Oracle Sales Cloud

Security Upgrade Guide


Release 13 (updates 17B - 17D)
ORACLE WHITE PAPER | MARCH 2018
Table of Contents

Introduction to the Security Upgrade Guide
Before You Start
Verifying that Data Security Policies Can Be Edited in the Security Console
Run Required Processes
Run Retrieve Latest LDAP Changes
Run Import User and Role Application Security Data
Common Steps to Implement New Features in Custom Roles
Adding Functional Security Policies
Creating and Editing Data Security Policies
Creating a Data Security Policy
Editing a Data Security Policy
Update Custom Roles for Oracle Sales Cloud
Policies for Partner Relationship Management
Functional Security Policies
Policies for Oracle Sales Cloud Lightbox
Functional Security Policies
Policies for Quota Management
Functional Security Policies
Changes to Database Resource Conditions for Opportunities and Leads

1 | ORACLE SALES CLOUD SECURITY UPGRADE GUIDE RELEASE 13


Introduction to the Security Upgrade Guide
This guide lists security components for new or updated features that were introduced in Release 13 (updates 17B -
17D) for Oracle Sales Cloud and describes the procedures you might need to perform after your environment is
upgraded to add these privileges to custom roles. If you haven’t created any custom roles, then there is nothing you
have to do.

Oracle has adopted a new, more secure model for delivering security updates (patches) and new releases. Starting
with Release 12, predefined roles that are shipped with Oracle Cloud applications are read-only and can’t be
customized. This model ensures safe upgrades to predefined roles because the possibility of conflict with changes
you introduce to these roles is now eliminated. You can, however, continue to create your own custom roles and can
adopt new enhancements Oracle delivers with the predefined roles in later releases by doing one of the following:

» Manually add new or updated Release 13 privileges to your existing custom roles.
This document provides instructions for you to perform this task.

» Copy the upgraded Release 13 predefined roles, and reapply your configurations to them.
For information about copying roles, see Oracle Sales Cloud Securing Sales Cloud on Oracle Help Center
at http://docs.oracle.com/.

Note: You can identify predefined roles easily by their role codes, which all have the prefix ORA_. During the
upgrade, only roles that begin with the “ORA_” prefix are updated.

Before You Start

To apply Release 13 privileges to your custom roles, you might have to create new data security policies, add
functional security policies, or change the mapping between duty roles. You can use the Security Console to
perform these tasks. This section describes the steps that are required to set up the Security Console before you
begin adding Release 13 privileges to your custom roles.

This section describes the following topics:


» Verifying that Data Security Policies Can Be Edited in the Security Console
» Run Required Processes

Verifying that Data Security Policies Can Be Edited in the Security Console
You can choose whether or not to allow data security policies to be edited and created on the Security Console.
Verify that data security policies can be modified by performing the steps in the following procedure.

Follow these steps:

1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).
3. Select the Administration tab.
4. Select the Roles subtab.
5. Make sure the check box Enable edit of data security policies is selected. This is the default value.
6. Click Save.

Run Required Processes


Before you can use the Security Console in your upgraded environment, you must run these two processes in the
following order:
1. Run Retrieve Latest LDAP Changes
2. Run Import User and Role Application Security Data
Note: Retrieve Latest LDAP Changes must complete successfully before you run Import User and Role Application
Security Data. Do not run these processes in parallel.

You must have the IT Security Manager job role to run these processes.

Run Retrieve Latest LDAP Changes


Follow these steps:
1. Select Navigator - Tools - Scheduled Processes to open the Scheduled Processes work area.
2. Click Schedule New Process. The Schedule New Process dialog box opens.
3. In the Name field, search for and select the Retrieve Latest LDAP Changes process.
4. Click OK to close the Schedule New Process dialog box.
5. In the Process Details dialog box, click Submit.

6. Click OK to close the confirmation message.
7. On the Scheduled Processes page, click the Refresh icon to update the process status.

Once the Retrieve Latest LDAP Changes process completes successfully, you can run the next process.

Run Import User and Role Application Security Data


The Import User and Role Application Security Data process copies users, roles, privileges, and data security
policies from the identity store, policy store, and ApplCore grants schema to Oracle applications security tables.

It is recommended that you schedule the Import User and Role Application Security Data process to run at the same
frequency as the Retrieve Latest LDAP Changes and Send Pending LDAP Requests processes. For example, if
these latter processes run twice a day in your environment, then schedule the Import User and Role Application
Security Data process to run twice a day.

Follow these steps:


1. In the Scheduled Processes work area, click Schedule New Process. The Schedule New Process
dialog box opens.
2. In the Name field, search for and select the Import User and Role Application Security Data process.
3. Click OK to close the Schedule New Process dialog box.
4. In the Process Details dialog box, click Submit.

5. Click OK to close the confirmation message.
6. On the Scheduled Processes page, click the Refresh icon to update the process status. Once the Import
User and Role Application Security Data process completes successfully, you can update custom roles
with the Release 13 privileges you want to implement.

Common Steps to Implement New Features in Custom Roles
This section outlines procedures for updating custom roles with Release 13 privileges. The security components for
each new or updated feature are outlined in the related appendix as indicated in Table 1.

TABLE 1. SECURITY COMPONENTS FOR NEW OR UPDATED FEATURES IN RELEASE 13

Feature Area                                         How the Feature Is Secured

Account Team                                         Policies for Partner Relationship Management
Lightbox Feedback                                    Policies for Oracle Sales Cloud Lightbox
Quota Management                                     Policies for Quota Management
Denormalized Predicates for Opportunities and Leads  Changes to Database Resource Conditions for Opportunities and Leads

If the related appendix indicates that you must add a functional security policy to a role to implement new
functionality, then perform the steps in Adding Functional Security Policies.

If the related appendix indicates that you must create or edit data security policies to implement new functionality,
then perform the steps in Creating and Editing Data Security Policies.

Adding Functional Security Policies


This example uses the details in Table 2 to add a functional security policy to a custom version of the Partner Sales
Party Management duty role.

TABLE 2. ADDING A PRIVILEGE TO A CUSTOM ROLE

Privilege Name: Enter Trading Community Organization Information
Privilege Code: HZ_ENTER_TRADING_COMMUNITY_ORGANIZATION_INFORMATION_PRIV
Target Custom Role Name: Partner Sales Party Management Custom
Target Custom Role Code: ZCM_PARTNER_SALES_PARTY_MANAGEMENT_DUTY_CUSTOM

To add functional security policies:


1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).
3. On the Roles page, search for the role that you want to add the security policy to; in this case, search for
your custom version of the Partner Sales Party Management role. (This value is the name of the role as it
appears in the Target Custom Role Name column in Table 2.)
Depending on the enterprise setting, either a table or a graphical representation of the role hierarchy
appears.
4. In the search results, click the down arrow for the selected role and select Edit Role.
5. On the Edit Role: Basic Information screen, click Next.
The Edit Role: Function Security Policies page is displayed showing the functional privileges assigned to
the role.

6. To remove a privilege from the role, select the privilege and click the X icon. In this example, to add a
privilege to the role, click the Add Function Security Policy button. The Add Function Security Policy
dialog box is displayed.
7. Search for the policy you want to add to the role. In this example, search for the Enter Trading Community
Organization Information privilege. (This value is the name of the privilege as it appears in the Privilege
Name column in Table 2).
8. In the Search Results list, select the Enter Trading Community Organization Information privilege, then
click Add Privilege to Role.
9. Click OK when the Confirmation dialog box is displayed, then click X to close the Add Function Security
Policy dialog box.
10. On the Edit Role: Function Security Policies page, you can view the function security policy you just added
by scrolling to the end of the list of policies.
11. Click the Summary and Impact Report train stop.
12. On the Edit Role: Summary and Impact Report page, expand the Function Security Policies row to verify
that the privilege was added to the role.
13. Click Save and Close.

Creating and Editing Data Security Policies


Follow the procedures in this section to create and edit data security policies. The examples in this section describe
how to edit a custom role to:

» Add a data security policy containing a new denormalized predicate
» End-date an existing policy containing the original predicate that is no longer required

Creating a Data Security Policy


This example uses the details in Table 3 to create a data security policy for a custom version of the Sales Manager
role. The new data security policy includes a denormalized predicate for the Opportunity object. For additional
information, see Changes to Database Resource Conditions for Opportunities and Leads.

TABLE 3. CREATING A DATA SECURITY POLICY FOR A CUSTOM ROLE

Policy Name: Grant on Opportunity
Database Resource: Opportunity for Table MOO_OPTY
Condition: Access the opportunity for table MOO_OPTY where they are member or in management chain of
opportunity sales team with view, edit or full access, member of territory team or upward territory hierarchy
Actions: View Opportunity; Read
Target Custom Role Name: Sales Manager Custom
Target Custom Role Code: ZBS_SALES_MANAGER_JOB_CUSTOM

Note: To create data security policies in the Security Console, the Enable edit of data security policies check box
must be selected. For information, see Verifying that Data Security Policies Can Be Edited in the Security
Console.

To create a data security policy:

1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).
3. On the Roles page, search for the custom role that you are creating the data security policy for; in this
case, search for your custom version of the Sales Manager role.
(This value is the role name as it appears in the Target Custom Role Name column in Table 3).
4. In the search results, click the down arrow for the selected role and then select the Edit Role option.
5. On the Edit Role: Basic Information screen, click the Data Security Policies train stop link. The Edit
Role: Data Security Policies page is displayed showing the data policies assigned to the role.
6. Create a new data security policy that uses a denormalized predicate by clicking the Create Data
Security Policy button.
7. Enter values in the Policy Name, Start Date and Description fields.
8. Choose a Database Resource. In this example, search for Opportunity for Table MOO_OPTY and
select it.
9. Choose Select by instance set for the Data Set field.
10. In the Condition Name drop-down, search for and select the denormalized predicate as listed in the
Condition column in Table 3.
11. Since the denormalized predicates are only available for Read actions, select View Opportunity and
Read in the Actions field. Click OK.
12. Repeat steps 6-11 for any other denormalized predicates that you want to use.
13. Navigate to the Summary and Impact Report train stop.
14. On the Edit Role: Summary and Impact Report page, expand the Data Security Policies row to verify
that the policy is added to the role.
15. Click Save and Close. A confirmation dialog box is displayed indicating that the role changes were
saved.

Editing a Data Security Policy


This example uses the details in Table 4 to end-date a data security policy for a custom version of the Sales
Manager role. The data security policy defines a predicate for the Opportunity object that is not required if the
denormalized predicate in Table 3 is implemented. For additional information, see Changes to Database
Resource Conditions for Opportunities and Leads.

TABLE 4. END-DATING AN OPPORTUNITY DATA SECURITY POLICY

Policy Name: Grant on Opportunity
Database Resource: Opportunity for Table MOO_OPTY
Condition: Where they are an opportunity sales team member with view, edit, or full access
Target Custom Role Name: Sales Manager Custom
Target Custom Role Code: ZBS_SALES_MANAGER_JOB_CUSTOM

To end-date a data security policy:

1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).

3. On the Roles page, search for the custom role that contains the data security policy that you want to end-
date. In this case, search for your custom version of the Sales Manager role.
4. In the Search results, click the drop-down arrow next to the role and select Edit Role.
5. Navigate to the Edit Role: Data Security Policies page.
6. Search for the data security policy that you want to end-date. In this example, search for the policy in
Table 4.
You can use the filters at the top of the columns to locate relevant policies. For the Opportunity object in
this example, use the following filters:
• Data Resource column: Opportunity for Table MOO_OPTY
• Privilege column: Read; View Opportunity
If you wanted to end-date a policy for the Lead object, you would use filters similar to the following:
• Data Resource column: Sales Lead
• Privilege column: Read; View Lead
Note: Denormalized predicates are only available for Read actions, so only end-date policies that contain
Read actions. Some data security policies have Read actions in addition to Delete and Manage actions; do
not end-date these policies.
7. Once you have found the relevant policy, click the drop-down arrow to the right of it and select Edit Data
Security Policy.
8. In the End Date field, select an end-date for this policy, then click OK.
9. Repeat steps 6-8 for all the data security policies you want to end-date for your custom role.
10. Navigate to the Summary and Impact Report train stop and click Save and Close.

Update Custom Roles for Oracle Sales Cloud
During the upgrade process, new privileges become available which correspond to new features and functionality in
Release 13 or to changes in existing functionality. These privileges are automatically added to the appropriate
predefined reference roles during the upgrade process. If you are using custom versions of the predefined roles,
however, to implement new features and privileges you must manually add new or updated privileges to the custom
roles.

This section lists security components for the following new or updated features that were introduced in Release 13:
» Policies for Partner Relationship Management
» Policies for Oracle Sales Cloud Lightbox
» Policies for Quota Management
» Changes to Database Resource Conditions for Opportunities and Leads

Policies for Partner Relationship Management
This section lists the functional security policies that were added in Release 13 for Partner Relationship
Management functionality. These policies provide the following roles with the functionality indicated:

» Partner Administrator role
Access to the Account Team subtab in the Edit Partner details UI.
» Partner Sales Party Management role
Ability to invoke TCA Web service operations and Resource REST calls.

If you created a custom version of either of these roles, then add the policies listed in this section to your custom
version of the role.

Functional Security Policies


Add the functional security policies for Partner Relationship Management listed in Table 5 to your custom roles. For
detailed instructions, see Adding Functional Security Policies.

TABLE 5. FUNCTIONAL SECURITY POLICIES FOR PARTNER RELATIONSHIP MANAGEMENT

Target Role Name: Partner Administrator
Target Role Code: ORA_ZPM_PARTNER_ADMINISTRATOR_JOB
Privileges (Privilege Name: Privilege Code):
• View Partner Account Team: ZPM_VIEW_PARTNER_ACCOUNT_TEAM_PRIV

Target Role Name: Partner Sales Party Management
Target Role Code: ORA_ZCM_PARTNER_SALES_PARTY_MANAGEMENT_DUTY
Privileges (Privilege Name: Privilege Code):
• Enter Trading Community Organization Information: HZ_ENTER_TRADING_COMMUNITY_ORGANIZATION_INFORMATION_PRIV
• Enter Trading Community Person: HZ_ENTER_TRADING_COMMUNITY_PERSON_PRIV
• Manage Trading Community Group Details: HZ_MANAGE_TRADING_COMMUNITY_GROUP_DETAILS_PRIV
• View Trading Community Resource Details: HZ_VIEW_TRADING_COMMUNITY_RESOURCE_DETAILS_PRIV

Policies for Oracle Sales Cloud Lightbox
This section lists the functional security policies that are added in Release 13 for Sales Cloud Lightbox and the roles
to which these policies are assigned. Sales Cloud Lightbox is a content library for storing and sharing business
documents and collaterals. These policies provide privileges to create and view feedback for Sales Cloud Lightbox
documents.

If you have created custom versions of any of the following duty roles, then add the functional policies listed in this
appendix to your custom version of the role:

» Sales Representative
» Sales Manager
» Sales Administrator
» Sales VP
» Customer Relationship Management Application Administrator
Note: The Feedback tab is enabled through Application Composer. Feedback for Sales Cloud Lightbox documents
can only be created through Sales Cloud Lightbox presentation session REST APIs.

Functional Security Policies


Add the functional security policies for Sales Cloud Lightbox listed in Table 6 to your custom roles. For detailed
instructions, see Adding Functional Security Policies.

TABLE 6. FUNCTIONAL SECURITY POLICIES FOR SALES CLOUD LIGHTBOX

Privilege Name: Create Lightbox Feedback
Privilege Code: ZSO_CREATE_SESSION_FEEDBACK_PRIV
Target Roles (Target Role Name: Target Role Code):
• Sales Representative: ORA_ZBS_SALES_REPRESENTATIVE_JOB
• Sales Manager: ORA_ZBS_SALES_MANAGER_JOB
• Sales VP: ORA_ZBS_SALES_VP_JOB

Privilege Name: View Lightbox Feedback
Privilege Code: ZSO_VIEW_SESSION_FEEDBACK_PRIV
Target Roles (Target Role Name: Target Role Code):
• Sales Representative: ORA_ZBS_SALES_REPRESENTATIVE_JOB
• Sales Manager: ORA_ZBS_SALES_MANAGER_JOB
• Sales VP: ORA_ZBS_SALES_VP_JOB
• Sales Administrator: ORA_ZBS_SALES_ADMINISTRATOR_JOB
• Customer Relationship Management Application Administrator:
  ORA_ZCA_CUSTOMER_RELATIONSHIP_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB

Policies for Quota Management
This appendix lists the functional security policy that was added in Release 13 for Quota Management functionality.
This policy provides the following role with the ability to run a process to publish or revise the territory quotas for all
descendants of a chosen territory:

» Quota Management Enterprise Administration

If you created a custom version of this role, then add the policy listed in this section to your custom version of the
role.

Functional Security Policies


Add the functional security policy for Quota Management listed in Table 7 to your custom role. For detailed
instructions, see Adding Functional Security Policies.

TABLE 7. FUNCTIONAL SECURITY POLICY FOR QUOTA MANAGEMENT

Privilege Name: Run Publish or Revise Hierarchy Quotas
Privilege Code: ORA_MOT_QM_RUN_PUBLISH_REVISE_HIERARCHY_QUOTA_PRIV
Target Role Name: Quota Management Enterprise Administration
Target Role Code: ORA_MOT_QUOTA_MANAGEMENT_ENTERPRISE_ADMINISTRATION_DUTY

Changes to Database Resource Conditions for Opportunities and Leads
This section lists changes to database resource conditions made in Release 13 for Opportunities and Leads.

In the Oracle Sales Cloud security implementation, a data security policy specifies a role that can perform an action
on a database object based on a resource condition that controls access to specific instances of that object. You
can define the resource condition using either a simple XML filter or an SQL predicate (WHERE clause) that queries
the attributes of the resource. A condition or predicate describes the access path between an object and a user. For
example, the following condition allows Sales Managers to view opportunities their reports can view:

    Where they are in the management chain of an opportunity sales team member with view, edit, or full access

To improve performance, the predicates in some queries defined for the Opportunity and Leads database resources
have been combined (denormalized), thereby reducing the time it takes the database to execute the query.
Denormalized predicates are only available for Read actions.

All the denormalized predicates are provided in data security policies defined for each of the following job roles:

» Sales Representative
» Sales Manager
» Sales VP
» Sales Restricted User
If you have created and are using a custom version of any of these roles, then to use any of the denormalized
predicates you must edit the relevant data security policies associated with your custom version of the role. For
detailed instructions, see Creating and Editing Data Security Policies.

Table 8 lists each of the denormalized SQL predicates defined for Opportunities and Leads, and the original
predicates that the denormalized predicates replace.

TABLE 8. SQL PREDICATES FOR THE OPPORTUNITY AND LEADS DATABASE RESOURCES

Row 1
Object Name: Opportunity
Database Resource Display Name: Opportunity for Table MOO_OPTY
Denormalized SQL Predicate: Where they are member or in management chain of opportunity sales team with view,
edit or full access, member of territory team or upward territory hierarchy
Original SQL Predicates:
• Where they are an opportunity sales team member with view, edit, or full access
• Where they are a territory resource in the opportunity territory team or a territory resource with a
  descendant territory in the opportunity territory team
• Where they are a territory resource in the opportunity sales account territory team or a territory resource
  with a descendant territory in the opportunity sales account territory team
• Where they are in the management chain of an opportunity sales team member with view, edit, or full access

Row 2
Object Name: Opportunity
Database Resource Display Name: Opportunity for Table MOO_OPTY
Denormalized SQL Predicate: Where they are member or in management chain of opportunity account team, account
territory team or upward territory hierarchy.
Original SQL Predicates:
• Where they are a member of the opportunity sales account team
• Where they are in the management chain of an opportunity sales account team member

Row 3
Object Name: Leads
Database Resource Display Name: Sales Lead*
Denormalized SQL Predicate: Where they are member or in management chain of lead sales team, member of
territory team or upward territory hierarchy
Original SQL Predicates:
• Where they are a resource in the lead sales team
• Where they are a resource in the territory assigned to the sales lead
• Where they are a territory resource in the sales lead territory team or a territory resource with a
  descendant territory in the sales lead territory team
• Where they are an administrator of the resource organization in the primary assignment of the owner
• Where they are the owner of the sales lead
• Where they are a manager in the management hierarchy of a resource in the lead sales team
• Where they are a manager in the management hierarchy of the owner of the sales lead

*Denormalized predicates are available only for the Sales Lead object. Denormalized predicates are not available
for related objects such as Sales Lead Resource, Sales Lead TCA Party, and so on.

Editing Custom Roles to Use the Denormalized Predicates When Original Data Security Policies Are Unchanged

If you have created a custom role but have not changed any of the data security policies associated with the role, to
use the denormalized predicates, replace (end-date) the existing policies with the new policy that contains the new
denormalized predicates.

Use Table 8 to determine the original predicates that you need to end-date. For example, in the case of Opportunity,
if you have not modified any of the four original predicates listed in the first row, you can end-date all four of them
and replace them with a data security policy that you create that includes the denormalized predicate for Opportunity
that is listed in the same row. For information on end dating an existing data security policy and creating a new
policy that uses a denormalized predicate, see Creating and Editing Data Security Policies.

Editing Custom Roles to Use the Denormalized Predicates When Original Data Security Policies Have Been Changed

If your custom role contains data security policies that have been amended to remove some or all of the original
predicates that have been denormalized, then editing your custom role to use the denormalized predicate that
corresponds to the original predicate(s) that you removed could result in losing the customization.

For example, if you modified any of the original predicates in the first row of Table 8, then you cannot use the
denormalized predicate listed in that row because that would restore the access you have removed. However, you
can still use the denormalized predicates in the second and third rows of Table 8.
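
The adoption rule from the two subsections above, written as a planning check over a custom role's policies. This is an added example, not Oracle code: the Policy record and the sample policy names are assumptions standing in for whatever export of the role you review, and only the two Opportunity rows of Table 8 are encoded (the Leads row follows the same pattern).

```python
from dataclasses import dataclass

RESOURCE = "Opportunity for Table MOO_OPTY"
READ_ONLY = frozenset({"Read", "View Opportunity"})

# Opportunity rows of Table 8: (denormalized predicate, original predicates it replaces).
TABLE_8 = [
    ("Where they are member or in management chain of opportunity sales team with view, "
     "edit or full access, member of territory team or upward territory hierarchy", [
        "Where they are an opportunity sales team member with view, edit, or full access",
        "Where they are a territory resource in the opportunity territory team or a "
        "territory resource with a descendant territory in the opportunity territory team",
        "Where they are a territory resource in the opportunity sales account territory "
        "team or a territory resource with a descendant territory in the opportunity "
        "sales account territory team",
        "Where they are in the management chain of an opportunity sales team member "
        "with view, edit, or full access",
     ]),
    ("Where they are member or in management chain of opportunity account team, "
     "account territory team or upward territory hierarchy.", [
        "Where they are a member of the opportunity sales account team",
        "Where they are in the management chain of an opportunity sales account team member",
     ]),
]


@dataclass(frozen=True)
class Policy:
    """One data security policy on a custom role (hypothetical export shape)."""
    name: str
    condition: str
    actions: frozenset
    resource: str = RESOURCE
    end_dated: bool = False


def plan(policies):
    """Return one decision per encoded Table 8 row for a role's policies."""
    active = [p for p in policies
              if p.resource == RESOURCE and not p.end_dated and "Read" in p.actions]
    decisions = []
    for denormalized, originals in TABLE_8:
        adopted = any(p.condition == denormalized for p in active)
        matches = {o: [p for p in active if p.condition == o] for o in originals}
        missing = [o for o in originals if not matches[o]]
        if missing and not adopted:
            # An original predicate was removed or end-dated on this role, so the
            # combined predicate would restore the access that was taken away.
            decisions.append({"action": "skip", "missing": missing, "end_date": [], "keep": []})
            continue
        found = [p for o in originals for p in matches[o]]
        decisions.append({
            "action": "end-date only" if adopted else "adopt",
            "missing": [],
            # Denormalized predicates cover Read only: end-date read-only policies,
            # keep any policy that also carries Delete or Manage actions.
            "end_date": [p.name for p in found if p.actions <= READ_ONLY],
            "keep": [p.name for p in found if not p.actions <= READ_ONLY],
        })
    return decisions


O1, O2 = TABLE_8[0][1], TABLE_8[1][1]
# Constructed policies for a custom Sales Manager role (names are made up).
SAMPLE = [
    Policy("Opty team member", O1[0], READ_ONLY),
    Policy("Opty territory", O1[1], READ_ONLY),
    Policy("Opty account territory", O1[2], READ_ONLY | {"Manage"}),
    Policy("Opty team manager", O1[3], READ_ONLY),
    Policy("Account team member", O2[0], READ_ONLY),
    Policy("Account team manager", O2[1], READ_ONLY, end_dated=True),
]

if __name__ == "__main__":
    for (denormalized, _), decision in zip(TABLE_8, plan(SAMPLE)):
        print(decision["action"], "|", denormalized[:50], "|", decision)
```

On the constructed sample, the first row is adopted with three policies to end-date and one kept because it also carries Manage, and the second row is skipped because its management-chain predicate was already end-dated on the role.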

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information
purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be
error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including
implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim
any liability with respect to this document, and no contractual obligations are formed either directly or indirectly
by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used
under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo,
and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered
trademark of The Open Group. 0116

Oracle Sales Cloud Security Upgrade Guide Release 12


January 2017
