Enhanced Data Segregation for Third-Party Service Providers – Implementation Guide

Release 12 or above
ORACLE WHITE PAPER | NOVEMBER 2017
Table of Contents

Revision History 1

Introduction 2

Solution Overview 3

Implementing Enhanced Data Segregation 4

Enabling Enhanced Data Segregation on Predefined Roles 4

Step 1: Identify impacted roles 4

Step 2: Make a copy of the role in the Security Console 4

Step 3: Assign users to the newly created custom role 9

Step 4: Update role provisioning rules 9

Enabling Enhanced Data Segregation on Custom Roles 10

Step 1. Identify impacted roles 10

Step 2. Identify existing data security policies 10

Step 3. Create or modify data security policy 11


Revision History
This document will continue to evolve as existing sections change and new information is added. All
updates are logged below, with the most recent updates at the top.

Date            What's Changed                 Notes
October 2017    Initial Document Creation

1 | ENHANCED DATA SEGREGATION FOR THIRD-PARTY SERVICE PROVIDERS – IMPLEMENTATION GUIDE


Introduction
In Oracle Financials Cloud, many transactions, such as payables invoices, payment requests, assets,
and expense reports, include references to employees or persons. We allow any employees or
persons defined in Oracle Financials Cloud to be referenced in these transactions. For Third-Party
Service Providers, additional restrictions may be required. With this enhancement, we have enabled
data security to these references. This document discusses how to implement this enhanced data
segregation.



Solution Overview
Enhanced data segregation allows you to enable data security for references on employees, workers, and users,
such as requestor on payable invoices. The following table lists the places where data security for references on
employees, workers, and users is enabled.
Table 1

Product       Task                                          Field
Assets        Asset Inquiry                                 Employee
Assets        Add Asset                                     Employee
Assets        Prepare Source Lines                          Preparer
Assets        Manage All Books                              Preparer
Assets        Add Asset in Spreadsheet                      Preparer, Employee
Assets        Transfer Assets                               Employee (Asset Selection Criteria), Employee (Transfer Details)
Assets        Perform What-If Analysis                      Employee
Assets        Manage Asset Distribution Sets                Employee
Receivables   Manage Customer -> Edit Customer              Credit Analyst (Profile History)
Receivables   Manage Customer -> Edit Account               Credit Analyst (Profile History)
Receivables   Manage Customer -> Edit Site                  Credit Analyst (Profile History)
Receivables   Credit Reviews                                Credit Analyst
Receivables   Manage Receivables Customer Profile Class     Credit Analyst
Receivables   Manage Approval Limits                        User
Collections   Manage Collectors                             Employee
Payables      Create Payables Invoice                       Preparer
Payables      Import Payables Invoice                       Preparer
Payables      Submit Payment Process Request                First Approver
Payables      Manage Payment Process Request Template       First Approver
Expense       Manage Corporate Cards                        Employee
Expense       Manage Historical Credit Card Transactions    Employee
Expense       Review Corporate Card Transactions            Employee
Expense       Manage Expense Reports                        Employee
Expense       Manage Expense Audit List Membership          Employee
Expense       Manage Cash Advances                          Employee
Expense       Manage Expenses                               Contingent Worker, Employee
Expense       Review Payment Requests                       Employee
Expense       Review Invoices                               Contingent Worker
Expense       About Me -> Manage Delegates                  Person

To minimize upgrade impact, the predefined roles that need to access employees, workers, and users ship with
data security policies that grant access to all employees by default.

To implement enhanced data segregation, these predefined data security policies need to be replaced with data
security policies that are more restrictive. Since predefined roles cannot be modified, such changes need to be
made against copies of the predefined roles.



Implementing Enhanced Data Segregation
The following are instructions to implement enhanced data segregation on predefined roles as well as custom roles.

Enabling Enhanced Data Segregation on Predefined Roles

To enable enhanced data segregation on predefined roles, follow the given steps:

Step 1: Identify impacted roles

To allow selection of all persons, the following predefined roles now include a new data security policy:

» Accounts Payable Manager
» Accounts Payable Specialist
» Accounts Payable Supervisor
» Accounts Receivable Manager
» Accounts Receivable Specialist
» Asset Accountant
» Asset Accounting Manager
» Collections Manager
» Financial Application Administrator

Note: Predefined roles in Expenses, including Corporate Card Administrator, Expense Auditor, Expense Audit
Manager, and Expense Manager, do not include predefined data security policies that provide access to all
employees by default. Follow the instructions given in the Enabling Enhanced Data Segregation on Custom
Roles section to enable these roles for enhanced data segregation for employees.

Step 2: Make a copy of the role in the Security Console

Follow the given steps to copy a predefined role:

a. In the Security Console, search for the predefined role. For more information on using the Security Console,
see the Securing Oracle ERP Cloud guide.
b. Select the predefined role from the search results and click the Actions list.
c. Click Copy Role as shown in the following figure. The Copy Options dialog window appears.



Figure 1: Copy predefined roles

d. Select Copy top role if no other changes are required; otherwise, select the desired copy option.
The Copy Role <role name>: Basic Information window appears.

Figure 2: Copy options

e. Enter the role name, role code, and description under Basic Information as shown in the following figure.



Figure 3: Copy Role - Basic Information

f. Implementing data segregation requires configuring a single data security policy, so click Next and navigate
to the Data Security Policies section.

g. Use query by example to locate the data security policy for the data resource Public Person with the privilege
Choose Public Person. This data security policy governs which employees are selectable in lists of values.

Figure 4: Copy Role - Data Security Policies

h. Choose Edit Data Security Policy from the drop-down list. The Edit Data Security Policy dialog window appears.



Figure 5: Edit Data Security Policy

i. Data segregation is achieved by narrowing the data security policy's access with a condition, known as an
instance set. That is, change the value of the Data Set field from All values to Select by instance set. For
example, to restrict selectable employees to the user's legal employer, select the Condition Name
Access Public Persons From My Own Legal Employer as shown in the following figure.

Figure 6: Change Data Set and update Condition Name

j. Make other changes as needed, such as function security policy or role hierarchy changes.
k. Click OK to return to the Copy Role window.
l. To assign users to the custom role directly, click Next to navigate to the Users section as shown in the
following figure.



Figure 7: Copy Role - Users

m. Click Next to navigate to the Summary and Impact Report section.
n. Review the changes and click Submit and Close to complete the copy role process.

Figure 8: Copy Role - Summary and Impact Report



Step 3: Assign users to the newly created custom role

If you haven't assigned or removed users in the previous step, revoke the seeded role from users and assign them
the newly created custom role.

You can either use the Manage User Accounts option in the Security Console to assign users individually, or
perform a mass revoke and update at the role level using the Edit Role section in the Security Console.

Note: Before performing a mass revoke, run the User Role Membership Report to record the list of users that are
currently assigned the seeded role.

Figure 9: Remove and assign users to the custom role

Step 4: Update role provisioning rules

If you use Role Provisioning Rules for the predefined roles, replace the predefined role in any rule with the new
custom role using the Manage Role Provisioning Rules task from the Setup and Maintenance work area. You
can query role provisioning rules by role.



Figure 10: Manage role mappings

Enabling Enhanced Data Segregation on Custom Roles

To implement enhanced data segregation on custom roles, you do not have to create a copy of the custom role.
You can simply edit the role, and create or modify the necessary data security policy.

To enable enhanced data segregation on custom roles, follow the given steps:

Step 1. Identify impacted roles

Based on the impacted tasks in Table 1, identify any custom roles that provide access to such tasks.

Step 2. Identify existing data security policies

The data security policy that governs the selectable employees in list of values is against data resource Public
Person and privilege Choose Public Person Data.

If another data security policy already exists for this data resource and privilege, you will need to modify that data
security policy.

You can search for this data security policy by using the Edit Role option and proceeding directly to the Data
Security Policies section. Use query by example to search for data security policies for this data resource and privilege.



Figure 11: Edit Role – Data Security Policies

Step 3. Create or modify data security policy

If a matching data security policy is found, click the Actions drop-down list and then click Edit Data Security
Policy. If no matching data security policy is found, click Create Data Security Policy.

Figure 12: Edit data security policy

Whether you are creating a new data security policy or modifying an existing one, use the following values:

Field                 Value
Database Resource     Public Person
Data Set              Select by instance set
Actions               Choose Public Person
Condition Name        As desired; for example, to restrict selectable employees by legal employer, use
                      Access Public Persons From My Own Legal Employer.
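To make the two policy states concrete for both the predefined-role copy (Step 2 above) and the custom-role policy configured here, the following Python model is an added illustration written for this guide, not Oracle code. It shows how the Choose Public Person policy narrows a person list of values: the shipped All values data set beside the Select by instance set data set with the Access Public Persons From My Own Legal Employer condition. The Person records, the legal_employer attribute and the condition's implementation are constructed assumptions; only the resource, privilege, data set and condition names come from the guide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Person:
    person_number: str
    name: str
    legal_employer: str  # assumed stand-in for the attribute the real instance set reads

@dataclass(frozen=True)
class DataSecurityPolicy:
    database_resource: str
    action: str
    data_set: str  # "All values" or "Select by instance set"
    condition_name: Optional[str] = None

# Instance-set conditions keyed by the Condition Name shown in the Security Console;
# each takes the candidate person and the signed-in user and says whether the person is selectable.
CONDITIONS: Dict[str, Callable[[Person, Person], bool]] = {
    "Access Public Persons From My Own Legal Employer":
        lambda person, user: person.legal_employer == user.legal_employer,
}

# Constructed sample data: three persons across two legal employers; 1001 is the signed-in user.
PERSONS: List[Person] = [
    Person("1001", "A. Sample", "Vision Operations"),
    Person("1002", "B. Sample", "Vision Operations"),
    Person("2001", "C. Sample", "Vision Services"),
]
USER = PERSONS[0]

# The policy shipped on the predefined roles, and the restrictive replacement the guide configures.
SEEDED_POLICY = DataSecurityPolicy("Public Person", "Choose Public Person", "All values")
RESTRICTED_POLICY = DataSecurityPolicy(
    "Public Person", "Choose Public Person", "Select by instance set",
    "Access Public Persons From My Own Legal Employer")

def selectable_persons(policy: DataSecurityPolicy, user: Person,
                       persons: List[Person] = PERSONS) -> List[str]:
    """Person numbers the user may pick in a list of values under this policy."""
    if (policy.database_resource, policy.action) != ("Public Person", "Choose Public Person"):
        raise ValueError("policy does not govern the Choose Public Person privilege")
    if policy.data_set == "All values":
        return [p.person_number for p in persons]
    if policy.data_set == "Select by instance set":
        condition = CONDITIONS.get(policy.condition_name or "")
        if condition is None:
            raise ValueError(f"unknown condition name: {policy.condition_name!r}")
        return [p.person_number for p in persons if condition(p, user)]
    raise ValueError(f"unsupported data set: {policy.data_set!r}")
```

Under the seeded policy every person is selectable; under the restricted policy a user in Vision Operations sees only persons 1001 and 1002.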



Copyright © 2017, Oracle and/or its affiliates. All rights reserved.