Overview of System Access Groups

System access groups and rules provide users with access to object data on the basis of the job and abstract roles that users are assigned.

If you're using the sales application for the first time in Update 22B or later, system access groups and their associated object sharing rules are used to manage users' access to data by default. If you were provisioned with Oracle Sales or Fusion Service before Update 22B, it's recommended that you use system groups and rules instead of data security policies to manage data access.

Oracle creates two types of system access groups for you:

  • Groups for predefined roles. An access group is generated for each of the predefined sales and service job roles in your environment and for the Resource and Authenticated User abstract roles.

    Predefined object sharing rules are assigned to each group. The rules provide group members with the access to the data that they require. These predefined rules are active by default.

  • Groups for custom roles. An access group is generated for each of the custom job roles in your environment.

    The access groups generated for custom roles aren't associated with object sharing rules. You must manually add predefined or custom rules to these groups. You can also copy rules from another access group, such as the access group generated for the source role you copied, to provide group members with access to data.

On the UI, you can distinguish between the two types of system access groups as follows:

  • ORA_ prefix: The numbers assigned to system access groups generated for predefined job roles or for the Resource and Authenticated User abstract roles start with the ORA_ prefix. The numbers assigned to access groups generated for your custom job roles don't include the ORA_ prefix.

  • Predefined check box: The Predefined check box is checked for system access groups generated for the predefined job roles and for the Resource and Authenticated User abstract roles. This check box isn't checked for groups that are generated for your custom job roles.

System Access Group Members

Any user you assign to a predefined or custom job role is automatically included as a member of the associated system access group. All authenticated users, including users who aren't resources, are also automatically added to the All Users system access group. You can use the All Users system access group to provide all authenticated users of your application with access to object records.

Note: System access groups are generated only for job roles that have at least one user associated with them. If no users are assigned a specific job role, a system access group isn't generated for the role.

The Refresh Access Control Data process automatically runs every hour to update system groups with changes to the custom job roles and user-job role assignments in your environment. You can also run the process at any time from the Access Groups main page by selecting the Update Groups and Members option from the Actions menu.

What Changes Can You Make to System Groups?

You can add further predefined or custom object sharing rules to system groups.

However, you can't create new system groups or delete existing system groups. You also can't add or delete members of system groups, whether manually, through group membership rules, or through import and export functionality. Users are automatically added to, or removed from, system access groups according to the job roles they're assigned.
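
The group generation and rule behavior described on this page can be modeled for an access review, as in the following added example (not Oracle code). It assumes a group's number equals its role code; all role codes, group numbers, users, and rule names are constructed.

```python
# Added model of the group rules on this page; not Oracle code.
# Role codes, group numbers, users and rule names are constructed sample data.
from collections import defaultdict

ALL_USERS = "ORA_EXAMPLE_ALL_USERS"  # constructed number for the All Users group

def build_system_groups(assignments, authenticated_users):
    """Map group number -> members. Assumes group number == role code."""
    groups = defaultdict(set)
    for user, role_code in assignments:
        groups[role_code].add(user)   # a group exists only once a role has a user
    groups[ALL_USERS] = set(authenticated_users)  # resources and non-resources
    return dict(groups)

def is_predefined(group_number):
    """Predefined groups carry the ORA_ prefix; custom-role groups do not."""
    return group_number.startswith("ORA_")

def audit(defined_roles, groups, rules_by_group):
    """Return (subject, finding) pairs for an access review."""
    findings = []
    for role in sorted(defined_roles):
        if role not in groups:
            findings.append((role, "no users assigned, so no system group exists"))
    for number in sorted(groups):
        rules = rules_by_group.get(number, [])
        if not is_predefined(number) and not rules:
            findings.append((number, "custom-role group without object sharing rules"))
        if number == ALL_USERS and rules:
            findings.append((number, f"{len(rules)} rule(s) reach every authenticated user"))
    return findings

# Constructed sample environment.
ASSIGNMENTS = [("alice", "ORA_EXAMPLE_SALES_REP_JOB"),
               ("bob", "ACME_FIELD_REP_JOB"),
               ("carol", "ACME_PARTNER_MGR_JOB")]
AUTHENTICATED = {"alice", "bob", "carol", "dave"}  # dave holds no job role
DEFINED_ROLES = {"ORA_EXAMPLE_SALES_REP_JOB", "ACME_FIELD_REP_JOB",
                 "ACME_PARTNER_MGR_JOB", "ACME_AUDITOR_JOB"}
RULES = {"ORA_EXAMPLE_SALES_REP_JOB": ["Example opportunity team rule"],
         "ACME_PARTNER_MGR_JOB": ["Example partner account rule"],
         ALL_USERS: ["Example read-all-products rule"]}

if __name__ == "__main__":
    groups = build_system_groups(ASSIGNMENTS, AUTHENTICATED)
    for subject, finding in audit(DEFINED_ROLES, groups, RULES):
        print(f"{subject}: {finding}")
```

The three findings correspond to a role with no users (no group yet), a custom-role group that still needs rules added or copied, and rules on All Users that apply to every authenticated user.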