How to Secure a Data Role by Multiple Business Units
- by Elie Wazen
In this post we will see how a Role can be data secured by multiple Business Units (BUs). Separate Data Roles are generally created for each BU if a corresponding data template generates roles on the basis of the BU dimension. The advantage of creating a policy with a rule that includes multiple BUs is that fewer entries need to be made when mapping these roles in HCM Role Provisioning Rules. This can ease maintenance for enterprises with a large number of Business Units.
Note: The example below applies equally if the securing entity is Inventory Organization.

Let us take, for example, the case of a user provisioned with the "Accounts Payable Manager - Vision Operations" Data Role in Fusion Applications. This user will be able to access Invoices in Vision Operations but will not be able to see Invoices in Vision Germany.
     
       
       
         
Figure 1. A User with a Data Role restricting them to Data from BU: Vision Operations

With the role granted above, this is what the user will see when they attempt to select Business Units while searching for AP Invoices.
     
     
       
         
Figure 2. The List Of Values of Business Units is limited to a single one. This is the effect of the Data Role granted to that user, as can be seen in Figure 1.
          
       
     
      
     
In order to create a data role that secures by multiple BUs, we need to start by creating a condition that groups those Business Units we want to include in that data role.
    
      
      
       
This is accomplished by creating a new condition against the BU View. That condition will later be used to create a data policy for our newly created Role.

The BU View is a Database resource and is accessed from APM, as seen in the search below.

Figure 3. Viewing a Database Resource in APM

The next step is to create a new condition, in which we define a SQL predicate that includes 2 BUs (the ids below refer to Vision Operations and Vision Germany).

At this point we have simply created a standalone condition. We have not used this condition yet, and security is therefore not affected.
     
     
       
        
Figure 4. Custom Role that inherits the Purchase Order Overview Duty
      
      
      
      
       
       
          
We are now ready to create our Data Policy. In APM, we search for our newly created Role and navigate to “Find Global Policies”. We query the Role we want to secure and navigate to view its global policies.

Figure 5. The Job Role we plan on securing

We can see that the role was not defined with a Data Policy, so we will create one that uses the condition we created earlier.

Figure 6. Creating a New Data Policy

In the General Information tab, we have to specify the DB Resource that the Security Policy applies to. In our case this is the BU View.
         
Figure 7. Data Policy Definition - Selection of the DB Resource we will secure by

In the Rules tab, we make the rule applicable to multiple values of the DB Resource we selected in the previous tab.

This is where we associate the condition we created against the BU View with this data policy, by entering the condition name in the Condition field.
         
Figure 8. Data Policy Rule

The last step of defining the Data Policy consists of explicitly selecting the Actions that are governed by this Data Policy. In this case, for example, we select the Actions displayed below in the right pane. Once the record is saved, we are ready to use our newly secured Data Role.
         
         
Figure 9. Data Policy Actions

We can now see a new Data Policy associated with our Role.

Figure 10. Role is now secured by a Data Policy
          
          
We now assign that new Role to the User. Of course, this does not have to be done in OIM and can be done using a Provisioning Rule in HCM.

Figure 11. Role assigned to the User who previously was granted the Vision Ops secured role.

Once that user accesses the Invoices Workarea, this is what they see:

In the image below, the LOV of Business Unit returns the two values defined in our data policy, namely Vision Operations and Vision Germany.
         
Figure 12. The List Of Values of Business Units now includes the two we included in our data policy. This is the effect of the data role granted to that user, as can be seen in Figure 11.
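
The effect of the condition created above on the Business Unit LOV and on invoice visibility, as an added example that is not part of the original post and is not Oracle's code. It runs against an in-memory SQLite stand-in for the BU View; the table names, column names, ids, the third Business Unit and the `too_broad` condition are all constructed for illustration. The last function is a review check that lists any Business Unit a predicate exposes beyond the approved set.

```python
import sqlite3

# Constructed sample data: a stand-in for the BU View and for AP invoices.
# Table names, column names and ids are assumptions, not the Fusion schema.
BUSINESS_UNITS = [(101, "Vision Operations"), (102, "Vision Germany"),
                  (103, "Vision France")]
INVOICES = [("INV-1", 101), ("INV-2", 102), ("INV-3", 103), ("INV-4", 101)]

# A condition is a named SQL predicate over the BU resource. These strings are
# fixed, reviewed text; they are never built from user input.
CONDITIONS = {
    "single_bu": "bu.bu_id = 101",             # one data role per BU
    "multi_bu": "bu.bu_id IN (101, 102)",      # one condition grouping two BUs
    "too_broad": "bu.bu_name LIKE 'Vision%'",  # exposes more than intended
}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE business_units (bu_id INTEGER PRIMARY KEY, bu_name TEXT)")
    db.execute("CREATE TABLE invoices (invoice_num TEXT, bu_id INTEGER)")
    db.executemany("INSERT INTO business_units VALUES (?, ?)", BUSINESS_UNITS)
    db.executemany("INSERT INTO invoices VALUES (?, ?)", INVOICES)
    return db

def visible_bus(db, condition):
    """Business Units the LOV lists when the policy rule uses `condition`."""
    sql = ("SELECT bu.bu_name FROM business_units bu "
           f"WHERE {CONDITIONS[condition]} ORDER BY bu.bu_id")
    return [row[0] for row in db.execute(sql)]

def visible_invoices(db, condition):
    """Invoices reachable through the Business Units the condition exposes."""
    sql = ("SELECT i.invoice_num FROM invoices i JOIN business_units bu "
           f"ON bu.bu_id = i.bu_id WHERE {CONDITIONS[condition]} "
           "ORDER BY i.invoice_num")
    return [row[0] for row in db.execute(sql)]

def excess_bus(db, condition, approved):
    """Review check: BUs the predicate exposes beyond the approved list."""
    return sorted(set(visible_bus(db, condition)) - set(approved))

if __name__ == "__main__":
    db = make_db()
    approved = ["Vision Operations", "Vision Germany"]
    for name in CONDITIONS:
        print(name, visible_bus(db, name), visible_invoices(db, name),
              excess_bus(db, name, approved))
```

Running the review check before a condition is attached to a data policy catches predicates that match more Business Units than the role is meant to cover.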