Best Practices for Creating Segment Value Security Roles

Here are some best practices for creating and maintaining roles for segment value security.

  • Create the role solely for the purpose of assigning segment value security policies. This prevents commingling with other elements of data security and other artifacts that might be present in other roles, which could make it much more difficult to diagnose why segment value security rules aren’t acting in the expected manner.
    Note: Set the Role Category to Default.
  • Don’t form hierarchies with segment value security roles. In a hierarchy, the data security policies of every role in the hierarchy roll up to a user through the assignment of that one segment value security role. This makes it difficult to evaluate the data security a user ends up with, and to identify the precise origin of a given data security policy when unexpected results are encountered.
  • It's generally not advisable to use job roles, predefined by Oracle or otherwise, to pass on segment value security policies because it's highly unlikely that a group of users who share a job role will also share the exact same security profile for a secured chart of accounts.

    By attaching segment value security policies to job roles, every user who's assigned that job role uniformly picks up those data security policies. Job roles are primarily for passing function security access to features in a product module; they are shared among users who have the same job function but who most likely work in different parts of the organization. It's generally best not to incorporate data security access directly into a job role.

  • Assess the total number of unique variations of segment value security profiles across all users in the organization who'll need access to a given secured value set. Then, define individual segment value security roles for each of these security profiles by creating empty roles before creating the segment value security policies. The purpose of these roles is to serve as a method to pass through specific chart of accounts segment value security data security policies intended for a given user, or user group, by assigning this segment value security role to the appropriate users.

    Minimize the number of policy definitions that you maintain for a given secured value set by having each policy definition comprehensively capture each of these identified security profiles for that value set. This helps promote a more manageable framework for maintaining the segment value security requirements for your organization.

  • Maintaining individual segment value security roles for each distinct data security profile among all the users and user groups in the organization will also help with ongoing maintenance of your segment value security setups. Any required change to such a segment value security data security profile would only require making a change to the one segment value security role and this will automatically cascade down to all the users that belong to that one security profile.

    The one segment value security role can be assigned different policies from within the same secured value set. Even policies from different secured value sets can be assigned, so long as the common security profile that applies to the entire group of users sharing that segment value security role includes every one of the segment value security policies for the one or more secured value sets tied to that role.

    Loading up the one segment value security role in this way can cut down the number of segment value security roles that need to be maintained, and each role can be used very efficiently. However, it can also substantially increase the complexity of organizing and maintaining the segment value security setups, because it creates additional interdependencies between the security requirements for different policies and different secured value sets and the segment value security requirements of each user placed into this group. As such, take caution when loading up a segment value security role in this manner, and weigh the benefits and costs of such a decision to determine the optimal fit for your organization.
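The following Python model is an added illustration of the role design described in the bullets above; it is not Oracle code and does not call any Oracle API. It takes a constructed table of the policies each user actually requires, derives one segment value security role per distinct security profile (the "assess the unique variations, then create empty roles" step), and then resolves each user's effective policies with their originating role. Running the same resolution over a role hierarchy shows how an inherited role silently grants a policy the user's own profile never called for, which is the diagnosis problem the hierarchy bullet warns about. All user, role, value-set and policy names are constructed examples, and the `SVS_PROFILE_nn` naming convention is a hypothetical one.

```python
"""Added illustration of segment value security (SVS) role design.

Not Oracle code. Users, value sets, policies and role names are constructed
examples; the SVS_PROFILE_nn naming convention is hypothetical.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Policy = Tuple[str, str]  # (secured value set, policy name)

# Constructed input: the SVS policies each user genuinely requires.
# alice and bob share one profile; carol's profile is a strict subset of dave's.
USER_REQUIREMENTS: Dict[str, FrozenSet[Policy]] = {
    "alice": frozenset({("Company", "Company_US"), ("CostCenter", "CC_Sales")}),
    "bob":   frozenset({("Company", "Company_US"), ("CostCenter", "CC_Sales")}),
    "carol": frozenset({("Company", "Company_EU")}),
    "dave":  frozenset({("Company", "Company_EU"), ("CostCenter", "CC_R_and_D")}),
}


def derive_roles(requirements: Dict[str, FrozenSet[Policy]]):
    """Create one flat SVS role per distinct security profile.

    Returns (role -> set of policies, user -> role). Users with identical
    requirements are grouped onto the same role, so the number of roles
    equals the number of unique profiles rather than the number of users.
    """
    profiles: Dict[FrozenSet[Policy], List[str]] = {}
    for user, profile in requirements.items():
        profiles.setdefault(profile, []).append(user)
    role_policies: Dict[str, Set[Policy]] = {}
    user_role: Dict[str, str] = {}
    ordered = sorted(profiles.items(), key=lambda kv: sorted(kv[0]))
    for i, (profile, users) in enumerate(ordered, start=1):
        role = f"SVS_PROFILE_{i:02d}"  # hypothetical naming convention
        role_policies[role] = set(profile)
        for user in users:
            user_role[user] = role
    return role_policies, user_role


def effective_policies(user: str, user_role: Dict[str, str],
                       role_policies: Dict[str, Set[Policy]],
                       hierarchy: Optional[Dict[str, Iterable[str]]] = None
                       ) -> Dict[Policy, Set[str]]:
    """Resolve every policy a user ends up with and which role(s) granted it.

    `hierarchy` maps a role to the roles it inherits from; with no hierarchy
    the only source is the user's own role, so origin is always unambiguous.
    """
    hierarchy = hierarchy or {}
    origin: Dict[Policy, Set[str]] = defaultdict(set)
    seen: Set[str] = set()
    stack = [user_role[user]]
    while stack:  # depth-first walk of the inheritance graph, cycle-safe
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        for policy in role_policies.get(role, ()):
            origin[policy].add(role)
        stack.extend(hierarchy.get(role, ()))
    return dict(origin)


def audit(requirements: Dict[str, FrozenSet[Policy]], user_role: Dict[str, str],
          role_policies: Dict[str, Set[Policy]],
          hierarchy: Optional[Dict[str, Iterable[str]]] = None
          ) -> Dict[str, Tuple[Set[Policy], Set[Policy]]]:
    """Compare intended vs. effective access per user.

    Returns user -> (unexpected policies, missing policies); an empty dict
    means every user has exactly the profile assessed for them.
    """
    findings = {}
    for user, expected in requirements.items():
        got = effective_policies(user, user_role, role_policies, hierarchy)
        extra = set(got) - expected
        missing = set(expected) - set(got)
        if extra or missing:
            findings[user] = (extra, missing)
    return findings


if __name__ == "__main__":
    roles, assignment = derive_roles(USER_REQUIREMENTS)
    print("flat design findings:", audit(USER_REQUIREMENTS, assignment, roles))
    # Constructed hierarchy: carol's role inherits dave's role.
    hier = {assignment["carol"]: [assignment["dave"]]}
    print("with hierarchy:", audit(USER_REQUIREMENTS, assignment, roles, hier))
    for policy, origins in effective_policies("carol", assignment, roles, hier).items():
        print("carol", policy, "granted by", sorted(origins))
```

With the flat design the audit comes back empty; once one role inherits another, the audit flags the inherited `CC_R_and_D` policy on carol, and the origin map shows it came from a role she was never directly assigned. That origin trace is exactly what becomes hard to reconstruct in a real deployment when hierarchies are in play.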

Caution: Don’t use the Security Console Role Copy feature to make copies of such segment value security roles that have segment value security policies assigned through policies created using the Manage Segment Value Security Roles spreadsheet. The Role Copy function doesn’t account for all the attributes maintained for policy definitions that were created using the spreadsheet. A role created from such a copy action will have data security policy assignments that are incomplete and that won’t function properly.