Oracle Configure, Price, and Quote (CPQ) enables organizations to streamline the entire opportunity-to-quote-to-order process, including product selection, configuration, quoting, pricing, ordering, and approval workflows. Oracle CPQ provides a flexible, scalable, enterprise-ready solution that is ideal for companies of any size that sell products and services across direct, indirect, and e-commerce sales verticals. Oracle CPQ is highly customizable and gives users various configuration options. The purpose of this tutorial is to provide readers with tips and best practices to learn and understand CPQ BML.
Best Administration Practices:
The Oracle CPQ Administration Platform, often referred to as the Home page, is the area within Oracle CPQ used by users to set up a secure configuration for Oracle CPQ. Oracle recommends that administrators comply with the administration best practices identified in this section.
Passwords
Administrators can set the password strength for all Oracle CPQ user accounts from the General Site Options page. They can also specify the number of login attempts allowed before a user account is locked and the number of days a password is valid before it expires. Complete the following steps:
Open the Oracle CPQ Administration Platform.
Under General, click General Site Options. The Options – General page opens.
Set the Password Strength to Low or High. High is recommended for greater security. Low – Requires 4-30 characters without special requirements. High – Requires 8-31 characters, including at least one uppercase letter, at least one number, and at least one special character.
Use the Number of Login Attempts field to specify the number of login attempts allowed before locking a user account. Refer to your company policy and populate this field with the minimum value referenced. If not addressed in your company policy, Oracle recommends setting the value to 3.
Use the Password Expires After field to specify the number of days after which the password expires. Refer to your company policy and populate the value with the minimum value referenced. If not addressed by your company policy, Oracle recommends setting the value to less than 90 days. This field cannot be left blank.
Use the Password Reuse after field to specify the number of days after which an expired password can be reused. Refer to your company policy and populate this field with the maximum value referenced. If not addressed in your company policy, Oracle recommends setting the value to 365 days.
Use the Password Reset Link Expires After field to specify the number of minutes the reset link is available to the user. Refer to your company policy and populate this field with the minimum value referenced. If not addressed in your company policy, Oracle recommends setting the value to 30.
Administrators can set the Password Expiry Override For Web Services Only User option to Yes or No. The default setting is No. This option specifies whether Web Services Only user passwords follow the CPQ site password options.
Yes – Passwords do not expire for SOAP and REST API Web Services users.
No – SOAP and REST API Web Services user passwords follow the password options set for all users on the CPQ site.
Use the Account Lockout Time option to specify the number of minutes an account is automatically locked after the number of invalid login attempts is exceeded. Once the lockout time has passed, the account is automatically unlocked and available for user login. Refer to your company policy and populate this field with the maximum value referenced. If not addressed in your company policy and you want to implement this feature, Oracle recommends setting the value to 30. If you do not want to implement this feature, set the value to 0.
COMMERCE BEST PRACTICES
Commerce is one of the main foundation pillars of Oracle CPQ and is where a configuration turns into a quote, which can flow through approvals and into other systems. Commerce uses workflows, secure attributes, and approvals to help process data in a secure way.
Secure Attributes
Secure attributes are available to administrators when they need information encrypted in the system that should not be persisted in Oracle CPQ or must be encrypted. Encryption is asymmetric.
With a Secure Attribute field on a Commerce layout, Oracle CPQ can record values as users enter them. Oracle CPQ masks the entry as if it were a password. In addition, Oracle CPQ uses the Java RSA encryption standard to encrypt the data without ever storing the original value in Oracle CPQ. Oracle CPQ only stores the masked data, which cannot be converted back to its original value.
When an Oracle CPQ action (for example, Save) is active, the encrypted data is temporarily stored in memory and can be transferred to the customer’s system via an integration call from Oracle CPQ. The customer’s system, located in their controlled database, handles data storage, security, and any further encryption and decryption.
Oracle CPQ encryption uses standard Java libraries, including RSA standard with Optimal Asymmetric Encryption Padding. The public key (an SSL certificate with a minimum key length of 2048) must be uploaded to the Commerce process
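Added example (not Oracle CPQ's own code): the asymmetric pattern described above, written with the standard Java libraries. The sender encrypts with the public key only, and the receiving system decrypts with the private key. The class name, the SHA-256 OAEP parameters, the generated key pair standing in for the customer's certificate, and the sample value are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class SecureAttributeDemo {
    // Assumption: the page names RSA with OAEP but not the digest; SHA-256 is chosen here.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    static final String TRANSFORM = "RSA/ECB/OAEPPadding";

    // Sender side: only the public key is available, so the value cannot be read back here.
    static byte[] encrypt(RSAPublicKey pub, String value) throws Exception {
        if (pub.getModulus().bitLength() < 2048) {
            throw new IllegalArgumentException("public key shorter than 2048 bits");
        }
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, pub, OAEP);
        return c.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }

    // Receiving system: holds the private key and recovers the original value.
    static String decrypt(PrivateKey priv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, priv, OAEP);
        return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the customer's certificate and private key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair customer = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) customer.getPublic();
        String secret = "constructed-sample-secret"; // constructed sample value
        byte[] first = encrypt(pub, secret);
        byte[] second = encrypt(pub, secret);
        // OAEP is randomized: equal plaintexts give different ciphertexts.
        System.out.println("ciphertext length: " + first.length);
        System.out.println("ciphertexts differ: " + !Arrays.equals(first, second));
        System.out.println("round trip ok: " + secret.equals(decrypt(customer.getPrivate(), first)));
    }
}
```

Both sides must agree on the OAEP digest and MGF1 parameters, so confirm them against the receiving system before relying on a given transformation.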
HOME PAGE BEST PRACTICES
Administrators can customize and configure the Oracle CPQ home page and use features on a customer’s Oracle CPQ site to apply custom headers and footers, which are placed on the site without Oracle CPQ processing. Oracle advises admins to place content in the header and footer carefully, ensuring that it does not expose the site to insecure or performance-impacting JavaScript.
The home page can also have access restrictions applied to various elements. In the administration section on the homepage link, administrators can introduce smart restrictions based upon user account values, allowing models to be shown to specific users only if they are in a specific user group. In this way, homepage views are customized to the permissions of each user.