1. Securing Applications
  2. Role Mappings

Role Mappings

Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. This topic describes how to provision roles to users both automatically and manually.

Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area to provision roles.

Note: Role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.

Automatic Provisioning of Roles to Users

Role provisioning occurs automatically if:

  • At least one of the user's assignments matches all role-mapping conditions.

  • You select the Autoprovision option for the role in the role mapping.

For example, for the data role Sales Manager Finance Department, you could select the Autoprovision option and specify the conditions shown in this table.

Attribute

Value

Department

Finance Department

Job

Sales Manager

HR Assignment Status

Active

Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Manual Provisioning of Roles to Users

Users such as line managers can provision roles manually to other users if:

  • At least one of the assignments of the user who's provisioning the role, for example, the line manager, matches all role-mapping conditions.

  • You select the Requestable option for the role in the role mapping.

For example, for the data role Training Team Leader, you could select the Requestable option and specify the conditions shown in this table.

Attribute

Value

Manager with Reports

Yes

HR Assignment Status

Active

Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role Requests from Users

Users can request a role when managing their own accounts if:

  • At least one of their assignments matches all role-mapping conditions.

  • You select the Self-requestable option for the role in the role mapping.

For example, for the data role Expenses Reporter you could select the Self-requestable option and specify the conditions shown in this table.

Attribute

Value

Department

Finance Department

System Person Type

Employee

HR Assignment Status

Active

Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role-Mapping Names

Role-mapping names must be unique in the enterprise. Devise a naming scheme that shows the scope of each role mapping. For example, the role mapping Autoprovisioned Roles Sales could include all roles provisioned automatically to workers in the sales department.

Related Topics