About Setup Users and Security

Providing users with the security permissions they need to complete the setup tasks in this guide is very simple if you used Setup Assistant for your initial setup. You just make a couple of entries and click Save. Provisioning rules provided by Oracle do the rest. This topic provides a brief overview of Oracle's security model, lists the permissions that setup users need, and explains how the provisioning process works.

How Permissions Are Grouped and Provisioned

Oracle uses the Role-Based Access Control (RBAC) security industry standard. The permissions are grouped in two types of roles:

Job roles, which provide users with the permissions to carry out tasks specific to a job, such as a sales manager or sales administrator
Abstract roles, which permit users to complete tasks that are common to all employees or resources

You typically provision salespeople with the job roles corresponding to the roles they play in the sales organization (their resource roles), as well as the employee and resource abstract roles. The employee abstract role provides access to reports and personal profile information. Without the resource abstract role, users can't participate in the sales process, create accounts and opportunities, or be assigned to sales teams. You can find the description of each job and abstract role Oracle provides and all the duties that come with it in security reference guides.

When you create users, the application automatically provisions them with the required job roles and abstract roles using role-provisioning rules. Each role-provisioning rule is made up of the rule conditions and the names of the job roles and abstract roles that are assigned to the user if the conditions are met. In the sales application, the job role and the resource abstract role are assigned to a user based on the resource role. The employee abstract role is provisioned to all users of type employee.

As long as you used Setup Assistant, the application creates all the role-provisioning rules you need for setup users and all the standard sales users. If you set up the company information in a different way, then you must create all the role provisioning rules yourself. That's true if you're setting up the application together with Oracle HCM Cloud or another cloud service. You must also create role-provisioning rules for any additional resource roles you create. You can learn more about role-provisioning rules in the Get Ready to Create Sales Users chapter and in the Securing CX Sales and B2B Service guide.

Security Roles Required by Setup Users

To complete the setup tasks in this guide, you must be provisioned with the security roles listed in the table. The initial user provided by Oracle comes provisioned with only the first three. While the initial user can create other users and perform many setup tasks, the initial user can't complete all the tasks without the additional security roles.

Role	Type	Permissions the Role Provides
Application Implementation Consultant	Job Role	Access all setup tasks across all products
IT Security Manager	Job Role	Access security tasks, including the ability to assign other security roles
Application Diagnostics Administrator	Job Role	Access diagnostic tests and data
Employee	Abstract Role	Access BI reports and run and monitor background processes
Sales Analyst	Job Role	Create sales recommendation rules
Sales Administrator	Job Role	Perform the sales administrator duties

Important: For licensing reasons, use the Application Implementation Consultant role only for the initial setup tasks.

How You Create and Provision Setup Users

To provision the required security roles, just create setup users as users of type employee and assign them the Sales Setup User resource role. It doesn't matter whether the user you're setting up is an actual employee or not. Provided you used Setup Assistant for your initial setup, Oracle creates two role-provisioning rules that do the rest:

The Employee rule automatically assigns the Employee abstract role to all users of type Employee.
The Sales Setup User rule automatically assigns all users with the Sales Setup User resource role (the condition), with all of the required job roles.

This diagram shows a sales setup user being provisioned using the two provisioning rules described in the text when that setup user is created as a person of type Employee with the Sales Setup User resource role.

The setup users you create aren't assigned the Resource abstract role, so they can't participate in the sales process. But there is nothing stopping you from creating other provisioning rules to provision sales administrators or others with the same setup permissions.