Authorization

While IDCS and OCI IAM have some authorization features, Merchandising Cloud Service Suite, as an ADF application, manages this type of access (functional security) using Fusion Middleware's security model. Fusion security supports a role-based, declarative model that employs container-managed security, in which resources are protected by roles that are assigned to users. Duties and privileges provide a further level of control.

Users are associated with Enterprise Roles in IDCS or OCI IAM. Enterprise Roles are mapped to Duties and Privileges. Default mappings of Enterprise Roles to Duties and Privileges are provided as part of Merchandising Cloud Service provisioning.

Roles

The default configuration includes a number of default roles. This document uses some sample roles for each application to describe the overall security model. For the full set of roles for each Oracle Retail Merchandising Cloud Service, see the Cloud Service-specific Security Guides:

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Sample roles include, but are not limited to:

  • Application Administrator

  • Data Steward

  • Buyer

  • Inventory Analyst

  • Inventory Manager

  • Corporate Inventory Control Analyst

  • Pricing Analyst

  • Allocator

These roles are used in common terminology throughout the business processes defined in the Oracle Retail Reference Model (see MOS Doc ID 2458078.1).

One important thing to note is that there is also a mirrored set of these Enterprise roles with the suffix _PREPROD (Data Steward_PREPROD, Buyer_PREPROD, Inventory Analyst_PREPROD, etc.) available in IDCS or OCI IAM. This set of _PREPROD roles should be used so that users can have different access in non-production vs production systems. For example, it is common for QA employees to have virtually all Enterprise roles, and therefore unlimited access, to non-production systems. However, these same QA employees might have limited or no access to production systems.

Duties and Privileges

Within Merchandising Cloud Service Suite, Enterprise Roles are mapped to Duties and Privileges. Privileges are essentially actions that a user can perform. Duties are collections of related privileges.

In Merchandising Cloud Service Suite, role-based security is implemented to control:

  • Access to navigational links/tasks in the application. The role associated with the user (for example a Buyer or Inventory Analyst) determines the set of links visible in the task pane.

  • Access to various UI widgets in the screens, such as buttons, menu items, LOVs, panels and so on. The role determines whether the UI widgets are shown or hidden and, if shown, whether they are enabled or disabled.

  • How the screens will be opened, such as in an edit or view only mode based on the role the user belongs to and the duties and privileges mapped to that role.

Duties are intended to build on one another and work in a hierarchical manner. The table below illustrates how this works, using purchase orders as an example. The most basic purchase order duty is Purchase Order Inquiry, which grants the user permission to search and view purchase orders. The next level of access is Purchase Order Management, which grants the user the ability not only to search and view purchase orders, but also to maintain and submit them. The final level of access in this example is Purchase Order Approval, which grants the user the ability to approve orders, in addition to searching, viewing, and maintaining them.

Table 5-1 Duties and Privileges

Duty | Privileges
--- | ---
Purchase Order Inquiry | Search Purchase Orders; View Purchase Orders
Purchase Order Management | All Privileges in Purchase Order Inquiry; Maintain Purchase Orders; Submit Purchase Orders
Purchase Order Approval | All Privileges in Purchase Order Management; Approve Purchase Orders
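
The following added example (not Oracle code) models the duty hierarchy in Table 5-1 and the _PREPROD role mirroring described earlier, resolving the privileges a user's Enterprise Roles grant in each environment. The role-to-duty mappings, the sample user, and the rule that each environment honours only its own set of roles are assumptions made for illustration.

```python
# Duty hierarchy from Table 5-1: each duty names the duty it builds on
# (None for the base duty) and the privileges it adds.
DUTIES = {
    "Purchase Order Inquiry": (None, {"Search Purchase Orders", "View Purchase Orders"}),
    "Purchase Order Management": ("Purchase Order Inquiry",
                                  {"Maintain Purchase Orders", "Submit Purchase Orders"}),
    "Purchase Order Approval": ("Purchase Order Management", {"Approve Purchase Orders"}),
}

# Constructed role-to-duty mappings (assumption, not the provisioned defaults).
ROLE_DUTIES = {
    "Inventory Analyst": {"Purchase Order Inquiry"},
    "Buyer": {"Purchase Order Management"},
    "Inventory Manager": {"Purchase Order Approval"},
}

PREPROD_SUFFIX = "_PREPROD"


def duty_privileges(duty, _seen=None):
    """Expand a duty into its full privilege set by walking its parent chain."""
    seen = _seen or set()
    if duty in seen:
        raise ValueError(f"cycle in duty hierarchy at {duty!r}")
    parent, own = DUTIES[duty]
    inherited = duty_privileges(parent, seen | {duty}) if parent else set()
    return own | inherited


def effective_privileges(enterprise_roles, production):
    """Privileges granted in one environment.

    Assumption: production honours only unsuffixed roles, non-production only
    the mirrored _PREPROD roles, and a mirrored role maps to the same duties.
    """
    granted = set()
    for role in enterprise_roles:
        is_preprod = role.endswith(PREPROD_SUFFIX)
        if is_preprod == production:
            continue  # role belongs to the other environment
        base = role[:-len(PREPROD_SUFFIX)] if is_preprod else role
        for duty in ROLE_DUTIES.get(base, ()):
            granted |= duty_privileges(duty)
    return granted


# Constructed user: a QA employee with broad non-production access only.
QA_USER = ["Buyer_PREPROD", "Inventory Manager_PREPROD", "Inventory Analyst"]
```
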

The application-specific security guides for each solution in the Merchandising Cloud Service Suite describe the Privileges and Duties for each application. See the following documents for more information:

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Administrator users can change the mappings of Enterprise Roles, Duties and Privileges in the Merchandising Cloud Service Suite user interface. Details about how to manage these application security policies are available in Chapter 2, "Manage Security Policies," in the Merchandising Cloud Services Administration Guide.