How to Modify Data Security in Fusion Applications
- by Elie Wazen
The reference implementation in Fusion Applications is designed with built-in data security on business objects that implement the most common business practices. For example, the “Sales Representative” job has the following two data security rules implemented on an “Opportunity” to restrict the list of Opportunities that are visible to an Sales Representative:
Can view all the Opportunities where they are a member of the Opportunity Team
Can view all the Opportunities where they are a resource of a territory in the Opportunity territory team
While the above conditions may represent the most common access requirements of an Opportunity, some customers may have additional access constraints.
This blog post explains:
How to discover the data security implemented in Fusion Applications.
How to customize data security
Illustrative example.
a.) How to discover seeded data security definitions
The Security Reference Manuals explain the Function and Data Security implemented on each job role. Security Reference Manuals are available on Oracle Enterprise Repository for Oracle Fusion Applications.
The following is a snap shot of the security documented for the “Sales Representative” Job. The two data security policies define the list of Opportunities a Sales Representative can view.
Here is a sample of data security policies on an Opportunity.
Business Object
Policy Description
Policy Store Implementation
Opportunity
A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team
Role: Opportunity Territory Resource Duty Privilege: View Opportunity (Data) Resource: Opportunity
A Sales Representative can view opportunity where they are an opportunity sales team member with view, edit, or full access
Role: Opportunity Sales Representative Duty Privilege: View Opportunity (Data) Resource: Opportunity
Description of Columns
Column Name
Description
Policy Description
Explains the data filters that are implemented as a SQL Where Clause in a Data Security Grant
Policy Store Implementation
Provides the implementation details of the Data Security Grant for this policy.
In this example the Opportunities listed for a “Sales Representative” job role are derived from a combination of two grants defined on two separate duty roles at are inherited by the Sales Representative job role.
b.) How to customize data security
Requirement 1:
Opportunities should be viewed only by members of the opportunity team and not by all the members of all the territories on the opportunity. Solution:
Remove the role “Opportunity Territory Resource Duty” from the hierarchy of the “Sales Representative” job role. Best Practice:
Do not modify the seeded role hierarchy.
Create a custom “Sales Representative” job role and build the role hierarchy with the seeded duty roles. Requirement 2:
Opportunities must be more restrictive based on a custom attribute that identifies if a Opportunity is confidential or not.
Confidential Opportunities must be visible only the owner of the Opportunity. Solution:
Modify the (2) data security policy in the above example as follows:
A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team and the opportunity is not confidential.
Implementation of this policy is more invasive. The seeded SQL where clause of the data security grant on “Opportunity Territory Resource Duty” has to be modified and the condition that checks for the confidential flag must be added. Best Practice:
Do not modify the seeded grant.
Create a new grant with the modified condition.
End Date the seeded grant.
c.) Illustrative Example (Implementing Requirement 2)
A data security policy contains the following components:
Role
Object
Instance Set
Action
Of the above four components, the Role and Instance Set are the only components that are customizable. Object and Actions for that object are seed data and cannot be modified.
To customize a seeded policy, “A Sales Representative can view opportunity where they are a territory resource in the opportunity territory team”,
Find the seeded policy
Identify the Role, Object, Instance Set and Action components of the policy
Create a new custom instance set based on the seeded instance set.
End Date the seeded policies
Create a new data security policy with custom instance set
c-1: Find the seeded policy
Step 1:
1. Find the Role
2. Open
3. Find Policies
Step 2:
Click on the Data Security Tab
Sort by “Resource Name”
Find all the policies with the “Condition” as “where they are a territory resource in the opportunity territory team”
In this example, we can see there are 5 policies for “Opportunity Territory Resource Duty” on Opportunity object.
Step 3:
Now that we know the policy details, we need to create new instance set with the custom condition.
All instance sets are linked to the object.
Find the object using global search option. Open it and click on “condition” tab
Sort by Display name
Find the Instance set
Edit the instance set and copy the “SQL Predicate” to a notepad.
Create a new instance set with the modified SQL Predicate from above by clicking on the icon as shown below.
Step 4:
End date the seeded data security policies on the duty role and create new policies with your custom instance set.
Repeat the navigation in step
Edit each of the 5 policies and end date them
3. Create new custom policies with the same information as the seeded policies in the “General Information”, “Roles” and “Action” tabs.
4. In the “Rules” tab, please pick the new instance set that was created in Step 3.
