7 Role Provisioning

Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. This topic describes how to provision roles to users both automatically and manually. Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area.

Note: All role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.

Automatic Provisioning of Roles to Users

Role provisioning occurs automatically if:

  • At least one of the user's assignments matches all role-mapping conditions.

  • You select the Autoprovision option for the role in the role mapping.

For example, for the data role Sales Manager Finance Department, you could select the Autoprovision option and specify the conditions shown in this table.

Attribute             Value
--------------------  ------------------
Department            Finance Department
Job                   Sales Manager
HR Assignment Status  Active

Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Manual Provisioning of Roles to Users

Users such as line managers can provision roles manually to other users if:

  • At least one of the assignments of the user who's provisioning the role, for example, the line manager, matches all role-mapping conditions.

  • You select the Requestable option for the role in the role mapping.

For example, for the data role Training Team Leader, you could select the Requestable option and specify the conditions shown in this table.

Attribute             Value
--------------------  ------
Manager with Reports  Yes
HR Assignment Status  Active

Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role Requests from Users

Users can request a role when managing their own accounts if:

  • At least one of their assignments matches all role-mapping conditions.

  • You select the Self-requestable option for the role in the role mapping.

For example, for the data role Expenses Reporter you could select the Self-requestable option and specify the conditions shown in this table.

Attribute             Value
--------------------  ------------------
Department            Finance Department
System Person Type    Employee
HR Assignment Status  Active

Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role-Mapping Names

Role mapping names must be unique in the enterprise. Devise a naming scheme that shows the scope of each role mapping. For example, the role mapping Autoprovisioned Roles Sales could include all roles provisioned automatically to workers in the sales department.

Create a Role Mapping

To provision roles to users, you create role mappings. This topic explains how to create a role mapping.

Sign in as IT Security Manager and follow these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Users and Security

    • Task: Manage Role Provisioning Rules

  2. In the Search Results section of the Manage Role Mappings page, click Create.

    The Create Role Mapping page opens.

Defining the Role-Mapping Conditions

Set values in the Conditions section to specify when the role mapping applies. For example, use the values given in the following table to limit the role mapping to current employees of the Finance Department in Redwood Shores whose job is Accounts Payable Supervisor.

Field                 Value
--------------------  ---------------------------
Department            Finance Department
Job                   Accounts Payable Supervisor
Location              Redwood Shores
System Person Type    Employee
HR Assignment Status  Active

Users must have at least one assignment that meets all these conditions.

Identifying the Roles

  1. In the Associated Roles section, click Add Row.

  2. In the Role Name field, search for and select the role that you're provisioning.

  3. Select one or more of the role-provisioning options as listed in the following table:

    Role-Provisioning Option  Description
    ------------------------  -------------------------------------------------------
    Requestable               Qualifying users can provision the role to other users.
    Self-requestable          Qualifying users can request the role for themselves.
    Autoprovision             Qualifying users acquire the role automatically.

    Qualifying users have at least one assignment that matches the role-mapping conditions.

    Note: Autoprovision is selected by default. Remember to deselect it if you don't want autoprovisioning.

    The Delegation Allowed option indicates whether users who have the role or can provision it to others can also delegate it. You can't change this value, which is part of the role definition. When adding roles to a role mapping, you can search for roles that allow delegation.

  4. If appropriate, add more rows to the Associated Roles section and select provisioning options. The role-mapping conditions apply to all roles in this section.

  5. Click Save and Close.

Applying Autoprovisioning

You should run the process Autoprovision Roles for All Users after creating or editing role mappings and after loading person records in bulk. This process compares all current user assignments with all current role mappings and creates the appropriate autoprovisioning requests.

Role Provisioning and Deprovisioning

You must provision roles to users. Otherwise, they have no access to data or functions and can't perform application tasks. This topic explains how role mappings control role provisioning and deprovisioning. Use the Manage Role Provisioning Rules or Manage HCM Role Provisioning Rules task to create role mappings.

Role Provisioning Methods

You can provision roles to users:

  • Automatically

  • Manually

    • Users such as line managers can provision roles manually to other users.

    • Users can request roles for themselves.

For both automatic and manual role provisioning, you create a role mapping to specify when a user becomes eligible for a role.

Role Types

You can provision data roles, abstract roles, and job roles to users. However, for Oracle HCM Cloud users, you typically include job roles in HCM data roles and provision those data roles.

Automatic Role Provisioning

Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments. For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles.

Role Deprovisioning

Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time.

Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

Roles at Termination

When you terminate a work relationship, the user automatically loses all automatically provisioned roles for which he or she no longer qualifies. The user loses manually provisioned roles only if he or she has no other work relationships. Otherwise, the user keeps manually provisioned roles until you remove them manually.

The person who terminates the work relationship specifies when the terminated user loses roles. Deprovisioning can occur:

  • On the termination date

  • On the day after the termination date

If you enter a future termination date, then role deprovisioning doesn't occur until that date or the day after. The Role Requests in the Last 30 Days section on the Manage User Account page is updated only when the deprovisioning request is created. Entries remain in that section until they're processed.

Role mappings can provision roles to users automatically at termination. For example, a terminated worker could acquire the custom role Retiree at termination based on assignment status and person type values.

Reversal of Termination

Reversing a termination removes any roles that the user acquired automatically at termination. It also provisions roles to the user as follows:

  • Any manually provisioned roles that were lost automatically at termination are reinstated.

  • As the autoprovisioning process runs automatically when a termination is reversed, roles are provisioned automatically as specified by current role-provisioning rules.

You must reinstate manually any roles that you removed manually, if appropriate.

Date-Effective Changes to Assignments

Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role provisioning occurs on the day the changes take effect. The Send Pending LDAP Requests process identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time. These role-provisioning changes take effect on the system date. Therefore, a delay of up to 24 hours may occur before users in other time zones acquire their roles.

Autoprovisioning

Autoprovisioning is the automatic allocation or removal of user roles. It occurs for individual users when you create or update assignments. You can also apply autoprovisioning explicitly for the enterprise using the Autoprovision Roles for All Users process. This topic explains the effects of applying autoprovisioning for the enterprise.

Roles That Autoprovisioning Affects

Autoprovisioning applies only to roles that have the Autoprovision option enabled in a role mapping.

It doesn't apply to roles without the Autoprovision option enabled.

The Autoprovision Roles for All Users Process

The Autoprovision Roles for All Users process compares all current user assignments with all current role mappings.

  • Users with at least one assignment that matches the conditions in a role mapping and who don't currently have the associated roles acquire those roles.

  • Users who currently have the roles but no longer satisfy the associated role-mapping conditions lose those roles.

When a user has no roles, his or her user account is also suspended automatically by default.

The process creates requests immediately to add or remove roles. These requests are processed by the Send Pending LDAP Requests process. When running Autoprovision Roles for All Users, you can specify when role requests are to be processed. You can either process them immediately or defer them as a batch to the next run of the Send Pending LDAP Requests process. Deferring the processing is better for performance, especially when thousands of role requests may be generated. Set the Process Generated Role Requests parameter to No to defer the processing. If you process the requests immediately, then Autoprovision Roles for All Users produces a report identifying the LDAP request ranges that were generated. Requests are processed on their effective dates.
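The matching and reconciliation rules described in this chapter (one assignment must satisfy every condition of a mapping, the Autoprovision, Requestable and Self-requestable options, and the add and remove requests that Autoprovision Roles for All Users creates) can be written down as a small model. The following Python is an added example, not Oracle code and not how the application implements the process: the attribute names come from the tables above, while the user and mapping structures and the three sample users are constructed assumptions.

```python
"""Model of role-mapping evaluation (added example; not Oracle code).

Structures, attribute names and sample users are assumptions that mirror the
tables in this chapter.  A user is represented as a dict with:
  assignments               list of dicts, attribute -> value
  auto_roles                roles held through autoprovisioning
  manual_roles              roles provisioned manually or self-requested
  active_work_relationships number of work relationships not terminated
"""
from dataclasses import dataclass

AUTO, REQUESTABLE, SELF = "autoprovision", "requestable", "self-requestable"


@dataclass(frozen=True)
class RoleMapping:
    name: str
    conditions: dict   # attribute -> required value; every condition must hold
    roles: dict        # role name -> frozenset of provisioning options


# Constructed mappings matching the three examples in this chapter.
MAPPINGS = [
    RoleMapping("Autoprovisioned Roles Finance Sales",
                {"Department": "Finance Department", "Job": "Sales Manager",
                 "HR Assignment Status": "Active"},
                {"Sales Manager Finance Department": frozenset({AUTO})}),
    RoleMapping("Requestable Roles Managers",
                {"Manager with Reports": "Yes", "HR Assignment Status": "Active"},
                {"Training Team Leader": frozenset({REQUESTABLE})}),
    RoleMapping("Self-Requestable Roles Finance",
                {"Department": "Finance Department",
                 "System Person Type": "Employee",
                 "HR Assignment Status": "Active"},
                {"Expenses Reporter": frozenset({SELF})}),
]


def assignment_matches(assignment, conditions):
    """AND across conditions: one assignment must satisfy every condition."""
    return all(assignment.get(k) == v for k, v in conditions.items())


def user_qualifies(assignments, conditions):
    """OR across assignments: any single matching assignment is enough."""
    return any(assignment_matches(a, conditions) for a in assignments)


def eligible_roles(assignments, option, mappings=MAPPINGS):
    """Roles the user acquires (AUTO), may provision to others (REQUESTABLE)
    or may request (SELF) under the given mappings."""
    roles = set()
    for m in mappings:
        if user_qualifies(assignments, m.conditions):
            roles |= {r for r, opts in m.roles.items() if option in opts}
    return roles


def reconcile(user, mappings=MAPPINGS):
    """Requests that Autoprovision Roles for All Users would create for one user."""
    target = eligible_roles(user["assignments"], AUTO, mappings)
    held = user["auto_roles"] | user["manual_roles"]
    add = target - held                      # qualifies but doesn't hold the role
    remove = user["auto_roles"] - target     # held automatically, no longer qualifies
    if user["active_work_relationships"] == 0:
        remove |= user["manual_roles"]       # manual roles go only at full termination
    return {"add": sorted(add), "remove": sorted(remove)}


# Constructed sample users (not real data).
ALICE = {  # a single assignment satisfies all three conditions of the first mapping
    "assignments": [{"Department": "Finance Department", "Job": "Sales Manager",
                     "HR Assignment Status": "Active",
                     "Manager with Reports": "Yes",
                     "System Person Type": "Employee"}],
    "auto_roles": set(), "manual_roles": set(), "active_work_relationships": 1,
}
BOB = {  # the conditions are spread over two assignments: neither matches alone
    "assignments": [{"Department": "Finance Department", "Job": "Accountant",
                     "HR Assignment Status": "Active"},
                    {"Department": "Sales Department", "Job": "Sales Manager",
                     "HR Assignment Status": "Active"}],
    "auto_roles": {"Sales Manager Finance Department"},  # held under an earlier mapping
    "manual_roles": {"Training Team Leader"},
    "active_work_relationships": 1,
}
CAROL = dict(BOB, active_work_relationships=0)  # every work relationship terminated

if __name__ == "__main__":
    for name, user in (("ALICE", ALICE), ("BOB", BOB), ("CAROL", CAROL)):
        print(name, reconcile(user))
```

The second sample user shows the case that most often surprises administrators: conditions are combined with AND within a single assignment, so a worker whose Department and Job conditions are satisfied by two different assignments does not qualify. The model also shows the asymmetry described above: an autoprovisioned role that no longer qualifies is removed, while a manually provisioned role survives until every work relationship is terminated.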

When to Run the Process

You should run Autoprovision Roles for All Users after creating or editing role mappings. You may also have to run it after loading person records in bulk if you request user accounts for those records. If an appropriate role mapping exists before the load, then this process isn't necessary. Otherwise, you must run it to provision roles to new users loaded in bulk. Avoid running the process more than once in any day; otherwise, the number of role requests that the process generates may slow the provisioning process.

Only one instance of Autoprovision Roles for All Users can run at a time.

Autoprovisioning for Individual Users

You can apply autoprovisioning for individual users on the Manage User Account page.

User and Role Access Audit Report

The User and Role Access Audit Report provides details of the function and data security privileges granted to specified users or roles. This information is equivalent to the information that you can see for a user or role on the Security Console. This report is based on data in the Applications Security tables, which you populate by running the Import User and Role Application Security Data process.

To run the User and Role Access Audit Report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the User and Role Access Audit Report process.

  3. In the Process Details dialog box, set parameters and click Submit.

  4. Click OK to close the confirmation message.

User and Role Access Audit Report Parameters

Population Type

Set this parameter to one of these values to run the report for one user, one role, multiple users, or all roles.

  • All roles

  • Multiple users

  • Role name

  • User name

User Name

Search for and select the user name of a single user.

This field is enabled only when Population Type is User name.

Role Name

Search for and select the name of a single aggregate privilege or data, job, abstract, or duty role.

This field is enabled only when Population Type is Role name.

From User Name Starting With

Enter one or more characters from the start of the first user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

To User Name Starting With

Enter one or more characters from the start of the last user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

User Role Name Starts With

Enter one or more characters from the start of a role name.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users and roles.

Data Security Policies

Select Data Security Policies to view the data security report for any population. If you leave the option deselected, then only the function security report is generated.

Note: If you don't need the data security report, then leave the option deselected to reduce the report processing time.

Debug

Select Debug to include the role GUID in the report. The role GUID is used to troubleshoot. Select this option only when requested to do so by Oracle Support.

Viewing the Report Results

The report produces either one or two .zip files, depending on the parameters you select. When you select Data Security Policies, two .zip files are generated, one for data security policies and one for functional security policies in a hierarchical format.

The file names are in the following format: [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX]. The file prefix depends on the specified Population Type value.

This table shows the file prefix values for each report type.

Report Type     File Prefix
--------------  --------------
User name       USER_NAME
Role name       ROLE_NAME
Multiple users  MULTIPLE_USERS
All roles       ALL_ROLES

This table shows the file suffix, file format, and file contents for each report type.

Report Type                File Suffix   File Format  File Contents
-------------------------  ------------  -----------  --------------------------------------------------------------
Any                        DataSec       CSV          Data security policies. The .zip file contains one file for all users or roles. This file is generated only when Data Security Policies is selected.
Any                        Hierarchical  CSV          Functional security policies in a hierarchical format. The .zip file contains one file for each user or role.
Multiple users, All roles  CSV           CSV          Functional security policies in a comma-separated, tabular format.

Note: Extract the data security policies only when necessary, as generating this report is time consuming.

The process also produces a .zip file containing a diagnostic log.

For example, if you report on a job role at 13:30 on 17 December 2015 with process ID 201547 and the Data Security Policies option selected, then the report files are:

  • ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip

  • ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip

  • Diagnostic.zip
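If you collect the report output with a script, the file naming convention above is enough to sort it into runs. The following Python is an added example, not part of the report or of Oracle's tooling; it parses the documented name format, rejects combinations that the tables say are not produced (such as a tabular CSV file for a single user), and groups the files of one run so you can tell whether the data security report was included. The MULTIPLE_USERS file names in the sample list are constructed; the ROLE_NAME names are the ones from the example above.

```python
"""Parser for User and Role Access Audit Report file names (added example)."""
import re
from datetime import datetime

POPULATION_BY_PREFIX = {"USER_NAME": "User name", "ROLE_NAME": "Role name",
                        "MULTIPLE_USERS": "Multiple users", "ALL_ROLES": "All roles"}
CONTENT_BY_SUFFIX = {"DataSec": "data security policies",
                     "Hierarchical": "functional security policies (hierarchical)",
                     "CSV": "functional security policies (tabular)"}
TABULAR_ONLY_FOR = {"MULTIPLE_USERS", "ALL_ROLES"}   # per the suffix table above

# [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX].zip, date as MM-DD-YYYY
NAME_RE = re.compile(
    r"^(?P<prefix>USER_NAME|ROLE_NAME|MULTIPLE_USERS|ALL_ROLES)"
    r"_(?P<process_id>\d+)"
    r"_(?P<date>\d{2}-\d{2}-\d{4})_(?P<time>\d{2}-\d{2}-\d{2})"
    r"_(?P<suffix>DataSec|Hierarchical|CSV)\.zip$")


def parse_report_name(name):
    """Return the parsed parts of a report file name, or None if it is not one."""
    m = NAME_RE.match(name)
    if m is None:
        return None        # Diagnostic.zip, or anything outside the documented format
    if m["suffix"] == "CSV" and m["prefix"] not in TABULAR_ONLY_FOR:
        return None        # the tabular file exists only for these population types
    return {
        "population": POPULATION_BY_PREFIX[m["prefix"]],
        "process_id": int(m["process_id"]),
        "timestamp": datetime.strptime(f"{m['date']} {m['time']}",
                                       "%m-%d-%Y %H-%M-%S"),
        "contents": CONTENT_BY_SUFFIX[m["suffix"]],
    }


def group_runs(names):
    """Group files by (population, process id, timestamp) and flag whether the
    run included the data security policies file."""
    runs = {}
    for n in names:
        info = parse_report_name(n)
        if info is None:
            continue
        key = (info["population"], info["process_id"], info["timestamp"])
        runs.setdefault(key, set()).add(info["contents"])
    return {k: {"files": sorted(v),
                "data_security_included": CONTENT_BY_SUFFIX["DataSec"] in v}
            for k, v in runs.items()}


# Sample directory listing: first three from the example above, last two constructed.
SAMPLE_FILES = [
    "ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip",
    "ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip",
    "Diagnostic.zip",
    "MULTIPLE_USERS_201548_12-17-2015_14-05-10_Hierarchical.zip",
    "MULTIPLE_USERS_201548_12-17-2015_14-05-10_CSV.zip",
]

if __name__ == "__main__":
    for key, run in group_runs(SAMPLE_FILES).items():
        print(key, run)
```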

Data Access

You can assign users access to appropriate data based on their job roles. The Oracle Fusion security model requires a three-way link between users, role, and data. It's summarized as: who can do what on which data. Who refers to the users, what are the job roles the user is assigned, and which refers to the data that's specific to a particular security context, typically an element of the enterprise structure, such as a business unit, asset book, or ledger.

For example, consider a user, Mary Johnson, who manages accounts payable functions, such as processing supplier invoices for the US Operations business unit. In this scenario, Mary Johnson must be assigned a job role such as the predefined Accounts Payable Manager, and given access to the US Operations business unit.

The following table lists the elements of the enterprise structure to which users can be assigned access based on their job roles.

Product                                     Security Context
------------------------------------------  -----------------------------------
Oracle Fusion Financials                    Business Unit
                                            Data Access Set
                                            Ledger
                                            Asset Book
                                            Control Budget
                                            Intercompany Organization
                                            Reference Data Set
Oracle Fusion Supply Chain Management       Inventory Organization
                                            Reference Data Set
                                            Cost Organization
                                            Manufacturing Plant
Oracle Fusion Procurement                   Business Unit
Oracle Fusion Project Portfolio Management  Project Organization Classification
Oracle Fusion Incentive Compensation        Business Unit

Assigning Data Access

Assigning data access to users is a three-step process:

  1. Create users using one of the following:

    • Manage Users task in Oracle Fusion Functional Setup Manager

      Specify user attributes such as user name, assigned business unit, legal employer, department, job, position, grade, and location.

    • Security Console

  2. Assign at least one job role to users. Use Oracle Fusion Human Capital Management or the Security Console to assign job roles. Alternatively, define Role Provisioning Rules to auto-provision roles to users based on the users' work assignments.

  3. Assign data access to users for each applicable job role. Use the Manage Data Access for Users task in the Functional Setup Manager. For General Ledger users, you can also use the Manage Data Access Set Data Access for Users task to assign data access. Alternatively, define Data Provisioning Rules to auto-provision data access to users based on the users' work assignments.

Assign Data Access to Users

Use the Manage Data Access for Users page to assign data access to users based on their job roles. On this page, you can assign data access to only one user at a time.

The following table lists the questions you can consider before assigning data access to users.

Decision to Consider                                          In This Example
------------------------------------------------------------  ------------------------
Which user role is being given data access?                   Accounts Payable Manager
What is the security context to which access is being given?  Business Unit

Prerequisites

Before you can complete this task, you must:

  1. Create users and specify the user attributes such as a user name, assigned business unit, legal employer, department, job, position, grade and location, and so on. To create users, use the Manage Users task in the Functional Setup Manager or the Create User page. If you're implementing Oracle Fusion HCM, you can also use the Hire an Employee page. You can also use the Security Console to create the implementation users who create the setups, such as legal entities, business units, and so on, that are required to create the users in the Manage Users or Hire an Employee page.

  2. Assign users their job roles. You can either use Oracle Fusion Human Capital Management or the Security Console to assign job roles.

  3. Run the Retrieve Latest LDAP Changes process.

Assigning Data Access to Users Using a Spreadsheet

  1. Sign in to the Functional Setup Manager as an IT Security Manager or Application Implementation Consultant and navigate to the Setup and Maintenance page.

  2. Search for and select the Manage Data Access for Users task. Alternatively, you can perform this task through the product-specific task list.

  3. Click Users without Data Access to view users who don't have data access. Alternatively, to assign additional data access to users, use the Users with Data Access option.

  4. Select the Security Context, for our example, select Business Unit.

  5. Search for users with no data access. For our example, enter Accounts Payable Specialist in the Role field.

    Note: The search fields are related to the user attributes.

  6. Click Search. The Search Results region displays users who don't have any data access.

  7. Click the Authorize Data Access button to export the search results to a Microsoft Excel spreadsheet. You can provide data access to a group of users through the spreadsheet.

  8. Click OK to open the spreadsheet using Microsoft Excel.

  9. Select the Security Context from the list for each user.

  10. Enter the Security Context Value.

    • To provide additional data access to the user, add a new row and enter the user name, role, security context, and security context value.

    • You can click the View Data Access button to see what other data access the user already has even if this is outside the parameters of the search. This may help to identify users you want to grant access to because of existing access.

  11. Click the Upload button on the spreadsheet when you have assigned data access.

  12. Select the upload options on the Upload Options window and click OK.

  13. Note the status of your upload in the Upload column.

    • If the status of the upload is Successful and there are no validation errors in the log file, you can view the data access assignment to the users using the search criteria on the Manage Data Access for Users page.

    • If the upload status is Failed, check the details in your upload file, correct any errors, and upload the file again.

View Role Information Using Security Dashboard

As an IT Security Manager, you can use the Security Dashboard to get a snapshot of the security roles and how those roles are provisioned in the Oracle Cloud Applications. The information is sorted by role category and you can view details such as data security policy, function security policy, and users associated with a role. You can also perform a reverse search on a data security policy or a function security policy and view the associated roles.

You can search for roles using the Role Overview page. You can view the count of the roles which includes the inherited roles, data security policies, and function security policies on this page. Clicking the number in a tile on this page takes you to the corresponding page in the Role Dashboard. You can view role details either on the Role Overview page of the Security Dashboard or the Role Dashboard.

You can view role information such as the directly assigned function security policies and data security policies, roles assigned to users, directly assigned roles, and inherited roles list using the Role Dashboard. Clicking any role-related link on a page of the Security Dashboard takes you to the relevant page in the Role Dashboard. You can export the role information to a spreadsheet. The information on each tab is exported to a sheet in the spreadsheet. This dashboard supports a print-friendly view for a single role.

Here are the steps to view the Security Dashboard:

  1. In the Reports and Analytics work area, click Browse Catalog.

  2. On the Oracle BI page, open Shared Folders > Security > Transaction Analysis Samples > Security Dashboard.

    All pages of the dashboard are listed.

  3. To view the Role Category Overview page, click Open.

    The page displays the number of roles in each role category in both tabular and graphical formats.

  4. In the Number of Roles column, click the numeral value to view the role-related details.

  5. Click View Role to view the role-specific information in the Role Dashboard.

Automatic Data Provisioning

You can automatically assign users access to appropriate data based on their work assignments.

Automatic data provisioning occurs if:

  • At least one of the user's assignments matches all data-mapping conditions on a Data Provisioning Rule

  • At least one role is automatically provisioned to the user using Role Provisioning Rules

  • The matched Data Provisioning Rule includes data assignments for a role that is automatically provisioned to the user

For example, you can create a data provisioning rule to assign all current employees of the Finance Department in Seattle the following data assignments:

Role                            Data Security Context  Value
------------------------------  ---------------------  ------------
Accounts Payable Manager        Business Unit          US West
Accounts Payable Supervisor     Business Unit          US West
Accounts Payable Specialist     Business Unit          US West
Accounts Receivable Manager     Business Unit          US West
Accounts Receivable Specialist  Business Unit          US West
Financial Analyst               Data Access Set        US-Corporate
General Accountant              Data Access Set        US-Corporate
General Accounting Manager      Data Access Set        US-Corporate

With this data provisioning rule defined, a user with a work assignment location of Seattle that has been automatically provisioned one of the job roles listed above would also get the corresponding data assignments.

Note: Role mappings and data provisioning rules use similar attributes to find a user's matching assignments, but you don't have to use the same combination of attributes for both. For example, you can use any combination of job, grade, and department to drive automatic role provisioning, and any combination of business unit, legal employer, and location to drive automatic data provisioning.

Creating a Data Provisioning Rule

To automatically provision data assignments to users, you create data provisioning rules.

Before creating data provisioning rules, you must first opt in to the Data Security Auto-Provisioning for ERP feature.

Sign in as IT Security Manager or Application Implementation Consultant and follow these steps:

  1. Navigate to the Setup and Maintenance page.

  2. Search for and select the Manage Data Access for Users task. Alternatively, you can perform this task through the product-specific task list.

  3. Click Data Provisioning Rules.

  4. In the Search Results section of the page, click Create.

    The Create Data Provisioning Rules page opens.

  5. Set values in the Conditions section to specify when the data provisioning rule applies. For example, use the values given in the following table to limit the data provisioning rule to current employees of the Finance Department in Seattle.

    Field                 Value
    --------------------  ------------------
    Department            Finance Department
    Location              Seattle
    System Person Type    Employee
    HR Assignment Status  Active

  6. In the Data Assignments section, click Add Row.

  7. In the Role Name field, search for and select the role for this particular data assignment.

  8. In the Security Context field, select the desired security context from the list.

Applying Automatic Provisioning

You should run the process Autoprovision Roles for All Users after creating or editing data provisioning rules and after loading person records in bulk. This process compares all current user assignments with all current role mappings and data provisioning rules and creates the appropriate autoprovisioning requests for both role and data assignments.

Automatic Data Provisioning and Deprovisioning

The process of automatic data provisioning and deprovisioning is very similar to automatic role provisioning and deprovisioning.

Automatic Data Provisioning

Users acquire a data assignment automatically when at least one of their work assignments satisfies the conditions in the relevant data provisioning rule and the role named in that data assignment has also been provisioned to them automatically. For example, if a worker is hired into the Finance Department of the Seattle office, the worker acquires the relevant data assignments automatically if an appropriate data provisioning rule exists for the Finance Department, the Seattle office, or both, provided that at least one of the roles listed in that rule's data assignments is also automatically provisioned to the user. Provisioning occurs when you create or update worker assignments. All changes to work assignments cause review and update of a worker's automatically provisioned roles and data assignments.

Data Deprovisioning

Users lose automatically provisioned data assignments when they no longer satisfy the data provisioning conditions. For example, if a worker is relocated from the Seattle office to another office, data assignments that were automatically provisioned for workers working at the Seattle office will be lost automatically. You can also manually deprovision automatically provisioned data assignments at any time.

Data Assignments at Termination

When you terminate a work relationship, the user automatically loses all automatically provisioned data assignments, similar to how the user would automatically lose all automatically provisioned roles.

Autoprovision Roles for All Users Process

The Autoprovision Roles for All Users process handles both automatic role provisioning and automatic data provisioning. The process compares all current user assignments with all current role mappings and data provisioning rules. Users with at least one work assignment that matches the conditions in a data provisioning rule acquire that rule's data assignments, as long as the corresponding role is automatically provisioned to them. Users who currently have the data assignments but no longer satisfy the associated data provisioning rule conditions lose those data assignments.
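The dependency between a data provisioning rule match and an autoprovisioned role, together with the earlier note that the two rule types can key on different attributes, is easier to see in a model. The following Python is an added example, not Oracle code; the rule structure, the user records and the assumption that a role mapping keyed on Job (not on Location) granted the Accounts Payable Manager role are constructed for illustration.

```python
"""Model of automatic data provisioning (added example; not Oracle code).

A user dict holds:
  work_assignments  list of dicts, attribute -> value
  auto_roles        roles currently held through role-mapping autoprovisioning
  auto_data         data assignments currently held through data provisioning
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataProvisioningRule:
    name: str
    conditions: dict    # attribute -> required value; every condition must hold
    assignments: tuple  # (role name, security context, value) triples


# Constructed rule: a subset of the Finance Department / Seattle table above.
FINANCE_SEATTLE = DataProvisioningRule(
    "Finance Seattle Data",
    {"Department": "Finance Department", "Location": "Seattle",
     "System Person Type": "Employee", "HR Assignment Status": "Active"},
    (("Accounts Payable Manager", "Business Unit", "US West"),
     ("Accounts Payable Specialist", "Business Unit", "US West"),
     ("General Accountant", "Data Access Set", "US-Corporate")),
)
RULES = [FINANCE_SEATTLE]


def user_matches(work_assignments, conditions):
    """At least one work assignment must satisfy every condition of the rule."""
    return any(all(a.get(k) == v for k, v in conditions.items())
               for a in work_assignments)


def target_data_assignments(user, rules=RULES):
    """Data assignments the user should hold: the rule must match AND the
    role in the data assignment must already be autoprovisioned."""
    target = set()
    for rule in rules:
        if user_matches(user["work_assignments"], rule.conditions):
            target |= {da for da in rule.assignments if da[0] in user["auto_roles"]}
    return target


def reconcile_data(user, rules=RULES):
    """Data assignment add/remove requests for one user, as the
    Autoprovision Roles for All Users process would create them."""
    target = target_data_assignments(user, rules)
    return {"add": sorted(target - user["auto_data"]),
            "remove": sorted(user["auto_data"] - target)}


# Constructed sample data (not real records).
SEATTLE_AP = {"Department": "Finance Department", "Location": "Seattle",
              "System Person Type": "Employee", "HR Assignment Status": "Active",
              "Job": "Accounts Payable Manager"}
AP_WEST = ("Accounts Payable Manager", "Business Unit", "US West")

DAN = {  # matches the data rule; role was autoprovisioned by a mapping keyed on Job
    "work_assignments": [SEATTLE_AP],
    "auto_roles": {"Accounts Payable Manager"},
    "auto_data": set(),
}
ERIN = {  # matches the data rule but holds no autoprovisioned role: nothing to assign
    "work_assignments": [SEATTLE_AP],
    "auto_roles": set(),
    "auto_data": set(),
}
DAN_RELOCATED = {  # moved to Portland: rule no longer matches, assignment is removed
    "work_assignments": [dict(SEATTLE_AP, Location="Portland")],
    "auto_roles": {"Accounts Payable Manager"},
    "auto_data": {AP_WEST},
}
DAN_TERMINATED = {  # assignment inactive: rule no longer matches either
    "work_assignments": [dict(SEATTLE_AP, **{"HR Assignment Status": "Inactive"})],
    "auto_roles": set(),
    "auto_data": {AP_WEST},
}

if __name__ == "__main__":
    for name, user in (("DAN", DAN), ("ERIN", ERIN),
                       ("DAN_RELOCATED", DAN_RELOCATED), ("DAN_TERMINATED", DAN_TERMINATED)):
        print(name, reconcile_data(user))
```

Only the Accounts Payable Manager data assignment is created for the first user even though the rule lists three roles: the other two roles were never autoprovisioned, so their data assignments stay out of reach. Relocation and termination both remove the assignment because the rule conditions, not the role, stop matching.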

Access for Workflow Administrators

Predefined roles provide workflow administration access for specific product families. These roles are assigned by default to predefined job roles. Administrators with these roles can, for example, set up approval rules and manage submitted approval tasks for corresponding product families. One predefined role gives access for all families and isn't assigned by default to any predefined job role.

Predefined Roles

This table lists the predefined roles for workflow administration access and the predefined job roles that they're assigned to.

All
  Role name:    BPM Workflow All Domains Administrator Role
  Role code:    BPMWorkflowAllDomainsAdmin
  Assigned to:  None

Financials
  Role name:    BPM Workflow Financials Administrator
  Role code:    BPMWorkflowFINAdmin
  Assigned to:  Financial Application Administrator (ORA_FUN_FINANCIAL_APPLICATION_ADMINISTRATOR_JOB)

Higher Education
  Role name:    BPM Workflow Higher Education Administrator
  Role code:    BPMWorkflowHEDAdmin
  Assigned to:  Higher Education Application Administrator (ORA_HEY_HIGHER_EDUCATION_APPLICATION_ADMINISTRATOR_JOB)

Human Capital Management
  Role name:    BPM Workflow Human Capital Management
  Role code:    BPMWorkflowHCMAdmin
  Assigned to:  Human Capital Management Application Administrator (ORA_HRC_HUMAN_CAPITAL_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)

Incentive Compensation
  Role name:    BPM Workflow Incentive Compensation Administrator
  Role code:    BPMWorkflowOICAdmin
  Assigned to:  Customer Relationship Management Application Administrator (ORA_ZCA_CUSTOMER_RELATIONSHIP_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)
                Incentive Compensation Application Administrator (ORA_CN_INCENTIVE_COMPENSATION_ADMINISTRATOR_JOB)

Procurement
  Role name:    BPM Workflow Procurement Administrator
  Role code:    BPMWorkflowPRCAdmin
  Assigned to:  Procurement Application Administrator (ORA_PO_PROCUREMENT_APPLICATION_ADMIN_JOB)

Project Portfolio Management
  Role name:    BPM Workflow Project Administrator
  Role code:    BPMWorkflowPRJAdmin
  Assigned to:  Project Application Administrator (ORA_PJF_PROJECTS_APPLICATION_ADMINISTRATOR_JOB)

Sales
  Role name:    BPM Workflow Customer Relationship Management Administrator
  Role code:    BPMWorkflowCRMAdmin
  Assigned to:  Corporate Marketing Manager (ORA_MKT_CORPORATE_MARKETING_MANAGER_JOB)
                Customer Relationship Management Application Administrator (ORA_ZCA_CUSTOMER_RELATIONSHIP_MANAGEMENT_APPLICATION_ADMINISTRATOR_JOB)
                Marketing Analyst (ORA_MKT_MARKETING_ANALYST_JOB)
                Marketing Manager (ORA_MKT_MARKETING_MANAGER_JOB)
                Marketing Operations Manager (ORA_MKT_MARKETING_OPERATIONS_MANAGER_JOB)
                Marketing VP (ORA_MKT_MARKETING_VP_JOB)
                Sales Lead Qualifier (ORA_MKL_SALES_LEAD_QUALIFIER_JOB)

Supply Chain Management
  Role name:    BPM Workflow Supply Chain Administrator
  Role code:    BPMWorkflowSCMAdmin
  Assigned to:  Supply Chain Application Administrator (ORA_RCS_SUPPLY_CHAIN_APPLICATION_ADMINISTRATOR_JOB)

Usage of the Roles

If your administrators manage workflow for more than one product family, then you or your security administrator can add the appropriate family-specific roles to custom roles for those users. If your administrators manage workflow for all product families, then add BPM Workflow All Domains Administrator Role to a custom role for those users.

Note:
  • Assign BPM Workflow All Domains Administrator Role only if your administrators truly need access for all product families. For multiple product families, but not all, assign instead the roles for the corresponding families.

  • To-do tasks are visible to all administrators no matter which role they have for workflow administration access.

View Role Information Using Security Dashboard

As an IT Security Manager, you can use the Security Dashboard to get a snapshot of the security roles and how those roles are provisioned in the Oracle Cloud Applications. The information is sorted by role category and you can view details such as data security policy, function security policy, and users associated with a role. You can also perform a reverse search on a data security policy or a function security policy and view the associated roles.

You can search for roles using the Role Overview page. On this page you can view the counts of roles (including inherited roles), data security policies, and function security policies. Clicking the number in a tile takes you to the corresponding page in the Role Dashboard. You can view role details either on the Role Overview page of the Security Dashboard or in the Role Dashboard.

You can view role information such as the directly assigned function security policies and data security policies, roles assigned to users, directly assigned roles, and inherited roles list using the Role Dashboard. Clicking any role-related link on a page of the Security Dashboard takes you to the relevant page in the Role Dashboard. You can export the role information to a spreadsheet. The information on each tab is exported to a sheet in the spreadsheet. This dashboard supports a print-friendly view for a single role.

Here are the steps to view the Security Dashboard:

  1. In the Reports and Analytics work area, click Browse Catalog.

  2. On the Oracle BI page, open Shared Folders > Security > Transaction Analysis Samples > Security Dashboard.

    All pages of the dashboard are listed.

  3. To view the Role Category Overview page, click Open.

    The page displays the number of roles in each role category in both tabular and graphical formats.

  4. In the Number of Roles column, click the numeral value to view the role-related details.

  5. Click View Role to view the role-specific information in the Role Dashboard.

FAQs on Provisioning Roles and Data to Application Users

Most are assignment attributes, such as job or department. At least one of a user's assignments must match all assignment values in the role mapping for the user to qualify for the associated roles.

Any role that you want to provision to users. You can provision data roles, abstract roles, and job roles to users. The roles can be either predefined or custom.

The provisioning method identifies how the user acquired the role. This table describes its values.

Automatic
  The user qualifies for the role automatically based on his or her assignment attribute values.

Manual
  Either another user assigned the role to the user, or the user requested the role.

External
  The user acquired the role outside Oracle Applications Cloud.

How do I provision roles to users?

Use the following tasks to provision roles to users.

  • Manage Users

  • Provision Roles to Implementation Users

The Manage Users task is available in Oracle HCM Cloud, Oracle CX Sales, Oracle ERP Cloud, Oracle SCM Cloud, and Oracle Fusion Suppliers.

Human Resources (HR) transaction flows such as Hire and Promote also provision roles.

How do I view the privileges or policies for a job role?

The most efficient way is to use the Security Console to search for and select the job role. When it appears in the visualizer, you can see all inherited roles, aggregate privileges, and privileges. If you edit the role from the visualizer, you can see the policies on the function policies and data policies pages.

How can I tell which roles are provisioned to a user?

Use the Security Console to search for the user. When you select the user, the user and any roles assigned to the user appear in the visualizer. Navigate the nodes to see the role hierarchies and privileges. You must be assigned the IT Security Manager role to access the Security Console.

Why can't a user access a task?

If a task doesn't appear in a user's task list, you may need to provision roles to the user.

A position or job and its included duties determine the tasks that users can perform. Provisioned roles provide access to tasks through the inherited duty roles.

The duty roles in a role hierarchy carry privileges to access functions and data. You don't assign duty roles directly to users. Instead, duty roles are assigned to job or abstract roles in a role hierarchy. If the duties assigned to a predefined job role don't match the corresponding job in your enterprise, you can create copies of job roles and add duties to or remove duties from the copy.

Note: You can't change predefined roles to add or remove duties. In the Security Console, you can identify predefined roles by the ORA_ prefix in the Role Code field. Create copies and update the copies instead.

Users are generally provisioned with roles based on role provisioning rules. If a user requests a role to access a task, always review the security reference implementation to determine the most appropriate role.
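As an added example (not Oracle's code and not a Security Console API), the Python below walks a role hierarchy the way you would navigate the visualizer nodes, to show which inherited duty role supplies the privilege a task needs, or that none does, and applies the copy-then-customize rule for predefined roles. The role codes, duty roles, privileges and the hierarchy itself are hypothetical, constructed for the example; only the ORA_ prefix convention for predefined roles comes from the page.

```python
"""Added example, not Oracle's code: trace how a user's assigned roles reach
(or fail to reach) a function privilege through inherited duty roles, and
refuse to edit predefined (ORA_) roles, copying them instead.
All role codes and privileges below are hypothetical, constructed for the example."""
from collections import deque
from typing import Dict, List, Optional, Set

# role code -> role codes it inherits directly (job roles inherit duty roles,
# duty roles may inherit other duty roles). Constructed hierarchy.
HIERARCHY: Dict[str, List[str]] = {
    "ORA_EX_SALES_MANAGER_JOB": ["ORA_EX_MANAGE_OPPORTUNITY_DUTY", "ORA_EX_VIEW_TEAM_DUTY"],
    "ORA_EX_MANAGE_OPPORTUNITY_DUTY": ["ORA_EX_VIEW_OPPORTUNITY_DUTY"],
    "ORA_EX_VIEW_OPPORTUNITY_DUTY": [],
    "ORA_EX_VIEW_TEAM_DUTY": [],
    "ORA_EX_MANAGE_TRAINING_DUTY": [],
}
# role code -> function privileges the role carries directly. Constructed.
PRIVILEGES: Dict[str, Set[str]] = {
    "ORA_EX_MANAGE_OPPORTUNITY_DUTY": {"Edit Opportunity"},
    "ORA_EX_VIEW_OPPORTUNITY_DUTY": {"View Opportunity"},
    "ORA_EX_VIEW_TEAM_DUTY": {"View Team"},
    "ORA_EX_MANAGE_TRAINING_DUTY": {"Manage Training Plan"},
}


def is_predefined(role: str) -> bool:
    """Predefined roles carry the ORA_ prefix in their role code."""
    return role.startswith("ORA_")


def inherited_roles(role: str, hierarchy=HIERARCHY) -> Set[str]:
    """All roles reachable from `role`, including itself (cycle-safe BFS)."""
    seen, queue = {role}, deque([role])
    while queue:
        for child in hierarchy.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def effective_privileges(assigned: List[str], hierarchy=HIERARCHY,
                         privileges=PRIVILEGES) -> Set[str]:
    """Union of privileges carried by every role the user holds or inherits."""
    out: Set[str] = set()
    for role in assigned:
        for r in inherited_roles(role, hierarchy):
            out |= privileges.get(r, set())
    return out


def access_path(assigned: List[str], privilege: str, hierarchy=HIERARCHY,
                privileges=PRIVILEGES) -> Optional[List[str]]:
    """Shortest chain assigned role -> ... -> role carrying `privilege`, or None.
    None is the 'why can't a user access a task' answer: no held role inherits it."""
    queue = deque([[r] for r in assigned])
    seen = set(assigned)
    while queue:
        path = queue.popleft()
        if privilege in privileges.get(path[-1], set()):
            return path
        for child in hierarchy.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None


def copy_role(src: str, new_code: str, hierarchy=HIERARCHY) -> None:
    """Create an editable copy of a role; the predefined source is left untouched."""
    if new_code in hierarchy:
        raise ValueError(f"{new_code} already exists")
    hierarchy[new_code] = list(hierarchy[src])


def add_duty(role: str, duty: str, hierarchy=HIERARCHY) -> None:
    """Add a duty role to a custom role; refuse to modify a predefined one."""
    if is_predefined(role):
        raise PermissionError(f"{role} is predefined (ORA_ prefix); copy it first")
    if duty not in hierarchy[role]:
        hierarchy[role].append(duty)


def run_example() -> dict:
    """Work on a private copy of the hierarchy so repeated runs are independent."""
    h = {k: list(v) for k, v in HIERARCHY.items()}
    need = "Manage Training Plan"
    result = {"before": access_path(["ORA_EX_SALES_MANAGER_JOB"], need, h)}
    try:
        add_duty("ORA_EX_SALES_MANAGER_JOB", "ORA_EX_MANAGE_TRAINING_DUTY", h)
        result["blocked"] = False
    except PermissionError:
        result["blocked"] = True          # predefined role: must copy instead
    copy_role("ORA_EX_SALES_MANAGER_JOB", "CUST_SALES_MANAGER_JOB", h)
    add_duty("CUST_SALES_MANAGER_JOB", "ORA_EX_MANAGE_TRAINING_DUTY", h)
    result["after"] = access_path(["CUST_SALES_MANAGER_JOB"], need, h)
    result["view_path"] = access_path(["CUST_SALES_MANAGER_JOB"], "View Opportunity", h)
    result["privs"] = effective_privileges(["CUST_SALES_MANAGER_JOB"], h)
    return result


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

The returned `before` of None is the diagnosis for the FAQ above: no role the user holds inherits a duty that carries the privilege, so the task stays out of the task list until a role that does is provisioned. The copy keeps the predefined role unchanged, which is the behaviour the Note describes.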

How can I autoprovision data assignments for users?

If you want to use automatic provisioning of data assignments, you need to consider the following points:

  1. All users with matching work assignments automatically get the same data assignments, as specified in the data provisioning rules. Although you can manually deprovision unwanted data assignments, the extra manual work negates the benefits of automatic data provisioning and creates security risks.

  2. Only data assignments for roles that are autoprovisioned can be automatically provisioned. However, the data provisioning rules don't need to use the same combination of attributes that the role mappings use to drive role provisioning.

What happens if I autoprovision data assignments for a user?

The data assignment provisioning process is part of the role-provisioning process and reviews the user's work assignments against all data provisioning rules.

The user immediately:

  • Acquires any data assignments for roles for which he or she qualifies but doesn't have

  • Loses any data assignments for roles for which he or she no longer qualifies

Run the Autoprovision Roles for All Users process to autoprovision data assignments to users whenever new or changed role provisioning rules exist. Otherwise, no automatic provisioning of data assignments occurs until you next update the user's work assignments.

Why can't I see the data assignments for a user that I expect to be autoprovisioned?

Automatic provisioning of data assignments occurs only for roles that are also automatically provisioned.
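As an added example that is not Oracle's code, the Python below models the reconciliation that the Autoprovision Roles for All Users process performs, as described earlier on this page and in the data provisioning FAQs above: a user qualifies when at least one assignment matches all conditions of a mapping, only mappings with Autoprovision selected grant roles, only grants with provisioning method Automatic are revoked, and data assignments follow only roles that are automatically provisioned, even when the data rule's own conditions are met. The dict layouts, the provisioning-method tag kept on data assignments, the Business Unit context value, and the four sample users are assumptions constructed for the example.

```python
"""Added example, not Oracle's code: a simplified model of the Autoprovision
Roles for All Users reconciliation. Data structures, the method tag on data
assignments, and the sample users are constructed assumptions."""
from typing import Dict, List, Tuple

AUTOMATIC, MANUAL, EXTERNAL = "Automatic", "Manual", "External"

Assignment = Dict[str, str]       # assignment attribute -> value
RoleState = Dict[str, str]        # role -> provisioning method
DataKey = Tuple[str, str, str]    # (role, data security context, value)
DataState = Dict[DataKey, str]    # data assignment -> provisioning method

# Role mappings: conditions on assignment attributes plus the Autoprovision flag.
ROLE_MAPPINGS = [
    {"role": "Sales Manager Finance Department",
     "conditions": {"Department": "Finance Department", "Job": "Sales Manager",
                    "HR Assignment Status": "Active"},
     "autoprovision": True},
    {"role": "Training Team Leader",
     "conditions": {"Manager with Reports": "Yes", "HR Assignment Status": "Active"},
     "autoprovision": False},   # Requestable only: this process never grants it
]

# Data provisioning rules: their own conditions (they need not repeat the role
# mapping's), the role they attach to, and the data security context granted.
DATA_RULES = [
    {"role": "Sales Manager Finance Department",
     "conditions": {"Department": "Finance Department"},
     "context": ("Business Unit", "Finance BU")},   # hypothetical context value
]


def matches(assignment: Assignment, conditions: Dict[str, str]) -> bool:
    """One assignment matches only if it satisfies every condition."""
    return all(assignment.get(attr) == value for attr, value in conditions.items())


def qualifies(assignments: List[Assignment], conditions: Dict[str, str]) -> bool:
    """A user qualifies when at least one assignment matches all conditions."""
    return any(matches(a, conditions) for a in assignments)


def autoprovision(assignments: Dict[str, List[Assignment]],
                  roles: Dict[str, RoleState],
                  data: Dict[str, DataState],
                  mappings=ROLE_MAPPINGS, rules=DATA_RULES):
    """Reconcile every user's roles and data assignments against the rules.

    Returns (roles, data, changes). Only grants this process made (method
    Automatic) are ever revoked; Manual and External grants are left alone.
    """
    roles = {u: dict(r) for u, r in roles.items()}
    data = {u: dict(d) for u, d in data.items()}
    changes = []
    for user, asg in assignments.items():
        held = roles.setdefault(user, {})
        wanted = {m["role"] for m in mappings
                  if m["autoprovision"] and qualifies(asg, m["conditions"])}
        for role in sorted(wanted - set(held)):
            held[role] = AUTOMATIC
            changes.append((user, "grant role", role))
        for role in sorted(r for r, how in held.items()
                           if how == AUTOMATIC and r not in wanted):
            del held[role]
            changes.append((user, "revoke role", role))

        # Data assignments follow only roles that are automatically provisioned,
        # even when the user's assignment satisfies the data rule's conditions.
        held_data = data.setdefault(user, {})
        wanted_data = {(r["role"],) + r["context"] for r in rules
                       if held.get(r["role"]) == AUTOMATIC
                       and qualifies(asg, r["conditions"])}
        for key in sorted(wanted_data - set(held_data)):
            held_data[key] = AUTOMATIC
            changes.append((user, "grant data", key))
        for key in sorted(k for k, how in held_data.items()
                          if how == AUTOMATIC and k not in wanted_data):
            del held_data[key]
            changes.append((user, "revoke data", key))
    return roles, data, changes


def run_example():
    """Constructed sample users covering grant, revoke, and two no-change cases."""
    finance_mgr = {"Department": "Finance Department", "Job": "Sales Manager",
                   "HR Assignment Status": "Active"}
    role = "Sales Manager Finance Department"
    assignments = {
        # Two assignments; only the second matches, which is enough to qualify.
        "alice": [{"Department": "Marketing", "Job": "Analyst",
                   "HR Assignment Status": "Active"}, finance_mgr],
        # Moved out of Finance: the automatic role and its data are removed.
        "bob": [{**finance_mgr, "Department": "Marketing"}],
        # Inactive, and the role held was granted manually: nothing changes.
        "carol": [{**finance_mgr, "HR Assignment Status": "Inactive"}],
        # Satisfies the data rule's condition but holds the role manually, so
        # no data assignment is autoprovisioned.
        "dave": [{**finance_mgr, "Job": "Sales Representative"}],
    }
    roles = {"bob": {role: AUTOMATIC},
             "carol": {"Training Team Leader": MANUAL},
             "dave": {role: MANUAL}}
    data = {"bob": {(role, "Business Unit", "Finance BU"): AUTOMATIC}}
    return autoprovision(assignments, roles, data)


if __name__ == "__main__":
    for change in run_example()[2]:
        print(*change)
```

The dave case is the situation the FAQ above describes: his assignment satisfies the data rule, but the role was provisioned manually, so the process grants no data assignment. Because every user's assignments are re-evaluated on each run, the same code also shows why the process should be run after rules change, not only when an assignment is updated.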

What data security contexts are supported in automatic data provisioning?

All data security contexts that are supported in Manage Data Access for Users are supported. In other words, automatic data provisioning is essentially rule-based Manage Data Access for Users assignment.