Oracle® Role Manager User's Guide
Release 10g (10.1.4)

Part Number E12027-02

4 Working with IT Privileges and IT Roles

This chapter describes how to create and manage IT privileges and IT roles. It contains the following sections:
  • IT Privileges

  • IT Roles

4.1 IT Privileges

As discussed in an earlier chapter, IT privileges are associated with IT resources.

This section discusses the following topics:
  • Creating IT Privileges

  • Modifying IT Privileges

  • Deleting IT Privileges

Note:

Do not perform any of the procedures described in this section if the Integration Library is installed. In that case, IT privileges must be created, modified, and deleted in the provisioning system.

A provisioning system, such as Oracle Identity Manager, is the authoritative source for IT privilege data, and this data is imported into Oracle Role Manager by using the Integration Library.

Note:

To perform the procedures described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Privilege objects

  • Manage IT Privilege objects

4.1.1 Creating IT Privileges

To create an IT privilege:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Privileges.

  3. On the left pane, right-click the IT Privileges node and then click New IT Privilege.

  4. In the Display Name field on the Attributes tab of the New IT Privilege page, type the name of the IT privilege being created.

  5. If you want to enter a unique name for the IT privilege, then enter it in the Unique Name field.

  6. If you want to enter privilege details for the IT privilege, then enter them in the Privilege Details field.

  7. If you want to enter a description for the IT privilege, then enter it in the Description field.

    For example, the description for the Configure Default Router IT privilege can be as follows:

    Configure router to external networks.

  8. Click Submit.

    A message indicating that the IT privilege was created successfully is displayed.

4.1.2 Modifying IT Privileges

To modify an IT privilege:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Privileges.

  3. On the left pane, right-click the IT Privileges node and then click Search.

  4. On the right pane, specify the search criterion for the IT privilege that you want to modify.

    A list of all IT privileges that meet the search criterion is displayed.

  5. To display the details of the IT privilege that you want to modify, click the View/Edit icon in the row for the IT privilege.

  6. Depending on the fields that you want to modify, perform one or all of Steps 4 through 7 of "Creating IT Privileges".

  7. Click Submit.

    A message indicating that the IT privilege was updated successfully is displayed.

4.1.3 Deleting IT Privileges

To delete an IT privilege:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Privileges.

  3. On the left pane, right-click the IT Privileges node and then click Search.

  4. On the right pane, specify the search criterion for the IT privilege that you want to delete.

    A list of all IT privileges that meet the search criterion is displayed.

  5. Click the Delete icon in the row for the IT privilege that you want to delete.

    A dialog box prompting you to confirm if you want to delete the IT privilege is displayed.

  6. Click OK.

    A message indicating that the IT privilege was deleted successfully is displayed.

4.2 IT Roles

This section discusses the following topics:
  • Creating IT Roles

  • Mapping and Unmapping IT Privileges

  • Granting and Revoking IT Roles

  • Delegating IT Roles

  • Deleting IT Roles

4.2.1 Creating IT Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects and All for IT Privilege objects

  • Manage IT Role objects and Manage IT Privilege objects

To create an IT role:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, right-click the organization where you want to create the IT role and then click New IT Role.

  4. In the Display Name field on the Attributes tab of the New IT Role page, type the name of the IT role being created.

  5. If you want to enter a unique name for the IT role, then enter it in the Unique Name field.

  6. If you want to enter a description for the IT role, then enter it in the Description field.

  7. If you want to delegate the IT role being created, then select Can Be Delegated.

  8. If the IT role being created is related to finance, then select Is Finance Related.

  9. If the IT role being created is a high-risk role, then select Is High Risk.

  10. If the IT role being created is associated with non-public personal information, then select Non-Public Personal Information Related.

  11. If the IT role being created is related to SOX, then select Sarbanes-Oxley Related.

  12. In the Status box, select the status of the IT role.

  13. If you want to set an owner for the IT role, then:

    a. In the Owner field, click Edit.

    b. On the page that is displayed, specify the search criterion for the person whom you want to set as the owner of the IT role.

      A list of persons who meet the search criterion is displayed.

    c. From this list, select the person whom you want to set as the owner and then click OK.

  14. To set the organization to which the IT role must belong:

    Note:

    By default, the IT role that you create belongs to the organization that you select in Step 3. If you want to change the organization to which the role must belong, then perform the instructions in this step.

    a. In the Reporting Org field, click Edit.

    b. On the page that is displayed, specify the search criterion for the organization that you want to select.

      Note:

      This is the organization that will be responsible for administering this IT role. In addition, this is also the organization within which the IT role is listed after it is created.

      A list of all organizations that meet the search criterion is displayed.

    c. From this list, select the organization and then click OK.

  15. You cannot perform any action on the Members tab while creating an IT role. However, while you modify an IT role, the Members tab displays a list of people who have been granted this role. See "Granting and Revoking IT Roles" for information about granting an IT role.

  16. If you want to map IT privileges to the IT role, then:

    a. Click the Privileges tab.

    b. Click Map Privilege.

    c. On the page that is displayed, specify the search criterion for the IT privilege that you want to map. These are the IT privileges that have been created by performing the steps described in "Creating IT Privileges".

      A list of all IT privileges that meet the search criterion is displayed.

    d. From this list, select an IT privilege and then click OK.

      A message indicating that the IT privilege mapping to the IT role was created successfully is displayed.

    e. Repeat Steps b through d for each IT privilege that you want to map.

  17. You cannot perform any action on the Mappings tab while creating an IT role. However, while you modify an IT role, the Mappings tab displays a list of business roles to which the IT role is mapped. See "Working with Business Roles" for information about mapping IT roles to business roles.

  18. You cannot perform any action on the History tab while creating an IT role. However, while you modify an IT role the History tab displays a list of events for the IT role.

    For example, if you update the Description field of the IT role, then this event is stored and displayed on the History tab.

  19. Click Submit to complete the procedure for creating the IT role.

    A message indicating that the IT role was successfully created is displayed.

4.2.2 Mapping and Unmapping IT Privileges

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects

  • Manage IT Role objects

To map or unmap an IT privilege to or from an IT role:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, perform one of the following:

    • Right-click IT Roles and then click Search.

    • Right-click the reporting organization within which you want to search the IT role (whose IT privilege must be mapped or unmapped), and then click Search.

  4. On the IT Roles page, specify the search criterion for the IT role.

    A list of all IT roles that meet the search criterion is displayed.

  5. To display the details of the IT role, click the View/Edit icon in the row for the IT role.

  6. Click the Privileges tab.

  7. If you want to map IT privileges, then:

    a. Click Map Privilege.

    b. On the page that is displayed, specify the search criterion for the IT privilege that you want to map. These are the IT privileges that have been created by performing the steps described in "Creating IT Privileges".

      A list of all IT privileges that meet the search criterion is displayed.

    c. From this list, select an IT privilege and then click OK.

      A message indicating that the IT privilege mapping to the IT role was created successfully is displayed.

    d. Repeat Steps a through c for each IT privilege that you want to map.

  8. If you want to unmap IT privileges, then:

    a. Click the Delete icon in the row for the IT privilege that you want to unmap.

      A dialog box prompting you to confirm if you want to delete the IT privilege is displayed.

      Note:

      Performing this step only deletes the mapping between the IT privilege and the IT role. It does not delete the IT privilege itself.

    b. Click OK.

      A message indicating that the privilege mapping was successfully deleted is displayed.

    c. Repeat Steps a and b for each IT privilege that you want to unmap.

  9. Click Submit.

    A message indicating that the system role was updated successfully is displayed.

4.2.3 Granting and Revoking IT Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects and All for Person objects

  • Grant IT Role objects and Grant Person objects

  • All for IT Role objects and Grant for Person objects

  • Grant for IT Role objects and All for Person objects

To grant or revoke an IT role:

  1. On the first-level navigation bar, click Organizations & People.

  2. On the second-level navigation bar, click People.

  3. To search for the person to whom you want to grant an IT role, perform one of the following:

    • Right-click the People node and then click Search.

    • Right-click the reporting organization to which the person belongs, and then click Search.

  4. On the People page, specify the search criterion for the person to whom you want to grant the IT role.

    A list of all persons who meet the search criterion is displayed.

  5. To display the details of the person, click the View/Edit icon in the row for the person.

  6. Click the IT Roles tab.

  7. If you want to grant the IT role, then:

    a. If you want to check whether the IT role has already been granted to the person, then specify the search criterion for the IT role and click Filter. If the IT role is displayed, then it has already been granted to the person, and you need not perform the remaining steps in this section.

    b. Click Grant Role.

    c. On the page that is displayed, specify a search criterion for the IT role that you want to grant.

      A list of all IT roles that meet the search criterion is displayed.

    d. From this list, select the IT role that you want to grant and then click Finish.

    e. Proceed to Step 9.

  8. If you want to revoke the IT role grant for a particular person, then:

    a. Click the Delete icon in the row for the IT role.

    b. On the page that is displayed, click OK to confirm that you want to delete the IT role grant.

      A message indicating that the role grant was deleted successfully is displayed.

  9. Click Submit.

    A message indicating that the person's information was updated successfully is displayed.

4.2.4 Delegating IT Roles

You can delegate an IT role only if it was created with the Can Be Delegated (Role Is Delegatable) option selected. You select this option while performing Step 7 of the procedure described in "Creating IT Roles".

Delegating roles enables you to distribute role administration across users in your enterprise. The status of the role (active or inactive) does not affect its ability to be delegated.

A person who has received a role through delegation can delegate the same role to another person.

To delegate an IT role:

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects and All for Person objects

  • Delegate IT Role objects and Delegate Person objects

  1. On the first-level navigation bar, click Organizations & People.

  2. On the left pane, perform one of the following:

    • Right-click the People node and then click Search.

    • Right-click the reporting organization in which the person to whom you want to delegate the IT role exists, and then click Search.

  3. On the People page, specify a search criterion for the person whose IT role must be delegated.

    A list of all users in the organization who satisfy the search criterion is displayed.

  4. To display the details of the person, click the View/Edit icon in the row for the person.

  5. Click the IT Roles tab.

  6. Specify a search criterion for the role that you want to delegate.

    A list of all roles that meet the search criterion is displayed.

  7. From this list, click the Delegate icon in the Actions column for the IT role that you want to delegate.

  8. On the page that is displayed, specify a search criterion for the person to whom you want to delegate the IT role.

    A list of all persons who meet the search criterion is displayed.

  9. From this list, select the person to whom you want to delegate the IT role and then click OK.

    A message indicating that the IT role was delegated is displayed.

  10. Click Submit.

    A message indicating that the person's information was updated successfully is displayed.
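The rules stated in "Mapping and Unmapping IT Privileges", "Granting and Revoking IT Roles" and this section (the system-privilege combinations that authorize a grant or a delegation, the Can Be Delegated requirement, onward delegation by a delegated holder, and unmapping not deleting the privilege) modelled in Python as an added example; this is not Oracle Role Manager's own API, and the role, privilege and person names are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of this chapter's rules (not Oracle Role Manager's API).
# System privileges are written "<privilege>:<object>", e.g. "Grant:ITRole".
GRANT_COMBOS = [{"All:ITRole", "All:Person"}, {"Grant:ITRole", "Grant:Person"},
                {"All:ITRole", "Grant:Person"}, {"Grant:ITRole", "All:Person"}]
DELEGATE_COMBOS = [{"All:ITRole", "All:Person"}, {"Delegate:ITRole", "Delegate:Person"}]

# Constructed IT privilege catalog, as created under "Creating IT Privileges".
PRIVILEGE_CATALOG = {"Configure Default Router", "Read Audit Log"}

def authorized(system_privs, combos):
    """True when the actor's system privileges cover at least one listed combination."""
    return any(combo <= set(system_privs) for combo in combos)

@dataclass
class ITRole:
    display_name: str
    can_be_delegated: bool = False                 # the Can Be Delegated check box
    status: str = "Active"                         # status does not affect delegation
    privileges: set = field(default_factory=set)   # mapped IT privilege names
    holders: dict = field(default_factory=dict)    # person -> "granted" | "delegated"

def grant(role, actor_privs, person):
    """Grant the role; returns False if the person already holds it (stop there)."""
    if not authorized(actor_privs, GRANT_COMBOS):
        raise PermissionError("no Grant/All combination for IT Role and Person objects")
    if person in role.holders:
        return False
    role.holders[person] = "granted"
    return True

def delegate(role, actor_privs, from_person, to_person):
    """Delegate a held role; a holder who received it by delegation may delegate onward."""
    if not authorized(actor_privs, DELEGATE_COMBOS):
        raise PermissionError("no Delegate/All combination for IT Role and Person objects")
    if not role.can_be_delegated:
        raise ValueError(f"{role.display_name} was not created with Can Be Delegated")
    if from_person not in role.holders:
        raise ValueError(f"{from_person} does not hold {role.display_name}")
    role.holders[to_person] = "delegated"
    return True

def unmap_privilege(role, priv):
    """Remove only the role-to-privilege mapping; the privilege stays in the catalog."""
    role.privileges.discard(priv)
    return priv in PRIVILEGE_CATALOG

def effective_privileges(roles, person):
    """IT privileges a person holds through every granted or delegated role."""
    return set().union(*(r.privileges for r in roles if person in r.holders))
```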

4.2.5 Deleting IT Roles

Note:

To perform the procedure described in this section, you must be a member of a system role containing one of the following system privileges:
  • All for IT Role objects

  • Manage IT Role objects

To delete an IT role:

  1. On the first-level navigation bar, click Roles.

  2. On the second-level navigation bar, click IT Roles.

  3. On the left pane, perform one of the following:

    • Right-click the IT Roles node and then click Search.

    • Right-click the reporting organization within which you want to search the IT role that you want to delete, and then click Search.

  4. On the IT Roles page, specify the search criterion for the IT role that you want to delete.

    A list of all IT roles that meet the search criterion is displayed.

  5. Click the Delete icon in the row for the IT role that you want to delete.

    A dialog box prompting you to confirm if you want to delete the IT role is displayed.

  6. Click OK.

    A message indicating that the IT role was deleted successfully is displayed.