
Creating and Securing ESS Jobs in Fusion Applications using APM – Part 1


This post gives an overview of how to define and secure a custom ESS Job in Fusion Applications. It’s a long post, so I’ve split it into two parts: Part 1 focuses on the APM configuration and Part 2 on the ESS Job Definition.

I recommend you read Metalink Note 1386658.1. You will also need access to Authorization Policy Management (APM) and Functional Setup Manager (FSM):

http://<CommonDomainHostName>:<port>/apm

http://<CommonDomainHostName>:<port>/homePage/faces/AtkHomePageWelcome

Part 1

As per Oracle’s taxonomy guidelines, custom ESS Jobs will always be defined under the path /oracle/apps/ess/custom.

This is a hierarchical identifier, so for consistency I suggest you define a naming convention similar to that of the seeded Oracle ESS job definitions. I’m using something along the lines of oracle.apps.ess.custom.<product>.<entity>.<entity_type>

This path will then be used to expose your Custom ESS Jobs as resources in APM, which then controls which users have access to these Jobs and what they are allowed to do with them.

In summary, we are first going to define a resource oracle.apps.ess.custom.* under which all custom ESS Job Definitions will be created. We will then define a secondary resource oracle.apps.ess.custom.subledgerAccounting.interface.programs.* which will be used to secure the ESS Jobs so that only the relevant users (in this example, the ops team) can access and execute them.

Step 1. Login to APM, under the Applications region in the Home tab select the desired application and click on create resource.

Step 2. Enter the resource name as oracle.apps.ess.custom.*, then specify the display name and description. Under the Resource Type select ESSMetadataResourceType from the drop down list. Click the Save button, close the tab and repeat Steps 1 and 2 for the resource oracle.apps.ess.custom.subledgerAccounting.interface.programs.*

Note: As mentioned before, this is a hierarchical identifier and the * indicates that any policies created for this resource also apply to any identifiers defined lower down the hierarchy.

Therefore, users with access to the policies defined for oracle.apps.ess.custom.* will automatically have the same privileges for the resource oracle.apps.ess.custom.subledgerAccounting.interface.programs.*

Any users who only have access to the policies defined for oracle.apps.ess.custom.subledgerAccounting.interface.programs.* will NOT automatically have privileges to the resource oracle.apps.ess.custom.*

Step 3.  Now we are going to verify our resources by querying the resources just created. Start by closing all your existing open tabs, then under the Applications region in the Home tab select the same application and click on search resources.

Step 4. In the name field enter the resource name oracle.apps.ess.custom, in the Resource Type select “ESSMetadataResourceType” from the drop down list and then proceed by clicking on the Search button. This should return both resources.

Step 5. Highlight the oracle.apps.ess.custom.* resource by clicking on it, then click on the New Policy button. This will open a new tab, check to see that the resource name highlighted appears in the new tab under the resources section.

Step 6. In the new tab click on the Add Principal button. This will launch the search screen. This pop-up allows you to search for users, application roles or external roles.

Note: You don’t really want to be granting permissions to individual users, so depending on the level of access control you would typically grant permissions to either an application role or an external role.

In the example below I will be using External Roles. In particular, I’m going to grant full privileges (Update, Execute, Delete, Read and Create) to the “Application Implementation Manager” external role. This is because Oracle has specified that in order to correctly update the ESS MDS repository a user must have the ASM_IMPLEMENTATION_MANAGER_DUTY duty role assigned, and this duty role is mapped to the Application Implementation Manager external role.

This means that I will then have to assign the “Application Implementation Manager” external role to all the Functional and Dev Team members as they require the ability to Update, Execute, Delete, Read or Create any ESS Job Definition under the fscm application.

Note: At this point I have now granted all users assigned the “Application Implementation Manager” external role access to Update, Execute, Delete, Read and Create any Custom ESS Job Definition defined under the path oracle.apps.ess.custom for the fscm application.

These users can now go about defining their new Jobs and testing as required.

We initially created an additional resource named oracle.apps.ess.custom.subledgerAccounting.interface.programs.* and I defined this resource because I do NOT want to grant our operational users the same privileges granted to the functional and development teams. Our ops team constantly monitor the feeds into the Fusion Accounting Hub and they need the ability to view and submit our Custom ESS Jobs relating to these feeds, but they will not be updating, deleting or defining any new ESS Jobs.

Now remember that the resource name is hierarchical in nature. I have therefore asked our developers to define any Custom ESS Job definitions using the naming convention specified at the start of this post (oracle.apps.ess.custom.<product>.<entity>.<entity_type>).

I specified the * as I want to grant read and execute access to our ops team for all ESS Jobs defined under the path /oracle/apps/ess/custom/subledgerAccounting/interface/programs. I could take it a step further and lock down access to individual ESS Jobs by defining the resource as the entire path, such as oracle.apps.ess.custom.subledgerAccounting.interface.programs.createEvents

In the following few steps we will assign the external role “Interface Controller” to the additional resource. As mentioned before, I will only be granting Execute and Read privileges, which will allow all our operational staff assigned to the external role “Interface Controller” to submit the ESS Jobs but not to Update, Delete or Create any ESS Job Definitions.

Step 7.  Repeat Step 3 through to Step 6 but note the following changes. In Step 5 instead of clicking on the oracle.apps.ess.custom.* resource you now need to highlight the oracle.apps.ess.custom.subledgerAccounting.interface.programs.* resource and proceed by clicking the New Policy button. In Step 6 you need to search for the Interface Controller External Role and only grant it read and execute privileges.

Step 8. Now we verify your configuration by closing all open tabs and repeating Step 3 and Step 4.

Step 9. Highlight the resource oracle.apps.ess.custom.* by clicking on it followed by the Find Policies button. This will open a new tab, check to see that the resource name is correct and then click on Resource Based Policies.

Step 10. Repeat Step 9 for the oracle.apps.ess.custom.subledgerAccounting.interface.programs.* resource.
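
The inheritance rule from the notes above and the two policies created in Steps 5 to 7, as an added example that is not part of the original post and is not Oracle APM code: a simplified Python model that computes each role's effective actions on a job and flags over-grants. The trailing-`.*` prefix matching is an assumption based on the post's description, and `loadInvoices` is a hypothetical job name.

```python
# Simplified model of the post's two policies; not Oracle APM/OPSS code.
ALL = {"Create", "Read", "Update", "Delete", "Execute"}

# (resource, external role, granted actions) as configured in the post
POLICIES = [
    ("oracle.apps.ess.custom.*", "Application Implementation Manager", ALL),
    ("oracle.apps.ess.custom.subledgerAccounting.interface.programs.*",
     "Interface Controller", {"Read", "Execute"}),
]

# createEvents is named in the post; loadInvoices is a hypothetical job elsewhere.
SLA_JOB = "oracle.apps.ess.custom.subledgerAccounting.interface.programs.createEvents"
OTHER_JOB = "oracle.apps.ess.custom.payables.interface.programs.loadInvoices"


def matches(pattern, resource):
    """A trailing '.*' covers everything below the prefix; otherwise exact match."""
    if pattern.endswith(".*"):
        return resource.startswith(pattern[:-1])  # keep the dot: 'custom.', not 'custom'
    return resource == pattern


def effective_actions(roles, resource, policies=POLICIES):
    """Union of the actions granted to any of the user's roles on a resource."""
    granted = set()
    for pattern, role, actions in policies:
        if role in roles and matches(pattern, resource):
            granted |= actions
    return granted


def audit(intended, policies=POLICIES):
    """List (role, resource, extra actions) where a role exceeds its intended set."""
    findings = []
    for role, resource, allowed in intended:
        extra = effective_actions({role}, resource, policies) - allowed
        if extra:
            findings.append((role, resource, sorted(extra)))
    return findings


if __name__ == "__main__":
    for role in ("Application Implementation Manager", "Interface Controller"):
        for job in (SLA_JOB, OTHER_JOB):
            print(role, "|", job.rsplit(".", 1)[-1], "|", sorted(effective_actions({role}, job)))
    ops = [("Interface Controller", SLA_JOB, {"Read", "Execute"}),
           ("Interface Controller", OTHER_JOB, set())]
    print("over-grants:", audit(ops))
```

An empty audit result means the ops role holds only Read and Execute on the feed jobs; attaching the Interface Controller role to the broader oracle.apps.ess.custom.* resource instead would surface as a finding.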

That’s the end of Part 1. Part 2 is in the works and will be out shortly.


