Oracle User Management Layers
The following is extracted from Oracle® E-Business Suite Security Guide Release 12.2, Part No. E22952-09, published October 2015. It provides a brief description of each layer of User Management. This SIG is devoted to further exploring and explaining these layers and how to effectively use them in your EBS environment.
Function Security is the base layer of access control in Oracle E-Business Suite. It restricts user access to individual menus and menu options within the system, but does not restrict access to the data contained within those menus.
Building on Function Security, Data Security provides access control within Oracle E-Business Suite on the data a user can access, and the actions a user can perform on that data. Oracle E-Business Suite restricts access to individual data that is displayed on the screen once the user has selected a menu or menu option. Data Security policies can only be defined for applications that have been written to utilize the Data Security Framework.
Role Based Access Control (RBAC) is the next layer and builds upon Data Security and Function Security. With RBAC, access control is defined through roles, and user access to Oracle E-Business Suite is determined by the roles granted to the user. Access control in Oracle E-Business Suite closely follows the RBAC ANSI standard (ANSI INCITS 359-2004) originally proposed by the US National Institute of Standards & Technology (NIST), which defines a role as "a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role." A role can be configured to consolidate the responsibilities, permissions, function security and data security policies that users require to perform a specific function.
Delegated Administration is a privilege model that builds on the RBAC system to provide organizations with the ability to assign the required access rights for managing roles and user accounts. With delegated administration, instead of relying on a central administrator to manage all its users, an organization can create local administrators and grant them sufficient privileges to manage a specific subset of the organization's users and roles. This provides organizations with a tighter, more granular level of security, and the ability to easily scale their administrative capabilities.
Provisioning Services are modeled as registration processes that enable end users to perform some of their own registration tasks, such as requesting new accounts or additional access to the system. They also provide administrators with a faster and more efficient method of creating new user accounts, as well as assigning roles.
Self Service & Approvals - Once registration processes have been configured as required, individuals can subsequently perform self-service registration tasks, such as obtaining new user accounts or requesting additional access to the system. In addition, organizations can use the Oracle Approvals Management engine to create customized approval routing for these requests.