25 About Managing Access and Data Security

Enterprise Profitability and Cost Management implements several security layers to ensure that users have the right access to functions and data. Infrastructure security components, which are implemented and managed by Oracle, create a highly secure environment for the service.

Business process-level security is ensured by using the following mechanisms that permit only authorized users to access the application:

  • Single Sign-on (SSO)
  • Role-based access to data and artifacts

User access and data security in Enterprise Profitability and Cost Management is assigned using this process:

  1. Create users: The Identity Domain Administrator creates or imports users using My Services. See Creating Users Using Oracle Cloud Identity Console in Getting Started with Oracle Enterprise Performance Management Cloud for Administrators.
  2. Assign predefined roles: The Identity Domain Administrator assigns users to one of four predefined roles in My Services in order to provide them access to the service environment. See Assigning Roles Using Identity Cloud Service in Getting Started with Oracle Enterprise Performance Management Cloud for Administrators.

    Each predefined role provides a different level of access to business functions and associated data. See About Predefined Roles.

  3. Create groups: After the predefined roles are assigned in My Services, Service Administrators can create groups in Access Control. Assigning roles to groups enables Service Administrators to grant roles to many users at once, thereby reducing administrative overhead. See Managing Groups in Administering Access Control for Oracle Enterprise Performance Management Cloud.
  4. Assign application roles: Service Administrators can extend the capabilities of users and groups by assigning them application roles. See Assigning Roles to a Group or a User in Administering Access Control for Oracle Enterprise Performance Management Cloud.

    Application roles can be assigned to users to enable them to perform functions beyond the access that is granted by a predefined role. See About Application Roles.

  5. Assign access permissions: Access permissions determine how you interact with the contents of the artifacts that are made accessible by your predefined and application role assignments. Service Administrators use access permissions to assign users or groups Read, Write, or None permissions on specific application artifacts such as dimension members, reports, and forms. Service Administrators can also restrict access to certain cell intersections by implementing cell-level security. See Working with Access Permissions.

How Permissions and Data Access are Evaluated

Permissions and data access are evaluated in this order:

  1. Predefined roles. Users with the Service Administrator role have permissions to all application artifacts.
  2. Application roles.
  3. Access permissions that are specifically assigned to a user or a group that a user belongs to.

    Note:

    If one member belongs to two groups with different permissions assigned to group members, the least restrictive permission takes precedence. For example, if one group assigns the member Read permission and another group assigns the same member Write permission, Write takes precedence. However, if one of the groups assigns no permission (None) to its members, None takes precedence over Read and Write.
  4. Parent-level assignments (for example, to parent members or folders).
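
The evaluation order and the Note's conflict rule can be modeled as follows; this is an added example, not Oracle's code. The group names, artifact paths, treating Service Administrator as Write, falling back to the parent only when no direct assignment exists, and defaulting to None when nothing is assigned are all assumptions, and application roles (step 2) are not modeled.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0    # explicit "None" assignment
    READ = 1
    WRITE = 2

def combine(perms):
    """The Note's rule: least restrictive wins, unless any assignment is None."""
    perms = list(perms)
    if not perms:
        return None                      # nothing assigned at this level
    if Perm.NONE in perms:
        return Perm.NONE
    return max(perms)

def effective_permission(user, artifact, acl, groups, parents, admins):
    # 1. Predefined role: Service Administrators reach every artifact
    #    (modeled here as Write, an assumption).
    if user in admins:
        return Perm.WRITE
    principals = {user} | groups.get(user, set())
    node = artifact
    while node is not None:
        # 3. Assignments made to the user or to any group the user belongs to.
        found = [acl[(p, node)] for p in principals if (p, node) in acl]
        result = combine(found)
        if result is not None:
            return result
        # 4. Nothing at this level: consult the parent (assumed fallback).
        node = parents.get(node)
    return Perm.NONE                     # assumed default: unassigned means no access

# Constructed sample data, not taken from any real environment.
GROUPS = {"alice": {"Analysts", "Reviewers"}, "bob": {"Analysts", "Contractors"}}
PARENTS = {"Forms/Q1 Allocation": "Forms", "Forms/Q2 Allocation": "Forms"}
ADMINS = {"dana"}
ACL = {
    ("Analysts", "Forms/Q1 Allocation"): Perm.READ,
    ("Reviewers", "Forms/Q1 Allocation"): Perm.WRITE,
    ("Contractors", "Forms/Q1 Allocation"): Perm.NONE,
    ("Reviewers", "Forms"): Perm.READ,   # parent-level assignment
}

if __name__ == "__main__":
    for user in ("alice", "bob", "dana"):
        for art in ("Forms/Q1 Allocation", "Forms/Q2 Allocation"):
            print(user, art, effective_permission(user, art, ACL, GROUPS, PARENTS, ADMINS).name)
```

The `bob` case is the one to check when auditing group design: a single group with None silently removes access that another group grants.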