Security Overview

In Oracle Fusion Cloud Risk Management, you grant access to functionality by assigning job roles (and through them, duty roles and privileges). You grant access to data by appointing users who can work with each record as you create or edit that record.

Roles in Oracle Risk Management

A job role conceptually represents a job that a user performs in an organization. It typically provides broader functional access than a duty role, which represents one or more tasks included within a job.

Even so, either role type may define function security policies, role hierarchies, or both. A function security policy grants privileges to complete specific tasks. A role hierarchy is a set of subordinate roles; the parent role inherits functional access from them.

A job role provides broad enough access for assignment to a user. You can assign job roles directly to users, but you can't assign duty roles. A user is granted duty roles only indirectly, as elements in the hierarchy of a job role.

You can assign predefined job roles to users, or you can create and manage both job and duty roles. You'd use Oracle Applications Security, also known as the Security Console, to create your own roles.

Data Security in Oracle Risk Management

To have access to data records, a user must first be "eligible" and then "authorized." To be eligible for records of an object, a user must be assigned a role that grants privileges to work with that type of object. To be authorized for a record, an eligible user must be appointed as its owner, editor, or viewer. A user has access only to records for which he or she's authorized.

The eligible user who creates a record is authorized automatically as its owner, and that person may select other eligible users as owners, editors, or viewers.

  • An owner can modify the details of a record, including its security configuration (the selection of users who can work with the record, and the level of their access).

  • An editor can't change the security configuration, but can modify other details.

  • A viewer can see record details, but can't change them.

If you assign predefined roles to users, owners may select those users for records at any of the three levels. An owner can authorize less access for a record than a user's role allows. For example, an owner may select a user as a viewer of a transaction model. If so, that user can't edit the model, even if he or she remains eligible to be authorized as an editor or owner of other models.

Owners may also assign data-security rights that are specific to individual applications. For example, a user may have a role that grants rights to review or approve records in Oracle Fusion Cloud Financial Reporting Compliance. But those rights would apply only to records whose owners have authorized the user as a reviewer or approver.

Owners may authorize individual users for records, or may select user assignment groups. Each group is a set of users with an authorization for a type of object. Assigning groups to records is typically the more efficient approach to managing security: As users move into and out of positions in your organization, they can be added to or removed from user assignment groups. This effectively grants or rescinds their access to records the groups are associated with. You create groups in a Risk Management Data Security work area.
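The following is an added example, not code from Oracle's documentation or product: a small Python model of the eligible-then-authorized check described above, with owner, editor and viewer levels and user assignment groups. The role names, privilege table and data structures are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: which object types each role is privileged to work with
# (this is what makes a user "eligible"). Role names are hypothetical.
ROLE_PRIVILEGES = {
    "Model Manager": {"transaction_model"},
    "Model Reviewer": {"transaction_model"},
}
LEVELS = {"viewer": 1, "editor": 2, "owner": 3}

@dataclass
class User:
    name: str
    roles: set
    groups: set = field(default_factory=set)  # user assignment group names

@dataclass
class Record:
    object_type: str
    # Security configuration: user or group name -> "owner" | "editor" | "viewer"
    authorizations: dict

def is_eligible(user, object_type):
    return any(object_type in ROLE_PRIVILEGES.get(r, ()) for r in user.roles)

def level(user, record):
    """Effective level: 0 unless the user is eligible AND appointed (directly or via a group)."""
    if not is_eligible(user, record.object_type):
        return 0
    names = {user.name} | user.groups
    return max((LEVELS[l] for n, l in record.authorizations.items() if n in names), default=0)

def can_view(user, record):   return level(user, record) >= LEVELS["viewer"]
def can_edit(user, record):   return level(user, record) >= LEVELS["editor"]
def can_secure(user, record): return level(user, record) >= LEVELS["owner"]

def create_record(creator, object_type):
    if not is_eligible(creator, object_type):
        raise PermissionError(f"{creator.name} has no role for {object_type}")
    return Record(object_type, {creator.name: "owner"})  # creator is owner automatically

def appoint(owner, record, grantee, lvl):
    """Only an owner changes the security configuration; a user must be eligible first."""
    if not can_secure(owner, record):
        raise PermissionError(f"{owner.name} is not an owner")
    if isinstance(grantee, User):
        if not is_eligible(grantee, record.object_type):
            raise PermissionError(f"{grantee.name} is not eligible")
        grantee = grantee.name
    record.authorizations[grantee] = lvl
```

Note that an owner can appoint an eligible user as a viewer only, so a role that would allow editing never by itself grants edit access to a record.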

Business Object Security

Within Oracle Fusion Cloud Advanced Controls, transaction models and controls define risks, then uncover transactions displaying those risks. Business objects provide business-application data for models and controls to analyze. As a further element of data security, you can select the business objects each user has access to. You make these selections in the Risk Management Data Security work area.