How do I create and manage access groups?
You can use access groups to give sales resources more data permissions, beyond the access provided by the supplied data security policies.
Create an Access Group
After you've identified the group of users that need more access to object data, create an access group for those users. Here's how:
- Sign in to the application as the sales administrator or as a setup user.Note: The user must have the IT Security Manager job role or the Sales Administrator job role to create and manage access groups.
- Go to the Access Groups page: Click .Here's how the UI is mapped to the two roles mentioned here:
- The Sales Administrator job role sees the Access Groups page in the Sales and Service Access Management work area.
- The IT Security Manager job role sees the Sales and Service Access Management main page and uses the Configure Groups tab to display the Access Groups page.
- Click Create.
- In the Create Access Group page, enter the group name and make sure the Active check box is checked.
- Save your new group.
Create Object Sharing Rules for the Group
Next, create the object sharing rules that grant access to object records.
- In the Edit Access Group: Overview page click .
- In the Create Object Sharing Rule page, select the object you're creating the rule for from the Object drop-down list. For example, select Opportunity.
- Enter a Name for your new rule, for example,
Opportunity_Open. - In the Access Level field, select the type of object access you want to give group members.
- Make sure that the Active check box for the rule is checked.
- In the Conditions area, specify the rule conditions.
For example, you might specify that group members have access to opportunity records that have a Status attribute equal to Open.
- Select Save and Publish from the Actions menu to publish the rule so that it's available for assignment processing.
- After the status indicator shows that the publish process has completed, save your work.
- If this is the first custom rule you've created, you must also publish the new
rule using the Object Sharing Rules page. To publish a rule for the first time,
select the Object Rules tab, and then select
Publish Rules from the Actions menu.
For more rules that you create, this step isn't required. You only need to publish the rule once as described earlier in this procedure.
- Now run the Perform Object Sharing Rule Assignment Processing scheduled process to ensure that the object sharing rules for each object are assigned properly.
Add Members to the Group
- Manually adding users in the UI
- Creating group membership rules to automatically add users
- Using Import Management
Here are the steps to create group membership rules to add users to your group.
- In the Edit Access Group: Overview page, click the Member Rules tab.
- Click Create Rule.
- In the Create Group Membership Rule page, enter a Name for the rule, for example, enter Sales_Support_Resources.
- Select the rule conditions. The conditions determine which resources are added
or removed as members of the group.
For example, you might specify that all resources that have an Organization attribute equal to Sales Support are added to the group.
- Select Save and Publish from the Actions menu to publish the rule.
- Save your work.
- Now run the Run Access Group Membership Rules scheduled process to ensure that
the access group membership rules are assigned and resources are added to the
group.
The Run Access Group Membership Rules scheduled process automatically runs every hour to update access groups with changes to the group membership. But, you can also run the process at any time from the Access Groups main page by selecting the Update Groups and Members option from the Actions menu.
After the rules you created for your new access group are processed, all the users in the Sales Support organization have access to all open opportunities.
Edit Access Groups
After you create a custom access group, you can edit the group details. For example, you might want to add new object sharing rules or add or remove members.
Here's how to edit access groups:
- Navigate to the Access Groups page in the Sales and Service Access Management work area.
- Select the access group.
Custom access groups show by default. But, to see system (predefined) access groups, select System Groups - Role from the List drop-down list.
- What you can do depends on whether you're editing a custom or a system group.
- System groups:
You can review system group details, but you can't change any of the information or delete the group. System groups are predefined by Oracle and are automatically created and updated to reflect the job roles and user-job role assignments in your environment.
- Custom groups:
For custom groups, you can:
- Change the group name or description.
- Activate or inactivate a group: If you inactivate a group, group members lose any data access provided by the group.
- Add group members by clicking Add Members.
- Remove all group members who were added to the group manually by
clicking Remove Members, or delete
individual members from the group by clicking the
Remove icon in the member row. Note: You can't remove members added through group membership rules.
- Delete the group by selecting Delete Group from the Actions menu.
- System groups:
- Click the Object Rules subtab to view any predefined or
custom object sharing rules defined for the group.
You can make these changes for both system and custom access groups:
- Enable or disable a predefined or custom rule for the access group by selecting or deselecting the Enable check box.
- Remove a custom rule or a predefined rule you added to the access group.
Click the rule and in the Edit Object Sharing Rule page, select
Delete from the
Actions menu.
The rule is deleted for the group you're editing, but not for any other groups that the rule is associated with.
- Add a preexisting rule to the access group. Click Add Rule, and then, in the search dialog box, search for and select the rule you want to add.
- Create a new rule for the access group. Click Create Rule, and then define the new rule in the Create Object Sharing Rule page.
- Change the access level provided by the rule for this group by selecting a new value from the rule's Access Level drop-down list.
Note: If you're editing a system access group, a Lock icon is displayed for any predefined rules that are associated with the group as part of the default security configuration. For these rules, you can't change the access level for the group and you can't remove the rule from the group. The only change you can make is to enable or disable the rule for the group. - Click the Member Rules subtab to view any group
membership rules defined for the access group. Note: You can't add members to system groups using group membership rules, so the Member Rules subtab isn't available for system groups.
You can edit an existing rule from the Member Rules subtab by clicking the rule name link, or you can create a new rule by clicking Create Rule.
If you select an existing rule to edit, the Access Group: Edit Group Membership Rule page appears, where you can edit or delete any of the rule details.
- When you're finished editing the group details, click Save and
Close.
Changes you make to object sharing rules or group membership rules are processed when the Object Sharing Rule Assignment Process or the Access Group Membership Rules Process is next run.
Delete a Custom Access Group
You can delete a custom access group if you have the Delete Access Group privilege. Here's how to delete a custom access group:
- Navigate to the Access Groups page in the Sales and Service Access Management work area.
- Select the access group you want to delete from the groups listed.
On the Edit Access Group: Group_Name page, select Delete Group from the Actions menu.
- In the confirmation dialog, click Yes to confirm your
choice.
The group is deleted and is no longer available on the Access Groups page.