5 Process Orchestration and Monitoring Cloud Service Authentication & Authorization

Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to run a batch job?).

Authentication and IDCS or OCI IAM

As of version 19.0.001, Process Orchestration and Monitoring (POM) Cloud Service Suite uses Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP).

https://www.oracle.com/cloud/paas/identity-cloud-service.html

When a user connects to the POM User Interface, the request is redirected to the IDCS or OCI IAM login screen. IDCS or OCI IAM authenticates the user. When a user logs out of POM, the IDCS or OCI IAM logout is invoked to disable session authentication.

IDCS and OCI IAM

IDCS and OCI IAM are Oracle's cloud-native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premises applications to extend the scope of this SSO.

IDCS and OCI IAM are available in two tiers: Foundation and Standard.

  • Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.

  • Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.

Details of the specific features available in each tier and the IDCS or OCI IAM Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Process Orchestration and Monitoring Cloud Service Suite requires only the Foundation Tier, which includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to gain access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.

IDCS or OCI IAM and Oracle Retail Enterprise Roles

When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS or OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS or OCI IAM instance.

IDCS or OCI IAM and Application Users

Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.

The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators through IDCS or OCI IAM. A key feature of IDCS or OCI IAM is that basic user maintenance can be further delegated through identity self-service.

When application users are created in IDCS or OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Process Orchestration and Monitoring Cloud Service. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.

Note:

The IDCS or OCI IAM username is passed to Process Orchestration and Monitoring (POM) as the application user ID. It is persisted in the database as part of the basic POM transaction audit trail. If the corporate email address is used as the IDCS or OCI IAM username, that email address is persisted to the POM database. To fully inform POM users that their corporate email address will be saved, we recommend that the retailer implement the IDCS or OCI IAM Terms of Use functionality. The Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. It allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and to enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for POM auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.

https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-terms-use.html

JET Security

As mentioned earlier, the Process Orchestration and Monitoring (POM) application features a classic ADF User Interface (UI) that is being deprecated as of POM 19.1.002. It is replaced with a JET-based UI.

Oracle POM security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:

  • Authentication - POM JET UI restricts access to users that have been authenticated by the configured security provider.

  • Authorization - POM JET UI uses enterprise roles to limit what features individual users can access.

  • Origin Control - POM JET UI implements the Cross-Origin Resource Sharing (CORS) protocol to allow only same origin.

  • Transport Security - POM JET UI and services communicate through REST calls. These communications need to be secured.

    • Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.

    • Route access through WTSS or equivalent. Make sure all service URLs are at a location exposed on WTSS, otherwise each endpoint will be independently authenticated.

The JET UI and services communicate through REST calls, which are secured using the JAX-RS security implementation.

For more information about securing RESTful Web Services, refer to https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF113

User Roles

Roles are used to classify users based on job responsibilities and actions to be performed in the Oracle Retail Process Orchestration and Monitoring application (POM). Using roles, a user's access can be restricted to specific areas or functions within the application. In POM, users must be associated with at least one job role in order to access the application.

The following topics are covered in this chapter:

  • Roles

  • Functional Access by Role

Roles

POM comes with a set of pre-defined roles, described in the table below. The table also gives an alias for each role, which is used in the next section for easier reading.

Note:

The first two roles have thus far been associated with POM's classic user interface and are being deprecated along with the classic user interface itself. Customers need to migrate to the other four roles before those classic roles are removed.

These roles have been given similar access in the new user interface as the access they had in the classic user interface.

Table 5-1 Roles

Role Alias Description

BATCH_MONITORING_JOB

Monitor

One of the classic user interface roles. Users within this role are typically retailer administrators responsible for monitoring and executing batch. They can perform select activities on the Batch Monitor screen to move the schedule along.

BATCH_BUSINESS_JOB

Business User

Another one of the classic user interface roles. Users within this role are typically retailer business users responsible for just monitoring batch and configuring POM to enable callbacks into the Company's systems.

BATCH_ADMINISTRATOR_JOB

Administrator

Users within this role are retailer administrators with full access to all POM actions. They monitor, maintain and configure the batch schedules. They may also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with Oracle support personnel to address those issues. Finally, they may apply batch schedule patches and upgrades.

Additionally, users assigned this role are given access to the Oracle AMS Utilities screen.

BATCH_VIEWER_JOB

Viewer

Users within this role are retailer business users responsible for just monitoring batch. They have view access to all POM screens except AMS Utilities.

BATCH_SCHEDULE_CONFIGURATION_MANAGER_JOB

Schedule Config Mgr

Users within this role are typically retailer administrators responsible for just monitoring batch and configuring external dependencies and callbacks into the Company's systems. They have view access to all POM screens except AMS Utilities.

BATCH_SCHEDULE_ADMINISTRATOR_JOB

Schedule Admin

Users within this role are typically retailer administrators responsible for maintaining, monitoring and executing batch. They have view access to all POM screens except AMS Utilities. They can perform select activities on the Batch Monitor screen to move the schedule along. They also have update access to the Batch Administration screen. They can also configure some application properties and can configure a new schedule.

BATCH_ORACLE_AMS_ADMINISTRATOR_JOB

AMS Admin

Users within this role are typically Oracle AMS administrators who monitor, maintain and configure the batch schedules. They also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with other Oracle development and support personnel to address those issues. Finally, they apply POM and batch schedule patches and upgrades.

Functional Access by Role

This section lists all roles that have update access for each functional aspect of every screen. It is organized by screen, except for the first two tables.

Table 5-2 External Integration

Feature Roles (aliases) with access

Invoking batch execution from an external system

Requesting the status of a batch execution

Releasing dependency on an external process

Monitor

Schedule Admin

Administrator

AMS Admin

Table 5-3 POM Task Menu

Feature Roles (aliases) with access

Show Batch Monitoring task

Monitor

Business User

Administrator

Viewer

Schedule Config Mgr

Schedule Admin

AMS Admin

Show System Configuration task

Business User

Administrator

Viewer

Schedule Config Mgr

Schedule Admin

AMS Admin

Show Batch Administration task

Administrator

Viewer

Schedule Config Mgr

Schedule Admin

AMS Admin

Show Scheduler Administration task

Administrator

Monitor

Schedule Admin

AMS Admin

Show Schedule Maintenance task

Administrator

Viewer

Schedule Config Mgr

Schedule Admin

AMS Admin

Show AMS Utilities task

AMS Admin

Table 5-4 Screen: Batch Monitoring

Feature Roles (aliases) with update access

Buttons for Create Schedule, Close Schedule and Restart Schedule

Monitor

Schedule Admin

Administrator

AMS Admin

Jobs table on Batch Monitoring screen - Buttons for Run, Rerun, Hold, Release, Skip, Release Skip, and action for Add Comments

Monitor

Schedule Admin

Administrator

AMS Admin

Jobs table Actions menu on Batch Monitoring screen - Edit Parameters (for selected job)

Monitor

Schedule Admin

Administrator

AMS Admin

Job Details screen - Enable/Disable External Dependencies

Monitor

Administrator

Schedule Config Mgr

Schedule Admin

AMS Admin

Job Details screen - Retry Schedule Link button

Monitor

Administrator

AMS Admin

Job Details screen - Retry Callback button

Monitor

Administrator

AMS Admin

Execution Engine display Configuration

Administrator

AMS Admin

Download Job Log

All authenticated users

Download Cycle Summary

All authenticated users

Scheduler Tasks Monitoring and actions

Monitor

Administrator

Schedule Admin

AMS Admin

Table 5-5 Screen: System Configuration

Feature Roles (aliases) with update access

System tab - Update actions

Administrator

AMS Admin

Schedule tab - Update actions for general & environment settings

Administrator

AMS Admin

Schedule tab - Job admin system options dialog

Administrator

AMS Admin

Schedule tab - Update actions for MDF configuration

Administrator

AMS Admin

Schedule tab - Update actions for job admin throttling configuration

Administrator

AMS Admin

System tab - Update actions for external configurations

Business User

Administrator

Schedule Config Mgr

Schedule Admin

AMS Admin

Global Edit - Settings updates

Administrator

AMS Admin

Global Edit - External Configuration updates

Business User

Administrator

Schedule Config Mgr

Schedule Admin

AMS Admin

Configure New Schedule

Administrator

Schedule Admin

AMS Admin

Table 5-6 Screen: Batch Administration

Feature Roles (aliases) with update access

Export Config and Import Config buttons

Administrator

Schedule Admin

AMS Admin

Enable/disable switch on each of the Recurring Flows and Jobs within each Flow

Administrator

Schedule Admin

AMS Admin

Jobs table on main UI - Edit and Enable/Disable actions

Administrator

Schedule Admin

AMS Admin

Batch Job Details - Enable/Disable Dependencies

Administrator

AMS Admin

Batch Job Details - Create/Enable/Disable/Delete Inter-Schedule Dependencies

Administrator

AMS Admin

Batch Job Details - Create/Enable/Disable/Delete Schedule links

Administrator

AMS Admin

Batch Job Details - Create/Enable/Disable/Delete External Dependencies

Administrator

Schedule Config Mgr

Schedule Admin

AMS Admin

Table 5-7 Screen: Scheduler Administration

Feature Roles (aliases) with update access

All Functions on the Scheduler Administration screen

Monitor

Administrator

Schedule Admin

AMS Admin

Table 5-8 Screen: Schedule Maintenance

Feature Roles (aliases) with update access

All actions: Import Latest Schedule button,

Upgrade, Retry buttons in table row

Download Configuration and download POM seed data

Administrator

AMS Admin

Table 5-9 Screen: AMS Utilities

Feature Roles (aliases) with update access

Manual Job Run

Override Job Status

Override Execution Request Status

Administrator

AMS Admin

Table 5-10 Screen: Application Properties

Feature Roles (aliases) with update access

Application Properties

Schedule Admin

Administrator

AMS Admin

Private Data REST Services

This section describes the REST Services flavor of the Private Data Services and Tools documented by the framework team.

Retailers must call the Private Data REST Service endpoints with the following request headers:

Table 5-11 Request Header

Name Value Required Description

Accept

application/json OR application/xml

Yes

Tells the server the MIME type of the resource.

Authorization

Base64 encoded credentials string

Yes

Authenticates a user agent with the server

List of Endpoints

The table below shows the details of calling the Private Data Service APIs through REST endpoints:

Action Endpoint Path Description

Get a List of Query Group Types

/privatedata/config/{action}

Returns the valid ID types that can be used in private data calls.

Method

  • GET

Accept

  • application/json

Path Parameters

  • action: The private data action for which query group types are being inquired. Valid values include:

    access: access PII data

    forget: remove PII data

    validateForget: check to see if PII data can be removed.

Response Codes

  • 200 - Success

  • 500 - Internal Server Errors - for all other types of errors (for example, config errors, SQL errors, and so on).

Success Payloads

{ 
"types": [ 
"raf", 
"supplier", 
"customer" 
] 
} 

Get Query Group Type Information (for example, Lookup customer ID)

/privatedata/config/{action}/{id_type}

Returns details of the query group type including the customer ID format required to access or remove PII data.

Method

  • GET

Accept

  • application/json

Path Parameters

  • action: The data privacy action being attempted on the query group type. Valid values include:

    access: access PII data

    forget: remove PII data

    validateForget: check to see if PII data can be removed.

  • id_type: The query group type.

Response Codes

  • 200 - Success

  • 400 - Bad Request - Produced for the following situations:

    Invalid input type

  • 500 - Internal Server Errors - for all other types of errors (for example, config errors, SQL errors, and so on).

Success Payloads

{
"customerIdFormat": "{%customerId%}::{%divisionId%}::{%groupId%}",
"type": "customer"
}

Access PII

/privatedata/{id_type}

Retrieves PII in the system

Method

  • GET

Accept

  • application/json

  • application/xml

Path Parameters

  • id_type: The query group type for which PII is to be retrieved.

Query Parameters

  • customer_id: (required) The customer ID string to be used in looking up PII. The format of this string must conform to the format indicated for the query group type.

  • jsonFormat: The type of JSON format to return. Valid values: "concise" (default), "full". Applicable only if Accept=application/json.

Response Codes and Error Messages

  • 200 - Success

  • 400 - Bad Request - Produced for the following situations:

    Customer ID does not match the required format

    Invalid input type

    Missing customer ID

    Invalid jsonFormat

  • 500 - Internal Server Errors - for all other types of errors (for example, config errors, SQL errors, and so on).

Success Payloads

  • When Accept=application/json, this API will return PII in JSON format.

  • When Accept=application/xml, this API will return PII formatted as an HTML page.

  • Refer to section Output Format for Accessing PII for more details.

Remove PII

/privatedata/{id_type}

Removes PII from the system.

Method

  • DELETE

Accept

  • application/json

Path Parameters

  • id_type: The query group type for which PII is to be removed.

Query Parameters

  • customer_id: (required) The customer ID string to be used in looking up PII. The format of this string must conform to the format required for the query group type.

Response Codes

  • 200 - Success - Delete successful

  • 412 - Precondition Failed - Unable to delete.

  • 400 - Bad Request - Produced for the following situations:

    Customer ID does not match the required format

    Invalid input type

    Missing customer ID

  • 500 - Internal Server Errors - for all other types of errors (for example, config errors, SQL errors, and so on).

Validate If PII Can Be Removed

/privatedata/{id_type}/validateForget

Validates whether a customer can be removed from the system.

Method

  • GET

Accept

  • application/json

Path Parameters

  • id_type: The query group type for which PII is to be removed.

Query Parameters

  • customer_id: (required) The customer ID string to be used in looking up PII. The format of this string must conform to the format required for the query group type.

Response Codes

  • 200 - Success - Person can be deleted

  • 412 - Precondition Failed - Person cannot be deleted

  • 400 - Bad Request - Produced for the following situations:

    Customer ID does not match the required format

    Invalid input type

    Missing customer ID

  • 500 - Internal Server Errors - for all other types of errors (for example, config errors, SQL errors, and so on).
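The request rules in the endpoint list above (required headers, path and query parameters, documented response codes) can be enforced on the client before anything leaves the machine. The following is an added example, not Oracle's code: it assumes the "Base64 encoded credentials string" is HTTP Basic, the base URL and the `send` callable (the HTTP layer, returning a status code) are hypothetical, and calling validateForget before DELETE is this example's own choice.

```python
import base64
import re
from urllib.parse import quote, urlencode, urlsplit

# HTTP method per private data action, and the response codes this page documents.
METHODS = {"access": "GET", "validateForget": "GET", "forget": "DELETE"}
OUTCOMES = {200: "ok", 400: "bad_request", 412: "precondition_failed", 500: "server_error"}


def matches_format(customer_id, id_format):
    """Check customer_id against a customerIdFormat such as '{%a%}::{%b%}'."""
    literals = re.split(r"\{%\w+%\}", id_format)
    if len(literals) < 2:
        raise ValueError("format contains no {%field%} placeholder")
    m = re.fullmatch("(.+?)".join(re.escape(s) for s in literals), customer_id)
    separators = [s for s in literals if s]
    # Every field must be non-empty and must not swallow a separator.
    return bool(m) and not any(s in g for g in m.groups() for s in separators)


def build_request(base_url, action, id_type, customer_id, id_format, user, password):
    """Return (method, url, headers) for one Private Data call, or raise ValueError."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("Base64 only encodes the credentials; require an HTTPS endpoint")
    if action not in METHODS:
        raise ValueError(f"unknown action: {action!r}")
    if not matches_format(customer_id, id_format):
        raise ValueError("customer_id does not match the query group type's format")
    path = "/privatedata/" + quote(id_type, safe="")  # id_type cannot add path segments
    if action == "validateForget":
        path += "/validateForget"
    url = base_url.rstrip("/") + path + "?" + urlencode({"customer_id": customer_id})
    # Assumption: the "Base64 encoded credentials string" is HTTP Basic (user:password).
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return METHODS[action], url, {"Accept": "application/json", "Authorization": "Basic " + token}


def forget_customer(send, base_url, id_type, customer_id, id_format, user, password):
    """Call validateForget first; issue DELETE only if the server answers 200."""
    args = (id_type, customer_id, id_format, user, password)
    check = OUTCOMES.get(send(*build_request(base_url, "validateForget", *args)), "unexpected")
    if check != "ok":
        return "not_removed:" + check
    result = OUTCOMES.get(send(*build_request(base_url, "forget", *args)), "unexpected")
    return "removed" if result == "ok" else "not_removed:" + result


if __name__ == "__main__":
    # Constructed stand-in for the HTTP layer: the server says the person cannot be deleted.
    calls = []
    def send(method, url, headers):
        calls.append((method, url))
        return 412
    fmt = "{%customerId%}::{%divisionId%}::{%groupId%}"
    print(forget_customer(send, "https://pom.example.invalid/api", "customer",
                          "C100::D1::G7", fmt, "svc_user", "constructed-password"))
    print(calls)  # only the validateForget GET was sent
```

The `id_format` argument is the `customerIdFormat` value returned by `/privatedata/config/{action}/{id_type}`; the server remains the authority on whether an ID is valid.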

Output Format for Accessing PII

The following output formats are supported by the REST endpoint for accessing PII:

Format Description

Concise JSON (default)

Human readable JSON format.

Concise but cannot be parsed into a generic structure at runtime.

Full JSON

Full JSON format that can be parsed electronically.

Ideal for importing data into the system (a future functionality)

Human Readable HTML

Human readable HTML format.