Role Delegation

Role delegation is the assignment of a role from one user, known as the delegator, to another user, known as the proxy. The delegation can be either for a specified period, such as a planned absence, or indefinite.

You can delegate roles in the Roles and Approvals Delegated to Others section on the Manage User Account page. Select Navigator > Me > Roles and Delegations.

You can also make a role delegable by using the Security Console. In the Users tab, search and view the selected user account details and edit. In the roles table there is an Assignable option for each role listed. Once the Assignable option is checked on the role, the role becomes delegable. Click Save and Close.

The proxy user can perform the tasks of the delegated role on the relevant data. For example, a line manager can manage absence records for his or her reports. If that manager delegates the line manager role, then the proxy can also manage the absence records of the delegator's reports. The delegator doesn't lose the role while it's delegated.

The proxy user signs in using his or her own user name, but has extra function and data privileges from the delegated role.

Proxy Users

You can delegate roles to any user whose details you can access by means of a public person security profile. This security profile typically controls access to person details in the worker directory.

Roles That You Can Delegate

You can delegate any role that you have currently, provided that the role is enabled for delegation.

Note: The role may have been autoprovisioned to you based on your assignment attributes. If the relevant assignment has a future termination date, then you can't delegate the role. This restriction doesn't apply to the proxy user, whose assignments can have future-dated terminations.

You can also delegate any role that you can provision to other users, provided that the role is enabled for delegation. By delegating roles rather than provisioning them to a user, you can:

• Specify a limited period for the delegation.

• Enable the proxy user to access your data.

If you have the Human Resource Specialist job role, you can use the Manage User Account page to delegate roles that are allowed for delegation on behalf of another selected user. The proxy user can see all delegations and who made them on their user account page, but they can't edit or delete delegations performed by others.

Duplicate Roles

If the proxy user already has the role, then the role isn't provisioned again. However, the proxy user gains access to the data that's accessible using the delegator's role.

For example, you may delegate the line manager role to a proxy user who already has the role. The proxy user can access both your data (for example, your manager hierarchy) and his or her own data while the role is delegated. The proxy's My Account page shows the delegated role in the Roles Delegated to Me section, even though only data access has been delegated.

Delegation from Multiple Delegators

Multiple users can delegate the same role to the same proxy for overlapping periods. If the proxy user already has the role, then the role isn't provisioned again. However, the proxy can access the data associated with the delegated roles. For example, three line managers delegate the line manager role to the same proxy for the following periods:

• Manager 1, January and February

• Manager 2, February and March

• Manager 3, January through April

This table shows by month which manager hierarchies the proxy can access.

Month	Manager 1 Hierarchy	Manager 2 Hierarchy	Manager 3 Hierarchy
January	Yes	No	Yes
February	Yes	Yes	Yes
March	No	Yes	Yes
April	No	No	Yes

For example, the proxy can access the hierarchies of all three managers in February. If the proxy is a line manager, then the proxy can access his or her own manager hierarchy in addition to those from other managers.

Note: A single delegator can't delegate the same role to the same proxy more than once for overlapping periods.

Role Delegation Dates

You can enter both start and end dates or a start date only.

• If the start date is today's date, then the delegation is immediate.

• If the start and end dates are the same, then the delegation is immediate on the start date. A request to end the delegation is generated on the same date and processed when the Send Pending LDAP Requests process next runs.

• If the start and end dates are different and in the future, then requests to start and end delegation are generated on the relevant dates. They're processed when Send Pending LDAP Requests runs on those dates.

• If you change a delegation date to today's date, then the change is immediate if the start and end dates are different. If they're the same, then a request to end the delegation is generated and processed when Send Pending LDAP Requests next runs.

• If you enter no end date, then the delegation is indefinite.

Role delegation ends automatically if the proxy user's assignment is terminated.

Limit the Delegation Duration

You can specify the maximum number of days of the duration of role delegations using a predefined profile option. Once specified, the end date for a role delegation is required. If users try to save a role delegation without setting a valid end date, then an error message alerts them to the latest allowable date for the end date.

To set the profile option, follow these steps:

1. In the Setup and Maintenance work area, use the Manage Administrator Profile Values task.

2. On the Manage Administrator Profile Values page, enter PER_USER_DELEGATION_MAX_DAYS in the Profile Option Code field and click Search.

3. In the Profile Values section of the search results, enter the number of days for the duration of delegation in the Profile Value field.

4. Click Save and Close.

The default profile value is 0, which specifies that the end date for a role delegation is not validated.

Notifications Support in Role Delegation

When a role delegation is created or deleted, you can choose to send a notification that indicates the creation or deletion. Introducing a notification upon creating or deleting a delegation notifies users that they have may have new or different responsibilities.

When an employee (Delegator) creates or deletes a delegation (Self-Service), a notification is sent to the user defined as the Proxy (Delegate To). When an HR Administrator creates or deletes a delegation (On-Behalf of), a notification is sent to both the selected person on behalf of whom the delegation was created or deleted (Delegator), and the user defined as the Proxy (Delegate To).

You enable this feature by setting the delivered PER_USER_DELEGATION_SEND_NOTIFICATIONS profile option to Y.

To enable the profile option, navigate to the Setup and Maintenance work area:

1. Search for and click the Manage Administrator Profile Values task.

2. Search for and select the profile option.

3. Click to add a new Profile Value.

4. Select the Level as Site.

5. Enter a Y in the Profile Value field.

6. Click Save and Close.

The default profile value is 0, which will not send notifications.