Redwood: Secure Manufacturers Using Access Control Lists

You can now give a set of workers access to certain manufacturers using criteria-based access control. This is especially helpful when you have to give access to manufacturer data based on the different types of workers in the organization.

Access can be controlled through Teams:

  • Team – A team comprises a set of team members, membership conditions, and one or more permission sets.
  • Members and Membership Conditions – Members can be added to the team individually, or derived from a filtered list of workers who match certain membership conditions. For example, workers belonging to the same business unit, location, department, and so on.
  • Permission Sets - Each permission set contains individual permissions. Each permission identifies the object for which permission is given, the conditions that must be met, and the type of access to be granted.

For example, the administrator wants to give component engineers based in New York City or Houston permission to view all manufacturers, while restricting manage permission to some US manufacturers.

To enable criteria-based access control, you must perform these configuration tasks.

  1. Create team members.
  2. Create permission sets with data access conditions.
  3. Create teams, add membership conditions or members, and apply permission sets.

Create Access Control List

Create Team Members

You can create and manage workers who should be part of your teams from Setup and Maintenance --> Product Management --> Users and Security --> Manage Users. Once the users are created, ensure that they have the right set of privileges assigned in the Security Console. For more details, see the Access Requirements section.

Each user should be set up as an appropriate worker type in the application before you can associate them to your teams.

Once you have workers set up, create membership conditions to filter out relevant workers for a team. You can do this from My Client Groups --> Data Exchange Filtered Lists.

Filtered Lists Link from My Client Groups

While creating a condition, fill in the fields as described here:

  1. Name - Provide a name for the membership condition.
  2. Details - Provide a description for the membership condition.
  3. Object - Select Worker Assignment Extract.
  4. Subscriber - Select Product Life Cycle Management.
  5. Status - Set the status as Active.
  6. Create a condition:
  • Select a member attribute (for example, Location or Department).
  • Select an operator (Is one of, Is not one of).
  • Provide the values for the attribute.

A condition can be built on these attributes: Location Code, Location Name, Department Name, Department Title, Legal Employer Name, Assignment User Status, Assignment Status Type, System Person Type, User Person Type, Assignment Category, Position Code, Position Name, and Worker Type.

You can combine multiple conditions with an 'AND' or 'OR' operator. For example, filter members whose location is either 'New York City' OR 'Houston'. The conditions that you create will be available for selection when you create teams.

Membership Condition for Component Engineers in US Locations

Create Permission Sets with Access Conditions

Navigate to the Permission Set Search page from Product Management --> Tasks Menu --> Configure Teams --> Permission Set.

On the Permission Set Search page, you will see a listing of the permission sets that have already been created.

On this search page:

  • You can search for specific permission sets. 
  • Click the permission set name to see details of the permission set.
  • You can sort the list of permission sets by the columns.

Search Page for Permission Sets

To create a permission set, click Create on the Permission Set Search page and add these details:

  1. Name - Unique name of the permission set.
  2. Description - Short description on the permission set.
  3. Add permissions:
  • Object - This contains a list of objects in the application, such as Manufacturer, Item, Change Order, and so on. Access control is currently enabled only on Manufacturers.
  • Condition - This narrows down the object by applying filters on object attributes. Select a condition from the list of available conditions, or create a new condition.
  • Permission - This lets the user select one of Create, View, or Manage, depending on what the team should be able to do.
    • Create Permission - This allows the user to create a manufacturer.
    • View Permission - This allows the user to see the manufacturer attributes in read-only format.
    • Manage Permission - This allows the user to view and edit a manufacturer.

Create and Edit Permission Set Page

In this example, the permission set grants:

  1. View access to all manufacturers in the application.
  2. Manage (view and edit) access to all manufacturers based in the US.

You can also create new conditions from the same page.

Create a Condition

A condition is used to define restrictions on manufacturers based on the manufacturer attributes. Users can create a condition on one or more manufacturer attributes.

Use the Create Condition button in the Permission Set page to create a new condition.

Add these details:

  1. Name - A unique name for the condition.
  2. Description - A short description of the condition.
  3. Active - By default, this is set to Yes.
  4. Add Rule:
  • Attribute - Select the attribute on which you want the rule to be set up. You can add a rule on header or extensible flexfield attributes of manufacturers.
  • Operator - Select an operator such as equals, is, or not equal to.
  • Value - Provide the attribute value.

You can also set up nested rules with a combination of 'AND' and 'OR' to meet your business requirement.

Create Condition

In this example, the US Manufacturers condition filters manufacturers to those whose Country attribute is United States.

Create Teams, Add Membership Conditions, and Apply Permission Sets

Now that you’ve created team members, membership conditions for component engineers based out of New York City and Houston, and permission sets which give view access to all manufacturers and manage access to US manufacturers, you can create teams and associate these to your teams.

To start configuring teams, navigate to the Tasks panel and click Configure Teams.

New Link for Teams in Product Management Experience Section

In the Teams Search page, you can search for existing teams or create new teams. For each team, you can define memberships and select applicable permission sets.

Search Page for Teams

Team members can be added manually or derived from membership conditions.

To create a new team:

  1. In the Teams Search page, click Create.
  2. In the Create Team page, provide these details:
  • Name - Unique name for the team.
  • Description - A short description of the team.
  • Status - Set the status of the team to Active.
  3. In the Membership tab:
  • Add members based on the membership conditions defined for your filtered list.
  • Optionally, add individual members directly.
  4. In the Permission Set tab:
  • Add the permission sets you created in the Permission Set page.

Membership Tab on the Create Team Page

Permission Set Tab on the Create Team Page

All the permissions granted to the team are granted to all the members of the team. If you add a user to multiple teams, that user can access all the manufacturers that each of those teams has access to.

If a new user is created and meets the membership condition defined for a team, then that member automatically gets assigned the team’s privileges for data access.

Similarly, if a user leaves the organization, then that user won’t meet the membership condition, and will no longer have access. If a user moves from one division to another, then the team access will be computed automatically based on the conditions defined for membership rules.

A member or membership condition can be included in multiple teams. A permission set can also be assigned to multiple teams.

The team is inactive by default. After permissions are applied, members can access the data only when the team status is set to active.
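The access model described on this page is easy to reason about once the evaluation rules are written down in one place: membership conditions on worker attributes (Is one of / Is not one of, combined with AND/OR), permission-set conditions on manufacturer attributes (equals / not equal to, nested rules), the union of grants across every active team a worker belongs to, Manage implying View, and membership following the worker's current attributes. The following is an added example, not Oracle's code or API: an in-memory model in which the dataclasses, the attribute names (`Location Name`, `Department Name`, `country`) and the helper functions `evaluate`, `is_member` and `allowed` are assumptions for illustration. It also models the behaviour noted under Tips and Considerations that the create permission is a blanket permission whose condition is not honored.

```python
"""Added example, not Oracle's code: an in-memory model of team-based access
control to manufacturers. Dataclasses, attribute names and helper functions
are assumptions for illustration, not the product's API."""
from dataclasses import dataclass, field
from typing import Any, Optional, Union


@dataclass
class Rule:
    attribute: str   # e.g. "Location Name" (worker) or "country" (manufacturer)
    operator: str    # "equals", "not equal to", "is one of", "is not one of"
    value: Any


@dataclass
class Group:
    op: str          # "AND" or "OR"; groups may nest
    items: list      # Rule or Group


def evaluate(node: Union[Rule, Group], record: dict) -> bool:
    """Evaluate a rule tree against a worker or manufacturer record (a dict)."""
    if isinstance(node, Rule):
        actual = record.get(node.attribute)
        if node.operator == "equals":
            return actual == node.value
        if node.operator == "not equal to":
            return actual != node.value
        if node.operator == "is one of":
            return actual in node.value
        if node.operator == "is not one of":
            return actual not in node.value
        raise ValueError(f"unknown operator: {node.operator}")
    results = [evaluate(item, record) for item in node.items]
    return all(results) if node.op == "AND" else any(results)


@dataclass
class Permission:
    action: str                        # "Create", "View" or "Manage"
    condition: Optional[Group] = None  # None means all manufacturers


@dataclass
class Team:
    name: str
    active: bool = False               # teams are inactive by default
    membership_condition: Optional[Group] = None
    members: set = field(default_factory=set)            # directly added worker ids
    permission_sets: list = field(default_factory=list)  # each entry is a list[Permission]


def is_member(team: Team, worker: dict) -> bool:
    """Membership is direct or derived from the condition, so it follows the
    worker's current attributes: a moved or departed worker drops out."""
    if worker["id"] in team.members:
        return True
    return team.membership_condition is not None and evaluate(team.membership_condition, worker)


def allowed(teams: list, worker: dict, action: str, manufacturer: Optional[dict] = None) -> bool:
    """Union of grants across all active teams the worker belongs to.
    Manage implies View; Create is blanket, so its condition is not honored."""
    for team in teams:
        if not team.active or not is_member(team, worker):
            continue
        for pset in team.permission_sets:
            for perm in pset:
                if action == "Create":
                    if perm.action == "Create":
                        return True
                    continue
                if perm.action == "Create":
                    continue
                if perm.action == "View" and action == "Manage":
                    continue
                if perm.condition is None or (manufacturer is not None and evaluate(perm.condition, manufacturer)):
                    return True
    return False


# Constructed sample data mirroring the page's example: component engineers in
# New York City or Houston may view all manufacturers and manage US ones.
US_MANUFACTURERS = Group("AND", [Rule("country", "equals", "United States")])
COMPONENT_ENGINEERS_US = Group("AND", [
    Rule("Department Name", "equals", "Component Engineering"),
    Rule("Location Name", "is one of", {"New York City", "Houston"}),
])
TEAM = Team(
    name="US Component Engineers", active=True,
    membership_condition=COMPONENT_ENGINEERS_US,
    permission_sets=[[Permission("View"), Permission("Manage", US_MANUFACTURERS)]],
)
ALICE = {"id": "w1", "Department Name": "Component Engineering", "Location Name": "Houston"}
BOB = {"id": "w2", "Department Name": "Component Engineering", "Location Name": "London"}
ACME = {"name": "Acme Parts", "country": "United States"}
EXAMPLE_GMBH = {"name": "Example GmbH", "country": "Germany"}

if __name__ == "__main__":
    print(allowed([TEAM], ALICE, "View", EXAMPLE_GMBH))    # True: view all
    print(allowed([TEAM], ALICE, "Manage", EXAMPLE_GMBH))  # False: manage only US
    print(allowed([TEAM], BOB, "View", ACME))              # False: not a member
```

Re-running `is_member` after a worker record changes is what the Update the Members List scheduled process does on a schedule: Bob gains access the moment his location becomes Houston and loses it again when he leaves, without anyone editing the team.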

Update Team Data

Updates to team data can be managed by the following scheduled processes.

  • Refresh the Access Control List for Teams - Run this job when you want to reset the access control list for teams completely.
  • Update the Members List Based on Membership Criteria - Run this job the first time you associate membership conditions with the team. You can specify the frequency at which the member list should be refreshed, based on how often member data is likely to change. You can also run this job on demand when members are moving between divisions, joining the organization, or leaving the organization and you want to refresh the data before the next scheduled refresh. For this job to work, you must enable Atom Feeds. For more information, see Atom Feeds.

Scheduled Process to Update Team Data

This feature benefits your business by providing:

  • Controls to define who has access to your manufacturer data.
  • Flexibility to add granular access conditions for different workers. 
  • Easy identification of exactly what privileges are assigned to each user. 
  • Reduced time and effort when managing the security of your manufacturer data because your list of workers can be built dynamically based on specified conditions.

Steps to Enable

Use the Opt In UI to enable this feature. For instructions, refer to the Optional Uptake of New Features section of this document.

Offering: Product Management

Tips And Considerations

  • Access control through teams must be provided along with the necessary functional privileges assigned from Security Console.
  • To access manufacturers in Redwood, users must be defined as workers. A worker is a person who has a work relationship with a legal employer within the enterprise.
  • Ensure that the members you create from Security Console are linked to a person record through Setup and Maintenance --> Product Management --> Users and Roles --> Manage Users, before you add them to a team.
  • If you have added new extensible flexfields, you must deploy these for the security to be defined based on those attributes.
  • If you make any updates to the permission sets or conditions containing extensible flexfield attributes, you must rebuild the index for manufacturers to apply the updates.
  • You can use both active and inactive membership conditions while creating membership rules for teams.
  • The create permission on manufacturers is a blanket permission and no conditions can be applied. Even if you specify a condition along with the create permission on manufacturers, the condition isn't honored and the user will be able to create any manufacturer.
  • When the State attribute is modified or added in a condition used in a permission set, you must rebuild the index for manufacturers to apply the updates.
  • This feature is applicable on manufacturers in Redwood.

Key Resources

Access Requirements

Users who are assigned a configured job role that contains these privileges can access this feature:

To configure manufacturer conditions using a filtered list:

  • Use REST Service - Identity Integration (ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV)
  • Use Atom Feed - Employees Workspace (PER_ATOM_WORKSPACE_ACCESS_EMPLOYEES_PRIV)
  • Manage HCM Lists (HRC_MANAGE_HCM_LISTS_PRIV)
  • Human Capital Management Application Administrator (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)

To configure teams, permission sets, and conditions:

  • Monitor Product Development (ACA_MONITOR_PRODUCT_DEVELOPMENT_PRIV)
  • Configure Access Control Teams, Permission Sets, and Conditions (EGP_ACCESS_CONTROL_TEAMS_PRIV)
  • Use REST Service - Identity Integration (ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV)
  • Use Atom Feed - Employees Workspace (PER_ATOM_WORKSPACE_ACCESS_EMPLOYEES_PRIV)
  • Manage HCM Lists (HRC_MANAGE_HCM_LISTS_PRIV)
  • Manage HCM Rules (HRC_MANAGE_HCM_RULES_PRIV)
  • Run Scheduled Processes (HEY_RUN_SCHEDULED_PROCESSES_PRIV)
  • Manage Scheduled Processes (FND_MANAGE_SCHEDULED_PROCESSES_PRIV)

To access the secured manufacturer data:

  • Create Manufacturer (EGP_CREATE_MANUFACTURER_PRIV)
  • View Manufacturers (EGP_VIEW_MANUFACTURER_PRIV)
  • Manage Manufacturers (EGP_MANAGE_MANUFACTURER_PRIV)

To access journeys setup and configure the roles in role hierarchy:

  • Manage Journey (ORA_PER_MANAGE_JOURNEY_TEMPLATE)
  • Manage Guided Journeys (ORA_PER_MANAGE_GUIDED_JOURNEYS)
  • Use REST Service - Guided Journeys Read Only (ORA_PER_REST_SERVICE_ACCESS_GUIDED_JOURNEYS_RO)
  • Use REST Service - Journey Categories List of Values (ORA_PER_REST_SERVICE_ACCESS_JOURNEY_CATEGORIES_LOV)

To access business rules:

  • Administer Sandbox (FND_ADMINISTER_SANDBOX_PRIV)