1. Securing SCM
  2. Data Security

Data Security

By default, users are denied access to all data.

Data security makes data available to users by the following means.

  • Policies that define grants available through provisioned roles

  • Policies defined in application code

You secure data by provisioning roles that provide the necessary access.

Data roles also can be generated based on HCM security profiles. Data roles and HCM security profiles enable defining the instance sets specified in data security policies.

When you provision a job role to a user, the job role limits data access based on the data security policies of the inherited duty roles. When you provision a data role to a user, the data role limits the data access of the inherited job role to a dimension of data.

Data security consists of privileges conditionally granted to a role and used to control access to the data. A privilege is a single, real world action on a single business object. A data security policy is a grant of a set of privileges to a principal on an object or attribute group for a given condition. A grant authorizes a role, the grantee, to actions on a set of database resources. A database resource is an object, object instance, or object instance set. An entitlement is one or more allowable actions applied to a set of database resources.

The following table describes the ways through which data is secured.

Data security feature

Does what?

Data security policy

Defines the conditions in which access to data is granted to a role.

Role

Applies data security policies with conditions to users through role provisioning.

HCM security profile

Defines data security conditions on instances of object types such as person records, positions, and document types without requiring users to enter SQL code

The sets of data that a user can access are defined by creating and provisioning data roles. Oracle data security integrates with Oracle Platform Security Services (OPSS) to entitle users or roles (which are stored externally) with access to data. Users are granted access through the privilege assigned to the roles or role hierarchy with which the user is provisioned. Conditions are WHERE clauses that specify access within a particular dimension, such as by business unit to which the user is authorized.

Data Security Policies

Data security policies articulate the security requirement "Who can do what on which set of data."

For example, warehouse managers can manage inventory transaction data for the inventory organizations in which they can operate.

Who

can do

what

on which set of data

warehouse managers

manage

inventory transactions

for the inventory organizations in which they can operate

A data security policy is a statement in a natural language, such as English, that typically defines the grant by which a role secures business objects. The grant records the following.

  • Table or view

  • Entitlement (actions expressed by privileges)

  • Instance set (data identified by the condition)

For example, disbursement is a business object that an accounts payable manager can manage by payment function for any employee expenses in the payment process.

Note: Some data security policies aren't defined as grants but directly in applications code. The security reference manuals for Oracle Fusion Applications offerings differentiate between data security policies that define a grant and data security policies defined in Oracle Fusion applications code.

A data security policy identifies the entitlement (the actions that can be made on logical business objects or dashboards), the roles that can perform those actions, and the conditions that limit access. Conditions are readable WHERE clauses. The WHERE clause is defined in the data as an instance set and this is then referenced on a grant that also records the table name and required entitlement.

HCM Security Profiles

HCM security profiles are used to secure HCM data, such as people and departments. Data authorization for some roles, such as the Manager role, is managed in HCM, even in ERP and SCM applications. You can use HCM security profiles to generate grants for a job role such as Manager. The resulting data role with its role hierarchy and grants operates in the same way as any other data role.

For example, an HCM security profile identifies all employees in the Finance division.

Applications outside of HCM can use the HCM Data Roles UI pages to give roles access to HR people.

Data Security Considerations for Oracle Product Hub Cloud

Some products within SCM support data security on a combination of dimensions. Oracle Product Hub Cloud enables customers to build flexible, scalable, security solutions for complex access control requirements for managing product information.

Product Hub Data Security is built on a combination of the criteria listed in the following table with examples of the values for those criteria.

Criteria

Example

who

user Eric Boyer

or which job role

or Product Data Steward

for which item organization

for Seattle branch

can perform what actions

is allowed to perform View Item Structure

on which set of Product Hub business objects

for Printer Item Class

Before creating or viewing items, you define data security for each item class and organization. Data security for an item is set up in the corresponding item class, for each person or group and for each inventory or item organization. All items that you create using an item class inherit the item data security that's defined for the item class. You can also define item-specific data security at the item level.

For each user or user group, you can grant view or maintain data level rights to user-defined attributes. To define data security for user-defined attribute groups, you use extensible attribute group security to secure the data of attribute groups by allowing only certain groups or users to have access. After creating data grants for users or roles, you assign the data grants to an attribute group, then assign data grants to specific groups or users.

You can also provide data security for product data uploaded through Oracle Product Hub Portal Cloud, by assigning appropriate item data privileges to supplier users for the specific item classes that the suppliers will upload product data for.

Note: For more details about data security for Oracle Product Hub Cloud and Product Hub Portal Cloud, see the user assistance and implementation course for that product.

Data Security Considerations for Oracle Fusion Supply Chain Orchestration

To use data security, you need to enable it as a feature. There are also a number of setup steps that you must carry out, in the Security Console and Setup and Maintenance work areas. Here's an overview of how you set up data security for Supply Chain Orchestration:

  1. Navigate to the Setup and Maintenance work area.

  2. Enable the Secure Data in the Supply Orchestration Work Area feature.

  3. Navigate to the Security Console work area.

  4. To any user-defined roles, add the Grant on Supply Order for ORA_DOS_SUPPLY_CHAIN_OPERATIONS_MANAGER_JOB global policy. This policy is inherited by predefined SCO roles by default.

