3 Managing User Security
All Retail Analytics and Planning applications leverage Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), which is Oracle's cloud-native security and identity platform. This provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premise applications. OCI IAM enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate OCI IAM with other on-premise applications to extend the scope of this SSO.
For complete information on Oracle Retail’s authentication policies, pre-defined user roles, and environment setup information, refer to the Oracle Retail Identity Management for OCI IAM Startup Guide. The Startup Guide is the primary source for the latest information about Oracle Retail user and group management practices across all our applications. The chapter in this document only provides supplemental details.
Application Security Policies
Each application in the platform includes user groups, security policies, application permissions that are specific to their business processes, and user interfaces. The section below provides a high-level summary of these areas with references for accessing additional details.
Retail Insights and Oracle Analytics
Retail Insights Cloud Services are built with role-based access to features and functionality. One set of OCI IAM groups is used to control data access to functional areas such as Sales or Inventory. Another set of groups controls the access level for Oracle Analytics components, such as the ability to create new reports or edit reports in the catalog.
For Oracle Analytics Server (OAS) based architecture, the RI and Oracle Analytics group names are prefixed with a unique tenant ID that is specific to your cloud service. This is necessary because the same Oracle Analytics platform can be shared across multiple Oracle Retail solutions now, and you may also have multiple Oracle Analytics instances on one IAM (such as Dev, Stage, and Prod environments). The tenant ID is a long string of characters like this:
bd835fj48ffj3lwisda4h
The role names may look like this:
bd835fj48ffj3lwisda4h-BIConsumer_JOB
For Oracle Analytics Cloud (OAC) based architecture, the tenant ID is a user-friendly environment string instead of the internal code that OAS uses. It follows a naming standard of:
<Customer_Code>_<Env_Type><Index>-<Group Name>
The role names may look like this:
XCUST_DEV2-TenderInsights_JOB
Additionally, in OAC environments, it is the customer’s responsibility to create the OCI IAM groups using this format, as Oracle will not automatically create the new groups in the customer tenants.
Refer to the Oracle Retail Identity Management for OCI IAM Startup Guide for the complete list of groups and application roles, steps to set up the OAC environment, and example users and their role assignments.
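Because OAC groups are created by the customer, the naming standard above can be checked mechanically before users are assigned. The following Python sketch is an added example, not part of Oracle's documentation: it reports groups that are missing for one environment and names that look like near misses. The character classes allowed in each part of the prefix, the case-sensitive comparison, and the sample group list are assumptions; the required role list should come from the Startup Guide.

```python
import re
from typing import NamedTuple, Optional

# Assumed reading of <Customer_Code>_<Env_Type><Index>: alphanumeric customer
# code, alphabetic environment type, numeric index (for example XCUST_DEV2).
PREFIX_RE = re.compile(r"^([A-Za-z0-9]+)_([A-Za-z]+)(\d+)$")

class OacGroup(NamedTuple):
    customer: str
    env_type: str
    index: int
    role: str

def parse_oac_group(name: str) -> Optional[OacGroup]:
    """Split '<prefix>-<Group Name>' on the first hyphen; None if malformed."""
    prefix, sep, role = name.partition("-")
    m = PREFIX_RE.match(prefix)
    if m is None or not sep or not role:
        return None
    return OacGroup(m.group(1), m.group(2), int(m.group(3)), role)

def audit_environment(existing, customer, env_type, index, required_roles):
    """Return (missing, suspect) group names for one OAC environment."""
    prefix = f"{customer}_{env_type}{index}"
    expected = {f"{prefix}-{role}" for role in required_roles}
    missing = sorted(expected - set(existing))
    suspect = []
    for name in existing:
        if name in expected:
            continue
        has_role = any(name.lower().endswith(r.lower()) for r in required_roles)
        # A well-formed name for another environment is not a near miss.
        same_env = name.lower().startswith(prefix.lower() + "-")
        if has_role and (parse_oac_group(name) is None or same_env):
            suspect.append(name)
    return missing, sorted(suspect)

# Constructed sample data: group names as they might be exported from OCI IAM.
SAMPLE_GROUPS = [
    "XCUST_DEV2-TenderInsights_JOB",   # correct
    "XCUST_DEV-BIConsumer_JOB",        # index missing
    "xcust_dev2-BIConsumer_JOB",       # wrong case
    "XCUST_PROD1-TenderInsights_JOB",  # different environment
    "Administrators",                  # unrelated group
]
# Role names taken from the examples on this page, not the complete list.
REQUIRED = ["TenderInsights_JOB", "BIConsumer_JOB"]

if __name__ == "__main__":
    missing, suspect = audit_environment(SAMPLE_GROUPS, "XCUST", "DEV", 2, REQUIRED)
    print("missing:", missing)
    print("suspect:", suspect)
```

A name listed as suspect usually explains an entry listed as missing: the group exists, but under a name that does not follow the standard.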
AI Foundation Cloud Services
Each AI Foundation application on the platform has its own set of groups that determine a user’s access level to that application’s user interface. Groups are divided based on typical business tasks and duties that the user is expected to perform, such as one group for managing markdown optimization configurations and another which only creates and runs scenarios. The groups shown are for production systems; a similar set of groups is appended with _PREPROD for use on non-production systems (except for Oracle Analytics roles).
Refer to the Oracle Retail Identity Management for OCI IAM Startup Guide for example users and their role assignments. For a complete list of available groups, refer to the Retail AI Foundation Cloud Services Administration Guide.
Planning and Optimization Cloud Services
Merchandise Financial Planning, Assortment Planning, and Inventory Planning Optimization-Demand Forecasting all provide default OCI IAM groups to manage access levels in the application. In each application, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within each application and synchronize those groups using Online Administration Tasks.
For a complete list of available groups and more details, refer to the Oracle Retail Identity Management for OCI IAM Startup Guide section on “Planning and Optimization Cloud Services”.