How to Secure a Data Role by Multiple Business Units

Posted by Elie Wazen on Oracle Blogs
Published on Fri, 7 Sep 2012 17:16:51 +0000

In this post we will see how a Role can be data secured by multiple Business Units (BUs). Separate Data Roles are generally created for each BU if a corresponding data template generates roles on the basis of the BU dimension. The advantage of creating a policy with a rule that includes multiple BUs is that fewer entries need to be made when mapping these roles in HCM Role Provisioning Rules. This could facilitate maintenance for enterprises with a large number of Business Units.

Note: The example below applies as well if the securing entity is Inventory Organization.

Let us take for example the case of a user provisioned with the "Accounts Payable Manager - Vision Operations" Data Role in Fusion Applications. This user will be able to access Invoices in Vision Operations but will not be able to see Invoices in Vision Germany.

Figure 1. A User with a Data Role restricting them to Data from BU: Vision Operations


With the role granted above, this is what the user will see when they attempt to select Business Units while searching for AP Invoices.

Figure 2. The List of Values of Business Units is limited to a single one. This is the effect of the Data Role granted to that user, as can be seen in Figure 1.

In order to create a data role that secures by multiple BUs, we need to start by creating a condition that groups the Business Units we want to include in that data role.

This is accomplished by creating a new condition against the BU View. That condition will later be used to create a data policy for our newly created Role.

The BU View is a database resource and is accessed from APM, as seen in the search below.

Figure 3. Viewing a Database Resource in APM

The next step is to create a new condition, in which we define a SQL predicate that includes 2 BUs (the IDs below refer to Vision Operations and Vision Germany).

At this point we have simply created a standalone condition. We have not used this condition yet, and security is therefore not affected.

Figure 4. Custom Role that inherits the Purchase Order Overview Duty

We are now ready to create our Data Policy. In APM, we search for our newly created Role and navigate to “Find Global Policies”. We query the Role we want to secure and navigate to view its global policies.

Figure 5. The Job Role we plan on securing

We can see that the role was not defined with a Data Policy, so we will create one that uses the condition we created earlier.

Figure 6. Creating a New Data Policy

In the General Information tab, we have to specify the DB Resource that the Security Policy applies to. In our case this is the BU View.

Figure 7. Data Policy Definition - Selection of the DB Resource we will secure by

In the Rules tab, we make the rule applicable to multiple values of the DB Resource we selected in the previous tab.

This is where we associate the condition we created against the BU View with this data policy, by entering the condition name in the Condition field.

Figure 8. Data Policy Rule

The last step of defining the Data Policy consists of explicitly selecting the Actions that are governed by this Data Policy. In this case, for example, we select the Actions displayed below in the right pane. Once the record is saved, we are ready to use our newly secured Data Role.

Figure 9. Data Policy Actions

We can now see a new Data Policy associated with our Role. 

Figure 10. Role is now secured by a Data Policy

We now assign that new Role to the User. Of course, this does not have to be done in OIM and can be done using a Provisioning Rule in HCM.

Figure 11. Role assigned to the User who previously was granted the Vision Ops secured role.

Once that user accesses the Invoices Workarea, this is what they see:

In the image below, the LOV of Business Unit returns the two values defined in our data policy, namely Vision Operations and Vision Germany.

Figure 12. The List Of Values of Business Units now includes the two we included in our data policy. This is the effect of the data role granted to that user as can be seen in Figure 11
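The steps above, reduced to a small runnable model (an added example, not code from the original post and not Oracle's implementation). It shows why a standalone condition changes nothing, and how a data policy that ties a role, the BU View, a condition and explicitly selected actions determines the Business Unit LOV. The table, BU IDs, role names, condition names and action names are all constructed for illustration.

```python
import sqlite3

# Constructed stand-in for the BU View; IDs and names are sample values.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE bu_view (bu_id INTEGER PRIMARY KEY, name TEXT)")
db.executemany("INSERT INTO bu_view VALUES (?, ?)",
               [(101, "Vision Operations"), (102, "Vision Germany"),
                (103, "Vision France")])

# Conditions: named SQL predicates stored against a database resource.
# They are admin-defined constants here; on their own they grant nothing.
CONDITIONS = {
    ("bu_view", "VISION_OPS_ONLY"): "bu_id = 101",
    ("bu_view", "VISION_OPS_AND_GERMANY"): "bu_id IN (101, 102)",
}

# A data policy ties role + resource + condition + explicitly selected actions.
POLICIES = [
    {"role": "AP_MANAGER_VISION_OPS", "resource": "bu_view",
     "condition": "VISION_OPS_ONLY", "actions": {"MANAGE_INVOICES"}},
]

def visible_bus(roles, action):
    """Return the BU names the given roles may see for one action."""
    predicates = [CONDITIONS[(p["resource"], p["condition"])]
                  for p in POLICIES
                  if p["role"] in roles and p["resource"] == "bu_view"
                  and action in p["actions"]]
    if not predicates:  # model assumption: no applicable policy, no rows
        return []
    where = " OR ".join(f"({p})" for p in predicates)
    rows = db.execute(f"SELECT name FROM bu_view WHERE {where} ORDER BY bu_id")
    return [r[0] for r in rows]

def add_multi_bu_policy():
    """The data policy step: attach the multi-BU condition to a custom role."""
    POLICIES.append({"role": "AP_MANAGER_MULTI_BU", "resource": "bu_view",
                     "condition": "VISION_OPS_AND_GERMANY",
                     "actions": {"MANAGE_INVOICES"}})
```

Calling `visible_bus` for the multi-BU role before and after `add_multi_bu_policy()` reproduces the difference between Figure 2 and Figure 12, and asking for an action that was not selected in the policy returns nothing.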

