Data Security Privileges for Accessing Items

Using the data security privileges available for items, you can authorize users to create, view, and edit item details.

A product data steward or product manager is typically responsible for managing the item data security by entering data grants for the item. Access to an item and its details is controlled at either the item class or item level.

Data Security and Function Security

Item information is controlled through function security and data security.

  • Function security is a statement of what tasks and actions users can perform in pages.

  • Data security is a statement of what action users can take against which data. In Oracle Product Hub, data security involves providing users with item data grants to perform operations on certain items.

For complete information on function security, data security, and their associated privileges, refer to the Oracle Fusion Cloud SCM Security Reference for Product Management guide and the Oracle Fusion Cloud Applications Security Reference for Common Features guide.

Job Roles, Duty Roles, and Security

Functional privileges are associated with different duty roles and jobs, and these privileges control the access to the tasks. If you have functional privileges, you can grant data security to other users.

  • The Manage Item Classes privilege allows the user to add data grants at the item class level.

  • The Manage Item People privilege allows the user to add data grants at the item level.

These privileges are available for product data stewards and product managers.

For complete information on job roles, duty roles, and their associated privileges, refer to the Oracle Fusion Cloud SCM: Security Reference for Product Management guide and the Oracle Fusion Cloud Applications Security Reference for Common Features guide.

Managing Item Extensible Attributes Data Security

The IT security manager provides access to the Oracle Authorization Policy Manager application where security is managed. Using the relevant job role, you can create data security privileges on the required item EFF tables.

  • The Enable Database Resource Management privilege gives you access to:

    • Edit database resources in Authorization Policy Manager. You can create data security privileges on the required item EFF tables.
    • Manage item EFF attribute groups. You can create required attribute groups and define security conditions. The data privileges created in APM can be associated with the EFF attribute groups.
  • The Manage Item Class functional privilege gives you access to the Manage Item Classes task. This task manages the item-class level data security. The Manage Item People functional privilege provides access to the Manage Item security task. This task manages the item-level data security, and you can access the task from the Actions menu in the Edit Items page.

Notes on Item Data Security Privileges

The following list contains important information on significant item data security privileges and granting privileges for items:

  • The Create Item Class Item (Data) privilege is granted at the item class level and gives you the access to create items within the item class.

  • View Item Basic Data is a basic privilege that you should have in order to search for the item and access it.

  • For managing item details such as relationships, attachments, or associations, you must have the View Item Basic Data and the Maintain Item Basic Data privileges in addition to the required functional privileges.

  • EFF Privilege is user-defined and controls access to item EFF attribute groups.

  • All operational attributes require specific attribute group-level privileges to edit the attributes within the group. The View Item Basic Data privilege provides access to view all the operational attributes.

    Note: To control the access to extensible attribute groups, you can create separate and specific view and edit privileges through the Oracle Security Console.
  • The View Item Structure Data and the Maintain Item Structure Data privileges are required to view and manage item structures. In addition, users must have the View Item Basic Data privilege in order to access the item.

  • The View Item Pack Data and the Maintain Item Pack Data privileges are required to view and manage item packs. In addition, users must have the View Item Basic Data privilege in order to access the item.

  • The Maintain Item People Data privileges allow users to view and manage item data security at the individual item level. In addition, users must have the View Item Basic Data privilege in order to access the item.

Note: For operational attribute groups, the Maintain privileges don't include view access. The corresponding view privileges need to be granted to users explicitly so that they can view and make the required updates.

Managing Data Security Privileges at the Item Class Level

You can manage item access at the item class level. You can provide access to a user or a user group for all items created within an item class at the item class level. The Public check box at the item class level indicates the state of the data security for the items created within the item class. When the item class Public check box is selected, all users and groups can access the items created within the item class. If you want to access the extensible attribute group, then you must set up data grants for the extensible attribute groups.

When the Public check box for the item class is deselected, then you must set up data security for all users and groups that want to control access to the items created within the item class.

  1. Navigate to the Security tab on the Edit Item Class page to add users and specify security privileges.

  2. For each user or user group, grant specific item security privileges allowing them to gain access to only relevant information.

You must specify an organization for the item data grants. The data grant will provide users and user groups with access to the items in that organization. This allows multiple users and user groups to access the same item in different organizations.

The privileges that you grant at the parent item class are inherited by the child item classes. You can't alter the inherited privilege grants at child item-class levels. However, you can manage additional grants at the child item-class levels.

Managing Data Security Privileges at the Item Level

You can also manage item access at the individual item level.

  1. Click Item Security from the Actions drop-down list. The Item Security dialog box opens.

    Note: If the Public check box is selected, it indicates that the item is publicly accessible. You can deselect the Public check box to enable data security for the specific item. The item becomes private and the owner data grants are created for the logged-in user. Only the owner can access the item at this time.
  2. If the item is private, then for each user or user group, grant specific item-security privileges allowing the user or the user group to gain access to only the relevant information.

  3. If the item is public, then for each user or user group, grant specific item-security privileges allowing the user or the user group to gain access to extensible attributes.

Privileges granted at the item-class level are inherited by all items and can't be edited at the item level. However, you can manage additional privilege grants at the item level.

Note: Organization stripping isn't available at the item level. This is because you're managing grants at the individual item level, which is always in the context of an organization.
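The grant inheritance described above can be checked during an access review. The following added example (not Oracle code, and not an Oracle API) models a private item class hierarchy as plain Python data, computes the privileges a user or group effectively holds on an item in one organization, and flags grants that can't be used because View Item Basic Data is missing. The class, item, organization, and principal names are constructed sample values, and group membership resolution is assumed to happen elsewhere.

```python
from dataclasses import dataclass

VIEW_BASIC = "View Item Basic Data"

@dataclass(frozen=True)
class Grant:
    principal: str   # user or user group name
    privilege: str   # item data security privilege
    org: str         # organization the grant applies to

# Constructed sample data (hypothetical class, item, org and principal names).
PARENT = {"Laptops": "Computers", "Computers": "Root Item Class",
          "Root Item Class": None}
CLASS_GRANTS = {
    "Root Item Class": [Grant("steward_grp", VIEW_BASIC, "M1")],
    "Computers": [Grant("steward_grp", "Maintain Item Basic Data", "M1"),
                  Grant("bom_eng", "Maintain Item Structure Data", "M1")],
    "Laptops": [Grant("bom_eng", "View Item Structure Data", "M1")],
}
# Item-level grants are additive and always in the context of one organization.
ITEM_GRANTS = {("LT-100", "M1"): [Grant("bom_eng", VIEW_BASIC, "M1")]}

def inherited_class_grants(item_class):
    """Grants on the item class plus those inherited from every ancestor."""
    grants = []
    while item_class is not None:
        grants.extend(CLASS_GRANTS.get(item_class, []))
        item_class = PARENT[item_class]
    return grants

def effective_privileges(principal, item, item_class, org):
    """Union of inherited class grants and item grants for one organization."""
    grants = inherited_class_grants(item_class) + ITEM_GRANTS.get((item, org), [])
    return {g.privilege for g in grants if g.principal == principal and g.org == org}

def unusable_privileges(principal, item, item_class, org):
    """Granted privileges that can't be used without View Item Basic Data."""
    privs = effective_privileges(principal, item, item_class, org)
    return set() if VIEW_BASIC in privs else privs

if __name__ == "__main__":
    for item in ("LT-100", "LT-200"):
        print(item, sorted(effective_privileges("bom_eng", item, "Laptops", "M1")),
              "unusable:", sorted(unusable_privileges("bom_eng", item, "Laptops", "M1")))
```

In the sample data, bom_eng holds structure privileges on every Laptops item through class grants, but can use them only on LT-100, where an item-level grant adds View Item Basic Data.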

Managing Security Privileges for Product Hub Portal

The product data stewards provide the required supplier product administration privileges to the supplier users to access the Product Hub Portal.

The assignment of the job role to the supplier can be done in the following ways:

  • From Oracle Fusion Cloud Procurement Supplier Portal, while setting up the supplier and its users. This flow is specific to Supplier Portal and not controlled by Product Hub.

  • From Security Console, by searching the supplier user and assigning the relevant supplier product administration role to the user. This role is common to all Oracle Fusion Cloud Applications.

You also need to provide data security privileges at the item class level to the supplier product administrators. Refer to the preceding section, Managing Data Security Privileges at the Item Class Level, for information on how to assign data security privileges to users.