19 Using the Security Console

Graphical and Tabular Role Visualizations

On the Roles tab of the Security Console, you can review role hierarchies. You see either a tabular or a graphical view of a role hierarchy. Which view you see by default depends on the setting of the Enable default table view option on the Administration tab. This topic describes how to use each of these views.

Role hierarchies stretch from users at the top of the hierarchy to privileges at the bottom. In both graphical and tabular views, you can set the direction of the displayed hierarchy.

  • To show from the selected user, role, or privilege up the hierarchy, set Expand Toward to Users.

  • To show from the selected user, role, or privilege down the hierarchy, set Expand Toward to Roles.

The Tabular View

If the tabular view doesn't appear when you select a security artifact on the Roles tab, then you can click the View as Table icon. In the tabular view, you can:

  • Review the complete role hierarchy for a selected user or role. The table shows roles inherited both directly and indirectly.

  • Search for a security artifact by entering a search term in the column search field and pressing Enter.

  • Set the contents of the table as follows:

    • If Expand Toward is set to Privileges, then you can set Show to either Privileges or Roles.

    • If Expand Toward is set to Users, then you can set Show to either Roles or Users.

    The resulting contents of the table depend on the start point. For example, if you select a privilege, Expand Toward is set to Privileges, and Show is set to Roles, then the table is empty.

  • Export the displayed details to a Microsoft Excel spreadsheet.
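
The following Python example is an added illustration, not Oracle code or part of the Security Console. It models how Expand Toward and Show select the table contents over direct and indirect inheritance, including the empty-table case described above. The hierarchy, the artifact names, and the expand function are constructed for this example.

```python
from collections import deque

# Constructed sample hierarchy (all names hypothetical). Each edge points one
# step down: user -> role, role -> inherited role, or role -> privilege.
EDGES = [
    ("user:jsmith", "role:HR_SPECIALIST_JOB"),
    ("user:adoe", "role:HR_SPECIALIST_JOB"),
    ("user:adoe", "role:EMPLOYEE_ABSTRACT"),
    ("role:HR_SPECIALIST_JOB", "role:WORKER_MGMT_DUTY"),
    ("role:WORKER_MGMT_DUTY", "priv:MANAGE_PERSON"),
    ("role:EMPLOYEE_ABSTRACT", "priv:VIEW_OWN_RECORD"),
]
# Show values the page allows for each Expand Toward setting.
ALLOWED_SHOW = {"Privileges": ("Privileges", "Roles"), "Users": ("Roles", "Users")}
PREFIX = {"Users": "user:", "Roles": "role:", "Privileges": "priv:"}

def expand(start, toward, show):
    """Artifacts of kind `show` reachable from `start`, directly or
    indirectly, walking toward users (up) or toward privileges (down)."""
    if show not in ALLOWED_SHOW.get(toward, ()):
        raise ValueError(f"Show={show!r} is not offered for Expand Toward={toward!r}")
    step = {}
    for upper, lower in EDGES:
        src, dst = (upper, lower) if toward == "Privileges" else (lower, upper)
        step.setdefault(src, []).append(dst)
    seen, queue = set(), deque([start])
    while queue:  # breadth-first walk; `seen` also guards against cycles
        for nxt in step.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(n for n in seen if n.startswith(PREFIX[show]))

if __name__ == "__main__":
    # Complete role hierarchy for a user, direct and indirect.
    print(expand("user:adoe", "Privileges", "Roles"))
    # Users who hold a duty role through any job role.
    print(expand("role:WORKER_MGMT_DUTY", "Users", "Users"))
    # Starting at a privilege and expanding toward privileges: empty table.
    print(expand("priv:MANAGE_PERSON", "Privileges", "Roles"))
```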

The Graphical View

If the graphical view doesn't appear when you select a security artifact on the Roles tab, then you can click the Show Graph icon. In the graphical view, users, privileges, and the various types of roles are represented by nodes and differentiated by both color and labels. These values are defined in the Legend. You can:

  • Review roles inherited directly by the selected role or user. To see roles and privileges inherited indirectly, select a directly inherited role, right-click, and select either Expand or Expand All. Select Collapse or Collapse All to reverse the action. Alternatively, double-click a node to expand or collapse it.

  • Use the Set as Focus action to make any selected node the center of the visualization.

  • Use the Overview icon to manipulate the visualization. For example, clicking a node in the Overview moves the node to the center of the visualization. You can also use drag and drop.

  • Hover on a legend entry to highlight the corresponding nodes in the visualization. Click a legend entry to add or remove corresponding nodes in the visualization.

In the Control Panel, you can:

  • Switch the layout between radial and layered representations.

  • Click the Search icon and enter a search term to find a security artifact among currently displayed nodes.

  • Zoom in and out using either the Zoom in and Zoom out icons or the mouse wheel.

  • Magnify areas of the visualization by clicking the Magnify icon and dragging it to the area of interest. Click the icon again to switch it off.

  • Click the Zoom to Fit icon to center the image and fill the display area.

Simulate Navigator Menus

You can simulate the Navigator for both users and roles. This feature can help you to identify how access is provided to specific work areas and tasks. You may need this information when creating roles, for example. This topic provides instructions for simulating the Navigator.

Simulate the Navigator for a Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for the role, which can be of any type.

  2. In the search results, select Simulate Navigator in the Actions menu for the role. The Simulate Navigator page opens. Icons may appear against Navigator entries. In particular:

    • The Lock icon indicates that the role can't access the entry.

    • The Warning icon indicates that the entry may not appear in the Navigator as the result of configuration, for example.

    Entries without either of these icons are available to the role.

Tip: To view just the entries that the role can access, set Show to Access granted.

View Roles That Grant Access to a Navigator Entry

For any entry in the Navigator, regardless of whether it's available to the role, you can identify the roles that grant access. Follow these steps:

  1. Click the entry.

  2. Select View Roles That Grant Access.

  3. In the Roles That Grant Access dialog box, review the list of roles. The roles can be of all types. After reviewing this list, you can decide how to enable this access, if appropriate. For example, you may decide to provision an abstract role to a user or add an aggregate privilege to a custom role.

  4. Click OK to close the Roles That Grant Access dialog box.

View Privileges Required for Menu

For any entry in the Navigator, regardless of whether it's available to the role, you can identify the privileges that grant access to:

  • The Navigator entry

  • Tasks in the associated work area

Follow these steps:

  1. Click the entry.

  2. Select View Privileges Required for Menu.

  3. In the View Privileges for Work Area Access dialog box, review the list of privileges that grant access to:

    • The Navigator menu item

    • Task panel entries in the associated work area. In the Access Granted column of this table, you can see whether the selected role can access these tasks.

    You can use this information when creating roles, for example. You can identify how to both add and remove access to specific tasks and work areas.

  4. Click OK to close the View Privileges for Work Area Access dialog box.

  5. Click Close to close the Simulate Navigator page.

Simulate the Navigator for a User

Search for the user on the Roles tab of the Security Console and select Simulate Navigator in the Actions menu for the user. Follow the instructions for simulating the Navigator for a role.

Review Role Assignments

You can use the Security Console to:

  • View the roles assigned to a user.

  • Identify users who have a specific role.

You must have the IT Security Manager job role to perform these tasks.

View the Roles Assigned to a User

Follow these steps:

  1. Open the Security Console.

  2. On the Roles tab, search for and select the user.

    Depending on the enterprise setting, either a table or a graphical representation of the user's role hierarchy appears. Switch to the graphical representation if necessary to see the user and any roles that the user inherits directly. User and role names appear on hover. To expand an inherited role:

    1. Select the role and right-click.

    2. Select Expand. Repeat these steps as required to move down the hierarchy.

Tip: Switch to the table to see the complete role hierarchy at once. You can export the details to Microsoft Excel from this view.

Identify Users Who Have a Specific Role

Follow these steps:

  1. On the Roles tab of the Security Console, search for and select the role.

  2. Depending on the enterprise setting, either a table or a graphical representation of the role hierarchy appears. Switch to the graphical representation if it doesn't appear by default.

  3. Set Expand Toward to Users.

    Tip: Set the Expand Toward option to control the direction of the graph. You can move either up the hierarchy from the selected role (toward users) or down the hierarchy from the selected role (toward privileges).

    In the refreshed graph, user names appear on hover. Users may inherit roles either directly or indirectly from other roles. Expand a role to view its hierarchy.

  4. In the Legend, click the Tabular View icon for the User icon. The table lists all users who have the role. You can export this information to Microsoft Excel.

Review Role Hierarchies

On the Security Console you can review the role hierarchy of a job role, an abstract role, a duty role, or an HCM data role. You must have the IT Security Manager job role to perform this task.

Note: Although you can review HCM data roles on the Security Console, you must manage them on the Manage HCM Data Role and Security Profiles page. Don't attempt to edit them on the Security Console.

Follow these steps:

  1. On the Roles tab of the Security Console, ensure that Expand Toward is set to Privileges.

  2. Search for and select the role. Depending on the enterprise setting, either a table or a graphical representation of the role appears.

  3. If the table doesn't appear by default, click the View as Table icon. The table lists every role inherited either directly or indirectly by the selected role. Set Show to Privileges to switch from roles to privileges.

    Tip: Enter text in a column search field and press Enter to show only those roles or privileges that contain the specified text.

Click Export to Excel to export the current table data to Microsoft Excel.

Compare Roles

You can compare two roles to identify differences and similarities. The roles can be job roles, abstract roles, HCM data roles, duty roles, or aggregate privileges. You can compare roles of the same or different types. For example, you can compare a job role with a duty role or a custom job role with its predefined equivalent. This topic describes how to compare two roles.

Compare Two Roles

Follow these steps:

  1. On the Roles tab of the Security Console, click Compare Roles. The Compare Roles page opens.

  2. In the First Role field, search for and select the first of the two roles to compare.

  3. In the Second Role field, search for and select the second role.

  4. Set Filter Criteria to one of these values to identify the security artifacts to compare in each of the roles:

    • Function security policies

    • Data security policies

    • Inherited roles

  5. Set Show to one of the values shown in this table to identify the security artifacts to display in the comparison results.

    Value                  Description
    All                    All selected artifacts for both roles.
    Only in first role     Selected artifacts that appear in the first role but not in the second role.
    Only in second role    Selected artifacts that appear in the second role but not in the first role.
    In both roles          Only those selected artifacts that appear in both roles.

    For example, if you set Filter Criteria to Inherited roles and Show to In both roles, then you see the roles that both roles inherit. The comparison excludes any role that only one of the roles inherits.

  6. Click Compare. You can query by example to filter the results. The comparison is refreshed automatically if you change the Show or Filter Criteria values.

    Tip: Click Export to Excel to save the comparison data to a spreadsheet.

  7. Click Done to close the Compare Roles page.

Alternative ways of comparing roles on the Roles tab exist. You can:

  • In the search results, select Compare Roles from the Actions menu for a role.

  • In the graphical view of a role, select the role, right-click and select Compare Roles.

In both cases, the selected role becomes the first role in the role comparison.

Copy Privileges to the Second Role in the Comparison

You can make some updates to the second role in the comparison without having to edit the role explicitly. That is, you can copy a selected function or data security policy from the first role to the second role when you set:

  • Filter Criteria to either Function security policies or Data security policies

  • Show to Only in first role

Note: The second role in the comparison must be a custom role.

To copy a selected policy to the second role, you click Add to Second Role.

Role Information on the Analytics Tab

All roles belong to a category. In most cases, the category identifies both the owning product family and the role type. For example, HCM - Job Roles, HCM - Duty Roles, and Common - Abstract Roles are role categories. This topic describes how to review statistics relating to role categories and details of individual roles on the Analytics tab of the Security Console.

On the Analytics tab, you can see these numbers for each role category:

  • Roles in the category

  • Role memberships (roles that are inherited by roles in this category)

  • Function security policies granted to all roles in the category

  • Data security policies granted to all roles in the category

This information appears in a table. The number of roles in each category also appears in a pie chart.

Reviewing Roles on the Analytics Tab

To review role details on the Analytics tab, follow these steps:

  1. Select a role category to populate the Roles in Category section of the Analytics tab.

  2. In the Roles in Category section, you see a list of all roles in the selected category. You can filter the list by entering a value in any of the column search fields and pressing Enter.

  3. For a selected role, click the role name to open the Role Details page.

  4. On the Role Details page, review the role's:

    • Function security policies

    • Data security policies

    • Role hierarchy

    • User memberships (users who have the role)

Click Export to save this role information to a .csv file.

Analytics for Database Resources

You can review information about data security policies that grant access to a database resource, or about roles and users granted access to that resource.

  1. On the Analytics page, click the Database Resources tab.

  2. Select the resource you want to review in the Database Resource field.

  3. Click Go.

    Results are presented in three tables.

Data Security Policies

The Data Security Policies table documents policies that grant access to the selected database resource.

Each row documents a policy, specifying by default:

  • The data privileges it grants.

  • The condition that defines how data is selected from the database resource.

  • The policy name and description.

  • A role that includes the policy.

For any given policy, this table may include multiple rows, one for each role in which the policy is used.

Authorized Roles

The Authorized Roles table documents roles with direct or indirect access to the selected database resource. Any given role may:

  • Include one or more data security policies that grant access to the database resource. The Authorized Roles table includes one row for each policy belonging to the role.

  • Inherit access to the database resource from one or more roles in its hierarchy. The Authorized Roles table includes one row for each inheritance.

By default, each row specifies the following:

  • The name of the role it documents.

  • The name of a subordinate role from which access is inherited, if any. (If the row documents access provided by a data security policy assigned directly to the subject role, this cell is blank.)

  • The data privileges granted to the role.

  • The condition that defines how data is selected from the database resource.

Note: A role's data security policies and hierarchy may grant access to any number of database resources. However, the Authorized Roles table displays records only of access to the database resource you selected.

Authorized Users

The Authorized Users table documents users who are assigned roles with access to the selected database resource.

By default, each row specifies a user name, a role the user is assigned, the data privileges granted to the user, and the condition that defines how data is selected from the database resource. For any given user, this table may include multiple rows, one for each grant of access by a data security policy belonging to, or inherited by, a role assigned to the user.
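
The following Python example is an added illustration, not Oracle code. It models how the Authorized Roles and Authorized Users rows described above follow from policies, role inheritance, and role assignments, so that the same access can be reasoned about offline during an access review. All policy, role, resource, and user names are constructed, and emitting one row per inherited policy is an assumption about row granularity.

```python
# Constructed sample data; every name below is hypothetical.
# Policy tuple: (policy name, role that includes it, database resource,
#                data privileges, condition)
POLICIES = [
    ("Grant on Sample Person", "WORKER_MGMT_DUTY", "SAMPLE_PERSONS",
     "Manage Person", "Persons in the user's security profile"),
    ("Grant on Own Person", "EMPLOYEE_ABSTRACT", "SAMPLE_PERSONS",
     "View Person", "The user's own person record"),
    ("Grant on Sample Job", "WORKER_MGMT_DUTY", "SAMPLE_JOBS",
     "View Job", "All jobs"),
]
INHERITS = {"HR_MANAGER_JOB": ["HR_SPECIALIST_JOB"],
            "HR_SPECIALIST_JOB": ["WORKER_MGMT_DUTY"]}
ASSIGNED = {"jsmith": ["HR_MANAGER_JOB"],
            "adoe": ["EMPLOYEE_ABSTRACT", "HR_SPECIALIST_JOB"]}

def subordinates(role, seen=None):
    """Roles that `role` inherits, directly or indirectly (cycle-safe)."""
    seen = set() if seen is None else seen
    for child in INHERITS.get(role, []):
        if child not in seen:
            seen.add(child)
            subordinates(child, seen)
    return seen

def authorized_roles(resource):
    """Rows of (role, inherited-from role or "", privileges, condition)."""
    grants = [p for p in POLICIES if p[2] == resource]
    rows = []
    for role in sorted({p[1] for p in grants} | set(INHERITS)):
        inherited = subordinates(role)
        for _name, owner, _res, privs, cond in grants:
            if owner == role:         # policy belongs to the role itself
                rows.append((role, "", privs, cond))
            elif owner in inherited:  # assumed: one row per inherited policy
                rows.append((role, owner, privs, cond))
    return rows

def authorized_users(resource):
    """Rows of (user, assigned role, privileges, condition), one per grant."""
    by_role = {}
    for role, _via, privs, cond in authorized_roles(resource):
        by_role.setdefault(role, []).append((privs, cond))
    return [(user, role, privs, cond)
            for user in sorted(ASSIGNED) for role in ASSIGNED[user]
            for privs, cond in by_role.get(role, [])]
```

In this constructed data, adoe appears twice for SAMPLE_PERSONS, once through each assigned role, which is the multiple-rows-per-user case the table description mentions.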

Manipulating the Results

In any of these three tables, you can perform the following actions:

  • Add or remove columns. Select View - Columns.

  • Search among the results. Select View - Query by Example to add a search field on each column in a table.

  • Export results to a spreadsheet. Select the Export to Excel option available for each table.