Create Job and Abstract Roles from Scratch

If the predefined roles aren't suitable or you need a role with few privileges, then you can create a role from scratch. This topic explains how to create a job role or abstract role. To perform this task, you must have the IT

Enter Basic Information

Follow these steps:

  1. On the Roles tab of the Security Console, click Create Role.

  2. On the Create Role: Basic Information page, enter the role's display name in the Role Name field. For example, enter Sales Department Administration Job Role.

  3. Complete the Role Code field. For example, enter SALES_DEPT_ADMIN_JOB.

    Abstract roles have the suffix _ABSTRACT, and job roles have the suffix _JOB.

  4. In the Role Category field, select either Financials - Abstract Roles, Financials - Discretionary Roles, or Financials - Job Roles, as appropriate.

  5. If you're using location-based access, then you see the Enable Role for Access from All IP Addresses option. If you select this option, then users who have the role can access the tasks that the role secures from any IP address.

  6. Click Next.

Add Functional Security Policies

When you create a role from scratch, you're most likely to add one or more aggregate privileges or duty roles to your role. You're less likely to grant function security privileges directly to the role.

If you aren't granting function security privileges, then click Next. Otherwise, to grant function security privileges to the role:

  1. On the Privileges tab of the Create Role: Functional Security Policies page, click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from a selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Create Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

Create Data Security Policies

The Create Role: Data Security Policies page enables you to add data security policies as needed.

Note: For the Data Security Policies page to be active, you must select the Enable edit of data security policies option. To find this option, select the Administration tab, then select the Roles tab on the Administration page. If this option isn't selected, the Data Security Policies page is read-only.

To add a data security policy:

  1. Click the Create Data Security Policy icon.

  2. Enter values that define the policy. A start date is required; a name, end date, and description are optional. Values that define the data access include:

    • Data Resource: A database table.

    • Data Set: A definition that selects a subset of the data made available by the data resource:

      • Select by key: Choose a primary key value to limit the data set to the record in the data resource whose primary key matches the value you select.

      • Select by instance set: Choose a condition that defines a subset of the data in the data resource. Conditions vary by resource.

      • All values: Include all data from the data resource in your data set.

    • Actions: Select one or more data privileges to apply to the data set you have defined.

  3. Click OK to save.

Build the Role Hierarchy

The Create Role: Role Hierarchy page shows the hierarchy of your custom role in tabular format by default. You can add one or more aggregate privileges, job roles, abstract roles, and duty roles to the role. Roles are always added directly to the role that you're creating.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. When you finish adding roles, close the Add Role Membership dialog box.

  7. Click Next.
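The rules spread across the function security policy note, the data security policy steps, and the role hierarchy steps above can be checked before you click Save and Close. The following is an added example, not Oracle code or a Security Console API: it models a custom role as the page describes it (direct function privileges, member roles and aggregate privileges, data security policies), computes the privileges the role confers through its hierarchy, and flags a role code whose suffix does not match its category, a function privilege granted directly when it belongs to an aggregate privilege, and a data security policy missing its required start date or using two data-set selection modes at once. The `aggregate_of` lookup and all privilege, role and table names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional
# Suffix the page states for each role category (discretionary roles have none).
SUFFIX_BY_CATEGORY = {"Financials - Job Roles": "_JOB", "Financials - Abstract Roles": "_ABSTRACT"}

@dataclass
class DataSecurityPolicy:
    data_resource: str                  # the database table
    actions: set                        # data privileges applied to the data set
    start_date: Optional[str]           # required; name, end date and description are optional
    key: Optional[str] = None           # "select by key": one primary-key value
    instance_set: Optional[str] = None  # "select by instance set": a condition on the resource
    # neither key nor instance_set set means "all values"

@dataclass
class Role:
    code: str
    category: str
    privileges: set = field(default_factory=set)   # function privileges granted directly
    members: list = field(default_factory=list)    # roles/aggregate privileges in the hierarchy
    data_policies: list = field(default_factory=list)

def effective_privileges(role: Role) -> set:
    """Function privileges the role confers, including those inherited through its members."""
    result = set(role.privileges)
    for member in role.members:
        result |= effective_privileges(member)
    return result

def validate(role: Role, aggregate_of: dict) -> list:
    """Violations of the page's rules; aggregate_of maps a function privilege to its aggregate."""
    problems = []
    suffix = SUFFIX_BY_CATEGORY.get(role.category)
    if suffix and not role.code.endswith(suffix):
        problems.append(f"{role.code}: expected suffix {suffix} for {role.category}")
    for priv in sorted(role.privileges):
        if priv in aggregate_of:  # the Console enforces this; catch it in review first
            problems.append(f"{priv}: add aggregate {aggregate_of[priv]} to the hierarchy instead")
    for dsp in role.data_policies:
        if not dsp.start_date:
            problems.append(f"{dsp.data_resource}: start date is required")
        if dsp.key and dsp.instance_set:
            problems.append(f"{dsp.data_resource}: choose key, instance set or all values, not two")
    return problems

# Constructed sample (placeholder names, not real Oracle privilege codes).
AGGREGATE_OF = {"EXAMPLE_VIEW_PRIV": "EXAMPLE_VIEW_AGG"}
example_agg = Role("EXAMPLE_VIEW_AGG", "aggregate privilege", privileges={"EXAMPLE_VIEW_PRIV"})
sales_admin = Role("SALES_DEPT_ADMIN_JOB", "Financials - Job Roles", members=[example_agg],
    data_policies=[DataSecurityPolicy("EXAMPLE_TABLE", {"read"}, "2024-01-01", instance_set="dept = 'Sales'")])
```

Running `validate(sales_admin, AGGREGATE_OF)` on the sample returns no problems because the function privilege reaches the role only through its aggregate privilege; granting `EXAMPLE_VIEW_PRIV` directly would be flagged.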

Provision the Role

The Create Role: Users page enables you to quickly provision a new role to users.

Note: For the Users page to be active, you must select the Enable edit of user role membership option. To find this option, select the Administration tab, then select the Roles tab on the Administration page. If this option isn't selected, the Users page is read-only.

To add users to this role:

  1. Click the Add User button.

  2. In the Search field, select Users, one or more role types, or any combination of these, and enter at least three characters. The search returns items of the selected types whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users, which adds all its assigned users to the role you're creating.

    Alternatively, once the role exists, you can create a role mapping to provision it to users automatically.

Review the Role

On the Create Role: Summary and Impact Report page, review the summary of the changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

Your custom role is available immediately.