Implementing Distributed User Profiles

This section provides an overview of distributed user profiles and discusses how to:

  • Define user profile access for remote security administrators.

  • Define remote security administrator role grant capability.

  • Administer distributed user profiles.

As your user population increases in size, it can become impractical for one person to centrally administer all of your system's user profiles. You can distribute some or all user profile administration tasks by enabling selected users to use the Distributed User Profiles component (USERMAINT_DIST) to control the granting of selected roles to other users.

The pages in the Distributed User Profiles component are identical to the corresponding pages in the User Profiles component, except that its User Roles page does not include links for editing the assigned roles. You can restrict who can use the component, which users they can administer, and what roles they can grant, based on the roles to which they themselves belong. For example, you might specify that users in the Line Manager role can grant the Shipping Clerk role to other users. The effect of this is to designate line managers as remote security administrators who can administer the user profiles of shipping clerks. In addition to granting and managing roles, a remote security administrator can administer all parts of a user profile, including passwords, email addresses, and workflow.

Important! Distributing user profile administration might affect regulatory compliance (for example, Sarbanes-Oxley). You are responsible for determining and accounting for any effect of using this feature.

To implement distributed user profiles:

  1. Use permission lists and roles to configure security to give selected remote security administrators access to the Distributed User Profiles component.

    Note: The PIA navigation path to this component is PeopleTools > Security > User Profiles > Distributed User Profiles.

  2. Use the Set Distributed User Profile Search Record page to define which user profiles can be administered with the Distributed User Profiles component.

    See Defining User Profile Access for Remote Security Administrators.

  3. Use the Role Grant page in the Roles component (ROLEMAINT) to specify which roles your remote security administrators can grant with the Distributed User Profiles component.

    See Defining Remote Security Administrator Role Grant Capability.

To define user profile access:

  1. Define a search record that returns only the user IDs that you want remote security administrators to be able to administer.

    Note: Initially, PSOPRDEFN_SRCH is the default search record for this purpose. You can accept the default and skip this step, but that action enables access to every user profile in your system. We encourage you to define a more restrictive search record.

  2. In a browser, select PeopleTools > Security > User Profiles > Distributed User Setup to access the Set Distributed User Profile Search Record page.

  3. In the New Search Record field, select the search record that you defined in Step 1, and then save.

    When remote security administrators access the Distributed User Profiles component, this search record enforces row-level security to restrict the set of user IDs that they can select and administer.
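An added illustration of why the search record in Step 1 matters, not code from PeopleTools: it runs in SQLite on constructed tables, and every table, column and view name is an illustrative assumption. The restrictive view also leaves out users who hold any role outside the delegated set, because a remote security administrator can change passwords on every profile the search record returns.

```python
import sqlite3

# Constructed stand-ins for the user-profile and user-role tables; the table,
# column and view names are illustrative assumptions, not PeopleTools DDL.
SCHEMA = """
CREATE TABLE USER_PROFILE (OPRID TEXT PRIMARY KEY, DESCR TEXT);
CREATE TABLE USER_ROLE (OPRID TEXT, ROLENAME TEXT);

-- Permissive view: the shape of accepting the default search record.
CREATE VIEW ALL_USERS_SRCH AS
  SELECT OPRID, DESCR FROM USER_PROFILE;

-- Restrictive view: users who hold a delegated role and no other role.
CREATE VIEW CLERK_USERS_SRCH AS
  SELECT P.OPRID, P.DESCR FROM USER_PROFILE P
  WHERE EXISTS (SELECT 1 FROM USER_ROLE R
                WHERE R.OPRID = P.OPRID
                  AND R.ROLENAME IN ('Shipping Clerk'))
    AND NOT EXISTS (SELECT 1 FROM USER_ROLE R
                    WHERE R.OPRID = P.OPRID
                      AND R.ROLENAME NOT IN ('Shipping Clerk'));
"""

# Constructed sample data: CLERK2 is a clerk who also holds an admin role.
USERS = [("CLERK1", "Clerk one"), ("CLERK2", "Clerk two"),
         ("LMGR1", "Line manager"), ("SECADM", "Security admin")]
ROLES = [("CLERK1", "Shipping Clerk"),
         ("CLERK2", "Shipping Clerk"), ("CLERK2", "Security Administrator"),
         ("LMGR1", "Line Manager"),
         ("SECADM", "Security Administrator")]

VIEWS = ("ALL_USERS_SRCH", "CLERK_USERS_SRCH")

def selectable_users(view):
    """Return the user IDs a remote administrator could open through `view`."""
    if view not in VIEWS:
        raise ValueError("unknown search view")
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO USER_PROFILE VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO USER_ROLE VALUES (?, ?)", ROLES)
    rows = db.execute(f"SELECT OPRID FROM {view} ORDER BY OPRID").fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("default-style:", selectable_users("ALL_USERS_SRCH"))
    print("restrictive:  ", selectable_users("CLERK_USERS_SRCH"))
```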

In a browser, select PeopleTools > Security > Permissions & Roles > Roles > Role Grant to access the Roles - Role Grant page.

Image: Roles - Role Grant page. This example illustrates the fields and controls on the Roles - Role Grant page.

You use this page to specify which roles can be granted using the Distributed User Profiles component and which users can grant them. This page is part of a role definition; you can configure this role to be a remote security administrator, a role that a remote security administrator can grant to users, or both.

Field or Control

Definition

Roles That Can Be Granted By This Role

By specifying one or more roles in this grid, you effectively designate users who belong to this role, and who have access to the Distributed User Profiles component, as remote security administrators. Add rows to enable this role to grant as many roles as appropriate. For example, you might want users who belong to the Shipping Manager role to be able to grant the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role to other users.

Note: This grid is complementary to the Roles That Can Grant This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Shipping Clerk (Temporary) role and the Packing Clerk (Temporary) role, the Roles That Can Grant This Role grid now specifies Shipping Manager.

Roles That Can Grant This Role

By specifying one or more roles in this grid, you effectively designate users who belong to those roles, and who have access to the Distributed User Profiles component, as remote security administrators who are able to grant this role to users. Add more rows to enable additional roles to grant this role. For example, you might want users who belong to the Security Administrator role to be able to grant the Shipping Manager role to other users.

Note: This grid is complementary to the Roles That Can Be Granted By This Role grid, and it propagates its values accordingly. Using the example given, on the Role Grant page for the Security Administrator role, the Roles That Can Be Granted By This Role grid now specifies Shipping Manager.

View Definition

Click to view the associated role definition and ensure that you have selected the appropriate role to grant or to serve as a remote security administrator.

In a browser, select PeopleTools > Security > User Profiles > Distributed User Profiles to access the Distributed User Profiles component.

Remote security administrators can fully edit the user profiles that they access through the Distributed User Profiles component, including granting roles.

The users who remote security administrators can administer are determined by the search record you specified on the Set Distributed User Profile Search Record page.

The roles that a given remote security administrator can grant are determined by the selections that you made on the Roles - Role Grant page.
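One way to review the Role Grant configuration before delegating, as an added example that is not part of the original documentation: it derives the complementary grid from a list of grant pairs and follows the pairs transitively to find grant cycles and non-administrator roles that can reach an administrator role. The role pairs and the SENSITIVE set are constructed, and the check assumes the worst case that holders of every granting role have access to the Distributed User Profiles component.

```python
from collections import deque

# Constructed sample: (granting role, role it can grant), one pair per row of
# a "Roles That Can Be Granted By This Role" grid.
GRANTS = [
    ("Security Administrator", "Shipping Manager"),
    ("Shipping Manager", "Shipping Clerk (Temporary)"),
    ("Shipping Manager", "Packing Clerk (Temporary)"),
    ("Packing Clerk (Temporary)", "Shipping Manager"),  # granted role grants its granter
    ("Line Manager", "Line Manager"),                   # role that grants itself
]
# Roles the reviewer treats as administrator roles (assumption for this sample).
SENSITIVE = {"Shipping Manager", "Security Administrator"}

def inverse_grid(grants):
    """Derive the complementary 'Roles That Can Grant This Role' grid."""
    inv = {}
    for granter, granted in grants:
        inv.setdefault(granted, set()).add(granter)
    return inv

def reachable(grants, start):
    """Roles obtainable from `start` by following grant rows transitively."""
    direct = {}
    for granter, granted in grants:
        direct.setdefault(granter, set()).add(granted)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in direct.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def findings(grants, sensitive):
    """Flag grant cycles and non-sensitive roles that reach a sensitive role."""
    out = []
    for role in sorted({granter for granter, _ in grants}):
        reach = reachable(grants, role)
        if role in reach:
            out.append((role, "grant cycle"))
        if role not in sensitive:
            out.extend((role, f"reaches {s}") for s in sorted(reach & sensitive))
    return out

if __name__ == "__main__":
    for role, issue in findings(GRANTS, SENSITIVE):
        print(f"{role}: {issue}")
```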