Control Access to Contracts Using Access Groups

You can now use access groups to control access to contract records. Access groups are an alternative way of granting data permissions to users. After you create an access group and assign users to it, all group members receive access to contract data based on the object sharing rules defined for the group. These rules decide which contracts users can view and what type of access each user has, such as Read or Full access.

Note: Using access groups is required for accessing contracts through the Redwood Contracts UI, and they can also be used with the contracts classic UI. The recommended approach is to move fully to access groups for simpler and more streamlined management. Access groups and data security policies can still be used together when required.

Access groups can supplement existing data security policies. When both access groups and data security policies are configured, users receive the combined visibility granted by both mechanisms. If you want only the access provided by the access group to take effect, you must remove the visibility granted through existing data security policies, such as policies based on contract ownership, Business Unit based security, or team membership.

Access groups work alongside functional security. They identify which contract records a user can access, while job roles continue to govern the actions the user can perform on those records.

System Access Groups for Contracts

The following system access groups are created for predefined contract-related roles. Users are added or removed from these groups automatically based on job role assignment.

  • Customer Contract Administrator Group
  • Customer Contract Manager Group
  • Customer Contract Team Member Group
  • Enterprise Contract Administrator Group
  • Enterprise Contract Manager Group
  • Enterprise Contract Team Member Group
  • Supplier Contract Administrator Group
  • Supplier Contract Manager Group
  • Supplier Contract Team Member Group

These groups are listed in the Access Groups section with Type = System Group and can't be modified.

Screenshot highlighting the predefined system groups

Predefined Object Sharing Rules for Contracts

The following predefined rules are available for the Contract object. These rules are automatically associated with the appropriate system access groups and can't be changed.

Each contract area based rule is listed below, followed by its predefined rules.

General Access Rules

  • All Contracts

Contract Owner Based Rules

  • Contract Owner Read Access
  • Contract Owner Full Access

Sales Contract Rules

Business Unit Based

  • Sales Contract by Business Unit

Resource Based

  • Sales Contract Read Access by Resource
  • Sales Contract Full Access by Resource

Resource Ancestor Based

  • Sales Contract Read Access by Resource Ancestors
  • Sales Contract Full Access by Resource Ancestors

Resource Organization Manager / Member / Ancestor / Descendant Based

  • Sales Contract Read Access by Resource Organization Manager
  • Sales Contract Read Access by Ancestor Resource Organization Manager
  • Sales Contract Read Access by Resource Organization Member
  • Sales Contract Read Access by Descendant Resource Organization
  • Sales Contract Full Access by Resource Organization Manager
  • Sales Contract Full Access by Ancestor Resource Organization Manager
  • Sales Contract Full Access by Resource Organization Member
  • Sales Contract Full Access by Descendant Resource Organization

Procurement Contract Rules

Business Unit Based

  • Procurement Contract by Business Unit

Resource Based

  • Procurement Contract Read Access by Resource
  • Procurement Contract Full Access by Resource

Resource Ancestor Based

  • Procurement Contract Read Access by Resource Ancestors
  • Procurement Contract Full Access by Resource Ancestors

Resource Organization Manager / Member / Ancestor / Descendant Based

  • Procurement Contract Read Access by Resource Organization Manager
  • Procurement Contract Read Access by Ancestor Resource Organization Manager
  • Procurement Contract Read Access by Resource Organization Member
  • Procurement Contract Read Access by Descendant Resource Organization
  • Procurement Contract Full Access by Resource Organization Manager
  • Procurement Contract Full Access by Ancestor Resource Organization Manager
  • Procurement Contract Full Access by Resource Organization Member
  • Procurement Contract Full Access by Descendant Resource Organization

Defining Custom Contract Access Rules

You can configure custom contract access rules using a wide range of contract attributes. These attributes allow you to precisely control which contract records an access group can see or act on, based on business criteria.

Some common attributes available for rule definition include:

  • Business Unit
  • Contract Status
  • Intent
  • Contract Type
  • Contract Class
  • Legal Entity
  • Version Type
  • Template Flag
  • Contract Number
  • Contract ID
  • Created Date
  • Amount
  • Hold Reason
  • All Extensible Attributes
  • All Descriptive Flexfields

Once a custom rule is defined, one or more access groups can be assigned to it with the appropriate Read or Full level of access. You can also reference predefined system rules as predefined conditions when creating a custom contract access rule.

After you change access groups or object sharing rules for contracts, you must run the required scheduler jobs from the following four tabs in the Monitor section to ensure the changes are applied. These scheduler jobs include the following processes:

  1. Update Groups and Members
    • Run when user or role assignments change.
  2. Publish Rules
    • Run when object sharing rules or rule assignments are changed.
  3. Synchronize Custom Objects and Fields
    • Run when custom objects or attributes are updated.
  4. Perform Object Sharing Rule Assignment (Contract Object)
    • Run to populate object sharing assignments.

Running all applicable jobs ensures that access group membership, rule conditions, and contract visibility are fully synchronized across the application. The Perform Object Sharing Rule Assignment job, in particular, should be scheduled to run frequently, typically every 15 to 30 minutes, to keep contract access assignments up to date.

For more details about Sales and Service Access Management, see the Access Groups Oracle documentation: Overview of Access Groups.

Object Sharing Rules Example

You can use the following steps to create a rule to restrict access to confidential contracts using a Descriptive Flexfield (DFF) attribute. A descriptive flexfield is a configurable field you can add to your contracts object to capture business-specific data that's not delivered in the standard data model.

This rule ensures that users can access all contracts that belong to their own Business Unit, except contracts marked as Confidential. If a contract’s Confidential DFF attribute is set to Yes, it's hidden from the user even if the user normally has visibility to all other contracts in that Business Unit.

Here are the steps:
  1. Create a new user.

    1. Go to Tools, open the Security Console, and then select Users.

    2. Select Create User and fill in the required fields (User Name, Email, Resource, and so on).

    3. Save the user.

  2. Deep copy the standard Customer Contract Administrator role.

    1. Go to Tools, open the Security Console, and then select Roles.

    2. Search for the predefined Customer Contract Administrator role.

    3. Use Copy to create a new custom role (for example, Customer Contract Administrator Custom Role).

      1. Select Copy Role.

        Copy Customer Contract Administrator Custom Role to create a new custom role.

      2. Select Copy top role and inherited roles and then select Copy Role from the Copy Options dialog.

      3. Change the role name and role code based on your requirement and select Next.
      4. Keep the Functional Security Policies and Permission Groups as is and select Next.

  3. Remove Data Security Policies from the copied role.

    1. Remove any data security policy (DSP) grants that directly provide contract visibility (you'll provide visibility through access groups). Keep functional privileges required to view or edit contracts.

    2. From the Data Security Policies section, search for Grant on Contract for the Policy Name.

      1. Remove all Grant on Contract policies from the Actions menu, by selecting Remove Data Security Policies.

      2. In this example, there are 2 DSPs with the policy name Grant on Contract, so remove them and select Next.

  4. Add and Remove Roles from Role Hierarchy

    1. From the Role Hierarchy search for the ZCA_ACCESS_GROUPS_ENABLEMENT_DUTY_CUSTOM role code and delete it.

      1. Then, select Add Role, search for the ORA_ZCA_ACCESS_GROUPS_ENABLEMENT_DUTY role, add it and select Next.

  5. Select Submit and Close.

  6. Add your newly created user (who's defined as a resource and employee) to the custom role. Also, you can add any other required users, provided they're defined as resources and employees.

    Screenshot showing the addition of new and existing users to the custom role

  7. After the custom role is created, remove the Grant on Contract policies from each of these custom roles, so that grants aren't given to the Customer Contract Administrator Custom Role indirectly.

    1. In this example, remove the Grant on Contract policies from these custom roles:
      1. OKC_CONTRACT_AUTHORING_DUTY_CUSTOM

      2. OKC_CONTRACT_SEARCH_VIEW_DUTY_CUSTOM

      3. OKC_CONTRACT_AMENDMENT_DUTY_CUSTOM

    2. Search for each of these roles from Roles, select Actions and then Edit Role. In this example we're searching for OKC_CONTRACT_AMENDMENT_DUTY_CUSTOM.

      1. Go to Data Security Policies, search for Grant on Contract policy name and then delete all the policies under the name Grant on Contract.

      2. Repeat this for the other custom roles listed in the previous step.

    3. Similarly, when you deep copy any other contract-related predefined role, the resulting custom duty roles will still contain the original Grant on Contract data security policies. To ensure that Access Groups fully control contract visibility, Grant on Contract policies must be removed from the corresponding custom duty roles.

  8. Run these scheduled processes:

    1. Import User and Role Application Security Data

    2. Retrieve Latest LDAP Changes
      Note: Once these jobs are completed, run the Update Groups and Members job from the Monitor tab of Sales and Service Access Management.
  9. The above custom role gets created as a system group under access groups. You can verify the access groups as follows:

    1. Go to Tools, open Sales and Service Access Management, then select Configure Groups and navigate to the Access Groups page.

    2. You'll see that the Customer Contract Administrator Custom Role Group is created as a system group.

    3. You can add additional group members as needed, and you'll also notice that the user included during the deep copy role creation is already present in the group.

  10. Create an object sharing rule for the Contract object

    1. Go to Object Rules and select Contracts as the object. You can then either add a predefined rule or custom rule by selecting Add Rule, or create your own custom rule using Create Rule.

      • Creating an object sharing rule

        Object Rules creation page

    2. For this use case, create a custom rule by selecting “Create Rule”:

      • Enter the name of the rule and select “Contract” as the object.

      • Select Confidential Contract as the DFF attribute.

      • Set the value to “Yes”.

      • This means that if your contract contains a DFF attribute (for example, Confidential Contract) with the value Yes, the custom object sharing rule can use this attribute to grant access. Users who are members of the corresponding access group will then be able to view those restricted contracts.

      • If needed you can also add a predefined condition. Expanding the dropdown gives you the list of predefined rules.

      • Adding BU related Predefined rule leveraging Predefined Condition

      • Custom Rule on Confidential Contract DFF

  11. Publish the rule

    1. Ensure the rule is active and select Publish from the Actions menu. Alternatively, you can run the “Publish Rules” ESS job from the Monitor tab to publish the rules.

    2. Saving and Publishing the created rule

  12. To process and apply the above custom rules:

    1. Go to the Monitor tab.

    2. Run the required ESS jobs from all four subtabs as applicable:

      1. Update Groups and Members

      2. Publish Rules

      3. Synchronize Custom Objects and Fields

      4. Perform Object Sharing Rule Assignment (Contract Object)

    3. Schedule these processes to run at regular intervals to support near real-time access updates. The Perform Object Sharing Rule Assignment job, in particular, should be scheduled to run frequently, typically every 15 to 30 minutes, to keep contract access assignments up to date.

  13. Test user access

    1. Log in as the test user

    2. Navigate to: Contracts from Contracts List Page

    3. Create or identify two sample contracts in the same Business Unit as the test user:

      1. Contract A (Confidential): Set Confidential Contract = Yes

      2. Contract B (Non-Confidential): Set Confidential Contract = No

    4. Ensure the user belongs to the access group where the BU + “Confidential Contract = No” rule is implemented.

    5. Run required ESS jobs (Perform Object Sharing Rule Assignment, Publish Rules, etc.) so the rule is applied.

    6. Verify expected access behavior:

      1. The test user should see Contract B (Restricted Contract = No).

      2. The test user should NOT see Contract A (Restricted Contract = Yes), even though both contracts belong to their BU.

      3. This confirms that the Access Group rule correctly excludes confidential contracts from the user’s visibility.
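
The following Python model is an added example, not Oracle code or an Oracle API. It illustrates why steps 3 and 7 matter: visibility is the union of access group rules and data security policies, so a single Grant on Contract policy left on an inherited duty role undoes the confidential exclusion tested in step 13. The top role code, the sample contracts, and the assumption that a residual grant exposes the whole Business Unit are constructed for illustration.

```python
"""Added example: model of combined visibility (access groups + DSPs).
All role assignments and contract records below are constructed."""

GRANT = "Grant on Contract"
TOP_ROLE = "CUSTOMER_CONTRACT_ADMIN_CUSTOM"  # hypothetical role code

# Constructed role hierarchy: role code -> inherited role codes.
HIERARCHY = {
    TOP_ROLE: [
        "OKC_CONTRACT_AUTHORING_DUTY_CUSTOM",
        "OKC_CONTRACT_SEARCH_VIEW_DUTY_CUSTOM",
        "OKC_CONTRACT_AMENDMENT_DUTY_CUSTOM",
        "ORA_ZCA_ACCESS_GROUPS_ENABLEMENT_DUTY",
    ],
}
# Constructed DSP assignments: one duty role was missed during cleanup.
DSPS = {"OKC_CONTRACT_SEARCH_VIEW_DUTY_CUSTOM": [GRANT]}

CONTRACTS = [  # constructed sample records
    {"id": "A", "bu": "BU1", "confidential": "Yes"},
    {"id": "B", "bu": "BU1", "confidential": "No"},
    {"id": "C", "bu": "BU2", "confidential": "No"},
]

def residual_grants(role, hierarchy, dsps, path=()):
    """Return every inheritance path from role to a role still holding GRANT."""
    path = path + (role,)
    found = [path] if GRANT in dsps.get(role, []) else []
    for child in hierarchy.get(role, []):
        if child not in path:  # guard against cyclic hierarchies
            found += residual_grants(child, hierarchy, dsps, path)
    return found

def visible(contracts, user_bu, role, hierarchy, dsps):
    """Union of the access group rule (own BU, Confidential = No) and DSP grants."""
    by_group = {c["id"] for c in contracts
                if c["bu"] == user_bu and c["confidential"] == "No"}
    # Modeling assumption: a residual Grant on Contract exposes the whole BU.
    by_dsp = ({c["id"] for c in contracts if c["bu"] == user_bu}
              if residual_grants(role, hierarchy, dsps) else set())
    return by_group | by_dsp

if __name__ == "__main__":
    print("Residual grant paths:", residual_grants(TOP_ROLE, HIERARCHY, DSPS))
    print("With residual DSP:", sorted(visible(CONTRACTS, "BU1", TOP_ROLE, HIERARCHY, DSPS)))
    print("After cleanup:", sorted(visible(CONTRACTS, "BU1", TOP_ROLE, HIERARCHY, {})))
```

If the test user in step 13 can still see Contract A, the first thing to check is whether any role in the copied hierarchy still carries a Grant on Contract policy.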