the record.

    To do this, set security for both the intersection object and the custom object.

    For the intersection object:

    1. Navigate to the Security node for the intersection object.

    2. On the Define Policies page, select each role that needs access and, for each column (Read, Update, Delete), select All.

    For the custom object:

    1. Navigate to the Security node for the custom object.

    2. On the Define Policies page, select the Enable Access Group Security check box.

    3. Select the Configure Team for Access Group Security check box and select the many-to-many relationship that you just created.

  4. Configure functional security for the required roles.

    This step isn't related to access group security (data security), but it's a required step so that the right roles can access the custom object's user interface pages at the appropriate level (functional security).

    1. Navigate to the Security node for the custom object.

    2. On the Define Policies page, select each role that needs access and, for each column (Read, Update, Delete), select the access level for reading, updating, and deleting records: Functional Read, Functional Delete, or Functional Update.

  5. Publish your sandbox.

Finally, enable your custom object for access group object sharing rules. You do the next set of steps in the Sales and Service Access Management work area.

  1. Navigate to Access Groups in the Sales and Service Access Management work area.

  2. On the Object Sharing Rules page, select the Synchronize Custom Objects and Fields item from the Actions menu.

    After you sync, your custom object displays in the Object list.

  3. Select your custom object from the Object list to configure object sharing rules.

    In the Rules region, the (Custom Object) Team and (Custom Object) Team Hierarchy predefined rules display, in addition to the rules for (Custom Object) Owner and (Custom Object) Owner Hierarchy.

  4. Click each rule to assign a custom access group and access level.

    Note that access groups are automatically created based on roles created using the Security Console.

    For more information, see the Access Groups chapter in the Oracle Fusion Cloud Customer Experience Securing Sales and Fusion Service guide.

  5. On the Access Groups Monitor page, optionally schedule and run the Perform Object Sharing Rule Assignment process to assign access group object sharing rules to your custom object.

    By default, the process runs automatically at scheduled intervals to make sure you have the required access to all object data for your selected access groups. But you can submit the process manually if, for example, you want immediate access to new records and objects.
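
The following added example (not Oracle code and not part of the original page) is a simplified model for reviewing who ends up with access to a record once the Team and Team Hierarchy rules are assigned. The sample data, the function names, and the assumption that a rule applies only to members of its assigned access group are all constructed for illustration.

```python
# Simplified model (an assumption, not Oracle's implementation) of who can
# reach a custom object record through the Team and Team Hierarchy rules.

# Constructed sample data: intersection rows (record id -> team resources).
TEAM = {"REC-1": {"alice", "bob"}, "REC-2": {"dave"}}
# Constructed reporting lines: resource -> direct manager (None at the top).
MANAGER = {"alice": "carol", "bob": "carol", "carol": "erin",
           "dave": "erin", "erin": None}
# Constructed rule assignments: rule -> (access group members, access level).
RULES = {
    "Team": ({"alice", "bob", "dave"}, "Update"),
    "Team Hierarchy": ({"carol", "erin"}, "Read"),
}

def management_chain(resource, manager=MANAGER):
    """Return every manager above a resource, tolerating cycles in the data."""
    chain, seen, current = [], {resource}, manager.get(resource)
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = manager.get(current)
    return chain

def effective_access(record_id, team=TEAM, manager=MANAGER, rules=RULES):
    """Map each resource to the (rule, level) grants it gets on one record."""
    grants = {}
    members = team.get(record_id, set())
    team_group, team_level = rules["Team"]
    hier_group, hier_level = rules["Team Hierarchy"]
    for member in sorted(members):
        if member in team_group:
            grants.setdefault(member, set()).add(("Team", team_level))
        for boss in management_chain(member, manager):
            if boss in hier_group:
                grants.setdefault(boss, set()).add(("Team Hierarchy", hier_level))
    return grants

def unexpected_access(record_id, approved, **kw):
    """Resources with access to the record that are not on the approved list."""
    return sorted(set(effective_access(record_id, **kw)) - set(approved))
```

Comparing `unexpected_access` output against the list of people the record owner expects shows how far up the management chain a single team assignment reaches.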