Duty Role Components
A typical duty role consists of function security privileges and data security policies. Duty roles may also inherit aggregate privileges and other duty roles.
Data Security Policies
For a given duty role, you may create any number of data security policies. Each policy selects a set of data required for the duty to be completed and actions that may be performed on that data. The duty role may also acquire data security policies indirectly from its aggregate privileges.
These are the components of a data security policy:
-
A duty role, for example Expense Entry Duty.
-
A business object that's being accessed, for example Expense Reports.
-
The condition, if any, that controls access to specific instances of the business object. For example, a condition may allow access to data applying to users for whom a manager is responsible.
-
A data security privilege, which defines what may be done with the specified data, for example Manage Expense Report.
Function Security Privileges
Many function security privileges are granted directly to a duty role. It also acquires function security privileges indirectly from its aggregate privileges.
Each function security privilege secures the code resources that make up the relevant pages, such as the Manage Grades and Manage Locations pages.