Revision History
Introduction
Solution Overview
To minimize upgrade impact, data security policies are shipped against the predefined roles that need to access
employees, workers, and users; these policies provide access to all employees by default.
To implement enhanced data segregation, these predefined data security policies need to be replaced with data
security policies that are more restrictive. Since predefined roles cannot be modified, such changes need to be
made against copies of the predefined roles.
Note: Predefined roles in Expenses, including Corporate Card Administrator, Expense Auditor, Expense Audit
Manager, and Expense Manager, do not include predefined data security policies that provide access to all
employees by default. Follow the instructions given in the Enabling Enhanced Data Segregation on Custom
Roles section to enable these roles for enhanced data segregation for employees.
a. In the Security Console, search for the predefined role. For more information on using the Security Console, see
the Oracle ERP Cloud Securing Oracle ERP Cloud guide.
b. Select the predefined role from the search results and click the Actions list.
c. Click Copy Role as shown in the following figure.
The Copy Options dialog window appears.
d. Select Copy top role if no other changes are required, otherwise, select the desired copy option.
The Copy Role <role name>: Basic Information window appears.
e. Enter the role name, role code, and description under Basic Information as shown in the following figure.
f. For implementing data segregation, you need to configure a single data security policy, so click Next and
navigate to the Data Security Policies section.
g. Use query by example to locate the data security policy for the data resource Public Person with privilege
Choose Public Person. This particular data security policy governs the selectable employees in lists of values.
i. Data segregation is achieved by changing the data security policy to a more restrictive access using
a condition, known as an instance set. That is, change the value of the Data Set field from All values to Select
by instance set. For example, to restrict employees based on legal employer, select the Condition Name
Access Public Persons From My Own Legal Employer as shown in the following figure.
j. Make other changes as needed, such as function security policy or role hierarchy changes.
k. Click OK to return to the Copy Role window.
l. You can also assign users to the custom role directly: click Next to navigate to the Users section as shown in
the following figure.
If you haven't assigned or removed users in the previous step, revoke the seeded role from users and assign them
the newly created custom role.
You can either use the Manage User Accounts option in the Security Console to assign users individually or
perform a mass revoke and update at the role level using Edit Role section in the Security Console.
Note: Before performing a mass update, run the User Role Membership Report to record, for your records, the list of
users that are assigned the seeded role.
To implement enhanced data segregation on custom roles, you do not have to create a copy of the custom role.
You can simply edit the role, and create or modify the necessary data security policy.
To enable enhanced data segregation on custom roles, follow the given steps:
The data security policy that governs the selectable employees in lists of values is against data resource Public
Person and privilege Choose Public Person Data.
If another data security policy already exists for this data resource and privilege, you will need to modify that data
security policy.
You can search for this data security policy by using the Edit Role option and proceeding directly to the Data Security
Policies section. Use query by example to search for data security policies for this data resource and privilege.
If a matching data security policy is found, click the Actions drop-down list and then click Edit Data Security
Policy. If no matching data security policy is found, click Create Data Security Policy.
Whether you are creating a new data security policy or modifying an existing one, use the following values:
Field               Value
Database Resource   Public Person
Data Set            Select by instance set
Actions             Choose Public Person
Condition Name      As desired; for example, to restrict selectable employees by legal employer, use
                    Access Public Persons From My Own Legal Employer.
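The following is an added illustration, not Oracle code or the Security Console's implementation: a small model of how the Data Set setting on a Choose Public Person data security policy decides which employees a role can pick in a list of values, covering both the copied predefined role procedure above and the custom-role policy values in the table. It also includes an audit helper that flags any role still carrying an All values grant on Public Person, which is the check to run after the mass revoke and reassignment. The role codes, person records and legal-employer names are constructed for the demo; the resource name, action name and condition name come from this document.

```python
# Added example (not Oracle's code): models Data Set = "All values" versus
# "Select by instance set" on a Choose Public Person policy and audits roles
# that still grant all values. Sample roles, persons and legal employers are
# constructed placeholders.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    legal_employer: str


@dataclass(frozen=True)
class DataSecurityPolicy:
    database_resource: str                  # e.g. "Public Person"
    action: str                             # e.g. "Choose Public Person"
    data_set: str                           # "All values" or "Select by instance set"
    condition_name: Optional[str] = None    # instance-set condition when restricted


@dataclass
class Role:
    code: str
    policies: List[DataSecurityPolicy] = field(default_factory=list)


# Instance-set conditions modelled as predicates over (candidate person, requesting user).
# In the product the condition is defined in the Security Console; this is a stand-in.
CONDITIONS: Dict[str, Callable[[Person, Person], bool]] = {
    "Access Public Persons From My Own Legal Employer":
        lambda candidate, user: candidate.legal_employer == user.legal_employer,
}


def selectable_persons(role: Role, user: Person, people: List[Person]) -> List[Person]:
    """Persons the user may choose in a Public Person list of values under this role.
    Policies are grants, so the result is the union over every matching policy."""
    allowed: Dict[str, Person] = {}
    for policy in role.policies:
        if policy.database_resource != "Public Person" or policy.action != "Choose Public Person":
            continue
        if policy.data_set == "All values":
            return list(people)     # one unrestricted grant exposes everyone
        if policy.data_set == "Select by instance set":
            predicate = CONDITIONS[policy.condition_name]   # KeyError if condition unknown
            for candidate in people:
                if predicate(candidate, user):
                    allowed[candidate.person_id] = candidate
    return list(allowed.values())


def roles_with_unrestricted_person_access(roles: List[Role]) -> List[str]:
    """Audit helper: codes of roles that still grant Choose Public Person on all values."""
    return [
        r.code for r in roles
        if any(p.database_resource == "Public Person"
               and p.action == "Choose Public Person"
               and p.data_set == "All values"
               for p in r.policies)
    ]


# Constructed sample data (placeholder codes, not real Oracle role codes).
PEOPLE = [
    Person("P1", "Alice", "LE_NORTH"),
    Person("P2", "Bob", "LE_NORTH"),
    Person("P3", "Carol", "LE_SOUTH"),
]
SEEDED_ROLE = Role("EXPENSE_ROLE_SEEDED_PLACEHOLDER", [
    DataSecurityPolicy("Public Person", "Choose Public Person", "All values"),
])
CUSTOM_ROLE = Role("EXPENSE_ROLE_CUSTOM_PLACEHOLDER", [
    DataSecurityPolicy("Public Person", "Choose Public Person", "Select by instance set",
                       "Access Public Persons From My Own Legal Employer"),
])

if __name__ == "__main__":
    user = PEOPLE[0]   # Alice, legal employer LE_NORTH
    print([p.name for p in selectable_persons(SEEDED_ROLE, user, PEOPLE)])   # all three
    print([p.name for p in selectable_persons(CUSTOM_ROLE, user, PEOPLE)])   # Alice, Bob
    print(roles_with_unrestricted_person_access([SEEDED_ROLE, CUSTOM_ROLE]))
```

The union semantics in selectable_persons is the point worth noticing: a single remaining All values policy on Public Person anywhere in a role makes the restrictive instance set irrelevant, which is why the audit helper looks for that grant rather than for the presence of the restrictive one.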
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.