Duty Role Components

A typical duty role consists of function security privileges and data security policies. Duty roles may also inherit aggregate privileges and other duty roles.

Data Security Policies

For a given duty role, you may create any number of data security policies. Each policy selects a set of data required for the duty to be completed and actions that may be performed on that data. The duty role may also acquire data security policies indirectly from its aggregate privileges.

These are the components of a data security policy:

• A duty role, for example Expense Entry Duty.

• A business object that's being accessed, for example Expense Reports.

• The condition, if any, that controls access to specific instances of the business object. For example, a condition may allow access to data applying to users for whom a manager is responsible.

• A data security privilege, which defines what may be done with the specified data, for example Manage Expense Report.

Function Security Privileges

Many function security privileges are granted directly to a duty role. It also acquires function security privileges indirectly from its aggregate privileges.

Each function security privilege secures the code resources that make up the relevant pages, such as the Manage Grades and Manage Locations pages.

Tip: The predefined duty roles represent logical groupings of privileges that you may want to manage as a group. They also represent real-world groups of tasks. For example, the predefined General Accountant job role inherits the General Ledger Reporting duty role. You can create a General Accountant job role with no access to reporting structures. To create such a job role, copy the job role and remove the General Ledger Reporting duty role from the role hierarchy.