9 Application-Specific Roles

Retail Home

Assigning Oracle Retail Cloud Service Access

Retail Home comes with a set of pre-defined roles. Each role is managed as a group in OCI IAM, and there is a group for each role for Stage and Prod. The preprod role is used for all nonproduction environments; for example, if a customer has Dev, Stage, and Prod environments, the preprod role applies to both the Dev and Stage environments. If a role is a Stage or Dev role, its name is appended with “_PREPROD”.

Note:

  • PLATFORM_SERVICES_ADMINISTRATOR_ABSTRACT is required by all users who access the Retail Home application. 

  • For nonproduction environments, the role names required are suffixed with _PREPROD, for example, RETAIL_HOME_ADMIN_PREPROD.

Identity Group (Role) Access Granted in Retail Home (UI or API)

All users who log in to the Retail Home application.

  • Home Dashboard for the roles assigned

  • Left Navigation Menus

    • Application Navigator

    • Favorites*

    • Tasks

      • Home Dashboard

      • Welcome Page

      • Roles

    • Notifications*

    • Reports*

*Content is shown depending on the role

RETAIL_HOME_ADMIN and PLATFORM_SERVICES_ADMINISTRATOR

  • All basic access as mentioned above.

  • Settings Menu

    • User Interface

      • Global Area Configuration

    • Dashboards and Reports

      • Custom Reports

      • Dashboard Configuration

    • Application Administration

      • Customer Modules Management

      • Application Dashboard

      • Application Navigator Setup

      • Manage OAuth Clients

    • Resource Bundles

      • Resource Text Strings

      • Imports Management

      • Role Labels

    • Manage Notifications

    • Integration Status

    • Application Properties

    • Import/Export

RH_ROLE_REQUEST_ABSTRACT

  • The user receives a notification when other users request to add roles.

RH_ROLE_REMOVE_ABSTRACT

  • The user receives a notification when other users request to remove roles.

DATAPRIV_ADMINISTRATOR_REST_API_ROLE

  • Allows calling Data Privacy Services API, for example, https://home.retail.<region>.ocs.oraclecloud.com/rgbu-common-<customer code>-<environment>-rh/RetailAppsDataPrivServices

Further details on these roles and their functional access can be found in the Oracle Retail Home Security Guide here https://docs.oracle.com/en/industries/retail/index.html.

Process Orchestration and Monitoring (POM)

Assigning Oracle Retail Cloud Service Access

POM comes available with a set of pre-defined roles; each role is managed as a group in an OCI IAM Domain. There is a group for each role for Stage and Production. If a role is a Stage role, it would be appended with “_PREPROD”.

Roles/Groups Description

BATCH_VIEWER_JOB

Retailer business users responsible only for monitoring batch.

BATCH_SCHEDULE_CONFIGURATION_MANAGER_JOB

Retailer administrators responsible for monitoring batch and configuring external dependencies and callbacks into the company’s systems.

BATCH_SCHEDULE_ADMINISTRATOR_JOB

Retailer administrators responsible for maintaining, monitoring, and executing batches.

BATCH_ADMINISTRATOR_JOB

Retailer administrators who can perform all functions within POM. This role is equivalent to its Oracle AMS counterpart BATCH_ORACLE_AMS_ADMINISTRATOR_JOB described next.

BATCH_ORACLE_AMS_ADMINISTRATOR_JOB

Oracle AMS administrators who monitor, maintain, and configure the batch schedules. They also maintain POM application configurations for efficient operations.

Further details on these roles and their functional access can be found in the Oracle Retail Home Security Guide here https://docs.oracle.com/en/industries/retail/index.html.

Oracle Analytics Server (OAS)

Assigning Oracle Retail Cloud Service Access

Most Oracle Retail applications starting with version 22 or later include an instance of Oracle Analytics Server (OAS) as part of the provisioning. This OAS instance is a managed SaaS environment which is administered by Oracle exclusively and you will not have administrative access to the server. Your permissions will be limited to the pre-defined roles for end users to access core OAS functionality like building reports and data visualizations. You will know if you have OAS as part of your environment because your Retail Home may have links to one of these endpoints:

https://<host>/dv/, https://<server>/analytics/, or https://<server>/xmlpserver/.

Note:

Only customers who have purchased Retail Insights Cloud Service will get access to the analytics endpoint. All other customers will get only Data Visualization (dv) and Publisher (xmlpserver) access.

For users to access Data Visualizer or other components of Oracle Analytics, they must be assigned at least one of a set of roles defined to control access to Oracle Analytics. Group names are prefixed with a unique tenant ID that is specific to your cloud service environment. This is necessary because you will have multiple OAS instances on one IAM tenant (such as Dev, Stage, and Prod environments). The OAS tenant ID is a long string of characters like this:

bd835fj48ffj3lwisda4h

The role names would then look like this:

bd835fj48ffj3lwisda4h-BIConsumer

The set of common roles defined for OAS and DV are:

Table 9-1 OCI IAM Roles and Descriptions

OCI IAM Role Description

<tenant ID>-DVConsumer

Role granting permission to view visualizations in Data Visualizer.

<tenant ID>-DVContentAuthor

Role granting permissions to create data sets and visualizations in the Data Visualizer.

<tenant ID>-BIConsumer

Role granting permission to view reports and dashboards in OAS (Analytics and Publisher).

<tenant ID>-BIContentAuthor

Role granting permission to create reports and dashboards in OAS (Analytics and Publisher).

Note:

Higher-level roles automatically include lower-level roles. For example, all users with the DV Content Author role are implicit members of DV Consumer as well.

You will see other pre-defined roles in your OCI IAM instance, such as BI Service Administrator, but these roles are reserved for Oracle internal usage and granting them to your own users will not result in administrator level access.

Retail Data Store Cloud Services (RDS)

Assigning Oracle Retail Cloud Service Access

Once Retail Data Store Cloud Services (RDS) is provisioned, each workspace comes with a single user configured in APEX/ORDS. This user is the Workspace Administrator for that workspace. For initial access, you must create a user in OCI IAM for each Workspace Administrator account; you will not be able to access RDS until the OCI IAM users are added. Each Workspace Administrator user added in OCI IAM must match the username included with the RDS workspace. The Workspace Administrator account passwords and their lifecycle will then be managed in OCI IAM going forward. There is no need to synchronize this user with APEX. The only requirement is that the usernames match.

This is the set of Workspace Administrators provided:

USERNAMES Description

MFCS_RDS_CUSTOM

Workspace Administrator provided for Merchandising Foundation Cloud Service.

CE_RDS_CUSTOM

Workspace Administrator provided for Customer Engagement Cloud Service.

SIOCS_RDS_CUSTOM

Workspace Administrator provided for Store Inventory Operations Cloud Service.

OB_RDS_CUSTOM

Workspace Administrator provided for Order Orchestration Cloud Service.

XO_RDS_CUSTOM

Workspace Administrator provided for Xstore Office Cloud Service.

SE_RDS_CUSTOM

Workspace Administrator provided for Supplier Evaluation Cloud Service.

Create each user listed in the first column in your OCI IAM tenant and reset the password for it, and then you may use it to access the associated RDS workspace. For more information about RDS APEX Workspace Administrator users, see the APEX User Management section in the Oracle Retail Data Store Implementation Guide on the Oracle Help Center (docs.oracle.com) at the following URL:

https://docs.oracle.com/en/industries/retail/index.html

Collect and Receive (CaR)

CaR web services APIs are secured with OAuth 2.0. For further details on web service authentication, see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide found on My Oracle Support DocID 2728265.1.

Managing access to Oracle Analytics

RDS subscriptions include support for use of CaR data in Oracle Analytics Server (OAS). For users to access the Data Visualizer or other components of Oracle Analytics, they must be assigned at least one of a set of roles defined to control access to Oracle Analytics. Refer to the section of this chapter on Oracle Analytics Server for the available roles.

For more information about pre-created user roles in OAS, see the Set Up Security with Users, Groups, and Application Roles chapter in the Managing Security for Oracle Analytics Server document.

https://docs.oracle.com/en/middleware/bi/analytics-server/index.html

Merchandising Cloud Services

Assigning Oracle Retail Cloud Service Access

Oracle Retail Merchandising Cloud Service Suite comes with a set of pre-defined roles. Each role is managed as a group in OCI IAM.

  • There is a group for each role for Stage and Prod. If a role is a Stage role, it would be appended with “_PREPROD”.

  • Users can be assigned to different groups dependent on the access requirements for that user.

For the full list of roles that are seeded with each of the solutions in the suite, see the Volume 2, Security Guides for each solution available here https://docs.oracle.com/en/industries/retail/index.html.

It is recommended to create additional administrators for each service. The groups for each cloud service that represent the administrator are:

Application Group

Merchandising

RMS_APPLICATION_ADMINISTRATOR_JOB

Sales Audit

RESA_APPLICATION_ADMINISTRATOR_JOB

Allocation

ALLOCATION_APPLICATION_ADMINISTRATOR_JOB

Invoice Matching

REIM_APPLICATION_ADMINISTRATOR_JOB

Pricing

PRICING_APPLICATION_ADMINISTRATOR_JOB

Retail Fiscal Management

RFM_APPLICATION_ADMINISTRATOR_JOB

Brand Compliance Management Cloud Service

Creating Users and Assigning Oracle Retail Cloud Service Access

Users are created in ORBC and pushed to OCI IAM. When a new user or external system is created (whether manually, as part of a bulk upload, or by the Users API), a corresponding user profile is automatically created and activated in OCI IAM. The OCI IAM profile is automatically assigned to a group that represents its Brand Compliance user role access rights.

For changes to users there is an hourly sync between ORBC and OCI IAM.

User Access Levels (permissions - user roles, authority profiles, API end point access) are managed on the user record and external system records in ORBC.

Details for ORBC User Administration can be located within the Administration Guide at the following URL:

https://docs.oracle.com/en/industries/retail/index.html

Supplier Evaluation Cloud Service

Access OCI IAM

For more information about OCI users and roles, see the Access OCI IAM section in the Oracle Retail Supplier Evaluation Cloud Service Administrator Action List and the OCI IAM Integration for Authentication section in the Oracle Retail Supplier Evaluation Cloud Service Administration Guide on the Oracle Help Center (docs.oracle.com) at the following URL:

https://docs.oracle.com/en/industries/retail/index.html

Customer Engagement Cloud Service

Assigning Oracle Retail Cloud Service Access

ORCE uses application roles in OCI IAM to manage user access to ORCE.

The Oracle Cloud Services application names for ORCE are typically of the format RGBU_CECS_{ENV}

  • where {ENV} can be PRDXX or STGXX or DEVXX

  • where XX represents an index number

  • For example, RGBU_CECS_PRD1 or RGBU_CECS_STG2 and so on.

Further details on the roles and their functional access can be found in the Oracle Retail Customer Engagement Administration Guide.

https://docs.oracle.com/en/industries/retail/index.html

ORCE web services APIs are secured with OAuth 2.0. For further details on web service authentication, see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide found on My Oracle Support DocID 2728265.1.

Order Orchestration Cloud Service (OOCS)

Assigning Oracle Retail Cloud Service Access

OOCS uses application roles to grant users the authority to log in. The application roles OBCS_Admin, OBCS_User, OBCS_Store_User, and OBCS_Vendor_User provide access to the Order Orchestration UI, Store Connect, and Vendor Portal features.

Roles/Groups Description

OBCS_Admin

OBCS_Admin/Order Orchestration user can log into Order Orchestration UI with admin authority, including access to the Tenant screen.

OBCS_User

OBCS_User/Order Orchestration user without admin authority. Additional authority is based on the Roles assigned through the Role Wizard in Order Orchestration.

OBCS_Store_User

OBCS_Store_User/Store Connect user can log into Store Connect. Assigned to the “OBCS|{ENV}|STC-<system> user” group, where <system> is the system code of the Store Connect default system in your organization.

OBCS_Vendor_User

OBCS_Vendor_User/Vendor user can log into Vendor Portal and must be associated with a vendor. Assigned to the vendor user group that is created as “OBCS|{ENV}|<system>|vendor”, where <system> is the system code identifying the default vendor system, and <vendor> is the code identifying the vendor. Additional authority is based on the Roles assigned through the Role Wizard in Order Orchestration.

  • Access to specific OOCS functionality can be tailored within OOCS

  • The Oracle Cloud Services application names for OOCS are typically of the format RGBU_OBCS_{ENV}

    • where {ENV} can be PRDXX or STGXX or DEVXX

    • where XX represents an index number

    • For example, RGBU_OBCS_PRD1 or RGBU_OBCS_STG2 and so on

Synchronization between OCI IAM and OOCS can be run on demand or scheduled.

Further details on the roles and their functional access can be found in the Oracle Retail Order Orchestration Cloud Service Administration Guide https://docs.oracle.com/en/industries/retail/index.html.

OOCS REST APIs are secured with OAuth 2.0. For further details on web service authentication, see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide found on My Oracle Support DocID 2728265.1.

Order Administration Cloud Service (OACS)

Assigning Oracle Retail Cloud Service Access

Order Administration uses application roles to manage user access to Order Administration.

Roles/Groups Description

OMCS_User

Order Administration uses application roles to manage user access to Order Administration.

The user record will be created in Order Administration with default authority.

OMCS_Admin

Order Administration uses application roles to manage user access to Order Administration

The user record will be created in Order Administration with full administrative authority

Authorization to specific Order Administration functionality can be configured within the Order Administration application

The Oracle Cloud Services application names for Order Administration are typically of the format RGBU_OMCS_{ENV}

  • where {ENV} can be PRDXX or STGXX or DEVXX

  • where XX represents an index number

For example, RGBU_OMCS_PRD1 or RGBU_OMCS_STG2 and so on. Synchronization between OCI IAM and Order Administration can be run on demand or scheduled.

Further details on the roles and their functional access can be found in the Oracle Retail Order Administration Cloud Service Administration Guide https://docs.oracle.com/en/industries/retail/index.html.

Order Administration REST APIs are secured with OAuth 2.0

  • Additional application-level authorization is done via custom AppRole

For further details on web service authentication, see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide found on My Oracle Support DocID 2728265.1.

Xstore Office Cloud Service (XOCS)

Assigning Oracle Retail Cloud Service Access

For a user to access Xadmin the user must be granted the User Access application role for the relevant environment within OCI IAM. The Oracle Cloud Services application names for Xstore Office are typically of the format

  • RGBU_XTROFFCS_{ENV}_XOFFICE

  • where {ENV} can be PRD or UAT or DEV or PRDXX or STGXX or DEVXX

  • where XX represents an index number

    • For example, RGBU_XTROFFCS_UAT_XOFFICE or RGBU_XTROFFCS_PRD_XOFFICE or RGBU_XTROFFCS_PRD1_XOFFICE or RGBU_XTROFFCS_STG2_XOFFICE and so on.

Once the user is synced with Xadmin (every hour) the administration user can work on assigning organizations, a role and org nodes to each user to control what functionality will be available to them.

Xcenter REST APIs are secured with OAuth 2.0

  • Additional application-level authorization is done via custom AppRoles.

Further details on the roles and their functional access can be found in the Oracle Retail Xstore Office Cloud Service Security Guide and the Oracle Retail Xstore Office Cloud Service Administration Guide https://docs.oracle.com/en/industries/retail/index.html

For further details on web service authentication, see the Oracle Retail Omnichannel Web Service Authentication Configuration Guide found on My Oracle Support DocID 2728265.1.
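An access review usually starts by separating production entitlements from nonproduction ones. The following is an added example, not Oracle code: it classifies names using the `_PREPROD` group suffix and the `RGBU_<service>_{ENV}` application-name formats quoted in this chapter for ORCE, OOCS, Order Administration, and Xstore Office. The user names and assignments are constructed sample data, and names that do not fit the quoted formats are returned for manual review rather than guessed.

```python
import re
from typing import NamedTuple, Optional

# {ENV} values the page lists. Indexed forms (PRDXX, STGXX, DEVXX) apply to all
# four services; unindexed PRD, UAT and DEV are listed for Xstore Office only.
INDEXED_ENVS = {"PRD", "STG", "DEV"}
XOFFICE_UNINDEXED_ENVS = {"PRD", "UAT", "DEV"}

_APP_RE = re.compile(
    r"^RGBU_(?P<svc>CECS|OBCS|OMCS|XTROFFCS)_"
    r"(?P<env>[A-Z]{3})(?P<idx>\d*)(?P<xo>_XOFFICE)?$"
)


class AppEnv(NamedTuple):
    service: str
    env: str
    index: Optional[int]
    production: bool


def parse_app_name(name: str) -> Optional[AppEnv]:
    """Parse an application name; None means it needs a manual look."""
    m = _APP_RE.match(name)
    if m is None:
        return None
    svc, env, idx = m["svc"], m["env"], m["idx"]
    is_xoffice = svc == "XTROFFCS"
    # Xstore Office names carry the _XOFFICE suffix; the other three do not.
    if is_xoffice != (m["xo"] is not None):
        return None
    if idx:
        allowed = INDEXED_ENVS
    elif is_xoffice:
        allowed = XOFFICE_UNINDEXED_ENVS
    else:
        return None  # CECS/OBCS/OMCS are listed only in indexed form
    if env not in allowed:
        return None
    return AppEnv(svc, env, int(idx) if idx else None, env == "PRD")


def group_environment(group: str) -> tuple:
    """Split a role group into (base role, 'preprod' or 'prod').

    Only meaningful for groups that follow the _PREPROD convention
    (Retail Home, POM, Merchandising, AI Foundation). OAS groups are
    scoped by tenant ID instead and must not be passed in.
    """
    if group.endswith("_PREPROD"):
        return group[: -len("_PREPROD")], "preprod"
    return group, "prod"


def production_access(assignments: dict) -> dict:
    """Return {user: {'production': [...], 'unrecognized': [...]}}."""
    report = {}
    for user, names in assignments.items():
        prod, unknown = [], []
        for name in names:
            if name.startswith("RGBU_"):
                app = parse_app_name(name)
                if app is None:
                    unknown.append(name)
                elif app.production:
                    prod.append(name)
            elif group_environment(name)[1] == "prod":
                prod.append(name)
        report[user] = {
            "production": sorted(prod),
            "unrecognized": sorted(unknown),
        }
    return report


# Constructed sample data: users and their assignments are invented.
SAMPLE = {
    "alice": ["RETAIL_HOME_ADMIN_PREPROD", "BATCH_VIEWER_JOB_PREPROD",
              "RGBU_CECS_STG2"],
    "bob": ["RETAIL_HOME_ADMIN", "RGBU_XTROFFCS_PRD_XOFFICE",
            "RGBU_OBCS_DEV1"],
    "carol": ["RGBU_OMCS_UAT", "RGBU_XTROFFCS_UAT_XOFFICE",
              "RGBU_OMCS_PRD1"],
}

if __name__ == "__main__":
    for user, result in production_access(SAMPLE).items():
        print(user, result)
```
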

Store Inventory Operations Cloud Service (SIOCS)

Assigning Oracle Retail Cloud Service Access

Oracle Retail Enterprise Inventory Cloud Service (EICS) comes with a set of pre-defined roles. Each role is managed as an “Application Role” in OCI IAM. Each environment will have an application record in OCI IAM, for example: RGBU_SIOCS_<ENV>_EICS or RGBU_SIOCS_<ENV>.

Users can be assigned to different app roles within each app depending on the access requirements for that user.

App Roles Description

All

The IDCS or OCI IAM application role all_users is required to access SIOCS.

This app role should be assigned to all users.

Admin

The IDCS or OCI IAM application role admin_users is required for access to administration tasks, such as managing configuration settings or translations.

This IDCS or OCI IAM application role should only be assigned to system operators and administrators.

Batch

This IDCS or OCI IAM application role should only be assigned to system operators and batch administrators.

The IDCS or OCI IAM application role batch_users is required for access to batch related tasks, such as job management or scheduling.

Full Permission

The IDCS or OCI IAM application role full_permission_users allows the user to gain access to all available permissions without any database role assignment.

This IDCS or OCI IAM application role should only be assigned to the system operator and the initial customer admin user.

This full permissions IDCS or OCI IAM application role does not provide full data permission access. To perform administration operations, the user should be assigned the ADMINISTRATOR SIOCS application role in the SIOCS application.

Global Store User

The IDCS or OCI IAM application role global_store_users grants the user access to all store locations.

This IDCS or OCI IAM application role should only be assigned to system operators, and administrators or special users requiring access to all store locations.

Integration

The IDCS or OCI IAM application role integration_users is required for accessing integration resources, such as web services.

This IDCS or OCI IAM application role should only be assigned to users designated for application integration, not those requiring access to the application UI.

Users that are only integrating with SIOCS are considered integration users, for example, the RIB injection user is a typical case of an integration user.

These users do not require access to the SIOCS client applications, and therefore do not require store assignments or role assignments (permissions).

MPS

The IDCS or OCI IAM application role mps_users is required for access to MPS (message processing service) related tasks, such as staged message maintenance or work type management.

This IDCS or OCI IAM application role should only be assigned to system operators and MPS administrators.

Security

The IDCS or OCI IAM application role security_users is required for access to security management tasks, such as role maintenance and user role/store assignments.

This IDCS or OCI IAM application role should only be assigned to system operators and security administrators.

Users accessing application UI features that are restricted by group access must also be granted the relevant permissions through role and store assignments.

A regular store user should not require this assignment for accessing the application UI.

System Operator

The IDCS or OCI IAM application role sysop_users is required for access to restricted areas of the application, such as certain system configuration settings.

This IDCS or OCI IAM application role should only be assigned to system operators, which are typically the cloud operator.

Note: The sysop_users IDCS or OCI IAM application role is for internal use by the Oracle team only and should not be assigned to customer users.

Two OCI IAM groups are used for special purpose access. These groups can be found under the Groups section in the OCI IAM Domain.

Roles/groups Description

psraf_users

The group psraf_users is required to access platform features, for example, Favorites. This group should be assigned to all users. The naming convention for the group is <EICS_IAM_APP_DISPLAY_NAME>.psraf_users, for example: RGBU_SIOCS_<ENV>_EICS.psraf_users or RGBU_SIOCS_<ENV>.psraf_users

psraf_admin_users

The group psraf_admin_users is required to access platform features, for example, Favorites. This group should be assigned to all users. The naming convention for the group is <EICS_IAM_APP_DISPLAY_NAME>.psraf_admin_users, for example: RGBU_SIOCS_<ENV>_EICS.psraf_admin_users or RGBU_SIOCS_<ENV>.psraf_admin_users.

retail_home_users

The group retail_home_users is required for Retail Home application users to access SIOCS tile APIs. This group should be assigned to all Retail Home users that need access to SIOCS tiles. The naming convention for the group is <EICS_IAM_APP_DISPLAY_NAME>.retail_home_users, for example: RGBU_SIOCS_<ENV>_EICS.retail_home_users or RGBU_SIOCS_<ENV>.retail_home_users.

Common user types and the associated roles they could be granted for SIOCS access are detailed in the FAQ. Further details on these roles and their functional access can be found in the Enterprise Inventory Cloud Service Administration Guide here https://docs.oracle.com/en/industries/retail/index.html.
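The assignment guidance in the SIOCS app role table can be checked mechanically during an access review. The following is an added example, not Oracle code: it audits application role assignments against the statements above (all_users required for everyone, sysop_users reserved for Oracle, full_permission_users limited to approved accounts, integration_users kept off UI users, operator and administrator roles kept off regular store users). The `kind` labels, the approval list, and the sample users are assumptions constructed for illustration, and every input user is assumed to be a customer user.

```python
from dataclasses import dataclass

# Application roles named in the SIOCS table, grouped by the guidance given.
REQUIRED_FOR_ALL = "all_users"
ORACLE_INTERNAL = "sysop_users"
FULL_PERMISSION = "full_permission_users"
INTEGRATION = "integration_users"
OPERATOR_OR_ADMIN_ONLY = {
    "admin_users", "batch_users", "global_store_users",
    "mps_users", "security_users",
}


@dataclass(frozen=True)
class Assignment:
    user: str
    kind: str             # hypothetical label: store | administrator | integration
    app_roles: frozenset  # application roles granted in OCI IAM


def audit_siocs(assignments, full_permission_approved=frozenset()):
    """Return a list of (user, role, reason) findings for review."""
    findings = []
    for a in assignments:
        roles = a.app_roles
        if REQUIRED_FOR_ALL not in roles:
            findings.append((a.user, REQUIRED_FOR_ALL,
                             "missing: required to access SIOCS"))
        if ORACLE_INTERNAL in roles:
            findings.append((a.user, ORACLE_INTERNAL,
                             "Oracle-internal role on a customer user"))
        if FULL_PERMISSION in roles and a.user not in full_permission_approved:
            findings.append((a.user, FULL_PERMISSION,
                             "holder is not on the approved list"))
        if INTEGRATION in roles and a.kind != "integration":
            findings.append((a.user, INTEGRATION,
                             "integration role on a UI user"))
        if a.kind == "integration" and INTEGRATION not in roles:
            findings.append((a.user, INTEGRATION,
                             "missing: required for integration resources"))
        if a.kind == "store":
            # Regular store users should not hold operator/administrator roles.
            for role in sorted(roles & OPERATOR_OR_ADMIN_ONLY):
                findings.append((a.user, role,
                                 "operator/administrator role on a store user"))
    return findings


# Constructed sample data: user names and role sets are invented.
SAMPLE = [
    Assignment("store.clerk", "store", frozenset({"all_users"})),
    Assignment("store.lead", "store",
               frozenset({"all_users", "security_users", "global_store_users"})),
    Assignment("ops.admin", "administrator",
               frozenset({"all_users", "admin_users",
                          "full_permission_users", "sysop_users"})),
    Assignment("rib.inject", "integration", frozenset({"integration_users"})),
    Assignment("ui.analyst", "store",
               frozenset({"all_users", "integration_users"})),
]

if __name__ == "__main__":
    for user, role, reason in audit_siocs(SAMPLE, frozenset({"ops.admin"})):
        print(f"{user:12} {role:22} {reason}")
```
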

Retail AI Foundation Cloud Service

The Oracle Retail AI Foundation Cloud Service (AIF) combines AI, machine learning, and decision science with data captured from Oracle Retail SaaS applications and third-party data. The unique property of AIF Cloud Service, a learning-enabled application, is that it detects trends, learns from results, and increases its accuracy the more it is used, adding massive amounts of contextual data to obtain a clearer picture on what motivates outcomes.

The Oracle Retail AI Foundation Cloud Services are composed of the following Cloud Services:

  • Oracle Retail AI Foundation Cloud Service (AIF)

  • Oracle Retail Assortment and Space Optimization Cloud Service (RASO)

  • Oracle Retail Promotion, Markdown and Offer Optimization Cloud Service (RPMO)

  • Retail Offer Optimization Cloud Service (OO)

  • Oracle Retail Inventory Optimization Cloud Service (IO)

Managing Access to Oracle Analytics and Data Visualizer

AI Foundation Cloud Service subscriptions include use of application results in Oracle Analytics Data Visualizer (DV). In order for users to access the Data Visualizer or other components of Oracle Analytics, they must be assigned at least one of the roles defined to control access to Oracle Analytics. Refer to the section earlier in this document on Oracle Analytics Server for the available roles.

Assigning Innovation Workbench Access

AI Foundation Cloud Service subscriptions include use of Oracle Application Express (APEX) and other tools which are collectively referred to as Innovation Workbench (IW). Once AI Foundation is provisioned, you will have a single workspace defined in APEX called the Retailer Workspace. The workspace comes with a single initial user configured in APEX. This user is the Workspace Administrator for that workspace. For initial access, you must create a user in OCI IAM for the Workspace Administrator account; you will not be able to access APEX until the OCI IAM user is added. The Workspace Administrator account passwords and their lifecycle will then be managed in OCI IAM going forward. There is no need to synchronize this user with APEX. The only requirement is that the username matches what Oracle has defined.

Username Description

rtlwsp_admin

Workspace Administrator for Innovation Workbench

Create each user listed in the first column in your OCI IAM tenant and reset the password for it, and then you may use it to access the associated IW workspace. For more information about IW APEX Workspace Administrator users, see the Managing APEX and Extensions section in the Oracle Retail Analytics and Planning Administration Guide on the Oracle Help Center (listed within the AI Foundation document library) at the following URL:

https://docs.oracle.com/en/industries/retail/index.html

Assigning Oracle Retail Cloud Service Access

Each AI Foundation application on the platform has its own set of groups that determine a user’s access level to that application’s user interface. Groups are divided based on typical business tasks and duties that the user is expected to perform, such as one group for managing markdown optimization configurations and another which only creates and runs scenarios. The groups shown are for production systems; a similar set of groups are appended with _PREPROD for use on non-production systems (except for OAS/DV roles, which are described in a separate section of this chapter for Oracle Analytics Server).

The complete list of roles is provided below, separated out by the application or module of AI Foundation that uses it.

Application or Modules OCI IAM Role Description

Advanced Clustering

CLUSTERING_ADMINISTRATOR_JOB

Responsible for planning, building, and analyzing store clusters based on a variety of store and category attributes to support assortment, pricing, and space planning business processes in the Store Clustering Module.

Advanced Clustering

MERCHANDISER_JOB

A Store Merchandiser (or In-Store Merchandiser) is an hourly employee who executes the placement and assembly of retail fixtures, adjustment of shelves and arrangement and placement of product on the shelves in accordance with CAD drawings and planograms.

Advanced Clustering

IN-STORE_MERCHANDISER_JOB

Deprecated role for Advanced Clustering (no longer used).

Affinity Analysis

MARKET_BASKET_ANALYSIS_JOB

A user who understands the retailer's business, has some business analytics training, and is responsible for reviewing sales transaction affinity analysis.

Assortment & Space Optimization

CATEGORY_MANAGER_JOB

Product-assortment-centric user who is interested in viewing ASO results and in the translation of data between CMPO, Retail Analytics, and ASO.

Assortment & Space Optimization

SPACE_PLANNER_JOB

A Store Planner is a corporate employee with responsibility for designing the layout of floor plans, department sizes and locations, the layout of fixtures and aisles, applying health, safety and welfare guidelines, and managing and publishing floor-plan versions. This user is also responsible for the day-to-day micro-space optimization activities.

Assortment & Space Optimization

MERCHANDISING_ANALYST_JOB

Main business user responsible for day-to-day micro-space optimization activities.

Assortment & Space Optimization

SPACE_ADMINISTRATOR_JOB

Responsible for general system setup and configuration tasks related to the business.

Assortment & Space Optimization

FORECAST_MANAGER_JOB

Responsible for analytical configuration, testing, and model diagnosis.

Attribute Binning

ATTRIBUTE_BINNING_JOB

A user who understands the retailer's business, has some business analytics training, and has been trained in the use of the CDT application and attribute binning application.

Attribute Extraction

ATTRIBUTE_EXTRACTION_JOB

A user who is familiar with the retailer's product categories and has been trained in the use of the Attribute Extraction.

Customer Decision Trees, Demand Transference

ANALYTIC_EXPERT_JOB

Responsible for understanding the retailer's business, has some business analytics training, and has been trained in the use of the CDT and DT applications.

Control & Tactical Center

ADMINISTRATOR_JOB

A user who understands all the parameters driving the application and is responsible for their configuration as well as managing the credential store for CE, RPM, and so on.

Customer Segmentation

CUSTOMER_ANALYST_JOB

Develops customer segments and analyzes their customer shopping and buying behavior to determine customer differentiation, trends, and opportunities in Customer Segmentation Module.

Customer Segmentation

CUSTOMER_SEGMENT_ADMINISTRATOR_JOB

Responsible for analytical defaults and configuration, testing, and model diagnosis. This includes Filter, Sampling and Attribute Mining in the Customer Segmentation Module.

Customer Segmentation

MARKET_ANALYST_JOB

Reviews customer segments with business experts, suited (distinctly) for targeted promotion, category and assortment planning, targeted pricing, customer, and market basket analytics in Customer Segmentation module.

Data Lake

DATA_LAKE_HUE_ADMIN_JOB

Deprecated role for Data Lake service (no longer used).

Data Lake

DATA_LAKE_HUE_ANALYST_JOB

Deprecated role for Data Lake service (no longer used).

Demand Transference

ASSORTMENT_PLANNER_JOB

The Assortment Planner is responsible for creating the category assortments, to meet the roles, strategies, and tactics set for the category by the Category Manager. Multiple category assortments are created, for each cluster or store. One planner can be responsible for multiple categories.

Forecasting

FORECAST_ANALYST_JOB

Reviews and approves forecasts on a day-to-day basis. An advanced forecast analyst may also be responsible for forecast parameter maintenance and demand modeling activities.

Innovation Workbench

DATA_SCIENCE_ANALYST_JOB

Data Science Analyst role for a retailer using Innovation Workbench using APEX retailer workspace.

Innovation Workbench

DATA_SCIENCE_ADMINISTRATOR_JOB

Data Science Administration role for Retailer using Innovation Workbench using APEX retailer workspace.

Innovation Workbench

DATA_SCIENCE_ORCL_ADMIN_JOB

Data Science Cloud Administration role for a retailer using Innovation Workbench using APEX retailer workspace.

Innovation Workbench

DATA_SCIENCE_OLDS_ADMIN_JOB

Role to enable the administration of the Python notebook service under Innovation Workbench.

Innovation Workbench

DATA_SCIENCE_OLDS_ANALYST_JOB

Role to enable the Python notebook for an analyst under Innovation Workbench.

Lifecycle Pricing Optimization

CHATBOT_QNA_VIEW_JOB

Conversational AI role to enable frequently asked question types of bot conversation.

Lifecycle Pricing Optimization

CHATBOT_SERVICE_JOB

Conversational AI role to enable integration between AI Foundation Cloud Services and Oracle Chatbot.

Lifecycle Pricing Optimization

CHATBOT_VIEW_JOB

Conversational AI role to enable real time bot conversations.

Lifecycle Pricing Optimization

TARGETED_OFFER_JOB

User who probably works in the marketing department and who is responsible for accepting or rejecting targeted offers that are sent out to customers.

Lifecycle Pricing Optimization

BUYER_JOB

Responsible for a department or departments and makes the budget decisions for pricing recommendations. Approves or rejects an OO run. Responsible for the translation of data between OO and Oracle Retail Price Management (RPM) and Oracle Retail Customer Engagement (CE).

Lifecycle Pricing Optimization

PRICING_ANALYST_JOB

Main business user responsible for day-to-day pricing optimization activities (e.g., creating scenarios).

Lifecycle Pricing Optimization

PRICING_MANAGER_JOB

Responsible for analytical configuration, testing, and model diagnosis. Oversees the work done by the pricing analyst.

Lifecycle Pricing Optimization

PRICING_ADMINISTRATOR_JOB

Responsible for the general system setup and configuration tasks related to the business.

Lifecycle Pricing Optimization

REGULAR_PRICE_JOB

The regular price role develops strategies for setting regular prices for items to maximize sales and profits.

Profile Science

SIZE_PROFILE_ANALYST_JOB

Responsible for system parameter maintenance to support size profile calculations. May also be responsible for approval of size profiles. A user who understands size and profile estimations and is able to review and submit them for the retailer's business.

Profile Science

SIZE_PROFILE_OPT_JOB

A user who understands size and profile estimations and is able to review and submit them for the retailer's business.

Return Logistics

RETURN_LOGISTICS_JOB

Deprecated role for Return Logistics module (no longer used).

Social Analytics

SOCIAL_ANALYTICS_JOB

Deprecated role for Social Analytics module (no longer used).

Xstore Integration

POSLOGS_SERVICE_JOB

Point of Sale broadcast listener role to enable integration between Retail Science and Oracle Xstore.

Retail Insights Cloud Service

Assigning Oracle Retail Cloud Service Access

Retail Insights uses a combination of Oracle Analytics groups and RI-specific groups which give access to sets of metrics and attributes in RI in an additive fashion. For the base Oracle Analytics groups, refer to the section above on Oracle Analytics Server.

As an alternative (or in addition) to those base groups which are provided with OAS, RI also comes packaged with several custom OAS groups that have the same access levels within OAS but can also be used in the Catalog to manage permissions on reports and visualizations at a group level.

The additional OAS groups that are specifically for Retail Insights usage are listed below:

Table 9-2 OCI IAM Roles and Descriptions

OCI IAM Role Description
<tenant ID>-BIConsumer_JOB Includes similar permissions as BI Consumer.
<tenant ID>-BIAuthors_JOB Includes similar permissions as BI Content Author.
<tenant ID>-BIAuthorsCustom_JOB Deprecated role; in prior versions it was used to limit the scope of metrics shown in RI for BI authors.
<tenant ID>-BIAdministrators_JOB Administrator role for Oracle internal use.
<tenant ID>-BIImpersonate_JOB Administrator role for Oracle internal use.
<tenant ID>-RetailVisualAnalyzer_JOB Includes similar permissions as DV Content Author.
<tenant ID>-RIApplicationAdministrators_JOB Customer administrator role which has the ability to create BI agents and BI publisher jobs and access the RI administration subject areas.

To use Retail Insights, you will also need one or more functional groups that will grant access to metadata in the RI subject areas in Oracle Analytics. These groups are listed below:

Table 9-3 OCI IAM Roles and Corresponding Application Roles

OCI IAM Role Corresponding Application Role (as seen in OAS UI)
<tenant ID>-AltHierarchyInsights_JOB AltHierarchyInsights
<tenant_ID>-APInsights_JOB AP User Role
<tenant ID>-ConsumerInsights_JOB ConsumerInsights
<tenant ID>-CustomerInsights_JOB CustomerInsights
<tenant ID>-CustomerDetailInsights_JOB CustomerDetailInsights
<tenant ID>-CustomerLoyaltyInsights_JOB CustomerLoyaltyInsights
<tenant ID>-CustomerOrderInsights_JOB CustomerOrderInsights
<tenant ID>-CustomerSegmentInsights_JOB CustomerSegmentInsights
<tenant ID>-EmployeeInsights_JOB EmployeeInsights
<tenant ID>-Flex1Insights_JOB Flex1Insights
<tenant ID>-Flex2Insights_JOB Flex2Insights
<tenant ID>-Flex3Insights_JOB Flex3Insights
<tenant ID>-Flex4Insights_JOB Flex4Insights
<tenant ID>-FranchiseInsights_JOB FranchiseInsights
<tenant ID>-InventoryInsights_JOB InventoryInsights
<tenant_ID>-IPOInsights_JOB IPO User Role
<tenant_ID>-LPOInsights_JOB LPO User Role
<tenant_ID>-MFPInsights_JOB MFP User Role
<tenant ID>-PlanningInsights_JOB PlanningInsights
<tenant ID>-PromotionInsights_JOB PromotionInsights
<tenant ID>-PurchaseOrderInsights_JOB PurchaseOrderInsights
<tenant ID>-SalesInsights_JOB SalesInsights
<tenant ID>-ScienceInsights_JOB ScienceInsights
<tenant ID>-SupplierInsights_JOB SupplierInsights
<tenant ID>-RetailAnalysts_JOB RetailAnalyst
<tenant ID>-TenderInsights_JOB TenderInsights

Using a combination of the RI groups above will grant access to sets of metrics and attributes in RI in an additive fashion. One exception is the CustomerDetailInsights_JOB role, which is a special role intended to grant access to detailed customer information, such as their name and phone number. This role must be used in combination with the CustomerInsights_JOB role to get access to these attributes and can be limited to a subset of RI users. Without the additional role, the CustomerInsights role only grants access to basic non-identifying customer information such as the customer ID and user-defined attributes.

For a detailed mapping of roles to RI subject areas, refer to the Metrics and Attributes Catalog (MAC) document in My Oracle Support (Doc ID 2539848.1).
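The pairing rule for CustomerDetailInsights_JOB lends itself to a periodic access review. The following is an added example, not Oracle code: the tenant prefix `TENANT1`, the membership export, and the approved-user list are all constructed assumptions standing in for a real OCI IAM group export.

```python
# Added example: review which RI users can reach identifying customer attributes.
# TENANT, the membership export and the approved list are constructed for illustration.
TENANT = "TENANT1"  # stands in for <tenant ID>
BASE = f"{TENANT}-CustomerInsights_JOB"
DETAIL = f"{TENANT}-CustomerDetailInsights_JOB"

# Constructed OCI IAM group membership export: user -> set of group names.
MEMBERSHIP = {
    "alice": {BASE, DETAIL, f"{TENANT}-SalesInsights_JOB"},
    "bob": {BASE, f"{TENANT}-SalesInsights_JOB"},
    "carol": {DETAIL, f"{TENANT}-InventoryInsights_JOB"},
    "dave": {f"{TENANT}-SalesInsights_JOB"},
    "erin": {BASE, DETAIL},
}
APPROVED_FOR_DETAIL = {"alice"}  # assumption: users signed off for name/phone access


def customer_access_level(groups):
    """Classify customer-data access from the two groups the guide describes."""
    has_base, has_detail = BASE in groups, DETAIL in groups
    if has_base and has_detail:
        return "identifying"          # name, phone number and other detail attributes
    if has_base:
        return "non-identifying"      # customer ID and user-defined attributes only
    if has_detail:
        return "detail-without-base"  # detail role alone does not unlock the attributes
    return "none"


def review(membership, approved):
    """Return {user: (level, finding)}; finding is None when no action is needed."""
    result = {}
    for user, groups in membership.items():
        level = customer_access_level(groups)
        finding = None
        if level == "identifying" and user not in approved:
            finding = "has identifying customer data but is not on the approved list"
        elif level == "detail-without-base":
            finding = "CustomerDetailInsights_JOB assigned without CustomerInsights_JOB"
        result[user] = (level, finding)
    return result


def users_needing_action(membership, approved):
    """Sorted list of users whose assignment should be corrected or approved."""
    return sorted(u for u, (_, f) in review(membership, approved).items() if f)


if __name__ == "__main__":
    for user, (level, finding) in sorted(review(MEMBERSHIP, APPROVED_FOR_DETAIL).items()):
        print(f"{user:6} {level:20} {finding or 'ok'}")
```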

Example User OCI IAM Groups Description

RI Application Administrator

<tenant ID>-BIConsumer_JOB

<tenant ID>-BIAuthor_JOB

<tenant ID>-RIApplicationAdministrator_JOB

<tenant ID>-DVContentAuthor

<tenant ID>-RetailAnalysts_JOB

RETAIL_HOME_ADMIN

This user has access to all functional areas in RI and can manage Agents and modify and delete objects in the /Shared Folders/Custom/ space in the catalog.

Junior Merchandiser

<tenant ID>-BIConsumer_JOB

<tenant ID>-BIAuthor_JOB

<tenant ID>-DVContentAuthor

<tenant ID>-SalesInsights_JOB

<tenant ID>-InventoryInsights_JOB

<tenant ID>-SupplierInsights_JOB

This user has access to the Sales, Inventory, and Supplier areas in RI, which are typically required for basic reporting on merchandise. The user can create reports, but not agents.

Merchandise Planner

<tenant ID>-DVContentAuthor

<tenant_ID>-MFPInsights_JOB

This user has access to Data Visualization to create and view reports and will have access to RI measures specific to the MFP application data requirements (sales, inventory, plan outputs, and so on).

Managing Catalog Access

Retail Insights also provides a set of OCI IAM groups and associated Analytics application roles which can be used to assign catalog permissions. These groups have no functionality assigned to them initially; it is up to the user whether to include them as part of their catalog structure. In Data Visualizer (DV), catalog permissions are assigned by accessing the right-click or “…” menu on a report or folder and selecting the Inspect option, then going to the Access tab. From here, you can choose which users and roles may interact with that object. Restricting access to the object at a group level involves two steps:

  1. Search for an application role in the Access tab in DV and add it to the list with Read/Write or Read Only permissions.

  2. Log in to OCI IAM and locate the Group name in the table below which is linked to the application role, then add users to this group.

The table below lists the OCI IAM groups and the associated Application Role names which can be used for this purpose. The group names appear only in OCI IAM while the application role names appear only in Oracle Analytics and DV user interfaces.

OCI IAM Group OAS Application Role
RI_EXEC_CATALOG_JOB RI Executive Catalog
RI_STORE_CATALOG_JOB RI Stores Catalog
RI_AUDIT_CATALOG_JOB RI Audit Catalog
RI_COMM_CATALOG_JOB RI Commercial Catalog
RI_FINANCE_CATALOG_JOB RI Finance Catalog
RI_IT_CATALOG_JOB RI IT Catalog
RI_MARKETING_CATALOG_JOB RI Marketing Catalog
RI_OPERATIONS_CATALOG_JOB RI Operations Catalog
RI_SUPPLY_CHAIN_CATALOG_JOB RI Supply Chain Catalog

Inventory Planning Optimization Cloud Service

Inventory Planning Optimization (IPO) provides default OCI IAM groups for managing access levels in the application. In the IPO modules that leverage Retail Predictive Application Server (RPAS), user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within IPO and synchronize those groups using Online Administration Tasks.

This table shows the example users, OCI IAM Groups and their descriptions.

Example User OCI IAM Groups Descriptions

IPO Prod Users

IPO_AUTH_PROD

Grants IPO access to a production environment.

IPO Stage Users

IPO_AUTH_STAGE

Grants IPO access to a stage (non-production) environment.

Application Administrator

IPO_ADMIN_PROD

IPO_ADMIN_STAGE

An administrator has access to all templates within the application and can schedule Online Administration Tasks.

Configuration Administrator

ADMINISTRATOR_JOB

ADMINISTRATOR_JOB_PREPROD

An administrator that needs to access the Control & Tactical Center screens of AI Foundation, which includes optimization and forecast configurations and overall platform setup.

IPO Inventory Analyst

INVENTORY_ANALYST_JOB

INVENTORY_ANALYST_JOB_PREPROD

A non-admin user responsible for configuring and running inventory optimizations and generating recommendations within the Optimization module.

IPO Forecast Administrator/Forecast Analyst/Supply Chain Administrator/IPO Supply Chain Analyst

IPO_FORECASTADMIN, IPO_FORECASTANALYST, IPO_SUPPLYCHAINADMIN, IPO_SUPPLYCHAINANALYST

Additional IPO user permissions for non-admin users.

For a complete list of available groups and more details, refer to the Oracle Inventory Planning Optimization Cloud Service Administration Guide.

Inventory Planning Cloud Services

Example Users OCI IAM Group Description

IP Inventory Plan Viewers

IP_INVENTORY_PLAN_VIEWER

Read-only access to Inventory Plan View, override previews, alerts, and Help pages.

IP Inventory Plan Editors

IP_INVENTORY_PLAN_EDITOR

In addition to the access of the VIEWER role, this role provides access to editing policies on the Advanced Options Panel.

IP System Administrators

IP_SYSTEM_ADMINISTRATOR

Provides access to view and configure application properties and to view Help pages. This role does not provide the access that the VIEWER or EDITOR roles provide.

IP DV Viewer

IP_DV_VIEWER

Provides access to the Oracle Analytics link on Retail Home.

Planning and Optimization Cloud Services

Oracle Retail Planning and Optimization Cloud Services comprise the following services:

Note:

Additional information on managing users, groups and permissions for Planning and Optimization cloud services can be found within application Administration Guides and the Oracle Retail Predictive Application Server and Applications Cloud Edition Security Guide.

Assigning Oracle Retail Cloud Service Access

Further details on these roles and their functional access can be found in the Oracle Retail AI Foundation Cloud Service Administration Guide here https://docs.oracle.com/en/industries/retail/index.html

Planning & Optimization uses Groups in an OCI IAM Domain to manage user access to planning.

Roles/Groups Descriptions

PLATFORM_SERVICE_ADMINISTRATOR_ABSTRACT

PLATFORM_SERVICE_ADMINISTRATOR_ABSTRACT_PREPROD

RPAS_WS_ADMIN

These groups apply if the user is an RPAS administrator.

RPAS_ORDS_GROUP

Oracle REST Data Services for RPAS Planning Data Store

For application access, the following groups apply:

  • {APP}_AUTH_{ENV} : Provides general application access

  • {APP}_ADMIN_{ENV} : Provides administration level access in addition to the general access

Where {APP} represents the planning cloud service (for example, MFPEECS, APEECS, RDFCS) and {ENV} represents the environment (for example, PROD or STAGE).

Note:

For non-PROD environments:

For example, the RetailHomeConfig.json could have a tile state entry like this:

"name": "edge.tileStates.mfp.sixmetricTile1",
"type": "six-metric",
"testLabel": "Financial Plan - Six Metric",
"roles": "MFP_PLANNERS, MFP_USERS",

This means that a user who has the roles MFP_PLANNERS or MFP_USERS can see the tile state with id edge.tileStates.mfp.sixmetricTile1. Accordingly, the following groups need to be created in IDCS:

MFP_PLANNERS_PREPROD

MFP_USERS_PREPROD

Next, users need to be added to one or more of the above groups. A user who is a member of MFP_PLANNERS_PREPROD will be considered to have the role MFP_PLANNERS for Retail Home purposes.
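The mapping from tile-state roles to environment-specific groups can be checked before go-live. The following is an added example, not Oracle code: it wraps the fragment above in braces so it parses, and it assumes that production groups carry no suffix and that a group only counts in the environment its suffix matches.

```python
import json

PREPROD_SUFFIX = "_PREPROD"

# The page's tile-state fragment, wrapped in braces here so that it parses on its own.
TILE_STATE = json.loads("""
{
  "name": "edge.tileStates.mfp.sixmetricTile1",
  "type": "six-metric",
  "testLabel": "Financial Plan - Six Metric",
  "roles": "MFP_PLANNERS, MFP_USERS"
}
""")


def tile_roles(tile):
    """Split the comma-separated "roles" string into clean role names."""
    return [r.strip() for r in tile["roles"].split(",") if r.strip()]


def required_groups(tile, production):
    """Group names that must exist for the tile's roles in this environment."""
    suffix = "" if production else PREPROD_SUFFIX
    return [role + suffix for role in tile_roles(tile)]


def missing_groups(tile, existing_groups, production):
    """Required groups that have not been created yet."""
    return [g for g in required_groups(tile, production) if g not in existing_groups]


def effective_roles(user_groups, production):
    """Roles a user holds in this environment.

    Assumption: production matches un-suffixed groups only, and non-production
    matches _PREPROD groups only, with the suffix stripped.
    """
    roles = set()
    for group in user_groups:
        suffixed = group.endswith(PREPROD_SUFFIX)
        if production and not suffixed:
            roles.add(group)
        elif not production and suffixed:
            roles.add(group[: -len(PREPROD_SUFFIX)])
    return roles


def can_see_tile(tile, user_groups, production):
    """True when the user holds at least one of the tile's roles."""
    return bool(effective_roles(user_groups, production) & set(tile_roles(tile)))
```

Under these assumptions a user placed only in the un-suffixed MFP_PLANNERS group does not see the tile in a non-production environment, which is the usual cause of a tile that is visible in Prod but missing in Stage.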

Managing access to Oracle Analytics and the Data Visualizer

Planning and Optimization Cloud Service subscriptions include support for use of planning data in Oracle Analytics (OAS) and the Data Visualizer (DV). In order for users to access the Data Visualizer or other components of Oracle Analytics, they must be assigned at least one of a set of roles defined to control access to Oracle Analytics.

Refer to the section earlier in this document on Oracle Analytics Server for the available roles.

Merchandise Financial Planning Cloud Service

Merchandise Financial Planning provides default OCI IAM groups to manage access levels in the application. In MFP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within MFP and synchronize those groups using Online Administration Tasks.

Example User OCI IAM Groups Descriptions

MFP Prod Users

MFP_AUTH_PROD

Grants MFP access to a production environment.

MFP Stage Users

MFP_AUTH_STAGE

Grants MFP access to a stage (non-production) environment.

Application Administrator

MFP_ADMIN_PROD

MFP_ADMIN_STAGE

The administrator will have access to all templates within the application and can schedule Online Administration Tasks.

MFP Planners/MFP Approvers

MFP_USERS

MFP_PLANNERS

MFP_BUYERS

MFP_APPROVERS

MFP user permissions are given by administrators at the template level. Users within each of these groups will only have access to the associated templates.

For a complete list of available groups and more details, refer to the Oracle Retail Merchandise Financial Planning Cloud Service Administration Guide.

Demand Forecasting Cloud Service 19.x

Demand Forecasting provides default OCI IAM groups for managing access levels in the application. In RDF, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within RDF and synchronize those groups using.

Example User OCI IAM Groups Descriptions

RDF Prod Users

RDF_AUTH_PROD

Grants RDF access to a production environment.

RDF Stage Users

RDF_AUTH_STAGE

Grants RDF access to a stage (non-production) environment.

Application Administrator

RDF_ADMIN_PROD

RDF_ADMIN_STAGE

An administrator has access to all templates within the application and can schedule Online Administration Tasks.

RDF Analysts/Managers

RDF_ANALYSTS

RDF_MANAGERS

RDF user permissions for non-admin users.

For a complete list of available groups and more details, refer to the Oracle Retail Demand Forecasting Cloud Service Administration Guide.

Assortment Planning Cloud Service

Assortment Planning provides default OCI IAM groups for managing access levels in the application. In AP, user access to various templates can be controlled at the user-group level, and those groups are aligned with OCI IAM. Aside from the default OCI IAM groups, administrators can also create new user groups directly within AP and synchronize those groups using.

Example User OCI IAM Groups Descriptions

AP Users

AP_AUTH_PROD

AP_AUTH_STAGE

Grants AP access to a production or non-prod environment.

Application Administrator

AP_ADMIN_PROD

AP_ADMIN_STAGE

An administrator has access to all templates within the application and can schedule Online Administration Tasks.

AP Planners/Approvers

AP_USERS

AP_PLANNERS

AP_BUYERS

AP_APPROVERS

AP user permissions for non-admin users.

For a complete list of available groups and more details, refer to the Oracle Retail Assortment Planning Cloud Service Administration Guide.

Retail Integration Cloud Service (RICS)

Assigning Oracle Retail Cloud Service Access

RICS comes with a set of pre-defined roles. Each role is managed as a group in OCI IAM, and there is a group for each role for Stage and Prod. If a role is a Stage role, its name is appended with “_PREPROD”.

Users can be assigned to different groups depending on the access requirements for that user.

RICS Role OCI IAM Groups Descriptions

Application Administrator

RicsAdminGroup

Access to all operations.

Application Operator

RicsOperatorGroup

Access to all operations except create/update/delete operations.

Access to start a Process Flow/Job.

Application Monitor

RicsMonitorGroup

Only able to view information.

Administrator users can change the mappings of Roles, Duties and Privileges in the RICS User Interface. Details about how to manage these application security policies are in the RICS Security Guide, available at https://docs.oracle.com/en/industries/retail/index.html.