1. Securing Sales and Fusion Service
  2. Use Access Groups to Secure Product, Product Group, and Price Book Data

Use Access Groups to Secure Product, Product Group, and Price Book Data

You can use access groups to provide different levels of access to sales catalog data (product, product group, and price book data) for different groups of users in your enterprise.

The Product, Product Group, and Price Book objects were previously unsecured so all users had unrestricted access to sales catalog data. Predefined access group rules still provide all users with unrestricted access to this data, but you can now remove or configure this access using these steps:

  1. Remove users global access to sales catalog data in either of these ways:

    • Disable the association between the predefined rules and the All Users system group.

      The All Users system group includes all authenticated users in your environment.

    • Deactivate the predefined rules that provide access to all data.

  2. Create custom access groups for different groups of users and specify the object access you want to assign to each group. For example, you might want most users to have Read access to all product, product group, or price book data but restrict Update and Delete privileges to administrators.

Here are the steps to secure the Product, Product Group, or Price Book objects using access groups.

Edit the Global Access Rules for Sales Catalog Data

To use access groups to secure product, product group, or price book data, first edit the predefined rule defined for each object that provides all authenticated users with global access. Here are the steps to edit the predefined rule for the Product object to remove all users access to product data.

  1. Navigate to the Access Groups page in the Sales and Service Access Management work area.

  2. On the Access Groups page, select the Object Rules tab.

  3. Select the Product object from the Object list.

    All the rules defined for the object are listed in the Rules section.

  4. Select the All Products system rule. Notice that the Active column is checked.

    Details relating to the rule are displayed on the Edit Rule UI.

  5. Disable the rule for all users by deselecting the Enable check box for the All Users Group in the Action: Assign Access Group region of the page.

    Alternatively, if you don't want to assign global access to product data for any group of users, you can deactivate the rule by deselecting the Active check box for the rule.

  6. Select Save and Close from the Actions menu.

  7. On the Object Sharing Rules page, select Publish Rules from the Actions menu. Keep refreshing the screen, using the circular arrow next to the Rules Last Published field, until you confirm the rule deactivation has been published. You can also drill into the All Products rule to confirm the Published Status field indicates Published.

  8. Click Close.

  9. When the Perform Object Sharing Rule Assignment Processing process next runs, any changes you've made to object record access are applied.

To edit the predefined rules that provide global access to Product Group or Price Book object data, use the same process as outlined above, substituting the appropriate rule names:

  • For the Product Group object, the predefined rule to edit is All Product Groups.

  • For the Price Book object, the predefined rule to edit is All Price Book Headers.

Create Access Groups for Sales Catalog Data

You can now create access groups in the usual way and specify different levels of access to Product, Product Group, and Price Book object data for each group. Here's an example of the high-level steps to follow to configure access for products.

  1. Identify the different access levels to product data you want to configure for users and create an access group for each.

    For example, you might create two groups: one group for specific administrators who are to have full access to product data, and one group for all other users who will have only Read access to product data.

  2. Assign resources to each group.

    You can assign users to a group manually on the UI, or by defining group membership rules, or by importing the users from a file.

  3. For each group, create object sharing rules for the Product object, specifying the type of access to object data group members should have:

    • For the general users access group, create a custom rule for the Product object that provides Read access and assign it to the group.

    • For the administrator users access group, create a custom rule for the Product object that provides Full access and assign it to the group.

  4. Publish the rules.

    When the Perform Object Sharing Rule Assignment Processing process next runs, the access defined in the object sharing rules is applied to group members.

Note: An alternative method of assigning full access to product data for the administration users is to create a custom job role and assign the custom role to the administration users. After the Refresh Access Control Data Process runs, a corresponding system access group is generated for the custom role that contains all the users assigned the custom role. Assign the predefined All Products system rule to the generated system group.

To create custom access groups for access to product group or price book data, follow the same process.

Sales Catalog All Access Duty Role

The Sales Catalog All Access (ORA_QSC_ SALES_ CATALOG_ ALL_ACCESS_DUTY) duty role provides all APPID users with global access to sales catalog data. You can't edit the data security policies provided by this duty role, but you can assign the role to other custom roles to provide users with global access to Sales Catalog data instead of creating an access group for these users.

Related Topics