How to Define View-Only Access for Items

You can define a custom role that provides view-only access to items.

As described in more detail elsewhere, the security model requires a three-way relationship between users, roles, and data, summarized as: who can do what on which data. For the case of providing view-only access for items, this table summarizes the elements of that relationship:

| Security Relationship Element | How To Implement the Element |
|---|---|
| Do What | 1. Create a custom role with only those privileges that provide view access to items. |
| Who Can | 2. Assign the custom role to the users that need view-only access. |
| On Which Data | 3. In the item class for the items that need view-only access, assign only those actions to users that provide view access to items and certain of their components. |

Provide view-only data access to items in an inventory organization to users assigned the custom role.

Create a Custom Role

Create a custom role with only those privileges that provide view access to items.

To create the custom role:

  1. Click Navigator > Tools > Security Console.

    You must have the IT Security Manager role to use the Security Console.

  2. Select the Roles tab, then click the Create Role button.

  3. Enter a Role Name. Example: Custom View-Only Item Viewer.

  4. Enter a Role Code. Example: View_Only_Item.

  5. Select this Role Category: SCM-Job Roles

  6. Enter a Description. Example: Custom role that allows view-only access to items.

  7. Click Next to advance to the Function Security Policies role component.

  8. On the Privileges tab, click Add Function Security Policy.

  9. In the Add Function Security Policy dialog box, search for and select privilege names that provide view-only access to items.

    To find and select privileges:

    1. Optionally, set the Search filter to Privileges.

    2. Enter at least 3 characters in the search field until you match the name of the desired privilege.

    3. Select the privilege in the search results, then click Add Privilege to Role.

    Select and add these privileges:

    | Privilege | Purpose |
    |---|---|
    | Monitor Item Work Area | Allows access to the Product Management group containing the Product Information Management work area from the home page and the Navigator. View-only access to the items themselves is governed by other privileges. |
    | Browse Item | Allows access to the Manage Items and Browse Items tasks in the Product Information Management work area, using item class and catalog hierarchies. View-only access to the items themselves is governed by other privileges. |
    | View Item | Allows view-only access to item details. The user must have rights to search and view items under your data security policies. Allows view-only access on the item detail page to the Overview, Specifications, Structures, Associations, and Quality tabs. The Categories tab isn't available for view-only access. You can add the Manage Item Catalog privilege to your custom role to make the Categories tab available, but that privilege makes categories editable, and defeats the view-only purpose of the role. In addition, that privilege adds the Manage Catalogs task to the task panel of the Product Information Management work area, since it makes catalogs editable. |
    | View Item Relationship | Allows access to view item relationships. Allows view-only access on the item detail page to the subtabs of the Relationships tab, with the exception of the Trading Partner Items and GTIN subtabs. |
    | Manage Item Attachment | Allows access to view and manage item attachments. |

    These privileges are a starting point for defining a custom role with view-only access to items. You can add more privileges to your function security policy for this custom role, as necessary for your business needs.

  10. You can click Next to skip through defining the other components of the new role:

    • Data Security Policies

    • Role Hierarchy

    • Segregation of Duties

    • Users

  11. On the Summary page, click Save and Close.

Assign the Custom Role to Users

Assign the custom role to users that require view-only access to items.

To assign the custom role to a user:

  1. In the Security Console, select the Users tab, then create or update a user account.

    • To create a user, click the Add User Account button. Then, on the User Information page, enter the required basic information for the user, such as name, email address, user name, and password, as needed.

    • To update a user, search for the user name, then click the display name in the search results.

  2. Click Add Role.

  3. In the Add Role Membership dialog box, search for and select the name of the custom role that you created. Then click Add Role Membership. The role is added to the user account.

Assign View Actions to Users

As you normally do when you set up data security for item classes, assign actions to users and organizations, but this time select only the actions for viewing. This assignment of actions is required for non-public item classes, but not for public item classes. (An item class is public if its Public check box is selected.)

Note: This section applies only if you have enabled either the Data Governance or Data Consolidation functional area within the Product Management offering in the Setup and Maintenance work area. These functional areas are available to users of Oracle Fusion Cloud Product Management.

To assign view-only actions to users for items in an item class:

  1. In the Setup and Maintenance work area, use the Manage Item Classes task:

    • Offering: Product Management

    • Functional Area: Items

    • Task: Manage Item Classes

  2. Select the item class and click Actions > Edit.

  3. On the Edit Item Class page, click the Security tab.

  4. Click Actions > Add Row.

  5. In the Principal field, select Group or Person, depending on the requirement.

  6. In the Name field, search for and select the view-only custom role you created.

  7. In the Organization field, search for and select the organization in which the custom role's actions apply.

  8. In the Actions table for the custom role, click Actions > Select and Add.

  9. In the Select and Add Actions dialog box, search for and select all the actions that begin with View. You should select these actions:

    • View Item Basic

    • View Item Structure

    • View Item Attribute

    • View Item Pack

  10. Click OK to assign the actions to the role or user in this item class and its child item classes.

  11. Click Save to save your changes to the item class definition.
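
A check for drift from the view-only definition above, as an added example that is not Oracle's code: it compares a role's privileges and its item class security rows with the lists on this page and reports anything that grants more than view access. The dictionary layout, the sample data, and the severity labels are assumptions made for illustration; the page does not describe an export format.

```python
# Baseline taken from the privilege and action lists on this page.
BASELINE_PRIVILEGES = {"Monitor Item Work Area", "Browse Item", "View Item",
                       "View Item Relationship", "Manage Item Attachment"}
BASELINE_ACTIONS = {"View Item Basic", "View Item Structure",
                    "View Item Attribute", "View Item Pack"}

def audit_view_only(role, item_class_rows):
    """Return (severity, message) findings for a role and its item class security rows."""
    findings = []
    privs = set(role["privileges"])
    for p in sorted(privs - BASELINE_PRIVILEGES):
        # Extra privileges may be legitimate, but a Manage* privilege makes data editable.
        sev = "HIGH" if p.startswith("Manage ") else "REVIEW"
        findings.append((sev, f"privilege outside baseline: {p}"))
    for p in sorted(BASELINE_PRIVILEGES - privs):
        findings.append(("INFO", f"baseline privilege missing: {p}"))
    if "Manage Item Attachment" in privs:
        # Part of the page's starting set, yet described there as "view and manage".
        findings.append(("REVIEW", "Manage Item Attachment also allows managing attachments"))
    rows = [r for r in item_class_rows if r["name"] == role["name"]]
    if not rows:
        # Action assignment is required only for non-public item classes.
        findings.append(("INFO", "no item class security row names this role"))
    for r in rows:
        where = f'{r["item_class"]}/{r["organization"]}'
        for a in sorted(set(r["actions"])):
            if not a.startswith("View "):
                findings.append(("HIGH", f"non-view action in {where}: {a}"))
        for a in sorted(BASELINE_ACTIONS - set(r["actions"])):
            findings.append(("INFO", f"view action missing in {where}: {a}"))
    return findings

# Constructed sample data: the role from this page with one drifted privilege and action.
SAMPLE_ROLE = {
    "name": "Custom View-Only Item Viewer",
    "privileges": ["Monitor Item Work Area", "Browse Item", "View Item",
                   "View Item Relationship", "Manage Item Attachment",
                   "Manage Item Catalog"],
}
SAMPLE_ROWS = [{
    "item_class": "Root Item Class", "organization": "ORG_EXAMPLE",
    "name": "Custom View-Only Item Viewer",
    "actions": ["View Item Basic", "View Item Structure", "View Item Attribute",
                "Maintain Item Attribute"],
}]

if __name__ == "__main__":
    for sev, msg in audit_view_only(SAMPLE_ROLE, SAMPLE_ROWS):
        print(f"{sev:6} {msg}")
```
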

Synchronize Users and Roles

When you make changes to users and groups in the Security Console, you must synchronize those changes with the HCM tables used by Oracle Fusion Cloud Applications.

To synchronize your custom role and the users you assigned it to with the HCM tables, in the Setup and Maintenance work area use the Run User and Roles Synchronization Process task:

  • Offering: Product Management

  • Functional Area: Initial Users

  • Task: Run User and Roles Synchronization Process

Runtime Access to Items

At runtime, the affected users have only view access to the affected items.

For example, assume that you're the user account described here:

  1. Sign in with the user name defined as having the custom view-only role.

  2. The only tasks available in the task panel are:

    • Manage Items

    • Browse Items

    • Manage Item Relationships

  3. Select the Manage Items task.

  4. Set the current item class to the one that you added view actions for.

  5. Add the search field Organization.

  6. Query for items by these criteria:

    • An organization from the set for which you provided data access.

    • An item belonging to the item class that you defined view actions for.

  7. Select one of the items.

  8. On the item details page, all of the fields are view-only.

  9. Select any of these tabs: Overview, Specifications, Structures, Associations, or Quality.

    All of the fields are view-only.

  10. Sign out.