Guidance for Assigning Predefined Roles

As a security administrator, you have access to the predefined roles and privileges that are readily available for assignment. However, you must assess the user's need before assigning those roles as is with the complete set of privileges.

When you assign predefined roles and privileges as is, you're entrusting users with full access to all data and functionality. Such unrestricted access without really determining the business need might pose a security concern. Also, the assigned privileges might account for subscription consumption irrespective of whether you purchased the cloud service or not. A detailed list of all the predefined roles that impact subscription is available for reference. See the spreadsheet Predefined Roles with Subscription Impact.

If you are aware of a requirement or recommendation to assign specific predefined roles as is, it's fine to do so. For example, only while setting up an application, you may need to assign the predefined Application Implementation Consultant role as is. Once the setup is complete, you can unassign it. Otherwise, the recommended process is to always make a copy of the predefined role, remove the privileges you don't need, and assign only the required privileges. That way, you will hit the subscription usage in a controlled way, based on your business need.

Note: Updates to Fusion Applications might also include changes to certain predefined roles. Check the release readiness documents for your product area to know if there are any updates to the predefined roles that are in use. If you find changes that are relevant, incorporate the same changes to your custom role. This will remain an ongoing maintenance activity for the custom roles.