Function Access Restriction

Each user that has authenticated successfully, needs to be authorized for accessing system functions. This page describes the concepts of authorization, the steps to set up and typical use cases.

Concepts

Access to all UI pages is protected. Each page is represented by an access restriction of type Function. So a user can only access pages he has been granted access to via one of his roles. Function access is granted on the level of a page. It is not possible to give access to certain parts of a page. For example, when the user has access to the persons page, he can access all parts of that page like person data, person addresses, person bank accounts and so on.

A user can be granted Retrieve access to a page, and optionally also Create, Update, and/or Delete access. Create access means that new rows can be added, regardless whether it is a new row in the main entity of the page, or if it is a new row in a detail entity of the page. Delete access means that rows can be deleted, regardless in which entity of the page. Dynamic fields and multi-select drop down lists are considered attributes of an entity, if the user has Update access to the page he can add/remove such attributes even if he does not have Create or Delete access.

Access to list of value (LOV) pages is not restricted and therefore there is no need to grant access to LOV pages. When a user can access a page, he can also access all the LOVs used in that page.

Menu options to which the user does not have access, are hidden. On a page to which the user has access, add / delete / save buttons are hidden if the user does not have access rights for that operation. If the user does not have update access, fields are displayed as read-only.

If a link on a page to which the user has access, brings the user to a page to which he does not have access, an access denied page is shown.

See "User Access Restriction Model" page in the User Access chapter of the Security Guide for details of the relation of access restrictions, access roles and users and explanation of their fields.

Setup

The setup of function authorization requires the following steps:

  1. Access restrictions of type function are loaded into Oracle Health Insurance during installation. No manual installation is required.

  2. Define the access roles using the setup access role function, and assign access restrictions to each access role. Specify create, retrieve, update and delete flags for each access restriction.

  3. Define roles in the external identity store. Note that the User Provisioning Service will match Access Roles using the code field. So make sure to enter the code of the Oracle Health Insurance access role as an attribute of the role definition in the external identity store.

  4. Create users in the external identity store and grant roles to them.

  5. Provision the users to Oracle Health Insurance by using the Provisioning Integration Point.

  6. The provisioned users now have access to the functions they are authorized for.

Use Cases

This use case describes the steps to set up the Access Role 'Relation Pages Readonly'. This role gives access to the Relations, Persons and Organizations pages, but only for retrieving data.

Define Access Role

Relations Read-only Role

Using the Setup Access Role page, create a new Access Role with following values:

  • Code = 'RELATION PAGES READONLY'

  • Name = 'Relation Pages Readonly'

  • Descr ='This role gives readonly access to relations, organizations and persons pages'

Create the following access restriction grants for this Access Role

  • Persons

  • Relations

  • Organizations

Only set the Retrieve? flag for these access restriction grants, not the Create?, Update? or Delete? flags.

Relations Update-only Role

Using the Setup Access Role page, create a new Access Role with following values:

  • Code = 'RELATION PAGES UPDATE ONLY'

  • Name = 'Relation Pages Update Only'

  • Descr ='This role gives update-only access to relations, organizations and persons pages'

Create the following access restriction grants for this Access Role

  • Persons

  • Relations

  • Organizations

Only set the Retrieve? and the Update? flags for these access restriction grants, not the Create? or Delete? flags.

Setup External Identity Store and Provision

Create the new Access Roles in the external identity store. Make sure to store 'RELATION PAGES READONLY' and 'RELATION PAGES UPDATE ONLY' respectively as an attribute of the new roles.

Assign the roles to users in the external identity store. Run the Provisioning Integration Point.

Access to Oracle Health Insurance

Login to Oracle Health Insurance using a user that only has the RELATION PAGES READONLY role. This user only sees the persons, relations and organizations menu options. All other menu options are invisible. All create, update and delete options in the persons, relations and organizations pages are disabled.

Login to Oracle Health Insurance using a user that only has the RELATION PAGES UPDATE ONLY role. This user can update existing persons and organizations, and can add/remove person titles for existing persons, and can add/remove dynamic field values for existing persons, organizations, addresses, bank account numbers, etc. This user is not able to add or delete persons or organizations, and is not able to add new addresses or other details to existing persons, and is not able to delete existing addresses or other details.