1An Introduction to Student Management Security in the Cloud

This chapter contains the following:

Overview of Securing Oracle Student Management Cloud

Oracle Student Management Cloud is delivered with security. You need to enable user access to the Student Management functions and data by configuring the various security options. This guide explains how to do so. This topic summarizes the contents of each chapter.

Guide Structure

This table describes the contents of each chapter in this guide.

Chapter Contents

An Introduction to Student Management Security in the Cloud

An overview of the concepts of role-based security and an introduction to the Oracle Cloud Applications Security Console

Implementation Users Management

Why implementation users are needed and how you create them

Applications Security Setup

How you set up the enterprise options on the Security Console and maintain the Oracle Cloud Applications security tables

Application Users Setup

What are the enterprise-wide options that affect application users, and how you set them up

Application Users Management

How you create and manage the accounts for application users

Role Provisioning for Application Users

What are some of the standard role mappings, and how you create and manage them for application users

Location-Based Access

How location-based access works, and what you must do to enable or disable this access, whitelist certain IP addresses, and make certain roles public

Single Sign-On

How you set up single sign-on

Export and Import of Security Data and Role Hierarchy

How you migrate Security Console setup data and custom role hierarchy from one environment to another

Reports for Application Users and Roles

What are the reports that you can look at for user accounts, inactive users, role provisioning, and password changes

Security Console

How you use the Security Console to review role hierarchies and role analytics

Job, Abstract, and Duty Roles

How you create roles either from the beginning or by copying predefined roles, and how you edit custom roles

Roles for Workflow Access

What are the predefined roles that enable access to the Workflow feature

Role Optimization

How you use the optional Role Optimization Report to analyze the role hierarchy for redundancies and other inefficiencies

During implementation, you do certain security-related tasks from a functional area task list or for an implementation project. After the implementation is complete, you can do most of the security-related tasks through the Security Console.

Role-Based Application Security

In Oracle Applications Cloud, users have roles through which they gain access to functions and data. Users can have any number of roles. Roles are grouped hierarchically to reflect lines of authority and responsibility. User access to functions and data is determined by roles, arranged in hierarchies and provisioned to that user.

Role-based security in Oracle Applications Cloud controls who can do what on which data.

Component Description


Role assigned to a user


Function that users with that role can perform

Which Data

Set of data that users with the role can access when performing the function

Here's an example. Assume that a user named Lynda Jones has these three roles.

  • Admissions coordinator, by which she can access applicant functions and data.

  • Employee, by which she can access employee functions and data.

  • Part-time continuing education student, by which she can access student functions and data.

When Lynda Jones signs in to Oracle Student Management Cloud, she doesn't have to select a role. All of her roles, and the related access permissions, are active concurrently. The functions and data that she can access are determined by this combination of roles, which means she can access all of the functions and data relating to applicants, employees, and students.

Predefined Student Management Roles

The security reference implementation in Oracle Student Management Cloud is delivered with several pre-defined roles. Here are some examples:

  • Academic Coordinator

  • Admissions Coordinator

  • Bursar

  • Cashier

  • Higher Education Application Administrator

  • Higher Education Instructor

  • Registrar

  • Student

  • Student Adviser

  • Student Prospect

  • Student Services Manager

Additionally, the security reference implementation includes roles that are common to all Oracle Cloud applications. Here are some examples:

  • Application Implementation Consultant

  • IT Security Manager

You can use these roles as supplied.

Role Types

Oracle Student Management Cloud has these types of roles: job roles, abstract roles, aggregate privileges, and duty roles.

Job Roles

Job roles are for the jobs that people in an organization do. Bursar and Registrar are examples of predefined job roles. You can create your own job roles too.

Abstract Roles

Abstract roles represent people in the enterprise independently of the jobs they do. Employee and Transactional Business Intelligence Worker are examples of predefined abstract roles. You can also create your own abstract roles.

You can assign abstract roles directly to users. You will likely assign at least one abstract role to all users so that they have access to a set of standard functions, such as managing their own information and searching the worker directory.

