User and Group Management

Users of RPASCE applications are created and managed within OCI IAM. RPASCE allows administrators to create user groups within the application that correspond to roles defined in OCI IAM. When a user logs into the RPASCE application, the application will check to see if that user belongs to any roles that correspond to a group defined in the application and assign the user the privileges granted to those groups.

User groups are typically assigned based on a common business role, such as Planners, so that authorization settings can be managed at the group level. However, users will also hold certain roles that serve non-business purposes, as described in "Non-Business Roles".

When a user is added, either through the Synch Users task or when a user logs into the application for the first time, a position is created for the user in the metadata dimension User. Similarly, when a group is added, that group is assigned a position in the metadata dimension Group.

User Life Cycle

As users enter the OCI IAM system, they can be granted both the application authorization role and one or more of the business roles. Once granted appropriate roles, users will be able to access the RPASCE application with the corresponding access rights. However, some additional administrative setup is required for a user accessing the system for the first time.

Position security is not role-based and is not managed through OCI IAM. It is therefore necessary for an administrative user to set the position access rights for a new user in order for that user to be able to interact with data in the application. Additionally, new users will not have access to the Dashboard in the RPASCE client until a dashboard workbook has been prepared for them. When a new user first logs in, that user will receive a message from the application to contact their administrator to complete these setup processes.

During the lifetime of a user within the system, any changes to that user's responsibilities can be accommodated by updating the set of roles assigned to the user in OCI IAM. If the set of roles possessed by a user changes, the user's access rights are automatically updated at that user's next login to reflect the access rights of the new set of roles.

When a user should no longer be granted access to the application, the application authorization role can be revoked in OCI IAM or, if appropriate, the user can be dropped from OCI IAM entirely. No subsequent login attempts by that user will succeed, and they will no longer have access to the application and its data.

When a user is removed from the system, the system may continue to hold resources created by and for that user in the form of workbooks, saved formatting, and so on. To allow these resources to be reclaimed, a pair of administrative utilities can be run. First, the Sync Users from OCI IAM utility will query OCI IAM for the set of users authorized for the application. Any users who are no longer authorized for the application, whether because of role changes or as a result of being removed from OCI IAM, will be flagged within the application as expired.

A second utility, Manage Users, can then be executed. This utility will drop all workbooks and reclaim all other resources associated with the expired users and will purge them from the system. The purpose of this two-step process is to safeguard against the accidental loss of user information. Purging a user from the system and deleting all that user's work may result in a significant loss of time and effort. As such, it is recommended that the two utilities be scheduled to run separately in order to provide a chance for error remediation prior to the irrevocable deletion of user data.

Non-Business Roles

Two special roles are associated with an RPASCE application using AUM: the first is the authentication role and the second is the application administration role. These roles do not relate to the business processes of the application, but are instead used to manage access to the application and to determine which users have administrative privileges within the application.

The names for these roles are not fixed and will vary between RPASCE applications and between the different environments (production, stage, and so on) making up a customer instance. For new customers, the role names will be provided during the provisioning and deployment process. For existing customers migrating to AUM, they are created as a part of the migration process.

Application Authorization Role

In order for users authenticated by OCI IAM to be allowed access to the RPASCE application, they must belong to the application authorization role. Users who do not possess the application authorization role will not be allowed access to the application, even if they possess one or more of the roles defined and granted rights in the application. In this way, a single set of business-related roles can be managed across multiple RPASCE application instances while access to any one application instance can still be limited to a subset of all users. It can be useful, for example, to share user roles between a stage and a production environment but grant access to the stage environment to only a subset of users.

Application Administrative Role

Under the AUM model, users are no longer granted administrative privileges through the setting of the admin flag within the user management templates. Instead, users possessing the administrative role for a given application instance will be granted admin rights for that application instance. These rights can then be managed by assigning a user the administrative role or revoking that role, with the changes taking effect automatically when the user next accesses the RPASCE application.
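The access model described in "User Life Cycle" and in the two role sections above can be summarized as a small simulation: a login is gated on the application authorization role, admin rights follow the administrative role, business privileges are the union of the application groups whose mapped roles the user holds, and expiry and purge are two separate steps. The following Python block is an added illustration of that model and is not Oracle's or RPASCE's code; the role names, group-to-role mappings, privilege sets and the `Application` class are constructed placeholders chosen for this example.

```python
"""Illustrative model of RPASCE-style access resolution over OCI IAM roles.
Constructed example; names and mappings below are placeholders, not real values."""
from dataclasses import dataclass, field

# Placeholder names: the real role names vary per application and environment.
AUTHZ_ROLE = "APP_AUTHORIZATION_ROLE_PLACEHOLDER"
ADMIN_ROLE = "APP_ADMIN_ROLE_PLACEHOLDER"

# Application groups mapped to IAM roles, with privileges managed at group level
# (constructed mapping for this example).
GROUP_ROLE_MAP = {"Planners": "PLANNER_ROLE", "Analysts": "ANALYST_ROLE"}
GROUP_PRIVILEGES = {
    "Planners": {"view_plan", "edit_plan"},
    "Analysts": {"view_plan"},
}


@dataclass
class AppUser:
    """A position in the User dimension plus the state tracked for it."""
    name: str
    groups: set = field(default_factory=set)
    is_admin: bool = False
    expired: bool = False
    workbooks: list = field(default_factory=list)


class Application:
    def __init__(self):
        self.users = {}  # name -> AppUser (the User dimension positions)

    def login(self, name, iam_roles):
        """Resolve access at login time from the roles OCI IAM reports."""
        if AUTHZ_ROLE not in iam_roles:
            # Business roles alone never grant entry to this instance.
            raise PermissionError(f"{name} lacks the application authorization role")
        # First login creates the user's position; later logins refresh it.
        user = self.users.setdefault(name, AppUser(name))
        user.groups = {g for g, role in GROUP_ROLE_MAP.items() if role in iam_roles}
        user.is_admin = ADMIN_ROLE in iam_roles
        user.expired = False
        return user

    def privileges(self, name):
        """Union of the privileges of every group the user currently belongs to."""
        return set().union(*(GROUP_PRIVILEGES[g] for g in self.users[name].groups))

    def sync_users(self, iam_directory):
        """Step one: flag users no longer authorized (role revoked or user gone).
        Nothing is deleted here, which leaves room to correct a mistake."""
        for name, user in self.users.items():
            roles = iam_directory.get(name, set())
            user.expired = AUTHZ_ROLE not in roles
        return sorted(n for n, u in self.users.items() if u.expired)

    def manage_users(self):
        """Step two: drop workbooks and purge every user flagged as expired."""
        purged = sorted(n for n, u in self.users.items() if u.expired)
        dropped = sum(len(self.users[n].workbooks) for n in purged)
        for name in purged:
            del self.users[name]
        return purged, dropped


if __name__ == "__main__":
    app = Application()
    alice = app.login("alice", {AUTHZ_ROLE, "PLANNER_ROLE"})
    print(alice.name, sorted(app.privileges("alice")), "admin:", alice.is_admin)
    print("expired after sync:", app.sync_users({"alice": {"PLANNER_ROLE"}}))
    print("purged:", app.manage_users())
```

Running `sync_users` twice before `manage_users`, with the authorization role restored in between, clears the expired flag again, which is the remediation window the two-step process is meant to provide.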

Deactivating User Accounts

User accounts can be marked as deactivated by the administrator in the OCI IAM console. This prevents the user from logging on with the RPASCE Client. The account remains locked until the administrator re-activates the user.

Roles Created in OCI IAM

A number of roles are created within OCI IAM as part of the provisioning process that are used to support the RPASCE Cloud subscriptions. Some of these roles are created to support user operations and must be assigned to users in the system. Other roles are created within OCI IAM to support the integration of the RPASCE systems with other systems and components within the Cloud environment. These roles are used by the internal processes of the system and, in general, do not need to be assigned to users of the system.

Information on the roles created for the various components of an Oracle Retail cloud subscription can be found in the Oracle Retail Identity Management for OCI IAM. Readers are encouraged to review not only the sections pertaining to the cloud services for which they have subscriptions but also the sections detailing role information for common components that are a part of every subscription, such as Retail Home, Process Orchestration and Monitoring, and Retail AI Foundation Cloud Service.