4 Users and Security

This chapter contains the following:

User Setup Overview

Overview of Setting Up Users and Security

If you followed the steps in the Getting Started with Your Sales Implementation guide to set up your initial set of users, then you already know that Oracle applications secure access to functionality and data using role-based access control. In a role-based access control model, users are assigned roles, and roles are assigned access privileges to protected system resources.

Sales users who access the transactional UI, for example sales representatives working in leads and opportunities, are created as resources and are known as sales resources.

Default Preferences

To set up default preferences for users and roles, access the Security Console as a setup user or other user with the IT Security Manager job role. Only setup users, or other users with the IT Security Manager job role, can access the Security Console.

User Identity Store

The Lightweight Directory Access Protocol (LDAP) identity store is a repository of user identity data. Your LDAP directory stores definitions of LDAP user accounts. In general, changes you make to user accounts are automatically synchronized between the sales application and your LDAP directory server. However, you must also run processes on a daily basis to manage the information exchange between your application and the LDAP directory server. For information, see the chapter about setting up application security in the Securing CX Sales and B2B Service guide.

Setup Tasks in the UI and Other Setup Options

As a setup user, you use multiple different tasks in Setup and Maintenance to create and maintain users. You also have additional setup options to consider. The following table describes these tasks and setup options.

Setup Task or Option and Navigation Description

Manage Job Roles Task

Navigation: Setup and Maintenance > Sales Offering > Users and Security functional area

Oracle provides many predefined job roles. The relevant sales roles are listed in the Getting Started with Your Sales Implementation guide.

You perform the Manage Job Roles task to:

  • Review the role hierarchy of a job or abstract role.

  • Create custom job and abstract roles.

  • View the roles assigned to a user and list the users who have a specific role.

This task opens the Roles tab of the Security Console.

Manage Duties Task

Manage Sales and Service Access Management Task

Navigation: Setup and Maintenance > Sales Offering > Users and Security functional area

You perform the Manage Duties task to:

  • Review the duties of a job or abstract role.

  • Manage the duties of a custom job or abstract role.

  • Create custom duty roles.

This task opens the Roles tab of the Security Console.

Manage Data Security Policies Task

Manage Sales and Service Access Task

Navigation: Setup and Maintenance > Sales Offering > Users and Security functional area

You use the Manage Data Security Policies task to manage the data security policies that determine grants of entitlement to a user or role on an object or attribute group. This task opens the Roles tab of the Security Console.

You can also use the Manage Sales and Service Access task to review and configure data security. This task opens the Sales and Service Access Management work area. For information, see the Securing CX Sales and B2B Service guide.

Users and Roles Task

Navigation: Navigator > Users and Roles item or Setup and Maintenance > Sales Offering > Users and Security functional area

You create application users in the UI using the Users and Roles task. A user with the IT Security Manager job role performs the Manage Users tasks.

Note: You can also create sales users by importing users. For information on the user import options available, see the Understanding Import and Export Management for CX Sales and B2B Service and Getting Started with Your Sales Implementation guides.

Manage HCM Role Provisioning Rules Task

Navigation: Setup and Maintenance > Sales Offering > Users and Security functional area

Oracle provides predefined role mapping rules for provisioning many of the standard job roles included with the application. However, using the Manage HCM Role Provisioning Rules task, you can create any additional role mappings you need to control the provisioning of roles to application users. For example, you can create a role mapping to provision the Channel Sales Manager role automatically to specific sales managers.

Import and Export Management

You can import users in bulk using data files. For information on the user import options available, see the Understanding Import and Export Management for CX Sales and B2B Service and Getting Started with Your Sales Implementation guides.

Import Partner Users Task

You can also import partner contact data using the Import Partner Users task. For more information, see the Getting Started with Your Partner Relationship Management Implementation guide.

Single Sign-On Authentication

Single sign-on authentication is optionally available for user authentication. If your enterprise has moved from a traditional on-premises environment to an Oracle Cloud implementation, you might want to use your existing identity management solution for authenticating your employees, and you might also want to provide a single sign-on experience. Implementing federated single sign-on lets you provide users with single sign-on access to applications and systems located across organizational boundaries. For additional information, see Oracle Applications Cloud Service Entitlements (Doc ID 2004494.1) on My Oracle Support at https://support.oracle.com.

Resetting User Passwords

Setup users provisioned with the IT Security Manager job role can use the Users tab in the Security Console work area to reset passwords for all application users. Users who can't access the Security Console can reset only their own passwords using the Set Preferences link in the Settings and Actions menu available by clicking their user name in the application or by using the Forgot Password link on the sign-in page. See the Getting Started with Your Sales Implementation guide for more information.

Updating Email Addresses

Use the Users tab in the Security Console work area to change user email addresses. You can use the procedure described in this topic to update addresses of both setup users and sales users. If you're updating the email addresses of sales users, then you can also use the same import process you use to create them. See the Getting Started with Your Sales Implementation guide for more information.

Note: Other data security tasks listed in the Users and Security functional area task list don't apply to the sales applications. Follow the guidance in the Getting Started with Your Sales Implementation guide and the Securing CX Sales and B2B Service guide.

Overview of Defining Setup Users

One of your first tasks when setting up the application is the creation of users who can perform setup tasks.

Oracle creates an initial user for you when your environment is provisioned. This initial user is configured to perform security tasks, such as creating other users and granting additional privileges. As an initial user you can create users, known as setup users, to help with application setup. The setup user performs the tasks in implementation projects, sets up enterprise structures, creates application users, and administers security.

Use the Manage Users task in the Setup and Maintenance work area to create setup users. You can access this task in the Setup and Maintenance work area by selecting these options:

  • Offering: Customer Data Management

  • Functional Area: Users and Security

  • Task: Manage Users

For information about creating setup users, see the Getting Started with Your Sales Implementation guide.

Configure Password Policies

The applications have default settings around the user sign-in policies. For example, by default, users have 90 days before their sign-in passwords expire. You can change this default value, and you can configure other sign-in parameters. See the related topics for more information.

Discard Domain Emails

During an implementation, you set up users and test business flows that trigger automatic emails. During this stage of setup, you probably don't want emails being sent to real users, so you can simply use discard email domains that Oracle has made available.

Discard Email Domains

Oracle recommends that you don't use fictitious email addresses, because this causes email bounces. Fictitious emails generally take three forms:

  • An incorrect user identifier at a valid domain

  • A random domain

  • A domain that doesn't exist

Using fictitious email addresses can have numerous negative consequences, including unintentionally sending email to a real person or damaging the reputation of the IP address that sends out the email, potentially flagging it as a sender of spam. For example, you might send an email to tina.best@ssf.com, thinking that ssf is just a random alphabetic sequence and not an actual domain. However, your email is actually sent to Spruce Street Foods (ssf.com). The Spruce Street Foods email server must then determine if there is a valid recipient and, if not, make a reputation decision about the sender's IP address.

To avoid these undesirable conditions, Oracle has established email domains in each of its data centers that you can use temporarily during setup. Any email sent from Oracle cloud applications to one of the discard domains doesn't leave the data center. Instead, it's discarded by the mail servers during the send process. You can turn any recipient address into a discard address by replacing the domain information with one of the discard domains. So, in the example presented here, we might use tina.best@discard.mail.us1.cloud.oracle.com.

Here are the discard domains and the data centers that they're associated with:

Discard Domain                          Data Center
@discard.mail.us1.cloud.oracle.com      Austin
@discard.mail.us2.cloud.oracle.com      Chicago
@discard.mail.us6.cloud.oracle.com      Ashburn
@discard.mail.ca2.cloud.oracle.com      Markham
@discard.mail.ca3.cloud.oracle.com      Calgary
@discard.mail.ap1.cloud.oracle.com      Sydney
@discard.mail.ap2.cloud.oracle.com      Singapore
@discard.mail.em1.cloud.oracle.com      Linlithgow
@discard.mail.em2.cloud.oracle.com      Amsterdam
@discard.mail.em3.cloud.oracle.com      Slough
@discard.mail.em4.cloud.oracle.com      Frankfurt
@discard.mail.em5.cloud.oracle.com      Munich

Discard domains cross data center boundaries. You can use any of them, no matter which data center supplies your service. Oracle provides data center-specific domains in case you're concerned about geopolitical boundaries and want to ensure that discard data remains in your data center region.

Discard domains are also available for government and defense data centers. For details on these restricted data centers, log a service request for cloud operations through My Oracle Support.

If you're importing your users, you can use the discard domains in your import file and then go back later and re-import the users with the real domain information. For more information on importing users, see the importing users topics in the Getting Started with Your Sales Implementation guide.
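The domain replacement described above, applied to a user import file, as an added example that is not Oracle's code. The CSV layout, the `EmailAddress` column name, and the function names are assumptions; the discard domains are the ones listed on this page. It returns a map from each discard address back to the real one for the later re-import, and it rejects rows that can't be made safe.

```python
import csv
import io

# Region codes of the discard domains listed in the table on this page.
REGIONS = ("us1", "us2", "us6", "ca2", "ca3", "ap1", "ap2",
           "em1", "em2", "em3", "em4", "em5")
DISCARD_DOMAINS = {f"discard.mail.{r}.cloud.oracle.com" for r in REGIONS}

# Constructed sample import file; the column names are assumptions.
SAMPLE = """FirstName,LastName,EmailAddress
Tina,Best,tina.best@ssf.com
Adam,Smith,adam.smith@example.com
Sam,Hayes,not-an-address
"""


def to_discard(address, discard_domain):
    """Replace the domain of address with one of the listed discard domains."""
    if discard_domain not in DISCARD_DOMAINS:
        raise ValueError(f"not a listed discard domain: {discard_domain}")
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain.lower() in DISCARD_DOMAINS:
        return address.strip()  # already a discard address
    return f"{local}@{discard_domain}"


def rewrite_import(csv_text, discard_domain, email_column="EmailAddress"):
    """Return (rewritten_csv, restore_map, rejected_line_numbers)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if email_column not in (reader.fieldnames or []):
        raise KeyError(f"column {email_column!r} not in import file")
    out = io.StringIO()
    writer = csv.DictWriter(out, reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    restore, rejected = {}, []
    for row in reader:
        real = (row[email_column] or "").strip()
        try:
            safe = to_discard(real, discard_domain)
        except ValueError:
            rejected.append(reader.line_num)  # drop rows that can't be made safe
            continue
        # The same local part at two real domains would collapse to one address.
        if restore.get(safe, real) != real:
            raise ValueError(f"collision on {safe}")
        restore[safe] = real
        row[email_column] = safe
        writer.writerow(row)
    return out.getvalue(), restore, rejected


if __name__ == "__main__":
    text, restore, rejected = rewrite_import(SAMPLE, "discard.mail.us1.cloud.oracle.com")
    print(text, restore, rejected, sep="\n")
```

Keep the returned restore map with the test import file so that the later re-import can put back the real addresses.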

About the Sales Administrator

A user with the Sales Administrator job role performs most setup tasks related to the sales applications.

Although he doesn't participate directly in the sales process, you create the sales administrator user as a sales resource and employee in the organization hierarchy. For steps, see the Getting Started with Your Sales Implementation guide.

Here are the tasks the sales administrator user typically performs:

  • Download task lists and setup reports.

  • Set sales profile options.

  • Configure extensible lookups for sales.

  • Run most of the scheduled processes for sales.

  • Configure pages in Application Composer and Page Composer.

  • Set up the sales calendar.

  • Set up accounts and contacts options.

  • Manage global search options.

  • Function as a centralized territory administrator.

  • Configure opportunities.

  • Configure forecast criteria.

  • Administer sales quotas.

  • Configure work assignment.

  • Manage price books.

  • Create and manage sales products and promotions.

  • Set up and administer the sales catalog.

  • Set up mobile applications.

  • Set up partner functionality.

  • Perform configuration tasks.

  • Perform data import and export.

  • Add and configure sales infolet pages.

  • Add analytics to application pages, such as accounts, leads, and opportunities.

  • Add analytics to the Analytics page.

  • Create analytics in business intelligence (BI).

  • Edit analytics in BI.

Note: The sales administrator doesn't have the same setup permissions as a setup user. He has permissions required to set up and administer sales features and components, but not the higher-level permissions required to implement enterprise and security features.

You can find more information about user setup in the related guides.

Restricted Users

Sales Restricted Users

To do their jobs effectively, users must be able to view all the data that's relevant to their role in the enterprise. But not all users also require the ability to create, update, or delete that data. You can create sales application users who have extensive privileges to view sales data, but limited privileges to change data, by provisioning users with the Sales Restricted User job role.

Access Provided by the Sales Restricted User Job Role

Users assigned the Sales Restricted User job role can:

  • View accounts, contacts, leads, and opportunities.

  • Create and modify reports and analytics.

  • Update, create, and manage service requests.

  • Create, update, and delete notes, tasks and activities for the Activity object.

  • Edit forecasts.

  • Access content in Oracle Sales Lightbox.

Assigning the Sales Restricted User job role to the following types of users provides these users with the visibility into sales data that they require, without assigning them excess privileges.

  • Back-office users can view reports, edit forecasts, and view activities and interactions.

  • Service representatives can view all the information available for a customer and can see leads and opportunities.

  • Seasonal or administrative users can view leads and opportunities.

For additional information about creating restricted sales users, see the topic Create Sales Restricted Users.

Create Sales Restricted Users

You can create sales application users who have extensive privileges to view sales data, but limited privileges to create, update, or delete that data, by assigning users the Sales Restricted User job role. For example, you might want to assign the Sales Restricted User job role to accounting or legal users, to seasonal or administrative users, or to users who are assigned an Essential User license. The Essential User license provides a user with a read-only subscription to the cloud service.

Use these steps to create a sales restricted user.

  1. Create the user who's to have restricted access to the application.

    For information about this task, see the topic Creating Sales Application Users.

  2. When creating the user, specify these values.

    Field            Value
    Person Type      Employee
    Resource Role    Sales Restricted User

  3. In the Roles region, click Autoprovision Roles.

    The user is automatically assigned the following roles:

    • Sales Restricted User job role

    • Resource abstract role

    • Employee abstract role

      A predefined rule automatically assigns the Employee abstract role to all active users who are created as employees.

Records Transfer Between Users

About Transferring Records Between Users

Mass transfer of records lets you move records from one user to another. A record owner or any user higher than the owner in the role or territory hierarchy can transfer records from one user to the other.

Before transferring records, you must understand:

  • Record Types

  • Record Filters

  • Record Transfer Status

Record Types

Record types are broad categories of objects or information related to a user, for example, the Deal Registrations associated with a user. Currently, you can mass transfer Leads, Opportunities, Deal Registrations, and all custom objects, excluding the vertical custom object, that belong to a user. You can't mass transfer Accounts and Contacts.

Record Filters

Record filters let you refine the list of records associated with the user for a record type. For example, you can transfer only deal registrations that were created during a time period. You can't specify filters for all record types. The Transfer Records: Define Filters page lets you view the record types that allow filtering, and specify the record filters.

Record Transfer Status

Record transfer statuses appear in the Mass Transfer Status page and show the status of transfer jobs. The Mass Transfer tool processes records to ensure data integrity before transferring the records from one user to the other.

A Record Transfer job can have one of these statuses:

  • In Progress: Transfer job is currently in process.

  • Completed: Transfer job has been completed without errors.

  • Errors: Transfer job has resulted in an error.

You can click on the transfer job name to view the record types that were transferred, the status of each record type, and the log file associated with a record type.

Transfer Records Between Users

This procedure describes how you can transfer records from one user to the other using the Mass Transfer tool.

To transfer records from one user to another:

  1. Navigate to Mass Transfer from the Tools menu.

  2. In the Mass Transfer Status page, click Transfer Records.

  3. In the Transfer Records: Select Owners and Records page, search for the current owner and the new owner of the records. For example, if you're transferring from Adam Smith to Samantha Hayes, then select Adam Smith as the current owner and Samantha Hayes as the new owner.

  4. Select the types of records you want to transfer. For example, if you're transferring opportunities and leads, then select Opportunities and Sales Leads.

    The Transfer Details column lists the types of records that will be transferred.

  5. Click Next.

    In the Transfer Records: Define Filters page, you specify filters for record types you have selected. For example, you can specify the start and close dates for opportunities to transfer the opportunities that were closed during a specified period of time.

  6. Select a record type to view the filters available, and specify the filters.

  7. Click Submit.

  8. Click Yes in the confirmation dialog box.

The Mass Transfer Status page lists the recent mass transfer jobs and their statuses.