1. Administering Access Control for Oracle Enterprise Performance Management Cloud
  2. Managing Role Assignments at the Application Level
  3. Application Role Assignment Overview

Application Role Assignment Overview

Access Control enables you to extend the capabilities of Oracle Enterprise Performance Management Cloud user’s access beyond its predefined role by assigning them roles at application level. These roles are called Applicaton Roles. Service Administrators or user with Access Control - Manage application role can grant application-specific roles and data grants to users and to groups created and managed in Access Control.

For example, by default, only Service Administrators and Power Users can access Data Integration. To enable users with the User or Viewer predefined roles to participate in the integration process, Service Administrators can assign Data Integration - Create application roles to them.

Note:

Application roles can only enhance the access rights of users; none of the privileges granted by a predefined role can be curtailed. To learn more about predefined roles, see Understanding Predefined Roles in Getting Started with Oracle Enterprise Performance Management Cloud for Administrators.

For more information on available EPM Cloud application roles and their predefined role mapping, see:

Note:

If you are migrating applications from an on-premises environment to EPM Cloud, see "Role Mapping for Migrating to EPM Cloud" in Administering Migration for Oracle Enterprise Performance Management Cloud.

Best Practice to Assign Application Roles

The recommended best practice is to assign the lowest level role that fits additional privileges where necessary. Here are some examples of situations where you may want to grant application roles to someone that would not have those privileges from their predefined role.

  • Add the Preparer application role to a Viewer that needs to prepare reconciliations
  • Have a reports designer who only works on designing reports and not the rest of application functionality. You can give them the Viewer role and then assign the application role of Manage Reports
  • Allow a Power User to be able to manage alert types so you can assign the application role of Manage Alert Types

Note:

Granting privileges are additive only. This means that you can add to the privileges that a user's predefined role has, but cannot remove privileges that are automatically given to that predefined role.