Edit Job Role and Abstract Role

You can create a role by copying a predefined job role or abstract role and editing the copy. You must have the IT Security Manager job role or privileges to perform this task.

Caution: While creating custom roles, make sure you assign only the required privileges. Assigning all the privileges may impact subscription usage. Before you proceed, see the topic Guidance for Assigning Predefined Roles.

Edit the Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code. If location-based access is enabled, then you can also manage the Enable Role for Access from All IP Addresses option.

  4. Click Next.

Manage Functional Security Privileges

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures in the Details section of the page.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from the selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

Make no changes on the Copy Role: Data Security Policies page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied role and its inherited aggregate privileges and duty roles. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

Note: The role that you're removing must be inherited directly by the role that you're editing. If the role is inherited indirectly, then you must edit its parent role.
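The direct-versus-indirect rule in the note above, as an added example that is not part of the original documentation: a plain-Python model that finds which role you must edit to remove an inherited role, and which other roles that edit also changes. The hierarchy and every role code are constructed sample data entered by hand; nothing is read from the Security Console.

```python
from collections import deque

# Constructed sample: each role maps to the roles it inherits DIRECTLY.
HIERARCHY = {
    "CUSTOM_AP_MANAGER": ["CUSTOM_AP_DUTY", "AGG_VIEW_INVOICES"],
    "CUSTOM_AP_CLERK": ["CUSTOM_AP_DUTY"],
    "CUSTOM_AP_DUTY": ["AGG_PAY_INVOICES", "CUSTOM_REPORT_DUTY"],
    "CUSTOM_REPORT_DUTY": ["AGG_VIEW_INVOICES"],
    "AGG_VIEW_INVOICES": [],
    "AGG_PAY_INVOICES": [],
}

def is_direct(hierarchy, root, target):
    """True if root inherits target directly, so it can be removed on root."""
    return target in hierarchy.get(root, [])

def inheritance_paths(hierarchy, root, target):
    """Every chain of roles through which root inherits target."""
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        for child in hierarchy.get(path[-1], []):
            if child in path:          # guard against a cyclic hierarchy
                continue
            if child == target:
                paths.append(path + [child])
            else:
                queue.append(path + [child])
    return paths

def roles_to_edit(hierarchy, root, target):
    """Roles holding the direct grant of target on some path from root.

    The role just before target on each path is its direct parent,
    which is the role that has to be edited to remove it.
    """
    return sorted({p[-2] for p in inheritance_paths(hierarchy, root, target)})

def inheritors(hierarchy, role):
    """All roles that inherit `role`, directly or indirectly.

    Editing `role` changes what each of these roles grants.
    """
    return sorted(r for r in hierarchy
                  if r != role and inheritance_paths(hierarchy, r, role))

if __name__ == "__main__":
    for target in ("AGG_PAY_INVOICES", "AGG_VIEW_INVOICES"):
        for parent in roles_to_edit(HIERARCHY, "CUSTOM_AP_MANAGER", target):
            print(target, "edit:", parent, "also affects:", inheritors(HIERARCHY, parent))
```

In this sample, one aggregate privilege reaches the edited role by two paths, so removing only the direct grant leaves it inherited through the duty role.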

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Provision the Role to Users

To provision the role to users, you must create a role mapping. Don't provision the role to users on the Security Console.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.