Aggregate Privileges

Aggregate privileges are roles that combine the functional privilege for an individual task or duty with the relevant data security policies. Functions that aggregate privileges might grant access to include task flows, application pages, work areas, dashboards, reports, batch programs, and so on.

Aggregate privileges don't inherit other roles. All aggregate privileges are predefined, and you can neither create nor edit them.

Although you can't create aggregate privileges, you can include the predefined aggregate privileges in custom job, abstract, and duty roles. You don't assign aggregate privileges directly to users.

Duty Roles

Duty roles are for a logical collection of privileges that grant access to tasks. Instruct Class and Fee Assessment are examples of predefined duty roles.

You can create your own duty roles as well. You can use duty roles in these ways:

  • Group multiple function security privileges.

  • Make them inherit aggregate privileges and other duty roles.

  • Copy and edit them.

You don't assign duty roles directly to users. Job roles and abstract roles can inherit duty roles directly or indirectly.

Duty roles differ from aggregate privileges in these ways:

  • You can create duty roles, and edit, and copy them. Aggregate privileges, however, are predefined, and you can't create, modify, or copy them.

  • Duty roles inherit aggregate privileges and other duty roles. Aggregate roles don't.

  • Duty roles include multiple function security privileges.

Summary of differences

Here are the differences between the role types.

Role type Create Predefined Assign directly to users

Job role




Abstract role




Duty role




Aggregate privileges




Role Inheritance

Almost every role is a hierarchy or collection of other roles. When you assign roles, this is how users inherit all of the data and function security associated with those roles:

  • Job roles and abstract roles inherit aggregate privileges. They can also inherit duty roles.

    You can directly grant many function security privileges and data security policies to job roles and abstract roles. Use the Security Console to explore the complete structure of a job role or abstract role.

  • Duty roles can inherit other duty roles and aggregate privileges.

Duty Role Components

A typical duty role comprises two components, namely, data security policies and functional security privileges. Duty roles can also inherit aggregate privileges and other duty roles.

Data Security Policies

For a duty role, you can create any number of data security policies. For each policy, you specify two things:

  • A set of data needed for the duty to be completed

  • The actions that people can do on that data

A duty role can acquire data security policies indirectly from its aggregate privileges.

Each data security policy has these items:

  • A duty role, for example Expense Entry Duty.

  • A business object that's being accessed, for example Expense Reports.

  • The condition, if any, that controls access to specific instances of the business object. For example, you can create a condition that allows managers to access all data pertaining to people who report to them.

  • A data security privilege, which defines what can be done with the specified data, for example Manage Expense Report.

Function Security Privileges

You can grant function security privileges directly to a duty role. Additionally, duty roles acquire function security privileges indirectly from aggregate privileges.

Each function security privilege secures the code resources that create the relevant pages, such as the Manage Grades and Manage Locations pages.

Tip: The predefined duty roles represent logical groupings of privileges that you might want to manage as a group. They also represent real-world groups of tasks. For example, the predefined General Accountantjob role inherits the General Ledger Reporting duty role. To create your own General Accountant job role with no access to reporting structures, copy the predefined job role and remove the General Ledger Reporting duty role from the role hierarchy.

Aggregate Privileges

Aggregate privileges are a type of role. Each aggregate privilege combines a single function security privilege with related data security policies. All aggregate privileges are predefined. Let's see how aggregate privileges are named and used.

Aggregate Privilege Names

An aggregate privilege is named after the function security privilege that it includes. For example, the Manage Accounts Payable Accounting Period Status aggregate privilege includes the Manage Accounting Period Status function security privilege.

Aggregate Privileges in the Role Hierarchy

Job roles and abstract roles inherit aggregate privileges directly. Duty roles may also inherit aggregate privileges. However, aggregate privileges can't inherit other roles of any type. As most function and data security in job and abstract roles is provided by aggregate privileges, the role hierarchy has few levels. This flat hierarchy is easy to manage.

