20 Creating and Editing Job, Abstract, and Duty Roles

Guidelines for Copying HCM Roles

Copying predefined roles and editing the copies is the recommended approach to creating roles. This topic describes what to consider when you're copying a role.

Reviewing the Role Hierarchy

When you copy a predefined job, abstract, or duty role, first review its role hierarchy. The review identifies the inherited roles that you want to refer to, copy, or delete in your custom role. For example, the Payroll Manager job role inherits the Payroll Administrator job role, among others. When copying the Payroll Manager role, you must decide whether to copy the Payroll Administrator role, refer to it, or remove it from your copy. You can review the role hierarchy on the Roles tab of the Security Console in either graphical or tabular format. You can also:

  • Export the role hierarchy to a spreadsheet from the Roles tab.

  • Review the role hierarchy and export it to a spreadsheet from the Analytics tab.

  • Run the User and Role Access Audit Report.

Tip: Aggregate privileges are never copied. When you copy a job or abstract role, its inherited aggregate privileges are referred to from your copy.

Reviewing Privileges

Job and abstract roles inherit function security privileges and data security policies from the roles that they inherit. Function security privileges and data security policies may also be granted directly to a job or abstract role. You can review these directly granted privileges on the Roles tab of the Security Console, as follows:

  • In the graphical view of a role, its inherited roles and function security privileges are visible at the same time.

  • In the tabular view, you set the Show value to switch between roles and function security privileges. You can export either view to a spreadsheet.

Once your custom role exists, edit it to add or remove directly granted function security privileges.

Note: Data security policies are visible only when you edit your role. You're recommended to leave data security policies unchanged.

Transaction Analysis Duty Roles

Some roles, such as the Human Resource Analyst job role, inherit Transaction Analysis Duty roles, which are used in Oracle Transactional Business Intelligence report permissions. If you copy the Human Resource Analyst job role, or any other role that inherits Transaction Analysis Duty roles, then don't copy the Transaction Analysis Duty roles. If you copy the roles, then you must update the permissions for the relevant reports to secure them using your copies of the roles. Instead, add the predefined Transaction Analysis Duty roles to your copy of the relevant job role, such as Human Resource Analyst.

Naming Copied Roles

By default, a copied role has the same name as its source role with the suffix Custom. The role codes of copied roles have the suffix _CUSTOM. Copied roles lose the prefix ORA_ automatically from their role codes. You can define a local naming convention for custom roles, with a prefix, suffix, or both, on the Administration tab of the Security Console.

Note: Copied roles take their naming pattern from the default values specified on the Administration tab of the Security Console. You can override this pattern on the Copy Role: Basic Information page for the role that you're copying. However, the names of roles inherited by the copied role are unaffected. For example, if you perform a deep copy of the Employee role, then inherited duty roles take their naming pattern from the default values.

Duplicate Roles

If any role in the hierarchy already exists when you copy a role, then no copy of that role is made. For example, if you make a second copy of the Employee role, then copies of the inherited duty roles may already exist. In this case, membership is added to the existing copies of the roles. To create unique copies of inherited roles, you must enter unique values on the Administration tab of the Security Console before performing a deep copy.

To retain membership of the predefined job or abstract role hierarchy, perform a shallow copy of the predefined role.

What Role Copy Does

When you copy a role on the Security Console, the role is copied in accordance with the role-copy options that you specify. Nothing else is updated. For example:

  • If the role that you're copying is referenced in an EL expression, then the expression isn't updated to include the new role.

  • The new role isn't assigned automatically to users who have the original role.

Security Console Role-Copy Options

When you copy a role on the Security Console, you select one of the following options:

  • Copy top role

  • Copy top role and inherited roles

This topic explains the effects of each of these options.

Copy Top Role

If you select the Copy top role option, then only the top role from the selected role hierarchy is copied. Memberships are created for the copy in the roles of which the original is a member. That is, the copy of the top role references the inherited role hierarchy of the source role. Any changes made to those inherited roles appear in both the source role and the copy. Therefore, you must take care when you edit the role hierarchy of the copy. You can:

  • Add roles directly to the copy without affecting the source role.

  • Remove any role from the copy that it inherits directly without affecting the source role. However, if you remove any role that's inherited indirectly by the copy, then any role that inherits the removed role's parent role is affected.

  • Add or remove function and data security privileges that are granted directly to the copy of the top role.

If you copy a custom role and edit any inherited role, then the changes affect any role that inherits the edited role.

The option of copying the top role is referred to as a shallow copy. This figure summarizes the effects of a shallow copy. It shows that the copy references the same instances of the inherited roles as the source role. No copies are made of the inherited roles.

Figure: The source job role inherits an aggregate privilege and a duty role. That duty role inherits another duty role. The copy of the job role references the inherited roles of the source role. The duty roles and aggregate privilege belonging to the source role haven't been copied.

You're recommended to create a shallow copy unless you must make changes that could affect other roles or that you couldn't make to predefined roles. To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. To copy the inherited roles, select the Copy top role and inherited roles option.

Tip: The Copy Role: Summary and Impact Report page provides a useful summary of your changes. Review this information to ensure that you haven't accidentally made a change that affects other roles.

Copy Top Role and Inherited Roles

Selecting Copy top role and inherited roles is a request to copy the entire role hierarchy. These rules apply:

  • Inherited aggregate privileges are never copied. Instead, membership is added to each aggregate privilege for the copy of the source role.

  • Inherited duty roles are copied if a copy with the same name doesn't already exist. Otherwise, membership is added to the existing copies of the duty roles for the new role.

When inherited duty roles are copied, custom duty roles are created. Therefore, you can edit them without affecting other roles. Equally, changes made subsequently to the source duty roles don't appear in the copies of those roles. For example, if those duty roles are predefined and are updated during upgrade, then you may have to update your copies manually after upgrade. This option is referred to as a deep copy.

This figure shows the effects of a deep copy. In this example, copies of the inherited duty roles with the same name don't already exist. Therefore, the inherited duty roles are copied when you copy the top role. Aggregate privileges are referenced from the new role.

Figure: The source job role inherits an aggregate privilege and a duty role. That duty role inherits another duty role. The copy of the source job role inherits copies of the duty roles from the source role. The aggregate privilege belonging to the source role is referenced by the copy of the top role.
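As an added illustration (not Oracle's code), the following Python model captures the copy rules described above: a shallow copy references the source's inherited roles, a deep copy copies inherited duty roles but only references aggregate privileges, an inherited role whose copy already exists is reused rather than copied again, and the default naming drops ORA_ and appends _CUSTOM. The Role class, copy_role, affected_roles and the sample role names and codes are assumptions constructed for this example; affected_roles mimics the check that the Summary and Impact Report page performs for you.

```python
"""Model of Security Console role-copy semantics (shallow vs deep copy).
Added illustration only, not Oracle code. Role names and codes below are
constructed samples, not real predefined role codes."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(eq=False)  # identity-based equality: roles can be shared by reference
class Role:
    name: str
    code: str
    kind: str  # "job", "abstract", "duty" or "aggregate"
    privileges: set[str] = field(default_factory=set)  # directly granted
    inherits: list[Role] = field(default_factory=list)

    def effective_privileges(self) -> set[str]:
        """Directly granted privileges plus everything reachable by inheritance."""
        acc = set(self.privileges)
        for child in self.inherits:
            acc |= child.effective_privileges()
        return acc

    def descendants(self) -> set[Role]:
        """Every role inherited directly or indirectly."""
        out = set(self.inherits)
        for child in self.inherits:
            out |= child.descendants()
        return out


def custom_code(code: str, suffix: str = "_CUSTOM") -> str:
    """Default naming for a copy: drop the ORA_ prefix, append the suffix."""
    if code.startswith("ORA_"):
        code = code[len("ORA_"):]
    return code + suffix


def copy_role(src: Role, deep: bool, existing: dict[str, Role],
              name: str | None = None, code: str | None = None) -> Role:
    """Copy src as the Copy Role options would.

    existing maps role code -> custom roles already present; a role whose copy
    exists is not copied again, the existing copy is referenced instead.
    deep=False (shallow): the copy references the source's inherited roles.
    deep=True: inherited duty roles are copied recursively; aggregate
    privileges are never copied, only referenced.
    """
    code = code or custom_code(src.code)
    if code in existing:
        return existing[code]
    copy = Role(name or src.name + " Custom", code, src.kind, set(src.privileges))
    existing[code] = copy
    for child in src.inherits:
        if deep and child.kind == "duty":
            copy.inherits.append(copy_role(child, True, existing))
        else:
            copy.inherits.append(child)  # shared reference, not a copy
    return copy


def affected_roles(all_roles: list[Role], edited: Role) -> set[str]:
    """Codes of every role whose effective privileges change when edited changes."""
    return {r.code for r in all_roles if edited in r.descendants()}


def build_sample() -> dict[str, Role]:
    """Constructed hierarchy matching the figures: job -> aggregate + duty -> duty."""
    agg = Role("Sample Aggregate", "ORA_SAMPLE_AGG", "aggregate", {"PRIV_AGG"})
    inner = Role("Sample Inner Duty", "ORA_SAMPLE_INNER_DUTY", "duty", {"PRIV_INNER"})
    outer = Role("Sample Outer Duty", "ORA_SAMPLE_OUTER_DUTY", "duty",
                 {"PRIV_OUTER"}, [inner])
    job = Role("Sample Job", "ORA_SAMPLE_JOB", "job", {"PRIV_TOP"}, [agg, outer])
    return {"job": job, "agg": agg, "outer": outer, "inner": inner}


if __name__ == "__main__":
    s, existing = build_sample(), {}
    shallow = copy_role(s["job"], deep=False, existing=existing)
    s["outer"].privileges.add("PRIV_NEW")  # edit a shared inherited duty role
    print(sorted(affected_roles([s["job"], shallow], s["outer"])))
```

Running the script shows that editing the shared duty role changes both the predefined job role and its shallow copy, which is exactly the situation the Summary and Impact Report page warns about.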

Guidelines for Copying Abstract Roles

This topic provides guidance about copying abstract roles. This guidance also applies to job roles if you assign security profiles to them directly.

Copying Upgraded Abstract Roles with Inherited HCM, CRM, and FSCM Roles

This section describes how to copy abstract roles with assigned security profiles that were upgraded from Oracle Human Capital Management Cloud Release 11. This information doesn't apply if:

  • You didn't upgrade abstract roles from Release 11.

  • You upgraded abstract roles from Release 11, but you regenerated their data security policies after the upgrade.

The Simplified Reference Role Model was introduced in Release 10. In Releases 10 and 11, each predefined job role and abstract role was represented as an enterprise role. The enterprise role inherited an application role. When you assigned security profiles to an abstract role before Release 12, some additional roles were generated automatically. These additional roles had the name of the abstract role with the suffix (HCM), (CRM), or (FSCM). Data security policies were generated against these roles, which were inherited directly by the abstract role's enterprise role. The presence of these roles means that the enterprise role was modified. This modification prevented the enterprise and application roles from being merged when the abstract roles were upgraded from Release 11.

As the enterprise and application roles for such abstract roles remain separate after the upgrade from Release 11, you must take care when copying them. If you perform a shallow copy of an upgraded enterprise role, then you keep membership of:

  • The inherited (HCM), (CRM), and (FSCM) roles.

  • The application role from the original role. If the application role is predefined, then you can't edit it. Otherwise, any changes you make to the application role are also inherited by the role on which the copy was based.

Therefore, you're recommended always to copy the application role and perform a shallow copy. If you must copy the enterprise role, then always perform a deep copy. Once the copy of the enterprise role exists, you must edit it to remove the inherited (HCM), (CRM), and (FSCM) roles. Otherwise, your custom role has the data security policies from the source role in addition to any that you create specifically for the custom role. The copied role can't function as required unless you remove these roles.

Copying Abstract Roles with Assigned Security Profiles

This section provides guidance about copying roles in the following circumstances:

  • You're a new customer in Release 12 or later and are copying predefined abstract roles with assigned security profiles.

  • You're creating custom abstract roles, assigning security profiles to them directly, and then copying them.

  • You upgraded from Release 11, regenerated the data security policies for an abstract role with assigned security profiles, and are now copying those roles.

In all of these cases, the data security policies from the assigned security profiles are granted to the top-level role. Therefore, if you copy an abstract role, you copy all of its data security policies, including those that were generated from the assigned security profiles. These data security policies can be difficult to remove successfully from the role copy on the Security Console. Therefore, to avoid copying unwanted data security policies, you're recommended to revoke security profiles from abstract roles before you copy them. Reassign the security profiles to the abstract role when the copy is complete.

Tip: If you have already made a copy of a predefined abstract role with assigned security profiles, then you can remove the copied data security policies as follows:
  1. Edit your custom role.

  2. On the Data Security Policies page, filter by policy names beginning with the prefix ORA_. These policies were generated from security profiles assigned to the predefined abstract role that you copied.

  3. Remove all policies beginning with ORA_ in the filtered list.

Any remaining data security policies are either predefined and should not be removed or generated from security profiles assigned to your custom role.

Copy Job and Abstract Roles

You can copy any job role or abstract role and use it as the basis for a custom role. Copying roles is more efficient than creating them from scratch, especially if your changes are minor. This topic explains how to copy a role to create a custom role. You must have the IT Security Manager job role or privileges to perform this task.

Copy a Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: If you prefer, click the Show Graph icon to show the hierarchy in graphical format.
  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, review and edit the Role Name, Role Code, Description, and Enable Role for Access from All IP Addresses values, as appropriate. Enable Role for Access from All IP Addresses appears only if location-based access is enabled.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.
  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. When the status is Complete, you can edit the copied role.

    If you prefer, you can visit the intermediate train stops after the Copy Role: Basic Information page and edit your copy of the role before you save it.

Edit Job and Abstract Roles

You can create a role by copying a predefined job role or abstract role and editing the copy. This topic describes how to edit a role on the Security Console. You must have the IT Security Manager job role or privileges to perform this task.

Edit the Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your custom role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code. If location-based access is enabled, then you can also manage the Enable Role for Access from All IP Addresses option.

  4. Click Next.

Manage Functional Security Privileges

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures in the Details section of the page.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from the selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

Make no changes on the Edit Role: Data Security Policies page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied role and its inherited aggregate privileges and duty roles. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the confirmation message.

Note: The role that you're removing must be inherited directly by the role that you're editing. If the role is inherited indirectly, then you must edit its parent role.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Provision the Role to Users

To provision the role to users, you must create a role mapping. Don't provision the role to users on the Security Console.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.

Create Job and Abstract Roles from Scratch

If the predefined roles aren't suitable or you need a role with few privileges, then you can create a role from scratch. This topic explains how to create a job role or abstract role. To perform this task, you must have the IT Security Manager job role or privileges.

Enter Basic Information

Follow these steps:

  1. On the Roles tab of the Security Console, click Create Role.

  2. On the Create Role: Basic Information page, enter the role's display name in the Role Name field. For example, enter Sales Department Administration Job Role.

  3. Complete the Role Code field. For example, enter SALES_DEPT_ADMIN_JOB.

    Abstract roles have the suffix _ABSTRACT, and job roles have the suffix _JOB.

  4. In the Role Category field, select either HCM - Abstract Roles or HCM - Job Roles, as appropriate.

    Note: Be sure to select the HCM - Job Roles category when creating job roles. Otherwise, your job roles don't appear in the list of available job roles when you create an HCM data role.
  5. If you're using location-based access, then you see the Enable Role for Access from All IP Addresses option. If you select this option, then users who have the role can access the tasks that the role secures from any IP address.

  6. Click Next.

Add Functional Security Policies

When you create a role from scratch, you're most likely to add one or more aggregate privileges or duty roles to your role. You're less likely to grant function security privileges directly to the role.

If you aren't granting function security privileges, then click Next. Otherwise, to grant function security privileges to the role:

  1. On the Privileges tab of the Create Role: Functional Security Policies page, click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to add all function security privileges from a selected role to your custom role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Create Role: Role Hierarchy page, if appropriate.

    If you select a single privilege, then click Add Privilege to Role.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

Create Data Security Policies

Make no entries on the Create Role: Data Security Policies page.

Build the Role Hierarchy

The Create Role: Role Hierarchy page shows the hierarchy of your custom role in tabular format by default. You can add one or more aggregate privileges, job roles, abstract roles, and duty roles to the role. Typically, when creating a job or abstract role you add aggregate privileges. Roles are always added directly to the role that you're creating.

To add a role:

  1. Click the Add Role icon.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. When you finish adding roles, close the Add Role Membership dialog box.

  7. Click Next.

Provision the Role

To provision the role to users, you must create a role mapping when the role exists. Don't provision the role to users on the Security Console.

Review the Role

On the Create Role: Summary and Impact Report page, review the summary of the changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

Your custom role is available immediately.

Copy and Edit Duty Roles

You can copy a duty role and edit the copy to create a custom duty role. Copying duty roles is the recommended way of creating duty roles. This topic explains how to copy a duty role and edit the copy. You must have the IT Security Manager job role or privileges to perform these tasks.

Copy a Duty Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the duty role to copy.

  2. Select the role in the search results. The role hierarchy appears in tabular format by default.

    Tip: If you prefer, click the Show Graph icon to show the hierarchy in graphical format.
  3. In the search results, click the down arrow for the selected role and select Copy Role.

  4. In the Copy Options dialog box, select a copy option.

  5. Click Copy Role.

  6. On the Copy Role: Basic Information page, edit the Role Name, Role Code, and Description values, as appropriate.

    Tip: The role name and code have the default prefix and suffix for copied roles specified on the Roles subtab of the Security Console Administration tab. You can overwrite these values for the role that you're copying. However, any roles inherited by the copied role are unaffected by any name changes that you make on the Copy Role: Basic Information page.
  7. Click the Summary and Impact Report train stop.

  8. Click Submit and Close, then OK to close the confirmation message.

  9. Review the progress of your copy on the Role Copy Status subtab of the Security Console Administration tab. Once the status is Complete, you can edit the copied role.

Edit the Copied Duty Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select your copy of the duty role.

  2. In the search results, click the down arrow for the selected role and select Edit Role.

  3. On the Edit Role: Basic Information page, you can edit the role name and description, but not the role code.

  4. Click Next.

Manage Functional Security Policies

On the Edit Role: Functional Security Policies page, any function security privileges granted to the copied role appear on the Privileges tab. Select a privilege to view details of the code resources that it secures.

To remove a privilege from the role, select the privilege and click the Delete icon. To add a privilege to the role:

  1. Click Add Function Security Policy.

  2. In the Add Function Security Policy dialog box, search for and select a privilege or role.

  3. If you select a role, then click Add Selected Privileges to grant all function security privileges from the selected role to your custom role. If you select a single privilege, then click Add Privilege to Role.

    Tip: If the role has no function security privileges, then you see an error message. You can add the role to the role hierarchy on the Edit Role: Role Hierarchy page, if appropriate.
  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional privileges.

  6. Close the Add Function Security Policy dialog box.

  7. Click Next.

Note: If a function security privilege forms part of an aggregate privilege, then add the aggregate privilege to the role hierarchy. Don't grant the function security privilege directly to the role. The Security Console enforces this approach.

The Resources tab, which is read-only, lists any resources granted to the role directly rather than through function security privileges. As you can't grant resources directly to roles on the Security Console, only resource grants created before Release 12 could appear on this tab. You can't edit these values.

Manage Data Security Policies

Make no changes on the Edit Role: Data Security Policies page.

Add and Remove Inherited Roles

The Edit Role: Role Hierarchy page shows the copied duty role and any duty roles and aggregate privileges that it inherits. The hierarchy is in tabular format by default. You can add or remove roles.

To remove a role:

  1. Select the role in the table.

  2. Click the Delete icon.

  3. Click OK to close the information message.

To add a role:

  1. Click Add Role.

  2. In the Add Role Membership dialog box, search for and select the role to add.

  3. Click Add Role Membership.

  4. Click OK to close the confirmation message.

  5. Repeat from step 2 for additional roles.

  6. Close the Add Role Membership dialog box.

    The Edit Role: Role Hierarchy page shows the updated role hierarchy.

  7. Click Next.

Review the Role

On the Edit Role: Summary and Impact Report page, review the summary of changes. Click Back to make corrections. Otherwise:

  1. Click Save and Close to save the role.

  2. Click OK to close the confirmation message.

The role is available immediately.