1An Introduction to Student Management Security in the Cloud

This chapter contains the following:

Overview of Securing Oracle Student Management Cloud

Oracle Student Management Cloud is secured as delivered. You need to enable user access to the Student Management functions and data by configuring the various security tasks. This guide explains how to do so. This topic summarizes the contents of each chapter.

Guide Structure

This table describes the contents of each chapter in this guide.

Chapter Contents

An Introduction to Student Management Security in the Cloud

An overview of the concepts of role-based security and an introduction to the Oracle Cloud Applications Security Console

Implementation Users Management

Why implementation users are needed and how you create them

Applications Security Setup

How you set up the enterprise options on the Security Console and maintain the Oracle Cloud Applications security tables

Application Users Setup

What are the enterprise-wide options that affect application users, and how you set them up

Application Users Management

How you create and manage the accounts for application users

Role Provisioning for Application Users

What are some of the standard role mappings, and how you create and manage them for application users

Location-Based Access

How location-based access works, and what you must do to enable or disable this access, allowlisting certain IP addresses, and making certain roles public

Single Sign-On

How you set up single sign-on

Export and Import of Security Data and Role Hierarchy

How you migrate Security Console setup data and custom role hierarchy from one environment to another

Reports for Application Users and Roles

What are the reports that you can look at for user accounts, inactive users, role provisioning, and password changes

Security Console

How you use the Security Console to review role hierarchies and role analytics

Job, Abstract, and Duty Roles

How you create roles either from the beginning or by copying predefined roles, and how you edit custom roles

Roles for Workflow Access

What are the predefined roles that enable access to the Workflow feature

Role Optimization

How you use the optional Role Optimization Report to analyze the role hierarchy for redundancies and other inefficiencies

During implementation, you do certain security-related tasks from a functional area task list or for an implementation project. After the implementation is complete, you can do most of the security-related tasks through the Security Console.

Role-Based Application Security

In Oracle Applications Cloud, users have roles through which they gain access to functions and data. Users can have any number of roles. Roles are grouped hierarchically to reflect lines of authority and responsibility. User access to functions and data is determined by roles, arranged in hierarchies and provisioned to that user.

Role-based security in Oracle Applications Cloud controls who can do what on which data.

Component Description


Role assigned to a user


Function that users with that role can perform

Which Data

Set of data that users with the role can access when performing the function

Here's an example. Assume that a user named Lynda Jones has these three roles.

  • Admissions coordinator, by which she can access applicant functions and data.

  • Employee, by which she can access employee functions and data.

  • Part-time continuing education student, by which she can access student functions and data.

When Lynda Jones signs in to Oracle Student Management Cloud, she doesn't have to select a role. All of her roles, and the related access permissions, are active concurrently. The functions and data that she can access are determined by this combination of roles, which means she can access all of the functions and data relating to applicants, employees, and students.

Predefined Student Management Roles

The security reference implementation in Oracle Student Management Cloud is delivered with several pre-defined roles. Here are some examples:

  • Academic Coordinator

  • Admissions Coordinator

  • Bursar

  • Cashier

  • Higher Education Application Administrator

  • Higher Education Instructor

  • Registrar

  • Student

  • Student Adviser

  • Student Prospect

  • Student Services Manager

Additionally, the security reference implementation includes roles that are common to all Oracle Cloud applications. Here are some examples:

  • Application Implementation Consultant

  • IT Security Manager

You can use these roles as supplied.

Role Types

Oracle Student Management Cloud has these types of roles: job roles, abstract roles, and duty roles.

Job Roles

Job roles are for the jobs that people in an organization do. Bursar and Registrar are examples of predefined job roles. You can create your own job roles too.

Abstract Roles

Abstract roles represent people in the enterprise independently of the jobs they do. Employee and Transactional Business Intelligence Worker are examples of predefined abstract roles. You can also create your own abstract roles.

You can assign abstract roles directly to users. You will likely assign at least one abstract role to all users so that they have access to a set of standard functions, such as managing their own information and searching the worker directory.

Duty Roles

Duty roles are for a logical collection of privileges that grant access to tasks. Instruct Class and Fee Assessment are examples of predefined duty roles.

You don't assign duty roles directly to users. Job roles and abstract roles can inherit duty roles directly or indirectly.

Duty roles differ from aggregate privileges in these ways:

  • You can create duty roles, and edit, and copy them. Aggregate privileges, however, are predefined, and you can't create, modify, or copy them.

  • Duty roles inherit aggregate privileges and other duty roles. Aggregate roles don't.

  • Duty roles include multiple function security privileges.

Summary of differences

Here are the differences between the role types.

