5 Process Orchestration and Monitoring Cloud Service Authentication & Authorization
Authentication confirms the identity of a user (is this user John Smith?). Authorization determines what parts of an application a user can access and what actions the user can perform (is John Smith allowed to run a batch job?).
Authentication and IDCS or OCI IAM
As of version 19.0.001, Process Orchestration and Monitoring (POM) Cloud Service Suite uses Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP).
https://www.oracle.com/cloud/paas/identity-cloud-service.html
When a user connects to the POM User Interface, the request is redirected to the IDCS or OCI IAM login screen. IDCS or OCI IAM authenticates the user. When a user logs out of POM, the IDCS or OCI IAM logout is invoked to disable session authentication.
IDCS and OCI IAM
IDCS and OCI IAM are Oracle's cloud-native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premises applications to extend the scope of this SSO.
IDCS and OCI IAM are available in two tiers: Foundation and Standard.
- Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.
- Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.
Details of the specific features available in each tier and the IDCS or OCI IAM Standard Tier licensing model are available in Administering Oracle Identity Cloud Service. Process Orchestration and Monitoring Cloud Service Suite only requires the Foundation Tier, as the Foundation Tier includes key features such as User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.
IDCS or OCI IAM and Oracle Retail Enterprise Roles
When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS or OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS or OCI IAM instance.
IDCS or OCI IAM and Application Users
Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.
The customer administrator user has the ability to define password complexity and rotation rules. All Application User maintenance is performed by Customer Administrators through IDCS or OCI IAM. A key feature of IDCS or OCI IAM is that basic user maintenance can be further delegated through identity self-service.
When application users are created in IDCS or OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Process Orchestration and Monitoring Cloud Service. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.
Note:
The IDCS or OCI IAM username is passed to Process Orchestration and Monitoring (POM) as the application user ID. It is persisted in the database as part of the basic POM transaction audit trail. If the corporate email address is used as the IDCS or OCI IAM username, that email address is persisted to the POM database. To fully inform POM users that their corporate email address will be saved, we recommend that the retailer implement the IDCS or OCI IAM Terms of Use functionality. The IDCS or OCI IAM Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. This feature allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for POM auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.
https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-terms-use.html
JET Security
As mentioned earlier, the Process Orchestration and Monitoring (POM) application features a classic ADF User Interface (UI) that is being deprecated as of POM 19.1.002. It is replaced with a JET-based UI.
Oracle POM security requirements come from the need to protect application data from unauthorized changes. This is accomplished by the following security features:
- Authentication - The POM JET UI restricts access to users that have been authenticated by the configured security provider.
- Authorization - The POM JET UI uses enterprise roles to limit what features individual users can access.
- Origin Control - The POM JET UI implements the Cross-Origin Resource Sharing (CORS) protocol to allow only same-origin requests.
- Transport Security - The POM JET UI and services communicate through REST calls. These communications need to be secured.
  - Always use TLS encryption. Endpoints should be HTTPS URLs and the servers should be configured to use trusted certificates.
  - Route access through WTSS or equivalent. Make sure all service URLs are at a location exposed on WTSS; otherwise each endpoint will be independently authenticated.
- The JET UI and services communicate through REST calls which are secured using the JAX-RS security implementation.
For more information regarding securing RESTful Web Services, refer to https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF113
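To make the same-origin rule above concrete, the following is an added example, not POM's own code and not how the JET UI or the JAX-RS layer implements it. It shows how a server-side check decides whether a browser request's Origin header matches the application's own origin (scheme, host and effective port must all agree, so an explicit ":443" on an HTTPS origin still matches, while a plain-HTTP or look-alike host does not) and which response headers a same-origin-only policy emits. The server origin https://pom.example.com is an assumed placeholder.

```python
from urllib.parse import urlsplit

# Default ports per scheme: an explicit ":443" on an https URL is the same origin as none.
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> tuple:
    """Reduce an origin URL to the (scheme, host, port) triple that defines an origin.

    Raises ValueError for anything that is not a plain http(s) origin, including the
    literal "null" origin that browsers send for sandboxed or opaque contexts.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def is_same_origin(request_origin: str, server_origin: str) -> bool:
    """True only when scheme, host and effective port all match."""
    try:
        return normalize_origin(request_origin) == normalize_origin(server_origin)
    except ValueError:
        return False


def cors_response_headers(request_headers: dict, server_origin: str) -> dict:
    """Headers to add to a response under a same-origin-only CORS policy.

    A browser adds Origin to every cross-origin request, so a missing header means a
    same-origin (or non-browser) caller and nothing needs to be echoed back. A foreign
    origin gets no Access-Control-Allow-Origin at all, so the browser blocks the response.
    """
    origin = request_headers.get("Origin")
    if origin is None or not is_same_origin(origin, server_origin):
        return {}
    # Echo the exact origin rather than "*" so credentials are never shared cross-origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample: the server's own origin is a placeholder, not a real POM host.
    server = "https://pom.example.com"
    for origin in ["https://pom.example.com:443", "http://pom.example.com",
                   "https://other.example.org", "null"]:
        print(origin, "->", cors_response_headers({"Origin": origin}, server))
```

The check deliberately fails closed: any Origin that cannot be parsed as an http(s) origin is treated as foreign, and the allowed origin is echoed back verbatim instead of a wildcard.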
User Roles
Roles are used to classify users based on job responsibilities and actions to be performed in the Oracle Retail Process Orchestration and Monitoring application (POM). Using roles, a user's access can be restricted to specific areas or functions within the application. In POM, users must be associated with at least one job role in order to access the application.
The following topics are covered in this chapter:
- Roles
- Functional Access by Role
Roles
POM comes with a set of pre-defined roles described in the table below. In addition to the roles, the table contains an alias for each role, which is used in the next section for easier reading.
Note:
The first two roles have thus far been associated with POM's classic user interface and are being deprecated along with the classic user interface itself. Customers need to migrate to the other four roles before those classic roles are removed.
In the new user interface, these roles have been given access similar to what they had in the classic user interface.
Table 5-1 Roles
Role | Alias | Description |
---|---|---|
BATCH_MONITORING_JOB | Monitor | One of the classic user interface roles. Users within this role are typically retailer administrators responsible for monitoring and executing batch. They can perform select activities on the Batch Monitor screen to move the schedule along. |
BATCH_BUSINESS_JOB | Business User | Another one of the classic user interface roles. Users within this role are typically retailer business users responsible for just monitoring batch and configuring POM to enable callbacks into the Company's systems. |
BATCH_ADMINISTRATOR_JOB | Administrator | Users within this role are retailer administrators with full access to all POM actions. They monitor, maintain and configure the batch schedules. They may also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with Oracle support personnel to address those issues. Finally, they may apply batch schedule patches and upgrades. Additionally, users assigned this role are given access to the Oracle AMS Utilities screen. |
BATCH_VIEWER_JOB | Viewer | Users within this role are retailer business users responsible for just monitoring batch. They have view access to all POM screens except AMS Utilities. |
BATCH_SCHEDULE_CONFIGURATION_MANAGER_JOB | Schedule Config Mgr | Users within this role are typically retailer administrators responsible for just monitoring batch and configuring external dependencies and callbacks into the Company's systems. They have view access to all POM screens except AMS Utilities. |
BATCH_SCHEDULE_ADMINISTRATOR_JOB | Schedule Admin | Users within this role are typically retailer administrators responsible for maintaining, monitoring and executing batch. They have view access to all POM screens except AMS Utilities. They can perform select activities on the Batch Monitor screen to move the schedule along. They also have update access to the Batch Administration screen. They can also configure some application properties and can configure a new schedule. |
BATCH_ORACLE_AMS_ADMINISTRATOR_JOB | AMS Admin | Users within this role are typically Oracle AMS administrators who monitor, maintain and configure the batch schedules. They also maintain POM application configurations for efficient operations. They troubleshoot batch issues and work with other Oracle development and support personnel to address those issues. Finally, they apply POM and batch schedule patches and upgrades. |
Functional Access by Role
This section lists all roles that have update access for each functional aspect of every screen. It is organized by screen, except for the first two tables.
Table 5-2 External Integration
Feature | Roles (aliases) with access |
---|---|
Invoking batch execution from an external system | Monitor, Schedule Admin, Administrator, AMS Admin |
Requesting the status of a batch execution | Monitor, Schedule Admin, Administrator, AMS Admin |
Releasing dependency on an external process | Monitor, Schedule Admin, Administrator, AMS Admin |
Table 5-3 POM Task Menu
Feature | Roles (aliases) with access |
---|---|
Show Batch Monitoring task | Monitor, Business User, Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show System Configuration task | Business User, Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show Batch Administration task | Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show Scheduler Administration task | Administrator, Monitor, Schedule Admin, AMS Admin |
Show Schedule Maintenance task | Administrator, Viewer, Schedule Config Mgr, Schedule Admin, AMS Admin |
Show AMS Utilities task | AMS Admin |
Table 5-4 Screen: Batch Monitoring
Feature | Roles (aliases) with update access |
---|---|
Buttons for Create Schedule, Close Schedule and Restart Schedule | Monitor, Schedule Admin, Administrator, AMS Admin |
Jobs table on Batch Monitoring screen - Buttons for Run, Rerun, Hold, Release, Skip, Release Skip, and action for Add Comments | Monitor, Schedule Admin, Administrator, AMS Admin |
Jobs table Actions menu on Batch Monitoring screen - Edit Parameters (for selected job) | Monitor, Schedule Admin, Administrator, AMS Admin |
Job Details screen - Enable/Disable External Dependencies | Monitor, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Job Details screen - Retry Schedule Link button | Monitor, Administrator, AMS Admin |
Job Details screen - Retry Callback button | Monitor, Administrator, AMS Admin |
Execution Engine display Configuration | Administrator, AMS Admin |
Download Job Log | All authenticated users |
Download Cycle Summary | All authenticated users |
Scheduler Tasks Monitoring and actions | Monitor, Administrator, Schedule Admin, AMS Admin |
Table 5-5 Screen: System Configuration
Feature | Roles (aliases) with update access |
---|---|
System tab - Update actions | Administrator, AMS Admin |
Schedule tab - Update actions for general & environment settings | Administrator, AMS Admin |
Schedule tab - Job admin system options dialog | Administrator, AMS Admin |
Schedule tab - Update actions for MDF configuration | Administrator, AMS Admin |
Schedule tab - Update actions for job admin throttling configuration | Administrator, AMS Admin |
System tab - Update actions for external configurations | Business User, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Global Edit - Settings updates | Administrator, AMS Admin |
Global Edit - External Configuration updates | Business User, Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Configure New Schedule | Administrator, Schedule Admin, AMS Admin |
Table 5-6 Screen: Batch Administration
Feature | Roles (aliases) with update access |
---|---|
Export Config and Import Config buttons | Administrator, Schedule Admin, AMS Admin |
Enable/disable switch on each of the Recurring Flows and Jobs within each Flow | Administrator, Schedule Admin, AMS Admin |
Jobs table on main UI - Edit and Enable/Disable actions | Administrator, Schedule Admin, AMS Admin |
Batch Job Details - Enable/Disable Dependencies | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete Inter-Schedule Dependencies | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete Schedule links | Administrator, AMS Admin |
Batch Job Details - Create/Enable/Disable/Delete External Dependencies | Administrator, Schedule Config Mgr, Schedule Admin, AMS Admin |
Table 5-7 Screen: Scheduler Administration
Feature | Roles (aliases) with update access |
---|---|
All Functions on the Scheduler Administration screen | Monitor, Administrator, Schedule Admin, AMS Admin |
Table 5-8 Screen: Schedule Maintenance
Feature | Roles (aliases) with update access |
---|---|
All actions: Import Latest Schedule button, Upgrade and Retry buttons in table row, Download Configuration, and download POM seed data | Administrator, AMS Admin |
Table 5-9 Screen: AMS Utilities
Feature | Roles (aliases) with update access |
---|---|
Manual Job Run | Administrator, AMS Admin |
Override Job Status | Administrator, AMS Admin |
Override Execution Request Status | Administrator, AMS Admin |
Table 5-10 Screen: Application Properties
Feature | Roles (aliases) with update access |
---|---|
Application Properties | Schedule Admin, Administrator, AMS Admin |
Private Data REST Services
This section contains details about the REST Services flavor of the Private Data Services and Tools documented by the framework team.
Retailers must call the Private Data REST Service endpoints with the following request headers:
Table 5-11 Request Header
Name | Value | Required | Description |
---|---|---|---|
Accept | application/json OR application/xml | Yes | Tells the server the MIME type of the resource. |
Authorization | Base64 encoded credentials string | Yes | Authenticates a user agent with the server. |
List of Endpoints
The table below shows the details of calling the Private Data Service APIs through REST endpoints:
Action | Endpoint Path | Description |
---|---|---|
Get a List of Query Group Types | /privatedata/config/{action} | Returns the valid ID types that can be used in private data calls. Documented attributes: Method, Accept, Path Parameters, Response Codes. Success payload: { "types": [ "raf", "supplier", "customer" ] } |
Get Query Group Type Information (for example, Lookup customer ID) | /privatedata/config/{action}/{id_type} | Returns details of the query group type, including the customer ID format required to access or remove PII data. Documented attributes: Method, Accept, Path Parameters, Response Codes. Success payload: { "customerIdFormat": "{%customerId%}::{%divisionId%}::{%groupId%}", "type": "customer" } |
Access PII | /privatedata/{id_type} | Retrieves PII in the system. Documented attributes: Method, Accept, Path Parameters, Query Parameters, Response Codes and Error Messages, Success Payloads. |
Remove PII | /privatedata/{id_type} | Removes PII from the system. Documented attributes: Method, Accept, Path Parameters, Query Parameters, Response Codes. |
Validate If PII Can Be Removed | /privatedata/{id_type}/validateForget | Validates whether a customer can be removed from the system. Documented attributes: Method, Accept, Path Parameters, Query Parameters, Response Codes. |
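The following is an added example of a client for the request headers and endpoints above; it is not POM's code and not the framework team's tooling. It builds the mandatory Accept and Authorization headers (the Authorization value is Base64 of "username:password", which is reversible encoding rather than encryption, so the helper refuses any base URL that is not HTTPS), renders a customer ID from the customerIdFormat template returned by the query group type endpoint, and composes the Access PII request. The host https://pom.example.com, the query parameter name "id" and the sample type information are assumptions; the page does not name the query parameter or list valid {action} values.

```python
import base64
import re
from urllib.parse import quote, urlencode, urlsplit
from urllib.request import Request

# Assumed placeholders: the real POM host and the name of the query parameter that
# carries the customer ID are not given on the page.
BASE_URL = "https://pom.example.com"
ID_QUERY_PARAM = "id"  # hypothetical parameter name

# Constructed sample of the "Get Query Group Type Information" response, shaped like
# the success payload shown in the endpoint table.
SAMPLE_TYPE_INFO = {
    "customerIdFormat": "{%customerId%}::{%divisionId%}::{%groupId%}",
    "type": "customer",
}

# Matches one {%name%} placeholder inside customerIdFormat.
_PLACEHOLDER = re.compile(r"\{%(\w+)%\}")


def basic_auth_header(username: str, password: str) -> str:
    """Authorization value: Base64 of 'username:password' (HTTP Basic).

    Base64 is reversible encoding, not encryption, so the header is only safe on TLS.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def render_customer_id(id_format: str, values: dict) -> str:
    """Fill every {%name%} placeholder of customerIdFormat; refuse partial IDs."""
    def fill(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {name}")
        return str(values[name])
    return _PLACEHOLDER.sub(fill, id_format)


def private_data_request(base_url, path, username, password,
                         accept="application/json", params=None) -> Request:
    """Build a request carrying the two mandatory headers; reject non-HTTPS base URLs."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("Private Data endpoints must be called over HTTPS")
    if accept not in ("application/json", "application/xml"):
        raise ValueError("Accept must be application/json or application/xml")
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    headers = {"Accept": accept, "Authorization": basic_auth_header(username, password)}
    return Request(url, headers=headers)


def lookup_pii_request(base_url, id_type, type_info, id_values, username, password):
    """Compose the Access PII request for one customer from the type's ID format."""
    customer_id = render_customer_id(type_info["customerIdFormat"], id_values)
    path = f"/privatedata/{quote(id_type)}"
    return private_data_request(base_url, path, username, password,
                                params={ID_QUERY_PARAM: customer_id})


if __name__ == "__main__":
    # Constructed credentials and ID components; nothing is sent on the network here.
    req = lookup_pii_request(BASE_URL, SAMPLE_TYPE_INFO["type"], SAMPLE_TYPE_INFO,
                             {"customerId": "C100", "divisionId": "D1", "groupId": "G7"},
                             "svc_user", "example-password")
    print(req.full_url)
    print(dict(req.header_items()))
```

The request object can be handed to urllib.request.urlopen, which verifies the server certificate against the system trust store by default; that verification is what makes the Base64 credential header safe in transit.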
Output Format for Accessing PII
The following output formats are supported by the REST endpoint for accessing PII:
Format | Description |
---|---|
Concise JSON (default) | Human readable JSON format. Concise, but cannot be parsed into a generic structure at runtime. |
Full JSON | Full JSON format that can be parsed electronically. Ideal for importing data into the system (a future functionality). |
Human Readable HTML | Human readable HTML format. |