| Oracle® Fusion Applications Security Guide 11g Release 1 (11.1.1.5.0) Part Number E16689-01 | Contents | Previous | Next |
This chapter contains the following:
Scope of the Security Reference Implementation: Explained
Role Types in the Security Reference Implementation: Explained
Function Security in the Security Reference Implementation: Explained
Data Security in the Security Reference Implementation: Explained
Segregation ofDuties in the Security ReferenceImplementation: Explained
Extending the Security Reference Implementation: Critical Choices
Turning the Security Reference Implementation Into Your Enterprise Security Implementation: Explained
FAQs for Security Reference Implementation
Scope of the Security Reference Implementation: Explained
The Oracle Fusion Applications security referenceimplementation consists of predefined business processes, roles, role memberships, entitlement, and policies.
The security reference implementation includes thefollowing.
A business process model (BPM)
Predefined data
Security policies
Security rules
Security implementation life cycle
The security reference implementation in Fusion Applicationsprovides a predefined security implementation that is applicable tothe needs of midsized (generally between 250 and 10,000 employees),horizontal enterprises and can be changed or scaled to accommodateexpansion into vertical industries such as health care, insurance,automobiles, or food manufacturing.
Predefined Data
The security reference implementation associatesa full range of predefined roles with the business process model (BPM)levels. When assigned to users, the enterprise roles guide and controlaccess to the task flows of the BPM and associated data. At the tasklevel, task flows define the business actions that fulfill the intentof the BPM.
A security reference manual (SRM) for each offering presents all predefined roles, role hierarchies, business objects the roles mustaccess, segregationof duties policies, and jobs that may have conflicting duties according to those policies.The reference implementation also can be viewed using the integratedAuthorization Policy Manager (APM) and Oracle Identity Management(OIM) user interface pages to manage security policies, users, and identities.
Business Process
The Oracle Fusion Applications security reference implementationprovides predefined roles assigned to a business process model ofactivities and tasks.
For example, the IT Security Manager role is assignedto the Manage Job Roles task in the Implement Function Security Controlsactivity, which belongs to the Manage IT Security detailed businessprocess of the Information Technology Management business process.In Oracle Fusion Applications, you perform the Manage Job Roles taskusing Oracle Identity Management (OIM).
Security Policies
The Oracle Fusion Applications security referenceimplementation provides predefined policies for data security, function security, segregation of duties, and implementation life cycle management. An enterprise sets policiesfor authorization, authentication, and privacy.
The predefined security policies of the security referenceimplementation form the foundation of Oracle Fusion Applications securityand can be inspected and confirmed to be suitable or the basis forfurther implementation with the Application Authorization Policy Manager.
Predefined segregation of duties policies prevent errorsand fraud caused by giving a user control over two or more phasesof secured business transactions or operations, such as custody, authorizationor approval, and recording or reporting of related transactions affectingan asset.
Predefined information life cycle management policiessecure data from live database, through backup, archive, and purge.
Predefined authorization policies are the functionand data security of the security reference implementation. The policiesdefine permissions for an entity to perform some action, such as view,update, or personalize, against some resource, such as a task flow.The permissions are grouped as privileges, which comprise the entitlement granted to duty roles.Access Control Rule and grants of entitlement together identify theactions allowed on an entity by a resource.
Authentication policies certify the trustworthinessof an identity. Oracle Identity Management (OIM) stores passwordsin encrypted form in Lightweight Directory Access Protocol (LDAP).OIM can delegate authentication to Oracle Access Manager.
Predefined privacy policies protect sensitive informationabout an identity.
Other Rules That Affect the Security Reference Implementation
The security reference implementation doesnot include predefined provisioning rules or auditing rules.
In Oracle Fusion General Ledger, accounting flexfieldsegment security rules secure balancing segment values.
Security Implementation Life Cycle
At a high level, the security implementationlife cycle follows the same phases as other aspects of informationtechnology.
A planning phase allows for understanding the securityrequirements of your enterprise and mapping those to Oracle FusionApplications security as reflected in the reference implementation.The implementation phase fulfills those requirements and a deploymentphase puts your Oracle Fusion Applications implementation into securedproduction with your users, customers, and partners. The maintenancephase addresses security upgrades and modifications as your enterpriseand Oracle Fusion Applications evolve.
