2 Managing Granular Roles with Access Control
Access Control allows you to extend an Oracle Fusion Cloud Enterprise Performance Management user’s access beyond their predefined role by assigning roles at the business process level. These business process-level roles are referred to as granular roles.
Service Administrators, or users with the Access Control - Manage granular role, can assign granular roles and data grants to users and to groups created and managed in Access Control.
For example, by default, only Service Administrators and Power Users can access Data Integration. To allow users with the User or Viewer predefined roles to participate in the integration process, Service Administrators can assign Data Integration - Create granular roles to those users.
Note:
Granular roles can only extend the user's access. They do not revoke or restrict any privileges granted by a predefined role. To learn more about predefined roles, see Understanding Predefined Roles in the Getting Started Guide for Administrators.
Note:
If you are migrating business processes from an on-premises environment to Cloud EPM, see Role Mapping for Migrating to Cloud EPM in Administering Migration.
Best Practice for Assigning Granular Roles
As a best practice, assign the lowest-level granular role required to provide the necessary additional privileges. Grant granular roles only when a user needs capabilities beyond those provided by their predefined role.
Examples:
- Assign the Preparer granular role to a Viewer who needs to prepare reconciliations.
- Assign the Reports - Manage granular role to a Viewer who designs reports but does not require broader business process functionality.
- Assign the Alert Types - Manage granular role to a Power User who needs to manage alert definitions.
Note:
Privilege grants are additive only. This means that you can add to the privileges that a user's predefined role has, but you cannot remove privileges that are automatically given to that predefined role.