Role Provisioning and Deprovisioning
You must provision roles to users. Otherwise, they have no access to data or functions and can't perform application tasks. This topic explains how role mappings control role provisioning and deprovisioning.
Use the Manage Role Provisioning Rules or Manage HCM Role Provisioning Rules task to create role mappings.
Role Provisioning Methods
You can provision roles to users:
-
Automatically
-
Manually
-
Users such as line managers can provision roles manually to other users.
-
Users can request roles for themselves.
-
For both automatic and manual role provisioning, you create a role mapping to specify when a user becomes eligible for a role.
Role Types
You can provision data roles, abstract roles, and job roles to users. However, for Oracle Fusion Cloud HCM users, you typically include job roles in HCM data roles and provision those data roles.
Automatic Role Provisioning
Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments. For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles.
Role Deprovisioning
Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time.
Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.
Roles at Termination
When you terminate a work relationship, the user automatically loses all automatically provisioned roles for which he or she no longer qualifies. The user loses manually provisioned roles only if he or she has no other work relationships. Otherwise, the user keeps manually provisioned roles until you remove them manually.
The user who's terminating a work relationship specifies when the user loses roles. Deprovisioning can occur:
-
On the termination date
-
On the day after the termination date
If you enter a future termination date, then role deprovisioning doesn't occur until that date or the day after. The Role Requests in the Last 30 Days section on the Manage User Account page is updated only when the deprovisioning request is created. Entries remain in that section until they're processed.
Role mappings can provision roles to users automatically at termination. For example, a terminated worker could acquire the custom role Retiree at termination based on assignment status and person type values.
Reversal of Termination
Reversing a termination removes any roles that the user acquired automatically at termination. It also provisions roles to the user as follows:
-
Any manually provisioned roles that were lost automatically at termination are reinstated.
-
As the autoprovisioning process runs automatically when a termination is reversed, roles are provisioned automatically as specified by current role-provisioning rules.
You must reinstate manually any roles that you removed manually, if appropriate.
Date-Effective Changes to Assignments
Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role provisioning occurs on the day the changes take effect. The Send Pending LDAP Requests process identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time. These role-provisioning changes take effect on the system date. Therefore, a delay of up to 24 hours may occur before users in other time zones acquire their roles.