11 Configuring Security

This chapter contains the following:

Managing Data Security Policies

By default, users are denied access to all data.

Data security makes data available to users by the following means.

  • Policies that define grants available through provisioned roles

  • Policies defined in application code

You secure data by provisioning roles that provide the necessary access.

Data roles also can be generated based on HCM security profiles. Data roles and HCM security profiles enable defining the instance sets specified in data security policies.

When you provision a job role to a user, the job role limits data access based on the data security policies of the inherited duty roles. When you provision a data role to a user, the data role limits the data access of the inherited job role to a dimension of data.

Data security consists of privileges conditionally granted to a role and used to control access to the data. A privilege is a single, real world action on a single business object. A data security policy is a grant of a set of privileges to a principal on an object or attribute group for a given condition. A grant authorizes a role, the grantee, to actions on a set of database resources. A database resource is an object, object instance, or object instance set. An entitlement is one or more allowable actions applied to a set of database resources.

The following table describes the ways through which data is secured.

Data security feature   Does what?
Data security policy    Defines the conditions in which access to data is granted to a role.
Role                    Applies data security policies with conditions to users through role provisioning.
HCM security profile    Defines data security conditions on instances of object types such as person records, positions, and document types without requiring users to enter SQL code.

The sets of data that a user can access are defined by creating and provisioning data roles. Oracle data security integrates with Oracle Platform Security Services (OPSS) to entitle users or roles (which are stored externally) with access to data. Users are granted access through the privilege assigned to the roles or role hierarchy with which the user is provisioned. Conditions are WHERE clauses that specify access within a particular dimension, such as by business unit to which the user is authorized.

Data Security Policies

Data security policies articulate the security requirement "Who can do what on which set of data."

For example, warehouse managers can manage inventory transaction data for the inventory organizations in which they can operate.

Who                  can do    what                     on which set of data
warehouse managers   manage    inventory transactions   for the inventory organizations in which they can operate

A data security policy is a statement in a natural language, such as English, that typically defines the grant by which a role secures business objects. The grant records the following.

  • Table or view

  • Entitlement (actions expressed by privileges)

  • Instance set (data identified by the condition)

For example, disbursement is a business object that an accounts payable manager can manage by payment function for any employee expenses in the payment process.

Note: Some data security policies aren't defined as grants but directly in applications code. The security reference manuals for Oracle Fusion Applications offerings differentiate between data security policies that define a grant and data security policies defined in Oracle Fusion applications code.

A data security policy identifies the entitlement (the actions that can be made on logical business objects or dashboards), the roles that can perform those actions, and the conditions that limit access. Conditions are readable WHERE clauses. The WHERE clause is defined in the data as an instance set and this is then referenced on a grant that also records the table name and required entitlement.
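As an added example (not from the original document and not Oracle's own code), the following Python program models the vocabulary of this section end to end: a data security policy as a grant of an entitlement (a set of privileges) to a job role on a database resource, limited by a SQL-predicate condition; a data role that inherits the job role and pins the condition to one inventory organization; and role provisioning that decides which instance set a user can reach. The table, its rows, the role names and the :organization_id bind name are all constructed for the example. It also shows the default-deny rule stated at the start of the chapter: a user with no matching grant, or asking for an action the entitlement does not include, gets an empty instance set.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data (not from the original document): a small inventory
# transactions table standing in for the secured business object.
SCHEMA = """
CREATE TABLE inv_transactions (
    transaction_id  INTEGER PRIMARY KEY,
    organization_id TEXT    NOT NULL,
    item            TEXT    NOT NULL,
    quantity        INTEGER NOT NULL
);
INSERT INTO inv_transactions VALUES
    (1, 'M1', 'AS54888', 10),
    (2, 'M1', 'CM11111',  5),
    (3, 'M2', 'AS54888',  7),
    (4, 'V1', 'CM11111',  3);
"""


@dataclass(frozen=True)
class DataSecurityPolicy:
    """A grant: `role` may perform `actions` (the entitlement) on the database
    resource `resource`, limited to the instance set selected by `condition`.
    The condition is a SQL predicate (a WHERE clause); the assumed bind name
    :organization_id is supplied by the data role's dimension."""
    role: str            # the grantee (a job role)
    resource: str        # table or view name from the policy catalog
    actions: frozenset   # privileges granted
    condition: str       # WHERE clause defining the instance set


@dataclass
class DataRole:
    """Inherits a job role and restricts its grants to one dimension of data
    (here, one inventory organization)."""
    name: str
    job_role: str
    dimension: dict      # bind values for the policy condition


POLICIES = [
    DataSecurityPolicy(
        role="Warehouse Manager",
        resource="inv_transactions",
        actions=frozenset({"view", "manage"}),
        condition="organization_id = :organization_id",
    ),
]

DATA_ROLES = {
    "Warehouse Manager - M1": DataRole(
        "Warehouse Manager - M1", "Warehouse Manager", {"organization_id": "M1"}),
    "Warehouse Manager - M2": DataRole(
        "Warehouse Manager - M2", "Warehouse Manager", {"organization_id": "M2"}),
}


def grants_for(user_roles, resource, action):
    """(predicate, binds) for every grant that entitles a user holding
    `user_roles` to `action` on `resource` through the inherited job role."""
    grants = []
    for role_name in user_roles:
        data_role = DATA_ROLES.get(role_name)
        if data_role is None:
            continue  # unknown role contributes nothing
        for policy in POLICIES:
            if (policy.role == data_role.job_role
                    and policy.resource == resource
                    and action in policy.actions):
                grants.append((policy.condition, data_role.dimension))
    return grants


def authorized_ids(conn, user_roles, resource, action):
    """Row ids of `resource` the user may apply `action` to. With no matching
    grant the instance set is empty: access is denied by default."""
    grants = grants_for(user_roles, resource, action)
    if not grants:
        return []
    # `resource` is interpolated only after it matched a catalogued policy;
    # the row filter itself runs through the bound predicate.
    ids = set()
    for predicate, binds in grants:
        rows = conn.execute(
            f"SELECT transaction_id FROM {resource} WHERE {predicate}", binds)
        ids.update(r[0] for r in rows)  # union of each data role's instance set
    return sorted(ids)


def open_demo_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    conn = open_demo_db()
    m1 = ["Warehouse Manager - M1"]
    print(authorized_ids(conn, m1, "inv_transactions", "manage"))       # [1, 2]
    print(authorized_ids(conn, m1 + ["Warehouse Manager - M2"],
                         "inv_transactions", "view"))                  # [1, 2, 3]
    print(authorized_ids(conn, [], "inv_transactions", "view"))         # []
    print(authorized_ids(conn, m1, "inv_transactions", "delete"))       # []
```

The split between `grants_for` and `authorized_ids` mirrors the FAQ distinction later in the chapter: whether any provisioned role carries the privilege at all is a function-security question, while which rows that privilege reaches is answered by the condition.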

HCM Security Profiles

HCM security profiles are used to secure HCM data, such as people and departments. Data authorization for some roles, such as the Manager role, is managed in HCM, even in ERP and SCM applications. You can use HCM security profiles to generate grants for a job role such as Manager. The resulting data role with its role hierarchy and grants operates in the same way as any other data role.

For example, an HCM security profile identifies all employees in the Finance division.

Applications outside of HCM can use the HCM Data Roles UI pages to give roles access to HR people.

Data Security Considerations for Oracle Product Hub Cloud

Some products within SCM support data security on a combination of dimensions. Oracle Product Hub Cloud enables customers to build flexible, scalable, security solutions for complex access control requirements for managing product information.

Product Hub Data Security is built on a combination of the criteria listed in the following table with examples of the values for those criteria.

Criteria                                        Example
who                                             user Eric Boyer
or which job role                               or Product Data Steward
for which item organization                     for Seattle branch
can perform what actions                        is allowed to perform View Item Structure
on which set of Product Hub business objects    for Printer Item Class

Before creating or viewing items, you define data security for each item class and organization. Data security for an item is set up in the corresponding item class, for each person or group and for each inventory or item organization. All items that you create using an item class inherit the item data security that's defined for the item class. You can also define item-specific data security at the item level.

For each user or user group, you can grant view or maintain data level rights to user-defined attributes. To define data security for user-defined attribute groups, you use extensible attribute group security to secure the data of attribute groups by allowing only certain groups or users to have access. After creating data grants for users or roles, you assign the data grants to an attribute group, then assign data grants to specific groups or users.

You can also provide data security for product data uploaded through Oracle Product Hub Portal Cloud, by assigning appropriate item data privileges to supplier users for the specific item classes that the suppliers will upload product data for.

Note: For more details about data security for Oracle Product Hub Cloud and Product Hub Portal Cloud, see the user assistance and implementation course for that product.

Data Security Considerations for Oracle Fusion Planning Central

Oracle Fusion Planning Central is another product within SCM that supports data security on a combination of dimensions. Planning Central has a flexible model of filters and rules for configuring data access for different users based on their role in the organization.

You enable data security for Planning Central when you administer planning security, as part of plan inputs. You can then select whether to allow full access, or no access, for any entity for which no data access condition is defined.

Users can be granted access based on one of the following:

  • Organizational structure, such as organization or business unit

  • Product structure, such as product line or category

  • Access to specific trading partners, such as customers or suppliers

You can define data access sets, which define the visibility for any job role, using one of the following criteria:

  • Products

  • Inventory organizations

  • Customers

  • Suppliers

In each of the criteria, you can set up filters at the lowest level (such as Item) or at a higher level (such as Category) by selecting the appropriate hierarchy. Data access sets are then assigned to different users to provide access.

Note: For more details about data security for Oracle Fusion Planning Central, see the user assistance and implementation course for that product.

Advanced Data Security

Advanced Data Security offers two types of added data protection. Database Vault protects data from access by highly privileged users, and Transparent Data Encryption encrypts data at rest. Advanced Data Security is available for Oracle Applications Cloud by subscription to the Break-Glass service.

Oracle Database Vault

Database Vault reduces the risk of highly privileged users such as database and system administrators accessing and viewing your application data. This feature restricts access to specific database objects, such as the application tables and SOA objects.

Administrators can perform regular database maintenance activities, but can't select from the application tables. If a DBA requires access to the application tables, request temporary access to the Oracle Fusion schema; keystroke auditing is enabled for the duration of that access.

Transparent Data Encryption

Transparent Data Encryption (TDE) protects Oracle Fusion Applications data which is at rest on the file system from being read or used. Data in the database files (DBF) is protected because DBF files are encrypted. Data in backups and in temporary files is protected. All data from an encrypted tablespace is automatically encrypted when written to the undo tablespace, to the redo logs, and to any temporary tablespace.

Advanced security enables encryption at the tablespace level on all tablespaces which contain applications data. This includes SOA tablespaces which might contain dehydrated payloads with applications data.

Encryption keys are stored in the Oracle Wallet. The Oracle Wallet is an encrypted container outside the database that stores authentication and signing credentials, including passwords, the TDE master key, PKI private keys, certificates, and trusted certificates needed by secure sockets layer (SSL). Tablespace keys are stored in the header of the tablespace and in the header of each operating system (OS) file that makes up the tablespace. These keys are encrypted with the master key, which is stored in the Oracle Wallet. Tablespace keys use AES 128-bit encryption, while the TDE master key always uses AES 256-bit encryption.

How Database Resources and Data Security Policies Work Together

A data security policy applies a condition and allowable actions to a database resource for a role. When that role is provisioned to a user, the user has access to data defined by the policy. In the case of the predefined security reference implementation, this role is always a duty role.

The database resource defines an instance of a data object. The data object is a table, view, or flexfield.

The following figure shows the database resource definition as the means by which a data security policy secures a data object. The database resource names the data object. The data security policy grants to a role access to that database resource based on the policy's action and condition.

Figure: the relation between database resource and data security policy. The database resource is a table or view in the database, on which a data security policy is defined that consists of a condition, an action, and a role.

Database Resources

A database resource specifies access to a table, view, or flexfield that's secured by a data security policy, and consists of the following.

  • Name providing a means of identifying the database resource

  • Data object to which the database resource points

Data Security Policies

Data security policies consist of actions and conditions for accessing all, some, or a single row of a database resource.

  • Condition identifying the instance set of values in the data object

  • Action specifying the type of access allowed on the available values

Note: If the data security policy needs to be less restrictive than any available database resource for a data object, define a new data security policy.

Actions

Actions correspond to privileges that entitle kinds of access to objects, such as view, edit, or delete. The actions allowed by a data security policy include all or a subset of the actions that exist for the database resource.

Conditions

A condition is either a SQL predicate or an XML filter. A condition expresses the values in the data object by a search operator or a relationship in a tree hierarchy. A SQL predicate, unlike an XML filter, is entered in a text field in the data security user interface pages and supports more complex filtering than an XML filter, such as nesting of conditions or subqueries. An XML filter, unlike a SQL predicate, is assembled from choices in the UI pages as an AND statement.

Note: An XML filter can be effective in downstream processes such as business intelligence metrics. A SQL predicate can't be used in downstream metrics.
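As an added example that is not part of the original document, the following Python program contrasts the two condition types on a constructed inventory table. The XML filter shape used here (a `<condition>` element holding one `<filter attribute= operator= value=>` child per UI choice) is a simplified format assumed for the example, not the product's actual filter schema; it is assembled into an AND-joined predicate whose attribute names are allowlisted and whose values are bound. The SQL predicate, entered as free text, uses a subquery against a constructed `org_access` table plus a nested OR, which is the kind of condition the section says an AND-only XML filter can't express.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample data (not from the original document): the secured table
# plus an org_access table recording the organizations each user may operate in.
SCHEMA = """
CREATE TABLE inv_transactions (
    transaction_id INTEGER PRIMARY KEY, organization_id TEXT, item TEXT, quantity INTEGER);
INSERT INTO inv_transactions VALUES
    (1, 'M1', 'AS54888', 10), (2, 'M1', 'CM11111', 5),
    (3, 'M2', 'AS54888',  7), (4, 'V1', 'CM11111', 3);
CREATE TABLE org_access (user_name TEXT, organization_id TEXT);
INSERT INTO org_access VALUES ('eboyer', 'M1'), ('eboyer', 'M2'), ('jdoe', 'V1');
"""

# Simplified XML filter shape assumed for this example (not the product's actual
# filter format): one <filter> per UI choice, all choices combined with AND.
XML_FILTER = """
<condition>
  <filter attribute="organization_id" operator="EQUALS" value="M1"/>
  <filter attribute="quantity" operator="GREATER_THAN" value="5"/>
</condition>
"""

# A SQL predicate entered as text: a subquery plus a nested OR, which an
# AND-only filter assembled from UI choices cannot express.
SQL_PREDICATE = (
    "organization_id IN (SELECT organization_id FROM org_access "
    "WHERE user_name = :user_name) "
    "AND (quantity > :min_qty OR item = :item)"
)

OPERATORS = {"EQUALS": "=", "NOT_EQUALS": "<>", "GREATER_THAN": ">", "LESS_THAN": "<"}
ALLOWED_ATTRIBUTES = {"organization_id", "item", "quantity"}


def xml_filter_to_predicate(xml_text):
    """Assemble an XML filter into (predicate, binds). Attribute names must be
    in the allowlist and operators in the table; values are bound, so no part
    of the filter is spliced into the SQL as text."""
    root = ET.fromstring(xml_text)
    clauses, binds = [], {}
    for i, f in enumerate(root.findall("filter")):
        attr, op, value = f.get("attribute"), f.get("operator"), f.get("value")
        if attr not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"unknown attribute {attr!r}")
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        binds[f"p{i}"] = int(value) if value.lstrip("-").isdigit() else value
        clauses.append(f"{attr} {OPERATORS[op]} :p{i}")
    # An empty filter selects nothing rather than everything (default deny).
    return " AND ".join(clauses) or "1 = 0", binds


def instance_set(conn, predicate, binds):
    """Rows of the secured table selected by a condition and its bind values."""
    rows = conn.execute(
        "SELECT transaction_id FROM inv_transactions WHERE " + predicate
        + " ORDER BY transaction_id", binds)
    return [r[0] for r in rows]


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    conn = open_demo_db()
    pred, binds = xml_filter_to_predicate(XML_FILTER)
    print(pred, binds)                      # organization_id = :p0 AND quantity > :p1 {'p0': 'M1', 'p1': 5}
    print(instance_set(conn, pred, binds))  # [1]
    print(instance_set(conn, SQL_PREDICATE,
                       {"user_name": "eboyer", "min_qty": 6, "item": "CM11111"}))  # [1, 2, 3]
```

Because the XML filter is reduced to a fixed set of attributes, operators and bound values, it can be re-read by other consumers (the note above mentions business intelligence metrics); the free-text SQL predicate carries no such structure, which is why it can't be reused downstream.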

FAQs for Configuring Security

What's the difference between function security and data security?

Function security is a statement of what actions you can perform in which user interface pages.

Data security is a statement of what action can be taken against which data.

Function security controls access to user interfaces and actions needed to perform the tasks of a job. For example, a warehouse manager can manage inventory transactions. The Warehouse Manager role provisioned to the warehouse manager authorizes access to the functions required to manage inventory transactions.

Data security controls access to data. In this example, the warehouse manager for M1 Inventory Organization can manage inventory transactions in the M1 Inventory Organization. Objects are secured by the data security policies of the job role.

Both function and data are secured through role-based access control.

How can I design roles?

You can simulate the menus that existing roles present to users to determine how the access they provide may be expanded. Create a visualization, or populate the Search Results column with a selection of roles or users. Select the user or role and click the Actions menu. A menu appears; click Simulate Navigator.

A simulated Navigator menu appears, listing menu and task entries. If the menu item appears without a lock, the menu isn't authorized for the role or user. If the menu item appears with a lock, the menu is authorized for the role or user. Click any menu item and select either of two options. One lists roles that grant access to the menu item. The other lists privileges required for access to the menu item.

How can I mask data in an environment?

To have an environment created with the data masked, create a service request using the Production to Test (P2T) template. Before you submit the request, be sure you select the Data Mask check box.

To have the data in an existing nonproduction environment masked, create a standard service request. Enter the following as the service request title: Data Mask for Environment: Name_of_The_Environment_To_Mask

How do I create a role hierarchy?

The most efficient way to create role hierarchies is to use the Security Console. You use the Edit Role action to navigate through the steps and add roles and privileges in the visualizer or table view.

Why would I need to remove duty roles from a role hierarchy?

Remove duty roles from a role hierarchy if your custom duty roles enable actions and user interface features that your enterprise doesn't want users to perform in your application.

Note: Don't remove duty roles from predefined job or abstract roles in the reference implementation. In the Security Console, you can identify predefined application roles by the ORA_ prefix in the Role Code field. You must copy any role that doesn't match your needs, and then edit the copy.

How do I create a new job role?

Click the Create Role button in the Security Console to create job roles. Enter a job role category in the Create Roles page and then navigate to each subsequent page that you see in the page header. You can add functional and data security policies, roles, and privileges to create the job role.