Patches to the security reference implementation preserveyour changes to the implementation. Patching the security referenceimplementation preserves enterprise security changes of the referenceimplementation because your enterprise' security implementation isa copy of the reference implementation with changes.
Role Types in the Security Reference Implementation: Explained
Oracle Fusion Applications security providesfour types of roles: abstract, job, duty, and data.
The reference implementation contains predefined abstract, job, and duty roles in hierarchies that streamline provisioning accessto users.
Abstract roles
Job roles
Duty roles
Data roles
Role hierarchies
For example, a worker may be provisioned with theEmployee abstract role. In addition, the worker may be an accountspayable manager for the US business unit. Since the reference implementationprovides for a data role to be generated based on the Financials CommonModule Template for Business Unit Security role template, the workeris also provisioned with the Accounts Payable Manager - US data role.That data role inherits the Accounts Payables Manager job role ina role hierarchy, which includes descendent duty roles that an accountspayable manager requires to perform the duties of the job.
Note
Abstract, job, and data roles are enterprise roles in Oracle FusionApplications. Oracle Fusion Middleware products such as Oracle IdentityManager (OIM) and Authorization Policy Manager (APM) refer to enterpriseroles as external roles. Duty roles are implemented as application roles in APM andscoped to individual Oracle Fusion Applications.
Abstract Roles in the Reference Implementation
An abstract role is a type of enterprise rolethat is not specific to a particular job.. The reference implementationcontains predefined abstract roles, such as Employee or ContingentWorker.
Abstract roles inherit duty roles as a means of accessingapplication functions and data that users require to perform the tasksassociated with the duties of work not specific to a particular job.
Provision abstract roles directly to users.
Some Oracle Business Intelligence Foundation Suitefor Oracle Applications (OBIFA) abstract roles provide the job rolesthat inherit them with access to reports and analytics.
Job Roles in the Reference Implementation
Job roles are a type of enterprise role, calledan external role in OIM and APM. The reference implementation containspredefined job roles.
Job roles inherit duty roles as a means of accessingapplication functions that users require to perform the tasks associatedwith the duties of the job. Job roles are not assigned entitlementto access functions directly. You change job roles by changing theirhierarchy of inherited abstract and duty roles. Job roles may inheritother job roles, abstract roles, and duty roles.
The job roles in the reference implementation grantno explicit access to data. To grant access to specific data for ajob role, you can define a data role.
You can provision job roles directly to users, andwould do so if no data roles are available that inherit the job role.Job roles may grant access to data implicitly through data securitypolicies defined for the duty roles that the job role inherits.
Important
As a security guideline, if data roles are associatedwith a job role, provision the data role to the user instead of thejob role.
Duty Roles in the Reference Implementation
Duty roles are a type of application role.The reference implementation contains predefined duty roles. For example,the Accounts Payable Manager job role inherits the Approving PayablesInvoices Duty role. For example, the Human Resource Specialist jobrole inherits the Worker Administration Duty role.
Duty roles provide access to the application functionsthat users require to perform the tasks associated with the duty.The access is defined as entitlement, which consist of privileges.
Duty roles are the building blocks of role based accesscontrol and cannot be changed. For reasons of security life cyclemanagement, Oracle Fusion Applications implementations should usethe predefined duty roles and not add custom duty roles unless youare adding custom application functions that require a new or modifiedduty role.
All predefined duty roles respect the segregation of duties constraintsdefined in the reference implementation.
Note
Duties or tasks carried by Oracle Fusion Applicationsenterprise roles may be incompatible according to the segregationof duties policies of the reference implementation, but any singleduty role is free from an inherent segregation of duties violation.
Data Roles in the Reference Implementation
Data roles are a type of enterprise role, calledan external role in OIM and APM. The reference implementation doesnot contain predefined data roles. Data roles are specific to an enterprise. Data role templates in the reference implementation provide predefined structures fordefining data roles.
