Overview of System Access Groups
System access groups and rules provide users with access to object data based on the job and abstract roles that users are assigned.
If you're using the sales application for the first time in Update 22B or later, system access groups and their associated object sharing rules are used to manage users' access to data by default. If you were provisioned with Oracle Sales or Fusion Service before Update 22B, it's recommended that you use system groups and rules instead of data security policies to manage data access.
Oracle supplies two types of system access groups for you:
- Groups for predefined roles. An access group is generated for each of the predefined sales and service job roles in your environment and for the Resource and Authenticated User abstract roles.
Predefined object sharing rules are assigned to each group. The rules provide group members with the access to the data that they require. These predefined rules are active by default.
- Groups for custom roles. An access group is generated for each of the custom job roles in your environment.
The access groups generated for custom roles aren't associated with object sharing rules. You must manually add predefined or custom rules to these groups. You can also copy rules from another access group, such as the access group generated for the source role you copied, to provide group members with access to data.
In the UI, you can tell which access groups are predefined: system access groups generated for predefined job roles or for the Resource and Authenticated User abstract roles have numbers that start with the ORA_ prefix, and their Predefined checkbox is checked.
System Access Group Members
Any user you assign to a predefined or custom job role is automatically included as a member of the associated system access group. All authenticated users, including users who aren't resources, are also automatically added to the All Users system access group. You can use the All Users system access group to provide all authenticated users of your application with access to object records.
The Refresh Access Control Data process automatically runs every hour to update system groups with changes to the custom job roles and user-job role assignments in your environment. You can also run the process at any time from the Access Groups main page by selecting the Update Groups and Members option from the Actions menu.
What You Can Change for System Access Groups
You can add more predefined or custom object sharing rules to system groups.
However, you can't create system groups or delete existing system groups. You also can't add or delete members of system groups, either manually, through group membership rules, or through import and export functionality.