20 Access Groups

Use access groups to provide sales resources with additional access to sales object data. Access groups are an alternative way of granting data permissions to users, and they use a different access path to that provided by the predefined data security policies.

An access group uses the access control list model. You create an access group, assign users to the access group and all group members are given access to standard or custom object data. You define object sharing rules which provide users with access to the specific records of an object. These rules specify the type of access to an object to be provided and the conditions under which the access is provided. For example, users might be granted access to:

  • All opportunities with a status of Open

  • All accounts where country is set to UK

You can also define the type of data access provided, for example, Full access or Read access.

A user can be assigned to one or more access groups and will have the access assigned to each group. So if Lisa Jones is assigned to Access Group A, which provides access to opportunities, and Access Group B, which provides access to Accounts, she receives the access provided by both groups. You can also use one access group to assign access to multiple objects.

Objects Supported for Access Groups

You can create access groups to provide data access to these objects:

  • Account

  • Activity

  • Activity Assignee

  • Asset

  • Business Plan (includes Sales Objective)

  • Campaign

  • Contact

  • Contests

  • Custom objects

  • Deal Registration

  • Duplicate Identification Batch

  • Duplicate Resolution Request

  • Forecast Territory Details

  • Goals

  • Goal Participants

  • Household

  • MDF Budget

  • MDF Claim

  • MDF Request

  • Note

  • Opportunity

  • Partner

  • Program Enrollments

  • Quote and Order

  • Resource

  • Sales Lead

  • Sales Quota Plan

  • Sales Resource Quota

  • Sales Territory

  • Sales Territory Proposal

  • Service Request

Note: When you provide users with access to the records of a top-level object using access groups, users automatically receive the same access to the records of any child objects.

Access Group Privileges

Users assigned the Manage Group Access privilege (ZCA_MANAGE_GROUP_ACCESS_PRIV) can create and manage access groups. By default, the Sales Administrator job role and the IT Security Manager job role have this privilege. If you use custom versions of these roles, assign this privilege to your custom roles.

Resource users must be assigned a duty role, the Access Groups Enablement role, to be added as members of access groups. By default, users assigned any of these roles have this privilege:

  • Resource abstract role

  • Partner Sales Representative job role

  • Partner Sales Manager job role

  • Partner Administrator job role

If you use custom versions of these roles, assign the Access Groups Enablement duty to your custom roles.

Caution: Don't make any changes to the predefined data security policies assigned to the Access Groups Enablement duty role. Changing or deleting these data security policies prevents the access groups functionality from working correctly.

How Access Groups Work with Other Security Mechanisms

You use access groups to supplement the data access users receive through their job roles and other security mechanisms. So when you configure users' visibility to data using access groups, keep in mind that if you want only the access path provided by the group membership to take effect, you might also have to remove the access granted to group members by custom or predefined data security policies. If you don't remove these other access paths, users will have the data visibility granted both by the access group and by the existing data security policies they're assigned through record ownership, team membership, or territory management setup.

Example of How Access Groups Interact with Other Security Mechanisms

The following example illustrates how the different security mechanisms work together.

Let's say Lisa Jones, who's assigned the Sales Representative job role, requires access to all opportunities in Germany for a specific project. Currently, Lisa can only access a subset of German opportunities through her team and territory membership. Lisa's manager, Mateo Lopez, doesn't need access to the additional opportunities in Germany.

To provide Lisa with the additional access she needs, do the following:

  1. Create an access group and add Lisa Jones as a member of the group. Don't add Mateo Lopez to the group.

  2. Create an object sharing rule for the access group that includes a condition similar to the following:

    Access all opportunities where country = Germany

Lisa can now access all opportunities in Germany. What opportunities can Mateo now access? Mateo Lopez isn't a member of the access group, and access groups don't provide access through the resource hierarchy by default, so Mateo can't access the additional opportunities in Germany through Lisa's access group membership.

Lisa's manager can only access opportunities through the resource or territory hierarchy where Lisa is on the sales team, the account team, or the territory associated with the opportunity.

  • If Lisa isn't on the team or territory of the opportunities that she gets access to through her access group membership (all opportunities in Germany), then Mateo still can't access those opportunities.

  • If Lisa is on the team or territory of some of the opportunities in Germany, then both Mateo and Lisa have access to that subset of opportunities through the standard security mechanisms, regardless of Lisa's access group membership.

Access Groups and Functional Privileges

You can use access groups to give users additional permissions at the data security level. You can't use access groups to provide functional security access privileges. Consider the example of a user assigned a job role which provides the functional privilege to view leads, but not the functional privilege to delete them. If you assign the user to an access group that specifies rules that provide delete lead and view lead data access, the user will be able to view leads but without the delete functional privilege, they still won't be able to delete leads.
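The interaction described in the last two sections, modelled as an added example (this is not Oracle's code or the product's implementation). The record fields, action names, the access level assumed for team membership, and every function name are assumptions made for the model; the sample records are constructed.

```python
"""Toy model of the access paths described above (not Oracle's implementation).

Assumptions: records are dicts, a sharing rule is (object, access level,
condition), and standard access comes from team membership, which a manager
inherits through the resource hierarchy.
"""
from dataclasses import dataclass
from typing import Callable

# Only the two access levels needed here; the action names are assumed.
LEVEL_ACTIONS = {"Read": {"view"}, "Full": {"view", "update", "delete"}}


@dataclass
class SharingRule:
    obj: str
    level: str
    condition: Callable[[dict], bool]


@dataclass
class AccessGroup:
    name: str
    members: set
    rules: list
    active: bool = True


def group_actions(user, obj, record, groups):
    """Data access granted through access group membership only."""
    granted = set()
    for group in groups:
        if not group.active or user not in group.members:
            continue
        for rule in group.rules:
            if rule.obj == obj and rule.condition(record):
                granted |= LEVEL_ACTIONS[rule.level]
    return granted


def standard_actions(user, record, reports):
    """Data access from team membership, inherited by the member's manager."""
    team = set(record.get("team", ()))
    if user in team or team & reports.get(user, set()):
        return {"view", "update"}  # assumed level for team access
    return set()


def effective_actions(user, obj, record, groups, reports, functional):
    """Union of all data access paths, then gated by functional privileges."""
    data = group_actions(user, obj, record, groups) | standard_actions(user, record, reports)
    return data & functional.get(user, {}).get(obj, set())


def visible(user, obj, records, groups, reports, functional):
    """IDs of the records the user can view through any access path."""
    return [r["id"] for r in records
            if "view" in effective_actions(user, obj, r, groups, reports, functional)]


# Constructed sample data following the Lisa Jones / Mateo Lopez example.
OPPORTUNITIES = [
    {"id": "OPP-1", "country": "Germany", "team": []},
    {"id": "OPP-2", "country": "Germany", "team": ["lisa"]},
    {"id": "OPP-3", "country": "France", "team": []},
]
LEAD = {"id": "LEAD-1", "team": []}
GROUPS = [AccessGroup("Germany_Project", {"lisa"}, [
    SharingRule("Opportunity", "Full", lambda r: r["country"] == "Germany"),
    SharingRule("Lead", "Full", lambda r: True),
])]
REPORTS = {"mateo": {"lisa"}}  # Mateo manages Lisa
FUNCTIONAL = {
    "lisa": {"Opportunity": {"view", "update"}, "Lead": {"view"}},
    "mateo": {"Opportunity": {"view", "update"}},
}

if __name__ == "__main__":
    for user in ("lisa", "mateo"):
        print(user, visible(user, "Opportunity", OPPORTUNITIES, GROUPS, REPORTS, FUNCTIONAL))
    print("lisa on lead:", effective_actions("lisa", "Lead", LEAD, GROUPS, REPORTS, FUNCTIONAL))
```

Running the same comparison with the group marked inactive shows which records a user would still reach through the remaining access paths, which is the check to make before relying on a group as the only path.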

Considerations in Deciding When to Use Access Groups

You can extend a user's visibility to sales object data in a number of ways:

  • By creating custom data security policies, assigning the custom policies to custom roles, and then assigning the custom roles to users.

  • By using Territory Management to set up territories and to assign users to territories, then using Assignment Manager to assign territories to object records.

  • By creating access groups and assigning users to the access group.

So what factors should you consider when deciding which option to choose? This topic provides you with some guidelines.

Custom Data Security Policies

In situations where you can use either access groups or custom data security policies to provide users with data permissions, use access groups for these reasons:

  • Access groups provide better performance than custom data security policies.

  • You can search for records assigned to users through their access group membership in Workspace. Records assigned to users through custom data security policies can't be searched in Workspace.

  • Access groups are easier to manage.

Access Groups

Access groups work together with the existing access mechanisms to allow you to provide access to users based on parameters that aren't provided by the standard access framework, such as the user's context (country or sales region for example), the user's resource organization or business unit, or some other attribute. You can also use access groups to assign access based on custom attributes. For example, you can assign all users in a specific business unit to a group and then grant that group read permissions to opportunities.

Territory Management

You can use territory management to manage users' visibility to data, but territory management isn't a security access mechanism. It's a way of assigning sales representatives to sales territories to enable optimal sales coverage. Territory management is used for configuring access primarily to facilitate the selling process by defining boundaries using hierarchical attributes such as products, geographies, industry and so on.

Use territory management functionality to extend visibility to data in these scenarios:

  • If you want to use forecasting or quota management functionality.

  • If the territory hierarchy and territory based reporting and roll-ups are different to the reporting resource hierarchy.

  • If you want to provide users with access based on hierarchical attributes and named accounts.

If you want to provide users with access using a standard mechanism, such as territory or management hierarchy, then use Territory Management. Otherwise, use access groups.

Note: Once you've implemented territory management, you can optionally use access groups to manage your territories. You can define custom rules for the Sales Territory or Sales Territory Proposal objects and assign them to custom access groups to specify who can manage the territory or territory proposal. For example, you can create rules for country-specific administrator access groups that allow the group members to view all territories in their country but not edit or delete the territories.

Types of Access Groups

There are two types of access groups:

  • Custom access groups.

    Custom access groups are groups you create to provide users with access to data according to the needs of your business. You can add members to these groups, define rules to specify the access group members should have to object data, and edit or delete the groups as required.

  • System access groups.

    These are access groups Oracle creates for you. A separate group is created for each of the predefined job roles in your environment and for the Resource abstract role. Predefined object sharing rules associated with each group provide the same access to data as is provided by the predefined job roles. These rules are inactive by default.

    A system access group is also created for each of the custom job roles in your environment but these system groups aren't associated with predefined rules; you can manually add predefined or custom rules to these system groups as required.

    You can't edit, create, or delete system access groups. You also can't add members to or delete members from these groups. Users are automatically added to or removed from system groups according to the job roles they're assigned.

On the Access Groups UI, the Type field indicates whether a group is a system group or a custom group. Custom groups are displayed by default but you can choose the type of group you want to view from the List drop-down list.

Overview of the Access Groups UI

You create and manage access groups and object sharing rules using the Access Groups UI in the Sales and Service Access Management work area. The Access Groups UI includes 2 tabs: the Access Groups tab and the Object Sharing Rules tab. Choose the appropriate tab depending on what you want to do:

  • Access Groups tab

    Displays the main Access Groups page. From here, you can review all the existing custom or system access groups, you can create custom access groups, review or add group members, and review or enable the rules assigned to a group. You can also add new rules to a group.

  • Object Sharing Rules tab

    Displays the main Object Sharing Rules page. From here, you can review all the rules defined for a selected object, you can create or delete object sharing rules and access extension rules, and you can assign rules to access groups.

You can manage your groups and rules on an on-going basis using either UI, depending on whether you want to work with access groups from an access group context or an object sharing rules context. For example, reviewing rule information from a rules context is useful if you decide to delete an object sharing rule you previously created and want to first check the rule isn't assigned to active groups. Similarly, reviewing rule information from a group context is useful if, for example, you want to enable and activate all the predefined rules assigned to a specific system group.

Create and Manage Custom Access Groups

This topic guides you through the main steps in the process of creating an access group and providing group members with access to object data. It describes these tasks:

  1. Create an access group

  2. Create object sharing rules to give group members access to object data

  3. Add members to the group

More detailed information about each task is available in other topics in the chapter.

Note: You must be assigned the IT Security Manager job role or the Sales Administrator job role to create and manage access groups.

Step 1. Create an Access Group

Once you have identified a group of resource users that require additional access to object data, create an access group for those users.

  1. Sign in to the application as the sales administrator or as a setup user.

  2. In the Setup and Maintenance work area, go to the following:

    1. Offering: Sales

    2. Functional Area: Users and Security

    3. Task: Manage Sales and Service Access

    Alternatively, click Navigator > Tools > Sales and Service Access Management.

    If you're a Sales Administrator, the Access Groups page in the Sales and Service Access Management work area is displayed.

  3. If you have the IT Security Manager job role, the Sales and Service Access Management main page is displayed. Click Configure Groups to display the Access Groups page.

    The Access groups page lists any existing active access groups. You can view all access groups (active and inactive) by selecting All Groups from the List drop-down list. You can also search for an existing group on this page.

  4. Click Create Access Group to display the Create Access Group page.

  5. Enter these values for the new access group.

    | Field | Value |
    |---|---|
    | Name | Enter a name for your group. For example, if you're creating a group to give sales support users access to all open opportunities, you might name the group Opportunity_Open. |
    | Description | Enter a description for your group (optional). For example, Access to open opportunities. |
    | Active | Select a status for the new group. By default, the status for new groups is inactive. Click the Active check box to activate the group. |

  6. Click Save and Continue to save your new group.

    The Edit Access Group: Overview page is displayed for the group. From here, you can edit the access group details or delete the access group.

Step 2. Create Object Sharing Rules for the Group

Next, create object sharing rules to grant group members access to object records.

  1. On the Edit Access Group: Overview page select the Object Sharing Rules tab.

  2. To create a new rule, click Create Rule.

  3. On the Create Object Sharing Rule page, select the object you're creating the rule for from the Object drop-down list. For example, select Opportunity.

  4. Enter a Name for your new rule, for example, Opportunity_Open. You can optionally enter a rule Description.

  5. In the Access Level field, select the type of object access you want to give group members, either Read, Update, Delete or Full access.

  6. Make sure that the Active check box for the rule is checked.

  7. In the Conditions area, specify the rule conditions.

    For example, you might specify that group members have access to opportunity records that have a Status attribute equal to Open.

  8. Select Save and Publish from the Actions menu to publish the rule so it's available for assignment processing.

  9. When the status indicator shows the publish process has completed, select Save and Close from the Actions menu, then select Save and Close to return to the main Access Groups page.

  10. If this is the first custom rule you've created, you must also publish the new rule on the Object Sharing Rules page. To do this, select the Object Sharing Rules tab, then select Publish Rules from the Actions menu.

    For any subsequent rules you create, this step isn't required. You only have to publish the rule once as described in step 8.

  11. Now run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the object sharing rules for each object are assigned properly.

For detailed information about creating object sharing rules, see the section Manage Object Sharing Rules for Access Groups in this chapter.

Step 3. Add Members to the Group

Finally, add resources to your new custom access group. You can add users to the group in a number of ways: manually add users on the UI, create group membership rules to automatically add users, or use the standard import and export functionality to add users.

Here are the steps to create group membership rules to add users to your group.

  1. On the Edit Access Group: Overview page, click the Group Membership Rules tab.

  2. Click Create Rule.

  3. On the Create Group Membership Rule page, enter a Name for the rule, for example, Sales_Support_Resources and optionally enter a rule Description.

  4. Select the rule conditions. The conditions determine which resources are added or removed as members of the group.

    For example, you might specify that all resources that have an Organization attribute equal to Sales Support are added to the group.

  5. Select Save and Publish from the Actions menu to publish the rule, then click Save and Close from the Actions menu.

  6. On the Edit Access Group: Overview page, click Save and Close to save the group details.

    On the Access Groups page, check that your new group is included in the list of groups.

  7. Now run the Run Access Group Membership Rules scheduled process to ensure that the access group membership rules are assigned and resources are added to the group.

    For information on running this process, see the topic Run the Access Group Membership Rules Process in this chapter.

    Once the rules you created for your new access group are processed, all the users in the Sales Support organization will have access to all open opportunities.

    For more detailed information about the different methods of adding users to custom access groups see the section Add Members to Custom Access Groups in this chapter.

For an example of how to assign access to sales objects to groups of users on the basis of the users' home country, see the topic Assign Group Access By Country.

Edit Access Groups

After you create a custom access group, you can edit the group details. For example, you might want to activate a group, add new object sharing rules for the group, or add or remove group members. You can also edit system access groups to configure the rules assigned to the group.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. Select the access group whose details you want to edit from the groups listed.

    Custom access groups are displayed by default so if you want to edit a system access group, you first have to select System Groups - Role from the List drop-down menu. You can also choose to list all access groups or just active groups.

    Details relating to the group and its members are listed on the Edit Access Group: Overview subtab.

  3. What you can do depends on whether you're editing a custom or a system group.

    • System Groups

      For system groups, you can review the group details and members on the Overview subtab but you can't change any of this information and you can't delete the group. System groups are predefined by Oracle and are automatically created and updated to reflect the job roles and user-job role assignments in your environment.

    • Custom Groups

      You can perform these actions from the Overview page for custom groups:

      • Change the group name or description.

      • Activate or inactivate a group.

        If you inactivate a group, group members lose any data access provided by the group.

      • Add group members by clicking Add Members.

      • Remove all group members who were added to the group manually by clicking Remove Members, or delete individual members from the group by clicking the Remove icon in the member row. Members who were added through group membership rules can't be removed.

      • Delete the group by selecting Delete Group from the Actions menu.

        For information about deleting groups, see the topic Delete Access Groups.

  4. Click the Object Sharing Rules subtab to view any predefined or custom object sharing rules defined for the group.

    You can make these changes for both system and custom access groups:

    • Enable or disable a predefined or custom rule for the access group by selecting or deselecting the Enable check box.

    • Remove a custom rule or a predefined rule you added to the access group. Click the rule and on the Edit Object Sharing Rule page, select Delete from the Actions menu.

      The rule is deleted for the group you're editing, but not for any other groups that the rule is associated with.

    • Add a preexisting rule to the access group. Click Add Rule, and then search for and select the rule you want to add in the search dialog box.

    • Create a new rule for the access group. Click Create Rule, and then define the new rule in the Create Object Sharing Rule page.

    • Change the access level provided by the rule for this group by selecting a new value from the rule's Access Level drop-down list.

    Note: If you're editing a system access group, a Lock icon is displayed for any predefined rules that are associated with the group as part of the default security configuration. For these rules, you can't change the access level for the group and you can't remove the rule from the group. The only change you can make is to enable or disable the rule for the group.

    For information on object sharing rules, see the topic Create Custom Object Sharing Rules.

  5. Click the Group Membership Rules subtab to view any group membership rules defined for the access group.

    Note: You can't add members to system groups using group membership rules so this subtab isn't available for system groups.

    You can edit an existing rule from this subtab by clicking the rule name link, or you can create a new rule by clicking Create Rule.

    If you select an existing rule to edit, the Access Group: Edit Group Membership Rule page is displayed where you can edit or delete any of the rule details. For information on group membership rules, see the topic Create Membership Rules for Custom Access Groups in this chapter.

  6. When you have finished editing the group details, click Save and Close.

    Changes you make to object sharing rules or group membership rules are processed when the Object Sharing Rule Assignment Process or the Access Group Membership Rules Process is next run.

Delete a Custom Access Group

You can delete a custom access group if you have the Delete Access Group privilege. By default, users assigned the IT Security Manager job role have this privilege. Sales Administrators aren't provided with the Delete Access Group privilege.

Caution: Once you delete a group and its members, you can't reactivate it. The users who were assigned to the group still exist but are no longer associated with the group and group members lose any data access provided by the group.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. Select the access group you want to delete from the groups listed.

    On the Edit Access Group: Group_Name page, select Delete Group from the Actions menu.

  3. In the confirmation dialog, click Yes to confirm your choice.

    The group is deleted and is no longer available on the Access Groups page.

Add Members to Custom Access Groups

Options for Assigning Members to Custom Access Groups

You can assign users to a custom access group when you create the group or you can add members at a later time. You can't assign users to system access groups. You can add members to a custom access group in any of these ways:

  • Manually add members to a group on the Edit Access Group: Overview page. This option is useful if you only need to add a few users to a group on an ad-hoc basis.

  • Create access group membership rules. Users who meet the conditions specified in the rule are automatically added to a group. Using group membership rules, you can add a large number of users to a group at once and simplify the process of maintaining the group's membership in the future. Users are added or removed from the group automatically depending on whether or not they meet the rule conditions.

  • Assign users to groups using the standard import and export functionality. If you have large numbers of users to assign to one or more access groups on a one-off basis, you can import users and groups.

You can assign a user to one or more access groups and the user will have the data access permissions assigned to each group.

Note: You can only assign users who are assigned the Resource abstract role (ORA_HZ_RESOURCE_ABSTRACT) to groups.

Member Types

Access group members are categorized into member types according to how they're added to an access group:

  • Manual members

    Users who are added to the group manually, either through the UI or through file import

  • Rule members

    Users who are added to the group through rule processing

You can delete access group members on the Edit Access Group: Overview page if they were added to the group manually. Group members added through rule processing can't be manually removed from a group; they're only removed from a group if they no longer meet the rule conditions.

If a user is added to an access group more than once, manually and through group membership rule processing, the user is listed twice on the Edit Access Group: Overview page. You can delete the manual entry for the user but the user remains a group member provided they still satisfy the access group membership rule conditions.

For information about creating access group membership rules, see Create Access Group Membership Rules. For information about importing access groups and members, see the section Import and Export Access Groups and Members later in this chapter.

Add Members to Custom Access Groups Using the UI

You can manually add resource users to a custom access group at any time using the UI by performing these steps.

  1. Navigate to the Access Groups page:

    • Sales Administrator: Navigator > Tools > Sales and Service Access Management

    • IT Security Manager: Navigator > Tools > Sales and Service Access Management > Configure Groups

  2. On the Access Groups page, select the group you want to add members to.

  3. On the Edit Access Group: Overview page, click Add Members.

    The Add: Group Members page is displayed.

  4. Search for the member you want to add using one of the search fields.

    For example, in the First Name field, enter the first 3 characters of a user's first name and click Search. Or in the Role field, select a resource role to view all users assigned that role.

    If you create a custom field for the Resource object, for example, Country, you can use Application Composer to expose the field so that it's available as a drop-down list on the Add: Group Members UI. You can then search for resources using this field. In this example, you can search for users by country.

  5. Select each of the users you want to add to the group in the Search Results area, then click Apply.

    Note: You can only assign users who are assigned the Resource abstract role (ORA_HZ_RESOURCE_ABSTRACT) to groups.

  6. Search for and select any additional members you want to add to the group and, when you're finished adding members, click OK.

  7. Verify that all the members you added to the group are listed in the Group Members area of the Edit Access Group: Overview page.

  8. If you want to remove a member, click the Remove icon in the member row. To remove all members of the group who were added manually, click Remove All Members.

  9. Click Save and Close to save the group membership details.

You can add resource users to a custom access group by defining one or more group membership rules. Each rule consists of conditions that determine which resources are added as members of the group. Any users who satisfy the conditions are automatically added to the access group and group members who no longer meet the conditions are automatically removed from the group. You can't remove members added through group membership rule processing using the UI.

Assigning members to groups using rules involves two steps: first you create and publish the membership rules, then you run the Access Group Membership Rules scheduled process to assign the rules.

Create Membership Rules

Here's how you can create a group membership rule to add members to your access group.

  1. On the Access Group page, select the group you're creating the membership rule for.

  2. On the Edit Access Group: Overview page, select the Group Membership Rules tab, then click Create Rule.

  3. On the Access Group: Create Group Membership Rule page, enter a Name for the group membership rule and a Description if required.

  4. In the Conditions section, specify the rule conditions.

    Each rule consists of one or more conditions that are evaluated individually. You can choose whether the rule action applies if any conditions are met, or only if all conditions are met, by choosing the appropriate value from the Rule Applies If list.

  5. Enter a rule condition by clicking the Add icon, then enter these values for the condition.

    Field Description

    Object

    Select either the Resources object or the Resources Hierarchy object.

    Only resource users can be added to an access group so you can only select one of these objects.

    Attribute

    Select an attribute from the list. Both custom and standard attributes defined for the object you selected are listed.

    Note: Support for a number of resource object attributes will be discontinued in future releases. So to prevent issues in the future:

    • Avoid using these attributes:

      User Account Status, Company, Phone, Job Title, Manager First Name, Manager Last Name, Organizations, Teams, Usages

    • Use custom attributes that are based on database columns only. Avoid using custom attributes, such as attributes based on the Formula field, that aren't based on database columns. Support for attributes that aren't based on database columns will be deprecated in future releases.

    Operator

    Select the operator for your condition. For example, Equals or Is blank.

    Tip: If an attribute can have multiple values, such as the Roles or Teams attributes, use the Contains operator instead of the Equals operator to make sure that the condition adds all the intended resources to the group. For example, if you create a rule Roles Equals Salesperson, then users who are assigned only the Salesperson role are added to the group. If you create a rule Roles Contains Salesperson, then users assigned the Salesperson role and any other role are also added to the group.

    Value

    Enter a value for the attribute, if relevant. If you're entering more than one value, separate each value with a comma.

    Enter as many conditions as needed to suit your specific requirements. For example, if you want to add all resources who are sales representatives based in the Sales Support organization to your group, create two conditions with values similar to these and choose the All conditions met value from the Rule Applies If drop-down list.

    | Field | Condition 1 | Condition 2 |
    |---|---|---|
    | Object | Resources | Resources |
    | Attribute | Job Title | Organization |
    | Operator | Equals | Equals |
    | Value | Sales Representative | Sales Support |

  6. From the Actions menu, select Save and Publish to ensure that your changes get included in the assignment processing.

  7. Click Save and Close.

Run the Access Group Membership Rules Process

Start the Run Access Group Membership Rules scheduled process to ensure that the access group membership rules are assigned. Once this process has run, all resources who meet the condition criteria are added to the access group. Here are the steps to run the scheduled process.

Note: Don't schedule or start the Run Access Group Membership Rules process at the same time as the Reporting Hierarchy Generation scheduled process. The Reporting Hierarchy Generation process updates the reporting hierarchy in accordance with changes to the internal resource or partner organization hierarchies and impacts the assignment of access group membership rules if both processes run at the same time.
  1. In the Navigator, click Tools > Scheduled Processes.

  2. On the Overview page, click Schedule New Process.

  3. In the Schedule New Process window, enter Run Access Group Membership Rules in the Name field.

  4. Select the process and click OK.

  5. On the Process Details page, select the job parameters in the Basic Options region, then click Submit to run the process immediately. You can monitor its progress by searching for the Run Access Group Membership Rules process by name on the Overview page.

    If you want to schedule the process to run at regular intervals, click Advanced on the Process Details page, then select the Schedule subtab in the Advanced Options region and enter your scheduling details. You can then click Submit to run the job according to your schedule.

    Tip: It's best practice to schedule the process to run every 24 hours for all records updated in the previous 24 hours. But if you edit the rule, it's also a good idea to run the process manually straight away.
  6. When the process completes, navigate to the Edit Access Group: Overview page where you can see that all the resources who meet the rule conditions are added to the group. Notice that the Member Type field is set to Rule for all the new members.

    When the Run Access Group Membership Rules process is next run, members are added to or removed from the group according to whether or not they satisfy the rule conditions.

You can edit a group membership rule at any time by selecting the rule from the Edit Access Group: Group Membership Rules page. You can also delete or inactivate the rule. If you delete or inactivate a rule, any users added to the group through the rule are removed when the Run Access Group Membership Rules scheduled process is next run.
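The Equals versus Contains distinction in the Tip above, and the add/remove behavior of each process run, can be checked offline before a rule is published. The following is an added example, not Oracle code: the resource records are constructed, and the function names (`rule_matches`, `preview_run`) are hypothetical.

```python
# Added illustration: a small model of group membership rule evaluation.
# The resource records are constructed sample data, not a real export.
RESOURCES = [
    {"name": "Tom Jones", "Roles": ["Salesperson"], "Organization": "Sales Support"},
    {"name": "Lisa Jones", "Roles": ["Salesperson", "Sales Manager"],
     "Organization": "Sales Support"},
    {"name": "Matt Hooper", "Roles": ["Sales Manager"], "Organization": "Sales Support"},
    {"name": "Jane Smith", "Roles": ["Salesperson"], "Organization": "Field Sales"},
]


def values_of(resource, attribute):
    """Return the attribute as a set so single- and multi-valued fields compare alike."""
    raw = resource.get(attribute)
    if not raw:
        return set()
    return set(raw) if isinstance(raw, (list, tuple, set)) else {raw}


def condition_met(resource, attribute, operator, value=None):
    """Evaluate one condition using the operator semantics the Tip describes."""
    held = values_of(resource, attribute)
    if operator == "Is blank":
        return not held
    if operator == "Equals":
        # Matches only when the resource holds exactly this one value.
        return held == {value}
    if operator == "Contains":
        # Matches when the value is among the resource's values.
        return value in held
    raise ValueError(f"operator not modelled: {operator}")


def rule_matches(resources, conditions, all_conditions_met=True):
    """Names of resources that satisfy the rule (all conditions, or any of them)."""
    combine = all if all_conditions_met else any
    return {r["name"] for r in resources
            if combine(condition_met(r, *c) for c in conditions)}


def preview_run(current_rule_members, matched):
    """What the next process run would change for members whose type is Rule."""
    return {"added": matched - current_rule_members,
            "removed": current_rule_members - matched}


if __name__ == "__main__":
    equals = rule_matches(RESOURCES, [("Roles", "Equals", "Salesperson")])
    contains = rule_matches(RESOURCES, [("Roles", "Contains", "Salesperson")])
    print("Missed by Equals:", sorted(contains - equals))
    print(preview_run({"Tom Jones", "Matt Hooper"}, contains))
```

Comparing the two result sets before publishing shows which resources an Equals condition would silently leave out of the group, and the preview lists who would lose membership after a rule edit.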

Assign Group Access By Country

If you want to provide a group of users with access to data on the basis of the users' context, such as their business unit, country or region, then access groups are the best way of doing this.

This topic gives an example of the high-level steps to follow to assign access to sales objects (Accounts, Contacts, Opportunities, Partners and Leads) to groups of resource users on the basis of the user's home country. You can use a similar process to assign a group with data access using some other attribute, such as resource organization.

These are the steps to provide users with access to sales records on the basis of the user's country.

  1. Create a custom attribute, Country, for each sales object and make the attribute available as a custom field on the sales object UI.

    When creating or editing an object record, such as an opportunity, the user can then select the country associated with the record from the custom Country field on the UI.

  2. Create a custom attribute, Country, for the Resource object to represent a user's country and make the attribute available as a custom field on the Resource object UI.

    When creating users, you can then select the country the user is associated with from the Country field on the UI.

  3. On the Access Groups page of the Sales and Service Access Management work area, create an access group for each country and add existing resources to each country group. As new users join your organization, make sure you add them to a country group.

    You can add members to each country-based access group manually on the Access Groups UI. Or use these steps to add members to access groups using the export and import functionality:

    1. Use the resource export functionality to generate a list of sales resources and filter the generated export file based on the Country field.

    2. Import country groups and members:

      • Create an import file similar to the following for each country-based access group.

        | ACCESS_GROUP_NUMBER | NAME | DESCRIPTION | ACTIVE_FLAG |
        |---|---|---|---|
        | 3788493471 | GERMAN REGION | Access group for users in Germany | Y |
        | 3788493472 | UK | Access group for users in UK | Y |
        | 3788493473 | FRANCE | Access group for users in France | Y |

      • Create an import file of resources similar to the following to add members to each access group.

        | ACCESS GROUP NUMBER | GROUP_NAME | PARTY_NUMBER | RESOURCE_EMAIL_ADDRESS | PARTY_NAME |
        |---|---|---|---|---|
        | 3788493471 | GERMAN REGION | 2793920203 | tom.jones@example.com | Tom Jones |
        | 3788493471 | GERMAN REGION | 2793920204 | lisa.jones@example.com | Lisa Jones |
        | 3788493471 | GERMAN REGION | 2793920205 | matt.hooper@example.com | Matt Hooper |
        | 3788493471 | GERMAN REGION | 2793920206 | jane.smith@example.com | Jane Smith |

  4. On the Access Groups page, click the Object Sharing Rules tab.

  5. To make the Country attribute visible and available for selection on the Object Sharing Rules page, select the Synchronize Custom Objects and Fields item from the Actions menu.

  6. When the value of the Last Synchronized field indicates that the synchronize process is finished, select the sales object that you want to assign by country, for example, Opportunity.

  7. Create an individual rule for each country by clicking Create in the Custom Rules region.

    1. In the Conditions region of the Create Rule page, in the Attribute field, select the Country attribute as the value used to assign object records.

    2. In the Action: Assign Access Group region, assign the rule to the relevant country-based access group and select the level of object access to be provided. For example, select Read or Update access.

    3. Click Save and Close from the Actions menu to save the rule.

      The Object Sharing Rules page is displayed.

  8. When you have created an object sharing rule for each country, on the Object Sharing Rules page select Publish Rules from the Actions menu to publish all new and changed rules for the object.

  9. Run the Perform Object Sharing Rule Assignment Processing process so that the access group sharing rules for the object are assigned properly.

    It's a good idea to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object.

For additional information about creating custom attributes and making them visible on a UI, see the Configuring Applications Using Application Composer guide. For additional information about importing and exporting data, see the guide Understanding Import and Export Management for CX Sales and B2B Service.
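Step 3 of the procedure above (filter the resource export by country, then build the group and member import files) can be scripted so that resources with no country, or with a country that has no group, are reported instead of being silently skipped. This is an added example, not Oracle code: the CSV layout, the export column names and the Country values are assumptions, while the import headers and group numbers are copied from the sample files above.

```python
import csv
import io

# Country value -> (group number, name, description), taken from the sample import file.
GROUPS = {
    "Germany": ("3788493471", "GERMAN REGION", "Access group for users in Germany"),
    "UK": ("3788493472", "UK", "Access group for users in UK"),
    "France": ("3788493473", "FRANCE", "Access group for users in France"),
}
# Headers exactly as the sample files show them; check them against your import template.
GROUP_HEADER = ["ACCESS_GROUP_NUMBER", "NAME", "DESCRIPTION", "ACTIVE_FLAG"]
MEMBER_HEADER = ["ACCESS GROUP NUMBER", "GROUP_NAME", "PARTY_NUMBER",
                 "RESOURCE_EMAIL_ADDRESS", "PARTY_NAME"]

# Constructed resource export; the column names here are hypothetical.
SAMPLE_EXPORT = """PARTY_NUMBER,RESOURCE_EMAIL_ADDRESS,PARTY_NAME,COUNTRY
2793920203,tom.jones@example.com,Tom Jones,Germany
2793920204,lisa.jones@example.com,Lisa Jones,Germany
2793920205,matt.hooper@example.com,Matt Hooper,UK
2793920206,jane.smith@example.com,Jane Smith,
2793920207,ana.ruiz@example.com,Ana Ruiz,Spain
2793920203,tom.jones@example.com,Tom Jones,France
"""


def to_csv(header, rows):
    """Serialize a header and rows to CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


def build_import_files(export_text, groups=GROUPS):
    """Return (groups_csv, members_csv, rejected) for a resource export."""
    members, rejected, seen = [], [], {}
    for row in csv.DictReader(io.StringIO(export_text)):
        party = row["PARTY_NUMBER"].strip()
        country = (row.get("COUNTRY") or "").strip()
        if not country:
            rejected.append((party, "no country set"))
        elif country not in groups:
            rejected.append((party, f"no access group for {country}"))
        elif party in seen:
            # A resource listed twice must not end up in two country groups.
            if seen[party] != country:
                rejected.append((party, f"also listed under {seen[party]}"))
        else:
            seen[party] = country
            number, name, _ = groups[country]
            members.append([number, name, party,
                            row["RESOURCE_EMAIL_ADDRESS"], row["PARTY_NAME"]])
    group_rows = [[number, name, desc, "Y"] for number, name, desc in groups.values()]
    return to_csv(GROUP_HEADER, group_rows), to_csv(MEMBER_HEADER, members), rejected


if __name__ == "__main__":
    groups_csv, members_csv, rejected = build_import_files(SAMPLE_EXPORT)
    print(groups_csv, members_csv, sep="\n")
    for party, reason in rejected:
        print(f"REVIEW {party}: {reason}")
```

Review the rejected list before importing: each entry is a resource who would otherwise receive no country-based access, or access for the wrong country.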

Manage System Access Groups

Overview of System Access Groups

You can use system access groups and predefined rules to support team-, territory-, and management hierarchy-based access to data for your users. You can also provide users with global access to object data, or with fine-grained access to data such as Personally Identifiable Information (PII) for the Contact object. System access groups provide an alternative way to manage user access to data for supported objects. There's a system access group to correspond to each of the standard sales and service job roles Oracle provides, and predefined object sharing rules assigned to each group provide the same access to supported object data as is provided by the standard job roles.

There are two types of system groups:

  • Groups generated for each of the predefined sales and service job roles in your environment and for the Resource and Authenticated User abstract roles

  • Groups generated for each of the custom job roles in your environment

On the UI, you can distinguish between the two types of system access groups as follows:

  • The numbers assigned to system access groups generated for predefined job roles or for the Resource and Authenticated User abstract roles start with the ORA_ prefix. The numbers assigned to access groups generated for your custom job roles don't include the ORA_ prefix.

  • The Predefined check box is checked for system access groups generated for the predefined job roles and for the Resource and Authenticated User abstract roles but not for groups generated for your custom job roles.

Any user you assign to a predefined or custom job role is automatically included as a member of the associated system access group. All authenticated users, including users who aren't resources, are automatically added to the All Users system access group. You can use the All Users system access group to provide all authenticated users of your application with access to object records.

On the Access Groups main page, you can select the Update System Groups and Members option from the Actions menu. This option runs the Refresh Access Control Data Process so that system groups are updated with changes to the custom job roles and user-job role assignments in your environment.

What Changes Can You Make to System Groups?

You can't create new system groups or delete existing system groups. You also can't add or delete members of system groups, either manually, through group membership rules, or through import and export functionality. Users are automatically added to, or removed from, system access groups according to the job roles they're assigned. You can add additional predefined or custom object sharing rules to system groups.

System Groups and Predefined Rules

Each system group for a predefined job role is associated with predefined object sharing rules that provide group members with the same access to data for supported objects that the relevant job role provides through its predefined data security policies. The association between system groups and predefined rules is part of the default security configuration and can't be changed, but this association is disabled by default. Each predefined rule is also inactive by default. So to use system groups to manage user access to data, you must first:

  • Activate each of the predefined rules you want to use

  • Enable the association between the group and the predefined rules

Note: System groups created for custom job roles, and the All Users system group which includes all authenticated users of the application, aren't associated with any object sharing rules. You add the rules you want to assign to these groups manually.

Objects Supported for Predefined Rules

Predefined rules aren't currently available for all sales objects. You can now use predefined rules to provide access to data for these objects:

  • Account

  • Asset

  • Activity

  • Activity Assignee

  • Campaign

  • Contact

  • Custom objects

  • Duplicate Identification Batch

  • Duplicate Resolution Request

  • Forecast Territory Details

  • Opportunity

  • Quote and Order

  • Sales Lead

If you want to use system access groups provided by Oracle to manage your users' access to supported object data, you must enable the predefined rules for each system access group using these steps.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. From the List drop-down list, select System Groups - Role to display all system access groups.

  3. Click the name of a system access group whose rules you want to enable.

    Details relating to the group and its members are listed on the Edit Access Group page.

  4. Click the Object Sharing Rules subtab to view the object sharing rules defined for the access group.

    On the Object Sharing Rules UI, all the custom and predefined rules assigned to the group are listed.

    • The predefined rules associated with the access group as part of the default security configuration have a Lock icon and the Predefined check box is selected. You can't change any of the rule details, including the access level specified in the rule.

    • If you added a predefined rule to the group yourself, the Predefined check box is selected but the rule doesn't have a Lock icon. You can change the access level of the rule for the group.

  5. To enable each of the rules associated with this system group as part of the default security configuration, select the Enable check box for each rule.

  6. Click Save to save your changes.

  7. To activate each of the predefined rules you enabled:

    1. Click the rule name link in the Name field.

    2. On the Edit Object Sharing Rule page, click the Active check box.

    3. From the Actions menu, click Save and Publish.

      Note: Users must be assigned the Grant on Application Objects data security policy to publish individual rules that provide global access to object data. By default, the Sales Administrator job role and the IT Security Manager job role have this privilege. If you use custom versions of these roles, assign this privilege to your custom roles.
    4. Click Save and Close.

  8. On the Edit Access Group page, click Save and Close.

  9. Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules for each object are assigned properly.

    For information, see the topic Run the Perform Object Sharing Rule Assignment Process in this chapter.

Run the Refresh Access Control Data Process for System Groups

On the Access Groups main page, you can select the Update System Groups and Members option from the Actions menu to run the Refresh Access Control Data scheduled process. Running this process ensures that system groups shown on the UI reflect changes to the custom job roles and user-job role assignments in your environment. You also need to schedule this process to run periodically in accordance with your business requirements. These are the steps to schedule the process.

  1. In the Navigator, click Tools > Scheduled Processes.

  2. On the Overview page, click Schedule New Process.

  3. In the Schedule New Process window, enter Refresh Access Control Data in the Name field and press Enter.

  4. Select the process and click OK.

  5. On the Process Details page, select whether you want to perform a full or an incremental refresh of the data by selecting the appropriate option from the Refresh Type drop-down list in the Basic Options area.

  6. To schedule the process to run regularly use these steps.

    How frequently you run the process will vary according to your business requirements but, in general, it's a good idea to run the process daily.

    1. Click Advanced on the Process Details page.

    2. Click the Schedule tab in the Advanced Options area and select the Using a schedule option.

    3. Select how often you want the process to run from the Frequency drop-down list.

      For example, select Daily.

    4. Indicate when you want the schedule to start and end by entering values in the Start Date and End Date fields.

    5. Click Submit.

      Depending on your settings, your process runs immediately or at the intervals you specified. You can monitor its progress on the Overview page.

Manage Object Sharing Rules for Access Groups

Object sharing rules provide access groups with access to an object's records. There are two types of object sharing rules:

  • Custom rules you create to configure data access for members of access groups.

    You must manually assign these rules to relevant access groups and the rules are active by default.

  • Predefined rules created by Oracle.

    One or more predefined rules are assigned to each system access group that's generated for a predefined job role. These rules provide the same access to data for supported objects as the job role provides. The association between a system group and the predefined rules assigned to it isn't enabled by default and each predefined rule is also inactive by default.

    On the Object Sharing Rules page, the Predefined column is checked if a rule is predefined. If the predefined rule is assigned to a system access group as part of the default security configuration, it also has a Lock icon to indicate that you can't change the association between the rule and the group, or the level of access provided by the rule to the group.

Both types of object sharing rules specify the object the rule is created for, the condition that must be met for the rule to be applied, the access group the rule is assigned to and the access level that group members receive. You can also create an access extension rule for both custom and predefined rules, and can activate or inactivate both types of rules.

But there are also a few differences between the object sharing rules you create and the predefined rules Oracle provides. There are also differences in what you can do when a predefined rule is associated with a system group as part of the default security configuration and when it isn't.

Comparison of the Predefined and Custom Object Sharing Rules

Some of the similarities and differences between the object sharing rules you create and the predefined rules are outlined in the table.

| Custom Rules | Predefined Rules | Predefined Rules Associated to a System Group |
|---|---|---|
| You can create, edit, and delete the rule. | Oracle creates the rule. You can edit the rule. | You can only enable or disable the rule for the group. |
| Rule is active by default. | Rule is inactive by default. | Rule is inactive by default. |
| You can create one or more conditions for the rule. | Rule has one predefined condition which you can't change. | Rule has one predefined condition which you can't change. |
| You can't create rule conditions that provide either of these types of access: access to all of an object's records; field-level access to object records, such as access to Personally Identifiable Information (PII) for the Contact object. | Predefined rules with conditions that provide global and field-level access to object data are provided. | Predefined rules with conditions that provide global and field-level access to object data are available. |
| You can assign the rule to system access groups and custom access groups. | You can assign the rule to system access groups and custom access groups. Note: Predefined rules that provide global or field-level access to object data are an exception. You can't assign these rules to custom access groups. | NA |
| You can change the access level provided by the rule for different custom or system groups. | You can change the access level provided by the rule for a custom access group. If a rule is predefined but doesn't have the Lock icon, you can also change the access level provided by the rule to a system group. | Can't change the access level provided by a predefined rule for a system access group. |

Configure Real-Time and Near Real-Time Access for Access Group Object Records

You can implement real-time and near real-time processing for objects secured using access groups using profile options. These options allow you to do the following:

  • Enable real-time processing of object records secured using access groups so that when new object records are created, the record is immediately available on the UI.

    Real-time processing is supported for these objects: Opportunity, Leads, Account, Contact and Activity.

  • Enable near real-time processing for opportunity and lead records so that when new lead or opportunity records are created, either because a new object is created or as a result of changes to the object owner or object team, the new records are immediately available on the UI.

The real-time processing options are enabled by default, but to enable near real-time processing for lead and opportunity records, there are some additional steps for you to perform.

Configure Real-Time Processing of Object Records

Two profile options control the real-time processing of object records that are secured using access groups:

  • Real-Time Transaction Tracking Enabled (ORA_ZCA_TRANSACTION_TRACKING_ENABLED)

  • Real-Time Transaction Tracking for Access Groups Enabled (ORA_ZCA_ACCESS_GROUPS_TRACKING_ENABLED)

Both of these profile options are enabled by default at the site level so that real-time processing is enabled for all users. In general, you won't need to change the default values for these profile options but you can disable real-time processing for individual users if necessary. For example, you might want to disable real-time processing for a specific user who has to import bulk data into the application. In cases like this, disable both profile options for the user using these steps.

  1. From Setup and Maintenance, navigate to the Manage Administrator Profile Values task.

  2. Search for the profile option name, for example, Real-Time Transaction Tracking Enabled.

  3. In the Profile Values section, select New from the Actions menu.

  4. In the Profile Level field, select User.

  5. In the User Name field, search for and select a user, then click OK.

  6. In the Profile Value field, select No.

  7. Click Save and Close.

  8. Repeat steps 2 - 7 for the Real-Time Transaction Tracking for Access Groups Enabled profile option.

Configure Near Real-Time Processing of Lead and Opportunity Object Records

You can access opportunity and lead records that are secured using access groups in near real-time. When an opportunity or lead is created, when a user is added to or removed from an opportunity or lead team, or when the owner of an opportunity or lead is changed, the new opportunity or lead records are available to the user on the UI immediately. To implement near real-time processing for opportunities and leads, both of these profile options have to be enabled:

  • Near Real-Time Transaction Tracking for Access Groups Enabled (ORA_ZCA_ACCESS_GROUPS_NEAR_REAL-TIME_TRACKING_ENABLED)

    This option is enabled at the site level by default.

  • Common CRM Signals Active (ORA_ZCA_ENABLE_SIGNALS).

    This option is disabled by default.

So to implement near real-time access for opportunity and lead records, enable the Signals functionality using these steps:

  1. From Setup and Maintenance, navigate to the Manage Administrator Profile Values task.

  2. Search for the profile option name Common CRM Signals Active.

  3. In the Profile Values section, select the Site profile level, then change the default value of the Profile Value field to Yes.

  4. Click Save and Close.

Once you have created an access group you can create rules to provide the group with access to an object's records. You can define rules for both standard and custom objects.

To create a custom object sharing rule, you specify the type of object access to be provided, the conditions under which the access is provided, and the groups to share the rule with. You then publish the rule to Assignment Manager. Finally, you run the Perform Object Sharing Rule Assignment Processing task to enable the resources in the associated access group to have access to the object data records.

This topic describes how to create object sharing rules from an object context. But you can also create a rule in the context of a group when editing the group. For additional information see the topic Edit Access Groups and the topic Create a Custom Access Group.

Here are the steps to create object sharing rules.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. On the Access Groups page, select the Object Sharing Rules tab.

    The Object Sharing Rules page is displayed. From here, you can modify an existing rule or create a new rule to share with an access group.

  3. To make sure that any custom attributes or objects created in Application Composer that are enabled for access groups are available on this UI, select the Synchronize Custom Objects and Fields option from the Actions menu.

    For more information about using custom objects with access groups, see the topic Enable Access Group Security for Custom Objects.

  4. Select the object you want to provide access to from the Object list. For example, select Opportunity.

    For a list of objects supported with access groups, see the topic Overview of Access Groups.

  5. To create a new object sharing rule, click Create in the Rules section.

    The Rules section lists any object sharing rules you previously created for this object and any predefined rules for the object.

  6. On the Create Rule page, enter a Name and Description for the new rule.

  7. New rules are set to Active by default. Deselect the Active check box if you don't want to activate the rule just yet.

  8. In the Conditions section, specify the rule conditions.

  9. You can optionally select a predefined condition to use with the custom conditions you're about to create from the Predefined Condition list.

    Note: The Predefined Condition list is only available if this functionality is enabled in your environment. For additional information on this functionality, see the topic Combine Predefined and Custom Conditions in a Rule.
  10. Each condition in a rule is evaluated individually. You can choose whether the rule action applies if any custom conditions are met or only if all custom conditions are met by choosing the appropriate value from the Rule Applies If list.

  11. Enter your first condition. For example, if you want to give group members read access to all opportunities associated with their home country, create a rule with values similar to these:

    | Field | Value |
    |---|---|
    | Object | Opportunity |
    | Attribute | Country (this is a custom field for the Opportunity object) |
    | Operator | Equals |
    | Value | UK |

    Here are some considerations to keep in mind when selecting the attributes to use in rule conditions.

    • By default, not all of the standard attributes for an object are displayed on the Access Groups Create Rule or Edit Rule UIs. To make additional standard attributes available for an object, follow the steps in the topic Enable Additional Attributes for Access Group Object Sharing Rules.

    • Support for the object attributes listed in this table will be discontinued in future releases. When creating conditions, it's a good idea to avoid using these attributes.

      | Object | Attribute |
      |---|---|
      | Resource | Phone |
      | Activity | Account, Asset, Business Plan, Campaign, MDF Claim, Deal Registration, Delegated By, MDF Request, Lead, Opportunity, Enrollment Number, Partner, Program, Sales Objective, Service Request |
      | Asset | Asset Owner, Product |
      | Account | Type, Favorite, Organization Type |
      | Opportunity | Business Unit, Win Probability (RcmndWinProb) |
      | Deals | Account Country |
      | Product | Eligible for Service |

    • Use custom attributes that are based on database columns only. Avoid using custom attributes, such as attributes based on the Formula field, that aren't based on database columns. Support for attributes that aren't based on database columns will be deprecated in future releases.

  12. Enter any additional conditions required to specify the access level you want the rule to provide.

  13. Next, in the Action: Assign Access Group section, click Select and Add from the Actions menu.

  14. Search for and select the access group you want to share this rule with, then click Apply and then Done.

    You can assign a rule to multiple access groups.

  15. In the Access Level field, select the type of object access you want to give group members.

    | Access Level | Access Provided |
    |---|---|
    | Read | Read-only access. Note: If you're creating a rule for the Sales Quota Plan object, only the Read access level is supported. |
    | Update | Read and update access |
    | Delete | Read and delete access |
    | Full | Read, update and delete access |

  16. Select Save and Close from the Actions menu.

  17. On the Object Sharing Rules page, publish the new rule to ensure that your changes get included in the assignment processing by selecting Publish Rules from the Actions menu.

  18. When the status indicator shows the publish process has completed, click Close.

  19. Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules for each object are assigned properly. It's a good idea to schedule this process to run frequently.

    Tip: You might want to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object. See the topic Run the Perform Object Sharing Rule Assignment Process for more information.

Rule Publishing

After creating a custom rule, you must publish the rule to make it available for assignment processing. You can publish a new rule in two ways:

  • If you create the rule from the main Object Sharing Rules tab (object context), you publish the rule by selecting the Publish Rules option from the Actions menu on the Object Sharing Rules page. Publishing rules this way publishes rules for all objects (global rule publish).

  • If you create the rule in the context of a group when editing the group, then you can publish the individual rule by selecting Save and Publish from the Actions menu of the Create Object Sharing Rule page (single rule publish).

When you create your first object sharing rule, you must publish the rule using the global rule publishing option on the Object Sharing Rules page. If you create your first rule and publish it in the context of a group (single rule publish), you must still perform a global publish of all rules by selecting Publish Rules from the Actions menu on the Object Sharing Rules page. You can publish any subsequent custom rules you create either using the global rule publish or the single rule publish options.

Combine Predefined and Custom Conditions in a Rule

You can create hybrid object sharing rules for your access groups, that is, rules that combine a predefined condition with one or more custom conditions, by enabling the profile option System and Custom Rule Conditions Combination Supported. Once this profile option is enabled, a Predefined Condition list becomes available in the Conditions section of the Create Rule page where you can select a predefined condition. Combining custom conditions with a selected predefined condition in a hybrid rule lets you refine the access that's provided by the predefined condition.

For example, there is a predefined condition that provides all users who are on the opportunity team with access to the opportunity. If you want to restrict this access so team members have access to the opportunity only if it has a status of Open, then you can do so using these steps.

  1. Create an object sharing rule for the Opportunity object.

  2. In the Conditions section, select this condition from the Predefined Condition list:

    Opportunities where the access group member is on the opportunity team

  3. Select a value from the Rule Applies If list to choose whether the custom conditions you're about to create are applied when any of the custom conditions are met, or only when all the custom conditions are met.

    The default value is All Conditions Met.

  4. Create a rule with values similar to these.

    • Object: Opportunity

    • Attribute: Status

    • Operator: Equals

    • Value: Open

  5. In the Action: Assign Access Group section, select the access group you want to share this rule with and the type of access to give group members.

  6. Select Save and Close from the Actions menu to save the rule.

  7. On the Object Sharing Rules page, publish the new rule by selecting Publish Rules from the Actions menu.

  8. When the status indicator shows the publish process has completed, click Close.

  9. Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rule is assigned properly.

All users on an opportunity sales team can now view the opportunity, provided it has a status of Open.

Considerations When Using Predefined Conditions in a Rule

Here are some considerations to keep in mind when creating an object sharing rule that uses a predefined condition.

  • You can select only one predefined condition for the rule.

  • You have to define at least one custom condition for the rule.

  • Once you have created and saved a rule containing a predefined condition, you can't change the predefined condition selected for the rule.

  • If you create rules containing a predefined condition, then disable the profile option that lets you use predefined conditions in a rule, this is what happens:

    • On the Create Rule page, the Predefined Condition list is no longer available.

    • When you edit an existing hybrid rule, the predefined condition is visible in the Predefined Condition field on the Edit Rule page but you can't change the predefined condition.

    • If an existing hybrid rule is assigned to an access group, group members continue to receive the data access provided by the rule.

Enable the Profile Option

Use these steps to enable the profile option System and Custom Rule Conditions Combination Supported.

  1. In the Setup and Maintenance work area, open the task Manage Administrator Profile Values.

  2. Search for the profile option code ORA_MOW_SUPPORT_SEEDED_CONDITION.

  3. In the Profile Values section, select Yes from the Profile Value field.

  4. Click Save and Close.

Edit Object Sharing Rules

You can edit the predefined or custom object sharing rules at any time. For example, you might want to assign a rule to additional access groups, or change the level of access a rule provides to a specific group. Depending on what you want to do, you can choose to edit the object sharing rules from either of these locations:

  • The Edit Access Group: Object Sharing Rules subtab (group context)

    You can review and edit all the object sharing rules assigned to a specific access group, either by you or by Oracle, when editing an access group. Reviewing rule information from a group context is useful if you want to see what access group members have to data for different objects, or if you want to enable all the predefined rules assigned to a system group. For additional information, see the topic Edit Access Groups in this chapter.

  • The Object Sharing Rules page (object context)

    You can review or edit all the predefined and custom object sharing rules and access extension rules that have been created for a specific object on the Object Sharing Rules page. If you want to delete a custom rule, or edit an access extension rule, you can only do so from this page.

Follow these steps to edit rules from an object context.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. On the Access Groups page, select the Object Sharing Rules tab.

  3. On the Object Sharing Rules page, select the object you want to review from the Object list.

    All the rules and access extension rules defined for the object are listed.

  4. Search for and select the rule whose details you want to edit.

    Details relating to the rule are displayed on the Edit Rule UI.

  5. The changes you can make to a rule vary depending on whether you're editing a predefined rule or a rule you created yourself. But to use either type of rule, the rule must be active. Rules you create are active by default, but predefined rules are inactive. To activate a rule, or inactivate a rule you no longer require, select or deselect the Active check box.

  6. If you're editing a custom object sharing rule you created, you can delete the rule by selecting Delete from the Actions menu.

    Provided the rule isn't assigned to any access groups, the rule is deleted. You can't delete predefined rules.

  7. Editing rule conditions:

    • If you're editing a predefined rule, you can't change the condition defined for the rule, delete the condition or add new conditions.

    • If you're editing a rule you created, you can create new conditions, or edit or delete the existing conditions in the Conditions area. For information on defining rule conditions, see the topic Create Custom Object Sharing Rules.

  8. Editing access groups:

    The access groups the rule is assigned to are listed in the Action: Assign Access Group area. You can make these changes for both predefined and custom object sharing rules:

    • Enable or disable the rule for a specific access group by selecting or deselecting the Enable check box.

    • Remove an access group from the list by selecting the group and then selecting the Delete option from the Actions menu.

    • Change the access level provided by the rule for a specific group by changing the value in the Access Level drop-down list.

    • Assign the rule to additional custom or system access groups by performing these steps:

      • Select the Select and Add option from the Actions menu.

      • In the Select and Add: Access Group dialog box, search for and then select the custom or system access group you want to assign the rule to, then click Apply.

      • Add any other groups and, when you have completed your selections, click Done.

    Note: For a predefined rule for which Oracle has created the rule-system group association, a Lock icon indicates that this association is part of the default security configuration. In these cases, you can't edit the rule to change the access level for the group and you can't remove the rule from the group. The only change you can make is to enable or disable the rule for the group.

  9. When you complete all your editing changes, click Save and Close from the Edit Rule page Actions menu.

  10. On the Object Sharing Rules page, select the Publish Rules option from the Actions menu to apply the changes you made.

  11. Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules for each object are assigned properly.

Overview of Access Extension Rules

Create access extension rules to extend the access defined for an object in an object sharing rule to a related object. For example, if you have secured access to an object such as Account using object sharing rules, you can extend the access defined for the Account object to a related object, such as Activity, by creating an access extension rule. All members of an access group who can access account data will then have access to activity data for the account with the access level you choose in the access extension rule.

Supported Objects

Access extension rules functionality isn't currently supported for all the objects that are enabled for access groups. You can create an access extension rule only for these objects.

  • Activity

  • Asset

  • Business Plan

  • Contact

  • Custom objects

  • Deal Registration

  • Sales Lead

  • MDF Budget

  • MDF Claim

  • MDF Request

  • Opportunity

  • Program Enrollments

  • Quote and Order

You can define as many access extension rules as required for each object.

Considerations When Using Access Extension Rules

Before creating an access extension rule for an object, review the following considerations.

  • You can't link access extension rules.

    Each access extension rule provides access to records for only one object and can't be extended to provide access to records for a second object.

    For example, if you create an access extension rule to provide group members with access to activity data for accounts they can access (Rule 1), you can't create another rule to grant access to opportunities on the basis of the activities they can access through Rule 1. In this scenario, you have to create two new access extension rules for the Opportunity object:

    • A rule to provide opportunity access based on the group members' access to activities

    • A rule to provide opportunity access based on the group members' access to accounts

  • When you define a relationship between two objects in Application Composer, you can optionally specify data filter criteria for both the source and target objects. The filter criteria control which records are available for association at runtime with a record from the other object in the relationship.

    Access Extension rules don't support filters, so if you create an access extension rule for related objects with filters, be aware that the filter isn't applied. For additional information about object relationships, see the Configuring Applications Using Application Composer guide.

  • You can't extend the access of rules that provide global access to an object's data to related objects.

Create access extension rules to extend the access defined for an object in an object sharing rule to a related object using these steps.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. On the Access Groups page, click the Object Sharing Rules tab.

  3. Select the Synchronize Custom Objects and Fields option from the Actions menu to make sure that custom attributes or objects that are enabled for access groups are available on the UI.

  4. Select the object you're creating the extension rule for in the Object drop-down list. For example, select the Activity object.

    Any existing object sharing rules or access extension rules defined for the object are displayed.

  5. In the Access Extension Rules area, click Create.

  6. On the Create Access Extension Rule page, specify these values.

    • Name: Enter a unique name for the rule. It's a good idea to use a meaningful name that identifies the purpose of the rule. For example, if you're creating a rule to extend the access defined for an account to its related activities, you might name the rule something like ActivityToAccount.

    • Description: Enter additional details about the rule if required.

    • Active: Rules are active by default. Deselect the Active check box if you're not yet ready to apply the rule.

  7. From the Related Object list, select the object whose access you want to extend.

    All the object sharing rules defined for the related object you selected are listed in the rules table.

    Note: Only objects related to the object you're creating the rule for are listed in the Related Object list. For standard objects, the relationship between objects is predefined by Oracle. For example, if you're creating the rule for the Activity object, then the default related objects include Account, Contact, Sales Lead and Opportunity. But if you used Application Composer to define a custom relationship between two standard objects, between a custom object and a standard object, or between two custom objects, then additional objects are also available to select.

  8. If more than one predefined or custom relationship is defined between the two objects you've selected in the access extension rule, then select the relevant relationship from the Relationship list.

    For example, if you're creating the rule for the Quote and Order object and the related object is the Account object, then these two predefined relationships are listed in the Relationship field and you can select whichever is relevant:

    • Account to Quote and Order Account (Standard)

    • Account to Quote and Order's Opportunity Account (Standard)

    Object relationship names that include (Standard) at the end of the name are predefined by Oracle. See the section Object Relationship Naming Conventions at the end of this topic for additional information about naming conventions for standard relationships.

  9. Select one of these options depending on whether you want to extend the access provided by all rules or by selected rules.

    • Extend all access defined for related object

      Select this option if you want to extend the access provided by all the rules to all the groups assigned the rule.

      Any access group members assigned access to the related object by any of the rules listed are assigned the same access to the object you're creating the extension rule for. You can't change the level of access provided by the rules.

    • Select rules to extend access defined for related object

      Select this option if you want to extend the access of only the rules you select to only the groups you select.

      When you select this option, the Read, Update and Delete access level check boxes for each rule in the rules table are deselected.

      • To apply a rule to your selected object, click one or more of the check boxes for the rule. For example, click the Update check box for a rule to specify that anyone who can access the related object (for example, Account) can update data for the object you're creating the rule for (for example, Note).

        There's a separate row for each rule-group combination so you can choose to extend the access provided by a rule only to a specific access group or to a number of groups.

      • If you don't want to apply a rule, leave the access level check boxes for the rule unchecked.

  10. Click Clear at any time to deselect all the Read, Update, and Delete selections you made.

  11. Click Save and Close to save your changes.

  12. Publish the new rule on the Object Sharing Rules page by selecting the Publish Rules option from the Actions menu.

  13. When the status indicator shows the publish process has completed, run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access extension rule is assigned.
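A small model of the "can't link" consideration and of the two options in step 9, as an added example (this is not Oracle's implementation or API). The record IDs, group name, relationships and the `effective_access` function are constructed for illustration; the model assumes that an extension rule consults only the access granted by object sharing rules on the related object.

```python
from dataclasses import dataclass

# Constructed sample data: access granted directly by object sharing rules,
# keyed by (object, record) -> {access group: access levels}.
DIRECT = {
    ("Account", "ACC-1"): {"Group A": {"Read", "Update"}},
    ("Activity", "ACT-9"): {"Group A": {"Read"}},
}

# Constructed record relationships: (object, record) -> related (object, record).
RELATED = {
    ("Activity", "ACT-1"): [("Account", "ACC-1")],
    ("Opportunity", "OPP-1"): [("Activity", "ACT-1"), ("Account", "ACC-1")],
    ("Opportunity", "OPP-2"): [("Activity", "ACT-9")],
}


@dataclass(frozen=True)
class ExtensionRule:
    name: str
    target: str               # object the extension rule is created for
    related: str              # related object whose access is extended
    levels: frozenset = None  # None models "Extend all access" (same level);
                              # a set models the selected Read/Update/Delete boxes


# Rule 1 from the page's scenario, then the two Opportunity rules it calls for.
RULE_1 = ExtensionRule("ActivityToAccount", "Activity", "Account")
OPP_VIA_ACTIVITY = ExtensionRule("OpportunityToActivity", "Opportunity", "Activity")
OPP_VIA_ACCOUNT = ExtensionRule("OpportunityToAccount", "Opportunity", "Account",
                                frozenset({"Read"}))


def effective_access(group, rules, direct=DIRECT, related=RELATED):
    """Return {(object, record): levels} for one access group.

    Direct grants are extended by exactly one hop. Access that a record
    received from another extension rule is never used as the basis for a
    further extension, which is the no-linking behaviour being modelled.
    """
    access = {rec: set(groups[group])
              for rec, groups in direct.items() if group in groups}
    extended = {}
    for rule in rules:
        for record, links in related.items():
            if record[0] != rule.target:
                continue
            for link in links:
                if link[0] != rule.related:
                    continue
                base = direct.get(link, {}).get(group)  # direct grants only
                if base:
                    granted = base if rule.levels is None else rule.levels
                    extended.setdefault(record, set()).update(granted)
    for record, levels in extended.items():
        access.setdefault(record, set()).update(levels)
    return access


if __name__ == "__main__":
    for label, rules in [
        ("Rule 1 only", [RULE_1]),
        ("Rule 1 + Opportunity via Activity", [RULE_1, OPP_VIA_ACTIVITY]),
        ("All three rules", [RULE_1, OPP_VIA_ACTIVITY, OPP_VIA_ACCOUNT]),
    ]:
        print(label)
        for record, levels in sorted(effective_access("Group A", rules).items()):
            print("   ", record, sorted(levels))
```

In the second run OPP-1 stays out of reach even though Group A can access ACT-1, because that activity access came from Rule 1 rather than from an object sharing rule on Activity; OPP-1 becomes readable only once the Account-based Opportunity rule is added.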

Object Relationship Naming Conventions

The object relationship names listed in the Relationship field on the Create Access Extension Rule page include (Standard) at the end of the name if they're predefined by Oracle.

Standard relationship names distinguish between contacts in a business-to-business (B2B) or business-to-consumer (B2C) sales environment. In a B2B environment, the customer is a business or corporation (an account) and a contact refers to an individual who's associated with the account. In a B2C environment, the customer is an individual and a contact refers to the individual consumer. To reflect these differences the relationship names use the term Contact to refer to an individual associated with an account and the term Contact of Type Account Consumer to refer to an individual consumer.

For example, if you create an access extension rule for the Opportunity object and the related object is the Contact object, then two predefined relationships are listed in the Relationship field:

  • Contact to Opportunity (Standard)

    This relationship applies to a B2B environment. A specific individual is associated as a contact on the opportunity. The access extension rule lets users who can access a contact (individual) access the opportunities associated with the individual.

  • Contact of Type Account (Consumer) to Opportunity Account (Standard)

    This relationship applies to a B2C environment. A specific consumer is associated as an account on the opportunity. The access extension rule lets users who can access a contact (consumer) access the opportunities associated with this consumer.

Run the Perform Object Sharing Rule Assignment process to assign access group object sharing rules to objects each time you add an access group and share rules. You must also run this process periodically in accordance with your business requirements to make sure you have the required access to all records and object data for your selected access groups. If you require immediate access to new records and objects, you can manually submit the Perform Object Sharing Rule Assignment process to run immediately.

For example, a rule already exists for the asset object and you create a new asset record. You won't have real-time access to this record based on the existing object rule until the next scheduled run of the Perform Object Sharing Rule Assignment job. If you want to access the new asset record immediately, you can submit the job on an ad hoc basis.

You can also run the Object Sharing Assignment Job Set to assign a batch of access group object sharing rules for all the available assignment objects. A job set contains multiple jobs. The job is the executable that controls what the process can do and what parameters and other options are available to you to run the process. You can schedule these jobs to run regularly to ensure that all access group object sharing rules, records, and object data for your selected access groups are assigned and available to you.

Perform Object Sharing Rule Assignment Processing

Here's how to run the Perform Object Sharing Rule Assignment job for the account object:

  1. In the Navigator, click Tools > Scheduled Processes.

  2. On the Overview page, click Schedule New Process.

  3. In the Schedule New Process window, enter Perform Object Sharing Rule Assignment Processing in the Name field and press Return.

  4. Select the process and click OK.

  5. On the Process Details page, enter these details:

    Field Entry

    Work Object

    Select the work object you want from the drop-down list.

    Record Selection

    You can run the assignment process for all records or for a subset of records by selecting the appropriate option from the Record Selection list.

    • The first time you schedule the job, select the All records option. After that, avoid processing delays by selecting the All records option only when it's essential. For example, when you activate and enable rules for a new object.

      Tip: You might want to run the object sharing rule assignment process for an individual record (for each type of object) and confirm the access group rule processing is correct before processing all records for an object.

    • In general, schedule the process to run for a subset of records using one of these options. You must enter a record selection value for these options.

      • Records updated in last 'X' days

      • Records updated in last 'X' hours

      • Records updated between dates

      • Single record

      Here are some examples of how you can use these options:

      • If you've scheduled the job to run every hour, select Records updated in last 1 hours.

      • If you've scheduled the job to run every 4 hours, select Records updated in last 4 hours.

      • If you've scheduled the job to run daily, then select Records updated in last 1 days.

    Maximum Sub Processes per Process

    If the number of objects created is less than 500 thousand, leave the default value of 2 as the maximum number of sub processes per process. The recommendation that follows applies only when the process is run for the first time or for a complete run of all objects; on subsequent runs, only the changed objects are processed. If you're executing incremental runs at periodic scheduled times, there's no need to change the default value of 2.

    Oracle recommends changing this value if the number of objects is:

    • Between 500 thousand and 1 million objects, enter 5

    • Greater than 1 million objects, enter 10

    • Greater than 5 million objects, enter 20

    • Greater than 10 million objects, enter 30

  6. The first time you run the process, click Submit to run it immediately.

Depending on your settings, your process runs immediately or at the intervals you specified. You can monitor its progress by searching for the Perform Object Sharing Rule Assignment Processing process by name on the Overview page.

You can also schedule the process to run regularly using the following steps. How frequently you run the process will vary according to your business requirements but, in general, it's a good idea to run the process hourly.

  1. Click Advanced.

  2. Click the Schedule tab.

  3. Select the Using a schedule option.

  4. Select the frequency and start date.

  5. Enter an end date far in the future.

  6. Click Submit.

Run the Object Sharing Assignment Job Set

Here's an example of the steps to run the Object Sharing Assignment Job Set for your access groups.

  1. Navigate to the Setup and Maintenance area, and search for the Manage Enterprise Scheduler Job Definitions and Job Sets for Customer Relationship Management and Related Applications task.

  2. Click the Manage Job Sets tab and create a job set with the following parameters:

    • Name (Required): For example: ObjectSharingAssignmentEssJobSet

    • Display Name (Required): For example: Object Sharing Assignment ESS Job Set

    • Description (Optional): Enter text to describe the job set

    • Package (Optional): Enter the custom path

  3. In the Job Set Steps section, select Parallel and click the plus (+) icon to display the Edit Step window.

  4. Enter 1 or any unique number in the Step ID field.

  5. Enter ObjectShareBatchAssignRequest in the Job field and click OK.

  6. Repeat Step 4, 5 and 6 based on the number of jobs you want to trigger in parallel. For example, if you want to run Perform Object Sharing Assignment in parallel for two objects, Account and Opportunity, then create two Job Set Steps.

  7. Next, click the System Properties tab from the Edit Step window.

  8. Click the plus (+) icon to display the Add System Property window and enter the following:

    • Name: SYS_effectiveApplication

    • Type: String

    • Initial Value: CrmEss

  9. Click OK.

  10. Click Save and Close, and then Done.

    Now the newly created Job Set is listed in the Scheduled Process UI.

  11. In the Navigator, click Tools > Scheduled Processes.

  12. On the Overview page, click Schedule New Process.

  13. In the Schedule New Process window, select Job Set and search and select the newly created Job Set by display name.

  14. Click each newly created job set and add the parameters accordingly.

  15. The first time you run the job set process, click Submit to run it immediately.

Depending on your settings, your process runs immediately or at the intervals you specified. You can monitor its progress by searching for the job set process by name on the Overview page.

You can also set up the process to run regularly per your business requirements.

Enable Additional Attributes for Access Group Object Sharing Rules

Use the Manage Object Sharing Assignment Objects task to add additional attributes and make them available for your selected rules when you create or edit a standard object sharing rule. You create object sharing rules to associate with access groups and if the attribute value that you want isn't available from the rule conditions drop-down list, you can enable the attributes you want from here.

Once you set up the rules with the conditions that records must meet, then resources from your access groups get assigned to the object when they match the rule conditions.

Note: This procedure isn't needed for any custom objects. It's needed only if you want to expose additional attributes for one of your standard objects. Custom objects and attributes created in Application Composer are synchronized and available when you select the Synchronize Custom Objects and Fields menu item from the Actions menu on the Object Sharing Rules page.

Here's an example of the steps to enable an Opportunity object rule attribute for your access group.

  1. Navigate to the Setup and Maintenance area, and search for the Manage Object Sharing Assignment Objects task.

  2. On the Manage Object Sharing Assignment Objects page, select the Opportunity work object.

  3. In the Opportunity: Details section, select the Attributes tab.

    The attributes defined for the selected Opportunity object are displayed.

  4. Click the attribute that you want to add to an Opportunity record rule that you want to share.

    For example, if you want to provide the access group called High_Tech_Oppti_Members with access to all the opportunities for the GreenServer account based on the Asset ID, then enable the attribute Asset ID to include in your combination of attributes for the sharing rule.

  5. Click Save and Close.

Once the additional attributes are enabled, set up the rules using the Object Sharing Rules page. See the topic Manage Object Sharing Rules for Access Groups for more information.

Run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the access group sharing rules are assigned properly. See the topic Run the Perform Object Sharing Rule Assignment Process for more information.

Custom Objects and Access Group Security

Enable Access Group Security for Custom Objects

You can use access groups to provide resources with access to custom object data. To do this, you must first enable access group security for each custom object.

To enable access group security for custom objects, complete these steps:

  1. Navigate to Application Composer and confirm that you're in an active sandbox.

  2. Navigate to the Security node of the custom object that you want to enable access group security for.

  3. On the Define Policies page, select the Enable Access Group Security check box.

  4. Next, enable that custom object for access group object sharing rules. To do this, navigate to the Access Groups page in the Sales and Service Access Management work area.

  5. On the Object Sharing Rules page, select the Synchronize Custom Objects and Fields item from the Actions menu. The custom object and its attributes are now available when defining object sharing rules for access groups.

  6. In Application Composer, set functional security for required roles.

    Navigate to the custom object's Security node, and configure functional security in the Roles section of the Define Policies page. This step isn't related to access group security (data security), but it's a required step so that the right roles can see the custom object's user interface pages (functional security).

After you enable access group security for a custom object, you work with it just like a standard object. Create your object sharing rules for access groups, and all group members are given access to that custom object's data according to the rules.

Tip: When configuring data security, you can optionally configure owner security instead of access group security. With owner security, for example, you can provide create and read access to all users, update access to the record's owner and owner management chain, and delete access to only the owner. You configure owner security in the Roles section of the Define Policies page.

If you configure both owner and access group security, then your users will see data from both their owner management chain as well as from access groups that they're members of.

Disabling Access Group Security for a Custom Object

You can disable access group security for a custom object, too.

  1. In the Sales and Service Access Management work area, inactivate the object sharing rules for the custom object.

  2. Run the Perform Object Sharing Rule Assignment Processing process for the custom object.

  3. Cancel all future object sharing scheduled processes for the object.

  4. Next, go to Application Composer:

    1. Navigate back to the object's Security node in an active sandbox.

    2. Confirm that the Enable Access Group Security check box isn't selected and that its data security policy is configured properly for each role.

    3. Publish the sandbox.

  5. Finally, back in the Sales and Service Access Management work area, select the Synchronize Custom Objects and Fields item from the Actions menu on the Object Sharing Rules page. This hides the custom object and its rules.

System Groups and Predefined Rules for Custom Objects

When you create a new custom object in Application Composer and enable it for access group security, a system access group, Custom Object Administration Group, is automatically created that corresponds to the Custom Objects Administration job role. Predefined rules are also automatically generated for the new custom object and assigned to the Custom Objects Administration Group system group.

The predefined rules provide the same access to the custom object data as the Custom Objects Administration job role provides, so rules are generated that provide access using these access paths:

  • Custom_Object Owner

  • Custom_Object Owner Hierarchy

  • All Custom_Objects

You can choose whether or not to activate each of the predefined rules generated for the custom object, and whether or not to enable the association between the Custom Object Administration Group and the generated rules. For additional information, see the section Manage System Access Groups.

Import and Export Access Groups, Members, and Rules

You can use the standard export and import framework to export and import access group objects.

  • You can import and export access groups and access group members.

    For example, if there are thousands of sales representatives in your organization and you want to assign them to an access group, you could search for all users who are assigned the Sales Representative role and export this list of users to a CSV file. You could then edit the file to specify the name of the access group the users are to be assigned to, then import the updated CSV file.

  • You can also export access group rules, including group membership rules and object sharing rules, to a CSV file. You can then use the file to review and analyze all the rules in your environment.

    You can't import access group rules; you must create these individually in the Object Sharing Rules UI or the Group Membership Rules UI.

For additional information about importing and exporting data, see the topics in this section and the guide Understanding Import and Export Management for CX Sales and B2B Service on Oracle Help Center.

Import Access Groups and Group Members

You can import access groups and group members into your sales environment rather than performing these tasks manually in the UI. To import access groups and group members, create two import files, one for each of the following objects:

  • Access Groups

  • Access Group Members

Import the access groups first, then the group members.

Note: You can't import system groups or add members to system groups using the import functionality. If you export a system access group and then import the group data, the group is created as a custom group.

Import Access Groups

  1. Create a CSV file containing the list of the access groups you want to import.

    Create columns to specify these values for each group you import:

    • A name for the group (Name)

    • A number for the group (AccessGroupNumber)

    You can optionally enter a group description (Description) and a column to indicate if the group is active or not (ActiveFlag).

  2. Navigate to the Manage Imports page (Tools > Import Management), then click Create Import Activity.

  3. Assign a name to the import in the Name field.

  4. In the Object field, select Access Groups.

  5. In the File Name field, select the CSV file you created in step 1, then click Next.

  6. On the Create Import Activity: Map Fields page, review the field mappings, then click Next.

  7. On the Create Import Activity: Review and Submit page, click Submit.

Import Access Group Members

  1. Create a CSV file containing the list of access group members you want to import.

    For each group member, create columns to specify these values:

    • PartyNumber column. This is the user's resource registry ID. This value is available on the Add: Group Members UI in the Sales and Service Access Management work area.

    • AccessGroupNumber column. The number of the group you want to assign the user to. This number must match the number of one of the groups you previously imported.

  2. Navigate to the Manage Imports page (Tools > Import Management), then click Create Import Activity.

  3. Assign a name to the import in the Name field.

  4. In the Object field, select Access Group Members.

  5. In the File Name field, select the CSV file you created in step 1, then click Next.

  6. On the Create Import Activity: Map Fields page, review the field mappings, then click Next.

  7. On the Create Import Activity: Review and Submit page, click Submit.

Navigate to the Access Groups page and verify that you can see the access groups you imported and that they're assigned the correct members. Notice that imported users are listed in the Member Type column as Manual users because they weren't added to the group through group membership rule processing.
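Before submitting the two import activities, you can check the files against each other. The following is an added example, not part of the Oracle product or its documentation: it assumes both CSV files are prepared together and use the column names listed above (Name, AccessGroupNumber, PartyNumber). The function name, group numbers, and party numbers are constructed for illustration.

```python
import csv
import io

def _read(text, required, label):
    """Parse CSV text and confirm the required columns exist."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"{label} file is missing column(s): {', '.join(missing)}")
    return [{k: (v or "").strip() for k, v in row.items() if k} for row in reader]

def validate_import(groups_csv, members_csv):
    """Return a list of problems in the two import files (empty list = OK)."""
    groups = _read(groups_csv, ("Name", "AccessGroupNumber"), "Access Groups")
    members = _read(members_csv, ("PartyNumber", "AccessGroupNumber"),
                    "Access Group Members")
    problems, known = [], set()
    for n, row in enumerate(groups, start=1):
        number = row["AccessGroupNumber"]
        if not number or not row["Name"]:
            problems.append(f"groups row {n}: blank Name or AccessGroupNumber")
        elif number in known:
            problems.append(f"groups row {n}: duplicate AccessGroupNumber {number}")
        else:
            known.add(number)
    seen = set()
    for n, row in enumerate(members, start=1):
        pair = (row["PartyNumber"], row["AccessGroupNumber"])
        if not all(pair):
            problems.append(f"members row {n}: blank PartyNumber or AccessGroupNumber")
        elif pair[1] not in known:
            # Every member row must point at a group that is being imported.
            problems.append(f"members row {n}: AccessGroupNumber {pair[1]} "
                            "is not in the groups file")
        elif pair in seen:
            problems.append(f"members row {n}: duplicate membership "
                            f"{pair[0]} -> {pair[1]}")
        else:
            seen.add(pair)
    return problems

# Constructed sample files (not real data).
GROUPS_CSV = """Name,AccessGroupNumber,Description
UK Sales Reps,AG_UK_REPS,UK sales representatives
France Sales Reps,AG_FR_REPS,French sales representatives
UK Sales Managers,AG_UK_REPS,Reuses an existing number
"""
MEMBERS_CSV = "PartyNumber,AccessGroupNumber\n100001,AG_UK_REPS\n" \
    "100002,AG_FR_REPS\n100002,AG_FR_REPS\n100003,AG_DE_REPS\n,AG_UK_REPS\n"

if __name__ == "__main__":
    print("\n".join(validate_import(GROUPS_CSV, MEMBERS_CSV)))
```

If member rows refer to groups imported in an earlier activity, add those group numbers to the groups file passed to the check, otherwise they are reported as unknown.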

Export Access Groups, Members, and Rules

Using the export management framework, you can export access group objects from your sales environment into CSV files. The access group objects you can export include:

  • Access groups

  • Access group members

  • Access group rules (group membership rules, and predefined and custom object sharing rules)

    Each access group rule can have multiple rule conditions and can be assigned to multiple access groups (rule candidates), so you can also choose to export only rule conditions or only rule candidates.

    Note: You can't export access extension rules.

For each object you choose to export, you can select the data attributes you want to download for data analysis. You can also use filters to specify the range of access groups, members or rules to export. For example, you can use filters to export object access group rules for specific objects, such as Account. Ensure that any custom objects or attributes are synchronized before you export your access group rules.

Here's how to export access group object details to a CSV file.

  1. Navigate to Tools > Export Management.

  2. On the Manage Exports page, click Create Export Activity.

  3. On the Create Export Activity: Enter Export Options page, select a name for the export job in the Name field.

  4. From the Object drop-down list, select one of the access group objects:

    • Access Groups

    • Access Group Members

    • Access Group Rule

    • Access Group Rule Candidate

    • Access Group Rule Condition

    Access Group Rule Candidate and Access Group Rule Condition are child objects of Access Group Rule, so you can export all three objects at the same time by selecting the Access Group Rule object. You can also export each object individually.

    The File Name field is automatically filled with a file name to reflect the object type you selected. For example, if you selected Access Group Rule as the object to export, a file name similar to AccessGroupRule20200731_1307.zip is generated for you. If you select Access Group Rule Candidate, then a file name such as AccessGroupRuleCandidate20200731_1310.zip is automatically entered.

  5. In the Advanced Options region, select Language Independent Header to ensure that column headers display correctly in the exported CSV file, then click Next.

  6. On the Create Export Activity: Map Fields page, you can select the fields to export.

    Alternatively, you can select an existing mapping from the Export Mapping drop-down list which shows the maps that were used in earlier export jobs.

  7. In the Export Objects area, select the child objects, if any, that you want to export by selecting the Enabled check box.

  8. In the Attributes area, select the attributes you want to export for the selected object or objects by double-clicking the attribute in the Available Fields list or manually moving the attribute from the Available Fields list to the Selected Fields list.

    For example, for the Access Group object, you might select these fields: Number, Name, Description, Active.

  9. You must provide a filter criterion for at least the top-level object. To filter the records to export using conditions, in the Export Objects area, click the Filter Name icon to display the Filter Name dialog box.

  10. To create the filter:

    1. On the Fields tab, select the attribute you want to use to filter the access group data that's exported and click the Insert button.

    2. In the Script Edit window, provide the filter conditions for the selected attribute using the available operators such as AND, OR, =, and !=.

    3. After creating the filter criteria script, click Validate Script.

    Here are some examples of filter criteria you might define for different access group objects.

    | Access Group Export Object | Filter Condition | Filter Script |
    |---|---|---|
    | Access Group Rule | Export all access group rules including object sharing rules and group membership rules. | ObjectName != 'Null' |
    | Access Group Rule | Export group membership rules only. | ObjectName = 'Resources' |
    | Access Group Rule | Export object sharing rules only. | ObjectName != 'Resources' |
    | Access Group Rule | Export access group rules for the Account object. | ObjectName = 'Account' |
    | Access Groups | Export data for a specific access group. | GroupName='France_Admin_Group' |
    | Access Groups and Access Group Members | Export all access groups with a specific member. | EmailAddress='email_address' |

  11. If the script validates successfully, click Save and Close to save the filter, then click Next.

  12. On the Create Export Activity: Review and Submit page, review the export activity configuration, then click Submit to activate the export activity.

  13. On the Manage Exports page, review the export job and when it completes, click the ZIP file link in the Exported Data File column to download the exported file. Verify that the file contains all the information you wanted to export.

Migrate Access Group Rules Setup Data

You can migrate object sharing rules setup data from one environment to another using the setup import and export functionality available in the Setup and Maintenance work area. If you export and import rules setup data using this option, make sure that any access groups and group members that exist in the source environment are created in the target environment before you import the object sharing rules. Otherwise, the rules aren't assigned correctly.

Perform the migration steps in this sequence:

  1. (Optional) Perform a configuration set migration to move any configurations you have made in the source environment, such as creating custom objects or attributes, to the target environment.

    For information on this step, see the guide Configuring and Extending Applications.

  2. Synchronize all custom objects and attributes you migrated in the previous step using the Manage Object Sharing Assignment Objects task in the Setup and Maintenance work area:

    1. Sign in as a setup user and navigate to the Setup and Maintenance work area.

    2. Select the Sales offering, then search for and select the Manage Object Sharing Assignment Objects task.

    3. From the Actions menu, select Export to CSV File.

    4. Once the rules are exported, download and extract the CSV file.

    5. In the target environment, import the CSV file you just extracted by selecting the Manage Object Sharing Assignment Objects task in the Setup and Maintenance work area.

    6. From the Actions menu, select Import from CSV File.

      You don't have to run the Synchronize Custom Objects and Fields option on the Object Sharing Rules page in the target environment after the import process completes.

  3. Export and then import access groups and group members from your source environment to your target environment using the standard export and import framework. See the import and export topics in this chapter for information on these tasks.

  4. Export and import object sharing rules:

    1. In your source environment, export object sharing rules by navigating to the Setup and Maintenance work area, then selecting the Sales offering.

    2. Search for and select the Manage Object Sharing Rules task.

    3. From the Actions menu, select Export to CSV File.

    4. Once the rules are exported, download and extract the CSV file.

    5. In your target environment, import the CSV file containing the object sharing rules you just exported by selecting the Manage Object Sharing Rules task in the Setup and Maintenance work area.

    6. From the Actions menu, select Import from CSV File.

    7. Once the rules are imported, verify that the object sharing rules and group membership rules are displaying correctly in your environment.

For detailed information on importing and exporting setup data, see the topic Export and Import CSV File Packages. For an example of importing and exporting assignment manager objects, see the topic Example of Uploading Assignment Objects and Rules Setup Data to a CSV File.
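Because rules aren't assigned correctly when groups or members are missing in the target, it helps to compare Access Group Members exports from both environments before importing the object sharing rules in step 4. The following is an added example, not Oracle code: it assumes each export has AccessGroupNumber and PartyNumber columns (pass other header names if your export mapping differs), and the function names and sample rows are constructed. Groups with no members don't appear in a members export, so compare the Access Groups exports separately for those.

```python
import csv
import io

def memberships(members_csv, group_col="AccessGroupNumber", party_col="PartyNumber"):
    """Return the set of (group number, party number) pairs in an export."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(members_csv)):
        group = (row.get(group_col) or "").strip()
        party = (row.get(party_col) or "").strip()
        if group and party:
            pairs.add((group, party))
    return pairs

def migration_gaps(source_csv, target_csv):
    """Compare source and target memberships before importing sharing rules."""
    src, tgt = memberships(source_csv), memberships(target_csv)
    src_groups = {g for g, _ in src}
    tgt_groups = {g for g, _ in tgt}
    return {
        # Groups the rules would reference but the target does not have yet.
        "groups_missing_in_target": sorted(src_groups - tgt_groups),
        # Group exists in target, but a source member was not carried over.
        "members_missing_in_target": sorted(
            p for p in src - tgt if p[0] in tgt_groups),
        # Access present only in the target: review before rules apply to it.
        "members_only_in_target": sorted(tgt - src),
    }

# Constructed sample exports (not real data).
SOURCE_CSV = """AccessGroupNumber,PartyNumber
AG_UK_REPS,100001
AG_UK_REPS,100002
AG_FR_REPS,100003
"""
TARGET_CSV = """AccessGroupNumber,PartyNumber
AG_UK_REPS,100001
AG_UK_REPS,100009
"""

if __name__ == "__main__":
    for finding, items in migration_gaps(SOURCE_CSV, TARGET_CSV).items():
        print(finding, items)
```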