Use of Aggregate Privileges in Custom Roles

You can include aggregate privileges in the role hierarchy of a custom role. Treat aggregate privileges as role building blocks.

Creating, Editing, or Copying Aggregate Privileges

You can't create, edit, or copy aggregate privileges, nor can you grant the privileges from an aggregate privilege to another role. The purpose of an aggregate privilege is to grant a function security privilege only in combination with a specific data security policy. Therefore, you must use the aggregate privilege as a single entity.

If you copy a job or abstract role, then the source role's aggregate privileges are never copied. Instead, role membership is added automatically to the aggregate privilege for the copied role.

Overview of Security Configuration

During implementation, you evaluate the predefined roles and decide whether changes are needed. If the predefined security reference implementation doesn't fully represent your enterprise, you can change it.

For example, the predefined Line Managerabstract role includes compensation management privileges. If some of your line managers don't handle compensation, you can create a line manager role without those privileges. To create a role, you can either copy an existing role and edit it, or create a role.

All predefined roles have many function security privileges and data security policies. They also inherit aggregate privileges and duty roles.

You can identify predefined application roles easily by their role codes, which all have the prefix ORA_. For example, the role code of the Payroll Manager application job role is ORA_PAY_PAYROLL_MANAGER_JOB.

If you need only minor changes to a predefined role, copy the role and edit the copy to add or remove aggregate privileges, duty roles, function security privileges, and data security policies, as appropriate.

Consider creating a role if it has very few privileges and you can identify them easily. However, a typical implementation doesn't use custom duty roles. Remember that you can't create aggregate privileges.

Options for Reviewing Predefined Roles

You need information about predefined roles so that you can identify which users need each role and whether to make any changes before provisioning roles. Use the Security Console to review this information.

The Security Console

On the Security Console, you can do these things:

  • Review the role hierarchy of any job, abstract, or duty role.

  • Extract the role hierarchy to a spreadsheet.

  • Identify the function security privileges and data security policies granted to a role.

  • Compare roles to identify differences.

Tip: Role codes of all predefined roles have the ORA_ prefix.


To see the the function security privileges and data security policies for a specified role, all roles, a specified user, or all users, you can run the User and Role Access Audit Report, which is in the XML format.

The Security Reference Manuals

Two manuals describe the security reference implementation for Oracle Student Management Cloud users:

  • The Security Reference for Oracle Applications Cloud includes descriptions of all predefined security data that's common to Oracle Fusion Applications.

  • The Security Reference for Oracle Student Management Cloud includes descriptions of all predefined security data for Oracle Student Management Cloud.

These components are described.

  • Duty roles and aggregate privileges

  • Role hierarchy

  • Function security privileges

  • Data security policies

The security reference manuals are at https://docs.oracle.com.

Overview of Security Console

Use the Security Console to manage application security in your Oracle Applications Cloud service. You can do tasks related to role management, role analysis, user-account management, and certificate management.

Security Console Access

You must have the IT Security Manager role to use the Security Console. This role inherits the Security Management and Security Reporting duty roles.

Security Console Tasks

You can do these tasks on the Security Console:

  • Roles

    • Create job, abstract, and duty roles.

    • Edit custom roles.

    • Copy roles.

    • Compare roles.

    • Visualize role hierarchies and assignments to users.

    • Review Navigator menu items available to roles or users.

    • Identify roles that grant access to Navigator menu items and privileges required for that access.

  • Users

    • Create user accounts.

    • Review, edit, lock, or delete existing user accounts.

    • Assign roles to user accounts.

    • Reset users' passwords.

  • Analytics

    • Review statistics of role categories, the roles belonging to each category, and the components of each role.

    • View the data security policies, roles, and users associated with each database resource.

  • Certificates

    • Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.

    • Generate signing requests for X.509 certificates.

  • Administration

    • Establish rules for the generation of user names.

    • Set password policies.

    • Create standards for role definition, copying, and visualization.

    • Review the status of role-copy operations.

    • Define templates for notifications of user-account events, such as password expiration.