7 Role Provisioning

Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. This topic describes how to provision roles to users both automatically and manually. Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area.

Note: All role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.

Automatic Provisioning of Roles to Users

Role provisioning occurs automatically if:

  • At least one of the user's assignments matches all role-mapping conditions.

  • You select the Autoprovision option for the role in the role mapping.

For example, for the data role Sales Manager Finance Department, you could select the Autoprovision option and specify the conditions shown in this table.

Attribute             Value
Department            Finance Department
Job                   Sales Manager
HR Assignment Status  Active

Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Manual Provisioning of Roles to Users

Users such as line managers can provision roles manually to other users if:

  • At least one of the assignments of the user who's provisioning the role, for example, the line manager, matches all role-mapping conditions.

  • You select the Requestable option for the role in the role mapping.

For example, for the data role Training Team Leader, you could select the Requestable option and specify the conditions shown in this table.

Attribute             Value
Manager with Reports  Yes
HR Assignment Status  Active

Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role Requests from Users

Users can request a role when managing their own accounts if:

  • At least one of their assignments matches all role-mapping conditions.

  • You select the Self-requestable option for the role in the role mapping.

For example, for the data role Expenses Reporter, you could select the Self-requestable option and specify the conditions shown in this table.

Attribute             Value
Department            Finance Department
System Person Type    Employee
HR Assignment Status  Active

Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role-Mapping Names

Role mapping names must be unique in the enterprise. Devise a naming scheme that shows the scope of each role mapping. For example, the role mapping Autoprovisioned Roles Sales could include all roles provisioned automatically to workers in the sales department.

Create a Role Mapping

To provision roles to users, you create role mappings. This topic explains how to create a role mapping.

Sign in as IT Security Manager and follow these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Users and Security

    • Task: Manage Role Provisioning Rules

  2. In the Search Results section of the Manage Role Mappings page, click Create.

    The Create Role Mapping page opens.

Defining the Role-Mapping Conditions

Set values in the Conditions section to specify when the role mapping applies. For example, use the values given in the following table to limit the role mapping to current employees of the Finance Department in Redwood Shores whose job is Accounts Payable Supervisor.

Field                 Value
Department            Finance Department
Job                   Accounts Payable Supervisor
Location              Redwood Shores
System Person Type    Employee
HR Assignment Status  Active

Users must have at least one assignment that meets all these conditions.

Identifying the Roles

  1. In the Associated Roles section, click Add Row.

  2. In the Role Name field, search for and select the role that you're provisioning.

  3. Select one or more of the role-provisioning options as listed in the following table:

    Role-Provisioning Option  Description
    Requestable               Qualifying users can provision the role to other users.
    Self-requestable          Qualifying users can request the role for themselves.
    Autoprovision             Qualifying users acquire the role automatically.

    Qualifying users have at least one assignment that matches the role-mapping conditions.

    Note: Autoprovision is selected by default. Remember to deselect it if you don't want autoprovisioning.

    The Delegation Allowed option indicates whether users who have the role or can provision it to others can also delegate it. You can't change this value, which is part of the role definition. When adding roles to a role mapping, you can search for roles that allow delegation.

  4. If appropriate, add more rows to the Associated Roles section and select provisioning options. The role-mapping conditions apply to all roles in this section.

  5. Click Save and Close.

Applying Autoprovisioning

We recommend that you run the process Autoprovision Roles for All Users after creating or editing role mappings and after loading person records in bulk. This process compares all current user assignments with all current role mappings and creates the appropriate autoprovisioning requests.

Role Mappings

You must provision roles to users. Otherwise, they have no access to data or functions and can't perform application tasks. This topic explains how role mappings control role provisioning and deprovisioning. Use the Manage Role Provisioning Rules or Manage HCM Role Provisioning Rules task to create role mappings.

Role Provisioning Methods

You can provision roles to users:

  • Automatically

  • Manually

    • Users such as line managers can provision roles manually to other users.

    • Users can request roles for themselves.

For both automatic and manual role provisioning, you create a role mapping to specify when a user becomes eligible for a role.

Role Types

You can provision data roles, abstract roles, and job roles to users. However, for Oracle HCM Cloud users, you typically include job roles in HCM data roles and provision those data roles.

Automatic Role Provisioning

Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments. For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles.

Role Deprovisioning

Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time.

Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

Roles at Termination

When you terminate a work relationship, the user automatically loses all automatically provisioned roles for which he or she no longer qualifies. The user loses manually provisioned roles only if he or she has no other work relationships. Otherwise, the user keeps manually provisioned roles until you remove them manually.

The user who terminates the work relationship specifies when the terminated user loses roles. Deprovisioning can occur:

  • On the termination date

  • On the day after the termination date

If you enter a future termination date, then role deprovisioning doesn't occur until that date or the day after. The Role Requests in the Last 30 Days section on the Manage User Account page is updated only when the deprovisioning request is created. Entries remain in that section until they're processed.

Role mappings can provision roles to users automatically at termination. For example, a terminated worker could acquire the custom role Retiree at termination based on assignment status and person type values.

Reversal of Termination

Reversing a termination removes any roles that the user acquired automatically at termination. It also provisions roles to the user as follows:

  • Any manually provisioned roles that were lost automatically at termination are reinstated.

  • As the autoprovisioning process runs automatically when a termination is reversed, roles are provisioned automatically as specified by current role-provisioning rules.

You must reinstate manually any roles that you removed manually, if appropriate.

Date-Effective Changes to Assignments

Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role provisioning occurs on the day the changes take effect. The Send Pending LDAP Requests process identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time. These role-provisioning changes take effect on the system date. Therefore, a delay of up to 24 hours may occur before users in other time zones acquire their roles.

Autoprovisioning

Autoprovisioning is the automatic allocation or removal of user roles. It occurs for individual users when you create or update assignments. You can also apply autoprovisioning explicitly for the enterprise using the Autoprovision Roles for All Users process. This topic explains the effects of applying autoprovisioning for the enterprise.

Roles That Autoprovisioning Affects

Autoprovisioning applies only to roles that have the Autoprovision option enabled in a role mapping. Roles without that option are unaffected.

The Autoprovision Roles for All Users Process

The Autoprovision Roles for All Users process compares all current user assignments with all current role mappings.

  • Users with at least one assignment that matches the conditions in a role mapping and who don't currently have the associated roles acquire those roles.

  • Users who currently have the roles but no longer satisfy the associated role-mapping conditions lose those roles.

When a user has no roles, his or her user account is also suspended automatically by default.

The process creates requests immediately to add or remove roles. These requests are processed by the Send Pending LDAP Requests process. When running Autoprovision Roles for All Users, you can specify when role requests are to be processed. You can either process them immediately or defer them as a batch to the next run of the Send Pending LDAP Requests process. Deferring the processing is better for performance, especially when thousands of role requests may be generated. Set the Process Generated Role Requests parameter to No to defer the processing. If you process the requests immediately, then Autoprovision Roles for All Users produces a report identifying the LDAP request ranges that were generated. Requests are processed on their effective dates.
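The comparison this process performs, together with the matching rule from Automatic Provisioning of Roles to Users (at least one assignment must satisfy all conditions) and the retention rules from Role Deprovisioning and Roles at Termination, as an added Python example that is not Oracle code. The Sales Manager Finance Department mapping uses the conditions given earlier in this chapter; the Retiree mapping's conditions, the user names, their assignments, their existing roles and the count of active work relationships are constructed for the example, and the "Automatic"/"Manual" labels stand in for the provisioning method recorded against each role.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict        # attribute -> required value; every condition must hold
    roles: tuple            # associated roles
    autoprovision: bool = True


@dataclass
class User:
    name: str
    assignments: list                            # each assignment: attribute -> value
    roles: dict = field(default_factory=dict)    # role -> "Automatic" | "Manual"
    active_work_relationships: int = 1


def assignment_matches(assignment: dict, conditions: dict) -> bool:
    """A single assignment satisfies a mapping only if all of its conditions hold."""
    return all(assignment.get(attr) == value for attr, value in conditions.items())


def qualifies(user: User, mapping: RoleMapping) -> bool:
    """The user qualifies if at least one assignment matches all conditions."""
    return any(assignment_matches(a, mapping.conditions) for a in user.assignments)


def reconcile(user: User, mappings: list) -> tuple:
    """Return (roles to add, roles to remove) for one user, as the process would request."""
    entitled = set()
    for m in mappings:
        if m.autoprovision and qualifies(user, m):
            entitled.update(m.roles)
    add = entitled - set(user.roles)
    # Only automatically provisioned roles are withdrawn when the conditions stop holding.
    remove = {r for r, how in user.roles.items() if how == "Automatic" and r not in entitled}
    # Manually provisioned roles go only when every work relationship is terminated.
    if user.active_work_relationships == 0:
        remove |= {r for r, how in user.roles.items() if how == "Manual"}
    return add, remove


def apply_requests(user: User, add: set, remove: set) -> bool:
    """Apply the requests; return True when the account would be suspended (no roles left)."""
    for r in add:
        user.roles[r] = "Automatic"
    for r in remove:
        user.roles.pop(r, None)
    return not user.roles


# Mapping conditions from the chapter's Sales Manager example.
SALES_MANAGER = RoleMapping(
    name="Autoprovisioned Roles Sales",
    conditions={"Department": "Finance Department", "Job": "Sales Manager",
                "HR Assignment Status": "Active"},
    roles=("Sales Manager Finance Department",))
# A termination mapping; these conditions are an assumption for the example.
RETIREE = RoleMapping(
    name="Retiree at Termination",
    conditions={"HR Assignment Status": "Inactive", "System Person Type": "Retiree"},
    roles=("Retiree",))
MAPPINGS = [SALES_MANAGER, RETIREE]


def sample_users() -> list:
    """Constructed users covering the cases the chapter describes."""
    fin = {"Department": "Finance Department", "HR Assignment Status": "Active"}
    return [
        # Two assignments; only the second matches, which is enough.
        User("dave", [dict(fin, Job="Clerk"), dict(fin, Job="Sales Manager")]),
        # No longer a Sales Manager: loses the automatic role, keeps the manual one.
        User("bob", [dict(fin, Job="Accountant")],
             roles={"Sales Manager Finance Department": "Automatic",
                    "Training Team Leader": "Manual"}),
        # Terminated with no other work relationship: loses both, gains Retiree.
        User("carol", [{"Department": "Finance Department", "Job": "Sales Manager",
                        "HR Assignment Status": "Inactive", "System Person Type": "Retiree"}],
             roles={"Sales Manager Finance Department": "Automatic",
                    "Training Team Leader": "Manual"},
             active_work_relationships=0),
        # Loses the only role it had, so the account is suspended by default.
        User("erin", [{"Department": "Marketing", "Job": "Clerk", "HR Assignment Status": "Active"}],
             roles={"Sales Manager Finance Department": "Automatic"}),
    ]


def run_demo() -> dict:
    """Reconcile every sample user; map name -> (add, remove, roles after, suspended)."""
    out = {}
    for u in sample_users():
        add, remove = reconcile(u, MAPPINGS)
        suspended = apply_requests(u, add, remove)
        out[u.name] = (add, remove, dict(u.roles), suspended)
    return out


if __name__ == "__main__":
    for name, (add, remove, roles, suspended) in run_demo().items():
        print(f"{name}: add={sorted(add)} remove={sorted(remove)} "
              f"roles={roles} suspended={suspended}")
```

The deliberate asymmetry is the point: `reconcile` never removes a manually provisioned role while any work relationship remains, which is why a review of manually provisioned roles has to be a separate, deliberate step rather than something this process does for you.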

When to Run the Process

We recommend that you run Autoprovision Roles for All Users after creating or editing role mappings. You may also have to run it after loading person records in bulk if you request user accounts for those records. If an appropriate role mapping exists before the load, then this process isn't necessary. Otherwise, you must run it to provision roles to new users loaded in bulk. Avoid running the process more than once in any day; otherwise, the number of role requests that the process generates may slow the provisioning process.

Only one instance of Autoprovision Roles for All Users can run at a time.

Autoprovisioning for Individual Users

You can apply autoprovisioning for individual users on the Manage User Account page.

User and Role Access Audit Report

The User and Role Access Audit Report provides details of the function and data security privileges granted to specified users or roles. This information is equivalent to the information that you can see for a user or role on the Security Console. This report is based on data in the Applications Security tables, which you populate by running the Import User and Role Application Security Data process.

To run the User and Role Access Audit Report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the User and Role Access Audit Report process.

  3. In the Process Details dialog box, set parameters and click Submit.

  4. Click OK to close the confirmation message.

User and Role Access Audit Report Parameters

Population Type

Set this parameter to one of these values to run the report for one user, one role, multiple users, or all roles.

  • All roles

  • Multiple users

  • Role name

  • User name

User Name

Search for and select the user name of a single user.

This field is enabled only when Population Type is User name.

Role Name

Search for and select the name of a single aggregate privilege or data, job, abstract, or duty role.

This field is enabled only when Population Type is Role name.

From User Name Starting With

Enter one or more characters from the start of the first user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

To User Name Starting With

Enter one or more characters from the start of the last user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

User Role Name Starts With

Enter one or more characters from the start of a role name.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users and roles.

Data Security Policies

Select Data Security Policies to view the data security report for any population. If you leave the option deselected, then only the function security report is generated.

Note: If you don't need the data security report, then leave the option deselected to reduce the report processing time.

Debug

Select Debug to include the role GUID in the report. The role GUID is used to troubleshoot. Select this option only when requested to do so by Oracle Support.

Viewing the Report Results

The report produces either one or two .zip files, depending on the parameters you select. When you select Data Security Policies, two .zip files are generated, one for data security policies and one for functional security policies in a hierarchical format.

The file names are in the following format: [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX]. The file prefix depends on the specified Population Type value.

This table shows the file prefix values for each report type.

Report Type     File Prefix
User name       USER_NAME
Role name       ROLE_NAME
Multiple users  MULTIPLE_USERS
All roles       ALL_ROLES

This table shows the file suffix, file format, and file contents for each report type.

Report Type                  File Suffix   File Format  File Contents

Any                          DataSec       CSV          Data security policies. The .zip file contains one file for all users or roles. The data security policies file is generated only when Data Security Policies is selected.

                                                        Note: Extract the data security policies only when necessary, as generating this report is time consuming.

Any                          Hierarchical  CSV          Functional security policies in a hierarchical format. The .zip file contains one file for each user or role.

Multiple users or All roles  CSV           CSV          Functional security policies in a comma-separated, tabular format.

The process also produces a .zip file containing a diagnostic log.

For example, if you report on a job role at 13.30 on 17 December 2015 with process ID 201547 and the Data Security Policies option selected, then the report files are:

  • ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip

  • ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip

  • Diagnostic.zip
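A parser for the report file-name format given above, as an added Python example that is not Oracle code, useful when collecting the audit report output automatically and picking the right archive for a given process run. It assumes the date and time fields are written as MM-DD-YYYY and HH-MM-SS, which is what the chapter's example (13.30 on 17 December 2015 written as 12-17-2015_13-30-00) shows; the sample listing is constructed from that example.

```python
import re
from datetime import datetime

# File prefix for each Population Type value, as listed in the chapter.
FILE_PREFIXES = {
    "User name": "USER_NAME",
    "Role name": "ROLE_NAME",
    "Multiple users": "MULTIPLE_USERS",
    "All roles": "ALL_ROLES",
}
_PREFIX_TO_POPULATION = {v: k for k, v in FILE_PREFIXES.items()}

# [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX].zip
# Date as MM-DD-YYYY and time as HH-MM-SS is assumed from the chapter's example.
_NAME_RE = re.compile(
    r"^(?P<prefix>USER_NAME|ROLE_NAME|MULTIPLE_USERS|ALL_ROLES)_"
    r"(?P<process_id>\d+)_"
    r"(?P<date>\d{2}-\d{2}-\d{4})_(?P<time>\d{2}-\d{2}-\d{2})_"
    r"(?P<suffix>DataSec|Hierarchical|CSV)\.zip$"
)


def parse_report_filename(name: str):
    """Return the fields encoded in a report file name, or None for any other
    file in the output (for example Diagnostic.zip)."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    generated_at = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%Y %H-%M-%S")
    return {
        "population_type": _PREFIX_TO_POPULATION[m["prefix"]],
        "process_id": int(m["process_id"]),
        "generated_at": generated_at,
        "suffix": m["suffix"],
    }


def build_report_filename(population_type: str, process_id: int,
                          generated_at: datetime, suffix: str) -> str:
    """Inverse of parse_report_filename: the name a given run would produce."""
    prefix = FILE_PREFIXES[population_type]
    stamp = generated_at.strftime("%m-%d-%Y_%H-%M-%S")
    return f"{prefix}_{process_id}_{stamp}_{suffix}.zip"


def group_run_outputs(names: list) -> dict:
    """Map each process ID to the set of report suffixes present, skipping
    files that don't follow the report naming format."""
    runs = {}
    for n in names:
        parsed = parse_report_filename(n)
        if parsed is not None:
            runs.setdefault(parsed["process_id"], set()).add(parsed["suffix"])
    return runs


# Constructed listing that reproduces the chapter's example output.
SAMPLE_LISTING = [
    "ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip",
    "ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip",
    "Diagnostic.zip",
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        print(n, "->", parse_report_filename(n))
    print(group_run_outputs(SAMPLE_LISTING))
```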

Data Access

You can assign users access to appropriate data based on their job roles. The Oracle Fusion security model requires a three-way link between users, roles, and data. It's summarized as: who can do what on which data. Who refers to the users, what refers to the job roles assigned to the user, and which refers to the data that's specific to a particular security context, typically an element of the enterprise structure, such as a business unit, asset book, or ledger.

For example, consider a user, Mary Johnson, who manages accounts payable functions, such as processing supplier invoices for the US Operations business unit. In this scenario, Mary Johnson must be assigned a job role such as the predefined Accounts Payable Manager, and given access to the US Operations business unit.

The following table lists the elements of the enterprise structure to which users can be assigned access based on their job roles.

Product                                     Security Context
Oracle Fusion Financials                    Business Unit
                                            Data Access Set
                                            Ledger
                                            Asset Book
                                            Control Budget
                                            Intercompany Organization
                                            Reference Data Set
Oracle Fusion Supply Chain Management       Inventory Organization
                                            Reference Data Set
                                            Cost Organization
                                            Inventory Organization
                                            Manufacturing Plant
Oracle Fusion Procurement                   Business Unit
Oracle Fusion Project Portfolio Management  Project Organization Classification
Oracle Fusion Incentive Compensation        Business Unit

Assigning Data Access

Assigning data access to users is a three-step process:

  1. Create users using one of the following:

    • Manage Users task in Oracle Fusion Functional Setup Manager

      Specify user attributes such as user name, assigned business unit, legal employer, department, job, position, grade, and location.

    • Security Console

  2. Assign at least one job role to users. Use Oracle Fusion Human Capital Management or the Security Console to assign job roles. Alternatively, define Role Provisioning Rules to auto-provision roles to users based on the users' work assignments.

  3. Assign data access to users for each applicable job role. Use the Manage Data Access for Users task in the Functional Setup Manager. For General Ledger users, you can also use the Manage Data Access Set Data Access for Users task to assign data access. Alternatively, define Data Provisioning Rules to auto-provision data access to users based on the users' work assignments.

Assign Data Access to Users

Use the Manage Data Access for Users page to assign data access to users based on their job roles. You can assign data access to only one user at a time.

The following table lists the questions you can consider before assigning data access to users.

Decision to Consider                                           In This Example
Which user role is being given data access?                    Accounts Payable Manager
What is the security context to which access is being given?   Business Unit

Prerequisites

Before you can complete this task, you must:

  1. Create users and specify the user attributes such as a user name, assigned business unit, legal employer, department, job, position, grade and location, and so on. To create users, use the Manage Users task in the Functional Setup Manager or the Create User page. If you're implementing Oracle Fusion HCM, you can also use the Hire an Employee page. You can also use the Security Console to create the implementation users who create the setups, such as legal entities, business units, and so on, that are required to create the users in the Manage Users or Hire an Employee page.

  2. Assign users their job roles. You can either use Oracle Fusion Human Capital Management or the Security Console to assign job roles.

  3. Run the Retrieve Latest LDAP Changes process.

Assigning Data Access to Users Using a Spreadsheet

  1. Sign in to the Functional Setup Manager as an IT Security Manager or Application Implementation Consultant and navigate to the Setup and Maintenance page.

  2. Search for and select the Manage Data Access for Users task. Alternatively, you can perform this task through the product-specific task list.

  3. Click Users without Data Access to view users who don't have data access. Alternatively, to assign additional data access to users, use the Users with Data Access option.

  4. Select the Security Context. For our example, select Business Unit.

  5. Search for users with no data access. For our example, enter Accounts Payable Specialist in the Role field.

    Note: The search fields are related to the user attributes.

  6. Click Search. The Search Results region displays users who don't have any data access.

  7. Click the Authorize Data Access button to export the search results to a Microsoft Excel spreadsheet. You can provide data access to a group of users through the spreadsheet.

  8. Click OK to open the spreadsheet using Microsoft Excel.

  9. Select the Security Context from the list for each user.

  10. Enter the Security Context Value.

    • To provide additional data access to the user, add a new row and enter the user name, role, security context, and security context value.

    • You can click the View Data Access button to see what other data access the user already has even if this is outside the parameters of the search. This may help to identify users you want to grant access to because of existing access.

  11. Click the Upload button on the spreadsheet when you have assigned data access.

  12. Select the upload options on the Upload Options window and click OK.

  13. Note the status of your upload in the Upload column.

    • If the status of the upload is Successful and there are no validation errors in the log file, you can view the data access assignment to the users using the search criteria on the Manage Data Access for Users page.

    • If the upload status is Failed, check the details in your upload file, correct any errors, and upload the file again.

View Role Information Using Security Dashboard

As an IT Security Manager, you can use the Security Dashboard to get a snapshot of the security roles and how those roles are provisioned in the Oracle Cloud Applications. The information is sorted by role category and you can view details such as data security policy, function security policy, and users associated with a role. You can also perform a reverse search on a data security policy or a function security policy and view the associated roles.

You can search for roles using the Role Overview page. You can view the count of the roles which includes the inherited roles, data security policies, and function security policies on this page. Clicking the number in a tile on this page takes you to the corresponding page in the Role Dashboard. You can view role details either on the Role Overview page of the Security Dashboard or the Role Dashboard.

You can view role information such as the directly assigned function security policies and data security policies, roles assigned to users, directly assigned roles, and inherited roles list using the Role Dashboard. Clicking any role-related link on a page of the Security Dashboard takes you to the relevant page in the Role Dashboard. You can export the role information to a spreadsheet. The information on each tab is exported to a sheet in the spreadsheet. This dashboard supports a print-friendly view for a single role.

Here are the steps to view the Security Dashboard:

  1. In the Reports and Analytics work area, click Browse Catalog.

  2. On the Oracle BI page, open Shared Folders > Security > Transaction Analysis Samples > Security Dashboard.

    All pages of the dashboard are listed.

  3. To view the Role Category Overview page, click Open.

    The page displays the number of roles in each role category in both tabular and graphical formats.

  4. In the Number of Roles column, click the numeral value to view the role-related details.

  5. Click View Role to view the role-specific information in the Role Dashboard.

FAQs for Role Provisioning

What are role-mapping conditions?

Most are assignment attributes, such as job or department. At least one of a user's assignments must match all assignment values in the role mapping for the user to qualify for the associated roles.

What's an associated role in a role mapping?

Any role that you want to provision to users. You can provision data roles, abstract roles, and job roles to users. The roles can be either predefined or custom.

What's a provisioning method?

The provisioning method identifies how the user acquired the role. This table describes its values.

Provisioning Method  Meaning
Automatic            The user qualifies for the role automatically based on his or her assignment attribute values.
Manual               Either another user assigned the role to the user, or the user requested the role.
External             The user acquired the role outside Oracle Applications Cloud.

How do I provision roles to users?

Use the following tasks to provision roles to users.

  • Manage Users

  • Provision Roles to Implementation Users

The Manage Users task is available in Oracle HCM Cloud, Oracle Engagement Cloud, Oracle ERP Cloud, Oracle SCM Cloud, and Oracle Fusion Suppliers.

Human Resources (HR) transaction flows such as Hire and Promote also provision roles.

How do I view the privileges or policies for a job role?

The most efficient way is to use the Security Console to search for and select the job role. When it appears in the visualizer, you can see all inherited roles, aggregate privileges, and privileges. If you edit the role from the visualizer, you can see the policies on the function policies and data policies pages.

How can I tell which roles are provisioned to a user?

Use the Security Console to search for the user. When you select the user, the user and any roles assigned to the user appear in the visualizer. Navigate the nodes to see the role hierarchies and privileges. You must be assigned the IT Security Manager role to access the Security Console.

Why can't a user access a task?

If a task doesn't appear in a user's task list, you may need to provision roles to the user.

A position or job and its included duties determine the tasks that users can perform. Provisioned roles provide access to tasks through the inherited duty roles.

The duty roles in a role hierarchy carry privileges to access functions and data. You don't assign duty roles directly to users. Instead, duty roles are assigned to job or abstract roles in a role hierarchy. If the duties assigned to a predefined job role don't match the corresponding job in your enterprise, you can create copies of job roles and add duties to or remove duties from the copy.

Note: You can't change predefined roles to add or remove duties. In the Security Console, you can identify predefined roles by the ORA_ prefix in the Role Code field. Create copies and update the copies instead.

Users are generally provisioned with roles based on role provisioning rules. If a user requests a role to access a task, always review the security reference implementation to determine the most appropriate role.