Duty Role Components

If you want to configure the predefined security model by creating your own duty roles, then it's important to understand how duty roles are constructed.

A typical duty role consists of two components: data security policies, and function security privileges. Duty roles can also inherit other duty roles.

Function Security Policies

Function security policies permit a user who's assigned a duty role to access different user interface elements, Web services, task flows, and other functions. For example, a sales manager who has the Delete Opportunity functional policy can view and click the Delete button. Removing that policy removes the button from view. A function security policy is composed of:

  • A duty role name. The name of the duty where the policy applies, for example, Opportunity Sales Manager.

  • A functional privilege that specifies the application features that are being secured, for example, Delete Opportunity.

Some user interfaces aren't subject to data security, so some function security privileges don't have an equivalent data security policy.

In the security reference manuals, functional privileges are listed in the Privileges section.

Data Security Policies

Data security policies specify the roles that can perform a specified action on an object, and the conditions under which the action can be carried out. A data security policy is composed of:

  • A role name. The name of the role the data security policy is granted to. The role can be a duty role, a job role or an abstract role. For example, the Opportunity Sales Manager duty role.

  • The business object that's being accessed, for example, opportunity. The data security policy identifies the object by its table name, for example, MOO_OPTY for opportunity.

  • A data privilege that defines the actions permitted on the data. For example, View Opportunity.

  • The condition that must be met for access to the business object to be granted. For example, sales managers can view opportunities provided they're in the management chain or are members of the sales team for the opportunity.

    If the View All condition is specified, the role provides access to all data of the relevant type.

Data privileges are listed in the Data Security Policies section of the security reference manuals.
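To make the two components concrete, here is an added example (not Oracle's code or API; all role, table and user names are constructed) that models a duty role as a set of function privileges plus data security policies, with inheritance, and evaluates the "management chain or sales team" and "View All" conditions described above:

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the components described above; names are hypothetical,
# not Oracle's API. A condition is a predicate over (user, row).
Condition = Callable[[dict, dict], bool]

@dataclass
class DataSecurityPolicy:
    role: str             # role the policy is granted to
    business_object: str  # table name, e.g. MOO_OPTY for opportunity
    data_privilege: str   # action on the data, e.g. "View Opportunity"
    condition: Condition  # must hold for access to be granted

@dataclass
class DutyRole:
    name: str
    function_privileges: set = field(default_factory=set)
    data_policies: list = field(default_factory=list)
    inherits: list = field(default_factory=list)

    def all_roles(self):
        """This role plus everything it inherits, transitively."""
        yield self
        for parent in self.inherits:
            yield from parent.all_roles()

    def has_function_privilege(self, privilege):
        """Function security: does the UI element/service become available?"""
        return any(privilege in r.function_privileges for r in self.all_roles())

    def can_access(self, user, table, privilege, row):
        """Data security: some policy on this table grants the privilege
        and its condition holds for this user and row."""
        return any(p.condition(user, row)
                   for r in self.all_roles() for p in r.data_policies
                   if p.business_object == table and p.data_privilege == privilege)
VIEW_ALL: Condition = lambda user, row: True  # the "View All" condition

def in_chain_or_team(user, row):
    """Sales-manager condition: in the management chain or on the sales team."""
    return user["id"] in row["management_chain"] or user["id"] in row["sales_team"]

# Constructed sample roles and an opportunity row (hypothetical values)
VIEWER = DutyRole("Opportunity Viewer", {"View Opportunity"},
    [DataSecurityPolicy("Opportunity Viewer", "MOO_OPTY", "View Opportunity", in_chain_or_team)])
SALES_MANAGER = DutyRole("Opportunity Sales Manager", {"Delete Opportunity"},
    [DataSecurityPolicy("Opportunity Sales Manager", "MOO_OPTY", "Delete Opportunity", in_chain_or_team)],
    inherits=[VIEWER])
OPTY = {"management_chain": ["u1"], "sales_team": ["u2"]}
```

Note that a function privilege only decides whether the Delete button is shown; whether the action succeeds on a given row is decided separately by the data security policy and its condition.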

Policy Store

The policy store is the repository of all roles for Oracle Cloud Applications. The policy store is also where the security policies defined for each role are stored. The Security Console is the tool for managing the policy store for Oracle Cloud Applications.