Oracle® Role Manager User's Guide
Release 10g (10.1.4.2)

Part Number E14609-02

4 Working with Entitlements and IT Roles

This chapter discusses the procedure to create and manage entitlements and IT roles. It contains the following sections:

  • Entitlements

  • IT Roles

4.1 Entitlements

As discussed in "IT Roles", entitlements are associated with IT resources.

This section discusses the following topics:

  • Creating Entitlements

  • Modifying Entitlements

  • Deleting Entitlements

Note:

You cannot perform any of the procedures described in this section if the Integration Library is installed. When the Integration Library is installed, a provisioning system, such as Oracle Identity Manager, is the authoritative source for entitlement data.

In that case, entitlements can be created, modified, and deleted only in the provisioning system. This entitlement data is then imported into Oracle Role Manager by using the Integration Library. See Oracle Role Manager Integration Guide for information about importing entitlements from Oracle Identity Manager into Oracle Role Manager.

Note:

To perform the procedures described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for Entitlement objects

  • Manage Entitlement objects

4.1.1 Creating Entitlements

To create an entitlement:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click Entitlements.

  3. On the left pane, right-click the Entitlements node and then click New Entitlement.

  4. In the Entitlement Name field on the Attributes tab of the New Entitlement page, type the name of the entitlement being created.

  5. If you want to enter the name of the resource with which the entitlement is associated, then enter it in the Resource Name field.

  6. If you want to enter a description for the entitlement, then enter it in the Description field.

    For example, the description for the Configure Default Router entitlement can be as follows:

    Configure router to external networks.

  7. In the OIM Entitlement ID field, do not enter any value. If the Integration Library is installed, then this field is automatically populated with the value of the entitlement ID that is obtained from Oracle Identity Manager.

  8. Click Submit.

    A message indicating that the entitlement was created successfully is displayed.

4.1.2 Modifying Entitlements

To modify an entitlement:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click Entitlements.

  3. On the left pane, right-click the Entitlements node and then click Search.

  4. On the right pane, specify the search criterion for the entitlement that you want to modify.

    A list of all entitlements that meet the search criterion is displayed.

  5. To display the details of the entitlement that you want to modify, click the View/Edit icon in the row for the entitlement.

  6. Depending on the fields that you want to modify, perform one or all of Steps 4 through 6 of "Creating Entitlements".

  7. Click Submit.

    A message indicating that the entitlement was updated successfully is displayed.

4.1.3 Deleting Entitlements

To delete an entitlement:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click Entitlements.

  3. On the left pane, right-click the Entitlements node and then click Search.

  4. On the right pane, specify the search criterion for the entitlement that you want to delete.

    A list of all entitlements that meet the search criterion is displayed.

  5. Click the Delete icon in the row for the entitlement that you want to delete.

    A dialog box prompting you to confirm if you want to delete the entitlement is displayed.

  6. Click OK.

    A message indicating that the entitlement was deleted successfully is displayed.

4.2 IT Roles

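This section discusses the following topics:

  • Creating IT Roles

  • Mapping and Unmapping Entitlements

  • Deleting IT Roles

  • IT Roles Granted in the 10.1.4.1 Release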

4.2.1 Creating IT Roles

To create an IT role:

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects and All for Entitlement objects

  • Manage IT Role objects and Manage Entitlement objects

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, right-click the organization where you want to create the IT role and then click New IT Role.

  4. In the Display Name field on the Attributes tab of the New IT Role page, type the name of the IT role being created.

  5. If you want to enter a unique name for the IT role, then enter it in the Unique Name field.

  6. If you want to enter a description for the IT role, then enter it in the Description field.

  7. If the IT role being created is related to finance, then select Is Finance Related.

  8. If the IT role being created is a high-risk role, then select Is High Risk.

  9. If the IT role being created is associated with non-public personal information, then select Non-Public Personal Information Related.

  10. If the IT role being created is related to SOX, then select Sarbanes-Oxley Related.

  11. If you want to set an owner for the IT role, then:

    1. In the Owner field, click Edit.

    2. On the page that is displayed, specify the search criterion for the person whom you want to set as the owner of the IT role.

      A list of persons who meet the search criterion is displayed.

    3. From this list, select the person whom you want to set as the owner and then click OK.

  12. To set the organization to which the IT role must belong:

    Note:

    By default, the IT role that you create belongs to the organization that you select in Step 3. If you want to change the organization to which the role must belong, then perform the instructions in this step.

    1. In the Reporting Org field, click Edit.

    2. On the page that is displayed, specify the search criterion for the organization that you want to select.

      Note:

      This is the organization that will be responsible for administering this IT role. In addition, this is also the organization within which the IT role is listed after it is created.

      A list of all organizations that meet the search criterion is displayed.

    3. From this list, select the organization and then click OK.

  13. You cannot perform any action on the Members tab while creating an IT role. However, while you modify an IT role, the Members tab displays a list of people who have been granted this role.

  14. If you want to map entitlements to the IT role, then:

    1. Click the Entitlements tab.

    2. Click Map Entitlement.

    3. On the page that is displayed, specify the search criterion for the entitlement that you want to map. These are the entitlements that have been created by performing the steps described in "Creating Entitlements".

      A list of all entitlements that meet the search criterion is displayed.

    4. From this list, select an entitlement and then click OK.

      A message indicating that the entitlement mapping to the IT role was created successfully is displayed.

    5. Repeat substeps 2 through 4 for each entitlement that you want to map.

  15. You cannot perform any action on the Mappings tab while creating an IT role. However, while you modify an IT role, the Mappings tab displays a list of business roles to which the IT role is mapped. See "Working with Business Roles" for information about mapping IT roles to business roles.

  16. You cannot perform any action on the History tab while creating an IT role. However, while you modify an IT role, the History tab displays a list of events for the IT role.

    For example, if you update the Description field of the IT role, then this event is stored and displayed on the History tab.

  17. Click Submit to complete the procedure for creating the IT role.

    A message indicating that the IT role was successfully created is displayed.

4.2.2 Mapping and Unmapping Entitlements

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects

  • Manage IT Role objects

To map or unmap an entitlement to or from an IT role:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, perform one of the following:

    • Right-click IT Roles and then click Search.

    • Right-click the reporting organization within which you want to search the IT role (whose entitlement must be mapped or unmapped), and then click Search.

  4. On the IT Roles page, specify the search criterion for the IT role.

    A list of all IT roles that meet the search criterion is displayed.

  5. To display the details of the IT role, click the View/Edit icon in the row for the IT role.

  6. Click the Entitlements tab.

  7. If you want to map entitlements, then:

    1. Click Map Entitlement.

    2. On the page that is displayed, specify the search criterion for the entitlement that you want to map. These are the entitlements that have been created by performing the steps described in "Creating Entitlements".

      A list of all entitlements that meet the search criterion is displayed.

    3. From this list, select an entitlement and then click OK.

      A message indicating that the entitlement mapping to the IT role was created successfully is displayed.

    4. Repeat substeps 1 through 3 for each entitlement that you want to map.

  8. If you want to unmap entitlements, then:

    1. Click the Delete icon in the row for the entitlement that you want to delete.

      A dialog box prompting you to confirm if you want to delete the entitlement is displayed.

      Note:

      Performing this step will only delete the mapping between the entitlement and the IT role. It does not actually delete the entitlement.

    2. Click OK.

      A message indicating that the entitlement mapping was successfully deleted is displayed.

    3. Repeat substeps 1 and 2 for each entitlement that you want to unmap.

  9. Click Submit.

    A message indicating that the system role was updated successfully is displayed.

4.2.3 Deleting IT Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects

  • Manage IT Role objects

To delete an IT role:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, perform one of the following:

    • Right-click the IT Roles node and then click Search.

    • Right-click the reporting organization within which you want to search the IT role that you want to delete, and then click Search.

  4. On the IT Roles page, specify the search criterion for the IT role that you want to delete.

    A list of all IT roles that meet the search criterion is displayed.

  5. Click the Delete icon in the row for the IT role that you want to delete.

    A dialog box prompting you to confirm if you want to delete the IT role is displayed.

  6. Click OK.

    A message indicating that the IT role was deleted successfully is displayed.

4.2.4 IT Roles Granted in the 10.1.4.1 Release

Note:

You cannot directly grant an IT role to a user from this release onward. However, indirect grants of IT roles through business roles are possible.

All direct IT role grants from the previous release can be migrated to the current release by running the upgrade tool. See Oracle Role Manager Integration Guide for information about running the upgrade tool.

When you run the upgrade tool, all direct IT role grants are migrated as follows:

  • For every IT role that was directly granted to a user (in the 10.1.4.1 release), a corresponding static business role with the same display name as the IT role is created.

  • The IT role is mapped to this static business role

  • The static business role is granted to the user to whom the IT role was directly granted in the earlier releases

In addition, the values of the Owner and Reporting Org fields for the static business role will be the same as the values of the Owner and Reporting Org fields for the IT role.

The following example illustrates how a direct IT role grant (from an earlier release) is migrated to the current release when you run the upgrade tool:

Suppose Mary was directly granted (in earlier releases) the Inventory System Administrator IT role, which is a collection of the Create Inventory System Accounts, Modify Inventory System Accounts, and Delete Inventory System Accounts entitlements.

Now, suppose you run the upgrade tool. Figure 4-1 illustrates an indirect IT role mapping.

Figure 4-1 Sample Mapping of an Indirect IT Role


As shown in Figure 4-1, Mary has been granted the Inventory System Administrator static business role. The Inventory System Administrator IT role is mapped to the Inventory System Administrator static business role. Therefore, Mary is indirectly granted the Inventory System Administrator IT role through the Inventory System Administrator static business role grant. Mary gets all the entitlements that were mapped to the Inventory System Administrator IT role.
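
The migration rules and the Mary example above, modeled as an added Python example that also checks that each user's effective entitlements are unchanged after migration. This is not Oracle's upgrade tool or code from this guide: the classes and function names are hypothetical, the owner and reporting organization values are placeholders, and the model assumes one static business role is created per IT role.

```python
from dataclasses import dataclass, field

@dataclass
class ITRole:
    name: str
    owner: str
    reporting_org: str
    entitlements: frozenset

@dataclass
class BusinessRole:
    name: str            # same display name as the IT role
    owner: str           # copied from the IT role
    reporting_org: str   # copied from the IT role
    static: bool = True
    it_roles: set = field(default_factory=set)  # names of mapped IT roles
    members: set = field(default_factory=set)   # users granted this role

def migrate(it_roles, direct_grants):
    """Model of the three migration rules; direct_grants is (user, IT role name) pairs."""
    business_roles = {}
    for user, role_name in direct_grants:
        src = it_roles[role_name]
        # Assumption: one static business role per IT role, shared by all grantees.
        br = business_roles.setdefault(
            role_name, BusinessRole(src.name, src.owner, src.reporting_org))
        br.it_roles.add(role_name)   # IT role mapped to the business role
        br.members.add(user)         # business role granted to the former grantee
    return business_roles

def direct_entitlements(it_roles, direct_grants, user):
    return set().union(*(it_roles[r].entitlements for u, r in direct_grants if u == user))

def indirect_entitlements(it_roles, business_roles, user):
    mapped = (r for br in business_roles.values() if user in br.members for r in br.it_roles)
    return set().union(*(it_roles[r].entitlements for r in mapped))

def access_changed(it_roles, direct_grants, business_roles):
    """Users whose effective entitlements differ before and after migration."""
    return sorted(u for u in {u for u, _ in direct_grants}
                  if direct_entitlements(it_roles, direct_grants, u)
                  != indirect_entitlements(it_roles, business_roles, u))

# Constructed sample data: names from the example above; owner and org are placeholders.
ROLE = "Inventory System Administrator"
IT_ROLES = {ROLE: ITRole(ROLE, "owner-placeholder", "org-placeholder", frozenset({
    "Create Inventory System Accounts", "Modify Inventory System Accounts",
    "Delete Inventory System Accounts"}))}
DIRECT_GRANTS = [("Mary", ROLE)]
```

An empty list from `access_changed` means the migrated model grants every former direct grantee exactly the entitlements they held before.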