Online User Management
To manage online users, several facilities must be configured:
Maintain users within the Oracle Cloud Infrastructure Identity and Access Management (IAM) as per the Create User Accounts instructions.
Activate the users within IAM to enable their access. Conversely, deactivating users within IAM disables access to the service.
Map IAM groups to product template users as outlined in User Provisioning for Oracle Utilities Cloud Services of the Cloud Service Administration Guide.
Attach user groups to Application Services to define the subset of services and actions valid for that group of users. Refer to Define User Groups to Application Services for more details of this process.
Attach data access groups to the users to define the subset of data to which the user has access. Refer to Define Users to Data Access Groups for more details of this process.
Attach users to the appropriate user groups to define the subset of services and valid actions the users can perform within the Oracle Utilities Cloud Service. Refer to Define Users to User Groups for more details of this process.
User Management
This section describes the User object from the Oracle Utilities Cloud Service. All information is inherited from the User definition in Oracle Cloud Infrastructure Identity and Access Management (IAM). The User object records the security information used for identification of the users and their permissions. Oracle Utilities Cloud Service also provides a function to maintain the following security information for the user:
Field: Description
Userid: This is the unique user identifier used within the Oracle Utilities Cloud Service for authorization activities. Limited to eight characters.
Login Id: This is the unique user identifier used within the Oracle Utilities Cloud Service for authentication purposes. This must match the value used in the security repository to successfully use the Oracle Utilities Cloud Service. Limited to 256 characters, which can be similar or different from Userid.
Last Name: Last name of the user. Limited to 50 characters.
First Name: First name of the user. Limited to 50 characters.
User Enable: Indicates whether the user is active or inactive in the security system. Valid values are Yes (default) and No. Yes indicates the user is active and can use the system while No indicates the user is inactive and cannot use the system. Refer to User Enable and Disable for more information.
User Type: Describes the type of user. Valid values are Blank and Template. Blank refers to normal users. Refer to Template Users for more information about the Template user type.
Language: Default language used by user. For non-English languages, the Language pack must be installed.
Display Profile Id: The display profile associated with the user that controls the displayed currency, dates, and so on.
Time Zone: Time zone assigned to the user account. This is only applicable to specific services. Refer to Oracle Utilities Cloud Service online documentation for more information about its applicability.
Email Address: Optional email address associated with the user that can be used for interfaces requiring email addresses.
Dashboard Width: Describes the default width of the Dashboard portal. Setting the value to “0” disables the dashboard.
Dashboard Location: Indicates the preferred location of the Dashboard portal. This is only enabled for use with the Screen Layout Profile user experience.
Dashboard State: Indicates the preferred initial state of the Dashboard portal. This is only enabled for use with the Screen Layout Profile user experience.
Home Page: The default home page associated with the user.
Portals Profile User Id: The user identifier from which to inherit portal definitions. For more information, refer to Template Users.
Favorites Profile User Id: The user identifier from which to inherit favorite definitions. For more information, refer to Template Users.
To Do Summary Age Bar: The color schemes for the To Do Summary portal in the Dashboard. This can be used to indicate relative age of To Do entries.
User Groups: This is a list of user groups and their associated expiry dates. Refer to Define Users to User Groups for more information.
Template Users
By default, portal preferences and favorites are set at an individual user level. It is possible to inherit the portal and favorites from other users to reduce the maintenance effort for security information. Changes to the profile user are automatically inherited to any users where the profile user is attached.
To use this functionality, you must perform the following:
Set up each user to be used as a template and set the User Type to Template.
For any user that will inherit the portal preferences and favorites, specify the appropriate template user in the following fields:
Portal Preferences: Use the Portals Profile User Id to specify the Template User to be used to inherit the portal preferences.
Favorites: Use the Favorites Profile User Id to specify the Template User to be used to inherit the favorites preferences.
Once changes are made to the Template Users’ portal preferences and favorites, the changes automatically apply to any attached users.
Assign To Do Types
The Oracle Utilities Cloud Service generates To Do records for any function or error condition that requires human intervention. The To Do record contains a type and role that are used to assist in assigning the appropriate resources to work on the condition indicated by the To Do.
Note: You can explicitly assign To Do records to users or user groups. This section covers the latter condition. To Do Roles must be set up prior to using this function. Refer to the online Administration Help for a discussion about the To Do function.
For security purposes, users need to be attached to the relevant roles for the To Do facility to limit which To Do Types an individual user can work upon. To manage the To Do Roles to be assigned to users, navigate to the To Do Roles tab of the User Maintenance function and select the Add or Delete icon. You can use the Search icon to find existing To Do Roles. Once users have been attached to the To Do Roles, they can access the associated To Do Types assigned to the role or any To Do directly assigned to them.
Assign User Portal Preferences
The Oracle Utilities Cloud Service user interface is made up of portals containing individual zones. Each portal and zone can be associated with an Application Service for security purposes. Users attached to the User Groups and Application Services can view and use the portals and zones.
Note: Portal preferences can be inherited from other users if Template Users are used.
The order of display and other factors are defined at an individual user basis. To define the portal preferences for a user, navigate to the Portal Preferences tab of the User Maintenance function, select a portal, and set your zone preferences:
Field: Description
Display: Indicates whether to include the zone or exclude it from the portal. Refer to Zone Visibility of the online Administration Guide for more information.
Initially Collapsed: Indicates whether to display the zone in collapse or expand mode during the initial load. Zones are collapsed only when expanded. Marking zones as “initially collapsed” speeds up the portal loading time.
Sequence: Defines the relative order of the zones within the portal. A value of zero takes the default sequence from the portal definition.
Refresh Seconds: Defines the zone automatic refresh rate but is only applicable to a subset of zone types. A value of zero disables auto-refresh.
Security Access: Indicates whether the zone is accessible or not to the user. It is possible for a portal to have zones that are not accessible to an individual user.
Assign Bookmarks
You can attach bookmarks to your user profile to access pages including the context of the pages. You can use the Bookmark button to define bookmarks that attach the page and context to the user profile.
Note: Bookmarks are added at runtime by end users using the Bookmark button. This function only displays or deletes the bookmarks assigned by the user.
It is possible to view and remove bookmarks on the user profile by navigating to the Bookmarks tab of the User Maintenance function. You can set your bookmark preferences through the following fields:
Field: Description
Sequence: Internal sequence used for sorting.
Name: The name of the bookmark. The URL for the bookmark is hidden and is not editable.
You can use the Delete icon to remove existing bookmarks from your list.
Assign Favorite Links
Users can set several favorite functions or menu items that they can access using keyboard shortcuts or via the Favorites zone on the Dashboard.
Note: Favorites can be inherited from other users if Template Users are used.
Configuration of favorite functions or menu items is through the Favorite Links tab of the User Maintenance function. Users can set favorite link preferences through the following fields:
Field: Description
Sequence: The relative sequence number of the favorite link used for sorting purposes.
Navigation Option: The navigation option to display the favorite links. This can reference the zone or maintenance function to display after selecting the favorite link.
Security Access: Indicates whether the Navigation Option is accessible or not to the user.
To manage the Favorites to be assigned to users, select the Add icon to assign the favorite link with the appropriate Navigation Option and Sequence or select the Delete icon to remove an existing Navigation Option from the list. You can use the Search icon to find existing Navigation Options.
Assign Favorite Scripts
Users can set several Favorite BPA Scripts that they can access using the Favorite Scripts zone of the Dashboard.
Note: Favorites can be inherited from other users if Template Users are used.
Configuration of favorite scripts is through the Favorite Scripts tab of the User Maintenance function. Users can set favorite script preferences through the following fields:
Field: Description
Sequence: The relative sequence number of the favorite used for sorting purposes.
Script: The BPA script to use to display the favorite function or menu items.
Security Access: Indicates whether the BPA script is accessible or not to the user.
To manage the Favorites to be assigned to users, select the Add icon to assign the favorite link with the appropriate Script and Sequence or select the Delete icon to remove an existing Script from the list. You can use the Search icon to find existing BPA scripts.
Assign User Characteristics
Oracle Utilities Cloud Service can extend objects within Oracle Utilities Cloud Service with Characteristics, which act as additional data attributes for providing more information or custom algorithms for processing.
Note: Oracle Utilities Cloud Service ships with a predefined set of Characteristic Types. To use User Characteristics, the appropriate characteristic types must be created and attached to the user object. Refer to the online Administration documentation for more information.
The User object in Oracle Utilities Cloud Service can also be customized using characteristics by navigating to the Characteristics tab of the User Maintenance function. The following fields can be set for the characteristics:
Field: Description
Characteristic Type: The characteristic type associated with the User object.
Sequence: The relative sequence number of the characteristic used for processing purposes.
Characteristic Value: Depending on the configuration of the characteristic type, the characteristic value may be free-formatted, an attachment, in a specific format, or a specific set of values.
To manage the Characteristics to be assigned to users, select the Add icon to assign the characteristic (indicating the characteristic type) with the appropriate Sequence or select the Delete icon to remove an existing characteristic from the list.
Define Users to User Groups
Access to Oracle Utilities Cloud Service services requires User Group connections that are connected to Application Services. The connections define the linkage for functions that are accessible to users.
The attributes of the user-user group links are as follows:
The link is subject to an expiry date to allow representation of transient security configurations.
Each link is owned and subject to Data Ownership Rules. By default, all site-created links are owned as Customer Modifications.
User groups are set up according to site preferences. These can be job related, organization level-related, or a combination of factors.
A user must be a member of a user group to access the system. A user can be a member of multiple user groups.
Users can be members of user groups with overlapping permissions to Application Services. In cases of overlapping permissions, the highest valid permission is used.
You can manage the user and user group link by navigating to the Main tab of the User Maintenance function. You can use the Add icon to insert a user group with the appropriate expiry date or use the Delete icon to remove existing user groups from the list. Use the Calendar icon to select the expiry date and set the link’s effective date. Use the Context Menu icon to navigate to the user group details to review more information. The user’s security is referenced for menu and function access regardless of the access channel (online, web service, or batch) used.
Define User Groups to Application Services
One of the fundamental Oracle Utilities Cloud Service security configurations is to define user groups to Application Services. The Application Service can represent an Oracle Utilities Cloud Service service, a menu, or an object. Linking a user group to a service allows Access Mode configuration, which defines the valid actions that the user group can perform against the service.
Note: Oracle Utilities Cloud Service ships with all the Application Services predefined for base functions. These can be used or replaced with custom definitions. A starter set of User Groups is loaded with Oracle Utilities Cloud Service that can be used as a basis for further security user groups.
Additionally, each service can specify Security Types that allow for custom security rules to be applied at runtime. Refer to Security Types for more information.
The methods used to maintain the links between user groups and Application Services are the Application Service Portal and User Group Maintenance. These methods are valid for most sites and can be used to manage the same information from different perspectives.
Application Service Portal
The Application Service portal enables you to define an application service, set the access modes for the Application Service, and specify the user groups to which to connect the Application Service.
You can configure the following Main tab settings by navigating to Administration then Application Services:
Field: Description
Application Service: The unique identifier of the Application Service used in configuration of security on objects, menus, services, and so on. For custom definitions, Oracle recommends adding a “CM” prefix to distinguish these from Application Services provided by OUCS.
Description: A brief description for documentation purposes that appears on security screens when the Application Service is specified.
Access Modes: Lists the valid access modes for the Application Service. The modes must match the internal actions supported by the objects used by the Application Service. Use the Add icon to insert an access mode. Note that an access mode can only be defined once on an Application Service. Use the Delete icon to remove an existing access mode from the list. The Access Mode link to the Application Service is ownership-controlled and by default, all created links are owned as Customer Modifications. Refer to Data Ownership Rules for more information.
You can also configure the following zones in the Application Security tab to display user group memberships and manage relationships:
Field: Description
Application Service Details: Summarizes the access modes and security types of the Application Service.
User Groups With Access: Lists the user groups with access to the Application Service, along with the associated expiry dates, access modes, security types, and associated authorization levels. Use the Deny Access function to limit the access of user groups to the Application Service.
User Groups Without Access: Lists the user groups without access to the Application Service. Use the Grant Access function to allow user groups to access the Application Service.
After granting access to user groups, you can set the access mode and security group specifications for the user group:
Field: Description
Expiry Date: Specifies the date when access to the user group expires.
Access Mode: Shows the access mode defined on the Application Service definition. Use the Add icon to insert an access mode or use the Delete icon to remove an existing access mode from the list.
Owner: Ownership of the link. Refer to Data Ownership Rules for more information.
Security Type: The security type code associated with the Application Service. Use the Add icon to insert a security type or use the Delete icon to remove an existing security type from the list.
Authorization Level: The authorization level assigned to the user group when running the Application Service for the security type.
User Group Maintenance
User Group Maintenance allows you to define the Application Services that user groups can access and to connect users to user groups. You can manage the user groups by navigating to Administration, selecting the User Group menu item, and performing the following actions:
Use the Context Menu icon to edit existing permissions.
Use the Delete icon to remove the association between the user group and Application Service.
Use the Add icon to associate a user group with an Application Service.
Adding or editing associations automatically displays the Application Services tab, which enables you to maintain the access modes and security types for the association through the following fields:
Field: Description
Expiry Date: Specifies the date when access to the user group expires.
Access Mode: Shows the access mode defined on the Application Service definition. Use the Add icon to insert an access mode or use the Delete icon to remove an existing access mode from the list.
Owner: Ownership of the link. Refer to Data Ownership Rules for more information.
Security Type: The security type code associated with the Application Service. Use the Add icon to insert a security type or use the Delete icon to remove an existing security type from the list.
Authorization Level: The authorization level assigned to the user group when running the Application Service for the security type.
You can manage the users associated with the user groups through the Users tab fields:
Field: Description
User: The authorization user identifier to associate with the user group.
Expiration Date: Indicates the date when the association between the user and user group expires.
Owner: Ownership of the link. Refer to Data Ownership Rules for more information.
Define Users to Data Access Groups
Data Access Groups define the subset of data objects that are accessible to the users. The levels of data access definition are as follows:
Data Access Roles: These define the groups of data permissions that are accessible to users. Users are connected to Data Access Roles and Data Access Roles are connected to Data Access Groups.
Data Access Groups: These are tags attached to Oracle Utilities Cloud Service entities that implement data security. Note that attaching a Data Access Group to an Oracle Utilities Cloud Service entity does not automatically implement data security. Queries for the object must be altered to consider the Data Access Group. Refer to the online Administration Guide for more information.
Note: Only some services support Data Access Roles and Data Access Groups. Refer to the online Administration Guide for more information.
[Figure: relationship between Data Access Roles and Data Access Groups]
You can maintain Data Access Roles and Data Access Groups in the Access Security tab of the User Maintenance function. You can use the Add icon to insert a data access role and these fields to configure the settings or use the Delete icon to remove an existing data access role from the list.
Field: Description
Default Access Group: The default access group for a new user-created object that is subject to Access Security. This can be overridden by logic within the object if necessary.
Data Access Role: List of data access roles to which the user is attached.
Expiration Date: The date when the association between the user and data access role will expire.
User Enable and Disable
One feature of security is to attach user records to some objects (automatic or configurable) for audit purposes. You cannot delete a user record if the user performs any work in Oracle Utilities Cloud Service and is attached to some audit objects across Oracle Utilities Cloud Service.
Note: Activating or deactivating users within Oracle Cloud Infrastructure Identity and Access Management (IAM) enables or disables users from using Oracle Utilities Cloud Service.
The User Enable function on the User object allows you to activate or deactivate a user by setting the appropriate value for User Enable. The implications of the User Enable value are as follows:
Value: Implications
Enable: The user can access the system. The user can process records according to the authorization model. The user must be active in the Security Repository to fully access Oracle Utilities Cloud Service.
Disable: The user cannot access the system regardless of the security setup. The user record is retained for audit purposes only. The user does not have to exist in the Security Repository.
The key use cases for this option are as follows:
Support for personnel (permanent or temporary) leaving: Manually deactivate users once they leave the organization and keep their information for auditing purposes.
Logical deletion: If the user record needs to be deleted for any reason, selecting this option logically removes the user record, preventing access to the system.
Temporary disablement: If business rules need to isolate the user record, selecting this option for the appropriate users can effectively deactivate their access to Oracle Utilities Cloud Service.
Note: Deactivation of the user record will take effect when the user logs in to the system or after the security cache refreshes.
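The rules described in Define Users to User Groups, Define User Groups to Application Services, and User Enable and Disable can be modeled to review an exported configuration offline. This is an added example, not Oracle code: the class and field names, user groups, Application Service, access modes and security type are constructed, and it assumes a link is still valid on its expiry date and that authorization levels are integers where a larger number is a higher permission.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ServiceGrant:
    """User group -> Application Service link (field names are hypothetical)."""
    service: str
    expiry: date
    access_modes: frozenset
    # Security type -> authorization level (assumed: larger int = higher).
    auth_levels: dict = field(default_factory=dict)


@dataclass
class User:
    userid: str
    enabled: bool   # the User Enable flag
    groups: dict    # user group -> expiry date of the user/user group link


def live(expiry, today):
    # Assumption: a link is still valid on its expiry date itself.
    return expiry >= today


def effective_access(user, grants, service, today):
    """Return (access modes, authorization levels) the user holds on service."""
    if not user.enabled:  # disabled: no access regardless of security setup
        return frozenset(), {}
    modes, levels = set(), {}
    for group, link_expiry in user.groups.items():
        if not live(link_expiry, today):
            continue
        for grant in grants.get(group, []):
            if grant.service != service or not live(grant.expiry, today):
                continue
            modes |= grant.access_modes
            for sec_type, level in grant.auth_levels.items():
                # Overlapping permissions: keep the highest valid one.
                levels[sec_type] = max(level, levels.get(sec_type, level))
    return frozenset(modes), levels


def review_findings(users, today):
    """Review heuristic added here (not a product rule): links to clean up."""
    findings = []
    for u in users:
        for group, expiry in sorted(u.groups.items()):
            if not live(expiry, today):
                findings.append((u.userid, group, "expired link still attached"))
            elif not u.enabled:
                findings.append((u.userid, group, "disabled user holds live link"))
    return findings


# Constructed sample data (not from any real tenant).
TODAY = date(2024, 6, 1)
GRANTS = {
    "CM-CLERK": [ServiceGrant("CM-BILLREVIEW", date(2025, 1, 1),
                              frozenset({"Read"}), {"CM-LIMIT": 1})],
    "CM-SUPER": [ServiceGrant("CM-BILLREVIEW", date(2025, 1, 1),
                              frozenset({"Read", "Change"}), {"CM-LIMIT": 2})],
    "CM-ADMIN": [ServiceGrant("CM-BILLREVIEW", date(2025, 1, 1),
                              frozenset({"Delete"}))],
}
JSMITH = User("JSMITH01", True, {"CM-CLERK": date(2024, 12, 31),
                                 "CM-SUPER": date(2024, 12, 31),
                                 "CM-ADMIN": date(2024, 1, 31)})  # expired link
ALEE = User("ALEE0001", False, {"CM-SUPER": date(2024, 12, 31)})

if __name__ == "__main__":
    print(effective_access(JSMITH, GRANTS, "CM-BILLREVIEW", TODAY))
    print(review_findings([JSMITH, ALEE], TODAY))
```
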
Advanced User Management
The User Group Portal supports multiple actions including:
Setting an expiration date across multiple user group access modes for multiple application services.
Removing multiple access modes for multiple application services from user groups.
Adding multiple permissions from multiple application services.
Maintaining multiple security types across multiple application services.