Oracle has adopted a new, more secure model for delivering security updates (patches) and new releases. Starting
with Release 12, predefined roles that are shipped with Oracle Cloud applications are read-only and can’t be
customized. This model ensures safe upgrades to predefined roles because the possibility of conflict with changes
you introduce to these roles is now eliminated. You can, however, continue to create your own custom roles and
adopt new enhancements Oracle delivers with the predefined roles in later releases by doing one of the following:
» Manually add new or updated Release 13 privileges to your existing custom roles.
This document provides instructions for you to perform this task.
» Copy the upgraded Release 13 predefined roles, and reapply your configurations to them.
For information about copying roles, see Oracle Sales Cloud Securing Sales Cloud on Oracle Help Center
at http://docs.oracle.com/.
Note: You can identify predefined roles easily by their role codes, which all have the prefix ORA. During the
upgrade, only roles that begin with the “ORA_” prefix are updated.
To apply Release 13 privileges to your custom roles, you might have to create new data security policies, add
functional security policies, or change the mapping between duty roles. You can use the Security Console to
perform these tasks. This section describes the steps that are required to set up the Security Console before you
begin adding Release 13 privileges to your custom roles.
Verifying that Data Security Policies Can Be Edited in the Security Console
You can choose whether or not to allow data security policies to be edited and created on the Security Console.
Verify that data security policies can be modified by performing the steps in the following procedure.
1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).
3. Select the Administration tab.
4. Select the Roles subtab.
5. Make sure the check box Enable edit of data security policies is selected. This is the default value.
6. Click Save.
You must have the IT Security Manager job role to run these processes.
Once the Retrieve Latest LDAP Changes process completes successfully, you can run the next process.
It is recommended that you schedule the Import User and Role Application Security Data process to run at the same
frequency as the Retrieve Latest LDAP Changes and Send Pending LDAP Requests processes. For example, if
these latter processes run twice a day in your environment, then schedule the Import User and Role Application
Security Data process to run twice a day.
If the related appendix indicates that you must add a functional security policy to a role to implement new
functionality, then perform the steps in Adding Functional Security Policies.
If the related appendix indicates that you must create or edit data security policies to implement new functionality,
then perform the steps in Creating and Editing Data Security Policies.
Privilege Name Privilege Code Target Custom Role Name Target Custom Role Code
Grant on Opportunity Access the opportunity View Opportunity; Sales Manager Custom ZBS_SALES_MANAGER_
Opportunity for Table for table MOO_OPTY Read; JOB_CUSTOM
MOO_OPTY where they are member
or in management chain
of opportunity sales
team with view, edit or
full access, member of
territory team or upward
territory hierarchy
Note: To create data security policies in the Security Console, the Enable edit of data security policies check box
must be selected. For information, see Verifying that Data Security Policies Can Be Edited in the Security
Console.
1. Sign in to the Oracle Sales Cloud application with IT Security Manager privileges.
2. Navigate to the Security Console (Navigator - Tools - Security Console).
This section lists security components for the following new or updated features that were introduced in Release:
» Policies for Partner Relationship Management
» Policies for Oracle Sales Cloud Lightbox
» Policies for Quota Management
» Changes to Database Resource Conditions for Opportunities and Leads
Privilege Name | Privilege Code | Target Role Name | Target Role Code
Enter Trading Community Person | HZ_ENTER_TRADING_COMMUNITY_PERSON_PRIV
Manage Trading Community Group Details | HZ_MANAGE_TRADING_COMMUNITY_GROUP_DETAILS_PRIV
View Trading Community Resource Details | HZ_VIEW_TRADING_COMMUNITY_RESOURCE_DETAILS_PRIV
If you have created custom versions of any of the following duty roles, then add the functional policies listed in this
appendix to your custom version of the role:
» Sales Representative
» Sales Manager
» Sales Administrator
» Sales VP
» Customer Relationship Management Application Administrator
Note: The Feedback tab is enabled through Application Composer. Feedback for Sales Cloud Lightbox documents
can only be created through Sales Cloud Lightbox presentation session REST APIs.
Privilege Name Privilege Code Target Role Name Target Role Code
Administrator ORA_ZCA_CUSTOMER_RELATIONSHIP_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB
If you created a custom version of this role, then add the policy listed in this section to your custom version of the
role.
Privilege Name Privilege Code Target Role Name Target Role Code
In the Oracle Sales Cloud security implementation, a data security policy specifies a role that can perform an action
on a database object based on a resource condition that controls access to specific instances of that object. You
can define the resource condition using either a simple XML filter or an SQL predicate (WHERE clause) that queries
the attributes of the resource. A condition or predicate describes the access path between an object and a user. For
example, the following condition allows Sales Managers to view opportunities their reports can view:
Where they are in the management chain of an opportunity sales team member with
view, edit, or full access
To improve performance, the predicates in some queries defined for the Opportunity and Leads database resources
have been combined (denormalized), thereby reducing the time it takes the database to execute the query.
Denormalized predicates are only available for Read actions.
All the denormalized predicates are provided in data security policies defined for each of the following job roles:
» Sales Representative
» Sales Manager
» Sales VP
» Sales Restricted User
If you have created and are using a custom version of any of these roles, then to use any of the denormalized
predicates you must edit the relevant data security policies associated with your custom version of the role. For
detailed instructions, see Creating and Editing Data Security Policies.
Table 8 lists each of the denormalized SQL predicates defined for Opportunities and Leads, and the original
predicates that the denormalized predicates replace.
TABLE 8. SQL PREDICATES FOR THE OPPORTUNITY AND LEADS DATABASE RESOURCES

Object Name: Opportunity
Database Resource Display Name: Opportunity for Table MOO_OPTY
Denormalized SQL Predicate: Where they are member or in management chain of opportunity sales team with view, edit or full access, member of territory team or upward territory hierarchy
Original SQL Predicates:
• Where they are an opportunity sales team member with view, edit, or full access
• Where they are a territory resource in the opportunity territory team or a territory resource with a descendant territory in the opportunity territory team
• Where they are a territory resource in the opportunity sales account territory team or a territory resource with a descendant territory in the opportunity sales account territory team
• Where they are in the management chain of an opportunity sales team member with view, edit, or full access

Object Name: Opportunity
Database Resource Display Name: Opportunity for Table MOO_OPTY
Denormalized SQL Predicate: Where they are member or in management chain of opportunity account team, account territory
Original SQL Predicates:
• Where they are a member of the opportunity sales account team
*Denormalized predicates are available only for the Sales Lead object. Denormalized predicates are not available
for related objects such as Sales Lead Resource, Sales Lead TCA Party, and so on.
Editing Custom Roles to use the Denormalized Predicates when Original Data Security Policies Are Unchanged
If you have created a custom role but have not changed any of the data security policies associated with the role, to
use the denormalized predicates, replace (end-date) the existing policies with the new policy that contains the new
denormalized predicates.
Use Table 8 to determine the original predicates that you need to end-date. For example, in the case of Opportunity,
if you have not modified any of the four original predicates listed in the first row, you can end-date all four of them
and replace them with a data security policy that you create that includes the denormalized predicate for Opportunity
that is listed in the same row. For information on end dating an existing data security policy and creating a new
policy that uses a denormalized predicate, see Creating and Editing Data Security Policies.
Editing Custom Roles to use the Denormalized Predicates When Original Data Security Policies Have Been Changed
If your custom role contains data security policies that have been amended to remove some or all of the original
predicates that have been denormalized, then editing your custom role to use the denormalized predicate that
corresponds to the original predicate(s) that you removed could result in losing the customization.
For example, if you modified any of the original predicates in the first row of Table 8, then you cannot use the
denormalized predicate listed in that row because that would restore the access you have removed. However, you
can still use the denormalized predicates in the second and third rows of Table 8.
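The decision described in the two sections above, as an added example that is not Oracle's code: a role may switch to the denormalized Opportunity predicate only if all four original predicates from the first row of Table 8 are still present and unmodified on its Read policies. The policy-record layout, the function names, and the role codes other than ZBS_SALES_MANAGER_JOB_CUSTOM are assumptions made for illustration.

```python
# Added example. Predicate texts are Table 8 row 1 as printed in this document;
# the policy-record layout and sample roles are constructed for illustration.
DENORMALIZED = ("Where they are member or in management chain of opportunity "
                "sales team with view, edit or full access, member of territory "
                "team or upward territory hierarchy")
ORIGINALS = frozenset({
    "Where they are an opportunity sales team member with view, edit, or full access",
    "Where they are a territory resource in the opportunity territory team or a "
    "territory resource with a descendant territory in the opportunity territory team",
    "Where they are a territory resource in the opportunity sales account territory "
    "team or a territory resource with a descendant territory in the opportunity "
    "sales account territory team",
    "Where they are in the management chain of an opportunity sales team member "
    "with view, edit, or full access",
})

def plan_migration(role_code, policies):
    """Return (decision, conditions) for one role's MOO_OPTY Read policies."""
    if role_code.startswith("ORA_"):
        return ("skip", [])            # predefined role, maintained by the upgrade
    held = {p["condition"] for p in policies
            if p["object"] == "MOO_OPTY" and p["action"] == "Read"}
    if DENORMALIZED in held:
        return ("done", [])            # already migrated
    missing = ORIGINALS - held
    if not missing:
        return ("replace", sorted(ORIGINALS))   # end-date these four, add DENORMALIZED
    # A removed or reworded original means the combined predicate would grant
    # access this role no longer has, so the existing policies stay.
    return ("keep", sorted(missing))

def policies_for(conditions, action="Read"):
    """Build constructed policy records for the MOO_OPTY object."""
    return [{"object": "MOO_OPTY", "action": action, "condition": c}
            for c in conditions]

if __name__ == "__main__":
    mgmt_chain = next(c for c in ORIGINALS if "management chain" in c)
    samples = {
        "ZBS_SALES_MANAGER_JOB_CUSTOM": policies_for(ORIGINALS),
        "EXAMPLE_RESTRICTED_JOB_CUSTOM": policies_for(ORIGINALS - {mgmt_chain}),
        "ORA_EXAMPLE_JOB": policies_for(ORIGINALS),
    }
    for code, pols in samples.items():
        decision, conds = plan_migration(code, pols)
        print(code, decision, len(conds))
```

A "keep" result lists the original predicates the role no longer carries, which is the access the denormalized predicate would hand back.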
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.