6 Integration Cloud Service Authentication and Authorization

Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to create a purchase order?).

Authentication and OCI IAM

As of version 22.1.201.0, Integration Cloud Service uses Oracle Identity and Access Management (OCI IAM) as its identity provider (IDP).

https://www.oracle.com/cloud/paas/identity-cloud-service.html

When a user connects to the Integration Cloud Service UI, Integration Cloud Services redirects application URL requests to the OCI IAM login screen. OCI IAM authenticates the user. When a user logs out of the Integration Cloud Service, Integration invokes an OCI IAM logout to disable session authentication.

OCI IAM

OCI IAM is Oracle's cloud-native security and identity platform. It provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. OCI IAM enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate OCI IAM with other on-premises applications to extend the scope of this SSO. OCI IAM is available in two tiers: Foundation and Standard.

  • Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.

  • Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.

  • Details of the specific features available in each tier and the OCI IAM Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Integration Cloud Services only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of OCI IAM to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.

OCI IAM and Oracle Retail Enterprise Roles

When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this OCI IAM instance.

OCI IAM and Application Users

Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.

The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators through OCI IAM. A key feature of OCI IAM is that basic user maintenance can be further delegated via identity self-service.

When application users are created in OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Integration Cloud Services. For more detailed information and procedures, see "Managing Oracle Identity Cloud Service Users" in Administering Oracle Identity Cloud Service.

Authorization

While OCI IAM has some authorization features, Integration Cloud Services, as an ADF application, manages this type of functional security using Fusion Middleware's security model. Fusion security supports a role-based, declarative model that employs container-managed security, where resources are protected by roles that are assigned to users. Duties and privileges provide a further level of control.

Users are associated with Enterprise Roles in OCI IAM. Enterprise Roles are mapped to Integration Cloud Services Duties and Privileges. Default mappings of Enterprise to Integration Cloud Services Duties and Privileges are provided as part of Integration Cloud Service provisioning.

Roles

The default configuration includes the eleven predefined Enterprise security roles listed below:

  • Application Administrator

  • Application Operator

  • Application Monitor

These roles are used in common terminology throughout the business processes defined in the Oracle Retail Reference Model (see MOS Doc ID 2458078.1).

One important thing to note is that there is also a mirrored set of these Enterprise roles with the suffix _PREPROD (Administrator_PREPROD, Operator_PREPROD, Monitor_PREPROD, and so on) available in OCI IAM. This set of _PREPROD roles should be used so that users can have different access in non-production vs production systems. For example, it is common for QA employees to have virtually all Enterprise roles, and therefore unlimited access, to non-production systems. However, these same QA employees might have limited or no access to production systems.

Duties and Privileges

Within Integration Cloud Service, Enterprise Roles are mapped to Duties and Privileges. Privileges are essentially actions that a user can perform. Duties are collections of related privileges.

In Integration Cloud Services, role-based security is implemented to control:

  • Access to navigational links/tasks in the application. The role associated with the user (for example, a Buyer or Inventory Analyst) determines the set of links visible in the task pane.

  • Access to various UI widgets in the screens like buttons, menu items, LOVs, Panels and so on. The role determines if the UI widgets are to be shown or hidden and if shown whether they need to be enabled or disabled.

  • How the screens will be opened, such as in an edit or view only mode based on the role the user belongs to and the duties and privileges mapped to that role.

Table 6-1 Duties and Privileges

Duty           Privileges
-------------  -----------------------------------------------------------------
Administrator  Access to all operations.
Operator       Access to all operations except create/update/delete operations.
               Access to start a Process Flow/Job.
Monitor        Only able to view information.

Administrator users can change the mappings of Enterprise Roles, Duties and Privileges in the Integration Cloud Services User Interface. Details about how to manage these application security policies are available in Chapter 2, "Manage Security Policies" in the Integration Cloud Services Administration Guide.
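The following is an added illustration of the Enterprise Role to Duty to Privilege model described in this chapter, including the _PREPROD role mirroring; it is not Oracle's implementation. The duty definitions follow Table 6-1, but the privilege names, the default role-to-duty mapping, and the environment-selection rule are assumptions for the example.

```python
"""Illustrative role-based check modelled on this chapter (added example, not
Oracle code). Duties follow Table 6-1; privilege names, the default role-to-duty
mapping and the production/non-production rule are assumptions."""

# Privileges are actions a user can perform (hypothetical names).
ALL_PRIVILEGES = frozenset(
    {"VIEW", "CREATE", "UPDATE", "DELETE", "START_PROCESS_FLOW", "START_JOB"})
WRITE = frozenset({"CREATE", "UPDATE", "DELETE"})

# Duties are collections of related privileges (per Table 6-1).
DUTIES = {
    "Administrator": ALL_PRIVILEGES,
    "Operator": ALL_PRIVILEGES - WRITE,   # all but create/update/delete; can start flows/jobs
    "Monitor": frozenset({"VIEW"}),       # view only
}

# Assumed default Enterprise Role -> Duty mapping; administrators can change this in the UI.
ROLE_TO_DUTIES = {
    "Application Administrator": {"Administrator"},
    "Application Operator": {"Operator"},
    "Application Monitor": {"Monitor"},
}

PREPROD_SUFFIX = "_PREPROD"


def effective_roles(assigned_roles, production):
    """Select the roles that apply to the target environment: base roles count only
    in production, the mirrored _PREPROD roles only in non-production."""
    roles = set()
    for role in assigned_roles:
        if role.endswith(PREPROD_SUFFIX):
            if not production:
                roles.add(role[: -len(PREPROD_SUFFIX)])
        elif production:
            roles.add(role)
    return roles


def privileges_for(assigned_roles, production):
    """Union of privileges granted through every duty mapped to the effective roles."""
    privs = set()
    for role in effective_roles(assigned_roles, production):
        for duty in ROLE_TO_DUTIES.get(role, ()):   # unmapped roles grant nothing
            privs |= DUTIES[duty]
    return privs


def has_privilege(assigned_roles, production, privilege):
    return privilege in privileges_for(assigned_roles, production)


def screen_mode(assigned_roles, production):
    """How a screen opens for the user: 'edit', 'view', or None when there is no access."""
    privs = privileges_for(assigned_roles, production)
    if privs & WRITE:
        return "edit"
    return "view" if "VIEW" in privs else None
```

A QA user holding Application Administrator_PREPROD plus Application Monitor gets edit access in non-production but only view access in production, which is the separation the _PREPROD roles are meant to provide.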