Self-Service Optimization Security

When a user is created in Identity Cloud Service, a GUID attribute is created for that user. This attribute maps to the GUID field in the Service Contact record.

Here's how authentication works:

  • Identity Cloud Service is the identity provider for self-service users. Identity Cloud Service uses a local identity provider to authenticate the self-service users.

  • Self-service user accounts are only created in Identity Cloud Service. You just need to set the SVC_CSS_USE_FA_AS_IDP profile option to False to control this behavior. For more information, see the link to the Set Profile Options topic in Related Topics.

  • You have one proxy user for each application persona. The Customer Self Service User and the Customer Service Administrator are two personas, and two separate roles.

  • Each self-service user is associated with a customer contact record in Fusion Service. The GUID field in the Identity Cloud Service user record maps to the GUID field in the Fusion Service contact record.

  • Data in Fusion Service is accessed using a proxy user account with the appropriate functional privileges. The proxy user data service manages access to data in Fusion Service through the appropriate proxy user.

Functional Privileges of the Proxy User

Here's an overview of the functional privileges of the proxy user.

  • Has all the functional privileges given to the proxy user role.

  • Has the FND_IDP_PROXY_USER_PRIV privilege allowing it to act as a proxy user.

Data Privileges of the Proxy User

Data privileges given to the proxy user vary dynamically with the actual user session. The proxy user's data privileges are determined through the proxy user authentication mechanism, as follows:

  • The GUID of the authenticated user is taken from the HTTP header and stored into the session in Fusion Service.

  • The GUID is used to look up the PARTY_ID of the appropriate contact.

  • Data security policy predicates are based on the PARTY_ID of the contact.
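The three steps above, together with the functional privilege check from the previous section, as an added worked example in Python. This is not Oracle's code and models no actual Oracle API: the header name X-User-Guid, the proxy account names and secrets, the VIEW_SERVICE_REQUEST privilege, the contact GUIDs and the service request rows are all constructed assumptions. Only the privilege name FND_IDP_PROXY_USER_PRIV and the GUID and PARTY_ID fields come from the page.

```python
# Added example (not Oracle's code): a minimal model of the proxy-user data access
# pattern described on the page. Names marked "hypothetical" or "constructed" are assumptions.
import hmac
from dataclasses import dataclass

PROXY_PRIV = "FND_IDP_PROXY_USER_PRIV"   # privilege named on the page
GUID_HEADER = "X-User-Guid"              # hypothetical header name; the page does not name it

# Constructed proxy-user accounts: a credential plus functional privileges.
# Only the account holding FND_IDP_PROXY_USER_PRIV may act on behalf of a self-service user.
PROXY_ACCOUNTS = {
    "css_proxy":  {"secret": "proxy-secret", "privs": {PROXY_PRIV, "VIEW_SERVICE_REQUEST"}},
    "plain_user": {"secret": "user-secret",  "privs": {"VIEW_SERVICE_REQUEST"}},
}

# Constructed contact table: GUID from the Identity Cloud Service user -> PARTY_ID of the contact
CONTACTS = {
    "guid-alice-0001": 1001,
    "guid-bob-0002": 1002,
}

# Constructed service request rows; PARTY_ID is the column the data security predicate keys on
SERVICE_REQUESTS = [
    {"sr_id": 1, "party_id": 1001, "title": "Printer offline"},
    {"sr_id": 2, "party_id": 1002, "title": "Password reset"},
    {"sr_id": 3, "party_id": 1001, "title": "Invoice question"},
]


class AccessDenied(Exception):
    """Raised when a proxy request cannot be bound to a self-service contact."""


@dataclass(frozen=True)
class Session:
    proxy_user: str
    guid: str        # the authenticated user's GUID, stored in the session as the page describes
    party_id: int    # resolved from the GUID; drives the data security predicate


def authenticate_proxy_request(proxy_user: str, secret: str, headers: dict) -> Session:
    """Bind a proxy-user request to the self-service contact identified by the GUID header."""
    account = PROXY_ACCOUNTS.get(proxy_user)
    # Functional check: valid proxy credentials and the privilege that permits proxying.
    # The GUID header is only honoured from a caller that passes this check.
    if account is None or not hmac.compare_digest(account["secret"], secret):
        raise AccessDenied("invalid proxy credentials")
    if PROXY_PRIV not in account["privs"]:
        raise AccessDenied(f"{proxy_user} lacks {PROXY_PRIV}")
    # Step 1: take the authenticated user's GUID from the HTTP header into the session
    guid = headers.get(GUID_HEADER)
    if not guid:
        raise AccessDenied(f"missing {GUID_HEADER} header")
    # Step 2: map the GUID to the PARTY_ID of the matching contact; no contact, no session
    party_id = CONTACTS.get(guid)
    if party_id is None:
        raise AccessDenied("no contact record for GUID")
    return Session(proxy_user=proxy_user, guid=guid, party_id=party_id)


def data_security_predicate(session: Session, row: dict) -> bool:
    """Step 3: row-level predicate based on the contact's PARTY_ID."""
    return row["party_id"] == session.party_id


def list_service_requests(session: Session) -> list:
    """Rows visible to this session; the predicate is evaluated on every read."""
    return [r for r in SERVICE_REQUESTS if data_security_predicate(session, r)]


if __name__ == "__main__":
    s = authenticate_proxy_request("css_proxy", "proxy-secret", {GUID_HEADER: "guid-alice-0001"})
    print([r["sr_id"] for r in list_service_requests(s)])  # [1, 3]
```

The points worth checking in a real deployment are the ones the model makes explicit: the GUID header is accepted only after the proxy account's credentials and FND_IDP_PROXY_USER_PRIV have been verified, a GUID with no matching contact record yields no session at all rather than an empty one, and the PARTY_ID predicate is applied server-side on each read instead of being supplied by the client.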