Role type Create Predefined Assign directly to users

Job role




Abstract role




Duty role




Role Inheritance

Almost every role is a hierarchy or collection of other roles. When you assign roles, this is how users inherit all of the data and function security associated with those roles:

  • Job roles and abstract roles can inherit duty roles.

    You can directly grant many function security privileges and data security policies to job roles and abstract roles. Use the Security Console to explore the complete structure of a job role or abstract role.

  • Duty roles can inherit other duty roles and aggregate privileges.

Duty Role Components

A typical duty role comprises two components, namely, data security policies and functional security privileges. Duty roles can also inherit other duty roles.

Data Security Policies

A data security policy assigned to a duty role has the components listed below. For example, the duty role Student Party View has:

  • A business object that's being accessed, such as Trading Community Party.

  • The condition, if any, that controls access to specific instances of the business object. For example, you can create a condition that allows managers to access all data pertaining to people who report to them.

  • A data security privilege, which defines what can be done with the specified data, such as View Trading Community Person (Data).

Function Security Privileges

A function privilege assigned to a duty role secures user interfaces, such as Maintain Grade Roster and Maintain Class Roster pages.

Tip: The predefined duty roles represent logical groupings of privileges that you might want to manage as a group. They also represent real-world groups of tasks. For example, the predefined Higher Education Instructorjob role inherits the Student Detail View duty role. To create your own Higher Education Instructor job role with no access to personal information of students, copy the predefined job role and remove Student Detail View duty role from the role hierarchy.

Overview of Security Configuration

During implementation, you evaluate the predefined roles and decide whether changes are needed. If the predefined security reference implementation doesn't fully represent your enterprise, you can change it.

For example, the predefined Admissions Coordinator job role includes View Student Management Rules privileges. If some of your admissions coordinators don't handle rules, you can create a admissions coordinator role without this privilege. To create a role, you can either copy an existing role and edit it, or create a new one.

All predefined roles have many function security privileges and data security policies. They also inherit duty roles.

You can identify predefined application roles easily by their role codes, which all have the prefix ORA_. For example, the role code of the Admissions Coordinator application job role is ORA_HEQ_ADMISSIONS_COORDINATOR_JOB.

If you need only minor changes to a predefined job or abstract role, copy the role and edit the copy to add or remove duty roles, function security privileges, and data security policies, as appropriate.

Consider creating a role if it has very few privileges and you can identify them easily.

Options for Reviewing Predefined Roles

You need information about predefined roles so that you can identify which users need each role and whether to make any changes before provisioning roles. Use the Security Console to review this information.

The Security Console

On the Security Console, you can do these things:

  • Review the role hierarchy of any job, abstract, or duty role.

  • Extract the role hierarchy to a spreadsheet.

  • Identify the function security privileges and data security policies granted to a role.

  • Compare roles to identify differences.

Tip: Role codes of all predefined roles have the ORA_ prefix.


To see the the function security privileges and data security policies for a specified role, all roles, a specified user, or all users, you can run the User and Role Access Audit Report, which is in the XML format.

The Security Reference Manuals

Two manuals describe the security reference implementation for Oracle Student Management Cloud users:

  • The Security Reference for Oracle Applications Cloud includes descriptions of all predefined security data that's common to Oracle Fusion Applications.

  • The Security Reference for Oracle Student Management Cloud includes descriptions of all predefined security data for Oracle Student Management Cloud.

These components are described.

  • Duty roles and aggregate privileges

  • Role hierarchy

  • Function security privileges

  • Data security policies

The security reference manuals are at https://docs.oracle.com.

Overview of Security Console

Use the Security Console to manage application security in your Oracle Applications Cloud service. You can do tasks related to role management, role analysis, user-account management, and certificate management.

Security Console Access

You must have the IT Security Manager role to use the Security Console. This role inherits the Security Management and Security Reporting duty roles.

Security Console Tasks

You can do these tasks on the Security Console:

  • Roles

    • Create job, abstract, and duty roles.

    • Edit custom roles.

    • Copy roles.

    • Compare roles.

    • Visualize role hierarchies and assignments to users.

    • Review Navigator menu items available to roles or users.

    • Identify roles that grant access to Navigator menu items and privileges required for that access.

  • Users

    • Create user accounts.

    • Review, edit, lock, or delete existing user accounts.

    • Assign roles to user accounts.

    • Reset users' passwords.

  • Analytics

    • Review statistics of role categories, the roles belonging to each category, and the components of each role.

    • View the data security policies, roles, and users associated with each database resource.

  • Certificates

    • Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.

    • Generate signing requests for X.509 certificates.

  • Administration

    • Establish rules for the generation of user names.

    • Set password policies.

    • Create standards for role definition, copying, and visualization.

    • Review the status of role-copy operations.

    • Define templates for notifications of user-account events, such as password expiration.