About Setup Users and Security
Providing users with the security permissions they need to complete the setup tasks in this guide is very simple if you used Setup Assistant for your initial setup. You just make a couple of entries and click Save. Provisioning rules provided by Oracle do the rest. This topic provides a brief overview of Oracle's security model, lists the permissions that setup users need, and explains how the provisioning process works.
How Permissions Are Grouped and Provisioned
Oracle uses the Role-Based Access Control (RBAC) security industry standard. The permissions are grouped in two types of roles:
- Job roles, which provide users with the permissions to carry out tasks specific to a job, such as a sales manager or sales administrator
- Abstract roles, which permit users to complete tasks that are common to all employees or resources
You typically provision salespeople with the job roles corresponding to the roles they play in the sales organization (their resource roles), as well as the employee and resource abstract roles. The employee abstract role provides access to reports and personal profile information. Without the resource abstract role, users can't participate in the sales process, create accounts and opportunities, or be assigned to sales teams. You can find the description of each job and abstract role Oracle provides and all the duties that come with it in security reference guides.
When you create users, the application automatically provisions them with the required job roles and abstract roles using role-provisioning rules. Each role-provisioning rule is made up of the rule conditions and the names of the job roles and abstract roles that are assigned to the user if the conditions are met. In the sales application, the job role and the resource abstract role are assigned to a user based on the resource role. The employee abstract role is provisioned to all users of type employee.
As long as you used Setup Assistant, the application creates all the role-provisioning rules you need for setup users and all the standard sales users. If you set up the company information in a different way, then you must create all the role-provisioning rules yourself. That's true if you're setting up the application together with Oracle HCM Cloud or another cloud service. You must also create role-provisioning rules for any additional resource roles you create. You can learn more about role-provisioning rules in the Get Ready to Create Sales Users chapter and in the Securing CX Sales and B2B Service guide.
Security Roles Required by Setup Users
To complete the setup tasks in this guide, you must be provisioned with the security roles listed in the table. The initial user provided by Oracle comes provisioned with only the first three. While the initial user can create other users and perform many setup tasks, the initial user can't complete all the tasks without the additional security roles.
Role | Type | Permissions the Role Provides |
---|---|---|
Application Implementation Consultant | Job Role | Access all setup tasks across all products |
IT Security Manager | Job Role | Access security tasks, including the ability to assign other security roles |
Application Diagnostics Administrator | Job Role | Access diagnostic tests and data |
Employee | Abstract Role | Access BI reports and run and monitor background processes |
Sales Analyst | Job Role | Create sales recommendation rules |
Sales Administrator | Job Role | Perform the sales administrator duties |
How You Create and Provision Setup Users
To provision the required security roles, just create setup users as users of type employee and assign them the Sales Setup User resource role. It doesn't matter whether the user you're setting up is an actual employee or not. Provided you used Setup Assistant for your initial setup, Oracle creates two role-provisioning rules that do the rest:
- The Employee rule automatically assigns the Employee abstract role to all users of type Employee.
- The Sales Setup User rule automatically assigns all of the required job roles to all users with the Sales Setup User resource role (the condition).
The setup users you create aren't assigned the Resource abstract role, so they can't participate in the sales process. But there is nothing stopping you from creating other provisioning rules to provision sales administrators or others with the same setup permissions.
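The two rules described above can be modeled in a few lines of Python. This is an added example, not Oracle's code or API: it shows what each kind of user ends up with and lets you list who receives IT Security Manager, the role that can assign other security roles. The rule and role names come from this page; the `person_type` and `resource_role` field names, the sample users, and the Salesperson and Contingent Worker values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Job roles from the table on this page that the Sales Setup User rule assigns.
SETUP_JOB_ROLES = frozenset({
    "Application Implementation Consultant",
    "IT Security Manager",
    "Application Diagnostics Administrator",
    "Sales Analyst",
    "Sales Administrator",
})

@dataclass
class Rule:
    name: str
    conditions: dict      # attribute -> required value; every one must match
    roles: frozenset      # roles assigned when the conditions are met

RULES = [
    Rule("Employee", {"person_type": "Employee"}, frozenset({"Employee"})),
    Rule("Sales Setup User", {"resource_role": "Sales Setup User"},
         SETUP_JOB_ROLES),
]

def provision(user, rules=RULES):
    """Return the union of roles from every rule whose conditions all match."""
    granted = set()
    for rule in rules:
        if all(user.get(k) == v for k, v in rule.conditions.items()):
            granted |= rule.roles
    return granted

def missing_setup_roles(user, rules=RULES):
    """Roles from the table that this user would not be provisioned with."""
    return (SETUP_JOB_ROLES | {"Employee"}) - provision(user, rules)

def holders_of(role, users, rules=RULES):
    """Names of users who end up with the given role, for periodic review."""
    return sorted(u["name"] for u in users
                  if role in provision(u, rules))

# Constructed sample users (hypothetical names and attribute values).
USERS = [
    {"name": "setup1", "person_type": "Employee", "resource_role": "Sales Setup User"},
    {"name": "rep1", "person_type": "Employee", "resource_role": "Salesperson"},
    {"name": "contractor1", "person_type": "Contingent Worker", "resource_role": "Sales Setup User"},
]
```

In this model, a user created with a type other than employee still receives the setup job roles but misses the Employee abstract role, and no setup user receives the Resource abstract role.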