19 Access Groups

Overview of Access Groups

Use access groups to provide sales resources with additional access to sales object data. Access groups are an alternative way of granting data permissions to users, and they use a different access path to that provided by the predefined data security policies.

An access group uses the access control list model. You create an access group, assign users to the access group and all group members are given access to standard or custom object data. You define object sharing rules which provide users with access to the specific records of an object. These rules specify the type of access to an object to be provided and the conditions under which the access is provided. For example, users might be granted access to:

  • All opportunities with a status of Open

  • All accounts where country is set to UK

You can also define the type of data access provided, for example, Full access or Read access.

A user can be assigned to one or more access groups and will have the access assigned to each group. So if Lisa Jones is assigned to Access Group A, which provides access to opportunities, and Access Group B, which provides access to Accounts, she receives the access provided by both groups. You can also use one access group to assign access to multiple objects.

Supported Objects

Use access groups to provide data access to these objects:

  • Accounts

  • Contacts

  • Opportunities

  • Leads

  • Partners

  • Custom objects

  • Activity

  • Deal Registration

  • MDF Budget

  • MDF Claim

  • MDF Request

  • Program Enrollment

Access Group Privileges

Users assigned the ZCA_MANAGE_GROUP_ACCESS_PRIV can create and manage access groups. By default, the Sales Administrator job role and the IT Security Manager job role have this privilege.

You can only add sales resources who are assigned the Resource abstract role to access groups. A group membership duty role, the Access Groups Enablement role, enables users to be added as members of access groups and is assigned to the Resource abstract role. If you use a custom version of the Resource abstract role, assign this duty to your custom role.

How Access Groups Work with Other Security Mechanisms

You use access groups to supplement the data access users receive through their job roles and other security mechanisms. So when you configure users' visibility to data using access groups, keep in mind that if you want only the access path provided by the group membership to take effect, you might also have to remove the access granted to group members by custom or predefined data security policies. If you don't remove these other access paths, users will have the data visibility granted both by the access group and by existing data security policies they're assigned through record ownership or team membership, or through territory management setup.

Access Groups and Functional Privileges

You can use access groups to give users additional permissions at the data security level. You can't use access groups to provide functional security access privileges. Consider the example of a user assigned a job role which provides the functional privilege to view leads, but not the functional privilege to delete them. If you assign the user to an access group that specifies rules that provide delete lead and view lead data access, the user will be able to view leads but without the delete functional privilege, they still won't be able to delete leads.
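The interaction between data access paths and functional privileges described above can be modeled as a small audit helper. This is an added example, not Oracle code: the dictionary layout, the path labels, and the sample user are constructed assumptions.

```python
# Simplified model of the checks described above (not Oracle's implementation).
# A user's data grants come from several access paths; an action is usable only
# if some path grants it at the data level AND the user's job role carries the
# matching functional privilege.

def data_access(grants, obj):
    """Union of the data-level actions that every access path gives on one object."""
    actions = set()
    for grant in grants:
        if grant["object"] == obj:
            actions |= grant["actions"]
    return actions


def effective_access(user, obj):
    """Actions the user can actually perform on the object."""
    functional = {a for (o, a) in user["functional_privileges"] if o == obj}
    return data_access(user["data_grants"], obj) & functional


def ineffective_grants(user):
    """Data grants that have no effect because the functional privilege is missing."""
    found = []
    for grant in user["data_grants"]:
        for action in sorted(grant["actions"]):
            if (grant["object"], action) not in user["functional_privileges"]:
                found.append((grant["path"], grant["object"], action))
    return found


def remaining_paths(user, obj, action, removed_path):
    """Access paths that still give the action after one path is taken away."""
    return sorted(
        g["path"]
        for g in user["data_grants"]
        if g["object"] == obj and action in g["actions"] and g["path"] != removed_path
    )


# Constructed sample user: may view leads but has no functional privilege to
# delete them, and reaches opportunities through two different paths.
USER = {
    "functional_privileges": {
        ("Lead", "view"),
        ("Opportunity", "view"),
        ("Opportunity", "edit"),
    },
    "data_grants": [
        {"path": "access group: Country_Group", "object": "Lead",
         "actions": {"view", "delete"}},
        {"path": "access group: Country_Group", "object": "Opportunity",
         "actions": {"view"}},
        {"path": "data security policy: team membership", "object": "Opportunity",
         "actions": {"view", "edit"}},
    ],
}

if __name__ == "__main__":
    print("Lead:", sorted(effective_access(USER, "Lead")))
    print("No effect:", ineffective_grants(USER))
    print("Still visible via:",
          remaining_paths(USER, "Opportunity", "view", "access group: Country_Group"))
```

The last call shows why removing a user from a group doesn't necessarily remove their visibility: the team membership policy in the sample still grants view access to opportunities.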

Considerations in Deciding When to Use Access Groups

You can extend a user's visibility to sales object data in a number of ways:

  • By creating custom data security policies, assigning the custom policies to custom roles, and then assigning the custom roles to users.

  • By using Territory Management to set up territories and to assign users to territories, then using Assignment Manager to assign territories to object records.

  • By creating access groups and assigning users to the access group.

So what factors should you consider when deciding which option to choose? This topic provides you with some guidelines.

Custom Data Security Policies

In situations where you can use either access groups or custom data security policies to provide users with data permissions, use access groups for these reasons:

  • Access groups provide better performance than custom data security policies.

  • You can search for records assigned to users through their access group membership in Workspace. Records assigned to users through custom data security policies can't be searched in Workspace.

  • Access groups are easier to manage.

Access Groups

Access groups work together with the existing access mechanisms to allow you to provide access to users based on parameters that aren't provided by the standard access framework, such as the user's context (country or sales region for example), the user's resource organization or business unit, or some other attribute. You can also use access groups to assign access based on custom attributes. For example, you can assign all users in a specific business unit to a group and then grant that group read permissions to opportunities.

Territory Management

You can use territory management to manage users' visibility to data, but territory management isn't a security access mechanism. It's a way of assigning sales representatives to sales territories to enable optimal sales coverage. Territory management is used for configuring access primarily to facilitate the selling process by defining boundaries using hierarchical attributes such as products, geographies, industry and so on.

Use territory management functionality to extend visibility to data in these scenarios:

  • If you want to use forecasting or quota management functionality.

  • If the territory hierarchy and territory based reporting and roll-ups are different to the reporting resource hierarchy.

  • If you want to provide users with access based on hierarchical attributes and named accounts.

If you want to provide users with access using a standard mechanism, such as territory or management hierarchy, then use Territory Management. Otherwise, use access groups.

Create and Manage Access Groups

Create an access group to provide selected resource users with additional access to object data. You must be assigned the IT Security Manager job role or the Sales Administrator job role to create and manage access groups.

Note: You can also import access groups and group members. For information, see the topic Import and Export Access Groups and Group Members.

  1. Sign in to the application as the sales administrator or as a setup user.

  2. Select Navigator > Tools > Sales and Service Access Management.

    If you're a Sales Administrator, the Access Groups page in the Sales and Service Access Management work area is displayed.

    If you have the IT Security Manager job role, the Sales and Service Access Management main page is displayed. Click Configure Groups to display the Access Groups page.

    The Access Groups page lists any existing active access groups. You can view all access groups (active and inactive) by selecting All Groups from the List drop-down list. You can also search for an existing group on this page.

  3. Click Create Access Group to display the Create Access Group page.

  4. Enter a name for your group in the Name field.

    You can also optionally enter a description for your group. For example, if you're creating a group to assign access to opportunities by country, you might name the group Country_Group and in the description enter Opportunity assignment by country.

  5. Select a status for the new group. By default, the group status for new groups is inactive. Click the Active check box to activate the group.

  6. Click Save and Continue. The Edit Access Group: Overview page is displayed for the group. On this page you can do any of these tasks:

    • Edit the access group details or delete the access group.

    • Add members to the new group by clicking Add Members or by selecting the Group Membership Rules tab.

    • Create object sharing rules to grant group members access to object records by selecting the Object Sharing Rules tab.

  7. Click Save and Close to save the group.

  8. On the Access Groups page, check that your new group is included in the list of groups.

You can now add members to your new group and define rules to provide group members with access to object records.

Edit Access Groups

After you create an access group, you can edit the group details, including membership and object sharing rules information, at any time.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. Select the access group whose details you want to edit from the groups listed.

    Details relating to the group and its members are listed on the Edit Access Group: Overview subtab.

  3. You can perform these actions from the Overview page:

    • Change the group name or description.

    • Activate or inactivate a group.

      Note: If you inactivate a group, group members lose any data access provided by the group.

    • Add group members by clicking Add Members.

    • Remove all group members who were added to the group manually by clicking Remove Members, or delete individual members from the group by clicking the Remove icon in the member row. Members who were added through group membership rules can't be removed.

    • Delete the group by selecting Delete from the Actions menu.

      For information about deleting groups, see the topic Delete Access Groups.

    • Click the Object Sharing Rules subtab to view any object sharing rules defined for the access group.

      You can edit an existing rule from this subtab by clicking the rule name link, or you can create a new rule by clicking Create Rule. If you select an existing rule to edit, the Access Group: Edit Rule page is displayed where you can edit or delete any of the rule details except for the rule object and rule set. For information on object sharing rules, see the topic Create Rules to Assign Data Permissions to an Access Group.

    • Click the Group Membership Rules subtab to view any group membership rules defined for the access group.

      You can edit an existing rule from this subtab by clicking the rule name link, or you can create a new rule by clicking Create Rule. If you select an existing rule to edit, the Access Group: Edit Group Membership Rule page is displayed where you can edit or delete any of the rule details. For information on group membership rules, see the topic Create Access Group Membership Rules.

  4. When you have finished editing the group details, click Save and Publish, then Save and Close.

    Changes you make to object sharing rules or group membership rules are processed when the Object Sharing Rule Assignment Process or the Access Group Membership Rules Process is next run.

Delete Access Groups

You can delete an access group if you have the Delete Access Group privilege. By default, users assigned the IT Security Manager job role have this privilege. Sales Administrators aren't provided with the Delete Access Group privilege.

Caution: Once you delete a group and its members, you can't reactivate it. The users who were assigned to the group still exist but are no longer associated with the group and group members lose any data access provided by the group.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. Select the access group you want to delete from the groups listed.

    On the Edit Access Group: GroupName page, select Delete Group from the Actions menu.

  3. In the confirmation dialog, click Yes to confirm your choice.

    The group is deleted and is no longer available on the Access Groups page.

Add Members to Access Groups

Options for Assigning Members to Access Groups

You can assign users to an access group when you create the group or you can add members at a later time. You can add group members in any of these ways:

  • Manually add members to a group on the Edit Access Group: Overview page. This option is useful if you only need to add a few users to a group on an ad-hoc basis.

  • Create access group membership rules. Users who meet the conditions specified in the rule are automatically added to a group. Using group membership rules, you can add a large number of users to a group at once and simplify the process of maintaining the group's membership in the future. Users are added or removed from the group automatically depending on whether or not they meet the rule conditions.

  • Assign users to groups using the standard import and export functionality. If you have large numbers of users to assign to one or more access groups on a one-off basis, you can import users and groups.

You can assign a user to one or more access groups and the user will have the data access permissions assigned to each group.

Note: You can only assign users who are assigned the Resource abstract role (ORA_HZ_RESOURCE_ABSTRACT) to groups.

Member Types

Access group members are categorized into member types according to how they're added to an access group:

  • Manual members

    Users who are added to the group manually, either through the UI or through file import

  • Rule members

    Users who are added to the group through rule processing

You can delete access group members on the Edit Access Group: Overview page if they were added to the group manually. Group members added through rule processing can't be manually removed from a group; they're only removed from a group if they no longer meet the rule conditions.

If a user is added to an access group more than once, manually and through group membership rule processing, the user is listed twice on the Edit Access Group: Overview page. You can delete the manual entry for the user but the user remains a group member provided they still satisfy the access group membership rule conditions.

For information about creating access group membership rules, see Create Access Group Membership Rules. For information about importing access groups and members, see the section Import and Export Access Groups and Members later in this chapter.

Add Members to Access Groups Using the UI

You can manually add resource users to an access group at any time using the UI by performing these steps.

  1. Navigate to the Access Groups page:

    • Sales Administrator: Navigator > Tools > Sales and Service Access Management

    • IT Security Manager: Navigator > Tools > Sales and Service Access Management > Configure Groups

  2. On the Access Groups page, select the group you want to add members to.

  3. On the Edit Access Group: Overview page, click Add Members.

    The Add: Group Members page is displayed.

  4. Search for the member you want to add using one of the search fields.

    For example, in the First Name field, enter the first 3 characters of a user's first name and click Search. Or in the Role field, select a resource role to view all users assigned that role.

    If you create a custom field for the Resource object, for example, Country, you can use Application Composer to expose the field so that it's available as a drop-down list on the Add: Group Members UI. You can then search for resources using this field. In this example, you can search for users by country.

  5. Select each of the users you want to add to the group in the Search Results area, then click Apply.

    Note: You can only assign users who are assigned the Resource abstract role (ORA_HZ_RESOURCE_ABSTRACT) to groups.

  6. Search for and select any additional members you want to add to the group and, when you're finished adding members, click OK.

  7. Verify that all the members you added to the group are listed in the Group Members area of the Edit Access Group: Overview page.

  8. If you want to remove a member, click the Remove icon in the member row. To remove all members of the group who were added manually, click Remove All Members.

  9. Click Save and Close to save the group membership details.

    You're now ready to create the rules that will determine the data access permissions your group members will have. For information, see the topic Create Rules to Assign Data Permissions to an Access Group later in this chapter.

You can add resource users to an access group by defining one or more group membership rules. Each rule consists of conditions that determine which resources are added as members of the group. Any users who satisfy the conditions are automatically added to the access group and group members who no longer meet the conditions are automatically removed from the group. You can't remove members added through group membership rule processing using the UI.

Assigning members to groups using rules involves two steps: first you create and publish the membership rules, then you run the Access Group Membership Rules scheduled process to assign the rules.

Create Membership Rules

Here's how you can create a group membership rule to add members to your access group.

  1. On the Access Group page, select the group you're creating the membership rule for.

  2. On the Edit Access Group: Overview page, select the Group Membership Rules tab, then click Create Rule.

  3. On the Access Group: Create Group Membership Rule page, enter a Name for the group membership rule and a Description if required.

  4. In the Conditions section, specify the rule conditions.

    Each rule consists of one or more conditions that are evaluated individually. You can choose whether the rule action applies if any conditions are met, or only if all conditions are met, by choosing the appropriate value from the Rule Applies If drop-down list.

  5. Enter a rule condition by clicking the Add icon, then enter these values for the condition.

    | Field | Description |
    | --- | --- |
    | Object | Resource. Only resource users can be added to an access group so this field is always set to Resource. |
    | Attribute | Select a resource attribute from the drop-down list. Both custom and standard attributes defined for the Resource object are listed. |
    | Operator | Select the operator for your condition. For example, Equals or Is blank. Tip: If an attribute can have multiple values, such as the Roles or Teams attributes, use the Contains operator instead of the Equals operator to make sure that the condition adds all the intended resources to the group. For example, if you create a rule Roles Equals Salesperson, then users who are assigned only the Salesperson role are added to the group. If you create a rule Roles Contains Salesperson, then users assigned the Salesperson role and any other role are also added to the group. |
    | Value | Enter a value for the attribute, if relevant. If you're entering more than one value, separate each value with a comma. |

    Enter as many conditions as needed to suit your specific requirements. For example, if you want to add all resources who are sales representatives based in the Sales Support organization to your group, you could create two conditions with values similar to these.

    | Field | Condition 1 | Condition 2 |
    | --- | --- | --- |
    | Object | Resource | Resource |
    | Attribute | Job Title | Organization |
    | Operator | Equals | Equals |
    | Value | Sales Representative | Sales Support |

  6. From the Actions menu, select Save and Publish to ensure that your changes get included in the assignment processing.

  7. Click Save and Close.

Run the Access Group Membership Rules Process

Start the Run Access Group Membership Rules scheduled process to ensure that the access group membership rules are assigned. Once this process has run, all resources who meet the condition criteria are added to the access group. Here are the steps to run the scheduled process.

  1. In the Navigator, click Tools > Scheduled Processes.

  2. On the Overview page, click Schedule New Process.

  3. In the Schedule New Process window, enter Run Access Group Membership Rules in the Name field.

  4. Select the process and click OK.

  5. On the Process Details page, select the job parameters in the Basic Options region, then click Submit to run the process immediately. You can monitor its progress by searching for the Run Access Group Membership Rules process by name on the Overview page.

    If you want to schedule the process to run at regular intervals, click Advanced on the Process Details page, then select the Schedule subtab in the Advanced Options region and enter your scheduling details. You can then click Submit to run the job according to your schedule.

    Tip: It's best practice to schedule the process to run every 24 hours for all records updated in the previous 24 hours. But if you edit the rule, it's also a good idea to run the process manually straight away.

  6. When the process completes, navigate to the Edit Access Group: Overview page where you can see that all the resources who meet the rule conditions are added to the group. Notice that the Member Type field is set to Rule for all the new members.

    When the Run Access Group Membership Rules process is next run, members are added to or removed from the group according to whether or not they satisfy the rule conditions.

You can edit a group membership rule at any time by selecting the rule from the Edit Access Group: Group Membership Rules page. You can also delete or inactivate the rule. If you delete or inactivate a rule, any users added to the group through the rule are removed when the Run Access Group Membership Rules scheduled process is next run.
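To check a membership rule before publishing it, you can model the conditions offline. The following Python model is an added example, not Oracle code: it reproduces the Equals versus Contains behavior from the Tip, the Rule Applies If setting, and the way a processing run rebuilds Rule members while leaving Manual members in place. The operator semantics for comma-separated values, the party numbers, and the sample resources are assumptions.

```python
# Simplified model of access group membership rules. Operator semantics are
# assumptions drawn from the Tip above, not Oracle's implementation.

def _values(raw):
    """Return an attribute as a set; multi-valued attributes are given as lists."""
    if raw is None or raw == "":
        return set()
    return set(raw) if isinstance(raw, (list, tuple, set)) else {raw}


def condition_met(resource, condition):
    """Evaluate one (attribute, operator, value) condition against a resource."""
    attribute, operator, value = condition
    actual = _values(resource.get(attribute))
    wanted = {v.strip() for v in (value or "").split(",") if v.strip()}
    if operator == "Is blank":
        return not actual
    if operator == "Equals":
        # The whole attribute must be one of the listed values, so a resource
        # holding Salesperson plus another role does not match.
        return len(actual) == 1 and actual <= wanted
    if operator == "Contains":
        # Any one of the resource's values may match.
        return bool(actual & wanted)
    raise ValueError(f"unsupported operator: {operator}")


def rule_matches(resource, rule):
    """Apply the rule's Rule Applies If setting ("any" or "all") to its conditions."""
    if not rule.get("active", True) or not rule["conditions"]:
        return False
    results = [condition_met(resource, c) for c in rule["conditions"]]
    return all(results) if rule["applies_if"] == "all" else any(results)


def matching(resources, rule):
    """Party numbers of the resources that satisfy the rule."""
    return sorted(pn for pn, res in resources.items() if rule_matches(res, rule))


def run_membership_rules(entries, resources, rules):
    """One processing run over (party_number, member_type) entries.

    Manual entries are left alone; Rule entries are rebuilt from the current
    resource data, so they appear and disappear with the rule conditions.
    """
    manual = {e for e in entries if e[1] == "Manual"}
    by_rule = {(pn, "Rule") for rule in rules for pn in matching(resources, rule)}
    return manual | by_rule


# Constructed sample resources keyed by made-up party numbers.
RESOURCES = {
    "PN-1001": {"Job Title": "Sales Representative", "Organization": "Sales Support",
                "Roles": ["Salesperson"]},
    "PN-1002": {"Job Title": "Sales Representative", "Organization": "Sales Support",
                "Roles": ["Salesperson", "Sales Manager"]},
    "PN-1003": {"Job Title": "Sales Representative", "Organization": "Field Sales",
                "Roles": ["Salesperson"]},
}
ROLES_EQUALS = {"applies_if": "all", "conditions": [("Roles", "Equals", "Salesperson")]}
ROLES_CONTAINS = {"applies_if": "all", "conditions": [("Roles", "Contains", "Salesperson")]}
SUPPORT_REPS = {"applies_if": "all", "conditions": [
    ("Job Title", "Equals", "Sales Representative"),
    ("Organization", "Equals", "Sales Support"),
]}

if __name__ == "__main__":
    print("Roles Equals Salesperson:  ", matching(RESOURCES, ROLES_EQUALS))
    print("Roles Contains Salesperson:", matching(RESOURCES, ROLES_CONTAINS))
    members = run_membership_rules({("PN-1003", "Manual")}, RESOURCES, [SUPPORT_REPS])
    print("After first run:", sorted(members))
```

Comparing the Equals and Contains results for the same data shows which resources a rule would silently leave out of the group.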

Import and Export Access Groups and Members

Overview of Importing and Exporting Access Groups and Members

Use the standard export and import framework to export and import access groups and access group members. You can't import object sharing rules; you must create these individually in the Manage Object Sharing Rules UI.

For example, if there are thousands of sales representatives in your organization and you want to assign them to a group, you could search for all users who are assigned the Sales Representative role and export this list of users to a CSV file. After reviewing or editing the file, you could then import the updated CSV file and specify the name of the group the users are to be assigned to when you import the file.

For additional information about importing data, see the File-Based Data Import for CX Sales and B2B Service guide and the Understanding File-Based Data Import and Export for CX Sales and B2B Service guide on Oracle Help Center.

Import User Groups and Group Members

You can import users and user groups into your sales environment rather than performing these tasks manually in the UI. To import access groups and group members, create two import files, one for each of the following objects:

  • Access Groups

  • Access Group Members

Import the access groups first, then the group members.

Import Access Groups

  1. Create a CSV file containing the list of the access groups you want to import.

    Create columns to specify these values for each group you import:

    • A name for the group (Name)

    • A number for the group (AccessGroupNumber)

    You can optionally enter a group description (Description) and a column to indicate if the group is active or not (ActiveFlag).

  2. Navigate to the Manage Imports page (Tools > Import Management), then click Create Import Activity.

  3. Assign a name to the import in the Name field.

  4. In the Object field, select Access Groups.

  5. In the File Name field, select the CSV file you created in step 1, then click Next.

  6. On the Create Import Activity: Map Fields page, review the field mappings, then click Next.

  7. On the Create Import Activity: Review and Submit page, click Submit.

Import Access Group Members

  1. Create a CSV file containing the list of access group members you want to import.

    For each group member, create columns to specify these values:

    • PartyNumber column. This is the user's resource registry ID. This value is available on the Add: Group Members UI in the Sales and Service Access Management work area.

    • AccessGroupNumber column. The number of the group you want to assign the user to. This number must match the number of one of the groups you previously imported.

  2. Navigate to the Manage Imports page (Tools > Import Management), then click Create Import Activity.

  3. Assign a name to the import in the Name field.

  4. In the Object field, select Access Group Members.

  5. In the File Name field, select the CSV file you created in step 1, then click Next.

  6. On the Create Import Activity: Map Fields page, review the field mappings, then click Next.

  7. On the Create Import Activity: Review and Submit page, click Submit.

Navigate to the Access Groups page and verify that you can see the access groups you imported and that they're assigned the correct members. Notice that imported users are listed in the Member Type column as Manual users because they weren't added to the group through group membership rule processing.
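Because imported members receive the group's data access as soon as the import completes, it's worth checking both files before you submit them. The following Python script is an added example, not an Oracle tool: it checks the columns named in the steps above, flags member rows whose AccessGroupNumber matches no group, and summarizes who would join each group. The sample group numbers and party numbers are constructed, and the existing_group_numbers parameter is a hypothetical way to account for groups that are already in the environment.

```python
import csv
import io

GROUP_COLUMNS = ("Name", "AccessGroupNumber")          # required per the steps above
MEMBER_COLUMNS = ("PartyNumber", "AccessGroupNumber")  # required per the steps above


def _rows(text, required, label, errors):
    """Yield (line_number, row) for usable rows; record problems in errors."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in required if c not in header]
    errors.extend(f"{label}: missing column {c}" for c in missing)
    if missing:
        return
    for raw in reader:
        line_no = reader.line_num
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k}
        blank = [c for c in required if not row.get(c)]
        if blank:
            errors.extend(f"{label} line {line_no}: {c} is blank" for c in blank)
            continue
        yield line_no, row


def validate_import(groups_csv, members_csv, existing_group_numbers=()):
    """Return a list of problems found in the two import files."""
    errors = []
    in_file = set()
    for line_no, row in _rows(groups_csv, GROUP_COLUMNS, "groups", errors):
        number = row["AccessGroupNumber"]
        if number in in_file:
            errors.append(f"groups line {line_no}: duplicate AccessGroupNumber {number}")
        in_file.add(number)
    known = in_file | set(existing_group_numbers)
    seen = set()
    for line_no, row in _rows(members_csv, MEMBER_COLUMNS, "members", errors):
        party, number = row["PartyNumber"], row["AccessGroupNumber"]
        if number not in known:
            errors.append(
                f"members line {line_no}: AccessGroupNumber {number} matches no imported group")
        elif (party, number) in seen:
            errors.append(f"members line {line_no}: duplicate membership {party} -> {number}")
        seen.add((party, number))
    return errors


def membership_summary(members_csv):
    """Map each AccessGroupNumber to the party numbers the file would add to it."""
    summary = {}
    for _, row in _rows(members_csv, MEMBER_COLUMNS, "members", []):
        summary.setdefault(row["AccessGroupNumber"], set()).add(row["PartyNumber"])
    return {number: sorted(parties) for number, parties in summary.items()}


# Constructed sample files with deliberate mistakes.
GROUPS_CSV = """
Name,AccessGroupNumber,Description
Country_Group,AG-1001,Opportunity assignment by country
France_Admin_Group,AG-1002,
Second_Admin_Group,AG-1002,
"""
MEMBERS_CSV = """
PartyNumber,AccessGroupNumber
PN-1001,AG-1001
PN-1002,AG-1009
,AG-1001
PN-1001,AG-1001
"""

if __name__ == "__main__":
    for problem in validate_import(GROUPS_CSV, MEMBERS_CSV):
        print(problem)
    print(membership_summary(MEMBERS_CSV))
```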

Export User Groups and Group Members

You can export users and user groups from your sales environment into a CSV file and then use this file to import the user groups and group members into another environment. You can export either access groups or access group members or both.

  1. Create an Export Activity to export access groups or members by navigating to the Manage Exports page (Tools > Export Management) and clicking Create Export Activity.

  2. On the Create Export Activity: Enter Export Options page, select a name for the export job in the Name field.

  3. Select either Access Group or Access Group Members in the Object field.

  4. In the Advanced Options region, select Language Independent Header, then click Next.

  5. In the Create Export Activity: Map Fields page, select the fields to map. You must select mapping values for both access groups and access group members.

  6. In the Export Objects area, select the objects you want to export. You can select either Access Group or Access Group Members or both objects.

  7. In the Category Attributes area, select the fields you want to map for the selected object. For example, for the Access Group object, you might select these fields:

    • Number

    • Name

    • Description

    • Active

  8. Click Next.

  9. On the Filter Name page, select the attribute you want to use to filter the access groups that are exported and enter SQL to identify the specific groups or members. You can filter access groups by either name or number. For example, to filter the groups by name, enter values similar to the following:

    • In the Attribute Name column, select GroupName.

    • In the Script Edit area, enter the SQL to identify the access group to export, for example, GroupName='France_Admin_Group'.

      If you want to export all access group members with a specific member, then you can specify an SQL filter on the access group member in the Script Edit area, for example, ResourceEmail='[email address]'

  10. Click Save and Close.

  11. On the Create Export Activity: Review and Submit page, click Submit.

  12. On the Manage Exports page, review the export job and when it completes, verify that the file contains all the information you exported.

Manage Object Sharing Rules for Access Groups

Once you have created an access group you can create rules in Assignment Manager to provide the group with access to an object's records. In these rules, you specify the type of access to be provided and the conditions under which the access is provided. You can define rules for both standard and custom objects.

You create assignment rules by defining rule sets, rules, and conditions and when complete, assign the rule or rules to the access groups that you want. You then publish the rule set and rules to Assignment Manager. Finally, you run the Perform Object Sharing Rule Assignment Processing task to enable the resources in the associated access group to have access to the object data records.

Here are the steps to create object sharing rules.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. On the Access Groups page, click Manage Object Sharing Rules to navigate to the Manage Object Sharing Rules page where you can either create a rule or modify an existing rule that you want to share with the access group.

  3. To make sure that any custom attributes or objects created in Application Composer that are enabled for access groups are available on this UI, click Synchronize Configuration.

    For more information about using custom objects with access groups, see the topic Enable Access Group Security for Custom Objects.

  4. In the Rule Sets area, select the object you want to provide access to in the Object field. For example, select Opportunity. For a list of objects supported with access groups, see the topic Overview of Access Groups.

    Any existing rule sets for the object are displayed. A rule set groups a number of related rules for an object and determines the additional processing performed. You can add a new rule to an existing rule set or modify an existing rule, or you can create a new rule set.

  5. To create a new rule set, select Add Row from the Actions menu, then enter a name and description for the rule set.

  6. In the Rules area, click Create from the Actions menu.

  7. On the Create Rule page, enter a name and description for your new rule.

  8. In the Conditions section, specify the rule conditions.

    Each rule consists of one or more conditions that are evaluated individually by Assignment Manager. You can choose whether the rule action applies if any conditions are met or only if all conditions are met by choosing the appropriate value from the Rule Applies If drop-down list.

  9. Enter your first condition. For example, if you want to give group members read access to all opportunities associated with their home country, you could create a rule with values similar to these:

    | Field | Value |
    | --- | --- |
    | Object | Opportunity |
    | Attribute | Country (this is a custom field for the Opportunity object) |
    | Operator | Equals |
    | Value | UK |

    Note: By default, not all of the standard attributes for an object are displayed on the Access Groups Create Rule or Edit Rule UIs. To make additional standard attributes available for an object, follow the steps in the topic Enable Additional Attributes for Access Group Object Sharing Rules.

  10. Next, in the Action: Assign Access Group section, click Select and Add from the Actions menu.

  11. Search for the access group you want to share this rule with and click Apply and then Done.

    Note: You can assign this rule to multiple access groups.

  12. In the Access Level field, select the type of object access you want to give group members, for example, Read, Update, or Delete access.

  13. Click Save and Close.

  14. Publish the new rule to ensure that your changes get included in the assignment processing by clicking Save and Publish, then click OK.

  15. When the status indicator shows the publish process has completed, click Save and Close, then Close.

  16. Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules for each object are assigned properly. It's a good idea to schedule this process to run frequently.

    You might want to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object. See the topic Run the Perform Object Sharing Rule Assignment Process for more information.

You can edit, delete or inactivate object sharing rules at any time from either the Manage Object Sharing Rules page or from the Edit Access Group: Object Sharing Rules subtab. Any changes you make are applied when the Perform Object Sharing Rule Assignment Process scheduled process is next run.

Note: If you delete a rule from the Edit Access Group: Object Sharing Rules subtab, the rule is deleted only for the group you're editing, not for any other groups that the rule is associated with. The entire rule is deleted only if it isn't associated with any other group.
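The Rule Applies If choice in the steps above changes how many records a rule shares, which is worth checking before you publish. The following added example is not Oracle's code or Assignment Manager's logic; it is a small model of the any/all choice and of access accumulating across a user's groups. The sample records, the Status attribute, the group name UK, and all class and function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str  # only "Equals", the operator shown on the page, is modelled
    value: str

    def matches(self, record):
        if self.operator != "Equals":
            raise ValueError(f"operator not modelled: {self.operator}")
        return record.get(self.attribute) == self.value

@dataclass(frozen=True)
class Rule:
    applies_if: str      # "any" or "all", mirroring the Rule Applies If list
    conditions: tuple    # one or more Condition objects
    groups: tuple        # access groups the rule is assigned to
    access_level: str    # for example "Read", "Update" or "Delete"

    def applies(self, record):
        # An empty condition list under "all" would match every record, so reject it.
        if not self.conditions or self.applies_if not in ("any", "all"):
            raise ValueError("rule needs conditions and applies_if of any/all")
        hits = [c.matches(record) for c in self.conditions]
        return any(hits) if self.applies_if == "any" else all(hits)

def effective_access(user_groups, rules, records):
    """Map record id -> set of access levels the user gets via group membership."""
    access = {}
    for record in records:
        for rule in rules:
            if set(rule.groups) & set(user_groups) and rule.applies(record):
                access.setdefault(record["id"], set()).add(rule.access_level)
    return access

# Constructed sample opportunities; Country is the custom field from the example.
OPPORTUNITIES = [
    {"id": "OPP-1", "Country": "UK", "Status": "Open"},
    {"id": "OPP-2", "Country": "UK", "Status": "Closed"},
    {"id": "OPP-3", "Country": "FR", "Status": "Open"},
    {"id": "OPP-4", "Country": "FR", "Status": "Closed"},
]
CONDITIONS = (Condition("Country", "Equals", "UK"), Condition("Status", "Equals", "Open"))

def shared_ids(applies_if):
    """Record ids a member of the hypothetical 'UK' group can read under the rule."""
    rule = Rule(applies_if, CONDITIONS, ("UK",), "Read")
    return sorted(effective_access({"UK"}, [rule], OPPORTUNITIES))

if __name__ == "__main__":
    print("all:", shared_ids("all"))
    print("any:", shared_ids("any"))
```

With the same two conditions, "all" shares one record and "any" shares three, so compare the modelled result with a single-record run of the assignment process before processing every record.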

Run the Perform Object Sharing Rule Assignment Process

Run the Perform Object Sharing Rule Assignment process to assign access group object sharing rules to assignment objects each time you add an access group and share rules. You can also run the Object Sharing Assignment Job Set to assign a batch of access group object sharing rules for all the available assignment objects. A job set contains multiple jobs. The job is the executable that controls what the process can do and what parameters and other options are available to you to run the process. You can schedule these jobs to run regularly to ensure that all access group object sharing rules are assigned properly.

Perform Object Sharing Rule Assignment Processing

Here's how to run the Perform Object Sharing Rule Assignment job for the account object:

  1. In the Navigator, click Tools > Scheduled Processes.

  2. On the Overview page, click Schedule New Process.

  3. In the Schedule New Process window, enter Perform Object Sharing Rule Assignment Processing in the Name field and press Return.

  4. Select the process and click OK.

    Here's a screenshot of the Process Details page.

    [Screenshot: Process Details page for the Perform Object Sharing Rule Assignment Processing job]

  5. On the Process Details page, enter these details:

    Field             Entry
    Work Object       Select the work object you want from the drop-down list.
    Record Selection  You can run the assignment process on a subset of records. Select from the following list:

    • All records

      Note: You might want to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object.

      Enter a record selection value for these options:

    • Records updated in last 'X' days

    • Records updated in last 'X' hours

    • Records updated between dates

    • Single record

  6. The first time you run the process, click Submit to run it immediately.

Depending on your settings, your process runs immediately or at the intervals you specified. You can monitor its progress by searching for the Perform Object Sharing Rule Assignment Processing process by name on the Overview page.

Run the Object Sharing Assignment Job Set

Here's an example of the steps to run the Object Sharing Assignment Job Set for your access groups.

  1. Navigate to the Setup and Maintenance area, and search for the Manage Enterprise Scheduler Job Definitions and Job Sets for Customer Relationship Management and Related Applications task.

  2. Click the Manage Job Sets tab and create a job set with the following parameters:

    Parameter     Entry
    Name          (Required) For example: ObjectSharingAssignmentEssJobSet
    Display Name  (Required) For example: Object Sharing Assignment ESS Job Set
    Description   (Optional) Enter text to describe the job set
    Package       (Optional) Enter the custom path

  3. In the Job Set Steps section, select Parallel and click the plus (+) icon to display the Edit Step window.

  4. Enter 1 or any unique number in the Step ID field.

  5. Enter ObjectShareBatchAssignRequest in the Job field and click OK.

  6. Repeat Steps 4, 5, and 6 based on the number of jobs you want to trigger in parallel. For example, if you want to run Perform Object Sharing Assignment in parallel for two objects, Account and Opportunity, then create two Job Set Steps.

  7. Next, click the System Properties tab from the Edit Step window.

  8. Click the plus (+) icon to display the Add System Property window and enter the following:

    • Name: SYS_effectiveApplication

    • Type: String

    • Initial Value: CrmEss

  9. Click OK.

  10. Click Save and Close, and then Done.

    The newly created ESS Job Set is now listed in the ESS UI.

  11. In the Navigator, click Tools > Scheduled Processes.

  12. On the Overview page, click Schedule New Process.

  13. In the Schedule New Process window, select Job Set and search and select the newly created ESS Job Set by display name.

  14. Click each newly created job set and add the parameters accordingly.

  15. The first time you run the job set process, click Submit to run it immediately.

Depending on your settings, your process runs immediately or at the intervals you specified. You can monitor its progress by searching for the job set process by name on the Overview page.

You can also set up the process to run regularly per your business requirements as follows:

  1. Click Advanced.

  2. Click the Schedule tab.

  3. Select the Using a schedule option.

  4. Select the frequency and start date.

  5. Enter an end date far in the future.

  6. Click Submit.

Enable Access Group Security for Custom Objects

You can use access groups to provide resources with access to custom object data. To do this, you must first enable access group security for each custom object.

To enable access group security for custom objects, complete these steps:

  1. Navigate to Application Composer and confirm that you're in an active sandbox.

  2. Navigate to the Security node of the custom object that you want to enable access group security for.

  3. On the Define Policies page, select the Enable Access Group Security check box.

  4. Next, enable that custom object for access group object sharing rules. You do this in Assignment Manager.

    On the Manage Object Sharing Rules page, click the Synchronize Configuration button to register that custom object and its attributes with Assignment Manager. The custom object and its attributes are now available when defining object sharing rules for access groups.

  5. In Application Composer, set functional security for required roles.

    Navigate to the custom object's Security node, and configure functional security in the Roles section of the Define Policies page. This step isn't related to access group security (data security), but it's a required step so that the right roles can see the custom object's user interface pages (functional security).

After you enable access group security for a custom object, you work with it just like a standard object. Create your object sharing rules for access groups, and all group members are given access to that custom object's data according to the rules.

Tip: When configuring data security, you can optionally configure owner security instead of access group security. With owner security, for example, you can provide create and read access to all users, update access to the record's owner and owner management chain, and delete access to only the owner. You configure owner security in the Roles section of the Define Policies page.

If you configure both owner and access group security, then your users will see data from both their owner management chain as well as from access groups that they're members of.

Disabling Access Group Security for a Custom Object

You can disable access group security for a custom object, too.

In Assignment Manager, complete these steps:

  1. Inactivate the assignment rules for the custom object.

  2. Run the Perform Object Sharing Rule Processing process for the custom object.

  3. Cancel all future object sharing scheduled processes for the object.

Next, go to Application Composer:

  1. Navigate back to the object's Security node in an active sandbox.

  2. Confirm that the Enable Access Group Security check box isn't selected and that its data security policy is configured properly for each role.

  3. Publish the sandbox.

Finally, back in Assignment Manager, click the Synchronize Configuration button on the Manage Object Sharing Rules page. This hides the custom object and its rules.

Enable Additional Attributes for Access Group Object Sharing Rules

Use the Manage Object Sharing Assignment Objects task to add additional attributes and make them available for your selected rules when you create or edit a standard object sharing rule. You create object sharing rules to associate with access groups, and if the attribute value that you want isn't available from the rule conditions drop-down list, you can enable the attributes you want here.

Once you set up the rules with the conditions that records must meet, then resources from your access groups get assigned to the object when they match the rule conditions.

Note: This procedure isn't needed for any custom objects. It's needed only if you want to expose additional attributes for one of your standard objects. Custom objects and attributes created in Application Composer are synchronized and available when you click Synchronize Configuration from the Manage Object Sharing Rules page.

Here's an example of the steps to enable an Opportunity object rule attribute for your access group.

  1. Navigate to the Setup and Maintenance area, and search for the Manage Object Sharing Assignment Objects task.

  2. On the Manage Object Sharing Assignment Objects page, select the Opportunity work object.

  3. In the Opportunity: Details section, select the Attributes tab.

    The attributes defined for the selected Opportunity object are displayed.

  4. Click the attribute that you want to add to an Opportunity record rule that you want to share.

    For example, if you want to provide the access group called High_Tech_Oppti_Members with access to all the opportunities for the GreenServer account based on the Asset ID, then enable the attribute Asset ID to include in your combination of attributes for the sharing rule.

  5. Click Save and Close.

Once the additional attributes are enabled, set up the rules using the Manage Object Sharing Assignment Rules page. See the topic Manage Object Sharing Rules for Access Groups for more information.

Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules are assigned properly. See the topic Run the Perform Object Sharing Rule Assignment Process for more information.

Assign Group Access By Country

If you want to provide a group of users with access to data on the basis of the user's context, such as their business unit, country or region, then access groups are the best way of doing this.

This topic gives an example of the high-level steps to follow to assign access to sales objects (Accounts, Contacts, Opportunities, Partners and Leads) to groups of resource users on the basis of the user's home country. You can use a similar process to assign a group with data access using a custom attribute, or some other attribute such as resource organization.

These are the steps to provide users with access to sales records on the basis of the user's country.

  1. Create a custom attribute, Country, for each sales object and make the attribute available as a custom field on the sales object UI.

    When creating or editing an object record, such as an opportunity, the user can then select the country associated with the record from the custom Country field on the UI.

  2. Create a custom attribute, Country, for the Resource object to represent a user's country and make the attribute available as a custom field on the Resource object UI.

    When creating users, you can then select the country the user is associated with from the Country field on the UI.

  3. On the Access Groups page of the Sales and Service Access Management work area, create an access group for each country and add existing members to each country group. As new users join your organization, make sure you add them to a country group.

    You can add members to each country-based access group manually on the Access Groups UI. Or use these steps to add members to access groups using the export and import functionality:

    1. Use the resource export functionality to generate a list of sales resources and filter the generated export file based on the Country field.

    2. Import country groups and members:

      • Create an import file similar to the following for each country-based access group.

        ACCESS_GROUP_NUMBER  NAME           DESCRIPTION                        ACTIVE_FLAG
        3788493471           GERMAN REGION  Access group for users in Germany  Y
        3788493472           UK             Access group for users in UK       Y
        3788493473           FRANCE         Access group for users in France   Y

      • Create an import file of resources similar to the following to add members to each group.

        ACCESS GROUP NUMBER  GROUP_NAME     PARTY_NUMBER  RESOURCE_EMAIL_ADDRESS   PARTY_NAME
        3788493471           GERMAN REGION  2793920203    tom.jones@example.com    Tom Jones
        3788493471           GERMAN REGION  2793920204    lisa.jones@example.com   Lisa Jones
        3788493471           GERMAN REGION  2793920205    matt.hooper@example.com  Matt Hooper
        3788493471           GERMAN REGION  2793920206    jane.smith@example.com   Jane Smith

  4. On the Access Groups page, click Manage Object Sharing Rules.

  5. To make the Country attribute visible and available for selection on the Manage Object Sharing Rules page, click Synchronize Configuration.

  6. When the value of the Last Synchronized field indicates that the synchronize process is finished, create a rule set for each object and within each rule set, create an individual rule for each country to specify the condition when the rule applies.

  7. In the Conditions region of the Create Rule page, in the Attribute field, select the Country attribute as the value used to assign object records.

  8. Assign the rule to the relevant access group for the country and select the level of object access to be provided. For example, select Read or Update access.

  9. Click Save and Publish to save the rule set and then run the Perform Object Sharing Rule Assignment Processing process to ensure that the access group sharing rules for each object are assigned properly.

    It's a good idea to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object.

For additional information about creating custom attributes and making them visible on a UI, see the Configuring Applications Using Application Composer guide. For additional information about importing and exporting data, see the Understanding File-Based Data Import and Export for CX Sales and B2B Service guide.
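Because a wrong row in the member import file grants a user another country's records, the file can be cross-checked against the group file and the resource export before it is imported. This added example is not part of the Oracle guide: it assumes comma-separated files, a hypothetical two-column resource export with a COUNTRY column, and an administrator-maintained mapping from access group number to country. The rows are constructed from the sample values above, with one user's country changed and one extra membership row added to trigger findings.

```python
import csv
import io
from collections import defaultdict

# Constructed sample files (CSV assumed); values follow the page's examples.
GROUPS = """ACCESS_GROUP_NUMBER,NAME,DESCRIPTION,ACTIVE_FLAG
3788493471,GERMAN REGION,Access group for users in Germany,Y
3788493472,UK,Access group for users in UK,Y
3788493473,FRANCE,Access group for users in France,Y"""
MEMBERS = """ACCESS GROUP NUMBER,GROUP_NAME,PARTY_NUMBER,RESOURCE_EMAIL_ADDRESS,PARTY_NAME
3788493471,GERMAN REGION,2793920203,tom.jones@example.com,Tom Jones
3788493471,GERMAN REGION,2793920204,lisa.jones@example.com,Lisa Jones
3788493471,GERMAN REGION,2793920205,matt.hooper@example.com,Matt Hooper
3788493472,UK,2793920206,jane.smith@example.com,Jane Smith
3788493471,GERMAN REGION,2793920206,jane.smith@example.com,Jane Smith"""
# Hypothetical resource export reduced to two columns; COUNTRY is the custom field.
RESOURCES = """PARTY_NUMBER,COUNTRY
2793920203,Germany
2793920204,Germany
2793920205,UK
2793920206,Germany"""
# Administrator-maintained mapping of group number to expected country (assumption).
GROUP_COUNTRY = {"3788493471": "Germany", "3788493472": "UK", "3788493473": "France"}

def rows(text):
    """Parse CSV text; spaces in header names are normalised to underscores."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [{k.strip().replace(" ", "_"): (v or "").strip()
             for k, v in row.items() if k} for row in reader]

def check_member_import(groups_csv, members_csv, resources_csv, group_country):
    """Return sorted (party_number, problem) findings for the member import file."""
    groups = {g["ACCESS_GROUP_NUMBER"]: g for g in rows(groups_csv)}
    country_of = {r["PARTY_NUMBER"]: r["COUNTRY"] for r in rows(resources_csv)}
    findings, memberships = [], defaultdict(set)
    for m in rows(members_csv):
        num, party = m["ACCESS_GROUP_NUMBER"], m["PARTY_NUMBER"]
        group = groups.get(num)
        if group is None:
            findings.append((party, f"unknown access group {num}"))
            continue
        if group["NAME"] != m["GROUP_NAME"]:
            findings.append((party, f"group name mismatch for {num}"))
        if group["ACTIVE_FLAG"] != "Y":
            findings.append((party, f"access group {num} is not active"))
        country = country_of.get(party, "<not in export>")
        if country != group_country.get(num):
            findings.append((party, f"country {country} does not match group {num}"))
        memberships[party].add(num)
    for party, nums in memberships.items():
        if len(nums) > 1:
            findings.append((party, "member of more than one country group"))
    return sorted(findings)
```

Calling `check_member_import(GROUPS, MEMBERS, RESOURCES, GROUP_COUNTRY)` returns an empty list when every row is consistent; any finding is a row to correct before the import.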