3 Managing User Security
All Retail Analytics and Planning applications leverage Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), which is Oracle's cloud-native security and identity platform. This provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premise applications. OCI IAM enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate OCI IAM with other on-premise applications to extend the scope of this SSO.
OCI IAM is available in five tiers:
- Free
- Oracle Apps
- Oracle Apps Premium
- Premium
- External User
Along with any Oracle Retail subscription you will get the Oracle Apps tier of OCI IAM. You may choose to increase your OCI IAM subscription to a higher tier if you require the added functionalities the higher level brings. For details on all the features in each tier, review the OCI IAM Feature Summary.
Review the table below for common OCI IAM administrative tasks available with the Oracle Apps tier which a typical Administrator will be expected to perform:
Task | More Information |
---|---|
Create, modify, or remove user accounts | |
Add or remove users from groups | |
Reset passwords for users | |
Resend user account activation email | |
Bulk import of users and groups | |
Application Security Policies
Each application in the platform includes user groups, security policies, application permissions that are specific to their business processes, and user interfaces. The section below provides a high-level summary of these areas with references for accessing additional details.
Platform Components
Each of the common tools and components used by the platform has OCI IAM groups to control access to those interfaces and functionality. The most commonly used groups are listed below. The groups shown are for production systems; a similar set of groups with _PREPROD appended is used on non-production systems.
Table 3-1 Common Components User Groups
Example User | OCI IAM Groups | Description |
---|---|---|
Batch Administrator | BATCH_ADMINISTRATOR_JOB, PROCESS_SERVICE_ADMIN_JOB | Full access to the POM application to monitor and update Oracle Retail batch schedules. For a complete list of groups, see the POM Implementation Guide. |
Retail Home Administrator | RETAIL_HOME_ADMIN, PLATFORM_SERVICES_ADMINISTRATOR, PLATFORM_SERVICES_ADMINISTRATOR_ABSTRACT | Full access to the Retail Home application configurations for dashboards, notifications, resource bundles, and customer module setup. |
APEX/IW Administrator | DATA_SCIENCE_ADMINISTRATOR_JOB, DATA_SCIENCE_OLDS_ADMIN_JOB | Full access to APEX and Python Notebook administration options. |
RI/RSP Systems Implementer | ADMINISTRATOR_JOB | Has access to the Tactical and Control Center in the RSP UI, where RI and RSP configurations are managed. |
Retail Insights and Oracle Analytics
Retail Insights Cloud Services are built with role-based access to features and functionality. One set of OCI IAM groups is used to control data access to functional areas such as Sales or Inventory. Another set of groups controls the access level for Oracle Analytics components, such as the ability to create new reports or edit reports in the catalog.
Unlike previous-generation architecture, the RI, OAS, and DV group names are prefixed with a unique tenant ID that is specific to your cloud service. This is necessary because the same Oracle Analytics platform can be shared across multiple Oracle Retail solutions now, and you may also have multiple OAS instances on one IAM (such as Dev, Stage, and Prod environments). The tenant ID is a long string of characters like this:
bd835fj48ffj3lwisda4h
The role names may look like this:
bd835fj48ffj3lwisda4h-BIConsumer_JOB
A typical Retail Insights user might have the following groups assigned to them:
Table 3-2 Example Retail Insights User Groups
Example User | OCI IAM Groups | Description |
---|---|---|
RI Application Administrator | <tenant ID>-BIConsumer_JOB, <tenant ID>-BIAuthor_JOB, <tenant ID>-RIApplicationAdministrator_JOB, <tenant ID>-DVContentAuthor, <tenant ID>-RetailAnalysts_JOB, RETAIL_HOME_ADMIN | This user has access to all functional areas in RI and can manage Agents and modify and delete objects in the /Shared Folders/Custom/ space in the catalog. |
Junior Merchandiser | <tenant ID>-BIConsumer_JOB, <tenant ID>-BIAuthor_JOB, <tenant ID>-DVContentAuthor, <tenant ID>-SalesInsights_JOB, <tenant ID>-InventoryInsights_JOB, <tenant ID>-SupplierInsights_JOB | This user has access to the Sales, Inventory, and Supplier areas in RI, which are typically required for basic reporting on merchandise. The user can create reports, but not agents. |
AI Foundation Applications
Each AI Foundation application on the platform has its own set of groups that determine a user’s access level to that application’s user interface. Groups are divided based on typical business tasks and duties that the user is expected to perform, such as one group for managing markdown optimization configurations and another which only creates and runs scenarios. The groups shown are for production systems; a similar set of groups with _PREPROD appended is used on non-production systems (except for OAS/DV roles).
Table 3-3 Example AI Foundation User Groups
Example User | OCI IAM Groups | Description |
---|---|---|
System Implementer / Business Administrator | ADMINISTRATOR_JOB | User has access to the Tactical and Control Center for modifying system configurations and creating forecasts. |
Inventory Analyst | INVENTORY_ANALYST_JOB, <tenant ID>-DVContentAuthor | User has access to the Inventory Optimization application screens as well as the Data Visualizer tool for viewing/editing reports. |
Size Profile Analyst | SIZE_PROFILE_ANALYST_JOB | Responsible for system parameter maintenance to support size profile calculations. May also be responsible for the approval of size profiles. |
For a complete list of available groups, refer to the Retail AI Foundation Cloud Services Administration Guide.
Merchandise Financial Planning
Merchandise Financial Planning provides default OCI IAM groups to manage access levels in the application. In MFP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within MFP and synchronize those groups using Online Administration Tasks.
Example User | OCI IAM Groups | Description |
---|---|---|
MFP Prod Users | MFP_AUTH_PROD | Grants MFP access to a production environment. |
MFP Stage Users | MFP_AUTH_STAGE | Grants MFP access to a stage (non-production) environment. |
Application Administrator | MFP_ADMIN_PROD, MFP_ADMIN_STAGE | The administrator will have access to all templates within the application, and can schedule Online Administration Tasks. |
MFP Planners/MFP Approvers | MFP_USERS, MFP_PLANNERS, MFP_BUYERS, MFP_APPROVERS | MFP user permissions are given by administrators at the template level. Users within each of these groups will only have access to the associated templates. |
For a complete list of available groups and more details, refer to the RPASCE Administration Guide and MFP Administration Guide.
Demand Forecasting
Demand Forecasting provides default OCI IAM groups for managing access levels in the application. In RDF, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within RDF and synchronize those groups using Online Administration Tools (OAT).
Example User | OCI IAM Groups | Description |
---|---|---|
RDF Prod Users | RDF_AUTH_PROD | Grants RDF access to a production environment. |
RDF Stage Users | RDF_AUTH_STAGE | Grants RDF access to a stage (non-production) environment. |
Application Administrator | RDF_ADMIN_PROD, RDF_ADMIN_STAGE | An administrator has access to all templates within the application and can schedule Online Administration Tasks. |
RDF Analysts/Managers | RDF_ANALYSTS, RDF_MANAGERS | RDF user permissions for non-admin users. |
For a complete list of available groups and more details, refer to the RPASCE Administration Guide and RDF Administration Guide.
Assortment Planning
Assortment Planning provides default OCI IAM groups for managing access levels in the application. In AP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within AP and synchronize those groups using Online Administration Tools (OAT).
Example User | OCI IAM Groups | Description |
---|---|---|
AP Users | AP_AUTH_PROD, AP_AUTH_STAGE | Grants AP access to a production or non-prod environment. |
Application Administrator | AP_ADMIN_PROD, AP_ADMIN_STAGE | An administrator has access to all templates within the application and can schedule Online Administration Tasks. |
AP Planners/Approvers | AP_USERS, AP_PLANNERS, AP_BUYERS, AP_APPROVERS | AP user permissions for non-admin users. |
For a complete list of available groups and more details, refer to the RPASCE Administration Guide and AP Administration Guide.
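The group-naming conventions used throughout this chapter (a tenant-ID prefix on RI, OAS, and DV groups, a _PREPROD suffix on non-production platform groups, and _PROD/_STAGE suffixes on planning groups) can be checked mechanically during a periodic access review. The following Python is an added example, not Oracle code; the tenant-ID pattern, the "ADMIN" substring heuristic, the user names, the second tenant ID, and the ADMINISTRATOR_JOB_PREPROD name (built from the stated suffix rule) are assumptions made for illustration.

```python
import re

# Assumption: tenant IDs are long lowercase-alphanumeric strings, like the page's sample.
TENANT_RE = re.compile(r"^(?P<tenant>[a-z0-9]{16,})-(?P<role>.+)$")
# Heuristic: every administrator group named on this page contains "ADMIN".
ADMIN_RE = re.compile(r"admin", re.IGNORECASE)

def classify(group, tenant_env):
    """Split a group name into tenant ID, base role and environment."""
    tenant, role = None, group
    m = TENANT_RE.match(group)
    if m:  # tenant-prefixed: the tenant ID, not a suffix, identifies the instance
        tenant, role = m["tenant"], m["role"]
        env = tenant_env.get(tenant, "unknown")
    else:
        env = "prod"  # the unsuffixed groups are the production set
        for suffix in ("_PREPROD", "_STAGE"):
            if role.endswith(suffix):
                role, env = role[: -len(suffix)], "nonprod"
        if role.endswith("_PROD"):
            role = role[: -len("_PROD")]
    return {"tenant": tenant, "role": role, "env": env, "admin": bool(ADMIN_RE.search(role))}

def review(assignments, tenant_env):
    """Return {user: [findings]} for memberships that deserve a closer look."""
    findings = {}
    for user, groups in assignments.items():
        notes = []
        for g in groups:
            c = classify(g, tenant_env)
            if c["env"] == "unknown":
                notes.append(f"unknown-tenant:{g}")
            elif c["env"] == "prod" and c["admin"]:
                notes.append(f"prod-admin:{g}")
        if notes:
            findings[user] = notes
    return findings

# Constructed sample data: the user names and the second tenant ID are made up.
TENANT_ENV = {"bd835fj48ffj3lwisda4h": "prod"}
ASSIGNMENTS = {
    "jr.merchandiser": ["bd835fj48ffj3lwisda4h-BIConsumer_JOB"],
    "planner": ["MFP_AUTH_PROD", "MFP_PLANNERS", "MFP_ADMIN_STAGE"],
    "implementer": ["ADMINISTRATOR_JOB_PREPROD", "RETAIL_HOME_ADMIN"],
    "analyst": ["zz00aa11bb22cc33dd44e-BIAuthor_JOB"],
}

if __name__ == "__main__":
    print(review(ASSIGNMENTS, TENANT_ENV))
```

In practice the assignments would come from an OCI IAM user and group export, and the tenant-to-environment map from your own record of which tenant ID belongs to which instance.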