Oracle® Role Manager User's Guide
Release 10g (10.1.4)

Part Number E12027-02

5 Working with Business Roles

This chapter discusses the procedure to create and manage static and dynamic business roles. It contains the following sections:

5.1 Static Business Roles

As discussed in the preceding chapter, a static business role must be granted manually. Static business roles do not depend on rules to determine who should be granted a particular role. However, these roles can have an eligibility rule, which enables you to refine role memberships.

This section discusses the following topics:

5.1.1 Creating Static Business Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for Business Role objects

  • Manage Business Role objects

To create a static business role:

  1. On the first-level navigation bar, click Roles.

  2. Click Business Roles.

  3. On the left pane, right-click the organization where you want to create the static business role and then click New Business Role.

    For example, if you want to create the Comptroller static business role, then you right-click the Accounting organization.

  4. In the Business Role Type box, select Static, and then click Submit.

  5. In the Display Name field on the Attributes tab of the New Business Role page, type the name of the static business role that you are creating.

  6. If you want to enter a unique name for the static business role, then enter it in the Unique Name field.

  7. If you want to set sphere of control (SOC) for the role, then:

    Note:

    If you set SOC, then you cannot delegate static business roles.

    If you do not set SOC while creating the role, then you will not be able to set SOC any time later. In addition, you cannot modify SOC once it has been set.

    1. In the Sphere of Control field, click Edit.

    2. On the page that is displayed, specify a search criterion for the hierarchy on which you want to set the SOC.

      A list of hierarchies that meet the search criterion is displayed.

    3. From this list, select the hierarchy on which you want to set SOC, and then click OK.

  8. If you want to enter a description for the static business role, then enter it in the Description field.

  9. If you want to enter the responsibilities of the static business role, then enter them in the Responsibilities field.

    For example, the responsibilities of the Banking Clerk static business role are to assist banking clients with deposits, withdrawals, and opening new accounts.

  10. If you want to delegate the role, then select Role Is Delegatable.

    Note:

    You cannot create the static business role if SOC is set and the Role Is Delegatable check box is selected.

    The "Delegating Static Business Roles" section discusses the procedure to delegate static business roles.

  11. In the Status box, select the status of the static business role.

  12. If you want to set an owner for the static business role, then:

    1. In the Owner field, click Edit.

    2. On the page that is displayed, specify the search criterion for the person whom you want to set as the owner of the static business role.

      A list of persons who meet the search criterion is displayed.

    3. From this list, select the person whom you want to set as the owner and then click OK.

  13. To set the organization to which the static business role must belong:

    Note:

    By default, the static business role that you create belongs to the organization that you select in Step 3. If you want to change the organization to which the role must belong, then perform the instructions in this step.

    1. In the Reporting Org field, click Edit.

    2. On the page that is displayed, specify the search criterion for the organization that you want to select.

      A list of all organizations that meet the search criterion is displayed.

    3. From this list, select the organization to which the static business role must belong, and then click OK.

  14. If you want to set an eligibility rule, then:

    1. Click the Grant Policy tab.

    2. In the text field, enter the eligibility rule in XML. See Chapter 7, "Building Membership and Eligibility Rules" for information about building rules using XML.

  15. If you want to map IT roles to the static business role:

    1. Click the Mappings tab.

    2. Click Map IT Role.

    3. On the page that is displayed, specify the search criterion for the IT roles that you want to map. These are the IT roles that have already been created.

      A list of all IT roles that meet the search criterion is displayed.

    4. From this list, select an IT role, and then click OK.

      A message indicating that the IT role has been mapped to the static business role is displayed.

    5. Repeat Steps 2 through 4 of this step for each IT role that you want to map.

  16. Click Submit.

    A message indicating that the role has been created is displayed.

5.1.2 Granting and Revoking Static Business Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for Business Role objects and All for Person objects

  • Grant Business Role objects and Grant Person objects

  • All for Business Role objects and Grant Person objects

  • Grant Business Role objects and All for Person objects

To grant or revoke a static business role:

  1. On the first-level navigation bar, click Organizations & People.

  2. Click People.

  3. To search for the person to whom you want to grant a static business role, perform one of the following:

    • Right-click People and then click Search.

    • Right-click the reporting organization to which the person belongs, and then click Search.

  4. On the People page, specify the search criterion for the person to whom you want to grant a static business role.

    A list of all persons who meet the search criterion is displayed.

  5. To display the details of the person, click the View/Edit icon in the row for the person.

  6. Click the Business Roles tab.

  7. If you want to revoke the static business role grant for a particular person, then:

    1. Click the Delete icon in the row for the static business role.

    2. On the page that is displayed, click OK to confirm that you want to revoke the static business role grant.

      A message indicating that the role grant was successfully deleted is displayed.

    3. Proceed to Step 13.

  8. If you want to check whether the static business role has already been granted to the person, then specify the search criterion for the static business role and click Filter. If the static business role is displayed, then it implies that this role has already been granted to the person. Therefore, you need not perform the remaining steps in this section.

  9. Click Grant Role.

  10. On the page that is displayed, specify a search criterion for the static business role that you want to grant.

    A list of all static business roles that meet the search criterion is displayed.

  11. From this list, select the static business role that you want to grant, and then click Next.

  12. If you want to set SOC to all organizations in the hierarchy (selected in Step 7 of the "Creating Static Business Roles" section), then select Set Sphere of Control to All Organizations in the Hierarchy, and click Finish. Alternatively, if you want to set the scope of the grant to a specific organization within the hierarchy to which the static business role belongs, then:

    1. Select Pick a Single Organization in the Hierarchy.

    2. Click Next.

    3. Specify a search criterion for the organization to which you want the grant to be limited.

      A list of all organizations that meet the search criterion is displayed.

    4. From this list, select the organization and then click Finish.

  13. Click Submit.

    A message indicating that the person's information has been updated is displayed.

5.1.3 Delegating Static Business Roles

You can delegate a static business role only if it was created with the Role Is Delegatable option selected. You select this option while performing Step 10 of the procedure described in "Creating Static Business Roles".

Delegating roles enables you to distribute role administration across users in your enterprise. The status of the role (active or inactive) does not affect its ability to be delegated.

A person who has received a role through delegation can delegate the same role to another person.

Suppose Angelyn, a Senior Manager of Corporate Security, delegates the Compliance Officer static business role to Roger, a Manager in the audits department. Roger can then delegate the Compliance Officer static business role to Sharon, an auditor in his team, which enables her to monitor and ensure compliance with official regulations within Roger's team.

Note:

You can delegate only static business roles. However, static business roles cannot be delegated if SOC is defined.

To delegate a static business role:

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for Business Role objects and All for Person objects

  • Delegate Business Role objects and Delegate Person objects

  1. On the first-level navigation bar, click Organizations & People.

  2. On the left pane, perform one of the following:

    • Right-click People and then click Search.

    • Right-click the reporting organization within which the person to whom you want to delegate the static business roles exists, and then click Search.

  3. On the People page, specify a search criterion for the person whose static business role must be delegated.

    A list of all persons in the organization who satisfy the search criterion is displayed.

  4. To display the details of the person, click the View/Edit icon in the row for the person.

  5. Click the Business Roles tab.

  6. Specify a search criterion for the role that you want to delegate.

    A list of all roles that meet the search criterion is displayed.

  7. From this list, click the Delegate icon in the Actions column for the static business role that you want to delegate.

  8. On the page that is displayed, specify a search criterion for the person to whom you want to delegate the static business role.

    A list of all persons who meet the search criterion is displayed.

  9. From this list, select the person to whom you want to delegate the static business role, and then click OK.

    A message indicating that the static business role has been delegated is displayed.

  10. Click Submit.

    A message indicating that the person information has been updated is displayed.
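The delegation rules in this section can be checked offline against exported role data. The following Python sketch is an added example, not Oracle Role Manager code: the record layout, the sample data, and the function names are constructed for illustration, and it assumes a delegator must already hold the role being delegated.

```python
from collections import defaultdict

# Constructed sample data in a hypothetical export layout (not a product format).
ROLES = {
    "Compliance Officer": {"delegatable": True, "soc": None},
    "Comptroller": {"delegatable": False, "soc": None},
    "Banking Clerk": {"delegatable": True, "soc": "Branch Hierarchy"},  # invalid pair
}
GRANTS = [("Angelyn", "Compliance Officer"), ("Dana", "Comptroller")]  # direct grants
DELEGATIONS = [  # (role, delegator, delegate)
    ("Compliance Officer", "Angelyn", "Roger"),
    ("Compliance Officer", "Roger", "Sharon"),
    ("Comptroller", "Dana", "Eli"),
    ("Compliance Officer", "Mallory", "Trent"),
]

def invalid_roles(roles):
    """Roles with both SOC and Role Is Delegatable set, which the guide disallows."""
    return sorted(n for n, r in roles.items() if r["soc"] and r["delegatable"])

def audit_delegations(roles, grants, delegations):
    """Return (holders, findings); holders maps role -> {person: chain depth}."""
    holders = defaultdict(dict)
    for person, role in grants:
        holders[role][person] = 0  # depth 0 = granted directly
    findings, pending, progressed = [], list(delegations), True
    while pending and progressed:  # resolve chains regardless of record order
        progressed = False
        for rec in list(pending):
            role, src, dst = rec
            if src not in holders[role]:
                continue  # delegator not (yet) known to hold the role
            pending.remove(rec)
            progressed = True
            if not roles[role]["delegatable"] or roles[role]["soc"]:
                findings.append((rec, "role is not delegatable"))
                continue
            holders[role].setdefault(dst, holders[role][src] + 1)
    findings += [(rec, "delegator does not hold the role") for rec in pending]
    return dict(holders), findings

if __name__ == "__main__":
    print("Invalid role definitions:", invalid_roles(ROLES))
    holders, findings = audit_delegations(ROLES, GRANTS, DELEGATIONS)
    for role, people in holders.items():
        print(role, people)
    for rec, reason in findings:
        print("FINDING", rec, reason)
```

The chain depth shows how far a role has travelled from its direct grant, which is useful when reviewing re-delegated roles such as the Angelyn, Roger, Sharon example.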

5.2 Dynamic Business Roles

As discussed in the preceding chapter, a dynamic business role depends on a membership rule to determine role membership. This rule defines the conditions under which a user is automatically granted the dynamic business role.

The following section describes the procedure to create dynamic business roles in Oracle Role Manager.

5.2.1 Creating Dynamic Business Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:

  • All for Business Role objects

  • Manage Business Role objects

To create a dynamic business role:

  1. On the first-level navigation bar, click Roles.

  2. Click Business Roles.

  3. On the left pane, right-click the organization where you want to create the dynamic business role, and then click New Business Role.

  4. In the Business Role Type box, select Dynamic, and then click Submit.

    The New Business Role page is displayed in the right pane of the screen.

  5. In the Display Name field on the Attributes tab of the New Business Role page, type the name of the dynamic business role being created.

  6. If you want to enter a unique name for the dynamic business role, then enter it in the Unique Name field.

  7. If you want to enter a description for the dynamic business role, then enter it in the Description field.

  8. If you want to enter the responsibilities of the dynamic business role, then enter them in the Responsibilities field.

    For example, the responsibilities of the Senior Accounting dynamic business role are to define and enforce accounting policies.

  9. In the Status box, select the status of the role being created.

  10. If you want to set an owner for the dynamic business role, then:

    1. In the Owner field, click Edit.

    2. On the page that is displayed, specify the search criterion for the person whom you want to set as the owner of the dynamic business role.

      A list of persons who meet the search criterion is displayed.

    3. From this list, select the person whom you want to set as the owner, and then click OK.

  11. To set the organization to which the dynamic business role must belong:

    Note:

    By default, the dynamic business role that you create belongs to the organization that you select in Step 3. If you want to change the organization to which the role must belong, then perform the instructions in this step.

    1. In the Reporting Org field, click Edit.

    2. On the page that is displayed, specify the search criterion for the organization that you want to select.

      Note:

      This is the organization within which the dynamic business role is listed after it is created.

      A list of all organizations that meet the search criterion is displayed.

    3. From this list, select the organization and then click OK.

  12. To set a membership rule, do the following:

    1. Click the Grant Policy tab.

    2. In the field, type the membership rule using XML. See Chapter 7, "Building Membership and Eligibility Rules" for information about building rules using XML.

  13. If you want to check the list of members who will be automatically granted the role that is being created, then click the Members tab, specify the search criterion based on the membership rule created in the Grant Policy tab, and then click Recalculate Membership.

  14. If you want to map IT roles to the dynamic business role, then:

    1. Click the Mappings tab.

    2. Click Map IT Role.

    3. On the page that is displayed, specify the search criterion for the IT roles that you want to map. These are the IT roles that have already been created.

      A list of all IT roles that meet the search criterion is displayed.

    4. From this list, select an IT role, and then click OK.

      A message indicating that the IT role has been mapped to the dynamic business role is displayed.

    5. Repeat Steps 2 through 4 of this step for each IT role that you want to map.

  15. Click Submit.

    A message indicating that the role has been created is displayed.