Using the Security Console

Use the Security Console to manage application security in your Oracle Applications Cloud offering. Use the IT Security Manager role to perform security-related tasks pertinent to role management, role analysis, and user-account management.

Oracle Identity Cloud Service Integration

Oracle Public Sector Licensing and Permitting also supports the use of Oracle Identity Cloud Service (IDCS) as an identity provider (IDP) platform. If you are using IDCS, refer to that documentation for tasks related to user management, authentication, resetting passwords, locking accounts, and so on to become familiar with using the Identity Cloud Service Console.

For more information on completing user management tasks in the Identity Cloud Service Console, see the Oracle IDCS administration guide: Administering Oracle Identity Cloud Service.

If you are using Oracle IDCS as your IDP for sign-on authentication, you use the Identity Cloud Service Console to manage user authentication, and you use the Fusion Identity Management Security Console to manage roles.

While the data shared by the two systems is synchronized automatically, the synchronization does not occur immediately (in real time). For example, new user accounts will not get activated in real time. You can wait until the user IDs are synchronized between Fusion Identity Management and IDCS, or you can create the same user ID manually using the IDCS user management console.

Security Console Tasks

You can perform these tasks in the Security Console, grouped by security area:

Roles

  • Create job, abstract, and duty roles.

  • Edit custom roles.

  • Copy roles.

  • Compare roles.

  • Visualize role hierarchies and assignments to users.

  • Review Navigator menus available to roles or users, identifying roles that grant access to Navigator items and privileges required for that access.

Users

  • Create user accounts.

  • Review, edit, lock, or delete existing user accounts.

  • Assign roles to user accounts.

  • Reset passwords.

Analytics

  • Review statistics concerning role categories, the roles belonging to each category, and the components of each role.

  • View the data security policies, roles, and users associated with each database resource.

Certificates

  • Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.

  • Generate signing requests for X.509 certificates.

Administration

  • Establish rules for the generation of user names.

  • Set password policies.

  • Create standards for role definition, copying, and visualization.

  • Review the status of role-copy operations.

  • Define templates for notifications of user-account events such as password expiration.

Security Console Access

You must have the IT Security Manager role to use the Security Console. This role inherits the following duty roles:

  • Security Management

  • Security Reporting

Running Security Background Processes

To prepare the Security Console for use, arrange to run background processes that replenish security data. Also use Security Console Administration pages to select general and role-oriented options, track the status of role-copy jobs, and select, edit, or add notification templates. These generate messages to notify users of events that concern them, such as password-expiration warnings.

Run two background processes:

  • The Retrieve Latest LDAP Changes process copies data from the LDAP directory to Oracle Cloud Applications Security tables. Run it once, during implementation. Select Setup and Maintenance from the Navigator. In the Setup and Maintenance work area, search for and select the Run User and Roles Synchronization Process task.

  • The Import User and Role Application Security Data process copies users, roles, privileges, and data security policies from the identity store, policy store, and ApplCore grants schema to Oracle Cloud Applications Security tables. Schedule it to run regularly to update those tables: Select Scheduled Processes in the Tools work area, and then select the process from the Schedule New Process option.

General Administration Options

Select the Security Console Administration tab, and then the General tab on the Administration page, to set these options:

  • User Preferences

    • Select the format of the User Name, the value that identifies a user as he signs in. It is generated automatically in the format you select. Options include first and last name delimited by a period, email address, first-name initial and full last name, and person or party number.

    • Select the check box labeled "Generate system user name when generation rule fails" to enable the automatic generation of User Name values if the selected generation rule cannot be implemented.

  • Password Policy

    Note: If you are using IDCS as your IDP, then the IDCS password policies will be applied. Refer to your IDCS administration documentation.

    • Establish the number of days a password remains valid. Set the number of days before expiration that a user receives a warning to reset the password. And define the period in which a user must respond to a notification to reset his password ("Hours Before Password Reset Token Expiration").

    • Select a password format.

    • Determine whether a previous password may be reused.

    • Determine whether an administrator can manually modify passwords in the Reset Password dialog, available from a given user's record in the Users tab. This option applies only to the manual-reset capability. An administrator can always use the Reset Password dialog to initiate the automatic reset of a user's password.

  • Certificate Preferences: Set the default number of days for which a certificate remains valid. (Certificates establish keys for the encryption and decryption of data that Oracle Cloud applications exchange with other applications.)

  • Synchronization Process Preferences: Specify a number of hours since the last run of the Import User and Role Application Security Data process. When a user selects the Security Console Roles tab, a warning message appears if the process has not been run in this period.
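The User Name generation rule (with its "generate system user name when generation rule fails" fallback) and the Password Policy windows above can be modelled in a few lines. The following Python is an added illustration, not Oracle's code: the rule keys, the fallback name format, the function names and the sample person record are assumptions; the policy fields follow the options as the page describes them.

```python
"""Added example (not Oracle's code): models the General tab options above.
The rule names, the system-generated fallback format and the sample person
record are assumptions; the policy fields follow the page's descriptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets


def _full(p):
    return bool(p.get("first") and p.get("last"))

# The User Name formats offered on the General tab. A rule returns None when
# the person record lacks the attributes it needs (the "generation rule fails").
RULES = {
    "first.last": lambda p: f"{p['first']}.{p['last']}".lower() if _full(p) else None,
    "email": lambda p: p.get("email") or None,
    "initial_last": lambda p: f"{p['first'][0]}{p['last']}".lower() if _full(p) else None,
    "person_number": lambda p: p.get("person_number") or None,
}


def generate_user_name(person, rule, generate_system_name_on_failure):
    """Apply the selected rule; fall back to a system-generated name only when
    'Generate system user name when generation rule fails' is checked."""
    value = RULES[rule](person)
    if value:
        return value
    if generate_system_name_on_failure:
        return "USER" + secrets.token_hex(4).upper()  # assumed fallback format
    raise ValueError(f"rule {rule!r} cannot be applied to this person record")


@dataclass(frozen=True)
class PasswordPolicy:
    days_valid: int       # number of days a password remains valid
    warning_days: int     # days before expiration the reset warning is sent
    token_hours: int      # Hours Before Password Reset Token Expiration
    allow_reuse: bool     # whether a previous password may be reused


def password_state(policy, last_set, now):
    """'expired', 'warning' (inside the warning window) or 'valid'."""
    expires = last_set + timedelta(days=policy.days_valid)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=policy.warning_days):
        return "warning"
    return "valid"


def token_is_live(policy, issued, now):
    """A reset notification must be acted on before its token expires."""
    return now < issued + timedelta(hours=policy.token_hours)


def digest(password, salt):
    """Slow salted hash so a password history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reuse_allowed(policy, candidate, history):
    """history: (salt, digest) pairs of the user's previous passwords."""
    if policy.allow_reuse:
        return True
    return not any(hmac.compare_digest(digest(candidate, salt), d)
                   for salt, d in history)
```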

Role Administration Options

Select the Security Console Administration tab, and then the Roles tab on the Administration page, to set these options:

  • Role prefixes and suffixes: Create the prefix and suffix added to the name and code of role copies. Each role has a Role Name (a display name) and a Role Code (an internal name). A role copy adopts the name and code of the source role, with this prefix or suffix (or both) added. The addition distinguishes the copy from its source. By default there is no prefix, the suffix for a role name is "Custom," and the suffix for a role code is "_CUSTOM."

  • Graph node limit: Set the maximum number of nodes a visualization graph can display. When a visualization graph would contain a greater number of nodes, the visualizer displays a message advising the user to select the table view.

  • Enable edit of data security policies: Determine whether users can enter data in the Data Security Policies page of the role-creation and role-edit trains available from the Roles tab.

  • Enable edit of user role membership: Determine whether users can enter data in the Users page of the role-creation and role-edit trains available from the Roles tab.

  • Enable default table view: Determine whether visualizations generated from the Roles tab default to the table view or, if this option is cleared, the radial graph view.

Role Copy Status

Select the Security Console Administration tab, and then the Role Copy Status tab on the Administration page, to view records of jobs to copy roles. These jobs are initiated in the Roles page. Job status is updated automatically until a final status, typically Completed, is reached. You can delete the row representing a copy job; click its x icon.

Running Retrieve Latest LDAP Changes

Information about users and roles in your LDAP directory is available automatically to Oracle Cloud Applications. However, in specific circumstances you are advised to run the Retrieve Latest LDAP Changes process. This topic describes when and how to run Retrieve Latest LDAP Changes.

You run Retrieve Latest LDAP Changes if you believe data-integrity or synchronization issues may have occurred between Oracle Cloud Applications and your LDAP directory server. For example, you may notice differences between roles on the Security Console and roles on the Create Role Mapping page. On-premises customers should also run this process after applying monthly updates.

Sign in with the IT Security Manager job role and follow these steps:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process in the Search Results section of the Overview page.

    The Schedule New Process dialog box opens.

  3. In the Name field, search for and select the Retrieve Latest LDAP Changes process.

  4. Click OK to close the Schedule New Process dialog box.

  5. In the Process Details dialog box, click Submit.

  6. Click OK, then Close.

  7. On the Scheduled Processes page, click the Refresh icon.

    Repeat this step periodically until the process completes.

Note: Only one instance of Retrieve Latest LDAP Changes can run at a time.

Security Visualizations

A Security Console visualization graph consists of nodes that represent security items. These may be users, roles, privileges, or aggregate privileges. Arrows connect the nodes to define relationships among them. You can trace paths from any item in a role hierarchy either toward users who are granted access or toward the privileges roles can grant.

You can select either of two views:

  • Radial: Nodes form circular (or arc) patterns. The nodes in each circular pattern relate directly to a node at the center. That focal node represents the item you select to generate a visualization, or one you expand in the visualization.

  • Layers: Nodes form a series of horizontal lines. The nodes in each line relate to one node in the previous line. This is the item you select to generate a visualization, or the one you expand in the visualization.

For example, a job role might consist of several duty roles. You might select the job role as the focus of a visualization (and set the Security Console to display paths leading toward privileges):

  • The Radial view would initially show nodes representing the duty roles encircling a node representing the job role.

  • The Layers view would initially show the duty-role nodes in a line after the job-role node.

You can then manipulate the image, for example by expanding a node to display the items it consists of.

As an alternative, you can generate a visualization table that lists items related to an item you select. For example, a table may list the roles that descend from a role you select, or the privileges inherited by the selected role. You can export tabular data to an Excel file.

Working with a Visualization Graph

Within a visualization graph, you can select the Radial or Layers view. In either view, you can zoom in or out of the image. You can expand or collapse nodes, magnify them, or search for them. You can also highlight nodes that represent types of security items.

To select one of the views, click Switch Layout in the Control Panel, which is a set of buttons on the visualization. Then select Radial or Layers.

Node Labels

You can enlarge or reduce a visualization, either by expanding or collapsing nodes or by zooming in or out of the image. As you do, the labels identifying nodes change:

  • If the image is large enough, each node displays the name of the item it represents.

  • If the image is smaller, symbols replace the names: U for user, R for role, S for predefined role, P for privilege, and A for aggregate privilege.

  • If the image is smaller still, the nodes are unlabeled.

Regardless of labeling, you can hover over a node to display the name and description of the user, role, or privilege it represents.

Nodes for each type of item are visually depicted such that item types are easily distinguished.

Expanding or Collapsing Nodes

To expand a node is to reveal roles, privileges, or users to which it connects. To collapse a node is to hide those items. To perform these actions:

  1. Select a node and right-click.

  2. Select one of these options:

    • Expand reveals nodes to which the selected node connects directly, and Collapse hides those nodes.

    • Expand All reveals all generations of connecting nodes, and Collapse All hides those nodes.

Alternatively, double-click a collapsed node to expand it, or an expanded node to collapse it.

Using Control Panel Tools

Apart from the option to select the Radial or Layers view, the Control Panel contains these tools:

  • Zoom In: Enlarge the image. You can also use the mouse wheel to zoom in.

  • Zoom Out: Reduce the image. You can also use the mouse wheel to zoom out.

  • Zoom to Fit: Center the image and size it so that it is as large as it can be while fitting entirely in its display window. (Nodes that you have expanded remain expanded.)

  • Magnify: Activate a magnifying glass, then position it over nodes to enlarge them temporarily. You can use the mouse wheel to zoom in or out of the area covered by the magnifying glass. Click Magnify a second time to deactivate the magnifying glass.

  • Search: Enter text to locate nodes whose names contain matching text. You can search only for nodes that the image is currently expanded to reveal.

  • Control Panel: Hide or expose the Control Panel.

Using the Legend

A Legend lists the types of items currently on display. You can:

  • Hover over the entry for a particular item type to locate items of that type in the image. Items of all other types are grayed out.

  • Click the entry for an item type to disable items of that type in the image. If an item of that type has child nodes, it is grayed out. If not, it disappears from the image. Click the entry a second time to restore disabled items.

  • Hide or expose the Legend by clicking its button.

Using the Overview

On the image, click the plus sign to open the Overview, a thumbnail sketch of the visualization. In it, click any area of the thumbnail to focus the actual visualization on that area.

As an alternative, click the background of the visualization, and move the entire image in any direction.

Refocusing the Image

You can select any node in a visualization as the focal point for a new visualization: Right-click a node, then select Set as Focus.

Note: You can review role hierarchies using either a tabular or a graphical view. The view you see by default depends on the setting of the Enable default table view option on the Administration tab.

Working with a Visualization Table

A visualization table contains records of roles, privileges, or users related to a security item you select. The table displays records for only one type of item at a time:

  • If you select a privilege as the focus of your visualization, select the Expand Toward Users option. Otherwise the table shows no results. Then use the Show option to list records of either roles or users who inherit the privilege.

  • If you select a user as the focus of your visualization, select the Expand Toward Privileges option. Otherwise the table shows no results. Then use the Show option to list records of either roles or privileges assigned to the user.

  • If you select any type of role or an aggregate privilege as the focus of your visualization, you can expand in either direction.

    • If you expand toward privileges, use the Show option to list records of either roles lower in the hierarchy, or privileges related to your focus role.

    • If you expand toward users, use the Show option to list records of either roles higher in the hierarchy, or users related to your focus role.

Tables are all-inclusive:

  • A Roles table displays records for all roles related directly or indirectly to your focus item. For each role, inheritance columns specify the name and code of a directly related role.

  • A Privileges table displays records for all privileges related directly or indirectly to your focus item. For each privilege, inheritance columns display the name and code of a role that directly owns the privilege.

  • A Users table displays records for all users assigned roles related directly or indirectly to your focus item. For each user, Assigned columns display the name and code of a role assigned directly to the user.

Use a field on a column to enter search text, then press Enter. The table displays records whose column values contain text matching your search text.

You can export a table to Excel. Click the Export to Excel button. You may either open the Excel file directly or save it. If you opt to save the file, you're prompted to define a path.

Generating a Visualization

To generate a visualization:

  1. Select the Roles tab in the Security Console.

  2. Search for the security item on which you want to base the visualization.

    • In a Search field, select any combination of item types, for example job role, duty role, privilege, or user.

    • In the adjacent field, enter at least three characters. The search returns items of the types you selected, whose names contain the characters you entered.

    • Select one of those items. Or, click the Search button to load all the items in a Search Results column, and select an item there.

  3. Select either a Show Graph button or a View as Table button.

    Note: In a page for role administration, you can determine which of these is the default view.

  4. In the Expand Toward list, select Privileges to trace paths from your selected item toward items lower in its role hierarchy. Or select Users to trace paths from your selected item toward items higher in its hierarchy.

  5. If the Table view is active, select an item type in the Show list: Roles, Privileges, or Users. (The options available to you depend on your Expand Toward selection.) The table displays records of the item type you select. Note that an aggregate privilege is considered to be a role.
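The Expand Toward and Show selections, the all-inclusive table with its inheritance columns, and the Graph node limit can all be expressed as operations on one directed graph. The Python below is an added example, not Oracle's code: the role hierarchy, its codes and names, and the function names are constructed for illustration.

```python
"""Added example (not Oracle's code): a model of the visualization semantics
described above. The sample hierarchy and every identifier are constructed."""
from collections import deque

# Constructed sample items: code -> (type, display name).
NODES = {
    "alopez": ("user", "Ana Lopez"),
    "JOB_AP_MGR": ("job_role", "Payables Manager"),
    "DUTY_AP_INV": ("duty_role", "Invoice Processing"),
    "DUTY_AP_PAY": ("duty_role", "Payment Processing"),
    "AGG_VIEW_INV": ("aggregate_privilege", "View Invoice (aggregate)"),
    "PRIV_CREATE_INV": ("privilege", "Create Invoice"),
    "PRIV_VIEW_INV": ("privilege", "View Invoice"),
}
# (parent, child): the parent grants the child. Users are at the top of the
# hierarchy, privileges at the bottom.
EDGES = [
    ("alopez", "JOB_AP_MGR"), ("JOB_AP_MGR", "DUTY_AP_INV"),
    ("JOB_AP_MGR", "DUTY_AP_PAY"), ("DUTY_AP_INV", "PRIV_CREATE_INV"),
    ("DUTY_AP_INV", "AGG_VIEW_INV"), ("AGG_VIEW_INV", "PRIV_VIEW_INV"),
]
# As the page notes, an aggregate privilege is treated as a role.
ROLE_TYPES = {"job_role", "duty_role", "abstract_role", "aggregate_privilege"}


def _adjacency(toward):
    """Expand Toward 'privileges' walks down the hierarchy, 'users' walks up."""
    adj = {}
    for parent, child in EDGES:
        src, dst = (parent, child) if toward == "privileges" else (child, parent)
        adj.setdefault(src, []).append(dst)
    return adj


def expand(focus, toward):
    """All items reachable from focus, each mapped to the directly related item
    on its path (the value shown in the table's inheritance columns)."""
    adj, via, queue = _adjacency(toward), {}, deque([focus])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt != focus and nxt not in via:
                via[nxt] = cur
                queue.append(nxt)
    return via


def table(focus, toward, show):
    """Rows of the visualization table for Show = 'roles' | 'privileges' | 'users'.
    A privilege expanded toward privileges (or a user toward users) yields []."""
    wanted = {"roles": ROLE_TYPES, "privileges": {"privilege"}, "users": {"user"}}[show]
    rows = []
    for code, related in expand(focus, toward).items():
        kind, name = NODES[code]
        if kind in wanted:
            rows.append({"name": name, "code": code,
                         "related_role_name": NODES[related][1],
                         "related_role_code": related})
    return sorted(rows, key=lambda r: r["code"])


def use_table_view(focus, toward, node_limit):
    """True when the fully expanded graph would exceed the Graph node limit,
    the case in which the visualizer advises selecting the table view."""
    return len(expand(focus, toward)) + 1 > node_limit
```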

Security Console Analytics for Roles

You can review statistics about the roles that exist in your Oracle Cloud instance. Select the Analytics tab, and then the Roles tab on the Analytics page. Then view these analyses:

  • Role Categories. Each role belongs to a category that defines some common purpose. Typically, a category contains a type of role configured for an application, for example "Financials - Duty Roles."

    For each category, a Roles Category grid displays the number of:

    • Roles

    • Role memberships (roles belonging to other roles within the category)

    • Security policies created for those roles

    In addition, a Roles by Category pie chart compares the number of roles in each category with those in other categories.

  • Roles in Category. Click a category in the Role Categories grid to list roles belonging to that category. For each role, the Roles in Category grid also shows the number of:

    • Role memberships

    • Security policies

    • Users assigned the role

  • Individual role statistics. Click the name of a role in the Roles in Category grid to list the security policies and users associated with the role. The page also presents collapsible diagrams of hierarchies to which the role belongs.

    Click Export to export data from this page to a spreadsheet.

Data Security Policies

You can review information about data security policies that grant access to a database resource, or about roles and users granted access to that resource.

To begin, select the Analytics tab, and then the Database Resources tab on the Analytics page. Select the resource you want to review in the Database Resource field. Then click Go.

The Data Security Policies table documents policies that grant access to the selected database resource.

Each row documents a policy, specifying by default:

  • The data privileges it grants.

  • The condition that defines how data is selected from the database resource.

  • The policy name and description.

  • A role that includes the policy.

For any given policy, this table may include multiple rows, one for each role in which the policy is used.

Authorized Roles

The Authorized Roles table documents roles with direct or indirect access to the selected database resource. Any given role may:

  • Include one or more data security policies that grant access to the database resource. The Authorized Roles table includes one row for each policy belonging to the role.

  • Inherit access to the database resource from one or more roles in its hierarchy. The Authorized Roles table includes one row for each inheritance.

By default, each row specifies:

  • The name of the role it documents.

  • The name of a subordinate role from which access is inherited, if any. (If the row documents access provided by a data security policy assigned directly to the subject role, this cell is blank.)

  • The data privileges granted to the role.

  • The condition that defines how data is selected from the database resource.

Note: A role's data security policies and hierarchy may grant access to any number of database resources. However, the Authorized Roles table displays records only of access to the database resource you selected.

Authorized Users

The Authorized Users table documents users who are assigned roles with access to the selected database resource.

By default, each row specifies a user name, a role the user is assigned, the data privileges granted to the user, and the condition that defines how data is selected from the database resource. For any given user, this table may include multiple rows, one for each grant of access by a data security policy belonging to, or inherited by, a role assigned to the user.
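The three tables above (Data Security Policies, Authorized Roles, Authorized Users) are derived from the same inputs: the policies defined on a database resource, the role hierarchy, and the role assignments. The Python below is an added example, not Oracle's code: the resource names, policies, roles and users are constructed, and listing one Authorized Roles row per inherited policy is a modelling assumption.

```python
"""Added example (not Oracle's code): derives the Data Security Policies,
Authorized Roles and Authorized Users tables for one database resource.
All resource, role, policy and user identifiers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str          # policy name
    resource: str      # database resource the policy is defined on
    role: str          # role that includes the policy
    privileges: str    # data privileges granted
    condition: str     # how rows are selected from the resource


# Constructed sample data.
POLICIES = [
    Policy("Invoice access for invoice processing", "DEMO_INVOICES",
           "DUTY_AP_INV", "Read, Update", "business unit in user's access set"),
    Policy("Invoice access for auditors", "DEMO_INVOICES",
           "DUTY_AUDIT", "Read", "all rows"),
    Policy("Supplier access for invoice processing", "DEMO_SUPPLIERS",
           "DUTY_AP_INV", "Read", "all rows"),
]
HIERARCHY = {  # role -> roles it directly inherits
    "JOB_AP_MGR": ["DUTY_AP_INV", "DUTY_AP_PAY"],
    "JOB_AUDITOR": ["DUTY_AUDIT"],
}
USER_ROLES = {"alopez": ["JOB_AP_MGR"], "bkim": ["JOB_AUDITOR", "DUTY_AP_INV"]}


def subordinates(role):
    """Every role below `role` in the hierarchy, transitively."""
    seen, stack = set(), list(HIERARCHY.get(role, []))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(HIERARCHY.get(r, []))
    return seen


def data_security_policies(resource):
    """Data Security Policies table: (privileges, condition, name, role)."""
    return [(p.privileges, p.condition, p.name, p.role)
            for p in POLICIES if p.resource == resource]


def authorized_roles(resource):
    """Authorized Roles table: (role, inherited-from role or '', privileges,
    condition). Only grants on the selected resource appear; a role's policies
    on other resources are ignored, as the page's note states."""
    on_resource = [p for p in POLICIES if p.resource == resource]
    roles = set(HIERARCHY) | {p.role for p in POLICIES}
    roles |= {r for subs in HIERARCHY.values() for r in subs}
    rows = []
    for role in sorted(roles):
        for p in on_resource:
            if p.role == role:                       # policy assigned directly
                rows.append((role, "", p.privileges, p.condition))
            elif p.role in subordinates(role):       # access inherited
                rows.append((role, p.role, p.privileges, p.condition))
    return rows


def authorized_users(resource):
    """Authorized Users table: (user, assigned role, privileges, condition),
    one row per grant belonging to, or inherited by, an assigned role."""
    grants = {}
    for role, _, privileges, condition in authorized_roles(resource):
        grants.setdefault(role, []).append((privileges, condition))
    return [(user, role, privileges, condition)
            for user, roles in sorted(USER_ROLES.items())
            for role in roles
            for privileges, condition in grants.get(role, [])]
```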

Manipulating the Results

In any of these three tables, you can:

  • Add or remove columns. Select View - Columns.

  • Search among the results. Select View - Query by Example to add a search field on each column in a table.

  • Export results to a spreadsheet. Select the Export to Excel option available for each table.

Types of Secured Information

Information can be private, personally identifiable, or sensitive.

Private information is confidential in some contexts.

Personally identifiable information (PII) identifies or can be used to identify, contact, or locate the person to whom the information pertains.

Some PII information is sensitive.

A person's name is not private. It is PII but not sensitive in most contexts. The names and work phone numbers of employees may be public knowledge within an enterprise, so they are PII but not sensitive. In some circumstances it is reasonable to protect such information.

Some data is not PII but is sensitive, such as medical data, or information about a person's race, religion or sexual orientation. This information cannot generally be used to identify a person, but is considered sensitive.

Some data is not private or personal, but is sensitive. Salary ranges for grades or jobs may need to be protected from view by users in those ranges and only available to senior management.

Some data is not private or sensitive except when associated with other data that is not private or sensitive. For example, date or place of birth is not a PII attribute because by itself it cannot be used to uniquely identify an individual, but it is confidential and sensitive in conjunction with a person's name.