You can also set up a role to accommodate a data security policy. You need to complete this setup in the Security Console work area and in the Setup and Maintenance work area. Here's an overview of the setup:

Actions in the Security Console work area:

Create roles, users, and data security policies.

  1. Use the Roles page to create and save a role. You can also create a data security policy using a predefined condition while creating the role.

  2. On the Administration page, click Manage Database Resources to create and save a data security policy. Do so if you need to create additional data security policies and assign them to existing roles. You can also add user-defined conditions to the policy.

  3. Use the Users page to create a user and assign a role to that user.

Actions in the Setup and Maintenance work area:

Manage data access for users, and bind users and roles to organizations or business units.

  1. In the Setup and Maintenance work area, use this path:

    • Offering: Manufacturing and Supply Chain Materials Management

    • Functional Area: Supply Chain Orchestration

    • Task: Manage Data Access for Users

  2. On the Manage Data Access for Users page, select the Users with Data Access radio button.

  3. Click the Add icon.

  4. In the Create Data Access for Users dialog box, enter required details.

Note: If a predefined condition uses the Organization attribute, bind the user and role to an organization. If a predefined condition uses the Business Unit attribute, bind the user and role to a business unit.

Actions in the Scheduled Processes work area:

Run the Import User and Role Application Security Data scheduled process so that the security changes are refreshed automatically

Conditions for Data Security Policies in Supply Chain Orchestration

You use conditions to restrict data access to users. These conditions may be predefined or user-defined.

Predefined conditions for data security:

The predefined conditions you might use for your data security policies are of three types:

  • Predefined conditions that are ready-to-use without additional setup: Conditions for users authorized as Preparer are ready-to-use.

  • Predefined conditions that must configured in the Security Console work area before use: You must specify an additional parameter while defining the data security policies for certain users:

    • For users authorized for a specific supply type. The values are MAKE, BUY, TRANSFER, ATP, and UNASSIGNED.

    • For users authorized for orders from a specific source. The values are INV, EXT, POR, DOO, YPS, WIE, DOS, and YPR.

    • For users authorized for orders from a specific customer. The value is Customer Name.

    • For users authorized for orders containing configured items. The values are Y and N.

    • For users authorized for back-to-back orders. The values are Y and N.

    • For users authorized for contract manufacturing orders. The values are Y and N.

    • For users authorized for outside processing orders. The values are Y and N.

  • Predefined conditions that must be configured in the Setup and Maintenance work area before use:

    • For users associated with a specific organization. If a predefined condition uses the Organization attribute, bind the user and role to an organization.

    • For users associated with a specific business unit. If a predefined condition uses the Business Unit attribute, bind the user and role to a business unit.

User-defined conditions for data security:

You can use the Security console work area to create your own conditions and assemble them into data security policies. While creating user-defined conditions you get to use additional attributes, and the AND operator. The user-defined conditions you might use for your data security policies are of two types, Filter and SQL Predicate.

  • Filter conditions are set up by selecting one or more attributes from the underlying data resource and creating statements using operators and allowable values. While defining Filter conditions, you must select from only these attributes for your policy:

    • back_to_back_flag

    • config_item_flag

    • contract_manufacturing_flag

    • outside_processing_flag

    • supply_order_source

    • preparer_id

    • customer_id

    • destination_organization_id

    • destination_bu_id

    • supply_type

  • Predicate conditions are SQL query statements appended to a Supply Chain Orchestration UI

Data Security Considerations for Oracle Fusion Cloud Supply Chain Planning

In Oracle Fusion Cloud Supply Chain Planning, users are given full access to all data by default. You need to set up data security to restrict data access.

Oracle Fusion Cloud Supply Chain Planning is another product within SCM that supports data security on a combination of dimensions. Oracle Supply Chain Planning has a flexible model of filters and rules for configuring data access for different users based on their role in the organization.

You enable data security for Supply Chain Planning when you administer planning security, as part of plan inputs. You can then select whether to allow full access, read only access or no access, for any entity.

Users can be granted access based on one of the following:

  • Organizational structure, such as organization or business unit

  • Product structure, such as product line or category

  • Sales organizations

  • Access to specific trading partners, such as customers or suppliers

  • Access to specific measure groups

You can define data access sets, which define the visibility for any job role, using the one of the following criteria:

  • Products

  • Inventory organizations

  • Customers

  • Suppliers

In each of the criteria, you can set up filters at the lowest level (such as Item) or at a higher level (such as Category) by selecting the appropriate hierarchy. Data access sets are then assigned to different users to provide access.

Note: For more details about data security for Supply Chain Planning, see the user assistance and implementation course for that product.