5 Merchandising Cloud Service Suite Authentication, Authorization and Data Filtering

Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to create a purchase order?). Data Filtering is not strictly part of the Merchandising Cloud Service Suite security model, but can be implemented to further reduce attack surface (John Smith is allowed to create a purchase order, but only for items in Department 1234).

Authentication and OCI IAM

As of version 23.0.000, Merchandising Cloud Service Suite uses Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP):

When a user connects to the Merchandising Cloud Service UI, Merchandising Cloud Service Suite redirects application URL requests to the OCI IAM login screen. OCI IAM authenticates the user. When a user logs out of the Merchandising Cloud Service, Merchandising invokes an OCI IAM logout to disable session authentication.

OCI IAM

OCI IAM is Oracle's cloud native security and identity platform. It provides a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. OCI IAM enables single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate OCI IAM with other on-premises applications to extend the scope of this SSO. More information about OCI IAM is available at https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm

OCI IAM and Oracle Retail Enterprise Roles

When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS or OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS or OCI IAM instance. More information is available in Retail Identity Management via OCI IAM: https://docs.oracle.com/en/industries/retail/retail-identity-management/latest/books.html

OCI IAM and Application Users

Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.

The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators via OCI IAM. A key feature of OCI IAM is that basic user maintenance can be further delegated via identity self-service.

When application users are created in OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Merchandising Cloud Service Suite.

Note:

The OCI IAM username is passed to Merchandising as the application user ID and is persisted in the database as part of the basic Merchandising transaction audit trail. If a corporate email address is used as the OCI IAM username, that corporate email address is persisted to the Merchandising database. To fully inform Merchandising users that their corporate email address will be saved, we recommend that retailers implement OCI IAM Terms of Use functionality. The OCI IAM Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. This feature allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for Merchandising auditing. See Managing Terms of Use for more information.

https://docs.oracle.com/en-us/iaas/Content/Identity/termsofuse/manage-terms-use.htm

Authorization

While OCI IAM has some authorization features, Merchandising Cloud Service Suite is an ADF application and manages this type of access (functional security) using Fusion Middleware's security model. Fusion security supports a role-based, declarative model that employs container-managed security, where resources are protected by roles that are assigned to users. Duties and privileges provide a further level of control.

Users are associated with Enterprise Roles in OCI IAM. Enterprise Roles are mapped to Duties and Privileges. Default mappings of Enterprise Roles to Duties and Privileges are provided as part of Merchandising Cloud Service provisioning.

Roles

The default configuration includes a number of default roles. This document describes some sample roles for each application in describing the overall security model. For a full set of roles for each Oracle Retail Merchandising Cloud Service, please see the Cloud Service specific Security Guides:

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Sample roles include but are not limited to:

  • Application Administrator

  • Data Steward

  • Buyer

  • Inventory Analyst

  • Inventory Manager

  • Corporate Inventory Control Analyst

  • Pricing Analyst

  • Allocator

These roles are used in common terminology throughout the business processes defined in the Oracle Retail Reference Model (see MOS Doc ID 2458078.1).

One important thing to note is that there is also a mirrored set of these Enterprise roles with the suffix _PREPROD (Data Steward_PREPROD, Buyer_PREPROD, Inventory Analyst_PREPROD, etc.) available in IDCS or OCI IAM. This set of _PREPROD roles should be used so that users can have different access in non-production vs production systems. For example, it is common for QA employees to have virtually all Enterprise roles, and therefore unlimited access, to non-production systems. However, these same QA employees might have limited or no access to production systems.

Duties and Privileges

Within Merchandising Cloud Service Suite, Enterprise Roles are mapped to Duties and Privileges. Privileges are essentially actions that a user can perform. Duties are collections of related privileges.

In Merchandising Cloud Service Suite, role-based security is implemented to control:

  • Access to navigational links/tasks in the application. The role associated with the user (for example a Buyer or Inventory Analyst) determines the set of links visible in the task pane.

  • Access to various UI widgets in the screens like buttons, menu items, LOVs, Panels and so on. The role determines if the UI widgets are to be shown or hidden and if shown whether they need to be enabled or disabled.

  • How the screens will be opened, such as in an edit or view only mode based on the role the user belongs to and the duties and privileges mapped to that role.

Duties are intended to build on one another and work in a hierarchical manner. The table below illustrates how this works, using purchase orders as an example. The most basic purchase order duty is Purchase Order Inquiry, which grants the user permission to search and view purchase orders. The next level of access is Purchase Order Management, which grants the user the ability to search and view purchase orders, but also maintain and submit them. The final level of access in this example is Purchase Order Approval, which grants the user the ability to approve orders, in addition to searching, viewing, and maintaining them.

Table 5-1 Duties and Privileges

Duty Privileges

Purchase Order Inquiry

  • Search Purchase Orders

  • View Purchase Orders

Purchase Order Management

  • All Privileges in Purchase Order Inquiry

  • Maintain Purchase Orders

  • Submit Purchase Orders

Purchase Order Approval

  • All Privileges in Purchase Order Management

  • Approve Purchase Orders

The application specific security guides for each solution in the Merchandising Cloud Service Suite describe the Privileges and Duties for each application. See the following documents for more information.

  • Merchandising Cloud Services Security Guide Volume 2 - Merchandising and Import Management

  • Merchandising Cloud Services Security Guide Volume 2 - Pricing

  • Merchandising Cloud Services Security Guide Volume 2 - Sales Audit

  • Merchandising Cloud Services Security Guide Volume 2 - Allocation

  • Merchandising Cloud Services Security Guide Volume 2 - Invoice Matching

Administrator users can change the mappings of Enterprise Roles, Duties and Privileges in the Merchandising Cloud Service Suite user interface. Details about how to manage these application security policies are available in Chapter 2, Manage Security Policies in the Merchandising Cloud Services Administration Guide.

Data Security/Filtering

Oracle Retail Cloud Service offers an additional optional layer of data filtering. Data filtering in the application UI limits the data end users see by levels in the merchandise and organizational hierarchies.

Note:

Data Filtering is implemented in all Merchandising Cloud Service Suite applications, with the exception of Allocation.

Data level security is configured by assigning users to a data security group within Merchandising Cloud Service Suite. All users within a group would have similar access to a particular section of the merchandise or organizational hierarchy. For example, a group may be defined for a particular division, giving users across Application Roles access to the departments, classes, subclasses, and items in that division.

To implement data security/filtering, Data Security Groups must be defined in Merchandising Cloud Service Suite. These groups are associated with levels of the merchandise and organizational hierarchies. Every application user must also be defined in Merchandising Cloud Service Suite and assigned to Data Security Groups. The processes for defining these groups, hierarchy associations and users are detailed in Chapter 3, Data Security/Filtering in the Merchandising Cloud Services Administration Guide.

Note:

Adding these users to Merchandising Cloud Services for data security/filtering purposes is a manual process (via spreadsheet upload). Users are not automatically loaded from OCI IAM for data security purposes.

When considering whether to implement data filtering/security, customers should weigh the benefits of data filtering against the processes they would need to implement to synchronize Merchandising Cloud Service Suite with OCI IAM. As authentication is based on the user definition in OCI IAM (which includes the Enterprise Role), it is possible that a user could authenticate correctly, reach Merchandising Cloud Service and, based on the mapping of their Enterprise Role to Application Role, be authorized to access various user interfaces. However, if data filtering/security is in use, and the user is not defined in Merchandising Cloud Service Suite or not associated with a Data Security Group, the user may not see certain types of data in the application.
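
The synchronization gap described above can be checked by comparing an OCI IAM user export with the data security user upload. The following is an added example, not Oracle code: the CSV layouts, column names, sample users and group names are constructed assumptions, and user IDs are assumed to compare case-insensitively.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not Oracle formats.
IAM_EXPORT = """username,enterprise_roles
jsmith@example.com,Buyer
akhan@example.com,Inventory Analyst;Pricing Analyst
qa1@example.com,Buyer_PREPROD
mlee@example.com,Data Steward
"""
DATA_SECURITY_EXPORT = """user_id,data_security_group
jsmith@example.com,DIV_1000
mlee@example.com,
oldtemp@example.com,DIV_1000
"""

def norm(user):
    # Assumption: user IDs compare case-insensitively; drop casefold() if not.
    return user.strip().casefold()

def iam_users(export_text, preprod=False):
    """Users holding at least one Enterprise Role for the chosen environment."""
    users = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        roles = [r.strip() for r in row["enterprise_roles"].split(";") if r.strip()]
        # _PREPROD roles apply to non-production, unsuffixed roles to production.
        if any(r.endswith("_PREPROD") == preprod for r in roles):
            users.add(norm(row["username"]))
    return users

def data_security_groups(export_text):
    """Map each user defined for data filtering to their non-empty groups."""
    groups = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user_groups = groups.setdefault(norm(row["user_id"]), set())
        group = (row["data_security_group"] or "").strip()
        if group:
            user_groups.add(group)
    return groups

def reconcile(iam_text, ds_text, preprod=False):
    """Report users who can log in but will hit data filtering gaps, and stale entries."""
    iam = iam_users(iam_text, preprod)
    ds = data_security_groups(ds_text)
    defined = set(ds)
    return {
        "not_defined": sorted(iam - defined),               # in IAM, missing from upload
        "no_group": sorted(u for u in iam & defined if not ds[u]),
        "not_in_iam": sorted(defined - iam),                # uploaded, no matching role
    }
```

Calling reconcile(IAM_EXPORT, DATA_SECURITY_EXPORT) checks the production roles; pass preprod=True to check the _PREPROD role set against a non-production environment's upload.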