Redwood: Use Enhanced Access Control Lists for Items

You can now leverage these enhancements for access controls list on items.

  • Delete a condition that isn’t used in any permission set.
  • Add the Structure Item Type and multi-select extensible attributes in conditions.
  • Secure the items appearing in the workflow summary and Oracle Transactional Business Intelligence (OTBI) reports.
  • Secure items appearing in workflow notifications.

Delete a Condition

Delete a condition that isn’t used in any permission set. Here’s how:

  1. Navigate to the Search Conditions page.
  2. Select one or more conditions that you want to delete. Note that you can delete conditions created on items as well as other objects.
  3. Click Delete.

Select and Delete Conditions from the Search Conditions Page

Select and Delete Conditions from the Search Conditions Page

Structure Item Type Attribute in Item Conditions

Create a condition based on the Structure Item Type attribute. You can also include the basic and extensible flexfield attributes.

Structure Item Type Attribute in the New Condition Drawer

Structure Item Type Attribute in the New Condition Drawer

Add Multiselect Extensible Attributes in Conditions on Items

Add multiselect attributes in item conditions. This will help you filter down items using multi select attributes.

Multiselect Attribute Named Color in New Condition for an Item

Multiselect Attribute Named Color in New Condition for an Item

Generate Workflow Summary Report

When you generate the workflow summary report from Redwood pages, you can only view items for which you have one of the following permissions: Discover, View, and Manage permissions.

To generate the report, click Actions > Generate Summary Report.

Generate Summary Report Action on the Change Order

Generate Summary Report Action on the Change Order

Generate Summary Report Drawer

Generate Summary Report Drawer

Oracle Transactional Business Intelligence

The  OTBI report for items can now be secured by an access control list when the following feature is enabled: Enable Access Control List for Items. 
You can access item-related data in the report if you have the View or Manage permission on the item.
The secured report is available in the following subject areas:

  • Product Management - Item Catalog Category Hierarchy Real Time
  • Product Management - Item Supplier Associations Real Time
  • Product Management - Structures and Components Real Time
  • Product Management - Structures Real Time
  • Product Management - Where Used Real Time

Secure Items in Notifications Generated Using Oracle Analytics Publisher

Secure items appearing in the workflow notifications as per the configuration in the access control list. If you have the View or Manage permissions on an item, you can view the item details in the notification or manage items from the notification.

Scheduled Processes

  • Refresh the Access Control List for the Teams: This process runs automatically whenever you save a permission set used in a team or add a permission set to a team. If you disable and then enable the profile option (Enable Access Control List for Items), you'll need to run this process manually.

  • Update the Members List Based on Membership Criteria: Run this first time you associate filtered lists to the team. You can specify the frequency at which the member list should be refreshed, based on how often member data is likely to change. You can run this job when members are moving divisions, joining the organization or leaving the organization and you want to refresh the data before the scheduled refresh. You must enable Atom Feeds for this. For more information, see Atom Feeds.

This enhancement benefits your business by the following:

  • Provides the ability to delete conditions that allows for clean-up of unused data.

  • Provides additional control by allowing you to create conditions based on structure item type and multi-select attributes, as well as manage item visibility in reports.

Steps to Enable

To use criteria-based access control for items, you must enable the profile option Enable Access Control List for Items. By default, the profile option is set to No.

On enabling the profile option, the items continue to honor the existing security settings till you create a permission and permission set.

NOTE: Once the profile option is enabled and a permission is created for an item, all items in the application will become private, regardless of their current public or private settings. You must manually assign user permissions to these items.

Tips And Considerations

  • You can delete up to 25 conditions in a single operation from the search page. If you select more than 25 conditions, the delete action will be disabled.

  • The Generate Summary Report action will honor the Access Control List only when it’s launched from Redwood pages.

  • The extensible and descriptive flexfields appearing in notifications aren’t secured by Access Control Lists.

