Review a User's Access to Object Data

You can view all the access group rules and data security policies that currently affect the visibility a user has to an object, and the names of all the access groups and roles (Oracle CX roles or custom roles) that provide each rule or policy, using the access explorer.

Being able to identify all the access paths through which a user gains access to object records is essential when you want to remove a user's access to a set of data. Here's how to review all the policies and rules assigned to a user:

  1. On the Sales and Service Access Management page, click Explore Access.

  2. On the Explore page, select the name of the user whose access you're investigating in the User Name field.

  3. Select an object from the Object field, for example, select the Opportunity object.

    Don't enter a value in the Public Unique Identifier field. You only enter a value in this field if you want to investigate a user's access to a specific record.

  4. Click Explore.

    The Access Groups and Data Security Policies tables are displayed showing all the active rules and policies that are granted to the user, providing you with an overall view of the user's access to data for the selected object. In each table, you can display more or less data for each rule or policy by selecting options from the View drop-down list for the table.

    Note: The Provides Record Access column in each table indicates if a policy provides access to the record specified in the Public Unique Identifier field. Because you haven't entered a value for this field, the Provides Record Access column is empty and the Provides Record Access drop-down list, which lets you filter values for the Provides Record Access column, is inactive.
    • Access Groups table.

      By default, the following information is displayed in the Access Groups table for each active rule the user is assigned through their access group membership.

      | Field | Description |
      |---|---|
      | Status | The status of the rule. By default, active rules are displayed. A rule is active and provides the user with object access only if all of the following conditions are met: the rule is active; the rule is enabled for an access group the user is a member of; and that access group is active. |
      | Rule Name | The name of the rule that provides object access. Provided you have the Manage Group Access privilege (ZCA_MANAGE_GROUP_ACCESS_PRIV), you can review or edit the rule by drilling down on the rule name link. The access group Object Sharing Rules page is displayed, allowing you to edit the rule in the context of an access group. See the Access Groups chapter for additional information. |
      | Permissions (Read, Update, Delete) | The object permissions provided by the rule. |
      | Group Name and Number | The name and number of the access group that provides the rule. Provided you have the Manage Group Access privilege (ZCA_MANAGE_GROUP_ACCESS_PRIV), you can review or edit the group by drilling down on the group name link. The Edit Access Group page is displayed, allowing you to edit the group. See the Access Groups chapter for additional information. |

    • Data Security Policies and Advanced Permissions tables.

      By default, the following information is displayed in the Data Security Policies table for each active policy the user is assigned, either directly or indirectly. The advanced permissions defined for a selected policy in the Data Security Policies table are shown in the Advanced Permissions table.

      | Field | Description |
      |---|---|
      | Status | The status of the policy. By default, active policies are displayed. |
      | Condition | The condition that must be satisfied for the data security policy to take effect. |
      | Permissions (Read, Update, Delete, Advanced) | The access provided by the policy. |
      | Start Date, End Date | The policy activation start and end dates. |
      | Role Name, Role Code | The name and code of the role that provides the policy. If the user inherits the policy from more than one role, click the link beside the role name to see a list of all roles. |
      | Custom Condition | Indicates whether the condition is a predefined condition or a custom condition that you created. |

  5. Once you have reviewed all the active policies or rules assigned to the user, you can select options from the Show Access drop-down list (Access Groups table) or the Show Conditions drop-down list (Data Security Policies table) to view rules and policies available for the object that the user isn't assigned or isn't receiving access from.

    For example, a user might be assigned a rule through group membership, but if the group isn't active, the user doesn't receive the access provided by the rule. Using these options can help you identify both gaps in a user's data access, and access a user doesn't require.

    This table shows the options available.

    | Filter Option | Description (Data Security Policies Table) | Description (Access Groups Table) |
    |---|---|---|
    | All | Display all policies defined for the object, including policies that are granted to the user and policies that aren't granted. | Display all rules that are defined for the object, including rules that are granted to the user and rules that aren't granted. |
    | Granted and active | Display all active policies for the object that are granted to the user. This is the default value. | Display all active rules the user is assigned. |
    | Granted and inactive | Display all inactive policies defined for the object that are granted to the user. | Display any rule that the user is assigned where the rule is inactive, where the group associated with the rule is inactive, or where the rule isn't enabled for the group. |
    | Granted and future dated | Display all inactive policies defined for the object that are granted to the user which are set to become active at some date in the future. | Not applicable to rules. |
    | Not granted | Display all policies defined for the object that aren't currently granted to the user. | Display any rule that provides object access that isn't granted to the user through access group membership. |
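The following Python model is an added example, not Oracle's code, that reproduces the two classifications this page describes: the three conditions under which an access group rule actually grants access (rule active, rule enabled for a group the user belongs to, group active), and the Show Access / Show Conditions filter values for rules and data security policies. The groups, rules, role codes and policies are constructed sample data, and the treatment of a policy's start and end dates (inactive before the start date, inactive after the end date, future dated when the start date is still ahead) is an assumption made for the example. It is useful when you want to reason about why a user still sees a set of records after you removed one access path.

```python
# Added example: a small model of how the access explorer classifies object sharing
# rules and data security policies for one user. Illustrative only, not the product's
# implementation; all data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccessGroup:
    number: str
    name: str
    active: bool
    members: frozenset          # user names that belong to the group


@dataclass(frozen=True)
class SharingRule:
    name: str
    obj: str                    # object the rule grants access to, e.g. "Opportunity"
    active: bool
    group_settings: tuple       # (group number, enabled) for each associated access group
    permissions: tuple = ("Read",)


@dataclass(frozen=True)
class DataSecurityPolicy:
    obj: str
    condition: str
    role_code: str              # role that carries the policy
    start: Optional[date] = None
    end: Optional[date] = None
    permissions: tuple = ("Read",)


def classify_rule(rule: SharingRule, user: str, groups: dict) -> str:
    """Status of a rule for a user, in the Show Access filter vocabulary."""
    # A rule is assigned to the user through membership of a group it is associated with.
    assigned = [(groups[num], enabled) for num, enabled in rule.group_settings
                if user in groups[num].members]
    if not assigned:
        return "not_granted"
    # The rule grants access only if it is active, enabled for a group the user
    # belongs to, and that group is active (the three conditions from the Status field).
    if rule.active and any(enabled and group.active for group, enabled in assigned):
        return "granted_active"
    return "granted_inactive"


def classify_policy(policy: DataSecurityPolicy, user_roles: set, as_of: date) -> str:
    """Status of a policy for a user holding user_roles, evaluated on as_of.
    Assumption: a policy is inactive before its start date and after its end date."""
    if policy.role_code not in user_roles:
        return "not_granted"
    if policy.start is not None and as_of < policy.start:
        return "granted_future"
    if policy.end is not None and as_of > policy.end:
        return "granted_inactive"
    return "granted_active"


def explore_access(user, obj, groups, rules, policies, user_roles, as_of,
                   show_access="granted_active", show_conditions="granted_active"):
    """Return the two explorer tables for user and obj, filtered like the drop-downs
    ("all" or one of granted_active, granted_inactive, granted_future, not_granted)."""
    def keep(status, wanted):
        return wanted == "all" or status == wanted
    rule_rows = [(r.name, classify_rule(r, user, groups)) for r in rules if r.obj == obj]
    policy_rows = [(p.condition, p.role_code, classify_policy(p, user_roles, as_of))
                   for p in policies if p.obj == obj]
    return {
        "access_groups": [row for row in rule_rows if keep(row[1], show_access)],
        "data_security_policies": [row for row in policy_rows if keep(row[2], show_conditions)],
    }


# Constructed sample data (hypothetical groups, rules, roles and policies).
GROUPS = {g.number: g for g in (
    AccessGroup("G001", "West Sales", True, frozenset({"jsmith"})),
    AccessGroup("G002", "Legacy Team", False, frozenset({"jsmith"})),   # inactive group
    AccessGroup("G003", "Finance", True, frozenset({"akhan"})),         # jsmith not a member
)}
RULES = (
    SharingRule("West opportunities", "Opportunity", True, (("G001", True),), ("Read", "Update")),
    SharingRule("Legacy opportunities", "Opportunity", True, (("G002", True),)),
    SharingRule("Pilot opportunities", "Opportunity", True, (("G001", False),)),  # not enabled
    SharingRule("Finance opportunities", "Opportunity", True, (("G003", True),)),
    SharingRule("West accounts", "Account", True, (("G001", True),)),             # other object
)
POLICIES = (
    DataSecurityPolicy("Opportunity", "Access the opportunities in their territory", "CUSTOM_TERRITORY_ROLE"),
    DataSecurityPolicy("Opportunity", "Access all opportunities", "CUSTOM_SALES_ADMIN_ROLE"),
    DataSecurityPolicy("Opportunity", "Access pilot opportunities", "CUSTOM_SALES_REP_ROLE", start=date(2030, 1, 1)),
    DataSecurityPolicy("Opportunity", "Access archived opportunities", "CUSTOM_SALES_REP_ROLE", end=date(2020, 12, 31)),
)
USER_ROLES = {"CUSTOM_SALES_REP_ROLE", "CUSTOM_TERRITORY_ROLE"}
AS_OF = date(2024, 6, 1)

if __name__ == "__main__":
    for show in ("granted_active", "granted_inactive", "not_granted", "all"):
        print(show, explore_access("jsmith", "Opportunity", GROUPS, RULES, POLICIES,
                                   USER_ROLES, AS_OF, show_access=show, show_conditions=show))
```

With the default filters the model returns exactly one rule and one policy for jsmith on Opportunity, which is the view the explorer opens with. Switching both filters to "granted_inactive" surfaces the rule that reaches the user only through the inactive Legacy Team group and the rule that isn't enabled for West Sales; those are the assignments that look like access on a membership report but grant nothing, and they are the ones most often overlooked when cleaning up a user's access.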