The data roles that product family implementation usersdefine for the enterprise carry explicit data access grants and mayinherit abstract, duty or job roles. Provisioning a user with a datarole augments the inherited abstract, duty or job roles with entitlementto access data. The access is explicit because the grant is definedbased on the needs and data of the enterprise. For example, AccountsPayable Manager - US Business Unit data role is given explicit accessto the US accounts payable data and inherits the job role AccountsPayable Manager. US Business Unit represents data determined by yourenterprise and is not part of the Oracle Fusion reference implementation.
Provision data roles directly to users. As a securityguideline, provision a data role, rather than also provisioning ajob role that the data role inherits.
Data roles can be defined as a hierarchy of data roles.
Role Hierarchies in the Reference Implementation
Role hierarchies are structured to reflectyour enterprise.
Job roles inherit duty roles. For example, the AccountsPayable Specialist job role inherits the Invoice Reviewer Duty andInvoice Receiver Duty roles.
Job roles can inherit one or more other job roles.For example, the Chief Financial Officer job role inherits the Controllerjob role, and the Applications Implementation Consultant role inheritsthe Application Administrator roles of the product families, suchas the Human Capital Management Application Administrator job rolerequired for core HCM setup.
Job roles can inherit abstract roles, such as the AccountsPayable Specialist and Accounts Payable Manager job roles inheritingthe Employee abstract role, and a Warehouse Manager inheriting theContingent Worker abstract role.
Important
To give enterprises the flexibility to decide if,for example, a job role is filled by employees or contingent workers,the reference implementation contains no predefined role hierarchiesin which a job role inherits an abstract role.
Most job roles do not grant access to data. To providedata access for such job roles, you must generate data roles usingthe data role templates provided by the reference implementation.The data roles you generate inherit the base job role.
Abstract roles can inherit one or more other abstractroles. The Employee abstract role inherits the Procurement Requesterabstract role.
Abstract roles can inherit one or more other dutyroles. The Employee role inherits the Worker Duty role.
Abstract roles make use of implicit data securityand generally are not inherited by data roles. For example, user contextdetermines which data the Employee abstract role can access.
The predefined roles and role hierarchies are listedin the Oracle Fusion Applications Security Reference Manual for each offering.
Function Security in the Security Reference Implementation: Explained
In the security referenceimplementation, function security policies entitle a role to access a functionin Oracle Fusion Applications unconditionally.
Predefined function security consists of roles andsecurity policies. Details of the security reference implementationcan be viewed in security reference manuals (SRM) for each offering and in the AuthorizationPolicy Management.
Functions are secured with the following standard approaches.
Role-based access control
Set of job roles
Duty roles and role hierarchy for each job and abstract role
Access entitlement granted to each dutyrole
Segregation of duties policies
If the roles of your enterprise fall outside the scopeof the security reference implementation, you may need to extend yourOracle Fusion Applications and predefined function security with newjob and duty roles.
Function Access Based on Job and Duty Roles
The duties that define jobs consist of accessto those application functions that are used to perform the duty.
Predefined function security policies give grants ofentitlement to access functions for the purpose of carrying out theactions associated with a duty. Duties are segregated to prevent combininggrants in a duty role that should be separated across multiple roles,such as approving, recording, processing, and reconciling results.
Extending the Function Security of the ReferenceImplementation
The predefined security reference implementationis a general case representing security guidelines. Your enterprisemay require additional roles with specific constraints on accessingapplication functions.
For example, your enterprise is a bank with a bankmanager job role. Create this new job role as a new group in the LightweightDirectory Access Protocol (LDAP) identity store by performing theManage Job Roles or Create Job Roles tasks in Oracle Identity Management(OIM). Define the job role to inherit the duties of a bank manager,as defined by the available predefined duty roles. Create the rolehierarchy of duty roles for the new job role using the Manage Dutiestask in Authorization Policy Manager (APM)..
If your enterprise is a pharmaceutical company, youmay have users who must perform clinical trial administration duties. If the applications that a user must access to administer a clinicaltrial are already part of Oracle Fusion Applications, a new duty canbe created in Authorization Policy Manager with entitlement to theresource code or functions users need to access for performing clinicaltrial administration duties. The new duty role is then associatedwith an enterpriserole, which is represented by a group in LDAP and thereby madeavailable for provisioning to users.
The security reference implementation can be viewedin the user interfaces where security tasks are performed or in thesecurity reference implementation manual (SRM) for each Oracle FusionApplications offering.
