Edit Job and Abstract Roles

You can create a role by copying a predefined job role or abstract role and editing the copy. You must have the IT Security Manager job role or privileges to perform this task.

Edit the Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code. If location-based access is enabled, then you can also manage the Enable Role for Access from All IP Addresses option.

  4. Click Next.

Manage Functional Security Privileges

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures in the Details section of the page.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from the selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

The Edit Role: Data Security Policies page shows any data security policies granted to the copied role. You can add, remove, or modify data security policies as needed.

Note: For the Data Security Policies page to be active, you must select the Enable edit of data security policies option. To find this option, select the Administration tab, then select the Roles tab on the Administration page. If this option isn't selected, the Data Security Policies page is read-only.

To add a data security policy:

  1. Click the Create Data Security Policy icon.

  2. Enter values that define the policy. A start date is required; a name, end date, and description are optional. Values that define the data access include:

    • Data Resource: A database table.

    • Data Set: A definition that selects a subset of the data made available by the data resource:

      • Select by key: Choose a primary key value to limit the data set to the single record in the data resource whose primary key matches the value you select.

      • Select by instance set: Choose a condition that defines a subset of the data in the data resource. Conditions vary by resource.

      • All values: Include all data from the data resource in your data set.

    • Actions: Select one or more data privileges to apply to the data set you have defined.

  3. Click OK to save.
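The following Python example is added here to illustrate the data security policy model that the steps above describe: a policy names a data resource, a data set (one record selected by key, an instance set selected by a condition, or all values), one or more actions, a required start date and an optional end date. It is hypothetical example code, not Oracle's implementation or any Security Console API; the resource name, columns, rows, policies and the instance-set condition are all constructed for the example.

```python
# Added illustration of the data security policy model described above.
# Hypothetical example code: not Oracle's implementation or any Security
# Console API. The resource, columns, rows and policies are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

Row = dict  # one record of a data resource, keyed by column name


@dataclass
class DataSet:
    """Which rows of the data resource the policy covers."""
    kind: str                                           # "key", "instance_set" or "all"
    key: object = None                                  # primary key value when kind == "key"
    condition: Optional[Callable[[Row], bool]] = None   # predicate when kind == "instance_set"

    def contains(self, row: Row, key_column: str) -> bool:
        if self.kind == "all":            # every row of the resource
            return True
        if self.kind == "key":            # exactly one record, matched on its primary key
            return row.get(key_column) == self.key
        if self.kind == "instance_set":   # rows satisfying a resource-specific condition
            return self.condition is not None and bool(self.condition(row))
        raise ValueError(f"unknown data set kind: {self.kind!r}")


@dataclass
class DataSecurityPolicy:
    data_resource: str              # the database table the policy applies to
    data_set: DataSet
    actions: frozenset              # data privileges granted on the data set
    start_date: date                # required
    end_date: Optional[date] = None # optional; None means no end
    name: str = ""                  # optional
    description: str = ""           # optional

    def active_on(self, day: date) -> bool:
        return self.start_date <= day and (self.end_date is None or day <= self.end_date)


def is_allowed(policies, resource, action, row, key_column, today):
    """True if at least one active policy on `resource` grants `action` for `row`.

    Policies are permissive and additive: there is no deny, so the result is the
    union of what every active policy allows.
    """
    return any(
        p.data_resource == resource
        and p.active_on(today)
        and action in p.actions
        and p.data_set.contains(row, key_column)
        for p in policies
    )


# --- constructed sample data (not a real Oracle table or real policies) ---
EXAMPLE_RESOURCE = "EXAMPLE_EMPLOYEES"
EXAMPLE_KEY = "employee_id"
EXAMPLE_ROWS = [
    {"employee_id": 1001, "business_unit": "US"},
    {"employee_id": 1002, "business_unit": "UK"},
    {"employee_id": 1003, "business_unit": "US"},
]
EXAMPLE_POLICIES = [
    # select by key: view one record only
    DataSecurityPolicy(EXAMPLE_RESOURCE, DataSet("key", key=1002),
                       frozenset({"VIEW"}), date(2024, 1, 1), name="view 1002"),
    # select by instance set: view and update every US row
    DataSecurityPolicy(EXAMPLE_RESOURCE,
                       DataSet("instance_set", condition=lambda r: r["business_unit"] == "US"),
                       frozenset({"VIEW", "UPDATE"}), date(2024, 1, 1), name="manage US"),
    # all values, but the policy has ended, so it grants nothing after 2020
    DataSecurityPolicy(EXAMPLE_RESOURCE, DataSet("all"), frozenset({"DELETE"}),
                       date(2020, 1, 1), end_date=date(2020, 12, 31), name="expired delete"),
]


def rows_allowed(action, today_iso="2025-06-01"):
    """Employee ids on which `action` is permitted under EXAMPLE_POLICIES on the given day."""
    today = date.fromisoformat(today_iso)
    return sorted(r[EXAMPLE_KEY] for r in EXAMPLE_ROWS
                  if is_allowed(EXAMPLE_POLICIES, EXAMPLE_RESOURCE, action, r, EXAMPLE_KEY, today))


if __name__ == "__main__":
    for act in ("VIEW", "UPDATE", "DELETE"):
        print(act, rows_allowed(act))
```

Running the block shows the effect of each data set type: VIEW reaches all three rows (1002 through the key policy, the US rows through the instance set), UPDATE reaches only the US rows, and DELETE reaches nothing today because the all-values policy has an end date in the past. The review point for a practitioner is the last case: an expired or not-yet-started policy silently grants nothing, so check dates before concluding that a data grant is missing.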

To edit a data security policy:

  1. Select the data security policy in the table.

  2. Click the drop-down list on the right, and select Edit Data Security Policy.

  3. Change the data security policy as needed.

  4. Click OK to confirm the changes.

To remove a data security policy:

  1. Select the data security policy in the table.

  2. Click the drop-down list on the right, and select Remove Data Security Policy.

  3. Click Yes to close the confirmation page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied role and its inherited aggregate privileges and duty roles. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

Note: The role that you're removing must be inherited directly by the role that you're editing. If the role is inherited indirectly, then you must edit its parent role.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Run Separation of Duties Analysis

If you use the provisioning rules feature of Advanced Controls in Risk Management Cloud, you can use the Separation of Duties page to determine whether the hierarchy of the role you're creating includes separation of duties conflicts. For more on creating these provisioning rules, see the Risk Management Cloud user guide for Advanced Controls.

Note: If you don't use this feature, you can disable the Separation of Duties page by setting the ASE_SEGREGATION_OF_DUTIES_SETTING profile option to No.
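The following Python example is added to illustrate three rules stated on this page together: the note under Manage Functional Security Privileges (a function security privilege that forms part of an aggregate privilege is added through the aggregate, never granted directly), the note under Add and Remove Inherited Roles (only a directly inherited role can be removed; an indirectly inherited one must be removed from its parent role), and the separation of duties check, modelled here as a set of conflicting privilege pairs evaluated against a role's effective privileges. It is hypothetical example code, not Oracle's implementation, the Security Console, or an Advanced Controls provisioning rule; every role and privilege code and the conflicting pair are constructed.

```python
# Added toy model of the role hierarchy rules on this page. Hypothetical example
# code: not Oracle's implementation or any Security Console API. All role and
# privilege codes and the conflicting privilege pair are constructed.
from collections import deque


class RoleHierarchy:
    def __init__(self, aggregate_privileges):
        # aggregate_privileges: {aggregate privilege code: {function privilege codes it carries}}
        self.members = {}        # role -> roles it inherits directly
        self.direct_privs = {}   # role -> function privileges granted directly
        self.owner = {}          # function privilege -> aggregate privilege that carries it
        for agg, privs in aggregate_privileges.items():
            self.members[agg] = set()
            self.direct_privs[agg] = set(privs)
            for p in privs:
                self.owner[p] = agg

    def define_role(self, role, privileges=(), inherits=()):
        self.members[role] = set()
        self.direct_privs[role] = set()
        for p in privileges:
            self.add_function_privilege(role, p)
        for m in inherits:
            self.add_role_membership(role, m)

    def add_function_privilege(self, role, privilege):
        # Rule from the page: a privilege that forms part of an aggregate privilege
        # is never granted directly; the aggregate goes into the hierarchy instead.
        if privilege in self.owner:
            raise ValueError(f"{privilege} forms part of {self.owner[privilege]}; "
                             "add the aggregate privilege to the role hierarchy instead")
        self.direct_privs[role].add(privilege)

    def add_role_membership(self, role, member):
        if member not in self.members:
            raise KeyError(member)
        if member == role or role in self.inherited_roles(member):
            raise ValueError(f"adding {member} to {role} would create a cycle")
        self.members[role].add(member)

    def remove_role_membership(self, role, member):
        # Rule from the page: only a directly inherited role can be removed here.
        if member not in self.members[role]:
            raise ValueError(f"{member} is not inherited directly by {role}; edit its parent role")
        self.members[role].remove(member)

    def inherited_roles(self, role):
        """All roles reachable from `role`, directly or indirectly (breadth-first)."""
        seen, queue = set(), deque([role])
        while queue:
            for m in self.members.get(queue.popleft(), ()):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        return seen

    def effective_privileges(self, role):
        """Union of the role's own privileges and those of everything it inherits."""
        privs = set(self.direct_privs.get(role, ()))
        for r in self.inherited_roles(role):
            privs |= self.direct_privs[r]
        return privs

    def sod_conflicts(self, role, conflicting_pairs):
        """Pairs from `conflicting_pairs` that the role's effective privileges fully contain."""
        privs = self.effective_privileges(role)
        return {tuple(sorted(pair)) for pair in conflicting_pairs if set(pair) <= privs}


# --- constructed sample hierarchy (codes are invented, not real Oracle codes) ---
EXAMPLE_CONFLICT_PAIRS = [("EXAMPLE_FUN_CREATE_INVOICE", "EXAMPLE_FUN_APPROVE_INVOICE")]


def build_example():
    h = RoleHierarchy({
        "EXAMPLE_AGG_MANAGE_INVOICE": {"EXAMPLE_FUN_CREATE_INVOICE"},
        "EXAMPLE_AGG_APPROVE_INVOICE": {"EXAMPLE_FUN_APPROVE_INVOICE"},
    })
    h.define_role("EXAMPLE_DUTY_AP_ENTRY", inherits=["EXAMPLE_AGG_MANAGE_INVOICE"])
    h.define_role("EXAMPLE_JOB_AP_CLERK", privileges=["EXAMPLE_FUN_RUN_AP_REPORT"],
                  inherits=["EXAMPLE_DUTY_AP_ENTRY"])
    # the edit made on the Role Hierarchy page: add the approval aggregate directly
    h.add_role_membership("EXAMPLE_JOB_AP_CLERK", "EXAMPLE_AGG_APPROVE_INVOICE")
    return h


if __name__ == "__main__":
    h = build_example()
    print(sorted(h.effective_privileges("EXAMPLE_JOB_AP_CLERK")))
    print(h.sod_conflicts("EXAMPLE_JOB_AP_CLERK", EXAMPLE_CONFLICT_PAIRS))
```

After `build_example()` the custom job role can both create and approve invoices, so `sod_conflicts` reports the constructed pair; removing `EXAMPLE_AGG_APPROVE_INVOICE` (a direct member) clears it, while trying to remove `EXAMPLE_AGG_MANAGE_INVOICE` from the job role fails because it is inherited only through `EXAMPLE_DUTY_AP_ENTRY`, and trying to grant `EXAMPLE_FUN_APPROVE_INVOICE` directly fails because an aggregate privilege carries it. The practical point is that effective privileges come from the whole hierarchy, so a separation of duties review must be run over the resolved set rather than over what is granted directly.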

Provision the Role to Users

The Edit Role: Users page shows the users to whom this role is currently provisioned.

Note: For the Users page to be active, you must select the Enable edit of user role membership option. To find this option, select the Administration tab, then select the Roles tab on the Administration page. If this option isn't selected, the Users page is read-only.

To remove a user from this role:

  1. Select the user in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

To add users to this role:

  1. Click the Add User button.

  2. In the Search field, select Users, one or more role types, or any combination of these, and enter at least three characters. The search returns items of the selected types whose names contain the characters you entered.

  3. Select a user or role. If you select a user, click Add User to Role. If you select a role, click Add Selected Users, which adds all its assigned users to the role you're creating.

    To automatically provision the role to users, you can also create a role mapping.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.