Role Mappings
Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. This topic describes how to provision roles to users both automatically and manually.
Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area to provision roles.
Role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.
Automatic Provisioning of Roles to Users
Role provisioning occurs automatically if:
- At least one of the user's assignments matches all role-mapping conditions.
- You select the Autoprovision option for the role in the role mapping.
For example, for the data role Sales Manager Finance Department, you could select the Autoprovision option and specify the conditions shown in this table.
| Attribute | Value |
|---|---|
| Department | Finance Department |
| Job | Sales Manager |
| HR Assignment Status | Active |
Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.
Manual Provisioning of Roles to Users
Users such as line managers can provision roles manually to other users if:
- At least one of the assignments of the user who's provisioning the role, for example, the line manager, matches all role-mapping conditions.
- You select the Requestable option for the role in the role mapping.
For example, for the data role Training Team Leader, you could select the Requestable option and specify the conditions shown in this table.
| Attribute | Value |
|---|---|
| Manager with Reports | Yes |
| HR Assignment Status | Active |
Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.
Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.
Role Requests from Users
Users can request a role when managing their own accounts if:
- At least one of their assignments matches all role-mapping conditions.
- You select the Self-requestable option for the role in the role mapping.
For example, for the data role Expenses Reporter you could select the Self-requestable option and specify the conditions shown in this table.
| Attribute | Value |
|---|---|
| Department | Finance Department |
| System Person Type | Employee |
| HR Assignment Status | Active |
Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.
Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.
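The matching and deprovisioning rules described in the three sections above can be modeled as follows. This is an added example, not code from the product: the class and function names, the one-option-per-mapping simplification, the `has_work_relationship` flag, and the sample assignments are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleMapping:
    role: str
    conditions: tuple   # (attribute, value) pairs; all must match
    option: str         # "autoprovision", "requestable" or "self_requestable"

ACTIVE = ("HR Assignment Status", "Active")
# The three example mappings from the tables above.
MAPPINGS = [
    RoleMapping("Sales Manager Finance Department",
                (("Department", "Finance Department"), ("Job", "Sales Manager"), ACTIVE),
                "autoprovision"),
    RoleMapping("Training Team Leader",
                (("Manager with Reports", "Yes"), ACTIVE), "requestable"),
    RoleMapping("Expenses Reporter",
                (("Department", "Finance Department"),
                 ("System Person Type", "Employee"), ACTIVE), "self_requestable"),
]

def matches(assignments, mapping):
    """A single assignment must satisfy every condition; values are not pooled."""
    return any(all(a.get(attr) == val for attr, val in mapping.conditions)
               for a in assignments)

def eligible(assignments, option):
    """Roles with `option` selected whose mapping the assignments match."""
    return {m.role for m in MAPPINGS
            if m.option == option and matches(assignments, m)}

def reconcile(assignments, auto_roles, manual_roles, has_work_relationship=True):
    """Return (add, remove) role requests after an assignment is created or updated."""
    target = eligible(assignments, "autoprovision")
    add, remove = target - auto_roles, auto_roles - target
    if not has_work_relationship:   # manual roles end only with the last work relationship
        remove |= manual_roles
    return add, remove

# Constructed sample assignments (hypothetical, not from the page).
FINANCE_MGR = [{"Department": "Finance Department", "Job": "Sales Manager",
                "System Person Type": "Employee", "Manager with Reports": "Yes",
                "HR Assignment Status": "Active"}]
# Conditions spread over two assignments: neither one matches all of them.
SPLIT = [{"Department": "Finance Department", "Job": "Accountant",
          "HR Assignment Status": "Active"},
         {"Department": "Sales Department", "Job": "Sales Manager",
          "HR Assignment Status": "Active"}]
```

Calling `reconcile(SPLIT, {"Sales Manager Finance Department"}, {"Expenses Reporter"})` queues removal of the automatically provisioned role only; the manually provisioned Expenses Reporter role stays with the user even though no assignment matches its mapping any longer.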
Role-Mapping Names
Role-mapping names must be unique in the enterprise. Devise a naming scheme that shows the scope of each role mapping. For example, the role mapping Autoprovisioned Roles Sales could include all roles provisioned automatically to workers in the sales department.