8 Configuring Security

This chapter contains the following:

Copying Oracle Loyalty Roles: Points to Consider

Copying predefined roles and editing the copies is the recommended approach to creating company-specific roles. This topic describes some of the issues to consider when copying a role on the Security Console.

Note: You can copy the predefined roles but can't edit them. Predefined roles have role codes with the prefix ORA_.

Role-Copy Options

When you copy a role on the Security Console, you have the option of copying the top role only (shallow copy), or of copying the top role and its inherited roles (deep copy). The result of selecting each of these copy options is described in this section.

  • Copying the Top Role

    If you select the Copy top role option, you copy only the role you have selected. The source role has links to roles in its hierarchy, and the copy inherits links to the original versions of those roles. Subsequent changes to the inherited roles affect not only the source top role, but also your copy. The result of selecting the Copy top role option, therefore, is as follows:

    • You can add roles directly to the copied role without affecting the source role.

    • You can remove any role that's inherited directly by the copied role without affecting the source role.

    • If you remove any role that's inherited indirectly by the copied role, then the removal affects both the copied role and any other role that inherits the removed role's parent role, including the source role.

    • If you edit any inherited role, then the changes affect any role that inherits the edited role. The changes aren't limited to the copied role.

      To edit the inherited roles without affecting other roles, you must first make copies of those inherited roles. You can either select the Copy top role and inherited roles option or copy individual inherited roles separately, edit the copies, and use them to replace the existing versions.

  • Copying the Top Role and Inherited Roles

    If you select the Copy top role and inherited roles option, you copy not only the role you have selected, but also all of the roles in its hierarchy. Your copy of the top role is connected to new copies of subordinate roles.

    Note: Inherited duty roles are copied if a copy of the role with the same name doesn't already exist. Otherwise, the copied role inherits links to the existing copies of the duty roles.

    When inherited duty roles are copied, you can edit them without affecting other roles. Equally, changes made subsequently to duty roles in the source role hierarchy aren't reflected in the copied role.

Reviewing the Role Hierarchy

When you copy a predefined job, abstract, or duty role, it's recommended that you first review the role hierarchy to identify any inherited roles that you want to copy, add, or delete in your role. You can review the role hierarchy on the Roles tab of the Security Console in either graphical or tabular format. You can also:

  • Export the role hierarchy to a spreadsheet from the Roles tab.

  • Review the role hierarchy and export it to a spreadsheet from the Analytics tab.

  • Run the User and Role Access Audit Report.

Job and abstract roles inherit function security privileges and data security policies from the roles that they inherit. Function security privileges and data security policies may also be granted directly to a job or abstract role. Review these directly granted privileges on the Roles tab of the Security Console, as follows:

  • In the graphical view of a role, its inherited roles and function security privileges are visible at the same time.

  • In the tabular view, you set the Show value to switch between roles and function security privileges. You can export either view to a spreadsheet.

Once your role exists, edit it to add or remove directly granted function security privileges.

Note: Data security policies are visible only when you edit your role; they don't display in the graphical or tabular role views. However, you can view the data security policies assigned to a role from the Analytics tab of the Security Console.

Transaction Analysis Duty Roles

Some roles, such as the Loyalty Marketing Manager job role, inherit Transaction Analysis Duty roles, which are used in Oracle Transactional Business Intelligence report permissions. If you copy the Loyalty Marketing Manager job role, then you can add the Transaction Analysis Duty roles to your role. However, don't copy the Transaction Analysis Duty roles. If you copy the Transaction Analysis Duty roles, then you must update the permissions for the relevant reports to secure them using your copies of the roles.

Naming Copied Roles

By default, a copied role has the same name as its source role with the suffix Custom. The role codes of copied roles have the suffix _CUSTOM. Copied roles lose the prefix ORA_ automatically from their role codes. You can define a local naming convention for company-specific roles, with a prefix, suffix, or both, on the Roles subtab of the Security Console Administration tab.

Note: Copied roles take their naming pattern from the default values specified on the Roles subtab of the Security Console Administration tab. You can override this pattern on the Copy Role: Basic Information page for the role that you're copying. However, the names of roles inherited by the copied role are unaffected. For example, if you perform a deep copy of the Employee role, then duty roles inherited by that role take their naming pattern from the default values.

If any role in the hierarchy already exists when you copy a role, then no copy of that role is made. For example, if you make a second copy of the Employee role, then copies of the inherited duty roles might already exist. In this case, the copied role inherits links to the existing copies of the roles. To create unique copies of inherited roles, you must enter unique values on the Administration tab of the Security Console before you perform a deep copy. To retain links to the predefined job or abstract role hierarchy, perform a shallow copy of the predefined role.
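The following added example (a toy model written for this page, not Oracle code or a Security Console API) illustrates the shallow-copy and deep-copy behavior from Role-Copy Options together with the naming and reuse rules from Naming Copied Roles. The class, function names, role codes, and privilege names are all hypothetical.

```python
# Toy model of Security Console role copying; not Oracle code or an Oracle API.
class Role:
    def __init__(self, code, privileges=(), inherits=()):
        self.code = code
        self.privileges = set(privileges)  # directly granted privileges
        self.inherits = list(inherits)     # links to inherited Role objects

    def effective_privileges(self):
        privs = set(self.privileges)
        for child in self.inherits:
            privs |= child.effective_privileges()
        return privs

def custom_code(code, suffix="_CUSTOM"):
    # Default naming from the page: ORA_ prefix dropped, _CUSTOM suffix added.
    base = code[4:] if code.startswith("ORA_") else code
    return base + suffix

def shallow_copy(role, catalog, suffix="_CUSTOM"):
    # "Copy top role": the copy links to the ORIGINAL inherited roles.
    copy = Role(custom_code(role.code, suffix), role.privileges, role.inherits)
    catalog[copy.code] = copy
    return copy

def deep_copy(role, catalog, suffix="_CUSTOM"):
    # "Copy top role and inherited roles": a role whose copy already exists
    # is not copied again; the existing copy is linked instead.
    code = custom_code(role.code, suffix)
    if code in catalog:
        return catalog[code]
    copy = catalog[code] = Role(code, role.privileges)
    # An overridden suffix applies to the top role only; inherited roles
    # take the default pattern.
    copy.inherits = [deep_copy(child, catalog) for child in role.inherits]
    return copy

def demo():
    # Constructed role codes and privilege names.
    duty = Role("ORA_SAMPLE_DUTY", {"VIEW_MEMBER"})
    job = Role("ORA_SAMPLE_JOB", {"MANAGE_PROGRAM"}, [duty])
    catalog = {r.code: r for r in (duty, job)}
    shallow = shallow_copy(job, catalog, "_CUSTOM_A")
    first = deep_copy(job, catalog, "_CUSTOM_B")
    second = deep_copy(job, catalog, "_CUSTOM_C")
    duty.privileges.add("DELETE_MEMBER")               # source duty role changes later
    first.inherits[0].privileges.add("EXPORT_MEMBER")  # edit the copied duty role
    return {"shallow_follows_source": "DELETE_MEMBER" in shallow.effective_privileges(),
            "deep_follows_source": "DELETE_MEMBER" in first.effective_privileges(),
            "second_shares_duty_copy": "EXPORT_MEMBER" in second.effective_privileges(),
            "duty_copy_code": first.inherits[0].code}
```

In this model the shallow copy picks up the later change to the source duty role, the deep copy doesn't, and the second deep copy shares the duty-role copy created by the first, so an edit to that duty copy reaches both custom job roles.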