14 Provisioning Roles to Application Users


Roles give users access to data and functions. To provision a role to users, you define a relationship, called a role mapping, between the role and some conditions. This topic describes how to provision roles to users both automatically and manually. Use the Manage Role Provisioning Rules task in the Setup and Maintenance work area.

Note: All role provisioning generates requests to provision roles. Only when those requests are processed successfully is role provisioning complete.

Automatic Provisioning of Roles to Users

Role provisioning occurs automatically if:

  • At least one of the user's assignments matches all role-mapping conditions.

  • You select the Autoprovision option for the role in the role mapping.

For example, for the data role Sales Manager Finance Department, you could select the Autoprovision option and specify the conditions shown in this table.

Attribute            | Value
Department           | Finance Department
Job                  | Sales Manager
HR Assignment Status | Active

Users with at least one assignment that matches these conditions acquire the role automatically when you either create or update the assignment. The provisioning process also removes automatically provisioned roles from users who no longer satisfy the role-mapping conditions.

Manual Provisioning of Roles to Users

Users such as line managers can provision roles manually to other users if:

  • At least one of the assignments of the user who's provisioning the role, for example, the line manager, matches all role-mapping conditions.

  • You select the Requestable option for the role in the role mapping.

For example, for the data role Training Team Leader, you could select the Requestable option and specify the conditions shown in this table.

Attribute            | Value
Manager with Reports | Yes
HR Assignment Status | Active

Any user with at least one assignment that matches both conditions can provision the role Training Team Leader manually to other users.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role Requests from Users

Users can request a role when managing their own accounts if:

  • At least one of their assignments matches all role-mapping conditions.

  • You select the Self-requestable option for the role in the role mapping.

For example, for the data role Expenses Reporter you could select the Self-requestable option and specify the conditions shown in this table.

Attribute            | Value
Department           | Finance Department
System Person Type   | Employee
HR Assignment Status | Active

Any user with at least one assignment that matches these conditions can request the role. Self-requested roles are defined as manually provisioned.

Users keep manually provisioned roles until either all of their work relationships are terminated or you deprovision the roles manually.

Role-Mapping Names

Role mapping names must be unique in the enterprise. Devise a naming scheme that shows the scope of each role mapping. For example, the role mapping Autoprovisioned Roles Sales could include all roles provisioned automatically to workers in the sales department.

To provision roles to users, you create role mappings. This topic explains how to create a role mapping.

Sign in as IT Security Manager and follow these steps:

  1. In the Setup and Maintenance work area, go to the following:

    • Functional Area: Users and Security

    • Task: Manage Role Provisioning Rules

  2. In the Search Results section of the Manage Role Mappings page, click Create.

    The Create Role Mapping page opens.

Define the Role-Mapping Conditions

Set values in the Conditions section to specify when the role mapping applies. For example, the values shown in this table limit the mapping to current employees of the Procurement Department in Denver whose job is Chief Buyer.

Field                | Value
Department           | Procurement Department
Job                  | Chief Buyer
Location             | Denver
System Person Type   | Employee
HR Assignment Status | Active

Users must have at least one assignment that meets all these conditions.

Identify the Roles

  1. In the Associated Roles section, click Add Row.

  2. In the Role Name field, search for and select the role that you're provisioning. For example, search for the data role Procurement Analyst Denver.

  3. Select one or more of the role-provisioning options shown in this table.

    Role-Provisioning Option | Description
    Requestable              | Qualifying users can provision the role to other users.
    Self-Requestable         | Qualifying users can request the role for themselves.
    Autoprovision            | Qualifying users acquire the role automatically.

    Qualifying users have at least one assignment that matches the role-mapping conditions.

    Note: Autoprovision is selected by default. Remember to deselect it if you don't want autoprovisioning.

    The Delegation Allowed option indicates whether users who have the role or can provision it to others can also delegate it. You can't change this value, which is part of the role definition. When adding roles to a role mapping, you can search for roles that allow delegation.

  4. If appropriate, add more rows to the Associated Roles section and select provisioning options. The role-mapping conditions apply to all roles in this section.

  5. Click Save and Close.

Apply Autoprovisioning

We recommend that you run the Autoprovision Roles for All Users process after creating or editing role mappings and after loading person records in bulk. This process compares all current user assignments with all current role mappings and creates the appropriate autoprovisioning requests.

Examples of Role Mappings

You must provision roles to users either automatically or manually. This topic provides some examples of typical role mappings to support automatic and manual role provisioning.

Creating a Role Mapping for Employees

All employees must have the Employee role automatically from their hire dates. In addition, the few employees who claim expenses must request the Expenses Reporting data role.

You create a role mapping called All Employees and enter the conditions shown in this table.

Attribute            | Value
System Person Type   | Employee
HR Assignment Status | Active

In the role mapping you include the:

  • Employee role, and select the Autoprovision option

  • Expenses Reporting role, and select the Self-requestable option

Creating a Role Mapping for Line Managers

Any type of worker can be a line manager in the sales business unit. You create a role mapping called Line Manager Sales BU and enter the conditions shown in this table.

Attribute            | Value
Business Unit        | Sales
HR Assignment Status | Active
Manager with Reports | Yes

You include the Line Manager role and select the Autoprovision option. Any worker with at least one assignment that matches the role-mapping conditions acquires the role automatically.

In the same role mapping, you can include roles that line managers can:

  • Provision manually to other users.

    You select the Requestable option for these roles.

  • Request for themselves.

    You select the Self-requestable option for these roles.

Tip: The Manager with Reports attribute always means a line manager. Setting the Manager Type attribute to Line Manager is the same as setting Manager with Reports to Yes. If your role mapping applies to managers of a type other than Line Manager, then don't set the Manager with Reports attribute.

Creating a Role Mapping for Retirees

Retired workers have system access to manage their retirement accounts. You create a role mapping called All Retirees and enter the conditions shown in this table.

Attribute            | Value
System Person Type   | Retiree
HR Assignment Status | Inactive

You include the custom role Retiree in the role mapping and select the Autoprovision option. When at least one of a worker's assignments satisfies the role-mapping conditions, he or she acquires the role automatically.

You must provision roles to users. Otherwise, they have no access to data or functions and can't perform application tasks. This topic explains how role mappings control role provisioning and deprovisioning. Use the Manage Role Provisioning Rules or Manage HCM Role Provisioning Rules task to create role mappings.

Role Provisioning Methods

You can provision roles to users:

  • Automatically

  • Manually

    • Users such as line managers can provision roles manually to other users.

    • Users can request roles for themselves.

For both automatic and manual role provisioning, you create a role mapping to specify when a user becomes eligible for a role.

Role Types

You can provision data roles, abstract roles, and job roles to users. However, for Oracle HCM Cloud users, you typically include job roles in HCM data roles and provision those data roles.

Automatic Role Provisioning

Users acquire a role automatically when at least one of their assignments satisfies the conditions in the relevant role mapping. Provisioning occurs when you create or update worker assignments. For example, when you promote a worker to a management position, the worker acquires the line manager role automatically if an appropriate role mapping exists. All changes to assignments cause review and update of a worker's automatically provisioned roles.

Role Deprovisioning

Users lose automatically provisioned roles when they no longer satisfy the role-mapping conditions. For example, a line manager loses an automatically provisioned line manager role when he or she stops being a line manager. You can also manually deprovision automatically provisioned roles at any time.

Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

Roles at Termination

When you terminate a work relationship, the user automatically loses all automatically provisioned roles for which he or she no longer qualifies. The user loses manually provisioned roles only if he or she has no other work relationships. Otherwise, the user keeps manually provisioned roles until you remove them manually.

The person who terminates a work relationship specifies when the affected user loses roles. Deprovisioning can occur:

  • On the termination date

  • On the day after the termination date

If you enter a future termination date, then role deprovisioning doesn't occur until that date or the day after. The Role Requests in the Last 30 Days section on the Manage User Account page is updated only when the deprovisioning request is created. Entries remain in that section until they're processed.

Role mappings can provision roles to users automatically at termination. For example, a terminated worker could acquire the custom role Retiree at termination based on assignment status and person type values.

Reversal of Termination

Reversing a termination removes any roles that the user acquired automatically at termination. It also provisions roles to the user as follows:

  • Any manually provisioned roles that were lost automatically at termination are reinstated.

  • As the autoprovisioning process runs automatically when a termination is reversed, roles are provisioned automatically as specified by current role-provisioning rules.

You must reinstate manually any roles that you removed manually, if appropriate.

Date-Effective Changes to Assignments

Automatic role provisioning and deprovisioning are based on current data. For a future-dated transaction, such as a future promotion, role provisioning occurs on the day the changes take effect. The Send Pending LDAP Requests process identifies future-dated transactions and manages role provisioning and deprovisioning at the appropriate time. These role-provisioning changes take effect on the system date. Therefore, a delay of up to 24 hours may occur before users in other time zones acquire their roles.

Autoprovisioning is the automatic allocation or removal of user roles. It occurs for individual users when you create or update assignments. You can also apply autoprovisioning explicitly for the enterprise using the Autoprovision Roles for All Users process. This topic explains the effects of applying autoprovisioning for the enterprise.

Roles That Autoprovisioning Affects

Autoprovisioning applies only to roles that have the Autoprovision option enabled in a role mapping. Roles without that option aren't affected, whether or not they're otherwise requestable.

The Autoprovision Roles for All Users Process

The Autoprovision Roles for All Users process compares all current user assignments with all current role mappings.

  • Users with at least one assignment that matches the conditions in a role mapping and who don't currently have the associated roles acquire those roles.

  • Users who currently have the roles but no longer satisfy the associated role-mapping conditions lose those roles.

When a user has no roles, his or her user account is also suspended automatically by default.

The process creates requests immediately to add or remove roles. These requests are processed by the Send Pending LDAP Requests process. When running Autoprovision Roles for All Users, you can specify when role requests are to be processed. You can either process them immediately or defer them as a batch to the next run of the Send Pending LDAP Requests process. Deferring the processing is better for performance, especially when thousands of role requests may be generated. Set the Process Generated Role Requests parameter to No to defer the processing. If you process the requests immediately, then Autoprovision Roles for All Users produces a report identifying the LDAP request ranges that were generated. Requests are processed on their effective dates.
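The following model is an added illustration, not Oracle's code: it applies the rules stated in this chapter for manual provisioning (a requester's own assignment must match all conditions of a mapping in which the role is Requestable or Self-requestable) and for the Autoprovision Roles for All Users process (qualifying users acquire Autoprovision roles; users who no longer qualify lose only the roles that were provisioned automatically). The role mappings and users are constructed sample data modelled on the All Employees and Line Manager Sales BU examples; alice has just become a line manager, and bob has stopped being one but holds a manually provisioned role.

```python
from dataclasses import dataclass, field

@dataclass
class RoleMapping:
    name: str
    conditions: dict                                    # attribute -> required value
    autoprovision: set = field(default_factory=set)     # roles with Autoprovision
    requestable: set = field(default_factory=set)       # roles with Requestable
    self_requestable: set = field(default_factory=set)  # roles with Self-requestable

@dataclass
class User:
    name: str
    assignments: list                          # list of {attribute: value} dicts
    roles: dict = field(default_factory=dict)  # role -> "Automatic" or "Manual"

def qualifies(user, mapping):
    """True when at least one assignment matches ALL of the mapping's conditions."""
    return any(all(a.get(k) == v for k, v in mapping.conditions.items())
               for a in user.assignments)

def autoprovision_all_users(users, mappings):
    """Model of Autoprovision Roles for All Users: for each user, the roles to
    add and the automatically provisioned roles to remove. Manually provisioned
    roles are left alone, as the chapter says."""
    requests = {}
    for u in users:
        wanted = set().union(*(m.autoprovision for m in mappings if qualifies(u, m)))
        held_auto = {r for r, how in u.roles.items() if how == "Automatic"}
        requests[u.name] = (wanted - set(u.roles), held_auto - wanted)
    return requests

def can_provision_to_others(requester, role, mappings):
    """Manual provisioning: the requester's own assignment must qualify and the
    role must carry the Requestable option in that mapping."""
    return any(qualifies(requester, m) and role in m.requestable for m in mappings)

def can_self_request(user, role, mappings):
    return any(qualifies(user, m) and role in m.self_requestable for m in mappings)

# Constructed sample data modelled on the chapter's All Employees and Line Manager Sales BU mappings.
ACTIVE = {"System Person Type": "Employee", "HR Assignment Status": "Active"}
MAPPINGS = [
    RoleMapping("All Employees", dict(ACTIVE), autoprovision={"Employee"},
                self_requestable={"Expenses Reporting"}),
    RoleMapping("Line Manager Sales BU",
                {"Business Unit": "Sales", "HR Assignment Status": "Active",
                 "Manager with Reports": "Yes"},
                autoprovision={"Line Manager"}, requestable={"Training Team Leader"}),
]
ALICE = User("alice", [{**ACTIVE, "Business Unit": "Sales", "Manager with Reports": "Yes"}],
             {"Employee": "Automatic"})
BOB = User("bob", [{**ACTIVE, "Business Unit": "Sales", "Manager with Reports": "No"}],
           {"Employee": "Automatic", "Line Manager": "Automatic", "Training Team Leader": "Manual"})
```

Running autoprovision_all_users([ALICE, BOB], MAPPINGS) yields an add request for alice's Line Manager role and a removal request for bob's, while bob's manually provisioned Training Team Leader role is untouched.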

When to Run the Process

We recommend that you run Autoprovision Roles for All Users after creating or editing role mappings. You may also have to run it after loading person records in bulk if you request user accounts for those records. If an appropriate role mapping exists before the load, then this process isn't necessary. Otherwise, you must run it to provision roles to new users loaded in bulk. Avoid running the process more than once in any day; otherwise, the number of role requests that the process generates may slow the provisioning process.

Only one instance of Autoprovision Roles for All Users can run at a time.

Autoprovisioning for Individual Users

You can apply autoprovisioning for individual users on the Manage User Account page.

On the Edit Role Mapping page, you can update a role mapping. Changes that you make to start and end dates, role-mapping conditions, and the associated roles may affect current role provisioning. This topic describes when such changes take effect. To edit a role mapping, perform the Manage Role Provisioning Rules task in the Setup and Maintenance work area.

Making Changes to Roles That Were Provisioned Automatically

Changes to roles that were provisioned automatically take effect as soon as one of the following occurs:

  • The Autoprovision Roles for All Users process runs.

    This process compares all current user assignments with all current role mappings and updates role provisioning as appropriate. We recommend that you run this process after creating or editing role mappings. You should also run this process after loading person records in bulk if no role mapping exists for those person records before the load.

  • A human resource (HR) specialist or line manager clicks Apply Autoprovisioning on the Manage User Account or Edit User page for individual users affected by the role mapping.

    This action compares the user's current assignments with all current role mappings and updates the user's roles as appropriate.

  • An HR specialist or line manager creates or updates assignments of users affected by the role mapping.

    These actions cause a user's roles to be reevaluated.

Making Changes to Requestable Roles

Changes to requestable roles take effect immediately. If you remove a requestable role from the role mapping or change the role-mapping conditions, then:

  • Users who currently have the role keep it.

    Users such as line managers provision requestable roles manually to other users. Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

  • Users who could provision the role to other users can no longer do so, unless they satisfy any revised role-mapping conditions.

Making Changes to Self-Requestable Roles

Changes to self-requestable roles take effect immediately. If you remove a self-requestable role from the role mapping or change the role-mapping conditions, then:

  • Users who currently have the role keep it.

    Users lose manually provisioned roles automatically only when all of their work relationships are terminated. Otherwise, users keep manually provisioned roles until you deprovision them manually.

  • Users who could request the role can no longer do so, unless they satisfy any revised role-mapping conditions.

FAQs for Provisioning Roles to Application Users

Most are assignment attributes, such as job or department. At least one of a user's assignments must match all assignment values in the role mapping for the user to qualify for the associated roles.

Use HR Assignment Status to specify whether qualifying assignments must be active or inactive.

Use Assignment Status to specify a subcategory, such as Active - Payroll Eligible or Suspended - No Payroll.

When you select an HR Assignment Status value, the corresponding Assignment Status values appear. For example, if HR Assignment Status is Inactive, then Assignment Status values have the prefix Inactive or Suspended.

Any role that you want to provision to users. You can provision data roles, abstract roles, and job roles to users. The roles can be either predefined or custom.

The provisioning method identifies how the user acquired the role. This table describes its values.

Provisioning Method | Meaning
Automatic           | The user qualifies for the role automatically based on his or her assignment attribute values.
Manual              | Either another user assigned the role to the user, or the user requested the role.
External            | The user acquired the role outside Oracle Applications Cloud.