Oracle® Role Manager User's Guide
Release 10g (10.1.4.2)

Part Number E14609-02

3 Working with System Roles

This chapter describes the predefined system roles in Oracle Role Manager and the procedures for creating and managing system roles. It contains the following sections:

  • Predefined System Roles

  • Creating System Roles

  • Mapping and Unmapping System Privileges

  • Granting and Revoking System Roles

  • Deleting System Roles

3.1 Predefined System Roles

Oracle Role Manager includes predefined system roles in its sample data. It also provides the following predefined system roles, including the System Administrator system role:

Note:

See Oracle Role Manager Installation Guide for information about loading the standard_roles.dar file containing predefined system roles.

3.1.1 System Administrator

The System Administrator system role enables complete access to the Oracle Role Manager system. This system role is granted to persons.

A person who is granted this system role can perform all transactions in the system without regard to sphere of control (SOC). See "Static Business Roles with Sphere of Control" for information about SOC.

The following are the privileges that are mapped to the System Administrator system role:

  • All for Approver Role objects

  • All for Business Role objects

  • All for Cost Center Hierarchy Root objects

  • All for Entitlement objects

  • All for IT Role objects

  • All for Location Hierarchy Root objects

  • All for Person objects

  • All for Reporting Hierarchy Root objects

  • All for System Identity objects

  • All for System Role objects

  • All for all organization objects

3.1.2 System Role Administrator

The responsibilities of the System Role Administrator system role are as follows:

  • Creating system roles

  • Updating system roles

  • Deleting system roles

  • Reading audit data related to system roles

  • Mapping and unmapping system privileges to and from system roles

The System Role Administrator system role is granted to persons.

A person with the System Role Administrator system role can perform all the actions listed in the preceding list without regard to SOC.

The following are the system privileges that are mapped to the System Role Administrator system role:

  • Audit System Role objects

  • Manage System Role objects

3.1.3 System Role Grant Administrator

The responsibilities of the System Role Grant Administrator system role are as follows:

  • Granting system roles

  • Revoking system roles

The System Role Grant Administrator system role is granted to persons.

System role grant administrators can grant and revoke roles to and from users without regard to SOC.

The following are the system privileges that are mapped to the System Role Grant Administrator system role:

  • Grant Person objects

  • Grant System Identity objects

  • Grant System Role objects

3.1.4 Role Administrator

The responsibilities of the Role Administrator system role are as follows:

  • Creating roles and privileges (except system roles and system privileges)

    Note:

    Creating a role includes creating rules (membership and eligibility rules) for role grants.

  • Updating roles and privileges (except system roles and system privileges)

  • Moving roles (except system roles)

  • Deleting roles and privileges (except system roles and system privileges)

  • Reading audit data related to approver, business, and IT roles

  • Managing privilege mappings between business roles and IT roles

  • Managing privilege mappings between IT roles and entitlements

The Role Administrator system role is granted to persons.

This system role can be granted with SOC. The SOC for this system role is defined relative to the reporting organization hierarchy.

For example, if John Doe is granted the Role Administrator system role with SOC over Accounting organization, then:

  • John can create, update, move, and delete roles in the Accounting organization and any of its child organizations.

  • John can create rules for role grants; however, he cannot grant roles.

  • If the Operations Director business role belongs to the Accounting organization, then John can map the Network Engineer IT role to the Operations Director business role. This is regardless of whether or not the reporting organization of the Network Engineer IT role is the Accounting organization or any of its child organizations.

    Similarly, John can delete the mapping between the Network Engineer IT role and the Operations Director business role based on the criterion described in the preceding paragraph.

The following are the system privileges that are mapped to the Role Administrator system role:

  • Audit Approver Role objects

  • Audit Business Role objects

  • Audit Entitlement objects

  • Audit IT Role objects

  • Manage Approver Role objects

  • Manage Business Role objects

  • Manage Entitlement objects

  • Manage IT Role objects

3.1.5 Role Grant Administrator

The responsibilities of the Role Grant Administrator system role are as follows:

  • Granting roles (except system roles)

  • Revoking roles (except system roles)

The Role Grant Administrator system role is granted to persons.

This system role can be granted with SOC. The SOC for this system role is defined relative to the reporting organization hierarchy.

For example, if John Doe is granted the Role Grant Administrator system role with SOC over Accounting organization, then:

  • John can grant roles that belong to the Accounting organization, its parent organization, or any of its child organizations.

  • John can grant roles only to people who belong to the Accounting organization or any of its child organizations.

Similarly, John Doe can revoke roles based on the criterion described in the preceding paragraph.

Note:

Role Grant Administrators cannot create or edit the rules for approver, static, and dynamic business role grants.

The following are the system privileges that are mapped to the Role Grant Administrator system role:

  • Grant Business Role objects

  • Grant IT Role objects

  • Grant Person objects

3.1.6 Reporting Organization Administrator

The responsibilities of the Reporting Organization Administrator system role are as follows:

  • Creating organizations within a reporting organization

  • Updating organizations within a reporting organization

  • Moving organizations within a reporting organization

  • Deleting organizations within a reporting organization

  • Reading organization-related audit data

The Reporting Organization Administrator system role can be granted to persons or to system identities (through integrations, for example, the integration between Oracle Role Manager and Oracle Identity Manager).

This system role can be granted with SOC. The SOC for this system role is defined relative to the reporting organization hierarchy.

For example, if John Doe is granted the Reporting Organization Administrator system role with SOC over the Commercial Banking organization, then he can perform the following actions:

  • Create organizations within the Commercial Banking organization and any of its child organizations.

  • Update the Commercial Banking organization and any of its child organizations.

  • Move the child organizations of the Commercial Banking organization to any of its child organizations.

  • Delete the Commercial Banking organization and any of its child organizations.

  • Read organization-related audit data of the Commercial Banking organization and any of its child organizations.

The following are the system privileges that are mapped to the Reporting Organization Administrator system role:

  • Audit all organization objects

  • Manage all organization objects

3.1.7 Cost Center Administrator

The responsibilities of the Cost Center Administrator system role are as follows:

  • Creating cost center nodes within a cost center hierarchy

  • Updating cost center nodes within a cost center hierarchy

  • Moving cost center nodes within a cost center hierarchy

  • Deleting cost center nodes within a cost center hierarchy

  • Reading cost center-related audit data

The Cost Center Administrator system role can be granted to persons or system identities.

This system role can be granted with SOC. The SOC for this system role is defined relative to the cost center hierarchy.

For example, if John Doe is granted the Cost Center Administrator system role with SOC over the Retail Banking cost center, then he can perform the following actions:

  • Create cost centers within the Retail Banking cost center and any of its child cost centers.

  • Update the Retail Banking cost center and any of its child cost centers.

  • Move the child cost centers of the Retail Banking cost center to any of its child cost centers.

  • Delete the Retail Banking cost center and any of its child cost centers.

  • Read cost center-related audit data of the Retail Banking cost center and any of its child cost centers.

The following are the system privileges that are mapped to the Cost Center Administrator system role:

  • Audit all organization objects

  • Manage all organization objects

3.1.8 Location Administrator

The responsibilities of the Location Administrator system role are as follows:

  • Creating location nodes within a location hierarchy

  • Updating location nodes within a location hierarchy

  • Moving location nodes within a location hierarchy

  • Deleting location nodes within a location hierarchy

  • Reading location-related audit data

The Location Administrator system role can be granted to persons or system identities.

This system role is granted with SOC. The SOC for this system role is defined relative to the location hierarchy.

For example, if John Doe is granted the Location Administrator system role with SOC over the United States location, then he can perform the following actions:

  • Create locations within the United States and any of its child location nodes.

  • Update the United States location node and any of its child location nodes.

  • Move the child location nodes of the United States location node to any of its child location nodes.

  • Delete the United States location and any of its child locations.

  • Read location-related audit data of the United States location node and any of its child location nodes.

The following are the system privileges that are mapped to the Location Administrator system role:

  • Audit all organization objects

  • Manage all organization objects

3.1.9 User Administrator

The responsibilities of the User Administrator system role are as follows:

  • Creating person records

  • Updating person records

  • Deleting person records

  • Creating organization memberships

  • Updating organization memberships

  • Deleting organization memberships

  • Reading person-related audit data

Note:

Oracle Role Manager is not the authoritative source for person records when the Integration Library is installed. In such a scenario, the User Administrator system role can be granted to a system identity in Oracle Identity Manager that performs the necessary actions in Oracle Role Manager.

The User Administrator system role can be granted to persons or system identities.

This system role is granted with SOC. The SOC for this system role is defined relative to the reporting hierarchy.

For example, if John Doe is granted the User Administrator system role with SOC over the Consumer Marketing organization, then he can perform the following actions:

  • Create person records within the Consumer Marketing organization and any of its child organizations.

  • Update person records belonging to the Consumer Marketing organization and any of its child organizations.

  • Delete person records belonging to the Consumer Marketing organization or any of its child organizations.

  • Create, update, and delete location and cost center memberships of a person record belonging to the Consumer Marketing organization or any of its child organizations.

  • Read person-related audit data of person records belonging to the Consumer Marketing organization and any of its child organizations.

The following are the system privileges that are mapped to the User Administrator system role:

  • Audit Person objects

  • Manage Person objects

3.1.10 Auditor

The responsibility of the Auditor system role is to evaluate the records in the Oracle Role Manager system for compliance or debugging purposes.

The Auditor system role is granted to persons.

A user who is granted this system role requires read-only access to all the records in the system. SOC is not applied to this system role.

The following are the system privileges that are mapped to the Auditor system role:

  • Audit Approver Role objects

  • Audit Business Role objects

  • Audit Entitlement objects

  • Audit IT Role objects

  • Audit Person objects

  • Audit System Identity objects

  • Audit System Role objects

  • Audit all organization objects

3.1.11 Role Delegation Administrator

The responsibilities of the Role Delegation Administrator system role are as follows:

  • Delegating roles

  • Revoking delegated roles

The Role Delegation Administrator system role can be granted to persons or system identities.

This system role is granted with SOC. The SOC for this system role is defined relative to the reporting organization hierarchy.

For example, if John Doe is granted the Role Delegation Administrator system role with SOC over Accounting organization, then:

  • John can delegate roles that belong to the Accounting organization, its parent organization, or any of its child organizations.

  • John can delegate roles only to people who belong to the Accounting organization or any of its child organizations.

Similarly, John Doe can revoke the delegated roles based on the criterion described in the preceding paragraph.

The following are the system privileges that are mapped to the Role Delegation Administrator system role:

  • Delegate Business Role objects

  • Delegate IT Role objects

  • Delegate Person objects
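The sphere-of-control rules in this section are easy to misread, so the following is an added example (not Oracle Role Manager code) that models them as a small authorization check: a reporting-organization hierarchy, grants of system roles with or without SOC, the privilege mappings listed above (a subset), and the distinct rule for Role Grant Administrator from Section 3.1.5 (roles belonging to the SOC organization, its parent, or its descendants may be granted, but only to people in the SOC organization or its descendants). The hierarchy, persons, and grants are constructed sample data; `unscoped_grants` is a review helper that lists grants carrying no SOC, which is what an auditor would want to look at first.

```python
"""Toy model of Oracle Role Manager system roles, privileges and sphere of control (SOC).
Added example, not Oracle Role Manager code. Role and privilege names follow the chapter;
the hierarchy, persons and grants are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed reporting-organization hierarchy: child -> parent (the root has parent None).
REPORTING_ORG = {
    "Bank": None,
    "Accounting": "Bank",
    "Payroll": "Accounting",
    "Marketing": "Bank",
}

def is_within(node: str, scope: str, hierarchy=REPORTING_ORG) -> bool:
    """True if node is the scope organization itself or one of its descendants."""
    while node is not None:
        if node == scope:
            return True
        node = hierarchy[node]
    return False

# Privilege mappings from Section 3.1 (subset). "All" covers Audit, Manage, Grant and Delegate.
ROLE_PRIVILEGES = {
    "System Administrator": {("All", "System Role"), ("All", "Business Role"),
                             ("All", "IT Role"), ("All", "Person")},
    "Role Administrator": {("Audit", "Business Role"), ("Manage", "Business Role"),
                           ("Audit", "IT Role"), ("Manage", "IT Role")},
    "Role Grant Administrator": {("Grant", "Business Role"), ("Grant", "IT Role"),
                                 ("Grant", "Person")},
    "Auditor": {("Audit", "Business Role"), ("Audit", "IT Role"), ("Audit", "Person")},
}

@dataclass(frozen=True)
class Grant:
    person: str
    role: str
    soc: Optional[str] = None  # organization node; None means no SOC (whole system)

def has_privilege(role: str, action: str, obj_type: str) -> bool:
    privs = ROLE_PRIVILEGES[role]
    return (action, obj_type) in privs or ("All", obj_type) in privs

def can_manage(grants, person, action, obj_type, target_org) -> bool:
    """Can `person` perform `action` (Audit/Manage) on an object of `obj_type`
    that belongs to `target_org`? Without SOC the grant applies system-wide;
    with SOC the object's organization must lie under the SOC node."""
    for g in grants:
        if g.person != person or not has_privilege(g.role, action, obj_type):
            continue
        if g.soc is None or is_within(target_org, g.soc):
            return True
    return False

def can_grant_role(grants, person, role_org, grantee_org) -> bool:
    """Role Grant Administrator rule (Section 3.1.5): the role may belong to the SOC
    organization, its parent, or a descendant; the grantee must belong to the SOC
    organization or a descendant."""
    for g in grants:
        if g.person != person or not has_privilege(g.role, "Grant", "Business Role"):
            continue
        if g.soc is None:
            return True
        parent = REPORTING_ORG[g.soc]
        role_ok = is_within(role_org, g.soc) or role_org == parent
        if role_ok and is_within(grantee_org, g.soc):
            return True
    return False

def unscoped_grants(grants):
    """Review helper: grants that confer their privileges without any SOC."""
    return [g for g in grants if g.soc is None]

# Constructed sample grants.
GRANTS = [
    Grant("john", "Role Administrator", soc="Accounting"),
    Grant("jane", "Role Grant Administrator", soc="Accounting"),
    Grant("sam", "System Administrator"),
    Grant("ann", "Auditor"),
]

if __name__ == "__main__":
    print("john manages Payroll business roles:", can_manage(GRANTS, "john", "Manage", "Business Role", "Payroll"))
    print("john manages Marketing business roles:", can_manage(GRANTS, "john", "Manage", "Business Role", "Marketing"))
    print("jane grants a Bank role to a Payroll person:", can_grant_role(GRANTS, "jane", "Bank", "Payroll"))
    print("grants without SOC:", [(g.person, g.role) for g in unscoped_grants(GRANTS)])
```

The model separates the privilege question (does the role carry Manage on Business Role objects?) from the scope question (is the target organization under the SOC node?), which is how the examples in Sections 3.1.4 and 3.1.5 read: a Role Administrator scoped to Accounting can manage roles in Payroll but not in Marketing, and can never grant roles, while the Role Grant Administrator's parent-organization allowance applies only to the role being granted, not to the grantee.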

3.2 Creating System Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for System Role objects and All for System Privilege objects

  • Manage System Role objects and Manage System Privilege objects

For example, a user who is granted the System Administrator or System Role Administrator system role can perform the procedure described in this section.

To create a system role:

  1. On the first-level navigation bar, click Administration.

  2. On the left pane, right-click the organization where you want to create the system role and then click New System Role.

  3. In the Display Name field on the Attributes tab of the New System Role page, type the name of the system role being created.

  4. If you want to enter a unique name for the system role, then enter it in the Unique Name field.

  5. If you want to set SOC for the role, then:

    Note:

    If you do not set SOC while creating the role, then you cannot set SOC later. In addition, you cannot modify SOC after it has been set.

    a. In the Sphere of Control field, click Edit.

    b. On the page that is displayed, specify a search criterion for the hierarchy on which you want to set SOC.

      A list of hierarchies that meet the search criterion is displayed.

    c. From this list, select the hierarchy on which you want to set SOC and then click OK.

  6. If you want to enter a description for the system role, then enter it in the Description field.

  7. In the Status box, select the status of the system role.

  8. If you want to set an owner for the system role, then:

    a. In the Owner field, click Edit.

    b. On the page that is displayed, specify the search criterion for the person whom you want to set as the owner of the system role.

      A list of persons who meet the search criterion is displayed.

    c. From this list, select the person whom you want to set as the owner and then click OK.

  9. To set the organization to which the system role must belong:

    Note:

    By default, the system role that you create belongs to the organization that you select in Step 2. If you want to change the organization to which the role must belong, then perform the instructions in this step.

    a. In the Reporting Org field, click Edit.

    b. On the page that is displayed, specify the search criterion for the organization that you want to select.

      Note:

      This is the organization within which the system role is listed after it is created.

      A list of all organizations that meet the search criterion is displayed.

    c. From this list, select the organization and then click OK.

  10. If you want to map system privileges to the system role:

    a. Click the Privileges tab.

    b. Click Map Privilege.

    c. On the page that is displayed, specify the search criterion for the system privilege that you want to map. These are the system privileges that have already been created.

      A list of all system privileges that meet the search criterion is displayed.

    d. From this list, select a system privilege and then click OK.

      A message indicating that the system privilege mapping to the system role was successful is displayed.

    e. Repeat Steps b through d for each system privilege that you want to map.

  11. If you want to grant the system role (while creating it) to an Oracle Role Manager user, then:

    a. Click the Members tab.

    b. Click Grant System Role.

    c. On the page that is displayed, specify a search criterion for the person to whom you want to grant the system role.

      A list of all persons who meet the search criterion is displayed.

    d. From this list, select the person and then click Next.

    e. If you want to set the scope of the grant to all nodes in the hierarchy that you chose in Step 5.c, then select Set Sphere of Control to All Organizations in the Hierarchy and click Finish. Alternatively, if you want to set the scope of the grant to a specific node within the hierarchy that you chose in Step 5.c, then:

      i. Select Pick a Single Organization in the Hierarchy.

      ii. Click Next.

      iii. Specify a search criterion for the node to which you want the grant to be limited. A list of all nodes that meet the search criterion is displayed.

      iv. From this list, select the node and then click Finish. A message indicating that the role has been granted is displayed.

    f. Repeat Steps b through e for each person to whom the role must be granted.

  12. Click Submit to complete the procedure for creating the system role.

    A message indicating that the role was created successfully is displayed.

3.3 Mapping and Unmapping System Privileges

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for System Role objects

  • Manage System Role objects

For example, a user who is granted the System Administrator or System Role Administrator system role can perform the procedure described in this section.

To map or unmap system privileges to or from system roles:

  1. On the first-level navigation bar, click Administration.

  2. On the left pane, perform one of the following:

    • Right-click the System Roles node and then click Search.

    • Right-click the reporting organization within which you want to search the system role (whose system privileges must be mapped or unmapped), and then click Search.

  3. On the System Roles page, specify the search criterion for the system role.

    A list of all system roles that meet the search criterion is displayed.

  4. To display the details of the system role, click the View/Edit icon in the row for the system role.

  5. Click the Privileges tab.

  6. If you want to map system privileges, then:

    a. Click Map Privilege.

    b. On the page that is displayed, specify the search criterion for the system privilege that you want to map. These are the system privileges that have already been created.

      A list of all system privileges that meet the search criterion is displayed.

    c. From this list, select a system privilege and then click OK.

      A message indicating that the system privilege mapping to the system role was successful is displayed.

    d. Repeat Steps a through c for each system privilege that you want to map.

    e. Proceed to Step 8.

  7. If you want to unmap system privileges, then:

    a. Click the Delete icon in the row for the system privilege that you want to unmap.

      A dialog box prompting you to confirm if you want to delete the system privilege is displayed.

      Note:

      Performing this step only deletes the mapping between the system privilege and the system role. It does not delete the system privilege itself.

    b. Click OK.

      A message indicating that the privilege mapping was successfully deleted is displayed.

    c. Repeat Steps a and b for each system privilege that you want to unmap.

    d. Proceed to Step 8.

  8. Click Submit.

    A message indicating that the system role was updated successfully is displayed.

3.4 Granting and Revoking System Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for System Role objects and All for Person objects

  • Grant System Role objects and Grant Person objects

For example, a user who is granted the System Administrator or System Role Grant Administrator system role can perform the procedure described in this section.

To grant or revoke a system role:

  1. On the first-level navigation bar, click Administration.

  2. On the left pane, perform one of the following:

    • Right-click the System Roles node and then click Search.

    • Right-click the reporting organization within which you want to search the system role and then click Search.

  3. On the System Roles page, specify the search criterion for the system role that you want to grant or revoke.

    A list of all system roles that meet the search criterion is displayed.

  4. To display the details of the system role that you want to grant or revoke, click the View/Edit icon in the row for the system role.

  5. Click the Members tab.

  6. If you want to revoke the system role grant for a particular person, then:

    a. Click the Delete icon in the row for that person.

    b. On the page that is displayed, click OK to confirm that you want to revoke the system role grant.

      A message indicating that the role grant was successfully deleted is displayed.

    c. Proceed to Step 12.

  7. If you want to grant the system role, then click Grant System Role.

  8. On the page that is displayed, specify a search criterion for the person to whom the system role must be granted.

    A list of all persons who meet the search criterion is displayed.

  9. From this list, select the person and then click Next.

  10. If the system role that you want to grant has a sphere of control set, then:

    If you want to set the scope of the grant to all organizations in the hierarchy to which the system role belongs, then select Set Sphere of Control to All Organizations in the Hierarchy and click Finish. Alternatively, if you want to set the scope of the grant to a specific organization within the hierarchy to which the system role belongs, then:

    a. Select Pick a Single Organization in the Hierarchy.

    b. Click Next.

    c. Specify a search criterion for the organization to which you want the grant to be limited.

      A list of all organizations that meet the search criterion is displayed.

    d. From this list, select the organization to which you want the grant to be limited and then click Next.

    e. Proceed to Step 12.

  11. If the system role that you want to grant has no sphere of control, then click Finish.

    A message indicating that the system role has been granted is displayed.

  12. Click Submit.

    A message indicating that the system role was updated successfully is displayed.

3.5 Deleting System Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for System Role objects

  • Manage System Role objects

For example, a user who is granted the System Administrator or System Role Administrator system role can perform the procedure described in this section.

To delete a system role:

  1. On the first-level navigation bar, click Administration.

  2. On the left pane, perform one of the following:

    • Right-click the System Roles node and then click Search.

    • Right-click the reporting organization within which you want to search the system role that you want to delete, and then click Search.

  3. On the System Roles page, specify the search criterion for the system role that you want to delete.

    A list of all system roles that meet the search criterion is displayed.

  4. Click the Delete icon in the row for the system role that you want to delete.

    A dialog box prompting you to confirm if you want to delete the system role is displayed.

  5. Click OK.

    A message indicating that the system role was deleted successfully is displayed.