3 Managing User Security

All Retail Analytics and Planning applications leverage Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), which is Oracle's cloud-native security and identity platform. This provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premise applications. OCI IAM enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate OCI IAM with other on-premise applications to extend the scope of this SSO.

OCI IAM is available in five tiers:

  • Free

  • Oracle Apps

  • Oracle Apps Premium

  • Premium

  • External User

Every Oracle Retail subscription includes the Oracle Apps tier of OCI IAM. You may choose to upgrade your OCI IAM subscription to a higher tier if you require the added functionality that tier brings. For details on all the features in each tier, review the OCI IAM Feature Summary.

The table below lists common OCI IAM administrative tasks that are available with the Oracle Apps tier and that a typical Administrator is expected to perform:

| Task | More Information |
|---|---|
| Create, modify, or remove user accounts | Create User Accounts; Edit Attribute Values for the User Account; Deactivate User Accounts |
| Add or remove users from groups | Assign Groups to the User Account; Remove Groups from the User Account |
| Reset passwords for users | Reset Passwords for User Accounts |
| Resend user account activation email | Send Invitations to Users to Activate Their Accounts |
| Bulk import of users and groups | Import User Accounts; Import Groups |

Application Security Policies

Each application in the platform includes user groups, security policies, application permissions that are specific to their business processes, and user interfaces. The section below provides a high-level summary of these areas with references for accessing additional details.

Platform Components

Each of the common tools and components used by the platform has OCI IAM groups to control access to those interfaces and functionality. The most commonly used groups are listed below. The groups shown are for production systems; a similar set of groups, with _PREPROD appended to each name, is used on non-production systems.

Table 3-1 Common Components User Groups

| Example User | OCI IAM Groups | Description |
|---|---|---|
| Batch Administrator | BATCH_ADMINISTRATOR_JOB, PROCESS_SERVICE_ADMIN_JOB | Full access to the POM application to monitor and update Oracle Retail batch schedules. For a complete list of groups, see the POM Implementation Guide. |
| Retail Home Administrator | RETAIL_HOME_ADMIN, PLATFORM_SERVICES_ADMINISTRATOR, PLATFORM_SERVICES_ADMINISTRATOR_ABSTRACT | Full access to the Retail Home application configurations for dashboards, notifications, resource bundles, and customer module setup. |
| APEX/IW Administrator | DATA_SCIENCE_ADMINISTRATOR_JOB, DATA_SCIENCE_OLDS_ADMIN_JOB | Full access to APEX and Python Notebook administration options. |
| RI/RSP Systems Implementer | ADMINISTRATOR_JOB | Has access to the Tactical and Control Center in the RSP UI, where RI and RSP configurations are managed. |

Retail Insights and Oracle Analytics

Retail Insights Cloud Services are built with role-based access to features and functionality. One set of OCI IAM groups is used to control data access to functional areas such as Sales or Inventory. Another set of groups controls the access level for Oracle Analytics components, such as the ability to create new reports or edit reports in the catalog.

Unlike previous-generation architecture, the RI, OAS, and DV group names are prefixed with a unique tenant ID that is specific to your cloud service. This is necessary because the same Oracle Analytics platform can be shared across multiple Oracle Retail solutions now, and you may also have multiple OAS instances on one IAM (such as Dev, Stage, and Prod environments). The tenant ID is a long string of characters like this:

bd835fj48ffj3lwisda4h

The role names may look like this:

bd835fj48ffj3lwisda4h-BIConsumer_JOB

A typical Retail Insights user might have the following groups assigned to them:

Table 3-2 Example Retail Insights User Groups

| Example User | OCI IAM Groups | Description |
|---|---|---|
| RI Application Administrator | <tenant ID>-BIConsumer_JOB, <tenant ID>-BIAuthor_JOB, <tenant ID>-RIApplicationAdministrator_JOB, <tenant ID>-DVContentAuthor, <tenant ID>-RetailAnalysts_JOB, RETAIL_HOME_ADMIN | This user has access to all functional areas in RI and can manage Agents and modify and delete objects in the /Shared Folders/Custom/ space in the catalog. |
| Junior Merchandiser | <tenant ID>-BIConsumer_JOB, <tenant ID>-BIAuthor_JOB, <tenant ID>-DVContentAuthor, <tenant ID>-SalesInsights_JOB, <tenant ID>-InventoryInsights_JOB, <tenant ID>-SupplierInsights_JOB | This user has access to the Sales, Inventory, and Supplier areas in RI, which are typically required for basic reporting on merchandise. The user can create reports, but not agents. |

AI Foundation Applications

Each AI Foundation application on the platform has its own set of groups that determine a user’s access level to that application’s user interface. Groups are divided based on typical business tasks and duties that the user is expected to perform, such as one group for managing markdown optimization configurations and another which only creates and runs scenarios. The groups shown are for production systems; a similar set of groups, with _PREPROD appended to each name, is used on non-production systems (except for OAS/DV roles).

Table 3-3 Example AI Foundation User Groups

| Example User | OCI IAM Groups | Description |
|---|---|---|
| System Implementer / Business Administrator | ADMINISTRATOR_JOB | User has access to the Tactical and Control Center for modifying system configurations and creating forecasts. |
| Inventory Analyst | INVENTORY_ANALYST_JOB, <tenant ID>-DVContentAuthor | User has access to the Inventory Optimization application screens as well as the Data Visualizer tool for viewing/editing reports. |
| Size Profile Analyst | SIZE_PROFILE_ANALYST_JOB | Responsible for system parameter maintenance to support size profile calculations. May also be responsible for the approval of size profiles. |

For a complete list of available groups, refer to the Retail AI Foundation Cloud Services Administration Guide.
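The naming rules described above (tenant-prefixed RI/OAS/DV roles, the _PREPROD suffix on other groups) can be applied in a periodic access review. The following is an added example, not Oracle code: it parses group names, then flags administrator-level groups from Tables 3-1 to 3-3 and roles that carry a tenant ID other than the one under review. The user,group CSV layout, the user names, and the second tenant ID are constructed for illustration, and the example assumes that only tenant-prefixed roles contain a hyphen and that each instance has its own tenant ID.

```python
import csv
import io
from collections import defaultdict

# Administrator-level groups named in Tables 3-1 to 3-3 on this page.
ADMIN_GROUPS = {
    "BATCH_ADMINISTRATOR_JOB", "PROCESS_SERVICE_ADMIN_JOB", "RETAIL_HOME_ADMIN",
    "PLATFORM_SERVICES_ADMINISTRATOR", "PLATFORM_SERVICES_ADMINISTRATOR_ABSTRACT",
    "DATA_SCIENCE_ADMINISTRATOR_JOB", "DATA_SCIENCE_OLDS_ADMIN_JOB",
    "ADMINISTRATOR_JOB", "RIApplicationAdministrator_JOB",
}

def parse_group(name):
    """Return (tenant_id, base_name, environment) for one group name."""
    tenant, sep, role = name.partition("-")
    if sep:
        # Tenant-prefixed RI/OAS/DV role: the tenant ID identifies the
        # instance, and these roles do not take the _PREPROD suffix.
        return tenant, role, "per-tenant"
    if name.endswith("_PREPROD"):
        return None, name[: -len("_PREPROD")], "preprod"
    return None, name, "prod"

def review(export_csv, expected_tenant):
    """Map each user to a list of (finding, group) pairs worth a second look."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        tenant, base, env = parse_group(row["group"])
        if tenant is not None and tenant != expected_tenant:
            findings[row["user"]].append(("other-tenant", row["group"]))
        elif base in ADMIN_GROUPS:
            findings[row["user"]].append(("admin:" + env, row["group"]))
    return dict(findings)

# Constructed sample export (assumed layout, not an OCI IAM file format).
SAMPLE = """user,group
alice,bd835fj48ffj3lwisda4h-BIConsumer_JOB
alice,bd835fj48ffj3lwisda4h-RIApplicationAdministrator_JOB
alice,RETAIL_HOME_ADMIN
bob,bd835fj48ffj3lwisda4h-SalesInsights_JOB
bob,ADMINISTRATOR_JOB_PREPROD
carol,INVENTORY_ANALYST_JOB
carol,x9constructedtenant0-DVContentAuthor
"""

if __name__ == "__main__":
    for user, items in review(SAMPLE, "bd835fj48ffj3lwisda4h").items():
        for kind, group in items:
            print(f"{user}: {kind}: {group}")
```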

Merchandise Financial Planning

Merchandise Financial Planning provides default OCI IAM groups to manage access levels in the application. In MFP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within MFP and synchronize those groups using Online Administration Tasks.

| Example User | OCI IAM Groups | Description |
|---|---|---|
| MFP Prod Users | MFP_AUTH_PROD | Grants MFP access to a production environment |
| MFP Stage Users | MFP_AUTH_STAGE | Grants MFP access to a stage (non-production) environment |
| Application Administrator | MFP_ADMIN_PROD, MFP_ADMIN_STAGE | The administrator will have access to all templates within the application, and can schedule Online Administration Tasks. |
| MFP Planners/MFP Approvers | MFP_USERS, MFP_PLANNERS, MFP_BUYERS, MFP_APPROVERS | MFP user permissions are given by administrators at the template level. Users within each of these groups will only have access to the associated templates. |

For a complete list of available groups and more details, refer to the RPASCE Administration Guide and MFP Administration Guide.

Demand Forecasting

Demand Forecasting provides default OCI IAM groups for managing access levels in the application. In RDF, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within RDF and synchronize those groups using Online Administration Tools (OAT).

| Example User | OCI IAM Groups | Description |
|---|---|---|
| RDF Prod Users | RDF_AUTH_PROD | Grants RDF access to a production environment. |
| RDF Stage Users | RDF_AUTH_STAGE | Grants RDF access to a stage (non-production) environment. |
| Application Administrator | RDF_ADMIN_PROD, RDF_ADMIN_STAGE | An administrator has access to all templates within the application and can schedule Online Administration Tasks. |
| RDF Analysts/Managers | RDF_ANALYSTS, RDF_MANAGERS | RDF user permissions for non-admin users. |

For a complete list of available groups and more details, refer to the RPASCE Administration Guide and RDF Administration Guide.

Assortment Planning

Assortment Planning provides default OCI IAM groups for managing access levels in the application. In AP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within AP and synchronize those groups using Online Administration Tools (OAT).

| Example User | OCI IAM Groups | Description |
|---|---|---|
| AP Users | AP_AUTH_PROD, AP_AUTH_STAGE | Grants AP access to a production or non-prod environment. |
| Application Administrator | AP_ADMIN_PROD, AP_ADMIN_STAGE | An administrator has access to all templates within the application and can schedule Online Administration Tasks. |
| AP Planners/Approvers | AP_USERS, AP_PLANNERS, AP_BUYERS, AP_APPROVERS | AP user permissions for non-admin users. |

For a complete list of available groups and more details, refer to the RPASCE Administration Guide and AP Administration Guide.