Oracle Integration Cloud - Fusion Applications Security Requirements

Introduction

Starting with Fusion Applications Release 12, the security model has changed significantly. The release also introduces a new Security Console to manage roles and users.

The seeded system-to-system integration role “ALL_INTEGRATION_POINTS_ALL_DATA” from Release 11 is no longer available. Customers must assign appropriate roles to an integration user by reviewing the services they want to invoke. Note that for customers who upgraded to R12, an integration user created in R11 with “ALL_INTEGRATION_POINTS_ALL_DATA” will continue to work. However, this role is not visible in the Security Console, and you cannot assign it to a new integration user.

This document explains how to assign integration roles based on your product implementation.

 

Security Console Overview

Use the Security Console to manage application security, such as roles, users, certificates and administration tasks. The Security Console can be accessed in the following ways:

  • Use the Manage Job Roles or Manage Duties tasks in the Setup and Maintenance work area.
  • Select Navigator - Tools - Security Console

Access to the Security Console is provided by the predefined IT Security Manager role.


Figure 1: Accessing the Security Console from the Navigator

 

For more information, refer to Security Console. The following diagram shows the “Integration Specialist” role privileges:

 


Figure 2: Review Integration Specialist Role privileges

 

Oracle ERP and HCM Cloud Implementation

Oracle provides seeded integration specialist job roles for ERP and HCM products. The following diagram depicts the “Integration Specialist” role:

 


Figure 3: Integration Specialist Role Hierarchy

 

The Integration Specialist role includes ERP and HCM products. This is a job role and does not include data roles. The following are the recommendations:

 

ERP and HCM Implementation

Assign the following roles to the integration user:

  1. Assign the Integration Specialist role, which inherits the ERP and HCM product-specific roles
  2. Assign ERP-specific data access to the integration user as per the document: Securing Oracle ERP Cloud > Chapter 6 Provisioning Roles to Application Users > Managing Data Access for Users: Explained
  3. Assign HCM-specific data access roles on REST services and ATOM feeds; refer to Required Role and Privileges. For more information on data roles, refer to HCM Data Roles and Security Profiles

HCM Implementation Only

Assign the following roles to the integration user:

  1. Assign the Human Capital Management Integration Specialist role only
  2. Assign HCM-specific data access roles on REST services and ATOM feeds; refer to Required Role and Privileges. For more information on data roles, refer to HCM Data Roles and Security Profiles

 

Oracle CRM Cloud Implementation

The recommendation is to start by assigning the “Customer Relationship Management Application Administrator” role. Refer to this for information on this role. Additional roles may be required depending on each interface's requirements. The following diagram depicts the role search from the Security Console:

 


Figure 4: Review Customer Relationship Management Application Administrator privileges

 

Additional Roles for All Implementations

In addition, the integration user must have the following roles:

 

  1. AttachmentsUser (Employee role inherits
  2. SOA Operator Role (SOAOperator)
  3. Manage Webservices Catalog Role (FND_MANAGE_CATALOG_SERVICE_PRIV)

 

AttachmentsUser and UCM Verification

 

In Fusion Applications, ESS job and output files are placed in the Attachments Security group under the Oracle Universal Content Management server (UCM - Oracle WebCenter Content server). You must have access to the security group called Attachments to download the log file or the output file with the ERP Integration Service.

This access can be granted via the security role called AttachmentsUser.

 

The role AttachmentsUser is inherited by the predefined Employee and Contingent Worker roles. You can verify this inheritance by querying the role AttachmentsUser in the Security Console, then using Expand Toward Users with the show Roles option.

 


Figure 5: Verifying inheritance of AttachmentsUser role

After reviewing the role inheritance of the AttachmentsUser role, review the users that are currently assigned the AttachmentsUser role.

 

You can verify role assignments to users by querying the role AttachmentsUser in the Security Console, then using Expand Toward Users with the show Users option.

 


Figure 6: Review user assignments to AttachmentsUser role

 

In Figure 6 above, the user John.Reese has been assigned the AttachmentsUser role through the predefined Employee role.

Lastly, verify that the Attachments security group is listed in the UCM Search page.


Figure 7: Search page for UCM to identify whether user has access to Attachments security group
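
The inheritance checks above can also be run offline against a role export, so every integration user is reviewed the same way. The following is an added example, not Oracle code and not part of the original article: it resolves role inheritance transitively, reports which chain of roles grants each required role, and flags users that still depend on the Release 11 seeded role. The hierarchy data and the role XX_INTEGRATION_JOB are constructed for illustration; only the Employee and Contingent Worker inheritance of AttachmentsUser comes from this page.

```python
from collections import deque

# Roles this page requires for every integration user.
REQUIRED = ["AttachmentsUser", "SOAOperator", "FND_MANAGE_CATALOG_SERVICE_PRIV"]
# Release 11 seeded role that cannot be assigned to new users in Release 12.
LEGACY = "ALL_INTEGRATION_POINTS_ALL_DATA"

# Constructed sample hierarchy: role -> roles it inherits.
# XX_INTEGRATION_JOB is a hypothetical custom job role.
HIERARCHY = {
    "Employee": ["AttachmentsUser"],
    "Contingent Worker": ["AttachmentsUser"],
    "XX_INTEGRATION_JOB": ["Employee", "SOAOperator"],
}

def grant_paths(direct_roles, hierarchy):
    """Map each effective role to the shortest chain of roles that grants it."""
    paths = {role: [role] for role in direct_roles}
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for inherited in hierarchy.get(role, []):
            if inherited not in paths:  # first visit is shortest; also stops cycles
                paths[inherited] = paths[role] + [inherited]
                queue.append(inherited)
    return paths

def audit(user, direct_roles, hierarchy=HIERARCHY):
    """Report required roles granted (with path), missing, and legacy dependence."""
    paths = grant_paths(direct_roles, hierarchy)
    return {
        "user": user,
        "granted": {r: " > ".join(paths[r]) for r in REQUIRED if r in paths},
        "missing": [r for r in REQUIRED if r not in paths],
        "legacy_role": LEGACY in paths,
    }

# Constructed sample assignments (user -> directly assigned roles).
USERS = {
    "John.Reese": ["Employee"],
    "NEW_INT_USER": ["XX_INTEGRATION_JOB", "FND_MANAGE_CATALOG_SERVICE_PRIV"],
    "R11_INT_USER": [LEGACY, "SOAOperator"],
}

if __name__ == "__main__":
    for name, roles in USERS.items():
        print(audit(name, roles))
```

A user reported with legacy_role set and a non-empty missing list is one that works only because of the upgraded R11 role and should be moved to explicitly assigned roles.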