How do I troubleshoot user access issues?

Use the access explorer to troubleshoot users' data access issues.

On the Explore page, you can view all the access group rules and data security policies that affect a user's ability to view an object record and see whether or not each rule or policy has been granted to the user. You can use this information to find answers to questions such as these:

  • What access policy do I have to grant to give the user access to a specific record?

  • Which granted rule do I have to remove from the user so that the user can no longer access a record?

Note: The Explore UI shows the data access users receive through the Oracle CX roles they’re assigned. It doesn’t show access to object records that users receive through non-CX roles, such as Oracle HCM roles, that they might also be provisioned with.

To discover why there are issues with a user's access to a specific object record, you need to know:

  • The user name of the user.

  • The name of the object.

  • The Public Unique Identifier (PUID) of the record.

    For information on how to find the PUID of a record, see the topic Display Public Unique Identifiers for Object Records.

    Note: Some objects don't support PUIDs. You can't investigate a user's access to a specific record for these objects.

Use these steps to review all the rules and policies that affect a user's access to a specific object record.

  1. On the Sales and Service Access Management page, click Explore Access.

  2. On the Explore page, select the name of a user in the User Name field.

  3. Select an object in the Object field.

  4. Enter the PUID of the relevant record in the Public Unique Identifier field.

    The Public Unique Identifier field is unavailable if the object doesn't support public unique identifiers.

  5. Click the Explore button.

    By default, all the rules and data security policies defined for the object that grant access to the record are listed in the Access Groups table and the Data Security Policies table respectively. Review the information in the Status column of each table to see which of these rules and policies the user is granted.

    Tip: You can display additional data for each rule or policy by selecting options from the View menu of each table.

  6. Select the information you're interested in viewing in each table.

    You can display different views of the user's access to the object record by changing the selections in the filters available for each table.

    For example, if a user can't access the record, it might be because the user isn't granted access to the record, or because the user is granted access but the relevant rule or policy is inactive, or because the relevant data security policy is future dated. Select these filter options to figure out the cause of the issue.

    Rules or Policies to View, with the Filter Options to Select for each:

    All the rules or policies that provide record access that the user isn't assigned:

      • Not granted option from the Show Access list (Access Groups table) or the Show Conditions list (Data Security Policies table)

      • Yes option from the Provides Record Access list

    All the inactive rules or policies assigned to the user that provide record access:

      • Granted and inactive option from the Show Access list or the Show Conditions list

      • Yes option from the Provides Record Access list

    All the future dated policies assigned to the user that provide record access:

      • Granted and future dated option from the Show Conditions list

      • Yes option from the Provides Record Access list

  7. In the Access Groups table, you can review the following information for each rule.

    Field, followed by its Description:

    Status:

      This field can have one of these values:

      • Active. The rule is granted to the user, the rule is active, and the rule is enabled for an active access group.

      • Inactive. The rule is granted to the user but the rule is inactive, the access group the rule is associated with is inactive, or the rule to group association is disabled.

      • Not granted. The user isn't granted the rule.

    Provides Record Access:

      This field indicates if a rule grants access to the record specified in the Public Unique Identifier field. A check mark indicates that the rule provides record access; if the field is empty, the rule doesn't provide access to the record.

      In the Access Groups table, this field can also be set to Not Applicable. This value is displayed for inactive custom rules. You must activate custom rules to see whether or not they provide record access.

    Rule Name and Group Name:

      For rules that are granted to the user, these fields show the name of the rule and the name of the access group through which the user is assigned the rule. For rules that aren't granted to the user, only the rule name is shown.

      Tip: You can click the Rule Name or Group Name fields to drill down to the edit rule or edit group pages on the Access Groups UI if you have the Manage Group Access privilege (ZCA_MANAGE_GROUP_ACCESS_PRIV). This is useful if, for example, you want to investigate why a rule is inactive, or if you want to change the activation status of a rule.

      See the Access Groups chapter for information about editing access groups and rules.

    Permissions:

      For rules that are granted to the user, you can review the type of access provided by the rule.

  8. In the Data Security Policies table, you can review the following information for each policy.

    Field, followed by its Description:

    Status:

      This field can have one of these values:

      • Active. The policy is active and is granted to the user.

      • Inactive. The policy is granted to the user but is inactive.

      • Future dated. The policy is granted to the user but the policy Start Date is set to a date in the future so the policy isn't yet active.

      • Not granted. The user isn't granted the policy.

    Provides Record Access:

      This field indicates if a policy grants access to the record specified in the Public Unique Identifier field. A check mark indicates that the policy provides record access; if the field is empty, the policy doesn't provide access to the record.

    Role:

      The name of the role or roles that provide the policy. The role name is displayed only for policies that are granted to the user.

    Permissions:

      For policies that are granted to the user, you can review the type of access provided by the policy.

    You can use the information from the Status and Provides Record Access fields to figure out what you have to do to provide a user with record access or to remove record access. But you can't edit data security policies on the Explore page.

    For example, you might find that a policy that provides a sales manager with access to their subordinates' opportunity records is future dated. In this case, note the name of the role providing the policy and edit the role on the Manage Data Policies page or on the Security Console to change the Start Date of the policy to the current date.
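
The Status values and filter combinations from steps 6 to 8, modelled as an added Python example (this is not Oracle code and calls no Oracle API). It sorts the rows that provide record access into the action each one needs: the "effective" list answers what to remove to revoke access, and the other lists answer what to activate, re-date or grant. The `Row` fields, the sample names and the choice to report Inactive before Future dated are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Row:
    """One line of the Access Groups or Data Security Policies table (modelled)."""
    name: str
    granted: bool
    enabled: bool = True                     # rule/policy, its group and the association are all on
    start_date: Optional[date] = None        # policies only
    provides_access: Optional[bool] = True   # None models "Not Applicable"

def status(row: Row, today: date) -> str:
    if not row.granted:
        return "Not granted"
    if not row.enabled:
        return "Inactive"        # assumption: Inactive is reported before Future dated
    if row.start_date and row.start_date > today:
        return "Future dated"
    return "Active"

ACTION = {"Active": "effective", "Inactive": "activate",
          "Future dated": "redate", "Not granted": "grant"}

def triage(rows, today):
    """Sort the rows that matter for this record into the action each one needs."""
    plan = {"effective": [], "activate": [], "redate": [], "grant": [], "unknown": []}
    for row in rows:
        if row.provides_access is None:
            plan["unknown"].append(row.name)   # activate the custom rule to find out
        elif row.provides_access:
            plan[ACTION[status(row, today)]].append(row.name)
    return plan

def has_access(plan) -> bool:
    # CX roles only: access from non-CX roles is outside this view.
    return bool(plan["effective"])

# Constructed sample rows; the names are invented for illustration.
TODAY = date(2024, 6, 1)
ROWS = [
    Row("Subordinate opportunities policy", granted=True, start_date=date(2024, 9, 1)),
    Row("Territory rule", granted=True, enabled=False),
    Row("Custom partner rule", granted=True, enabled=False, provides_access=None),
    Row("Opportunity team rule", granted=False),
    Row("Lead owner rule", granted=True, provides_access=False),
]
PLAN = triage(ROWS, TODAY)

if __name__ == "__main__":
    print("has access:", has_access(PLAN))
    for action, names in PLAN.items():
        print(f"{action:10} {names}")
```

In the sample, the user has no effective access: one policy needs its Start Date moved, one rule needs activating, one custom rule can't be evaluated until it is activated, and one rule could be granted instead.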