Security Console Role-Copy Options

When you copy a role on the Security Console, you have the option to either copy top role, or copy top role and inherited roles. This topic explains the effects of each of these options.

Copy Top Role

If you select the Copy top role option, then only the top role from the selected role hierarchy is copied. Memberships are created for the copy in the roles of which the original is a member. That is, the copy of the top role references the inherited role hierarchy of the source role. Any changes made to those inherited roles appear in both the source role and the copy. Therefore, you must take care when you edit the role hierarchy of the copy. You can:

Add roles directly to the copy without affecting the source role.
Remove any role from the copy that it inherits directly without affecting the source role. However, if you remove any role that's inherited indirectly by the copy, then any role that inherits the removed role's parent role is affected.
Add or remove function and data security privileges that are granted directly to the copy of the top role.

If you copy a custom role and edit any inherited role, then the changes affect any role that inherits the edited role.

The option of copying the top role is referred to as a shallow copy. This figure summarizes the effects of a shallow copy. It shows that the copy references the same instances of the inherited roles as the source role. No copies are made of the inherited roles.

The source job role inherits an aggregate privilege and a duty role. That duty role inherits another duty role. The copy of the job role references the inherited roles of the source role. The duty roles and aggregate privilege belonging to the source role haven't been copied.

You're recommended to create a shallow copy unless you must make changes that could affect other roles or that you couldn't make to predefined roles. To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. To copy the inherited roles, select the Copy top role and inherited roles option.

Tip: The Copy Role: Summary and Impact Report page provides a useful summary of your changes. Review this information to ensure that you haven't accidentally made a change that affects other roles.

Copy Top Role and Inherited Roles

Selecting Copy top role and inherited roles is a request to copy the entire role hierarchy. These rules apply:

Inherited aggregate privileges and middleware roles are never copied. Instead, membership is added to each aggregate privilege, or middleware role, for the copy of the source role.
Inherited duty roles are copied if a copy with the same name doesn't already exist. Otherwise, membership is added to the existing copies of the duty roles for the new role.

When inherited duty roles are copied, custom duty roles are created. Therefore, you can edit them without affecting other roles. Equally, changes made subsequently to the source duty roles don't appear in the copies of those roles. For example, if those duty roles are predefined and are updated during upgrade, then you may have to update your copies manually after upgrade. This option is referred to as a deep copy.

This figure shows the effects of a deep copy. In this example, copies of the inherited duty roles with the same name don't already exist. Therefore, the inherited duty roles are copied when you copy the top role. Aggregate privileges are referenced from the new role.

The source job role inherits an aggregate privilege and a duty role. That duty role inherits another duty role. The copy of the source job role inherits copies of the duty roles from the source role. The aggregate privilege belonging to the source role is referenced by the copy of the top role.