2 Managing User Security

All applications in the Retail Analytics Platform leverage Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), which are Oracle's cloud-native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premise applications. IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premise applications to extend the scope of this SSO.

IDCS and OCI IAM are available in two tiers: Foundation and Standard.

  • Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.

  • Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premise, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.

The Retail Analytics Platform only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management, Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third-Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.

The table below lists common IDCS and OCI IAM administrative tasks that are available with the Foundation tier and that a typical administrator will be expected to perform:

| Task | More Information |
|---|---|
| Create, modify, or remove user accounts | Create User Accounts; Edit Attribute Values for the User Account; Deactivate User Accounts |
| Add or remove users from groups | Assign Groups to the User Account; Remove Groups from the User Account |
| Reset passwords for users | Reset Passwords for User Accounts |
| Resend user account activation email | Send Invitations to Users to Activate Their Accounts |
| Bulk import of users and groups | Import User Accounts; Import Groups |

Application Security Policies

Each application in the platform includes user groups, security policies, application permissions that are specific to their business processes, and user interfaces. The section below provides a high-level summary of these areas with references for accessing additional details.

Platform Components

Each of the common tools and components used by the platform has IDCS or OCI IAM groups to control access to those interfaces and functionality. The most commonly used groups are listed below.

Table 2-1 Common Components User Groups

| Example User | IDCS or OCI IAM Groups | Description |
|---|---|---|
| Batch Administrator | BATCH_ADMINISTRATOR_JOB | Full access to the POM application to monitor and update Oracle Retail batch schedules. For a complete list of groups, see the POM Implementation Guide. |
| Retail Home Administrator | RETAIL_HOME_ADMIN, PLATFORM_SERVICES_ADMINISTRATOR | Full access to the Retail Home application configurations for dashboards, notifications, resource bundles, and customer module setup. |
| APEX/IW Administrator | DATA_SCIENCE_ADMINISTRATOR_JOB, DATA_SCIENCE_OLDS_ADMIN_JOB | Full access to APEX and Python Notebook administration options. |
| RI/RSP Systems Implementer | ADMINISTRATOR_JOB | Has access to the Tactical and Control Center in the RSP UI, where RI and RSP configurations are managed. |

Retail Insights

Retail Insights Cloud Services are built with role-based access to features and functionality. One set of IDCS or OCI IAM groups is used to control data access to functional areas such as Sales or Inventory. Another set of groups controls the access level for Oracle Analytics components, such as the ability to create new reports or edit reports in the catalog. A typical Retail Insights user might have the following groups assigned to them:

Table 2-2 Example Retail Insights User Groups

| Example User | IDCS or OCI IAM Groups | Description |
|---|---|---|
| RI Application Administrator | BIConsumer_JOB, BIAuthors_JOB, RIApplicationAdministrator_JOB, RetailAnalysts_JOB, RETAIL_HOME_ADMIN | This user has access to all functional areas in RI and can manage Agents and modify and delete objects in the /Shared Folders/Custom/ space in the catalog. |
| Junior Merchandiser | BIConsumer_JOB, BIAuthors_JOB, SalesInsights_JOB, InventoryInsights_JOB, SupplierInsights_JOB | This user has access to the Sales, Inventory, and Supplier areas in RI, which are typically required for basic reporting on merchandise. The user can create reports, but not agents. |

Note: Pre-production environment groups use the _PREPROD notation at the end of the role names, such as SalesInsights_JOB_PREPROD. For a full list of user groups in Retail Insights, refer to the Retail Insights Administration Guide.

Science Applications

Each Science application on the platform has its own set of groups that determine a user’s access level to that application’s user interface. Groups are divided based on typical business tasks and duties that the user is expected to perform, such as one group for managing markdown optimization configurations and another which only creates and runs scenarios. Just like Retail Insights, these groups also use the _PREPROD notation for non-production environment permissions.

Table 2-3 Example Science User Groups

| Example User | IDCS or OCI IAM Groups | Description |
|---|---|---|
| System Implementer / Business Administrator | ADMINISTRATOR_JOB | User has access to the Tactical and Control Center for modifying system configurations and creating forecasts. |
| Inventory Analyst | INVENTORY_ANALYST_JOB, RetailVisualAnalyzer_JOB | User has access to the Inventory Optimization application screens as well as the Data Visualizer tool for viewing/editing reports. |
| Size Profile Analyst | SIZE_PROFILE_ANALYST_JOB | Responsible for system parameter maintenance to support size profile calculations. May also be responsible for the approval of size profiles. |

For a complete list of available groups, refer to the Retail Science Cloud Service Administration Guide.

Merchandise Financial Planning

Merchandise Financial Planning provides default IDCS or OCI IAM groups to manage access levels in the application. In MFP, user access to various templates can be controlled at the user-group level, and those groups are aligned with IDCS or OCI IAM. Aside from the default IDCS or OCI IAM groups, administrators can also create new user groups directly within MFP and synchronize those groups using Online Administration Tasks.

| Example User | IDCS or OCI IAM Groups | Description |
|---|---|---|
| MFP Prod Users | MFP_AUTH_PROD | Grants MFP access to a production environment. |
| MFP Stage Users | MFP_AUTH_STAGE | Grants MFP access to a stage (non-production) environment. |
| Application Administrator | MFP_ADMIN_PROD, MFP_ADMIN_STAGE | The administrator will have access to all templates within the application, and can schedule Online Administration Tasks. |
| MFP Planners/MFP Approvers | MFP_USERS, MFP_PLANNERS, MFP_BUYERS, MFP_APPROVERS | MFP user permissions are given by administrators at the template level. Users within each of these groups will only have access to the associated templates. |

For a complete list of available groups and more details, refer to the RPASCE Administration Guide and MFP Administration Guide.

Demand Forecasting

Demand Forecasting provides default IDCS or OCI IAM groups for managing access levels in the application. In RDF, user access to various templates can be controlled at the user-group level, and those groups are aligned with IDCS or OCI IAM. Aside from the default IDCS or OCI IAM groups, administrators can also create new user groups directly within RDF and synchronize those groups using Online Administration Tools (OAT).

| Example User | IDCS or OCI IAM Groups | Description |
|---|---|---|
| RDF Prod Users | RDF_AUTH_PROD | Grants RDF access to a production environment. |
| RDF Stage Users | RDF_AUTH_STAGE | Grants RDF access to a stage (non-production) environment. |
| Application Administrator | RDF_ADMIN_PROD, RDF_ADMIN_STAGE | An administrator has access to all templates within the application and can schedule Online Administration Tasks. |
| RDF Analysts/Managers | RDF_ANALYSTS, RDF_MANAGERS | RDF user permissions for non-admin users. |

For a complete list of available groups and more details, refer to the RPASCE Administration Guide and RDF Administration Guide.
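
The group tables above mix two environment naming schemes (_PREPROD for Retail Insights and Science groups, _PROD/_STAGE for MFP and RDF), which matters when reviewing who holds administrator access in production. The following is an added example, not part of the original guide or of any Oracle tooling: it reads a user-to-group list and reports users who hold a production administrator group without being on an approved list. The two-column input layout, the sample users, and the rule that an unsuffixed group name counts as production are assumptions.

```python
import csv
import io

# Administrator-level groups named in the tables on this page, as base names
# with any environment suffix removed (MFP_ADMIN_PROD -> MFP_ADMIN).
ADMIN_BASES = {
    "BATCH_ADMINISTRATOR_JOB", "RETAIL_HOME_ADMIN",
    "PLATFORM_SERVICES_ADMINISTRATOR", "DATA_SCIENCE_ADMINISTRATOR_JOB",
    "DATA_SCIENCE_OLDS_ADMIN_JOB", "ADMINISTRATOR_JOB",
    "RIApplicationAdministrator_JOB", "MFP_ADMIN", "RDF_ADMIN",
}
NONPROD_SUFFIXES = ("_PREPROD", "_STAGE")

def split_env(group):
    """Return (base_name, 'prod' | 'nonprod') for a group name."""
    for suffix in NONPROD_SUFFIXES:
        if group.endswith(suffix):
            return group[: -len(suffix)], "nonprod"
    if group.endswith("_PROD"):
        return group[: -len("_PROD")], "prod"
    # Assumption: a name with no environment suffix is a production group.
    return group, "prod"

def unapproved_prod_admins(rows, approved):
    """Map user -> sorted production admin groups, skipping approved users."""
    findings = {}
    for row in rows:
        user, group = row["user"].strip(), row["group"].strip()
        base, env = split_env(group)
        if env == "prod" and base in ADMIN_BASES and user not in approved:
            findings.setdefault(user, set()).add(group)
    return {u: sorted(g) for u, g in findings.items()}

# Constructed sample; the two-column layout is hypothetical, not an IDCS export format.
SAMPLE = """user,group
alice,RIApplicationAdministrator_JOB
alice,BIAuthors_JOB
bob,SalesInsights_JOB
bob,ADMINISTRATOR_JOB_PREPROD
carol,MFP_ADMIN_STAGE
carol,MFP_ADMIN_PROD
dave,RDF_AUTH_PROD
dave,BATCH_ADMINISTRATOR_JOB
"""

def run_sample():
    rows = csv.DictReader(io.StringIO(SAMPLE))
    return unapproved_prod_admins(rows, approved={"alice"})

if __name__ == "__main__":
    for user, groups in sorted(run_sample().items()):
        print(user, groups)
```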