Friday, June 24, 2016

DATA ROLE AND DATA ACCESS SET IN ORACLE FUSION APPLICATIONS

In this training article we will learn about the system-generated Data Roles and Data Access Sets that Oracle Fusion Applications creates for a newly created Ledger, and we will also see how to add Data Roles and Access Sets to a user. Let's first briefly look at Data Roles and Data Access Sets.
Data Roles
A data role defines components of data within which a job is performed. The data role inherits the job role that describes the job. For example, a data role entitles a user to perform a job in a business unit. Data roles are implemented as job roles for a set of data. The data role inherits abstract or job roles and is granted data security privileges. Data roles carry the function security privileges inherited from job roles and also the data security privileges granted on database objects and table rows.
For example, an accounts payables specialist in the UK Business Unit may be assigned the data role Accounts Payables Specialist - UK Business Unit. This data role inherits the job role Accounts Payables Specialist and grants access to transactions in the UK Business Unit. Data roles are created and maintained using data role templates in the Authorization Policy Manager (APM).

Data Access Sets
Data access sets define a set of access privileges to one or more Ledgers or Ledger Sets. The information on Ledgers that are attached to data access sets is secured by function security. Users must have access to the segment values associated with the data access sets to access the corresponding GL account.
In the security reference implementation, the IT Security Manager job role hierarchy includes the Data Access Administration Duty role, which is entitled to manage data access sets (the entitlement is Define General Ledger Data Access Set). This entitlement provides the access necessary to perform the Manage Data Access Sets task in General Ledger.



Security in Oracle Fusion Applications is based on integrations with Oracle Identity Management in Fusion Middleware, security features in the database, and Governance, Risk, Compliance, and Controls. Additional resources in support of performing security tasks include the following:
  • Authorization Policy Manager (APM) is available in Oracle Fusion Applications through integration with Oracle Identity Management (OIM). Authorization policy management involves managing duty roles, data role templates, and data security policies.  
  • Oracle Identity Management (OIM) is available in Oracle Fusion Applications through integration with Oracle Fusion Middleware and involves creating and managing user identities, creating and linking user accounts, managing user access control through user role assignment, managing enterprise roles, and managing workflow approvals and delegated administration.
  • Oracle Fusion Applications is certified to integrate with Applications Access Controls Governor (AACG) in the Oracle Governance, Risk and Compliance Controls (GRCC) suite to ensure effective Access & Segregation of Duties (SOD).

Features of Data Access Sets
Data Access Sets secure access to ledgers, ledger sets, and portions of Ledgers using primary balancing segment values. If primary balancing segment values are assigned to Legal Entities, then we can use this feature to secure access to specific Legal Entities.
  • Secures parent or detail primary balancing segment values.
  • Secures the specified parent value as well as all its descendants, including midlevel parents and detail values.
  • Requires all Ledgers assigned to the data access set to share chart of accounts and accounting calendar.

When a Ledger is created, a data access set for that Ledger is automatically created, giving full read and write access to that Ledger. Data access sets are automatically created when we create a new Ledger set as well. We can also manually create data access sets to give read only access or partial access to select balancing segment values in the Ledger.
We can combine Ledger and Ledger Set assignments in a single data access set as long as all Ledgers share a common chart of accounts and calendar. When a data access set is created, data roles are automatically created for that data access set. The following five data roles are generated for each data access set, one for each of the Oracle Fusion General Ledger roles:
  • Chief Financial Officer
  • Controller
  • General Accounting Manager
  • General Accountant
  • Financial Analyst

The data roles must then be assigned to specific users before they can use the data access set.
As mentioned above, you will find Roles created for Chief Financial Officer, Controller, General Accounting Manager, General Accountant and Financial Analyst.


  • Full Ledger Access: Access to the entire ledger or ledger sets. For example, this could mean read only access to the entire Ledger or both read and write access.

  • Primary Balancing Segment Value: Access one or more primary balancing segment values for that Ledger. We can specify read only, read and write access, or a combination of the two for different primary balancing segment values for different ledgers and ledger sets.
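
The rules described above (shared chart of accounts and calendar, parent values covering their descendants, read versus read and write access, five generated data roles) can be checked with a small model when reviewing who can reach which ledger data. This is an added example, not Oracle code and not part of the original article; the class and function names, the "*" marker for full ledger access, the generated role naming pattern and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The five General Ledger job roles listed in this article.
GL_JOB_ROLES = ["Chief Financial Officer", "Controller", "General Accounting Manager",
                "General Accountant", "Financial Analyst"]

@dataclass(frozen=True)
class Ledger:
    name: str
    chart_of_accounts: str
    calendar: str

@dataclass
class DataAccessSet:
    name: str
    ledgers: list
    # ledger name -> {balancing segment value, or "*" for full ledger: "R" or "RW"}
    grants: dict = field(default_factory=dict)

    def validate(self):
        """All ledgers in one set must share chart of accounts and calendar."""
        shapes = {(l.chart_of_accounts, l.calendar) for l in self.ledgers}
        if len(shapes) > 1:
            raise ValueError(f"{self.name}: ledgers differ in chart of accounts or calendar")

    def generated_data_roles(self):
        # Assumed naming, modelled on the "Job Role - Scope" pattern in the article.
        return [f"{role} - {self.name}" for role in GL_JOB_ROLES]

def descendants(value, tree):
    """A parent value plus all its descendants (midlevel parents and detail values)."""
    out = {value}
    for child in tree.get(value, []):
        out |= descendants(child, tree)
    return out

def can_access(das, ledger, bsv, tree, write=False):
    """True if the set grants read (or write) on this ledger and balancing segment value."""
    for granted, mode in das.grants.get(ledger, {}).items():
        if granted == "*" or bsv in descendants(granted, tree):
            if not write or mode == "RW":
                return True
    return False

# Constructed sample data: a segment value hierarchy and one partial-access set.
TREE = {"EMEA": ["UK", "DE"], "UK": ["101", "102"], "DE": ["201"]}
LEDGERS = [Ledger("UK Ledger", "Corp COA", "Monthly"), Ledger("US Ledger", "Corp COA", "Monthly")]
DAS = DataAccessSet("EMEA Partial", LEDGERS,
                    {"UK Ledger": {"UK": "RW", "DE": "R"}, "US Ledger": {"*": "R"}})
```

Granting the parent value UK read and write covers detail values 101 and 102, while 201 under DE stays read only and the US Ledger is readable in full but not writable.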

Function and Data Security
This secures features and data with privileges that are mapped to roles. Access it through Define Security in the Setup and Maintenance work area or in your implementation project.
  • Use Oracle Identity Manager (OIM) to manage user and user-role assignments.
  • Use Authorization Policy Manager (APM) to manage data roles and duty roles.
Functions and data are inaccessible to users unless they are provisioned with the roles necessary to gain access. Function security consists of privileges unconditionally granted to a role and used to control access to a page or to a specific widget or functionality within a page, including services, regions, and flows.
Data security consists of privileges conditionally granted as data security policies carried by roles, or granted as Human Capital Management (HCM) security profiles, and used to control access to data:
  •  Within a business object such as a business unit.
  •  Based on user profiles.
  •  Based on privacy policies.
For example, a job role can give view access to the functions needed to access invoices, but a data role that inherits the job role gives limited view access to the invoice data within a business unit, such as the data role Accounts Payable Manager - UK, which inherits the job role Accounts Payable Manager for performing accounts payable duties for the UK business unit only.
Assign to your user the data role that contains the data access set your user needs with the job role that provides the required functional access level.
  • Optionally, assign Segment Value Security Rules to data roles.
  • Assign multiple data roles to a user, if needed.

How to assign Data Roles to a User
A user needs to add these system-generated Roles to their User in Oracle Identity Manager as shown below. First of all, search for your User in Oracle Identity Manager:


next step is


and Finally-


After completing these steps, log in again with your user and you should be able to access the Ledger or Ledger Sets you created.
