Manage Database Resources

Data security policies secure your database resources. You can configure database resources if you want to define and secure a new database resource, or if the predefined data security conditions for a database resource don't meet your needs.

Using the Manage Database Resources and Policies page of the Security Console, you can:

  • Define a new database resource

  • Create data security policies to secure a new database resource

  • Create database resource conditions for a database resource

To perform the tasks in this topic, you must have the IT Security Manager job role.

Note: It's recommended that you use custom access groups to configure your users' access to data whenever possible. Access groups provide better performance than custom data security policies and are easier to manage. Use the procedures in this topic to configure data security only if your requirements can't be achieved using access groups. For additional information about access groups, see the Access Groups chapter.

Define Database Resources

A database resource is a database table or view that corresponds to a business object. When you create a custom business object that you want to secure, you must define its associated database table or view as a database resource. To define a table or view as a database resource, you must:

  • Specify the primary key column of the database resource

  • Filter columns of the database resource to exclude them from the row instance sets that can be made available to users through data security policies

  • Identify conditions and actions for the database resource to determine what portions of the resource you can secure with data security policies and the operations that can be performed on the data

The following procedure describes each of these tasks.

To define a new database resource:

  1. On the Security Console Administration tab, select the General subtab, then click Manage Database Resources.

    The Manage Database Resources and Policies page is displayed.

  2. In the Search Results region, click the Create icon.

    The Create Database Resource page is displayed. The General Information subtab is selected by default.

  3. Enter the values for the new database resource.

    The following table describes the field values to specify for the new database resource.

    | Field | Value |
    |---|---|
    | Object Name | The name of the custom business object you want to define as a database resource. |
    | Display Name | The display name of the business object. |
    | Data Object | Select the data resource (table or view) that the custom business object represents. When you select a value for the Data Object field, the Primary Key Columns and Filter Column Details areas are displayed. |
    | Module | Select the user module associated with the resource. |

  4. Click the Function Security Enabled check box if functional security policies have been defined for the business object.

  5. In the Primary Key Columns area, click the Create icon.

  6. In the Primary Key field, select the primary key column of the database table or view that the business object represents.

  7. In the Filter Column Details area, select columns you want to exclude from the row instance sets defined by data security policies. The data from filtered columns isn't accessible by users. To select a column as a data filter, move it from the Available Columns list to the Selected Columns list.

  8. Click the Condition subtab to create conditions for the new database resource, then click the Create icon.

    The Create Database Resource Condition dialog box is displayed. Conditions specify the rows of the database resource that can be secured by data security policies.

  9. Create resource conditions as described in the procedure Creating Conditions for a Database Resource later in this topic.

  10. Click the Action subtab.

    You define actions on the database resource to specify the operations data security policies can secure on a business object. For example, you can specify whether a user might have read, update, or delete access by naming actions for each of these and granting them in a data security policy to a particular role. An action must correspond with an operation that the business object implements.

  11. Click the Add Row icon.

  12. Enter a value in the Name and Display Name fields. The action name you enter must match an operation name defined for the corresponding business object. Actions act on the row instance sets specified by the database resource conditions that you define in a data security policy, that is, conditions determine the row instance set available to a user for a given action.

    You can specify more than one action.

  13. Click Submit.

  14. When the confirmation dialog box is displayed confirming that the database resource was created, click OK.

Create Conditions for a Database Resource

Database resource conditions define what portions of a database resource can be secured by data security policies. You can't edit the predefined conditions provided by Oracle, but you can create new conditions for a predefined database resource or for a database resource you've created.

A condition is a group of row instances that are determined by a simple XML filter or an SQL predicate (WHERE clause) that queries the attributes of the resource itself. You can define a condition to specify multiple row instance sets using an SQL WHERE clause with parameters. You don't need to define a condition for single row instance conditions (single value) or for all row instance conditions (all values). Both the single-value case and the all-values case can be easily defined when you create the data security policy.

Caution: It's recommended that you avoid creating custom SQL predicates because they can have a negative impact on application performance. If you do use custom SQL predicates, you are responsible for creating and maintaining them yourself.

To create conditions for a database resource:

  1. On the General subtab of the Security Console Administration tab, click Manage Database Resources.

    The Manage Database Resources and Policies page is displayed.

  2. Search for the database resource whose conditions you want to edit.

  3. In the Search Results list, select the appropriate database resource, then click the Edit icon.

    The Edit Data Security page is displayed.

  4. Select the Condition subtab to define a new condition for the resource.

    Any existing conditions defined for the database resource are displayed. You can't delete or edit any predefined conditions.

  5. Click the Create icon.

    The Create Database Resource Condition dialog box is displayed.

  6. Enter a name and display name for the condition.

  7. For the Condition Type, select one of the following:

    • Select Filter if you want to use the attribute picker to define a simple condition. If you select the filter condition type, you also must specify the following values:

      • For the Match option, select the All option if you want the filter conditions to include AND clauses or select the Any option if you want the filter conditions to include OR clauses.

      • In the Conditions area, click the Add icon.

      • Define the filter values.

        The following table describes the filter values for each field.

        | Field | Value |
        |---|---|
        | Column Name | Select the column for which you're defining the filter. |
        | Tree Operators | Select this option if the operator you want to use in the filter is a tree operator. |
        | Operator | Choose the operator for the selected column filter. |
        | Value | Enter a value as the test for the operator. If you specified the Tree Operators option, click the Search icon. The Select Tree Node dialog box is displayed, allowing you to choose the operator value. |

      • Click Save.

    • Select SQL Predicate if you know the attribute names of your condition and you want to use an SQL predicate consisting of a query on the table or view named by the database resource. Enter the SQL values in the SQL Predicate field.

  8. Click Save to save the new condition.

Create a Data Security Policy for a Database Resource

When you register a new business object as a database resource, users will initially be prevented from initiating the operations of the business object or from accessing the data of the resource. You define data security policies to make the data of a custom business object available to the users of the application.

Before you create a data security policy, make sure that the following tasks have been completed:

  • Identify the business object that you want to secure and register its associated database table or view as a database resource.

  • Identify and define any conditions that you want to make available for the database resource.

  • Identify and register the actions that you want to secure for this database resource.

To create a policy for a database resource:

  1. On the General subtab of the Security Console Administration tab, click Manage Database Resources.

    The Manage Database Resources and Policies page is displayed.

  2. Search for the database resource that you want to secure by defining a policy.

  3. In the Search Results list, select the database resource, then scroll down to the Policies Details area.

    All the policies defined for the database resource are displayed.

  4. You can select an existing policy for editing by selecting the policy then clicking the Edit icon. In this case, however, click the Create icon to create a new policy.

    The Create Policy dialog box is displayed with the General subtab selected.

  5. Specify the following information for the new policy:

    • In the Name field, enter a name for the policy.

    • In the Start Date field, enter the date on which the policy is to become active.

    The Module field is pre-filled with the name of the module associated with the database resource for which you're creating the policy, but you can change this value.

  6. Click the Role subtab, then click the Add icon to select the roles that are to be assigned the new policy.

    The Select and Add: Roles dialog box is displayed.

  7. Select the roles to be assigned the new policy as follows:

    • In the Role Name field, enter the name of the role.

    • In the Application field, enter the application stripe of the role, for example, CRM, HCM, or FSCM, then click Search.

    • Select a role from the list of roles displayed, then click Apply to associate the role with the new policy.

    • Select any additional roles from the list and, when you have finished adding roles, click OK.

    All users assigned the roles you select are provided with access to the data defined in the policy.

  8. Click the Rule subtab to define a rule to specify the rows of the database resource to which the policy applies.

  9. Select one of the following values in the Row Set field:

    • To secure a specific row, select Single Value, then search for and select the row you want to secure in the Row field.

    • To secure all rows in the resource, select All Values.

    • To secure a subset of the data in the data resource, select Multiple Values, then search for and select the condition that defines the subset of the data to be secured in the Condition field.

  10. Click the Action subtab, then move actions from the Available Actions list to the Selected Actions list to specify the actions, applicable to the data secured on the database resource, which you want to grant to the role.

  11. Click Save and Close.
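
The following added example is a conceptual model of how the pieces configured in this topic combine when access is evaluated: a resource with a primary key, filtered columns, conditions and actions, and policies that grant actions on a row set to roles. It is not Oracle code and not part of the original topic. Assumptions: all resource, role, column and condition names, the two filter operators, and the rule that grants from several policies are additive.

```python
# Conceptual model, not Oracle code; every name and value here is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Resource:
    primary_key: str
    filtered_columns: set   # columns excluded from row instance sets
    actions: set            # operations the business object implements
    conditions: dict = field(default_factory=dict)  # name -> (match, tests)

@dataclass
class Policy:
    roles: set
    row_set: str            # "single", "all" or "multiple"
    actions: set
    row: object = None      # primary key value when row_set == "single"
    condition: str = None   # condition name when row_set == "multiple"

# Assumed operator set for filter conditions (the page does not list them).
OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b}

def row_matches(resource, policy, row):
    if policy.row_set == "all":
        return True
    if policy.row_set == "single":
        return row[resource.primary_key] == policy.row
    match, tests = resource.conditions[policy.condition]
    results = [OPS[op](row[col], value) for col, op, value in tests]
    return all(results) if match == "All" else any(results)  # AND vs OR

def visible_rows(resource, policies, user_roles, action, rows):
    """Rows the user may act on; empty when no policy grants the action."""
    if action not in resource.actions:
        return []
    granted = [p for p in policies
               if p.roles & user_roles and action in p.actions]
    return [{c: v for c, v in row.items() if c not in resource.filtered_columns}
            for row in rows
            if any(row_matches(resource, p, row) for p in granted)]

# Constructed sample data.
RESOURCE = Resource("ID", {"SALARY"}, {"read", "update"}, {
    "EMEA_OPEN": ("All", [("REGION", "=", "EMEA"), ("STATUS", "<>", "CLOSED")])})
POLICIES = [
    Policy({"EMEA_REP"}, "multiple", {"read"}, condition="EMEA_OPEN"),
    Policy({"AUDITOR"}, "single", {"read", "update"}, row=3)]
ROWS = [
    {"ID": 1, "REGION": "EMEA", "STATUS": "OPEN", "SALARY": 100},
    {"ID": 2, "REGION": "EMEA", "STATUS": "CLOSED", "SALARY": 200},
    {"ID": 3, "REGION": "APAC", "STATUS": "OPEN", "SALARY": 300}]
```

A role with no matching policy gets no rows, which mirrors the initial state of a newly registered resource, and the filtered column never appears in any returned row.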