Key Resources

Access Requirements

Users who are assigned a configured job role that contains these privileges can access this feature:

To configure conditions for items using a filtered list:

  • Use REST Service - Identity Integration (ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV)

  • Use Atom Feed - Employees Workspace (PER_ATOM_WORKSPACE_ACCESS_EMPLOYEES_PRIV)

  • Manage HCM Lists (HRC_MANAGE_HCM_LISTS_PRIV)

  • Human Capital Management Application Administrator (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)

To configure teams, permission sets, and conditions:

  • Manage Landing Page Layout (EGP_MANAGE_LANDING_PAGE_LAYOUT_PRIV)

  • Access Clipboard (ACA_ACCESS_CLIPBOARD_PRIV)

  • Access HCM Common Components (HRC_ACCESS_HCM_COMMON_COMPONENT)

  • Manage Search Consumer Applications Rest (EGP_MANAGE_SEARCH_CONS_REST_PRIV)

  • Monitor Product Development (ACA_MONITOR_PRODUCT_DEVELOPMENT_PRIV)

  • Configure Access Control Teams, Permission Sets, and Conditions (EGP_ACCESS_CONTROL_TEAMS_PRIV)

  • Use REST Service - Identity Integration (ASE_REST_SERVICE_ACCESS_IDENTITY_INTEGRATION_PRIV)

  • Use Atom Feed - Employees Workspace (PER_ATOM_WORKSPACE_ACCESS_EMPLOYEES_PRIV)

  • Manage HCM Lists (HRC_MANAGE_HCM_LISTS_PRIV)

  • Manage HCM Rules (HRC_MANAGE_HCM_RULES_PRIV)

  • Run Scheduled Processes (HEY_RUN_SCHEDULED_PROCESSES_PRIV)

  • Manage Scheduled Processes (FND_MANAGE_SCHEDULED_PROCESSES_PRIV)

  • Access Product Management Landing Page (EGP_ACCESS_LANDING_PAGE_PRIV)

  • Manage Scheduled Job Definition (FND_MANAGE_SCHEDULED_JOB_DEFINITION_PRIV)

  • Access Users (EGP_ACCESS_USERS_PRIV)

  • Manage Item Redwood Items (EGP_MANAGE_REDWOOD_ITEM_PRIV)

  • View product management search (EGP_VIEW_PRODUCT_MGT_SEARCH_PRIV)

  • Get Item Attribute Control REST (EGP_ITEM_ATTRIBUTE_CONTROL_READ_PRIV)

  • Get Item Lifecycle Phases Read Rest (EGP_ITEM_LIFECYCLE_PHASES_READ_REST_PRIV)

  • Get Item Status REST (EGP_ITEM_STATUSES_READ_PRIV)

  • Get Template REST (EGP_TEMPLATE_READ_PRIV)

  • View Global Inventory Organizations List of Values by Web Service(RCS_GLOBAL_VIEW_INV_ORG_LOV_WEB_SERVICE_PRIV)

  • View Units Of Measure List of Values by Web Service(RCS_VIEW_UNITS_OF_MEASURE_LOV_WEB_SERVICE_PRIV)

  • Get Item Class Rest (EGP_GET_ITEM_CLASS_REST_PRIV)

  • View Item (EGP_VIEW_ITEM_PRIV)

  • View Feature States Value by Web Service (RCS_VIEW_FEATURE_STATES_WEB_SERVICE_PRIV)

  • Use REST Service - Users and Roles Lists of Values (PER_REST_SERVICE_ACCESS_USERS_AND_ROLES_LOVS_PRIV)

To access the secured items, users must be assigned the relevant item privilege along with the following:

  • View Feature States Value by Web Service (RCS_VIEW_FEATURE_STATES_WEB_SERVICE_PRIV)

To access journeys setup and configure the roles in role hierarchy:

  • Manage Journey (ORA_PER_MANAGE_JOURNEY_TEMPLATE)

  • Manage Guided Journeys (ORA_PER_MANAGE_GUIDED_JOURNEYS)

  • Use REST Service - Guided Journeys Read Only (ORA_PER_REST_SERVICE_ACCESS_GUIDED_JOURNEYS_RO)

  • Use REST Service - Journey Categories List of Values (ORA_PER_REST_SERVICE_ACCESS_JOURNEY_CATEGORIES_LOV)

To access business rules:

  • Administer Sandbox (FND_ADMINISTER_SANDBOX_PRIV)

Additionally, add the following to access an object report:

  • Product Catalog Transaction Analysis Duty (FBI_PRODUCT_CATALOG_TRANSACTION_ANALYSIS_DUTY)

  • Product Transaction Analysis Duty (FBI_PRODUCT_TRANSACTION_ANALYSIS_DUTY)

  • BI Consumer Role (BIConsumer)