Oracle Identity Analytics User's Guide 11g Release 1

Working With Roles

Oracle Identity Analytics administers role-based access controls. Roles make it easier to assign access levels to users and to audit those assignments on an ongoing basis. Rather than assigning access levels to users directly, access levels are assigned to a role. Roles are assigned to users, and a user's access level is determined by the roles assigned to that user.

Role-based administration typically grows and expands as new situations occur. The main advantage of using this approach is ease of implementation. Role-based administration can be established in a centralized fashion, distributed throughout your network, or hybridized. Oracle Identity Analytics can be configured to match the unique structure and needs of your organization. Roles can be defined in a hierarchical format, and Segregation of Duties (SOD) can be administered through a role.

To Search for a Role

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. To use quick search, use the Search panel at the top of the page and choose an option from the drop-down menu.

    Commonly populated fields are available to be searched on.

  4. Enter a value to search for.

    Wildcards can be used (for example, a*, j*n*).

  5. Click Search to search the selected field for the value specified.

    Search results are displayed in the Search panel on the left side of the screen.

  6. Double-click a role to select it.

Creating Roles

There are three ways to create roles in Oracle Identity Analytics:

To Create Roles Manually

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role Manually.

    The Create Role pop-up window opens.

  4. Complete the form:

    • Name - Type a name for the role.

    • Parent Role - Click the button to open the Select Role window, select the role that you want to designate as the parent role for the role you are creating, and click OK.

    • High Privileged - Select the check box to make this a high privileged role.

    • Start Date - Enter the start date. The role will be active on this date.

    • End Date - Enter the end date. The role will be inactive after this date.

    • Service Desk Ticket - Add the helpdesk system reference number, if relevant to your organization.

  5. Click Save to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

To Create Roles From Existing Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role Using an Existing Role as Template.

    The Create Role pop-up window opens.

  4. Complete the form:

    • Name - Type a name for the role.

    • Template Role - Click Select Template Role, search for the role that you want to use as a template for the new role, select the role, and click OK.

  5. Click Save to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

To Create Roles Based On an Existing User

You can create a role based on an existing user. All of the entitlements that the selected user has are used to create corresponding policies that are assigned to the new role.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Choose New Role > Create Role From Existing User.

    The Create Role pop-up window opens.

  4. Type a name for the role and click Select User.

    The Search window opens.

  5. Use either the user quick search or advanced search feature to search for the user whose entitlements will be used to create policies for the new role.

    For help using the search feature, see Working With Roles.

  6. Select the user and click OK.

  7. Click Save to create the role.

    The role is available in the Roles view under the Identity Warehouse tab.

To Rename, Modify, or Decommission (Delete) a Role

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Search for a role, or select a role from the Roles panel on the left side of the screen.

    For help using the search feature, see Working With Roles.

  4. Do one of the following tasks:

    • To rename a role, click the General tab, type the new role name in the Name field, and click Send for Approval or Save.

    • To modify a role, type or select the new role properties, and click Send for Approval or Save.

    • To delete a role, click the Decommission Role button.

      Decommissioning a role removes all role-user associations. The role itself, however, is not truly deleted. Instead, the role is made inactive and stored in Oracle Identity Analytics. The role cannot be made active again, and it cannot be modified in any way or assigned to users.

To Associate Roles With Business Units

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role and click the Business Structures tab.

  4. Click the Add Business Structures button and select the desired business units.

  5. Click Save or Send for Approval.

To Associate Role Owners With Roles

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

  3. Click a role and click the Ownership tab.

  4. Click the Add Owners button and search for the user (or users) to add.

    For help searching for users, see Searching For a User.

  5. Select one or more users.

  6. Click Save or Send for Approval.

To Create a Role Hierarchy

Similar to a business unit hierarchy, an n-level role hierarchy can be defined in Oracle Identity Analytics. The role hierarchy defines an organized structure of roles, and roles defined in an organization may have a hierarchy associated with them. A role can have various "child roles" under it. To define a role hierarchy, add a new child role to a role. When a child role is added to a user, the parent role is also automatically assigned to the user. In addition, enterprise-level roles and application-level roles can be defined.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Roles.

    The role hierarchy is defined when a new Role is created manually.

    • To change a role hierarchy, follow these steps:

      1. Select the role and click the button located next to the Parent Role field on the General tab.

      2. From the list of roles that appear, select the role that you want to designate as the parent role.

    • To select the child role for a user, follow these steps:

      1. Choose Identity Warehouse > Users and search for the user that you want to assign to a role.

      2. Select the user and click the Role tab.

      3. Click the Add Roles button.

        The parent Role is automatically assigned to the user. If the parent role is removed, the child role is automatically removed from the user.
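
The assignment behavior described above can be modeled to review what a single child-role assignment actually grants. This is an added example, not Oracle Identity Analytics code or its API: the class and function names, the role names, and the user are constructed, and it assumes the parent/child propagation applies transitively across all n levels of the hierarchy.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)  # compare roles by identity, not by field values
class Role:
    name: str
    parent: "Role | None" = None
    high_privileged: bool = False  # mirrors the High Privileged check box

    def ancestors(self):
        """Yield parent, grandparent, ... (assumes propagation is transitive)."""
        seen, node = set(), self.parent
        while node is not None:
            if id(node) in seen:  # a misconfigured hierarchy must not loop forever
                raise ValueError(f"cycle in role hierarchy at {node.name}")
            seen.add(id(node))
            yield node
            node = node.parent

@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # role name -> Role

def add_role(user, role):
    """Assign a role; each ancestor is assigned with it. Returns names added."""
    added = []
    for r in [role, *role.ancestors()]:
        if r.name not in user.roles:
            user.roles[r.name] = r
            added.append(r.name)
    return added

def remove_role(user, role):
    """Remove a role; held roles that descend from it are removed as well."""
    removed = sorted(n for n, r in user.roles.items()
                     if r is role or any(a is role for a in r.ancestors()))
    for n in removed:
        del user.roles[n]
    return removed

def high_privileged_roles(user):
    """Roles a reviewer should look at first, including inherited ones."""
    return sorted(n for n, r in user.roles.items() if r.high_privileged)

# Constructed sample hierarchy: Corporate IT > Database Operations > DB Backup Operator
CORP_IT = Role("Corporate IT")
DB_OPS = Role("Database Operations", parent=CORP_IT, high_privileged=True)
DB_BACKUP = Role("DB Backup Operator", parent=DB_OPS)
```

Assigning only DB Backup Operator to a user leaves that user holding the high-privileged Database Operations role as well, which is why ancestors belong in any access review of a child-role assignment.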

To Approve Role Change Requests

Modifications to a role are activated only after the approval of the role owner.

To approve a role change request, see My Requests Tab in the My Requests chapter.

To Manage the Lifecycle of Roles

The lifecycle of a role is managed by out-of-the-box workflows. Workflows are step-by-step explanations (flowcharts) that Oracle Identity Analytics follows to complete a selected set of tasks. The workflows can be modified to suit the requirements of your organization.

Oracle Identity Analytics has the following role workflows:

The default role creation, role modification, and role membership workflows each have four steps:

  1. Start workflow: This step kicks off once a role is created or modified, or a member is added or removed.

  2. Policy Owner Approval: If a policy owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected.

  3. Role Owner Approval: If a role owner approves the request, the workflow proceeds to the next step. Otherwise, the role is rejected.

  4. Finish: The role is created or modified.

To understand or change role workflows, refer to the Oracle Identity Analytics Workflows chapter in the Business Administrator's Guide.