Review a Role's Access to Object Data

You can review the visibility provided by job roles to object data by selecting the Manage Data Policies tab on the Sales and Service Access Management page. The Manage Data Policies page displays a read-only view of all the data security policies provided by a predefined or custom role for an object.

You can use this information to query existing policies so you can answer questions such as these:

  • What's the most appropriate role to apply to a set of users?

  • What's the most suitable role to copy when you need to extend the access provided by existing predefined roles?

  • Why can't users access specific data?

By default, active policies are displayed for a role and object but you can also review inactive policies.

Here's how to review data access for a selected role and object:

  1. Sign in to the application as a user who has either the IT Security Manager or Customer Relationship Management Application Administrator job role.

  2. Select Navigator > Tools > Sales and Service Access Management.

    Tip: You can also access the Sales and Service Access Management page from the Setup and Maintenance work area by selecting the Manage Sales and Service Access task in the Users and Security functional area of the Sales offering.

  3. On the Sales and Service Access Management page, click the Manage Data Policies tab.

    The Manage Data Policies page contains two areas: the Active Policies table, which lists each data policy for the selected object and role combination, and the Advanced Permissions table, which shows more detail about any advanced permissions available for a policy selected in the Access Policies table.

  4. Select a role in the Role field.

    You can select either a custom or a predefined role. To search for a role:

    1. In the Role field drop-down list, click Search, then enter the role name in the Role field of the Role dialog box.

    2. Click Search again. From the search results, select the role you want, then click OK. Note that in the search results predefined roles are identified by a Yes in the Predefined role column.

  5. Select an object in the Object field.

    The Object field lists all the sales and service objects the role can access.

    Note: Select the Trading Community Party object to view access policies for both accounts and contacts.

  6. Click Find Policies.

    The Active Policies table now lists all the active data security policies relating to the object you selected for the role you selected. You can view more or less information for the policies in the table by selecting the Columns option in the View menu.

    This information is shown for each active policy in the Access Policies table.

    | Field | Value |
    | --- | --- |
    | Condition | Lists the condition that must exist for this data policy to take effect. For example, if you selected the Sales Representative role and the Opportunity object, the condition might state that this policy applies when the user assigned the Sales Representative role is an opportunity sales team member with edit or full access. |
    | Permissions | Shows the access provided by the policy. For example, if the Read, Update, and Delete check boxes are selected, then this policy provides a user with read, update, and delete access to the object when the conditions specified in the policy are met, for example, when the user is an opportunity sales team member with edit or full access. The Advanced field indicates the number of advanced permissions defined for the policy. Not all objects or policies have advanced permissions. |
    | Start Date | Indicates the date when the policy was activated. |
    | End Date | Indicates the date when the policy is deactivated. |
    | Role Code, Role Name | Lists the role name and code of the role the policy is associated with. In most cases, the policy relates to the top-level job role you selected in the Role column, but in some cases, the policy is provided by an inherited duty role. A policy can even be provided by both the top-level role and by an inherited role. |
    | Custom Condition | Indicates whether the condition specified in the policy is a predefined condition provided by Oracle or is a custom condition that you created previously. |

  7. You can limit the policies that are shown for the role and object by clicking the Query By Example filter icon and entering filter text. You can filter by condition, role name, or role code.

    For example, currently the standard Sales Representative job role provides data visibility to all accounts and contacts. To view the conditions that are providing this full access, use these steps:

    1. Select Sales Representative in the Role field, Trading Community Party in the Object field, and click Find Policies.

    2. Click the Query By Example filter icon, and enter the text All records in the query field above the Condition column.

    The page is refreshed and displays two policies that provide all record access. Notice that one policy is provided by the Sales Representative role and the other by an inherited role, Contract View Access Across All Contracts. If you wanted to create a version of the Sales Representative role that had more restricted access to accounts and contacts, you would have to create custom copies of both roles and remove the All records policies from each.

    To remove the filter, click the Clear All icon in the query row.

  8. To view the advanced permissions defined for a selected policy in the Access Policies table, scroll to the Advanced Permissions table.

    Advanced permissions provide a finer-grained method of controlling what the user can do. For example, a policy might provide update access to an opportunity but the advanced permission for the policy might allow you to restrict that update access to specific attributes.

    For each advanced permission, the Advanced Permissions table shows the type of access provided, for example, Read access, and the action it relates to, for example, View Opportunity.

  9. If you want to view the inactive policies for a selected role and object on the Manage Data Policies page, select the Inactive policies check box.

    Inactive policies are policies for which you set an end date that has since passed. The number of inactive policies for the role and object is shown in parentheses beside the Inactive policies check box. For example, the number 1 indicates that there is only one inactive policy for the role-object combination.
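
The review in steps 7 and 9, written out as an added example (not Oracle code or an Oracle API): it filters policy rows by condition text, skips inactive policies, and reports which roles, top-level or inherited, supply the matching access and so each need a custom copy. The role codes, dates, permissions, the team-based condition and the retired duty role are constructed placeholders, and the case-insensitive substring match is an assumption about how the filter behaves.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One row of the policies table, using column names from the page."""
    condition: str
    permissions: tuple
    end_date: Optional[date]
    role_code: str
    role_name: str


def is_inactive(p: Policy, today: date) -> bool:
    # Per the page: inactive means an end date was set and has passed.
    return p.end_date is not None and p.end_date < today


def roles_granting(policies, selected_role_code, condition_text, today):
    """Active policies whose Condition contains condition_text, keyed by the
    role that provides them. Every role returned needs its own custom copy
    before the matching policies can be removed."""
    needle = condition_text.casefold()  # assumption: case-insensitive substring
    result = {}
    for p in policies:
        if is_inactive(p, today) or needle not in p.condition.casefold():
            continue
        source = "top-level" if p.role_code == selected_role_code else "inherited"
        result[p.role_name] = source
    return result


# Constructed sample rows for Sales Representative / Trading Community Party.
# Role codes, dates, permissions and the team-based condition are placeholders.
TODAY = date(2024, 6, 1)
SELECTED = "EXAMPLE_SALES_REP_JOB"
ROWS = [
    Policy("All records", ("Read",), None, SELECTED, "Sales Representative"),
    Policy("All records", ("Read",), None, "EXAMPLE_CONTRACT_VIEW_DUTY",
           "Contract View Access Across All Contracts"),
    Policy("Example: user is on the account team", ("Read", "Update"), None,
           SELECTED, "Sales Representative"),
    Policy("All records", ("Read", "Update"), date(2023, 12, 31),
           "EXAMPLE_RETIRED_DUTY", "Example Retired Duty"),
]

if __name__ == "__main__":
    print(roles_granting(ROWS, SELECTED, "All records", TODAY))
    print("inactive:", sum(is_inactive(p, TODAY) for p in ROWS))
```
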