Data Security allows administrators to control user access to specific data, as well as what functions users can apply to that data.
Function security can be considered "global" data security, in that access to a function is granted regardless of the data.
Data Security uses the concept of an Object to define the data records that are secured.
Data security permissions are managed on objects. Business entities such as Projects and Users are examples of objects. Only a securable business-level concept should be registered as an object.
An object definition includes the business name of the object and identifies the main table and primary key columns used to access the object.
An object instance is a specific example of an object, such as Project Number 123 or User JDOE. An object instance generally corresponds to a row in the database. An instance is identified by a set of one or more primary key values as defined by the object.
In addition, "All Rows" for an object indicates all data rows of the object.
An object instance set is a group of related object instances within an object. A set is specified as a predicate on the keys or attributes of an object, expressed as a SQL "WHERE clause". All instances that satisfy the predicate are considered members of the object instance set. For example:
STATUS = 'ACTIVE'
could determine a set of object instances with the "Active" status.
The specific instances in the set can vary over time as object instance attributes change, or as new object instances are created.
An example is:
OWNER = FND_GLOBAL.USER_ID
The predicate can also be parameterized, so that the logic can define instance sets as a function of one or more input parameters. An example is:
COLOR = :PARAM1
Object instance sets are also called "data instance sets".
Users and groups are both roles that you can use in Role-Based Access Control. User and role information is stored in the Oracle Workflow directory service. For more information, see: Setting Up an Oracle Workflow Directory Service.
Privileges given to users and groups determine their access to secured objects.
The data security system allows you to assign privileges to groups of users instead of assigning privileges to each user individually.
Users are individuals who have access to software applications at a particular enterprise.
A user must have a unique name and should map one-to-one with an individual human or system. "Group" accounts are not correct uses of the user entity.
Users can belong to Groups. The grouping can come from position or organization relationships modeled in applications such as Oracle Human Resources. Alternatively, ad-hoc groups can be created explicitly for security purposes. A group is sometimes referred to as a role.
A function or a permission is the smallest unit of securable product functionality. You can register function definitions with the security system to represent actions that can be performed on an object or on the system in general. Granting a function to a set of users gives them permission to perform that function, and so a function may also be referred to as a permission.
There are two broad categories of functions and permissions:
An executable function/permission can be invoked from a generic navigator user interface. An executable function definition must contain all information necessary to launch the function; often this includes the form name or URL plus parameters.
An abstract function/permission does not refer to a specific piece of code, but represents permission to perform a higher-level business action. The code that implements an abstract function calls the function security system to test whether the abstract function is granted. The system only allows the action if the abstract function is granted.
Examples of these are a particular JSP page (executable) and View Person (abstract).
Functions and permissions can either be at the system level or be sensitive to a data context.
Functions and permissions are grouped into related sets so that administration of these functions can be performed in higher-level business terms.
Functions and permissions are bundled into named sets, which can be defined for two purposes: as navigation menus and/or permission sets. Each set can also contain other sets.
Menus are defined for navigation purposes and group UI pages into functional areas. Users access menus by selecting responsibilities. Each menu item maps to a permission which optionally may be granted to the user as part of the menu/responsibility assignment. Menu items that are not granted as part of the menu/responsibility assignment will not be rendered unless the user is granted the permission separately.
Permission sets are granted to users or roles independently of menus/responsibilities. Permission sets are granted to users in order to enable menu items and other operations (functions) that should not be available to all users assigned a given menu/responsibility. Permission sets are granted to users or roles through permission assignments (grants).
A grant authorizes a particular role to perform a specified action or actions (set of functions) on a specified object instance (or object instance set).
Note that when you create a data security policy for an object by creating a grant, you must include that object in the grant definition. In all other cases, you do not need to specify an object in the grant definition.
Security context refers to the context of the data in which the user is working. For example, data context could be the organization or responsibility with which the user is logged in.
Implement data security by granting access to a set of functions (either a navigation menu or a permission set) to a user or group of users.
Data security policies can reflect access to:
A specific instance (row) identified by a primary key value
All instances (rows) of an object
An instance set defined by a SQL predicate (WHERE clause)
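The following Python sketch is an added illustration, not Oracle code: it models the three policy scopes listed above, together with the instance set predicates described earlier, and shows how all grants that apply to a user combine into one WHERE clause with bound parameters. The table, role, function and set names are hypothetical, and SQLite stands in for the application database.

```python
import sqlite3

# Constructed data: object PROJECT, main table `projects`, primary key `project_id`.
ROWS = [(123, "JDOE", "ACTIVE", "RED"), (124, "ASMITH", "ACTIVE", "BLUE"),
        (125, "ASMITH", "CLOSED", "RED")]

# Instance sets are predicates registered by an administrator, never user input.
INSTANCE_SETS = {
    "ACTIVE": "status = 'ACTIVE'",
    "OWNED_BY_ME": "owner = :current_user",  # analogue of OWNER = FND_GLOBAL.USER_ID
    "BY_COLOR": "color = :param1",           # analogue of COLOR = :PARAM1
}

# Grants: (grantee role, function, scope, detail). Names are hypothetical.
GRANTS = [
    ("JDOE", "VIEW_PROJECT", "SET", ("OWNED_BY_ME", None)),
    ("PMO", "VIEW_PROJECT", "SET", ("ACTIVE", None)),
    ("AUDITORS", "VIEW_PROJECT", "ALL", None),
    ("ASMITH", "VIEW_PROJECT", "INSTANCE", 123),
    ("ASMITH", "UPDATE_PROJECT", "SET", ("BY_COLOR", "BLUE")),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE projects (project_id INTEGER PRIMARY KEY,"
               " owner TEXT, status TEXT, color TEXT)")
    db.executemany("INSERT INTO projects VALUES (?, ?, ?, ?)", ROWS)
    return db

def security_predicate(user, groups, function):
    """OR together every applicable grant; no grant at all yields '1=0' (deny)."""
    clauses, binds = [], {"current_user": user}
    for i, (grantee, fn, scope, detail) in enumerate(GRANTS):
        if fn != function or grantee not in {user, *groups}:
            continue
        if scope == "ALL":                      # "All Rows" of the object
            return "1=1", {}
        if scope == "INSTANCE":                 # one row, by primary key
            clauses.append(f"project_id = :pk{i}")
            binds[f"pk{i}"] = detail
        else:                                   # instance set predicate
            set_name, param = detail
            sql = INSTANCE_SETS[set_name].replace(":param1", f":param{i}")
            clauses.append(f"({sql})")
            binds[f"param{i}"] = param          # bound value, never concatenated
    return " OR ".join(clauses) or "1=0", binds

def visible_ids(db, user, groups, function):
    where, binds = security_predicate(user, groups, function)
    query = f"SELECT project_id FROM projects WHERE {where} ORDER BY project_id"
    return [row[0] for row in db.execute(query, binds)]
```

A user with no matching grant receives the predicate `1=0`, so the absence of a grant denies access rather than returning every row.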