A record of each user is stored in the User entity, which defines the attributes of the user including identifier, name, Portal preferences, Favorites, Display Profile (such as format of dates and so on), Language used for screens and messages, and other attributes. Users are attached to To Do Roles that allow the user to process any error records for background processes. For example, if the XXX background process produces an error, it is possible to define the users that will process and address it.

User Groups are a mechanism for grouping users, usually around job roles. Users are attached to User Groups through a relationship that is effective-dated, which means that the date period it is active across is also defined. This can be useful for the attachment of temporary employees such as contractors or for people who change roles regularly.

Each User Group is authorized to access certain Application Services, which are the functions within Oracle Utilities Operational Device Management. Loosely, these correspond to each of the accessible screens. Application Services have valid Access Modes with standards being Add, Modify, Read and Delete.

Additionally, it is possible to define authorization levels to functions for the User Groups. For example, you may find that a certain group of users can only approve payments of a certain level unless additional authorization is obtained. The Authorization Level is associated with a Security Type, which defines the rules for a given Application Service.

Services can be attached to individual Menus, Batch Controls, Maintenance Objects, Business Objects, Business Services and Scripts to denote the service to be used to link user groups to access these objects. In this case Business Object security overrides any Maintenance Object security. The same applies to Business Services security overriding the Application Service it is based upon.

The Oracle Utilities Application Framework allows you to limit a user's access to specific data entities to prevent users without appropriate rights from accessing specific data. By granting a user access rights to an account, you are granting the user access rights to the account’s bills, payment, adjustments, orders, and so on.

An Access Group defines a group of accounts that have the same type of security restrictions. A Data Access Role defines a group of Users that have the same access rights (in respect of access to entities that include access roles). When you grant a data access role rights to an access group, you are giving all users in the data access role rights to all entities in the access group.

The following points summarize the data relationships involved with data security: