5 Brand Compliance Cloud Service Authentication and Authorization

Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to create a supplier account?).

Authentication and IDCS or OCI IAM

Brand Compliance Cloud Service uses either Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP):

When a user connects to the Brand Compliance Cloud Service UI, application URL requests are redirected to the IDCS or OCI IAM login screen, where IDCS or OCI IAM authenticates the user. When a user logs out of Brand Compliance Cloud Service, Brand Compliance invokes an IDCS or OCI IAM logout to end the authenticated session.

IDCS and OCI IAM

IDCS and OCI IAM are Oracle's cloud-native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. Both IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premises applications to extend the scope of this SSO.

Both IDCS and OCI IAM are available in two tiers: Foundation and Standard.

  • Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionality, including user management, group management, password management, and basic reporting.

  • Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.

Details of the specific features available in each tier and the IDCS or OCI IAM Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Brand Compliance Cloud Service only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.

IDCS, OCI IAM, and Application Users

Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.

The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators by using IDCS or OCI IAM. A key feature of IDCS or OCI IAM is that basic user maintenance can be further delegated through identity self-service.

When application users are created in IDCS or OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Brand Compliance Cloud Service. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.

Note:

The IDCS or OCI IAM username is passed to Brand Compliance as the application user id. It is persisted in the database as part of the basic Brand Compliance transaction audit trail. If a corporate email address is used as the IDCS or OCI IAM username, that corporate email address will be persisted in the Brand Compliance database.

To fully inform Brand Compliance users that their corporate email address will be saved, we recommend that retailers implement IDCS or OCI IAM Terms of Use functionality.

The IDCS or OCI IAM Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. This feature allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist corporate email address for Brand Compliance auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.

https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-terms-use.html

Authorization

While IDCS and OCI IAM have some authorization features, Brand Compliance Cloud Service manages application functional security with a role-based, permission-driven model: resources are protected by roles and authority profiles, and those roles and authority profiles are assigned to users. The application includes a number of default roles.
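The following is an added illustration of the two ideas in this chapter, not Brand Compliance Cloud Service code: the identity provider's username becomes the application user id recorded in the audit trail, and a deny-by-default check grants an action only if one of the user's roles or authority profiles carries the matching permission. The role, authority profile and permission names, and the rule that a user's effective permissions are the union of what their roles and profiles grant, are assumptions made for the example and do not describe the product's actual role definitions.

```python
"""Illustrative role-based authorization check with an audit trail keyed by the IdP username.

Added example; not Brand Compliance Cloud Service code. Role, profile and
permission names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    # The IDCS / OCI IAM username, which the application records as its user id.
    idp_username: str
    roles: Set[str] = field(default_factory=set)
    authority_profiles: Set[str] = field(default_factory=set)


# Constructed sample data: roles and authority profiles each grant a set of
# "resource:action" permissions. (Assumed structure, not the product's.)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "supplier_manager": {"supplier:create", "supplier:read"},
    "read_only": {"supplier:read"},
}
PROFILE_PERMISSIONS: Dict[str, Set[str]] = {
    "audit_viewer": {"audit:read"},
}

# Every authorization decision is appended here, keyed by the IdP username,
# mirroring the "user id persisted in the audit trail" behaviour described above.
AUDIT_TRAIL: List[dict] = []


def effective_permissions(user: User) -> Set[str]:
    """Union of permissions from the user's roles and authority profiles.

    An unknown role or profile name grants nothing, so a misconfigured
    assignment fails closed rather than open.
    """
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    for profile in user.authority_profiles:
        perms |= PROFILE_PERMISSIONS.get(profile, set())
    return perms


def authorize(user: User, action: str) -> bool:
    """Deny by default: allow only if the action is among the effective permissions."""
    allowed = action in effective_permissions(user)
    AUDIT_TRAIL.append(
        {"user_id": user.idp_username, "action": action, "allowed": allowed}
    )
    return allowed


def audit_entries_for(user_id: str) -> List[dict]:
    """Return the audit records persisted for one IdP username."""
    return [entry for entry in AUDIT_TRAIL if entry["user_id"] == user_id]


if __name__ == "__main__":
    # Constructed users; the email-style usernames show why the audit trail
    # ends up holding corporate email addresses when those are the IdP usernames.
    john = User("john.smith@example.com", roles={"supplier_manager"})
    jane = User("jane.doe@example.com", roles={"read_only"},
                authority_profiles={"audit_viewer"})
    print(authorize(john, "supplier:create"))  # True
    print(authorize(jane, "supplier:create"))  # False
    print(authorize(jane, "audit:read"))       # True
    for entry in audit_entries_for("jane.doe@example.com"):
        print(entry)
```

Because the check returns a boolean and records the decision in the same step, a reviewer can reconstruct from the audit trail which IdP identity attempted which action and whether the role and authority profile assignments permitted it.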