Data Security in the Security Reference Implementation: Explained
The reference implementation contains a set of data security policies that can be inspected and confirmedto be suitable or a basis for further implementation using the AuthorizationPolicy Manager (APM).
The security implementation of an enterprise is likelya subset of the reference implementation, with the enterprise specificsof duty roles, datasecurity policies, and HCM security profiles provided by the enterprise.
The business objects registered as secure in the reference implementationare database tables and views.
Granting or revoking object entitlement to a particular useror group of users on an object instance or set of instances extendsthe base Oracle Fusion Applications security referenceimplementation without requiring customization of the applicationsthat access the data.
Data Security Policies in the Security ReferenceImplementation
The data security policies in the reference implementationentitle the grantee (a role) to access instance sets of data based on SQL predicates in a WHERE clause.
Tip
When extending the reference implementation with additionaldata security policies, identify instance sets of data representingthe business objects that need to be secured, rather than specificinstances or all instances of the business objects.
Predefined data security policies are stored in thedata security policy store, managed in the Authorization Policy Manager(APM), and described in the Oracle Fusion Applications Security ReferenceManual for each offering. A data security policy for a duty role describes an entitlementgranted to any job role that includes that duty role.
Warning
Review but do not modify HCM data security policiesin APM except as a custom implementation. Use the HCM Manage DataRole And Security Profiles task to generate the necessary data securitypolicies and data roles.
The reference implementation only enforces a portionof the data security policies in business intelligence that is consideredmost critical to risk management without negatively affecting performance.For performance reasons it is not practical to secure every levelin every dimension. Your enterprise may have a different risk tolerance than assumedby the security reference implementation.
HCM Security Profiles in the Security ReferenceImplementation
The security reference implementation includes somepredefined HCM securityprofiles for initial usability. For example, a predefined HCMsecurity profile allows line managers to see the people that reportto them.
The IT security manager uses HCM security profilesto define the sets of HCM data that can be accessed by the roles thatare provisioned to users
Data Roles
The security reference implementation includesno predefined data roles to ensure a fully secured initial OracleFusion Applications environment.
The security reference implementation includes data role templates that you can use to generate a set of data roles with entitlementto perform predefined business functions within data dimensions suchas business unit. Oracle Fusion Payables invoicing and expense managementare examples of predefined business functions. Accounts Payable Manager- US is a data role you might generate from a predefined data roletemplate for payables invoicing if you set up a business unit calledUS.
HCM provides a mechanism for generating HCM relateddata roles.
Segregation ofDuties in the Security ReferenceImplementation: Explained
Segregation of duties (SOD)is a special case of function security enforcement. A segregation of duties conflictoccurs when a single user is provisioned with a role or role hierarchy that authorizestransactions or operations resulting in the possibility of intentionalor inadvertent fraud.
The predefined SOD policies result in duty separationwith no inherent violations. For example, an SOD policy prevents auser from entitlement to create both payables invoices and payablespayments.
However, the most common duties associated with some job and abstract roles could conflict withthe predefined segregation of duties. A predefined role hierarchyor job or abstract role may include such common duties that are incompatible accordingto a segregation of duties policy. For example, the predefined AccountsPayable Supervisor job role includes the incompatible duties: PayablesInvoice Creation Duty and Payables Payment Creation Duty.
Every single predefined duty role is free from an inherentsegregation of duties violation. For example, no duty role violatesthe SOD policy that prevents a user from entitlement to both createpayables invoices and payables payments.
Jobs in the reference implementation may contain violations against the implemented policies and requireintervention depending on your risk tolerance, even if you defineno additional jobs or SOD policies.
Provisioning enforces segregation of duties policies.For example, provisioning a role to a user that inherits a duty rolewith entitlement to create payables invoices enforces the segregationof duties policy applied to that duty role and ensures the user isnot also entitled to create a payables payment. When a role inheritsseveral duty rules that together introduce a conflict, the role isprovisioned with a violation being raised in the Application AccessControls Governor (AACG). If two roles are provisioned to a user andintroduce a segregation of duties violation, the violation is raisedin AACG.
Note
SOD policies are not enforced at the time of role definition.
Aspects of segregation of duties policies in the securityreference implementation involve the following.
Application Access Controls Governor(AACG)
Conflicts defined in segregation ofduties policies
Violations of the conflicts definedin segregation of duties policies
Application Access Controls Governor (AACG)
AACG is a component of the Governance, Risk,and Compliance Controls (GRCC) suite of products where segregationof duties policies are defined.
Define SOD controls at any level ofaccess such as in the definition of an entitlement or role.
Simulate what-if SOD scenarios to understandthe effect of proposed SOD control changes.
Use the library of built-in SOD controlsprovided as a security guideline.
Your risk tolerance determines how many duties to segregate.The greater the segregation, the greater the cost to the enterprisein complexity at implementation and during maintenance. Balance thecost of segregation with the reduction of risk based on your businessneeds.
Conflicts
An intra-role conflict occurs when a segregationof duties policy expresses constraints within the construct of a singlerole (entitlement and duties) that creates violations.
Tip
As a security guideline, use only the predefined dutyroles, unless you have added new applications functions. The predefinedduty roles fully represent the functions and data that must be accessedby application users and contain all appropriate entitlement. Thepredefined duty roles are inherently without segregation of duty violationsof the constraints used by the Application Access Controls Governor.
Violations
A segregation of duties violation occurs whena policy is defined that allows a segregation of duties conflict tooccur.
Notifications report conflicts to the requester ofthe transaction that raised the violation. Oracle Identity Management(OIM) shows the status of role requests indicating if a segregationof duties violation has occurred.
For information on configuring audit policies, seethe Oracle Fusion Applications Administrator's Guide.
For more information on managing segregation of duties,see the Oracle Application Access Controls Governor ImplementationGuide and Oracle Application Access Controls Governor User's Guide.
Extending the Security Reference Implementation: Critical Choices
In general, the security referenceimplementation is designed to require only small deltas toadjust the Oracle Fusion Applications security approach for a specificenterprise.
Most commonly, the security reference implementationis extended with the following.
Roles for vertical industries such as pharmaceuticals
Data Roles
Role hierarchies that leveragepredefined roles or make use of newly created roles
The predefined duty roles and entitlement represent all functions in Oracle Fusion Applicationsand do not require extension except where custom application developmentintroduces new functions. Custom functions require custom entitlementdefinitions. Custom tables and objects may also require protections.Objects extended or created by an enterprise are preserved duringupgrade and patching.
Making No Modifications
As a security guideline, use the predefinedsecurity reference implementation.
The predefined security reference implementation doesnot include data roles, but does provide extensive data role templates that createdata roles based on your enterprise setup. The roles and role hierarchiesof the predefined security reference implementation may not adequatelysecure the function and data of a vertical industry enterprise ora custom deployment of applications.
Assess the security reference implementation duringplanning. The security reference implementation can be viewed in theuser interfaces where security tasks are performed or in the securityreference manual (SRM) for each Oracle Fusion Applications offering.
Adding New Roles
As a security guideline, copy an existing roleand make changes to the copy as a way to modify an existingrole to better fit your enterprise, or create a new role for yourenterprise.
Modifications include the following actions
Changing a predefined enterprise role or creating anew enterprise role modeled on the existing one, and applying modificationsto the new role
Adding a data role by using a predefineddata role template
The IT Security Manager and IT Security Administratorroles are authorized to add new roles.
To change a predefined enterprise role by making acopy and modifying the copy use the Authorization Policy Manager.
Create a new job role, which createsa new group in the Lightweight Directory Access Protocol (LDAP) store.
Map the duties to the new job rolein the role hierarchy.
Define data security policies referencingthe new job role.
New job roles or copies of seeded job roles modifiedto fit your enterprise should be distinct by including new data securitypolicies.
As a security guideline, if the new role is a datarole, generate the data role using the predefined data role templatesor Human Capital Management (HCM) data role management. To add adata role by using a predefined data role templates, use the AuthorizationPolicy Manager.
Creating a new data role template to accommodate thedata needs of your enterprise is a custom activity.
Modifying Role Hierarchies
As a security guideline, , create a new jobrole that contains a hierarchy of roles modeled on an existing rolehierarchy, but with the desired modifications.
To modify an existing role hierarchy, use the AuthorizationPolicy Manager.
Adding Security Provisioning Rules
You can extend the Oracle Fusion Applicationssecurity implementation with provisioning rules, such as automatic role provisioning rules in HCM and Customer Relationship Management (CRM).
Turning the Security Reference Implementation Into Your Enterprise Security Implementation: Explained
The scope of the security referenceimplementation typically exceeds the needs of a real worldenterprise. For example, every feature in a Oracle Fusion Applicationdeployment corresponds to one or more duty roles predefined to use the feature.When your enterprise does not use every feature, it does not needto provision every predefined duty role.
Types of Changes
The common decisions made to match an enterprise tothe security reference implementation include the following:
Do the predefined job roles match the equivalent job rolesin your enterprise?
Do the jobs in your enterprise existin the security reference implementation?
Do the duties performed by the jobsin your enterprise match the duties in the security reference implementation?
In the figure, various tasks correspond to the decisionsyou make about changing the security reference implementation.
The following figure shows some examples of changesthat may be required to match the security reference implementationjob roles to the job roles of your enterprise.
Add duty roles to a predefined job role hierarchy.
Remove duty roles from a predefinedjob role hierarchy to include as a new, separate job role.
Create a new job role with a hierarchyof predefined duty roles.
All functions and actions in Oracle Fusion Applications that need to be securedare covered by the reference implementation. In some cases, especiallywith function customizations, a new duty role may be needed.
Changes to data security require changing data security policies andthe data rolestemplates.
Implementation Flow
The security reference implementation remains an intactreference that is always up to date with the latest security patches.Oracle Fusion Applications manages the changes you make to the referenceimplementation as a copy. Your functional setup of the mapping betweenfeatures and duty roles determines what roles are present and whatupdates are applied to your deployment. Change management and reconciliationkeep your deployment up to date with the reference implementation.
The following figure shows three types of changeswithin the process for implementing Oracle Fusion Applications security.Managing data role templates for new enterprise roles and managingHuman Capital Management (HCM) security profiles specifiesthe conditions needed by role changes in the reference implementation.Creating data security policies for new enterprise roles establishesaccess controls where no data roles are available.
Note
Data roles are automatically generated based on enterpriseset up and the predefined data role templates, and manually createdusing the HCM Manage Data Role and Security Profiles task.
The figure shows the security implementation flowfrom creating users for implementation to provisioning users with roles so they can implement the deployment for their enterprise.Most of the tasks in the flow after creating users for implementationsand before setting up the enterprise are optional. In particular,you only need to manage data role templates and data security policiesif you have data security needs not addressed by the security referenceimplementation.
The security reference implementation can be viewedin the user interfaces where security tasks are performed or in thesecurity reference implementation manual (SRM) for each Oracle FusionApplications offering.
For information on securing new business objects in CustomerRelationship Management (CRM) Application Composer and securing newbusiness objects in an extended application, see the Oracle FusionApplications Extensibility Guide.
FAQs for Security Reference Implementation
What's an entitlement?
An action that is conditionally or unconditionally granted toa user or role to accessfunctions and data. In most contexts, entitlement is equivalent to privilege.
Entitlement provides the means necessary to accessor act upon businessobjects, including Oracle Business Intelligence FoundationSuite for Oracle Applications (OBIFA) objects. There is a one-to-onemapping between an operation and entitlement. For example, the CreatePurchase Order operation is granted as a privilege to a role withentitlement to approve a purchase order.
In function security, entitlement is a set of privileges. Eachprivilege enables a single action, such as Enter Payable Invoice.A single action consists of permissions on the resources relevantto the action.
In datasecurity, entitlement is conditionally granted to a role ona named set of data. For example, a Payables Accountant is entitledto delete an invoice with invoice_id=100. The entitlement includesthe privilege that allows the accountant to read this invoice withthe delete function enabled.
Governance Risk and Compliance Controls (GRCC) entitlementis a set of permissions defined in the Oracle Application Access ControlsGovernor (AACG) to participate in segregation of duties policies.
|  Copyright© 2011,Oracleand/oritsaffiliates.Allrightsreserved. |
|
